Tuesday, December 11, 2018

A very, very small portion of Google’s users.
Google says Google+ bug affected 52.5 million people
Google will shut down its Google+ social network much sooner than planned after discovering a second bug that revealed millions of customers' private information to software developers.
In a blog post, the company said 52.5 million people were affected by a bug in a November software update. The latest bug allowed app developers to access profile information not marked public. App developers inadvertently had access to this data for six days.

You might want to send this article to “your leaders.” Or at least your Accounts Payable department.
How Internet Savvy are Your Leaders?
Back in April 2015, I tweeted about receiving a letter via snail mail suggesting the search engine rankings for a domain registered in my name would suffer if I didn’t pay a bill for some kind of dubious-looking service I’d never heard of. But it wasn’t until the past week that it became clear how many organizations — including towns, cities and political campaigns — actually have fallen for this brazen scam.
… According to a statement filed with the Federal Election Commission, one of the earliest public records involving a payment to Web Listings dates back to 2008 and comes from none other than the 2008 Hillary Clinton for President fund.
… Guilmette said most of the public references he found regarding payments to Web Services Inc. are from political campaigns and small towns.
“Which naturally raises the question: Should we really be trusting these people with our money?” Guilmette said. “What kind of people or organizations are most likely to pay a bill that is utterly phony baloney, and that actually isn’t due and payable? The answer is people and organizations that are not spending their own money.”

I doubt this will be the basis for a US version of the GDPR. And why no Democrats? Cherchez la political contribution?
House Cmte Investigation Issues Scathing Report on Equifax Breach
The Hill: “The House Oversight and Government Reform Committee, following a 14-month probe, released a scathing report Monday saying the consumer credit reporting agency aggressively collected data on millions of consumers and businesses while failing to take key steps to secure such information. The breach is estimated to have harmed 148 million consumers.
“In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data,” according to the 96-page report authored by Republicans. “Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.”…

How do we know this article was not written by an AI?
Artificial Intelligence and the Future of Humans
Pew: “Experts say the rise of artificial intelligence will make most people better off over the next decade, but many have concerns about how advances in AI will affect what it means to be human, to be productive and to exercise free will. Digital life is augmenting human capacities and disrupting eons-old human activities. Code-driven systems have spread to more than half of the world’s inhabitants in ambient information and connectivity, offering previously unimagined opportunities and unprecedented threats. As emerging algorithm-driven artificial intelligence (AI) continues to spread, will people be better off than they are today? Some 979 technology pioneers, innovators, developers, business and policy leaders, researchers and activists answered this question in a canvassing of experts conducted in the summer of 2018. The experts predicted networked artificial intelligence will amplify human effectiveness but also threaten human autonomy, agency and capabilities. They spoke of the wide-ranging possibilities; that computers might match or even exceed human intelligence and capabilities on tasks such as complex decision-making, reasoning and learning, sophisticated analytics and pattern recognition, visual acuity, speech recognition and language translation. They said “smart” systems in communities, in vehicles, in buildings and utilities, on farms and in business processes will save time, money and lives and offer opportunities for individuals to enjoy a more-customized future…”

I don’t think they like Article 13.
Latest EU Copyright Proposal: Block Everything, Never Make Mistakes, But Don't Use Upload Filters
As we've been discussing, the "Trilogue" negotiations between the EU Commission, EU Council and EU Parliament over the EU's Copyright Directive have continued, and a summary has been released on the latest plans for Article 13, which is the provision that will make upload filters mandatory, while (and this is the fun part) insisting that it doesn't make upload filters mandatory. Then, to make things even more fun, another document on the actual text suggests the way to deal with this is to create a better euphemism for filters.

Perspective. No breakdown of the results of these searches. What were they looking for? How often did they find anything?
Colleen Long of AP reports:
U.S. Customs and Border Protection officers are searching the electronic devices of travelers more often, and did not always follow proper protocol, a new watchdog report has found.
The report made public Monday found there were 29,000 devices searched at a port of entry out of 397 million travelers to the U.S. in budget year 2017, up from 18,400 the year before from 390 million travelers.
Customs and Border Protection officials note it is less than 1 percent of all travelers.
Read more on AP.

Social media outpaces print newspapers in the U.S. as a news source
Social media sites have surpassed print newspapers as a news source for Americans: One-in-five U.S. adults say they often get news via social media, slightly higher than the share who often do so from print newspapers (16%) for the first time since Pew Research Center began asking these questions.
… Overall, television is still the most popular platform for news consumption – even though its use has declined since 2016. News websites are the next most common source, followed by radio, and finally social media sites and print newspapers.

Perspective. This should have been done 30 or 40 years ago!
UK just banned the NHS from buying any more fax machines
BBC News: “The National Health Service will be banned from buying fax machines from next month – and has been told by the government to phase out the machines entirely by 31 March 2020. In July, the Royal College of Surgeons revealed nearly 9,000 fax machines were in use across the NHS in England. The Department of Health said a change to more modern communication methods was needed to improve patient safety and cyber security. An RCS spokesman said they supported the government’s decision. In place of fax machines, the Department of Health said secure email should be used. Richard Kerr, who is the chair of the RCS’s commission on the future of surgery, said the continued use of the outdated technology by the NHS was “absurd”. He added it was “crucial” that the health service invested in “better ways of communicating the vast amount of patient information that is going to be generated” in the future. The group’s report from earlier this year found the use of fax machines was most common at the Newcastle upon Tyne NHS Trust, which still relied on 603 machines. Three-quarters of the trusts in England replied to the survey – 95 in total. Ten trusts said that they did not own any fax machines, but four in ten reported more than 100 in use…”

Monday, December 10, 2018

Not as much exposure as you might think. Do you know every computer a job applicant might have had access to?
DarkVishnya: Banks attacked through direct connection to local network
… In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country.
… Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms.
The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals’ abilities and personal preferences. In the cases we researched, it was one of three tools:
  • netbook or inexpensive laptop
  • Raspberry Pi computer
  • Bash Bunny, a special tool for carrying out USB attacks
… At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. At the same time, the attackers tried to brute-force or sniff login data for such machines.
… Having succeeded, the cybercriminals proceeded to stage three. Here they logged into the target system and used remote access software to retain access
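The common springboard in every DarkVishnya case was an unrecognised device plugged into the office LAN, so one cheap control is to reconcile every new DHCP lease against the hardware inventory and alert on anything that is not in it. The following is an added example, not code from Kaspersky or from this blog; it assumes constructed dnsmasq-style DHCPACK log lines, a constructed inventory of known MAC addresses, and the Raspberry Pi Foundation OUI (b8:27:eb) as a higher-severity watch prefix.

```python
"""Flag devices that obtain a DHCP lease but are not in the hardware inventory.

Added example (not from the Kaspersky write-up or this blog). Inputs below are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# dnsmasq-style "DHCPACK(<iface>) <ip> <mac> <hostname>" lines, constructed.
# The Pi appears twice so the de-duplication of alerts is exercised.
SAMPLE_LOG = """\
Dec 10 09:12:01 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.5.17 3c:52:82:aa:bb:01 FIN-WS-017
Dec 10 09:14:33 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.5.44 3c:52:82:aa:bb:02 FIN-WS-044
Dec 10 11:02:09 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.5.201 B8:27:EB:12:34:56 raspberrypi
Dec 10 11:02:40 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.5.201 B8:27:EB:12:34:56 raspberrypi
Dec 10 11:40:55 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.5.202 00:11:22:33:44:55 DESKTOP-7Q2K
"""

# Constructed hardware inventory: MAC address -> asset name the organisation owns.
INVENTORY: Dict[str, str] = {
    "3c:52:82:aa:bb:01": "FIN-WS-017",
    "3c:52:82:aa:bb:02": "FIN-WS-044",
}

# OUI prefixes that deserve a higher-severity alert when they are NOT in the
# inventory. b8:27:eb is the Raspberry Pi Foundation OUI; the report lists a
# Raspberry Pi among the devices the attackers used.
WATCHED_OUIS: Dict[str, str] = {"b8:27:eb": "Raspberry Pi Foundation"}

LEASE_RE = re.compile(
    r"DHCPACK\((?P<iface>\w+)\)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)


@dataclass
class Alert:
    ip: str
    mac: str
    hostname: str
    severity: str  # "high" or "medium"
    reason: str


def parse_leases(log_text: str) -> List[dict]:
    """Extract (iface, ip, mac, host) from every DHCPACK line; MACs are lower-cased."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue  # not a lease acknowledgement (or a line we cannot parse)
        leases.append({
            "iface": m.group("iface"),
            "ip": m.group("ip"),
            "mac": m.group("mac").lower(),
            "host": m.group("host") or "",
        })
    return leases


def find_rogue_devices(log_text: str,
                       inventory: Dict[str, str] = INVENTORY,
                       watched: Dict[str, str] = WATCHED_OUIS) -> List[Alert]:
    """Return one alert per MAC that took a lease but is absent from the inventory."""
    alerts: List[Alert] = []
    seen = set()
    for lease in parse_leases(log_text):
        mac = lease["mac"]
        if mac in inventory or mac in seen:
            continue  # known asset, or already alerted on in this batch
        seen.add(mac)
        oui = mac[:8]  # first three octets identify the vendor
        if oui in watched:
            alerts.append(Alert(lease["ip"], mac, lease["host"], "high",
                                f"unknown device with {watched[oui]} OUI"))
        else:
            alerts.append(Alert(lease["ip"], mac, lease["host"], "medium",
                                "MAC address not in hardware inventory"))
    return alerts


if __name__ == "__main__":
    for a in find_rogue_devices(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.ip} {a.mac} ({a.hostname or '?'}): {a.reason}")
```

DHCP logs only see devices that ask for a lease; an implant with a static address never appears, so pair this with switch port, 802.1X or ARP-table data rather than relying on it alone.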

This could be another example of the FBI talking to lawmakers in another country, hoping to convince them to support an FBI position. Now they can point to this law and tell US lawmakers, “We’re behind!”
Australia Anti-Encryption Law Rushed to Passage
A newly enacted law rushed through Australia's parliament will compel technology companies such as Apple, Facebook and Google to disable encryption protections so police can better pursue terrorists and other criminals.
"I think it's detrimental to Australian and world security," said Bruce Schneier, a tech security expert affiliated with Harvard University and IBM.
U.S. law enforcement officials, including Deputy Attorney General Rod Rosenstein, are again pushing for legislation that would somehow give authorities access to secure communications.
The Australian bill is seen by many as a beachhead for those efforts because the nation belongs to the "Five Eyes" security alliance with the U.S., Britain, Canada and New Zealand.
"There is a lot here that doesn't make any sense," Schneier said of the Australian bill. "This is a technological law written by non-technologists and it's not just bad policy. In many ways, I think it's unworkable."
A leading figure in cryptography, Martin Hellman of Stanford University, said it appears the bill would "facilitate crime by weakening the security of the affected devices."
But Apple, in comments filed with parliament in October, argued that "it would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat."

I’m beginning to think that stories like this are influencing the push for real penalties (like GDPR). The next requirement is some significant penalties for the managers who won’t take action on their own.
Stuff reports on a case in New Zealand that was cited in a newly-released annual report by the Privacy Commissioner. Disturbingly, the unnamed government agency not only did not set a great example for data protection, but they demonstrated less than admirable response to the incident of insider-wrongdoing that harmed a member of the public. Stuff reports:
A government employee in dispute with his neighbour snooped on him 73 times after accessing his employer’s “sensitive” records.
He also changed the man’s file to add allegations of “improper conduct”.
When the government agency found out about the privacy breach it reviewed its processes but was not willing to apologise to the neighbour or pay him compensation.
The commissioner has called for changes to the Privacy Act to introduce “meaningful consequences” for non-compliance, including for the commissioner to decide which cases should go to the tribunal and for the commissioner to take the claims.
Read more on Stuff. That the agency didn’t even apologize for the anguish or harm to the individual is concerning.
It is one thing to argue that you had policies and procedures in place that you monitored, but despite that, an employee willfully managed to violate both, but then not to give the affected individual anything — even a “We agree with you and have terminated the employee’s position with us,” well…. there has to be more redress and/or compensation for those whose complaints are founded. And government agencies should be setting good examples instead of needing to be dragged before a tribunal or sued.
To jump directly to the annual report, go here.

Is political news based on the number of people who want to read it?
The long, tortured quest to make Google unbiased
The Verge – Can a search engine ever be meaningfully neutral: “[December 11, 2018], Sundar Pichai will try to reassure Congress that Google’s search engine isn’t rigged. The Google CEO is testifying before the House Judiciary Committee on Tuesday [The Hearing is titled – Transparency & Accountability: Examining Google and its Data Collection, Use and Filtering Practices] answering questions about “potential bias and the need for greater transparency” in Google’s business practices. It’s Republican lawmakers’ latest move in a series of hearings over Silicon Valley political bias. “Google has created some of the most powerful and impressive technology applications,” wrote House Majority Leader Kevin McCarthy in the announcement. “Unfortunately, recent reports suggest Google might not be wielding its vast power impartially. Its business practices may have been affected by political bias.” We don’t know exactly what questions will arise during Pichai’s testimony. But this summer, President Donald Trump caused a brief uproar by claiming (without evidence) that Google suppressed positive news about him. Reports indicated Trump might even direct regulators to investigate Google and other platforms for bias. But that proposal hadn’t come from one of Silicon Valley’s many ideological enemies — it was supposedly promoted by recommendations site Yelp, which has spent years protesting what it calls unfair demotion of its search results.
That investigation never came to pass. But it highlighted a major underpinning of the current anti-Google backlash: a decade-long fight over how search engines, which have become many people’s primary gateway to the internet, should treat the websites they list.”

Sunday, December 09, 2018

A Privacy issue, more than a Terminator issue.
… On Thursday, the AI Now Institute, which is affiliated with New York University and is home to top AI researchers with Google and Microsoft, released a report detailing, essentially, the state of AI in 2018, and the raft of disconcerting trends unfolding in the field. What we broadly define as AI—machine learning, automated systems, etc.—is currently being developed faster than our regulatory system is prepared to handle, the report says. And it threatens to consolidate power in the tech companies and oppressive governments that deploy AI while rendering just about everyone else more vulnerable to its biases, capacities for surveillance, and myriad dysfunctions.
… But it also conveys a succinct assessment of the key problem areas in AI as they stand in 2018. As detailed by AI Now, they are:
  1. The accountability gap between those who build the AI systems (and profit off of them) and those who stand to be impacted by the systems (you and me) is growing.
  2. AI is being used to amplify surveillance, often in horrifying ways.
  3. The government is embracing autonomous decision software in the name of cost-savings, but these systems are often a disaster for the disadvantaged.
  4. AI testing “in the wild” is rampant already.
  5. Technological fixes to biased or problematic AI systems are proving inadequate.

The world must look different from the Ninth Circuit.
The good folks at EPIC.org write:
In a surprisingly brief opinion, the Ninth Circuit has upheld a decision to dismiss a privacy suit against Facebook concerning the collection of sensitive medical data. In Smith v. Facebook, users alleged that the company tracked their visits to healthcare websites, in violation of the websites’ explicit privacy policies. In a little less than five pages, the Ninth Circuit decided that Facebook was not bound by the promises made not to disclose users’ data to Facebook because Facebook has a provision, buried deep in its own policy, that allows Facebook to secretly collect such data. The court actually wrote that searches for medical information are not sensitive because the “data show only that Plaintiffs searched and viewed publicly available health information…” EPIC filed an amicus brief in the case, arguing that “consent is not an acid rinse that dissolves common sense.” In 2011 Facebook settled charges with the FTC that it routinely changed the privacy settings of users to obtain sensitive personal data. The consent order resulted from detailed complaints brought by EPIC and several other consumer organizations.
I hate to say it, but I do understand the court’s reasoning, at least in part. Just visiting a site about a health issue is not the same thing as going to a doctor’s office for a consultation on a disorder or diagnosis. But we also know that sometimes, these situations create significant problems when advertising relating to a sensitive issue then shows up on a shared browser. For example, if a teen browses for information on transgender issues, and then their parents later have ads pop up while they’re using the browser, the collection and use of data from public sites can cause privacy issues and concerns.
So yes, the court’s siding with Facebook is very troubling because it’s ignoring what we have learned — that buried provisions in Facebook’s terms of service are generally not read by consumers who click through “I consent.” For the court to say that hey, it’s in there and consumers consented to have their data collected by Facebook, even though they are on a web site that promises NOT to share their data with Facebook, well…. the Ninth Circuit has set consumer privacy back. As EPIC noted in their amicus brief (p. 6):
Users could point to explicit statements on the medical websites they visited which said their personal data would not be disclosed to others. Yet, Facebook pointed to language, buried deep in its privacy policy, which said that it nonetheless could collect the data, and the lower court sided with Facebook. In such a world, how can users possibly make sense of privacy statements?
Although the plaintiffs didn’t prevail, do read EPIC’s amicus brief in this case as it provides a helpful discussion of the concerns.

Helpful for us non-lawyers.
Standing Issues in Data Breach Litigation: An Overview

Saturday, December 08, 2018

Maybe if this warning had come a bit earlier…
North Korea-linked Hackers Target Academic Institutions
A threat group possibly originating from North Korea has been targeting academic institutions since at least May of this year, NetScout’s security researchers reveal.
… The actors behind the attack, however, displayed poor OPSEC, which allowed the researchers to find open web browsers in Korean, English-to-Korean translators, and keyboards switched to Korean.
… Remote Desktop Protocol (RDP) was also used to ensure continuous access. However, because there is no evidence of data theft, the motivation behind the attacks is largely uncertain.

Laura Krantz reports:
Hackers stole more than $800,000 from Cape Cod Community College last week when they infiltrated the school’s bank accounts, the school notified its employees Friday.
Several computers in the school’s Nickerson Administration Building were hacked by a phishing scheme that used malware to obtain access to the school’s accounts, according to an e-mail from the school president, John Cox, sent Friday afternoon to school faculty and staff.
Read more on Boston Globe.
[From the article:
The college has replaced all infected hard drives, [Not a normal procedure, were they unable to remove (delete) the malware? Bob] according to the president’s e-mail. It will conduct more cybersecurity training for faculty, staff, and students. Stone, the school spokesman, said the college plans to invest in more sophisticated software to prevent attacks in the future.

I’m guessing that it was either create a procedure like this or Marriott would have to replace them all.
Identity stolen because of the Marriott breach? Come and claim your new passport
… The company on Friday confirmed to The Register that customers who fall victim to fraud as a result of forged passports will be eligible to claim a replacement passport at Marriott's expense.
"As it relates to passports and potential fraud, we are setting up a process to work with our guests who believe that they have experienced fraud as a result of their passports being involved in this incident," a spokesperson told El Reg.
"If, through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport."

For my lectures on cryptography…
Back Issues of the NSA's Cryptolog
Five years ago, the NSA published 23 years of its internal magazine, Cryptolog. There were lots of redactions, of course.
What's new is a nice user interface for the issues, noting highlights and levels of redaction.

A million here, a million there, pretty soon we’re talking real money! Do you suppose this is coming out of someone’s bonus?
Alex Hern reports:
Facebook has been fined €10m (£8.9m) by Italian authorities for misleading users over its data practices.
The two fines issued by Italy’s competition watchdog are some of the largest levied against the social media company for data misuse, dwarfing the £500,000 fine levied by the British Information Commissioner’s Office in September – the maximum that body is able to issue.
The Italian regulator found that Facebook had breached articles 21, 22, 24 and 25 of the country’s consumer code …
Read more on The Guardian.

Privacy as the Chinese see it.
Barbara Li and Bohua Yao report:
On November 30, 2018 the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the “MPS”), issued a draft Guideline for Internet Personal Information Security Protection (the “Guideline”) along with a request for public comments.
Even though, upon reaching final form and taking effect, the Guideline will not be a mandatory regulation, it nonetheless has a key implementing role in relation to the PRC Cyber Security Law (the “CSL”) and the Administrative Measures for the Multi-Level Protection of Information Security (the “Multi-Level Protection Measures”) in respect of protecting information systems and personal information in China.
Read more on Norton Rose Fulbright Data Protection Report.

Are we ready for this future?
Amazon, AI and Medical Records: Do the Benefits Outweigh the Risks?
Last month, Amazon unveiled a service based on AI and machine-learning technology that could comb through patient medical records and extract valuable insights. It was seen as a game changer that could alleviate the administrative burden of doctors, introduce new treatments, empower patients and potentially lower health care costs. But it also carries risks to patient data privacy that call for appropriate regulation, according to Wharton and other experts.

Friday, December 07, 2018

Two of my students know they are impacted by this breach.
Chinese Government Suspected in Marriott Hack: Report
Reuters’ sources said the hackers left behind some clues suggesting that the attack was part of an intelligence gathering operation conducted by the Chinese government. This assumption is based on the use of tools, techniques and procedures (TTPs) known to be associated with Chinese threat actors.
The potential involvement of the Chinese government in the breach suggests that the goal was espionage rather than financial gain.

CPOs should already know about this. Did they bother to tell their software architects?
Google Facing Complaints of GDPR Violations From Consumer Groups in 7 Countries
As soon as the European General Data Protection Regulation (GDPR) went into effect in May 2018, it was only a matter of time before tech giants like Google would start to receive complaints about potential GDPR violations. And now just six months later, Google is facing its first challenge under Europe’s strict new data protection regulations. A group of seven European Union member state countries – Czech Republic, Greece, Norway, the Netherlands, Poland, Slovenia and Sweden – are now asking European privacy regulators to take action against Google for its “deceptive practices” related to location tracking.
… For example, it’s a lot harder to deliver Google Maps information that is relevant if “Location History” is turned off. However, in the interests of personal privacy, some users might wish to turn “Location History” off.
And it’s here that Google appears to have created a legal headache for itself in terms of potential GDPR violations. As the BEUC has noted, simply toggling “Location History” off doesn’t mean that Google stops tracking you. Instead, in order to really stop Google from tracking you, you also need to turn off a second type of functionality called “Web and App Activity,” otherwise Google will continue to use your GPS location data in various ways. The fact that toggling something “off” doesn’t actually turn something “off” is what is so deceptive, according to the BEUC.

An issue of Privacy?
Microsoft Wants to Stop AI’s 'Race to the Bottom'
After a hellish year of tech scandals, even government-averse executives have started professing their openness to legislation. But Microsoft president Brad Smith took it one step further on Thursday, asking governments to regulate the use of facial-recognition technology to ensure it
does not invade personal privacy or [Would my face ever be considered “personal space?” Bob]
become a tool for discrimination or surveillance. [Can you view/record/recognize my face without surveilling me? Bob]
… To address bias, Smith said legislation should require companies to provide documentation about what their technology can and can’t do in terms customers and consumers can understand. He also said laws should require “meaningful human review of facial recognition results prior to making final decisions” for “consequential” uses, such as decisions that could cause bodily or emotional harm or impinge on privacy or fundamental rights.
… Smith also said lawmakers should extend requirements for search warrants to the use of facial-recognition technology. [Not gonna happen. Bob] He noted a June decision by the US Supreme Court requiring authorities to obtain a search warrant to get cellphone records showing a user’s location. “Do our faces deserve the same protection as our phones?” he asked.

But could it tell that the depression is due to an AI monitoring my smartphone? Will Big Brother make such monitoring mandatory so the government can intervene with mood altering drugs?
Your smartphone’s AI algorithms could tell if you are depressed
MIT Technology Review: “Your smartphone’s AI algorithms could tell if you are depressed. Smartphones that are used to track our faces and voices could also help lower the barrier to mental-health diagnosis and treatment. Depression is a huge problem for millions of people, and it is often compounded by poor mental-health support and stigma. Early diagnosis can help, but many mental disorders are difficult to detect. The machine-learning algorithms that let smartphones identify faces or respond to our voices could help provide a universal and low-cost way of spotting the early signs and getting treatment where it’s needed. In a study carried out by a team at Stanford University, scientists found that face and speech software can identify signals of depression with reasonable accuracy. The researchers fed video footage of depressed and non-depressed people into a machine-learning model that was trained to learn from a combination of signals: facial expressions, voice tone, and spoken words. The data was collected from interviews in which a patient spoke to an avatar controlled by a physician. In testing, it was able to detect whether someone was depressed more than 80% of the time. The research was led by Fei-Fei Li, a prominent AI expert who recently returned to Stanford from Google. While the new work is at an early stage, the researchers suggest that it could someday provide an easier way for people to get diagnosed and helped…”

Are they all wrong?
Analysis | The Technology 202: More than 200 companies are calling for a national privacy law. Here's an inside look at their proposal.
The Business Roundtable’s consumer privacy legislation framework, provided exclusively to The Technology 202, calls on the United States to adopt a national privacy law that would apply the same data collection requirements to all companies regardless of sector -- while ramping up Federal Trade Commission staffing and funding to enforce the rule. It calls on companies to give consumers more control of their data and form a national standard for breach notification.

Since you’re not driving, ads won’t be a distraction. Unless you are trying to sleep or study for my exam. Perhaps we could include voice: “Hey look! A McDonald’s! You should get a Big Mac!”
Firefly Nets $21.5 Million Seed Round To Boost Ride-Hail Driver Revenues With On-Car Ads
… A new iteration on that on-car billboard, Firefly replaces backlit printed placards with screens connected to sensors and a location-aware computer that pipes in locally-sourced ads to display for all to see. In turn, the company’s car-mounted screen modules will come with a set of sensors that ingest information about the outside world. The company brokers access to both.

Fortunately, NASA did not include heavy weapons.
Space station robot goes rogue: International Space Station’s artificial intelligence has turned belligerent
… But, as numerous books and movies have clearly warned us — shortly after being switched on for the first time, CIMON has developed a mind of its own.
And it appears CIMON wants to be the boss.
This has CIMON’s ‘personality architects’ scratching their heads.

Dilbert explains the size of government bureaucracies.

Thursday, December 06, 2018

The new normal: Assume you’ve been hacked. Devote resources to finding out where and how.
Zack Whittaker reports:
It’s going to take more than a bunch of posies to make up for this one.
The Canadian branch of 1-800-FLOWERS revealed in a filing with the California attorney general’s office that malware on its website had siphoned off customers’ credit cards over a four-year period.
Four years. Let that sink in.
The company said it believes the malware was scraping credit cards between August 15, 2014 to September 15, 2018, but that the company’s main 1-800-FLOWERS.com website was unaffected.
Read more on TechCrunch.

(Related) That’s a fact, Jack.
Your Personal Data is Already Stolen

Old normal: Assume you are going to be sued. How will, “We didn’t think we needed that much security” sound to a jury?
Attorneys General File First Multistate HIPAA-Related Data Breach Lawsuit
Attorneys General from 12 U.S. states this week filed a lawsuit against a healthcare tech solutions provider over a data breach suffered by the company in 2015.
… Authorities claim MIE failed to implement basic data security measures, it did not have security mechanisms in place for preventing the exploitation of vulnerabilities in its systems, it failed to encrypt sensitive personal and medical information, and had an inadequate and ineffective response to the breach.

Is it possible DHS is no longer of strategic importance?
Why the U.S. Needs a Homeland Security Strategy
The last time the U.S. government published a National Homeland Security Strategy, Osama bin Laden was still alive

For consideration by my Computer Security students. The US & UK governments are not the only ones “stockpiling” vulnerabilities. Perhaps not even the best.
UK Spy Agency Joins NSA in Sharing Zero-Day Disclosure Process
On November 15, 2017, the U.S. government made public its vulnerability equities process (VEP). This is the process used to decide whether a government agency should disclose a discovered vulnerability or keep it secret for its own purposes. Exactly one year and two weeks later, the UK government did likewise, disclosing its own Equities Process.
Both governments admit to stockpiling vulnerabilities. This is not open to discussion – they just do. The equities process is the means by which they decide which vulnerabilities should be kept secret from vendors, security companies and the public.

Question: When is a Cyber attack an escalation?
Ukraine Accuses Russia of Cyberattack on Judiciary Systems
Ukrainian security service SBU announced on Tuesday that its employees blocked an attempt by Russian special services to breach information and telecommunications systems used by the country’s judiciary.
According to the SBU, the attack started with a malicious email purporting to deliver accounting documents. The documents hid a piece of malware that could have been used to disrupt judicial information systems and steal data.
Another recent cyber incident involving Russia and Ukraine was revealed on Wednesday, when Adobe announced that a Flash Player security update addressed a zero-day vulnerability.
Researchers who spotted attacks involving the exploit said the target was the FSBI "Polyclinic No. 2" of the Administrative Directorate of the President of the Russian Federation.
The attack was launched just days after Russian border guards opened fire on three Ukrainian vessels in the Kerch Strait. The Ukrainian vessels and their crew were captured.

The UK grabbed these papers last month. Looks like they moved fast.
The secret Facebook documents have just been published by British Parliament
… A redacted version of the papers was pushed live on the website of the Digital, Culture, Media, and Sport Committee, which is investigating Facebook's privacy standards as part of an inquiry into "disinformation and fake news."

While some companies — most large banks, Ford and GM, Pfizer, and virtually all tech firms — are aggressively adopting artificial intelligence, many are not. Instead they are waiting for the technology to mature and for expertise in AI to become more widely available. They are planning to be “fast followers” — a strategy that has worked with most information technologies.
We think this is a bad idea. It’s true that some technologies need further development, but some (like traditional machine learning) are quite mature and have been available in some form for decades. Even more recent technologies like deep learning are based on research that took place in the 1980s. New research is being conducted all the time, but the mathematical and statistical foundations of current AI are well established.
Beyond the technical maturity issue, there are several other problems with the idea that companies will be able to adopt quickly once technologies are more capable.

Every Leader’s Guide to the Ethics of AI

Perspective. Would you believe: As goes Twitter, so goes the nation? (Looks like that might be backward)
By the numbers: Political tweets turn blue in 2018
Axios: “New data from Twitter shows the top 10 U.S. politicians who were most tweeted about in the few months after the midterm election were Democrats, replacing a list that was once dominated by GOP lawmakers the majority of 2018. Why it matters: The political clout and conversation is changing with its politicians. Republicans like Speaker of the House Paul Ryan and Sen. Ted Cruz (R-Texas) who once dominated the subject of tweets, are now being replaced by nominated House speaker Nancy Pelosi and outgoing Texas Rep. Beto O’Rourke in the rankings, per Twitter…”

Austria clears German who imported damaged euros from China
… The man, in his 40s, was detained in Austria earlier this year after police found 117kg (257lb) of the coins, worth €15,000 ($17,000; £13,000), in his car.
However an Austrian court has now ruled that his actions were not illegal.
The accused, referred to only as Mr H, had explained how he frequently travelled to China with cash to procure the coins, which he said were found in scrap metal items sent there to be destroyed.
He said that because the euro coins were not used as currency in China, he could purchase large quantities by weight at a fraction of their value and return to convert them for notes at Austrian banks using coin-counting machines.

Wednesday, December 05, 2018

Looks like the 2020 Election meddling has begun. These folks have had a couple of years to get their act together. Were the hackers that good? (i.e., state-sponsored)
Alex Isenstadt and John Bresnahan report:
The House GOP campaign arm suffered a major hack during the 2018 election, exposing thousands of sensitive emails to an outside intruder, according to three senior party officials.
The email accounts of four senior aides at the National Republican Congressional Committee were surveilled for several months, the party officials said. The intrusion was detected in April by an NRCC vendor, who alerted the committee and its cybersecurity contractor. [Not good for their reputation. Bob]
Read more on Politico.
[From the article:
However, senior House Republicans — including Speaker Paul Ryan of Wisconsin, Majority Leader Kevin McCarthy of California and Majority Whip Steve Scalise of Louisiana — were not informed of the hack until Politico contacted the NRCC on Monday with questions about the episode. Rank-and-file House Republicans were not told, either.

(Related) Another tool for spreading disinformation.
Chatbots Are a Danger to Democracy
We need to identify, disqualify and regulate chatbots before they destroy political speech.

Be careful how you hack. Valuing your house at $5 million might seem a bit suspicious in a neighborhood of $250,000 identical homes.
Letting Algorithms Replace Human Appraisers
  • Home appraisals could be done electronically without the need for a licensed human regulator, according to new proposals
  • Regulators say the vast majority of homes could be appraised using electronic algorithms which could make house buying faster and cheaper
  • About 214,000 home sales could have been made last year with the change
  • House appraisers were largely blamed for inflating prices during the crash…”

“We know everything about you and we can’t stop knowing.”
Google personalizes search results even when you’re logged out, new study claims
The amount of personalization inherent in any one of Google’s many massive software products runs deep, based on everything from your search history to your location to every single search link you might have clicked. And avoiding that personalization seems to have become more difficult over the years. According to a new study conducted by Google competitor DuckDuckGo, it does not seem possible to avoid personalization when using Google search, even by logging out of your Google account and using the private browsing “incognito” mode.

Probably seemed like a good idea at the time. If compliance is difficult, find an easier way!
Could GDPR Consent String Fraud Bring Down the Whole Ad Tech Ecosystem?
In an effort to get around some of the more onerous provisions of the European General Data Protection Regulation (GDPR), which went into effect in May 2018, some ad tech vendors appear to be engaging in a form of data privacy fraud known as “consent string fraud.” If this type of data privacy fraud becomes rampant and European regulators begin to assess fines against ad tech companies knowingly circumventing the GDPR, it could bring down the whole ad tech ecosystem. At the very least, it could have a chilling effect on the entire digital advertising industry as publishers and advertisers decide to scale back their activity.

How easily could you organize a “fake protest” using “fake news?”
How Facebook Groups sparked a crisis in France
What commentators are saying, both inside France and out, is that the movement has been organized primarily on Facebook. The writer Frederic Filloux described some of the group’s methods:
Two weeks ago, more than 1,500 Yellow Vests-related Facebook events were organized locally, sometimes garnering a quarter of a city’s population. Self-appointed thinkers became national figures, thanks to popular pages and a flurry of Facebook Live. One of them, Maxime Nicolle (107,000 followers), organizes frequent impromptu “lives”, immediately followed by thousands of people. His gospel is a hodgepodge of incoherent demands but he’s now a national voice.
Writing for Bloomberg (and quoting a French-language column I couldn’t read myself), Leonid Bershidsky argues that Facebook’s decision to promote posts from groups in the News Feed may have exacerbated the protests.

Perspective. The world is about to change (again). Not everywhere and not for everyone.
Riding in Waymo One, the Google spinoff’s first self-driving taxi service
… Waymo, the self-driving subsidiary of Alphabet, launched its first commercial autonomous ride-hailing service here in the Phoenix suburbs on Wednesday — a momentous moment for the former Google self-driving project that has been working on the technology for almost a decade. I was one of the lucky few to test out the company’s robot taxi experience a week before the launch. And I say “lucky” because to ride in one of Waymo’s autonomous minivans, not only do you have to live in one of four suburbs around Phoenix, but you also have to be in a very exclusive, 400-person club called the Early Riders.
… The cars aren’t fully driverless yet: they will include “trained drivers” behind the steering wheel until Waymo decides to pull them out. Chu says it will test a variety of “configurations;” the company says it will eventually offer driverless rides, but it declined to give an exact date.

Perspective. This is largely about self-driving cars and the switch to electric cars.

Keeping up with my students. (More likely, their children)

Something for my students to consider.
Kik is an instant messenger service that’s increasingly popular with teens and young adults, but it doesn’t have the best reputation
… You sign up using an email address and password, negating the need for a phone number. If you want hands-on experience yourself, it’s free for iPhone and Android.

I gotta get me one of these!