Monday, August 13, 2018

NOW will you listen to the experts and do something about security? (Probably not.)
An 11-year-old changed election results on a replica Florida state website in under 10 minutes
An 11-year-old boy on Friday was able to hack into a replica of the Florida state election website and change voting results found there in under 10 minutes during the world’s largest yearly hacking convention, DEFCON 26, organizers of the event said.
… Nico Sell, the co-founder of the non-profit r00tz Asylum, which teaches children how to become hackers and helped organize the event, said an 11-year-old girl also managed to make changes to the same Florida replica website in about 15 minutes, tripling the number of votes found there.
Sell said more than 30 children hacked a variety of other similar state replica websites in under a half hour.
“These are very accurate replicas of all of the sites,” Sell told the PBS NewsHour on Sunday. “These things should not be easy enough for an 8-year-old kid to hack within 30 minutes, it’s negligent for us as a society.”
Sell said the idea for the event began last year, after adult hackers were able to access similar voting sites in less than five minutes.
“So this year we decided to bring the voting village to the kids as well,” she said.

Of course they can be hacked.
Police Bodycams Can Be Hacked to Doctor Footage
As they proliferate, police body cameras have courted controversy because of the contentious nature of the footage they capture and questions about how accessible those recordings should be.
But when it comes to the devices themselves, the most crucial function they need to perform—beyond recording footage in the first place—is protecting the integrity of that footage so it can be trusted as a record of events. At the DefCon security conference in Las Vegas on Saturday, though, one researcher will present findings that many body cameras on the market today are vulnerable to remote digital attacks, including some that could result in the manipulation of footage.
… In all but the Digital Ally device, the vulnerabilities would allow an attacker to download footage off a camera, edit things out or potentially make more intricate modifications, and then re-upload it, leaving no indication of the change. Or an attacker could simply delete footage they don't want law enforcement to have.

Think of a technology that allows you to print out some data you have in your computer, send it electronically then require the recipient to re-enter it into their computer. Gosh I hate Fax machines. Technology invented before the Civil War is probably not the optimal technology to use today.
Hackers could use fax machines to take over entire networks, researchers warn
Researchers at Nasdaq-listed Check Point Software Technologies said that fax machines — which still reside in many offices — have serious security flaws. Those vulnerabilities could potentially allow an attacker to steal sensitive files through a company's network using just a phone line and a fax number.
In a report released on Sunday, Check Point researchers showed how they were able to exploit security flaws present in a Hewlett Packard all-in-one printer. Standalone fax machines are a rarity in companies today, but the fax function is still present in commonplace all-in-one printers.

American parents would panic. Is it possible the French can’t figure out how to use Smartphones in the classroom? Mon Dieu!
French school students to be banned from using mobile phones
French school students will be banned from using mobile phones anywhere on school grounds from September, after the lower house of parliament passed what it called a “detox” law for a younger generation increasingly addicted to screens.
The centrist president Emmanuel Macron had promised during his election campaign that he would outlaw children’s phones in nursery, primary and middle-schools, until around the age of 15.
The new law bans phone-use by children in school playgrounds, at breaktimes and anywhere on school premises. Legislation passed in 2010 already states children should not use phones in class.

Perspective. An interesting article.
AI is bringing a new set of rules to knowledge work
The rules of the physical world are either not applicable or are severely diminished. Things move from sparsity to abundance, where consumption does not lead to depletion. To the contrary, the more an object is consumed, the more valuable it becomes. Cost of production and distribution is no longer critical, and the concept of inventory is no longer applicable.
When things go digital, they also move from linear to exponential – a world in which new technologies and new players can enter and dominate an industry in just a few years.
Consider that each year more people take online courses offered by Harvard than the number of students who attended Harvard in its 380-year history. Each year, three times more people use online dispute resolutions to resolve disputes on eBay® than lawsuits filed in the United States. Each day, five billion videos are watched on YouTube®. For context, the first YouTube video was uploaded in 2005. I was talking to a gentleman at Facebook® recently who said, “I joined Facebook three years ago and 70 percent of the company started after me.” Talk about hyper-growth businesses!

Sunday, August 12, 2018

Not sure I’d go that far.
Why I Love the GDPR: 10 Reasons
I have a confession to make, one that is difficult to fess up to on the US side of the pond: I love the GDPR.
There, I said it. . .
In the United States, a common refrain about GDPR is that it is unreasonable, unworkable, an insane piece of legislation that doesn’t understand how the Internet works, and a dinosaur romping around in the Digital Age.
But the GDPR isn’t designed to be followed as precisely as one would build a rocket ship. It’s an aspirational law. Although perfect compliance isn’t likely, the practical goal of the GDPR is for organizations to try hard, to get as much of the way there as possible.
The GDPR is the most profound privacy law of our generation. Of course, it’s not perfect, but it has more packed into it than any other privacy law I’ve seen.

Electric scooters are going to be a tough sell…
Los Angeles residents burning, vandalizing shared electric scooters: report
Electric scooter-sharing programs are becoming increasingly common in cities across the United States, but some Los Angeles residents have become frustrated with the motorized scooter and are fighting back against them – literally – according to the Los Angeles Times.
Videos of people kicking, throwing and burying the scooters at sea have popped up across social media, the L.A. Times reported. An Instagram account titled "Bird Graveyard" – a reference to the scooter company Bird – has acquired more than 25,000 followers and features images and videos of scooters that have been lit on fire, tossed into canals, smeared with feces and broken into pieces.

(Related) Really tough.
A 183-year-old law created for horse-drawn carriages has frustrated Silicon Valley's buzziest startups
… Electric scooters are illegal on public UK streets and pavements, meaning Bird and its rivals would be flouting the law if they tried to launch in Britain. And that's partly thanks to a 183-year-old act originally designed to stop nuisance behaviour from horse-drawn carriage drivers, and those driving cattle.
The UK government categorises electric scooters as "carriages," which are not permitted on pavements under the 1835 Highways Act.
… And what about electric scooters on roads?
That's still (mostly) illegal, because the government requires scooter owners to register their vehicles with the DVLA, the UK's driving authority. And in order to pass the DVLA's strict requirements, a scooter would need to have three wheels (most operate with two), and be fitted with brakes and lights. That rules out most popular types of scooter.

Saturday, August 11, 2018

Another case of “Sorry. Security wasn’t on our checklist.”
Researcher Finds Hundreds of Planes Exposed to Remote Attacks
A researcher has discovered that hundreds of airplanes from several airlines could have been hacked remotely from the ground through vulnerabilities in satellite communications systems.
Back in 2014, IOActive Principal Security Consultant Ruben Santamarta published a research paper describing theoretical attack scenarios on satellite communications. The expert resumed his research in November 2017, after taking a look at the in-flight entertainment system during a Norwegian flight.
After passively collecting traffic from the airplane’s Wi-Fi network, Santamarta noticed that several commonly used services, such as Telnet, HTTP and FTP, were available for certain IP addresses, and some interfaces associated with the plane’s on-board satellite communications (satcom) modems were accessible without authentication.
According to the researcher, the flaws he has identified can be exploited to hack millions of devices found in aircraft, government agencies, and smart cities.

“We just assumed the vendor checked it.”
… TSMC’s personnel set up a new manufacturing tool on Friday, August 3, and then installed software for the device. The machine was not isolated and confirmed to be malware-free before connecting it to TSMC’s internal network. Consequently, the introduction of a malware-infected machine to TSMC's internal production network allowed the malware to quickly spread and infect computers, production equipment, and automated materials handling systems across TSMC’s fabs.
According to the chipmaker, the malware was a variant of the WannaCry ransomware cryptoworm.

Interesting. If this was used by a political party to influence an election, would it be illegal? Should elected officials ignore emails or Tweets like these?
Forget Astroturfing: Startups Can Just "Brobilize" Customers For Lobbying Efforts
Despite $415 million in funding and a giant fleet of electric scooters scattered all across the streets of San Francisco, the startup Bird only lasted a few months before city supervisors voted to boot them from the City by the Bay. But then, nine weeks after the sidewalks were cleared, San Francisco customers got an email asking them to help “Bring Bird Back to San Francisco!” by contacting their local elected official. The email contains a link to a website where customers can send a prewritten message, in the form of a tweet or an email, to city officials by just entering their name and contact information and clicking send.
“Please bring Bird back to San Francisco,” the email message says. “While I understand the need for reasonable regulations, it has been nearly two months since I’ve had access to this affordable, sustainable transportation option.” While it’s hard to know (for anyone other than Bird) how many people emailed, there were plenty who weren’t shy about sending a tweet.
Unlike the neighborhood bakery that wants customers to add their names and addresses to a petition for expanded outdoor seating, tech companies typically already know who and where their users are. It means startups can mobilize — or brobilize — thousands of people via a simple email or push notification to blast targeted messages to their elected officials, often with just a few clicks. It’s like astroturfing for the always-on, location-aware era.
… These click-to-lobby efforts have been ramping up for a few years now as elected officials get more serious about regulating tech (or more cognizant of the political value of appearing to do so) and startups increasingly ask their user bases to defend them in response.

Legal technology, when nothing else works!
DNC serves WikiLeaks with lawsuit via Twitter
As CBS News first reported last month, the DNC filed a motion with a federal court in Manhattan requesting permission to serve its complaint to WikiLeaks on Twitter, a platform the DNC argued the website uses regularly. The DNC filed a lawsuit in April against the Trump campaign, Russian government and WikiLeaks, alleging a massive conspiracy to tilt the 2016 election in Donald Trump's favor.
All of the DNC's attempts to serve the lawsuit via email failed, the DNC said in last month's motion to the judge, which was ultimately approved.
The lawsuit was served through a tweet from a Twitter account established Friday by Cohen Milstein, the law firm representing the DNC in the suit, with the intent of serving the lawsuit.

It’s fun to speculate. I would say option three is most useful.
What the Facebook Crypto team could build
Facebook is invading the blockchain, but how? Back in May, Facebook formed a cryptocurrency team to explore the possibilities, and today it removed a roadblock to revealing its secret plans.
Former head of Messenger David Marcus, who leads the Facebook Crypto team, today announced he was stepping down from the board of Coinbase, the biggest crypto startup.
… So what could Facebook be building? I see three main consumer-facing opportunities.
3% off with FaceCoin
Facebook could build a cryptocurrency wallet with its own token that people could use to pay for things with partnered businesses or that they discover through Facebook ads. Because blockchain can make transactions free or very cheap, Facebook and its partners could sidestep the typical credit card processing fees. That would potentially allow Facebook to offer users “3% off purchases made with FaceCoin” or a similar promotion.
P2P and micropayments
Facebook already lets you send friends money through Messenger for free, but only with a connected debit card or PayPal account. Facebook could offer cryptocurrency-based payments between friends to let a wider range of users settle debts for shared dinners or taxis through Messenger.
Facebook Connect for crypto
A top problem in the world of decentralized blockchain apps is how you bring your identity with you. Securely connecting your wallet, blockchain-based virtual goods and biographical info to new dApps can be a laborious process.
… Facebook could use its expertise in operating a popular identity platform to ease login to dApps. While the company has faced plenty of privacy issues and attacks on election integrity, Facebook has a strong record of not being traditionally hacked. It hasn’t suffered a massive user data breach like LinkedIn, Twitter and other social networks. Using an overtly centralized identity system to connect with decentralized apps might be counterintuitive, but Facebook could deliver the UX convenience necessary to unlock a new wave of blockchain utility.

Another stock I never heard of…
Google's data privacy concerns are a surprising boon for ad-tech firm Trade Desk
In April, pressured by new privacy rules in Europe, Google told advertisers they would no longer have access to some critical measurement data when building online campaigns.
Digital ad company Trade Desk is reaping the rewards.
Trade Desk shares soared 32 percent on Friday, a day after the company reported earnings that blew by analysts' estimates and raised its forecast. On the conference call with analysts, CEO Jeff Green said one of the primary drivers in the quarter was Google's move on privacy, which pushed advertisers to Trade Desk.
Here's what happened. In conjunction with the General Data Protection Regulation (GDPR) that the European Union implemented in May, Google told clients that they could no longer have access to the DoubleClick ID to analyze ad measurement data across the web.
The data is highly valuable because it allows marketers to see how ads are performing on Google sites, including YouTube, compared with the rest of the web.
… "In my view, Google's decision to remove this ID offering is driven by their increasing need to reduce risk against malicious data enablement, like what we saw Cambridge Analytica do with social data," Green said. "The risk is similar for both Google and Facebook. The risk exists because Google, at the fundamental level of their business, transacts in directly identifiable consumer data. Google knows so much about billions of consumers because of their core product, their search engine."
Green said that marketers are shifting to Trade Desk, because it gives them a neutral tool to see how campaigns are performing. Advertisers can "compare every destination on their media plan to every other destination objectively," he said.

Interesting. Would this translate to other fields? Probably.
… We’ve explored the nature of the new value-enhancing roles that will emerge and identified three new categories of AI-driven jobs:
Trainers who help AI systems learn how to perform, which includes everything from helping natural language processors and language translators make fewer errors, to teaching AI algorithms how to mimic human behaviors.
Explainers who interpret the results of algorithms to improve transparency and accountability for AI decision making and processes.
Sustainers who ensure intelligent systems stay true to their original goals without crossing ethical lines or reinforcing bias.

I always like to read about New Records! (Even if it is in a narrow area.)
Ford: This may be one of the largest frauds in the history of the United States
Ford Motor Credit filed additional documents with the bankruptcy court Friday morning, claiming this may be one of the largest floor-plan financing frauds in the history of the United States.
The documents said Reagor-Dykes Auto Group hid the "massive breach" from Ford Credit by fraudulently misrepresenting sales-reporting data to Ford Credit. The company believed Reagor-Dykes was timely paying off cars it sold to the public; however, Ford Credit said the company was selling vehicles on average 55 days before reporting it to Ford Credit.
… The document also said Reagor-Dykes fraudulently secured double-flooring from Ford Credit. Double-flooring means automobile dealers receive funding twice for the same vehicle; it is an illegal practice where a single vehicle is used as collateral for more than one loan.
Ford Credit also claims Reagor-Dykes obtained inventory financing for cars it had already sold, representing to Ford Credit they still had the car as inventory and then obtained additional financing.

Friday, August 10, 2018

Final exam question: The default setting is “NOT SECURE.” What should your first step be?
Mallory Locklear reports:
Data leaks are par for the course these days, and the latest company to be involved in one is GoDaddy. The company, which says it’s the world’s top domain name registrar with over 18 million customers, is the subject of a new report from cybersecurity firm UpGuard that was shared exclusively with Engadget. In June, cyber risk analyst Chris Vickery discovered files containing detailed server information stored in an unsecured S3 bucket — a cloud storage service from Amazon Web Services. A look into the files revealed multiple versions of data for over 31,000 GoDaddy systems.
Read more on Engadget.
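Added here as an illustration, not from the Engadget report or from UpGuard: the offline check I would run over a bucket's policy and ACL documents (the JSON that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return; the policy comes back as a string you `json.loads` first) to see whether either mechanism grants access to everyone. The sample documents, bucket name, account ID and role name are constructed.

```python
import json

# The two grantee groups that make an ACL grant world-accessible.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    """True for the wildcard principal in either of its JSON spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def policy_public_statements(policy):
    """Sids (or positional labels) of Allow statements open to any principal.
    Statements carrying a Condition are left for manual review, not flagged."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may appear un-listed
        statements = [statements]
    hits = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits

def acl_public_grants(acl):
    """(group, permission) pairs that the ACL hands to the global groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GRANTEES:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits

def bucket_is_public(policy, acl):
    """Either mechanism alone is enough to expose the bucket's contents."""
    return bool(policy_public_statements(policy) or acl_public_grants(acl))

# Constructed sample documents; not real GoDaddy or UpGuard data.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

LOCKED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "OpsRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops-reader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

LOCKED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    for name, pol, acl in [("open", OPEN_POLICY, OPEN_ACL), ("locked", LOCKED_POLICY, LOCKED_ACL)]:
        print(name, "public" if bucket_is_public(pol, acl) else "private",
              policy_public_statements(pol), acl_public_grants(acl))
```

The check deliberately skips conditioned statements: a wildcard principal narrowed by a source-IP or VPC condition may be fine, but it needs a human to decide, so the script reports only the unambiguous cases.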

An ethical hacking tool. OR Why I remain anti-social.
New facial recognition tool tracks targets across different social networks
The Verge – The open-source program is designed for security researchers: “Today, researchers at Trustwave released a new open-source tool called Social Mapper, which uses facial recognition to track subjects across social media networks. Designed for security researchers performing social engineering attacks, the system automatically locates profiles on Facebook, Instagram, Twitter, LinkedIn, and other networks based on a name and picture. Those searches can already be performed manually, but the automated process means it can be performed far faster and for many people at once. “Performing intelligence gathering online is a time-consuming process,” Trustwave explained in a post this morning. “What if it could be automated and done on a mass scale with hundreds or thousands of individuals?” Social Mapper doesn’t require API access to social networks, a restriction that has hampered social media tracking tools like Geofeedia. Instead, the system performs automated manual searches in an instrumented browser window, then uses facial recognition to scan through the first 10 to 20 results for a match. The manual searches mean the tool can be quite slow compared to API-based scans. The developer estimates that searching a target list of 1,000 people could take more than 15 hours. The end result is a spreadsheet of confirmed accounts for each name, perfect for targeted phishing campaigns or general intelligence gathering. Trustwave’s emphasis is on ethical hacking — using phishing techniques to highlight vulnerabilities that can then be fixed — but there are few restrictions on who can use the program. Social Mapper is licensed as free software, and it’s freely available on GitHub…”

I should poll my students before showing them this.
Study – How Do Americans Feel About Online Privacy in 2018?
The Best VPN – “Concerns around online privacy have come to a head in 2018. In mid-March, The New York Times and The Guardian reported that data from 50 million Facebook profiles was harvested for data mining firm Cambridge Analytica — a number that would eventually be revised to 87 million in one of the largest data collection scandals of all time. Two months later, inboxes were flooded by a slew of privacy policy updates following the implementation of the EU’s GDPR, a privacy policy law that set guidelines for the collection and use of data. Although the law was designed to increase transparency regarding the collection of data, the updates raised user concern around how companies had been obtaining and using personal information in the past. So, with thundering headlines about data breaches and privacy loss stoking fears, just how are Americans feeling about their online privacy? To answer this question, we used Google Surveys to target 1,000 Americans of all genders and ages across the United States. Read on to see how we conducted our survey and learn more about our individual findings, or jump to view our full infographic…”

The Internet equivalent of shouting “Fire!” in a crowded theater?
Hard Questions: Where Do We Draw The Line on Free Expression?
… While we’re not bound by international human rights laws that countries have signed on to, we are a member of a global initiative that offers internet companies a framework for applying human rights principles to our platforms. We look for guidance in documents like Article 19 of the International Covenant on Civil and Political Rights (ICCPR), which set standards for when it’s appropriate to place restrictions on freedom of expression. ICCPR maintains that everyone has the right to freedom of expression — and restrictions on this right are only allowed when they are “provided by law and are necessary for: (a) the respect of the rights or reputations of others; (b) for the protection of national security or of the public order, or of public health or morals.”
… Posts that contain a credible threat of violence are perhaps the most obvious instances where restricting speech is necessary to prevent harm.
… Hate speech too can constitute harm because it creates an environment of intimidation and exclusion and in some cases may have dangerous offline implications. It is perhaps one of the most challenging of our standards to enforce because determining whether something is hate speech is so dependent on the context in which it is shared.
… It’s important to note that whether or not a Facebook post is accurate is not itself a reason to block it.

Facebook Blocks Sharing Of 3D-Printed Gun Files On Its Platforms
… “Sharing instructions on how to print firearms using 3D printers is not allowed under our Community Standards,” Facebook said in a statement. “In line with our policies, we are removing this content from Facebook.”

Security Perspective.
Don't Fear the TSA Cutting Airport Security. Be Glad That They're Talking about It.
… We don't know enough to conclude whether this is a good idea, but it shouldn't be dismissed out of hand. We need to evaluate airport security based on concrete costs and benefits, and not continue to implement security theater based on fear. And we should applaud the agency's willingness to explore changes in the screening process.
… Over the years, I have written many essays critical of the TSA and airport security, in general. Most of it is security theater – measures that make us feel safer without improving security. For example, the liquids ban makes no sense as implemented, because there's no penalty for repeatedly trying to evade the scanners. The full-body scanners are terrible at detecting the explosive material PETN if it is well concealed – which is their whole point.
There are two basic kinds of terrorists. The amateurs will be deterred or detected by even basic security measures. The professionals will figure out how to evade even the most stringent measures. I've repeatedly said that the two things that have made flying safer since 9/11 are reinforcing the cockpit doors and persuading passengers that they need to fight back. Everything beyond that isn't worth it.

'Snapchat dysmorphia' is a disturbing new phenomenon where people want to look more like their filtered selfies
Instagram and Snapchat filters are the new celebrity photo, offering up unrealistic standards of beauty that might trigger people to feel unhappy with the way they look in real life.
That's according to three Boston University researchers, who published an article about body dysmorphia in the JAMA Facial Plastic Surgery medical journal this month. The article is not a study, but an overview of industry research and studies.

Free is good!
Roku is moving beyond its own platform by launching The Roku Channel on the web. This means you no longer need to own a Roku device to watch Roku’s free, ad-supported movie channel. Instead, you just need a web browser pointed at

Thursday, August 09, 2018

Too clever for their own good. “It’s a lot easier if we don’t bother with all that security stuff.”
Security Flaws On Comcast’s Login Page Exposed Customers’ Personal Information
Comcast Xfinity inadvertently exposed the partial home addresses and Social Security numbers of more than 26.5 million customers, according to security researcher Ryan Stevenson, who discovered the security flaws. Two previously unreported vulnerabilities in the high-speed internet service provider’s online customer portal made it easy for even an unsophisticated hacker to access this sensitive information.
After BuzzFeed News reported the findings to Comcast, the company patched the flaws.
… One of the flaws could be exploited by going to an “in-home authentication” page where customers can pay their bills without signing in. The portal asked customers to verify their account by choosing from one of four partial home addresses it suggested, if the device was (or seemed like it was) connected to the customer’s home network. If a hacker obtained a customer’s IP address and spoofed Comcast using an X-Forwarded-For technique, they could repeatedly refresh this login page to reveal the customer’s location. That’s because each time the page refreshed, three addresses would change, while one address, the correct address, remained the same.
… In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ Social Security numbers. Armed with just a customer’s billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.
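The two mistakes above are common enough to be worth seeing in code. What follows is an added example, not Comcast's code or anything from the BuzzFeed report: a client-IP lookup that trusts X-Forwarded-For from anyone beside one that only honours it from our own proxies, the intersection trick that turns a "three decoys rotate, one stays" page into a leak, and a last-four-digits form with and without an attempt limit. Addresses, proxy IPs and the secret digits are constructed.

```python
import random

def client_ip_vulnerable(remote_addr, headers):
    """Believes X-Forwarded-For from anyone. A visitor who sets it to a
    customer's home IP is treated as being on that customer's home network."""
    xff = headers.get("X-Forwarded-For", "")
    if xff.strip():
        return xff.split(",")[0].strip()
    return remote_addr

def client_ip_hardened(remote_addr, headers, trusted_proxies):
    """Honour X-Forwarded-For only when the TCP peer is one of our own proxies,
    then walk the chain from the right past our proxies to the first hop we
    did not add ourselves. A direct visitor cannot forge an address this way."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr

def serve_address_choices(real_address, decoy_pool, rng):
    """Model of the 'pick your address' page: the real one plus three fresh decoys."""
    choices = rng.sample(decoy_pool, 3) + [real_address]
    rng.shuffle(choices)
    return choices

def recover_constant_choice(pages):
    """Intersect the options seen across refreshes; only the fixed entry survives."""
    survivors = set(pages[0])
    for page in pages[1:]:
        survivors &= set(page)
    return survivors

def sample_refreshes(real_address, refreshes, seed=1):
    """Deterministic set of page loads for the demonstration."""
    rng = random.Random(seed)
    return [serve_address_choices(real_address, DECOYS, rng) for _ in range(refreshes)]

class Last4Verifier:
    """Server side of the 'last four digits' form. max_attempts=None reproduces
    the unlimited behaviour described above; a small number closes the hole."""
    def __init__(self, secrets, max_attempts=None):
        self.secrets = secrets
        self.max_attempts = max_attempts
        self.failures = {}

    def verify(self, key, guess):
        if self.max_attempts is not None and self.failures.get(key, 0) >= self.max_attempts:
            return "locked"
        if self.secrets.get(key) == guess:
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        return "wrong"

def brute_force_last4(verifier, key):
    """Attacker loop over all 10,000 candidates; stops when the server locks the key.
    Returns (digits found or None, guesses the server actually accepted)."""
    guesses = 0
    for n in range(10000):
        result = verifier.verify(key, f"{n:04d}")
        if result == "locked":
            break
        guesses += 1
        if result == "ok":
            return f"{n:04d}", guesses
    return None, guesses

# Constructed sample data (RFC 5737 test addresses, made-up street addresses).
TRUSTED_PROXIES = {"10.0.0.5"}
DECOYS = [f"{n} Elm St" for n in range(100, 200)]

if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "198.51.100.23"}
    print(client_ip_vulnerable("203.0.113.7", spoof), client_ip_hardened("203.0.113.7", spoof, TRUSTED_PROXIES))
    print(recover_constant_choice(sample_refreshes("12 Main St", 8)))
    print(brute_force_last4(Last4Verifier({"12 Main St": "4321"}), "12 Main St"))
    print(brute_force_last4(Last4Verifier({"12 Main St": "4321"}, max_attempts=5), "12 Main St"))
```

Two things the code makes concrete: the address page would still leak even with the IP check fixed, because any fixed element among rotating decoys falls out of a handful of refreshes, so the fix is to stop showing the real value to an unauthenticated visitor at all; and a four-digit verifier without a lockout is a 10,000-guess problem, which the limiter turns into a five-guess one.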

The Terminator is a hacker!
IBM Demonstrates DeepLocker AI Malware at Black Hat
IBM will detail at Black Hat USA here on Aug. 8 a new class of attacks dubbed DeepLocker that uses artificial intelligence to bypass cyber-security protections.
With DeepLocker, IBM researchers will demonstrate an evasive attack vector that has been developed as a proof of concept. According to IBM, DeepLocker can be used to keep ransomware or other malware hidden from traditional security tools. IBM's goal with the presentation is not to promote fear about AI, but rather to help organizations start to think about how attackers can use AI and how to minimize risks.
"DeepLocker malware is fundamentally different from any other malware we are aware of. It uses AI to hide a malicious application in benign payloads," Marc Ph. Stoecklin, principal research scientist and manager of Cognitive Cybersecurity Intelligence at IBM Research, told eWEEK. "With AI, we can conceal and hide the condition of when the malicious payload is being unlocked, making it almost impossible to reverse-engineer."

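A stripped-down illustration of the property Stoecklin describes, added here and not IBM's code: the unlock condition is not a branch an analyst can find and flip, it is the key itself. DeepLocker derives that key from a deep neural network's output on target attributes; here a SHA-256 over the canonicalised attributes stands in for the model, which loses the network's tolerance for near matches but keeps the point that nothing in the locked blob reveals the trigger or the key. The attribute names, values and the (harmless) payload are made up.

```python
import hashlib
import hmac
import os

def derive_key(attributes):
    """Stand-in for DeepLocker's neural network: the key exists only when the
    exact trigger attributes are observed. Canonicalise, then hash."""
    canon = "\n".join(f"{k}={attributes[k]}" for k in sorted(attributes))
    return hashlib.sha256(canon.encode()).digest()

def _keystream(key, nonce, length):
    """SHA-256 in counter mode; stdlib only, enough for a demonstration."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def lock(payload, trigger_attributes, nonce=None):
    """Return nonce || tag || ciphertext. Neither the key nor the trigger values
    are stored, so static inspection of the blob cannot recover the condition."""
    nonce = nonce if nonce is not None else os.urandom(16)
    if len(nonce) != 16:
        raise ValueError("nonce must be 16 bytes")
    key = derive_key(trigger_attributes)
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + tag + ciphertext

def unlock(blob, observed_attributes):
    """Payload if the observed attributes reproduce the key, else None. A wrong
    environment fails the MAC rather than yielding garbled bytes to study."""
    nonce, tag, ciphertext = blob[:16], blob[16:48], blob[48:]
    key = derive_key(observed_attributes)
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))

# Constructed trigger and payload for the demonstration; nothing here is real.
TRIGGER = {"hostname": "finance-ws-17", "user": "asmith"}
DEMO_PAYLOAD = b"benign demo payload"

if __name__ == "__main__":
    blob = lock(DEMO_PAYLOAD, TRIGGER)
    print("on target:  ", unlock(blob, TRIGGER))
    print("wrong host: ", unlock(blob, {"hostname": "finance-ws-18", "user": "asmith"}))
    print("trigger visible in blob:", b"finance-ws-17" in blob)
```

For the defender the lesson is the one IBM draws: a sandbox that does not present the exact target attributes sees only an opaque blob and a failed MAC, so detection has to come from the unlock machinery itself (a model plus key derivation plus decryption in one artifact is unusual) or from behaviour once it fires, not from signatures on the payload.
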
We’re studying computer law this week.
From Hunton Andrews Kurth:
On August 3, 2018, California-based Unixiz Inc. (“Unixiz”) agreed to shut down its “i-Dressup” website pursuant to a consent order with the New Jersey Attorney General, which the company entered into to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the New Jersey Consumer Fraud Act. The consent order also requires Unixiz to pay a civil penalty of $98,618.
The charges stemmed from a 2016 data breach in which hackers compromised more than 2.2 million unencrypted usernames and passwords, including those associated with over 24,000 New Jersey residents’ accounts. The New Jersey Attorney General alleged that Unixiz had actual knowledge that the i-Dressup website (which allowed users to “dress, style and make-up animated characters in various outfits” and featured children’s games) had collected the personal information of over 10,000 children and failed to obtain verifiable parental consent for such collection, in violation of COPPA.

My students are amazed to learn I don’t own a SmartPhone.
Department of Homeland Security-funded research by Virginia-based security firm Kryptowire has allegedly discovered major security flaws in numerous phones, according to a report on cybersecurity site Fifth Domain.
According to the report, DHS Science and Technology Directorate program manager Vincent Sritapan said at the Black Hat conference in Las Vegas that the vulnerabilities have been discovered in phones carried by all four major carriers: Verizon, AT&T, T-Mobile, and Sprint. The exact nature of the vulnerabilities was not released, though they allegedly can take control of a targeted device:
The vulnerabilities are built into devices before a customer purchases the phone. Researchers said it is not clear if hackers have exploited the loophole yet.
Department of Homeland Security officials declined to say which manufacturers have the underlying vulnerabilities.
Millions of users in the U.S. are likely at risk, a source familiar with the research said, although the total number is not clear.

(Related) The world, she is a-changing! I can’t get back into the country without a laptop for TSA to browse, now I can’t get into a Broncos’ game without a SmartPhone!
Broncos switch to mobile-only tickets: 4 things you need to know
Anyone going to a game at Broncos Stadium at Mile High will need to use mobile entry to get into the game. The team said it made the change as a way to reduce counterfeiting and fraud, and to make it easier and quicker to enter the stadium.

There will be no paper tickets

Broncos 365 app

Single-game and season tickets will only be available in the Broncos 365 app which is available for Apple and Android devices. If you don’t have an Apple or Android device, you can use your smartphone’s browser to log into your account and access your tickets.

Parking passes need to be printed

The Broncos say that printed parking passes help police and parking attendants ensure smoother entry and exit from the parking lots.

Concept. Probably much easier than, but very similar in concept to, finding bad guys in a Super Bowl crowd.
This robot uses AI to find Waldo, thereby ruining Where’s Waldo

YouTube is about to pass Facebook as the second biggest website in US, according to new study
In the competition to be top website, Facebook may cede its runner-up position to YouTube in the next two to three months, according to a new study shared with CNBC by market research firm SimilarWeb.
The five websites receiving the most traffic in the U.S. in the last several years have been Google, Facebook, YouTube, Yahoo and Amazon, in that order. However, Facebook has seen a severe decline in monthly page visits, from 8.5 billion to 4.7 billion in the last two years, according to the study. Although Facebook's app traffic has grown, it is not enough to make up for that loss, the study said.
… The study projects that Amazon will take over Yahoo's ranking in the next two to three months.
However, none of the bottom four of the top five comes close to Google. Although it has seen some decline in website traffic thanks to app use and voice search, it saw approximately 15 billion visits in July 2018, the study said. The others were all below 5 billion, according to the report.

I may get to teach Excel this Quarter.
Meet the 15-year-old who's the Microsoft Excel world champion (which is a real thing)
… Yes, there is an annual championship that challenges competitors on their knowledge of Microsoft Office applications — and no, your self-proclaimed proficiency in Microsoft listed under the "special skills" section of your resume probably won't make the cut.
Students between ages 13 and 22 spend months — sometimes years — preparing for the championship, working their way up through placement tests, regional and national competitions in three Microsoft categories: Word, Excel and PowerPoint.

Wednesday, August 08, 2018

Pay me now or pay me later.
At $17 million, Atlanta network recovery six times more expensive than estimated
The SamSam ransomware attack on the city of Atlanta in March is probably one of the most expensive security incidents, with the recovery cost adding up to some $17 million of taxpayers’ money, according to a seven-page “confidential and privileged” report accessed by The Atlanta Constitution-Journal and Channel 2 Action News. City officials had already secured $6 million for the recovery project, while initial forecasts said it would cost about $3 million. Now, it seems, the project will cost an extra $11 million.
After years of repeated warnings from the city’s auditor about its security vulnerabilities and lack of disaster recovery plans, the city of Atlanta didn’t invest much effort in upgrading infrastructure security.
… After refusing to pay a $51,000 ransom in bitcoin following the breach, the city is now looking at a very expensive outlay that involves paying for improved security services, software upgrades, as well as purchasing new desktops, laptops, smart phones and tablets.
… When the Department of Transportation in Colorado was hit by ransomware, by comparison, the estimated recovery cost was $2 million.

Might be amusing to have my students “compare and contrast” the responses from the various players.
Apple responds to Congress' letter on data security and privacy
Apple has just responded to Congress' inquiry on how it protects user privacy.
The House Committee on Energy and Commerce last month sent letters to Apple CEO Tim Cook and Alphabet CEO Larry Page asking about the companies' data security and privacy practices. The five-page letter to Cook asked detailed questions about how Apple collected user data and what it used it for.
In a response Tuesday, Apple reiterated that it collects as little data as possible as a practice.

An interesting tool from Programmers You Might Know…
Last year, we launched an investigation into how Facebook’s People You May Know tool makes its creepily accurate recommendations. By November, we had it mostly figured out: Facebook has nearly limitless access to all the phone numbers, email addresses, home addresses, and social media handles most people on Earth have ever used. That, plus its deep mining of people’s messaging behavior on Android, means it can make surprisingly insightful observations about who you know in real life—even if it’s wrong about your desire to be “friends” with them on Facebook.
In order to help conduct this investigation, we built a tool to keep track of the people Facebook thinks you know. Called the PYMK Inspector, it captures every recommendation made to a user for however long they want to run the tool. It’s how one of us discovered Facebook had linked us with an unknown relative. In January, after hiring a third party to do a security review of the tool, we released it publicly on Github for users who wanted to study their own People You May Know recommendations.

Would this apply to any violent rally?
Subpoena for app called ‘Discord’ could unmask identities of Charlottesville white supremacists
… Discord, which was started in 2015 as a secure chat app for videogamers, also happened to be conducive for white supremacists, white nationalists, neo-Nazis and other members of the alt-right movement who sought to keep their identities secret.
… Attorneys for the counterprotesters have argued that these Discord messages and hundreds of others are central to proving that Unite the Right organizers “conspired to commit acts of violence, intimidation and harassment” against people in Charlottesville that weekend. The attorneys filed a subpoena for Discord, seeking to obtain the messages and account information of more than 30 anonymous users who appear to have participated in the Unite the Right rally.
But one anonymous woman, the one called “kristall.night,” filed suit seeking to quash the subpoena that could unmask her and dozens of other users. She claimed the counterprotesters were intentionally seeking to “out” her as a member of the alt-right movement, putting her in fear of her own safety. Revealing her identity, her attorney argued, would infringe on her First Amendment rights to engage in “anonymous speech” and to associate with a politically unpopular group.
On Monday, however, a magistrate in California disagreed.
U.S. Chief Magistrate Judge Joseph C. Spero declined to fully quash the Discord subpoena, finding that the plaintiffs’ interest in discovering her identity as a possible witness or co-conspirator behind the Unite the Right rally outweighed her right to speak anonymously on the Internet.
… Spero agreed to quash the portion of the subpoena seeking the contents of the messages, saying it violates the Stored Communications Act.

Perspective. Why would anyone decide to give up an audience? Is compliance that expensive? Perhaps this is an opportunity for someone to provide the tools for a nominal fee?
More than 1,000 U.S. news sites are still unavailable in Europe, two months after GDPR took effect
Websites had two years to get ready for the GDPR. But rather than comply, about a third of the 100 largest U.S. newspapers have instead chosen to block European visitors to their sites.
… The GDPR requires websites to obtain consent from users before collecting personal information, explain what data are being collected and why, and delete a user’s information if requested. Violating the GDPR can draw a hefty fine — as much as 4 percent of a company’s annual revenue.
Websites had two years to get ready for the GDPR. Rather than comply, about a third of the 100 largest U.S. newspapers have opted to block their sites in Europe. They include the Chicago Tribune, New York Daily News, Dallas Morning News, Newsday and The Virginian-Pilot.
… GateHouse and Tronc did not respond to requests for comment about the GDPR. Lee Enterprises has no plans to comply. Company spokesperson Charles Arms said Lee’s websites wouldn’t draw enough visitors from the more than 30 countries in the EU and the European Economic Area to justify compliance.
“Internet traffic on our local news sites originating from the EU and EEA is de minimis, and we believe blocking that traffic is in the best interest of our local media clients,” Arms said.
From a financial standpoint, that position is justified, according to Alan Mutter, who teaches media economics at the University of California at Berkeley. He said international web traffic might benefit The New York Times, Wall Street Journal and Washington Post but “ads served in Paris, Palermo, or Potsdam don’t help advertisers in Peoria.”
But being available in Europe can help customer relations. And about 16 million Americans visited Europe last year.
… “It is naive and wholly irresponsible to think that U.S. news holds no relevance beyond U.S. borders,” Toporoff said. “U.S. brands should be better at knowledge sharing with their European counterparts and learn how to serve audiences within the GDPR’s parameters. Not to do so is quite undemocratic.”

(Related) Perhaps EU readers are worth something after all?
This year Instapaper celebrated its tenth birthday and, now that we are an independent company, we’ve been thinking a lot about the next ten years of Instapaper and beyond.
To ensure Instapaper can continue for the foreseeable future, it’s essential that the product generates enough revenue to cover its costs. In order to do so, we’re relaunching Instapaper Premium today.
As a reminder, Instapaper Premium is a subscription for $2.99/month or $29.99/year.
… Additionally, today we are bringing back Instapaper to European Union users. Over the past two months we have taken a number of actions to address the General Data Protection Regulation, and we are happy to announce our return to the European Union.
We are very sorry for the extended downtime and, as a token of our apology, we are giving six months of Instapaper Premium to all EU users affected by the outage.
We’ve updated our privacy policy to include the rights afforded to EU users under the General Data Protection Regulation (GDPR). Additionally, in the interest of transparency, we are posting our privacy policy to GitHub where you can view a versioned history of all the changes to our privacy policy.

(Related) Action from the beginning...
Onwards and Upwards: Our GDPR Journey and Looking Ahead
For the better part of the last two years, Imperva has laid the foundation for our compliance with the EU General Data Protection Regulation (GDPR). At roughly ninety pages with 173 recitals and 99 articles, it’s a massive regulation that fundamentally shifts the data privacy and data protection universe.