Tuesday, June 30, 2015

Cybersecurity & Civic Hacking # 4: Malware

Nobody in NE Wisconsin wants malware on their computer or smartphone. But how much do you know about malware, and what can YOU do to prevent it from hurting YOU?

In this week's 'Cybersecurity & Civic Hacking' post, the Bloomberg article, “The Hunt for the Financial Industry's Most-Wanted Hacker,” says the malware known as ZeuS and its rogue creator have been at the cutting edge of cyber-crime for nearly a decade. ZeuS is thought to be responsible for the theft of hundreds of millions of dollars from people and businesses who do online banking.
“...“fliime” was the name used by somebody who went on the online forum Techsupportguy.com on October 11, 2006, at 2:24 a.m., saying he’d found some bad code on his sister’s computer...Fliime probably didn’t realize this was history in the making. But the malicious program that had burrowed into the PC was a new breed, capable of vacuuming up more user logins and website passwords in one day than competing malware did in weeks...the malware and its offspring became juggernauts of cyber bank robbery—turning millions of computers into global networks of zombie machines...Conservative estimates of their haul reach well into hundreds of millions of dollars...the mystery coder gave his product a name with staying power; he called it ZeuS...this ZeuS fathered powerful descendants—and became a case study of the modern cybercrime industry. This is the story of a nasty piece of code, and the hunt for its creator...”
ZeuS infected all types of computers
The ZeuS article makes computer malware sound pretty bad, but does it really affect regular people in our area? You might wonder, “How is malware directly and indirectly affecting people in NE Wisconsin in 2015?” Here are a few ways it's affecting us:

  • My son has removed ZeuS malware from his customers’ computers when providing in-home service for consumers (not businesses). He has also removed thousands of other malware programs from customers’ computers. It's impossible to say how many problems those thousands of malware programs caused other than making the computers annoying or impossible to use.
  • CryptoLocker ransomware recently encrypted the files on the business software at a local auto repair shop which services my car. The owner of the shop paid Russian cybercriminals to get back his customer files -- he had no other choice. I got an email today from the auto repair shop and immediately deleted it. I had no way of knowing if it actually was from the shop or if it came from a cybercriminal because of the CryptoLocker episode at the shop.
  • I had fraudulent charges on my credit card recently for several hundred dollars to Google and Facebook. I had to fill out credit card fraud report forms and get a new charge card, dealing with associated hassles for auto-payments that had been set up on the previous card number for recurring charges. At some point, malware was probably responsible for my card’s information being available for fraudulent use.
  • My sister had fraudulent charges on her credit card at a store 250 miles away from her. She went through the same hassles I did.
  • All of us pay the cost of the credit card fraud caused by malware. Financial services companies build the cost of that fraud into their operating expenses.
  • New credit cards are being issued for everyone in the US this summer / fall with a new microchip to combat credit card fraud caused by malware and other factors. (Note the chip on the left side of the card just above the card number.)
  • Government agencies and cybercriminals use malware to intercept and store your online activities and electronic communications.
  • Hearing about malware problems makes you concerned about the dangers of using computers and modern electronics. But it also makes you feel helpless to improve the situation or do anything about the mess you’re in or might end up in.

You CAN do something about the malware mess -- support the proposed NE Wisconsin cybersecurity initiative and encourage others to support it!

How will a collaborative regional cybersecurity initiative greatly reduce the impact of malware on your life and the life of other NE Wisconsin residents and organizations?

A new NE Wisconsin College Cybersecurity Program will provide the following improvements regarding malware in our region:
  • Courses at the NE Wisconsin colleges involved with the regional cybersecurity initiative will teach (and research) how all sorts of malware work, how to detect the malware, how to minimize its impact on your computers, smartphones and other electronic devices, and what to do when malware does affect you.
  • A feature of the cybersecurity initiative will be auditing and certifying the expertise and performance level of NE Wisconsin cybersecurity companies, including customer reviews. You’ll know how well these local companies will deal with malware before you pay for their services.
  • Students will learn about malware in the wild by doing real-life security audits for individuals and businesses as part of their degree program.
  • Some of the students who graduate in this program will work for or start up NE Wisconsin cybersecurity companies, keeping their malware expertise in the region.
  • NE Wisconsin residents will be able to take some of the courses during evenings or weekends to learn how to deal with malware.
  • Instructors will collaborate with civic hackers in the NE Wisconsin Cyber Defense Force (CDF) and instructors in cybersecurity programs at other colleges, as well as cybersecurity professionals in companies and agencies around the world, to ensure NE Wisconsin knows the best way to deal with malware.
Civic hacking in NE Wisconsin, in collaboration with the colleges’ regional cybersecurity program, will help reduce our malware problems through:
  • CDF weekly workshops to scan devices for malware.
  • CDF weekly info sessions about malware and recent cybersecurity developments.
  • CDF blog posts analyzing impact of new malware or recent malware articles.
  • CDF hotline to answer your questions about malware.
  • Assistance with personal cybersecurity audits.
  • Having tech-inclined residents of NE Wisconsin join CDF, then learn the basics of malware and cybersecurity, choose their own niche of cybersecurity to specialize in, and maybe become a ninja civic hacker in that niche.
In future blog posts, I’ll take a look at specific types of malware, like ransomware, trojans, and APTs (advanced persistent threats).

---------------------------------------------------

DHMN Civic Hacks posts about 'Cybersecurity & Civic Hacking':
C&CH # 01: "Cybersecurity: A New Horizon For Civic Hacking?"
C&CH # 02: "Cybersecurity & Civic Hacking # 2: Public Wi-Fi"
C&CH # 03: "Cybersecurity & CH # 3: The Right Person / Topics Of Interest"
C&CH # 04: This post, published June 30, 2015
C&CH # 05: "Cybersecurity & CH # 5: Even Cybersecurity Companies Get Hacked!"
C&CH # 06: "Cybersecurity & CH # 6: How Cybersecure Is Your Car?"
C&CH # 07: "Cybersecurity & CH # 7: Data Breaches"
C&CH # 08: "Cybersecurity & CH # 8: Hype or Reality?"

*****

Monday, June 29, 2015

Hacking Begins At School

I was recently contacted by a NE Wisconsin resident interested in civic hacking. She said, “I wonder how cities/schools might collaborate?”

To figure out how cities and schools might collaborate, let's get people who are involved with schools to think about civic hacking. One might say, "hacking begins at school."

So the goal of today’s post is to start people thinking, learning and talking about how civic hacking might relate to schools and education. (Maybe a few readers of the post will even launch civic hacks focused on education!)

One of the higher-profile civic hacks relevant to schools is DiscoverBPS.
“...In 2011, the Boston Code for America team was in a rough spot. They wanted to build a whiz-bang suite of tools tied to Boston's student ID cards. The only problem was that government officials couldn't be fast enough or flexible enough — especially with potentially identifiable information about students — to do any of that. CfA and their Boston partners tabled the student ID card project. What they did instead was create DiscoverBPS, a web application that allows public-school parents to figure out exactly where they want to send their kid to school by showing the schools they're eligible for and even measuring if they are within walking distance. DiscoverBPS took an arcane and frustrating aspect of every parent's school experience and made it more accessible. It solved a problem everyone had and allowed people a way in to an aspect of their government. It will not change government. It was not even a particularly sweeping idea. But it was an instant hit...” [Click here for the CfA page about DiscoverBPS and click here for the GitHub code.] 
What other ways might civic hackers improve, innovate and solve problems in the broad area of education and the more specific area of schools and students?

If you’ve got a civic hack for this topic you’re itching to work on, scratch that itch! If you value local schools and education opportunities, but don’t know where to start, talk to local school administrators, teachers, students and parents. Get their ideas and suggestions and find out what types of civic hacks they’d like to work on. By doing this, you’ll know you’re working on something that’s definitely of interest to people who will be affected by your hack. Below are a few topics related to schools and education that might help begin the conversation or kick start increased neural activity.

  • Which school do I want to send my children to?  (DiscoverGBAPSD, DiscoverOASD, DiscoverAASD, etc.)
  • Appathon: teach students how to build simple apps.
  • Cost-saving school data warehouse owned by a consortium of schools.
  • Workshop: student-based approach to civic hacking.
  • Student ideation sessions on civic hacks; sessions done at school or at hackathon.
  • EduCamp: an unconference for education and schools.
  • Student civic hacking options for community service requirements.
  • Encouraging students to enter civic hack competitions.
  • Contact other civic hacking schools or school districts; find out what they’ve done.
  • Involve homeschoolers and charter schools.
  • Visualization on school spending and other school statistics to support new or revised programs or to enable comparisons of a local school or school district vs:
    • Other NE Wisconsin schools
    • Other Wisconsin schools
    • Other states
    • Other highly-ranked school districts
    • Other similar size school districts

If people in NE Wisconsin want to launch and work on school / education civic hacks, I’ll be happy to assist them in finding helpful contacts and info or to incorporate that theme into a civic hackathon. You can contact Bob Waldron at bwaldron (at) gmail [dott] com. Involving students, teachers, administrators and students’ parents in civic hacking will benefit NE Wisconsin, whether they work on school and education hacks or on a different topic.

How can you begin civic hacking on school and education issues?

Hacking begins at school.

------------------------------------------------------------------

Advanced Degrees of School & Education Civic Hacks:


*****
[thanks to my sister, Kathryn, for the title of this post!]

*****

Sunday, June 28, 2015

Beware The Listening Machines: Civic Hacking & Society

Are big-picture social issues something civic hackers should be concerned about and working on?

A narrowly-focused, easily-tackled and non-controversial example of a civic hack is “Is It Recycling Week?” -- a smartphone app that tells you if you need to put out the recycling bin tonight for trash pickup in the morning. Pretty much everybody can agree this is an appropriate thing for civic hackers to work on.

A broadly-focused, hard-to-even-start and very controversial example of a civic hack is working to improve your life and the lives of fellow citizens with regards to how they’re impacted by ‘Listening Machines.’

Or, to expand the civic hacking concept even more broadly, you could call this the topic of hacking society, especially with respect to new technology, or new uses and impacts of technology.

Working on the issue of Listening Machines, or the bigger picture of hacking our current US society and policies for preventing egregious technology blunders, is so daunting and complex that most people, if they even think about it, wouldn’t contemplate trying to improve the system.

I’ll back up for a minute and point you to the article that prompted this post. It explains what Listening Machines are and suggests the need for a conversation (and action) about preventing unnecessary disasters caused by new technologies or new applications of technology. “Beware the Listening Machines,” an article from the director of the Center for Civic Media at MIT, paints a discomforting picture of where the innocent-seeming ‘surveillance technology’ of kids-toys-that-listen and smartphones-that-you-talk-to is taking us.
When dolls [, smartphones] and friendly robots can listen and respond to what people say, where's the line between personal assistance and mass surveillance? 
...my friend Kate Crawford invited me to a daylong “Listening Machine Summit,”...What's a listening machine? The example on everyone's lips was Hello Barbie, a...doll that will listen to your child speak and respond in kind...a Mattel representative introduced the newest version of Barbie by saying: ‘Welcome to New York, Barbie.’ The doll, named Hello Barbie, responded: ‘I love New York! Don't you? Tell me, what's your favorite part about the city? The food, fashion, or the sights?’
Barbie accomplishes this magic by recording your child’s question, uploading it to a speech recognition server, identifying a recognizable keyword (“New York”) and offering an appropriate synthesized response. The company behind Barbie’s newfound voice, ToyTalk, uses your child’s utterance to help tune their speech recognition, likely storing the voice file for future use. And that’s the trick with listening systems. If you can imagine reasons why you might not want Mattel maintaining a record of things your child says while talking to his or her doll, you should be able to imagine the possible harms that could come from use—abuse or interrogation of other listening systems... 
As one of the speakers put it...listening machines trigger all three aspects of the surveillance holy trinity:
  • They're pervasive, starting to appear in all aspects of our lives.
  • They're persistent, capable of keeping records of what we've said indefinitely.
  • They process the data they collect, seeking to understand what people are saying and acting on what they're able to understand.
To reduce the creepy nature of their surveillant behavior, listening systems are often embedded in devices designed to be charming, cute, and delightful: toys, robots, and smooth-voiced personal assistants. 
...If a robot observes spousal abuse, should it call the police? If the robot is designed to be friend and confidant to everyone in the house, but was paid for by the mother, should we expect it to rat out one of the kids for smoking marijuana? Despite the helpful provocations offered by real and proposed consumer products, the questions I found most interesting focused on being unwittingly and unwillingly surveilled by listening machines. 
...companies invent new technologies and bring them to market. Consumers occasionally react, and if sufficient numbers react loudly enough, government regulators investigate and mandate changes. There’s a sense that this is the correct process, that more aggressive regulation would crush innovation...But this is a model in which regulation is a very modest counterweight to market forces. So long as a product is on the market, it’s engaged in persuading people that a new type of behavior is the new normal. When Apple brought Siri to market, it engaged in a multi-front campaign to persuade people that they should regularly speak to a computer to make appointments, order dinner, check traffic conditions, and seek advice. Apple was able to lower barriers to adoption by making the product a pre-installed part of their very popular phone, making it available for free, and heavily advertising the new functionality...people talk to their phones and share sensitive information with them, and that's just the way things are now...Apple has already won: We're talking to our phones, sharing our lives, generating terabytes of data in the process. The problem with this approach to regulation is that we rarely, if ever, have a conversation about...do we want a world in which we confide in our phones? And how should companies be forced to handle the data generated by these new interactions? 
...These questions...aren't regulatory questions, but policy ones. The challenge is figuring out how, in our current, barely functional political landscape, we decide what technologies should trigger pre-emptive conversations about whether, when, and how those products should come to market...We need a better culture of policymaking in the IT world. We need a better tradition of talking through the “whethers, whens, and hows” of technologies like listening machines.  And we need more conversations that aren’t about what’s possible, but about what’s desirable.
If you want a glimpse of where the Hello Barbie could lead, check out the fictional-but-highly-believable story of Purza the pukha in Anne McCaffrey’s book “The Rowan.”
Purza is a pukha and she's been mine a long time, the Rowan answered, hefting the pukha behind her in a proprietary way...`A specially programmed stabilizing surrogate device,' the Rowan explained. `It's not a stuffed toy.'
Purza is a cuddly, soft, stuffed creature given to a young girl to help her recover from a traumatic disaster which killed all her relatives and anyone who knew her. The pukha listens to the girl and talks back to her about her concerns and thoughts. The Rowan and Purza have long, involved conversations. Purza is fictional, but if psychologists and aid-workers had reasonable-cost pukhas available to them in 2015, they would no doubt be giving them to young survivors of landslides in Turkey or tsunamis in Indonesia that wipe out almost everyone in a small remote village. Or many other young victims of trauma scenarios you might think of. But even if we could (can?) make pukhas, should we?

Regulations, government policies and societal trends regarding listening machines have huge implications for the Internet of Things (IoT), smartphones, virtual assistants, robotics, smart cities, government and civilian drones, self-driving (and always-listening) vehicles and numerous other technologies.

I don’t know what the role of civic hackers should be regarding listening machines. Nor do I have a firm opinion on whether or how civic hacking should be a significant force in improving US policies regarding new technologies and new technological impacts in our lives.

But a guiding principle for civic hackers is to be engaged with their community and their government and take personal responsibility for improving situations where they feel they can contribute. So when your city or county is considering using technology to prevent crime by monitoring who is using public spaces, when the local law enforcement sets up traffic cams that capture and store all the license plate numbers of vehicles coming into your town to monitor vehicle traffic patterns, and when your local K-12 school proposes GPS technology for tracking where students are to 'ensure the safety of your children,' make sure you get involved with those conversations and decisions.

Did you hear that, Barbie?

(I know you're listening too, Siri, Now, Alexa, Cortana, and Pepper...)

------------------------------------------------------

XKCD has also commented on dealing with technology run amok.

------------------------------------------------------

I'll periodically update the list below to make civic hackers aware of disturbing/amazing articles about listening machines subtly becoming an integral and accepted part of our lives, and other ubiquitous technologies invading and controlling our lives.

Amazon Echo:
Amazon's Echo Speaker: Hey, This Thing Is Remarkably Smart 
Amazon Echo, a.k.a. Alexa 
Code that changes how we (can) act:
Demystifying the algorithm: who designs your life?

*****

Saturday, June 27, 2015

Civic Hacking In The News: June 27, 2015

Here's your June 27 update on recent news about civic hacking. This Saturday’s news includes a variety of topics that could be leveraged by NE Wisconsin civic hackers or might inspire them to launch a related-but-different project. For complete details on any of the items, click the headline link and read the article in its entirety.

This civic hacker and cofounder just moved to Philly from Wisconsin
"...So, you came from Madison? What brought you here?...My fiancé just started pediatric residency at CHOP. That was the motivation to move to Philly... 
Were you scoping out the tech scene when you visited? Not really, but I started to after we found out we were moving here. That was at the end of March. I started by just following everyone and everything Philly I could find on Twitter. Generally I was pretty impressed with the coverage. It was pretty easy to get a sense of what was going on and all the different people and organizations who were driving the tech scene here. 
What were you doing in Madison? Were you involved in the scene over there?...I was very involved in the tech scene in Madison. I am also co-owner of a coworking space there and helped organize many different events, meetups and entrepreneurial events...One thing I also worked a lot on was civic hacking. I helped organize a meetup in Madison and would create my own APIs to city data before the city passed an open data ordinance a couple years ago...Greg Tracy built the API for the bus arrival data. Greg’s API was really the starting point. A few years ago he built a simple app that scraped bus data and sent a text message called SMSMyBus. Once he added an API it really paved the way for others, including myself, to use the data. Right before I left I had started working on building an API for library data since I was getting frustrated not having access as a developer...
Wait, so, a lot of the data you were using in Madison just didn’t have APIs? When we started, there were none. Bus data was posted in html to a website that updated every few minutes. Madison did pass an open data law, partially because of our work, but we are still waiting for a lot of stuff to make it online. It is better now but a few years ago, it was just writing screen scraping code to generate developer friendly APIs. I wrote code that scraped fire reports, police reports, property ownership records..."
This post has several lessons for civic hackers and the TIME community (Tech, Innovators, Makers, Entrepreneurs) in NE Wisconsin. One of them is that for civic hackers and TIME community members to be visible and easily discoverable to like-minded people who move into the area, or who are interested in knowing what's happening in NE Wisconsin, we need to have at least a few people active on Twitter and other websites or web services that those like-minded people use or look at frequently. Another lesson is that, just as Madison was in some ways significantly 'behind' Philadelphia in civic hacking maturity, so our region is significantly behind Madison. We're still at the stage where most of the data we want to use for civic hacking needs to be scraped and APIs need to be written. A third point to consider is that Madison's civic hacking online presence and organized activity seems somewhat static at the moment, with few updates and new projects being launched. In a community which doesn't have a critical mass of civic hackers, there needs to be intentional focus on having several active community organizers and promoters. Having several people actively promoting, organizing and starting new projects allows the community to continue growing and improving. That lessens the impact of one or a couple of the visible members of the community moving away or getting absorbed in a new focus for their life.

3 models for civic hackers: green field, cloned, augmentation
“...Augmentation is the new shiny object—the idea that a government agency is the maintainer of a project for civic hackers to contribute to...Augmented projects...Vetted and supported projects that are currently being worked on by a city, county, or state agency where civic hackers can support development activity, provide user feedback, increase adoption, and assist in testing by augmenting a sponsored project...While there is a lot of preparation needed in order to make this successful for a hackathon event or a recurring civic hacking night, that investment by the agency will pay off with quality code commitments and feedback. The preparation might involve creating a repository, writing good documentation, maintaining a backlog, and reviewing project submissions...The agency benefits from a fresh perspective of the problem and accelerated development. Many government IT shops are facing smaller budgets, more projects, and may even lack some of the skill-sets needed to implement the projects they want to work on. By reaching out to their...tech communities, government IT can augment their staff with passionate technologists who want to help advance the mission. For the civic hackers, it's a short-term commitment. The idea is that they can show up to a hackathon or hack night, grab a few tasks from the backlog, and submit their code for review. They're able to contribute to a project without having to maintain or deploy the solution...”
Stage 1 in the growth of a regional civic hacking community is 'greenfield' hacking. There doesn't need to be an organized or connected community of civic hackers for this stage to happen. All that's needed is for one lone coder or hacker to have the drive to build a civic hack. Mike Putnam did that in NE Wisconsin. Stage 2 is 'cloning,' when the lone hackers begin to connect and someone decides they'd rather leverage what people in another city or region have created. So they fork the code or the project idea, and build a localized version that they feel is useful and appropriate to their region or city. The article above suggests that Stage 3 in the maturing civic hacking community is 'augmentation.' Stage 3 appears when there is a recognizably-connected civic hacking community AND a recognition by a city (or several cities in a region) that civic hacking, open data, and DIY urbanism of engaged citizens are valuable resources that cities and counties should support and encourage. Stage 3 MUST be endorsed and driven by the government organizations because they need to (a) prepare data and other resources needed for the civic hack, (b) 'host' and support the existing version of the civic hack, and (c) commit to maintain and upgrade the civic hack in the future until the civic hack no longer is felt to be valuable. This requires a different mindset for the city from Stages 1 and 2. In the first two stages, civic hackers can do the bulk of civic hack design, data manipulation, hosting and maintenance of the civic hack.

Princeton upside to hacking
Princeton Civic Hackathon
“...Code for Princeton is determined to prove that hacking has its upside. The fledgling unit partnered with the Princeton Public Library and the municipality earlier this month to sponsor its first hackathon, designed to build solutions for the community by using publicly released data and new technology. Participants, more than 100 strong, spent a Saturday morning into Sunday afternoon tackling such diverse projects as tracking voting results on a map, creating an app toward improving the bicycling experience for Princeton-area residents, and establishing a webpage giving users access to the health scores of local restaurants...The event drew technology developers, graphic designers, writers and just plain folks with an investment in fostering a more welcoming, more sustainable civic environment. Also on board were students from Montgomery Upper Middle School, who worked on an app allowing people to easily adopt pets from Princeton's SAVE animal shelters, sign up to volunteer and determine the best use of donor funding...”
Princeton's National Day of Civic Hacking 2015 event is an inspiring example of the first civic hackathon for a city or region. They had more than 100 people participate in the activities, and it sounds like they've made a great start on connecting like-minded people in that city. We need to talk with the Princeton organizers about how they attracted so many participants to their first event and apply their strategies where it makes sense for NE Wisconsin. Libraries and schools are two factors we might begin with. The city's library sounds like a key partner for launching civic hacking in Princeton, and we can use Princeton's library involvement to augment the ideas discussed in "Libraries And Civic Hacking." Princeton also appears to have had significant involvement of middle school students. A post is being planned for next week on this blog discussing the opportunities for civic hacking in the arena of schools and education.

City of Philadelphia Releases Open Data on Parking Violations
“The City of Philadelphia released data about parking violations on the City's open data portal. The data includes citation information for 4.8 million parking tickets issued between January 2012 and March 2015 by the Philadelphia Parking Authority, the Philadelphia Police Department, SEPTA Police, and other issuing agencies. "We are proud to reinforce our commitment to transparency and open government by publishing parking violation data online," said Mayor Michael A. Nutter. "This release joins a growing list of more than 170 open data sets that help inform citizens and strengthen trust in government." In addition to being available for download, the data is provided in a powerful new visualization tool enabling users to easily browse, filter, and drill down into the data within their web browser.”
Parking violations might be a high-interest, non-threatening topic to help get widespread familiarity with the concept of civic hacking. A majority of people do not want to get parking tickets and are curious about how many tickets are given to their fellow citizens, what areas of the city get the most tickets, and other aspects of parking violations. Geeks interested in 'big data' could have a whole lot of fun playing with data for thousands or millions of parking tickets. Visualization and interpretation of this data might lead to changes or improvements in a city's parking policies.

Police Data: What Do People Want?
“Where does distrust between police and the community begin, and how might we repair it?...After spending time in Vallejo and riding alongside Vallejo police officers, we started to notice some patterns that might contribute to the fragmented trust between both parties. One big suspect: lack of information. Police told us that they feel “misunderstood” and unable to fulfill unrealistic expectations during their daily policing...After speaking with people living in Vallejo, we learned that many feel confused by the criminal justice system. They wonder where to go for what, what is and is not allowed, and what to expect during and after their interactions with police. So we wondered, if the community had more information, what kinds of information would they find useful or interesting?
As a completely hypothetical exercise, we collected different types of information that might interest people and asked them to prioritize it. We took inventory of all of the traditional categories of information released to the public, such as number of crimes, arrests, and traffic stops in the last year, and put them on individual index cards...We made it clear that cards selected were not necessarily a promise of what information we would make publicly available. The purpose of the sort was to learn why people want certain types of information, and if having that information would be useful in repairing their trust in the police...We highlighted participants’ preferences and noticed that none of their top 10 cards were a perfect match. The information a resident wants really depends on their own goals, experiences, and community...It was an insightful exercise because we saw the types of information people were interested in and the “why” behind their interests or non-interests...This highlighted the need to focus on the problem that certain types of data solve, rather than the data itself. Do people really want to know how many arrests there were in their area, or do they want to ensure that they’re living somewhere safe?...we did learn that everyone was interested in cards particular to the problems they were trying to solve every day...They spoke of being able to have more informed conversations with the police and their communities about what’s going on in the city. Finally, they mentioned the gesture of giving information as a sign of trust and support...”
The primary reason for the above 'police data' post is events of the past six months in Ferguson and other US cities. However, crime data has a long tradition in the modern civic hacking movement, e.g. chicagocrime.org. Like parking tickets, citizen interest in data related to crime and police activity might be a great way to raise the visibility of civic hacking in NE Wisconsin. Crime data will be more controversial to obtain than parking ticket data. It might also be more challenging to hack in a way that is both interesting and fairly addresses sensitive issues. But the long term benefits would seem to outweigh the short term discomfort this civic hacking causes and the effort needed to obtain the crime-related data. This post also takes an instructive look at one process to figure out what information people want. This process could inform many areas of civic hacking, not just police data.

Accela Construct App Challenge 2015
“$22,000 in prizes and a trip to Los Angeles are up for grabs by building an app for the second annual Accela Construct App Challenge! Got an idea for an app that opens up government data and makes it available to citizens? Want to build a tool for people and businesses to interact more easily with their local and state governments? Have a solution that complements the Accela Civic Platform? Then hurry and submit a short video and some prototype screens that pitch your genius concept to our esteemed judges. You could win up to $10,000 in support of building your app and a stipend to attend Accela Engage 2015 in Los Angeles to share your app idea...”
This one is more of an announcement than a news item, but it’s included in today’s post for these reasons:

  • When I recently found this civic hack challenge, only 12 people were entered to compete for a $10K first prize.
  • The Accela challenge is a good opportunity for NE Wisconsin civic hackers to get experience in a civic hack competition.
  • I would like to do a NE Wisconsin challenge like the New York one described last week in "Civic Hacking In The News: June 20, 2015."


*****

Friday, June 26, 2015

Cybersecurity & Civic Hacking # 3: The Right Person / Topics Of Interest

On this blog, I wrote two previous posts about Cybersecurity & Civic Hacking for three reasons:

  1. To introduce you to the concept of civic hacking related to cybersecurity.
  2. To present an open proposal to the citizens of NE Wisconsin for a collaborative regional cybersecurity initiative which has a civic hacking component.
  3. To convince you that 99% of NE Wisconsin citizens need improved cybersecurity by highlighting ways computers and smartphones are used insecurely on public WiFi.

The primary goal of my posts about cybersecurity and civic hacking is to spur the launch of a NE Wisconsin collaborative initiative to achieve a high level of cybersecurity for citizens, businesses and other organizations in our region.

Today's post has two topics: (1) connecting the 'right influential person' with this cybersecurity proposal, and (2) cybersecurity topics I'll write posts about for this blog.

A collaborative regional cybersecurity initiative may seem like something that’s too big to wrap your arms or mind around. It may seem like Don Quixote tilting at windmills to get the 18 counties of NE Wisconsin to work together on a single ambitious program like this. A friend told me he didn’t think there was anything he could do to help me get the proposed cybersecurity program started.

So you might wonder, ‘what will it take to get a collaborative regional cybersecurity initiative started?’

All it will take is for the Right Influential Person to hear about the regional cybersecurity proposal and decide to support and promote it.

I’ve seen it happen over and over. It takes many smart and dedicated people to make big, impactful, worthwhile projects happen. But it all starts with one person, someone who can see the big picture and has connections, influence or money. If they decide an idea is a good one, they can make things happen, make the idea come to life.

The most likely way the right influential person will hear about the proposal is if people who read this blog tell others about the proposal, express their agreement with the concept, and send a link to this post, a link to “Cybersecurity: A New Horizon For Civic Hacking?” or a link to one of the other cybersecurity posts on this blog, to people they know. If you know influential people, you should definitely tell them, but you should also tell others you know. Because even if you don’t know an influential person who can be the key to launching this cybersecurity initiative, you do know people who might know that Right Influential Person. By sharing our concerns and our desire to improve the situation, we can get the message to the right person.

As a civic hacker, I’ve done the first part of my role by identifying the need for improvement and developing a solution for the problem. The ‘need’ is that my level of cybersecurity knowledge and everyday application is lousy, and so is yours and that of most residents and organizations in NE Wisconsin. As was recently explained by Alex Stamos, the cybersecurity chief for Yahoo:

Alex Stamos, Yahoo CISO
“...I’m not very happy with where we are as an industry,” he said, with a grim look on his face. “We’re really focusing on the 1%,” he added, referring to the small number of companies that can afford to spend on cybersecurity teams and products, and the minority of internet users who are literate enough to jump through the hoops that are needed to be safer online...“The vast majority of people are not safe using the internet everyday…”


You and I need to change the situation so residents and organizations in NE Wisconsin are part of “the minority of internet users who are literate enough to jump through the hoops that are needed to be safer online.”

The ‘solution’ is the regional cybersecurity initiative that I proposed in “Cybersecurity: A New Horizon For Civic Hacking?” and reiterated in “Cybersecurity & Civic Hacking # 2: Public Wi-Fi.”

I can’t personally make the regional cybersecurity initiative happen because I don’t have the influence, connections or money to do so. But as a civic hacker, I can continue to write blog posts and talk to people about this topic. I can (1) educate the residents of NE Wisconsin about the totally inadequate level of cybersecurity in our region, (2) try to distill and present the concept of a regional cybersecurity program so people understand it and are convinced it is the right solution, and (3) work to persuade people who read or hear my proposal that they should tell other people about it. If I'm successful with those three goals, I’m confident the Right Influential Person will hear about the proposal and make it happen.

That brings us to the education part of my civic hacking task. I’ll be writing cybersecurity posts regularly to educate people about cybersecurity problems. Sooner or later, reading about one of the many cybersecurity issues will make the light come on for people and convince them that something should be done to improve cybersecurity right here at home, in NE Wisconsin. Not in Mountain View, CA, at Google’s HQ. Not in Redmond, WA, in the Microsoft offices or research labs. Not in Cupertino, CA, at Apple, not in Stanford, CA, at Stanford University or in Cambridge, MA, at MIT. And not in Washington, DC in the hallowed halls of the US government. Sure, it's true things need to happen in those places to improve cybersecurity for all US citizens and for other people around the world.

But I don’t feel it’s worthwhile for me to try and influence or work on what happens in those faraway places. I do feel like it’s worth trying to influence what happens with cybersecurity in NE Wisconsin.

So I’m going to write a bunch of posts about topics that I think people in this region might be concerned about or interested in. If you have a cybersecurity topic of interest or concern to you, let me know (bwaldron [at] gmail {dott} com), and I’ll research it and write a post about that topic. The list below is long, ambitious, and subject to change. But it’s a starting point.

  1. Understanding Your Personal Cybersecurity
  2. Personal Cybersecurity Audit
  3. Understanding Organizational Cybersecurity
  4. NE Wisconsin College Cybersecurity Program
  5. Northeast Wisconsin Cyber Defense Force (NEW CDF)
  6. Personal Computer Security
  7. Smartphone Security
  8. Security In The Cloud
  9. Cryptolocker And Ransomware
  10. Viruses, Worms, Trojans, Spyware And Other Malware
  11. Antivirus, Antimalware And Security Software
  12. Cybersecurity: How To Know If You’ve Been Attacked
  13. Online Banking and Finances
  14. Digital Wallets
  15. Debit Cards And Credit Cards
  16. Buying Stuff Online
  17. Using Public Wi-Fi
  18. Using Wi-Fi Securely At Home
  19. Non-WiFi Wireless Security
  20. How To Choose A Computer Security Company
  21. Passwords And Biometric Security
  22. Google USB Hardware Security Key
  23. Private Information And Identity Theft
  24. Identity Theft: They Have My Info, Now What?
  25. PC & Phone: Digital Attackers Owned Me, Now What?
  26. Personal Cybersecurity: Facebook, Twitter, Google, Microsoft, Apple
  27. Who Owns Your Information
  28. Facial Recognition
  29. Biometric Cybersecurity
  30. Encryption
  31. BYOD Security (Using Personal Devices For Work)
  32. IoT Security (Internet of Things)
  33. Ubiquitous Listening Machines
  34. Simply Secure
  35. Anonymous Web Use
  36. Bitcoin And Digital Currency
  37. Cybersecurity: Windows, Mac & Linux
  38. Cybersecurity Legal Issues
  39. Cybersecurity Fiction Literature
  40. Wwwwww wwwww wwwww
  41. Xxxxxxxxx xxxxxxxx xxxxxxxx
  42. Yyyyyyyyy yyyyyyyy yyyyyyyy
  43. Zzzzzzzzz zzzzzzzz zzzzzzzz

Xxxxxxxxx, Yyyyyyyyy and Zzzzzzzzz will be topics readers of this blog suggest, or additional cybersecurity problems I think people might be interested in. Those topics won’t go at the bottom of my priority list; they’ll likely be close to the top since people have expressed their interest or concern about the topic.

Thank you for taking personal responsibility for improving this situation and for spreading the word so the Right Influential Person will know about the proposed collaborative regional cybersecurity initiative!

---------------------------------------------------

DHMN Civic Hacks posts about 'Cybersecurity & Civic Hacking':
C&CH # 01: "Cybersecurity: A New Horizon For Civic Hacking?"
C&CH # 02: “Cybersecurity & Civic Hacking # 2: Public Wi-Fi”
C&CH # 03: This post, published June 26, 2015
C&CH # 04: "Cybersecurity & CH # 4: Malware"
C&CH # 05: “Cybersecurity & CH # 5: Even Cybersecurity Companies Get Hacked!”
C&CH # 06: "Cybersecurity & CH # 6: How Cybersecure Is Your Car?"
C&CH # 07: "Cybersecurity & CH # 7: Data Breaches"
C&CH # 08: "Cybersecurity & CH # 8: Hype or Reality?"

*****

Thursday, June 25, 2015

‘Asks’ & ‘Offers’ -- Community-Builder And CivicTech Marketplace

A common problem for civic hacking seems to be that many civic hackers, especially ones relatively new to the game, aren’t sure what government information is available for them to hack on, or what type of civic hacks government workers would appreciate or utilize to help the government provide better services for its citizens.

Looking at it from the other side, because civic hacking is so new to NE Wisconsin, most government workers in the area have no idea what data or information might be of interest to the civic hackers.

One attempt to bring the two sides closer together and help them understand the wants and needs of the ‘other’ group is the use of Switchboard in Portland, Oregon. “The Early Adopter Program in Portland, Oregon” explains that,
“...it’s encouraging for us to see how the City of Portland is trying one way to improve procurement with their Early Adopter Program...What’s interesting about the early adopter program is two things: that the platform that’s being used to power the program - Switchboard – has come from a local PDX company, and secondly that it helps government move towards thinking of services in terms of user needs. Portland is using Switchboard to power a new marketplace and community, one that lets government staff post “asks” – like a better way to update and manage the city’s 1,700 page multiple-PDF zoning code document – and “offers” from local companies and entrepreneurs – like a homegrown PDX and metro-area procurement search engine...“We’re thrilled to be using Switchboard as the platform to connect the needs of the local government bureaus to the services that the private sector can provide. Switchboard is not only our technical platform, it is also a wonderful example of the power of tech and business to improve local government,” said Vidya Spandana, Strategic Advisor to Portland Development Commission.”
Portland seems to use Switchboard mainly for getting proposals for solutions to its CivicTech or GovTech needs, but it seems like it could also be used to connect civic hackers with the government guardians of civic data for less formal purposes. A civic hacker could ‘ask’ if anyone can link him to a certain type of crime data, or tell him who to talk to regarding that topic. A city worker might see that and give the civic hacker a link to the data, or tell him to talk to Jenny in the Public Safety Division at phone number 876-5309.

A city worker in the economic development department who wants to help real estate developers or business project developers could use Switchboard to ‘offer’ a pilot project like the Parcel Assessment Tool (PAT) developed in Kansas City. The PAT is “an application for a smart phone and online. The target user is a real estate developer. The application will display viable initial information for the developer, including zoning, liens, lot dimensions, a geo locator, building envelopes, legal description, PIN, owner's name and address, school district, etc. The goal is to combine all relevant initial information to the real estate developer for a one-stop shopping experience.” An interested civic hacker could reply to that ‘offer,’ learn exactly what the city worker would like to have, look at the PAT code on GitHub, and decide to fork the code and build a pilot program for the city.

So the Switchboard system could be used in several ways to promote civic hacking by connecting government workers with civic hackers.

Switchboard can also be used as a tool to connect, strengthen and expand a community of like-minded people (in this case, civic hackers), which was its original application when it was developed for Reed College. Per the Wired Magazine article “Switchboard Is Like Craigslist Without the Creeps”:
“Most startups want to grow as fast as they can. For many in the tech game, including Paul Graham, the founder of Y Combinator, one of Silicon Valley’s hottest startup incubators, rapid growth is the very definition of a startup...But not all tech companies see things this way. Take Switchboard. The Portland, Oregon-based outfit offers an online service that lets people create simple sites for online communities. Using a Switchboard site, you can either “ask” for something you need or “offer” something you have. That’s it. The larger Portland startup community uses it to post job listings, offer expertise, and announce hackathons. Oberlin College in Ohio uses it to help students and alums network with each other and share job opportunities. Then there’s The Meat Collective, which helps people buy and sell sustainably raised meat. The possibilities are limitless, but Switchboard has decided to grow slowly for now, limiting and carefully screening the creation of new communities. “We value the quality of the communities, not the quantity of communities,” says Mara Zepeda, the company’s co-founder and CEO...Zepeda...originally envisioned the service as a networking platform for her alma mater, Reed College in Portland, where she served on the alumni board. She took inspiration, oddly enough, from the U.S. Department of Agriculture’s Hay Net site, where farmers can either ask for hay or offer hay for sale. She and co-founder Sean Lerner built the original Switchboard just for Reed, but they quickly realized that the platform they’d built could be useful to other communities...”
A bunch of civic hackers in NE Wisconsin already use the #dhmncivichackks Slack channel for keeping in touch with each other. I don’t know enough about Slack or Switchboard to know if they are direct competitors in terms of the function and value they offer, or if they’d be complementary tools which many people would use side by side. Because it's a platform, Slack already integrates other services like Asana, Dropbox and GitHub, and they offer an API for integrating additional services. So if NE Wisconsin coders wanted to use both Slack and Switchboard, they could likely integrate the two.

I haven’t quite figured out if Switchboard is a good or an excellent way to enable civic hackers to ask about a type of data they’re interested in and for government people to share data they think might be valuable or interesting to hackers. But it seemed like a close enough fit that I’d throw it out there to the NE Wisconsin civic hacking community so that people can look at it, play with it and follow up on it with Mara Zepeda or another Switchboard rep if it seems like a fantastic fit for our situation.

Click here to go to Switchboard’s website.

Click here to see the city of Portland’s Switchboard site.

Click here for a related post, “Hacking the RFI Process” by Mark Headd, uber civic hacker.

*****

Wednesday, June 24, 2015

Community Mesh Networks & Civic Hacking

Over the past couple days, some people I know have been talking about coalescing a team of civic hackers to build a community mesh network. Read on if you want to know what a community mesh network is, or if you might like to join that team. (If interested, contact me at bwaldron (at) gmail [dott] com, or initiate a conversation on the NE Wisconsin Slack channel or the DHMN mailing list.)

The people who've expressed interest in this project haven't yet defined what 'civic hacking' aspect of a community mesh network would be the primary goal of the project. As you'll read below, there are multiple ways in which a mesh network could benefit a city and its residents. The mission of the project will be determined when the team first starts meeting and discussing system design.

The introduction in the Technical.ly post, “12 communities experimenting with mesh networks” highlights a dozen wireless community mesh networks.
“Mesh networks help people stay connected while avoiding traditional internet providers. Motivation around the country for creating community mesh networks ranges from a desire for social justice, improved information access during natural disasters or just the need to experiment.
A mesh network creates reliable and redundant wireless internet access. Instead of relying on a wired access point to the internet like a traditional network, a mesh network uses wireless radio nodes that speak to each other, thus creating decentralized wireless access points. Because a mesh network does not have to communicate through a central organization (like an ISP), if one node goes down the network will self heal — allowing service to continue without interruption. 
You are probably wondering, how is this different than your WiFi at home? For one, mesh networks are actually wireless. If you think of your at-home wireless router, it is wired directly to the internet. Within a mesh network, only one node needs to be hardwired. All the other nodes, of which there could be hundreds, do not require direct access to the internet, just access to the mesh network itself. This allows a mesh network to operate without laying new cable, or as a local network during a service outage.”
If you’re considering working on the NE Wisconsin community mesh network civic hack team, read the above post about networks in different cities, and click through to some of the websites mentioned to see exactly what they’re doing. The Technical.ly post also has a recommendation for those considering building a community mesh network: “For Diana Nucera, program director of the Detroit Community Technology Project, it is all about access, no matter where you get it. Nucera points potential mesh network advocates to Commotion’s setup wizard.” [Commotion is open source. The OpenMeshProject is another of the many resources to look at for project design.]

In the Wired Magazine article “It’s Time To Take Mesh Networks Seriously,” the author paints an interesting picture of how community mesh networks can work and a variety of reasons why people might want to build and use them. This is definitely civic hacking…
“...mesh networks have many benefits, from architectural to political. Yet they haven’t really taken off, even though they have been around for some time. I believe it’s time to reconsider their potential, and make mesh networking a reality. Not just because of its obvious benefits, but also because it provides an internet-native model for building community and governance. 
But first, the basics: An ad hoc network infrastructure that can be set up by anyone, mesh networks wirelessly connect computers and devices directly to each other without passing through any central authority or centralized organization (like a phone company or an ISP). They can automatically reconfigure themselves according to the availability and proximity of bandwidth, storage, and so on; this is what makes them resistant to disaster and other interference. Dynamic connections between nodes enable packets to use multiple routes to travel through the network, which makes these networks more robust. Compared to more centralized network architectures, the only way to shut down a mesh network is to shut down every single node in the network. 
That’s the vital feature, and what makes it stronger in some ways than the regular internet. 
But mesh networks aren’t just for political upheavals or natural disasters. Many have been installed as part of humanitarian programs, aimed at helping poor neighborhoods and underserved areas. For people who can’t afford to pay for an internet connection, or don’t have access to a proper communications infrastructure, mesh networks provide the basic infrastructure for connectivity. Not only do mesh networks represent a cheap and efficient means for people to connect and communicate to a broader community, but they provide us with a choice for what kind of internet we want to have. 
For these concerned about the erosion of online privacy and anonymity, mesh networking represents a way to preserve the confidentiality of online communications. Given the lack of a central regulating authority, it’s extremely difficult for anyone to assess the real identity of users connected to these networks. And because mesh networks are generally invisible to the internet, the only way to monitor mesh traffic is to be locally and directly connected to them...”
Based on my minimal knowledge about mesh networks, it seems like it should be approached not primarily as a low-cost way to provide Internet to those who couldn’t otherwise afford it. If a city wants to provide a minimum level of service for all of its residents, there are more robust ways to do that than by using a civic hack mesh network. Internet for underserved populations might end up being one of many uses for these networks, but there should be a larger focus on providing (1) a method of connecting to the Internet that is an alternative to traditional ISPs, (2) an interesting ‘maker’ project for those who enjoy radio and electronics and (3) an opportunity for young people who may enjoy learning about this field of technology by hands-on building and maintaining, rather than just by reading about it or building small projects in a lab. In some areas, creating a resilient communications network for use after natural disasters is an appropriate application for community mesh networks. But NE Wisconsin has an extremely low likelihood of needing that compared to areas that get hit by hurricanes, frequent earthquakes, flooding or landslides.
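
The self-healing behavior described in the Wired excerpt, and its limits, shown as an added example that is not from the original post or from any mesh project. It is a small Python model of a constructed six-node mesh (node names and links are hypothetical) that reroutes around a failed node and lists the nodes whose loss would cut others off from the single hardwired gateway.

```python
from collections import deque

# Constructed topology: each pair is a radio link between two nodes.
# Node names are hypothetical; "gateway" is the one hardwired node.
LINKS = [
    ("gateway", "library"), ("gateway", "school"), ("library", "school"),
    ("library", "cafe"), ("school", "park"), ("cafe", "park"),
    ("park", "farm"),
]


def build_mesh(links):
    """Turn a list of links into a symmetric adjacency map."""
    mesh = {}
    for a, b in links:
        mesh.setdefault(a, set()).add(b)
        mesh.setdefault(b, set()).add(a)
    return mesh


def shortest_path(mesh, src, dst, down=frozenset()):
    """Breadth-first route from src to dst avoiding `down` nodes.

    Returns the list of hops, or None when no route exists.
    """
    if src in down or dst in down:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(mesh[node]):
            if nxt not in prev and nxt not in down:
                prev[nxt] = node
                queue.append(nxt)
    return None


def stranded(mesh, gateway, down):
    """Live nodes that have no route to the gateway while `down` is off."""
    down = frozenset(down)
    return sorted(
        n for n in mesh
        if n != gateway and n not in down
        and shortest_path(mesh, n, gateway, down) is None
    )


def single_points_of_failure(mesh, gateway):
    """Map each non-gateway node to the nodes its failure would strand."""
    result = {}
    for node in sorted(mesh):
        if node == gateway:
            continue
        lost = stranded(mesh, gateway, {node})
        if lost:
            result[node] = lost
    return result


MESH = build_mesh(LINKS)

if __name__ == "__main__":
    print("normal route:   ", shortest_path(MESH, "cafe", "gateway"))
    print("library is down:", shortest_path(MESH, "cafe", "gateway", {"library"}))
    print("weak spots:     ", single_points_of_failure(MESH, "gateway"))
    # With the gateway down there is no Internet uplink, but the mesh
    # still carries local traffic between the remaining nodes.
    print("gateway is down:", stranded(MESH, "gateway", {"gateway"}))
    print("local route:    ", shortest_path(MESH, "farm", "library", {"gateway"}))
```

A node that shows up in the weak-spot result is where a second radio link is worth adding before the network is relied on.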

So mesh networks sound pretty cool and useful, and the technology has been around for a while. Why aren't there more mesh networks around the US and the world? Why don't you hear more about them in the media? Here's an edited version of why the Wired article author thinks mesh networks are less common than it seems like they should be:
"The complexity to set up, manage, and maintain a mesh network is one obstacle to their widespread deployment. 
Another barrier is perception (and marketing). Mesh networks are generally seen as an emergency tool rather than a regular means for communication.
Political and power struggles. Even though mesh networking could theoretically support the government in providing internet connectivity to poor neighborhoods or underserved areas, mesh networks cannot be easily monitored, nor properly regulated by third parties.
We are focusing too much on the technical and legal challenges of mesh networking as opposed to the social benefits it might bring in terms of user autonomy and community-building. As has been done with Freifunk in Germany and GuiFi.net in Spain, more mesh networks need to be deployed on an arbitrary basis. Beyond the internet, the governance model of many community wireless networks could potentially translate into other parts of our life. By promoting a DIY approach to network communications, mesh networking represents an opportunity to realize that it can sometimes be more beneficial for us, as a community, to rely on our own resources and those of our peers than that of centralized authorities."
The Internet is overflowing with technical and social information about community mesh networks. If you know pretty much nothing about these networks and want to learn more, start by reading the Technical.ly and Wired articles linked above, then read and understand the Wikipedia entries about wireless community networks and mesh networking. That will give you a good start on visualizing what this civic hacking project might involve. Wikipedia also has a list of wireless community networks. As mentioned above, the Commotion open source system is recommended by a person involved with a mesh network in Detroit, so either that or the OpenMeshProject would probably be a good starting point for designing the NE Wisconsin mesh network. Googling for this topic will present you with way more info than you’ll ever find time to read.

If this project hits critical mass and acquires a project lead, I’ll write posts to provide info on tech and design details of the proposed community mesh network as the work progresses. As mentioned above, contact us if you want to get involved with this project!

*****