Thursday, May 24, 2018

Better encryption, but will anyone implement it?
Fitting Forward Secrecy into Today's Security Architecture
Forward Secrecy’s day has come – for most. The cryptographic technique (sometimes called Perfect Forward Secrecy or PFS), adds an additional layer of confidentiality to an encrypted session, ensuring that only the two endpoints can decrypt the traffic. With forward secrecy, even if a third party were to record an encrypted session, and later gain access to the server private key, they could not use that key to decrypt a session protected by forward secrecy. Neat, huh?
Forward secrecy thwarts large-scale passive surveillance (such as might be conducted by a snooping nation state or other well-resourced threat actor) so it is seen a tool that helps preserve freedom of speech, privacy, and other rights-of-the-citizenry.
It is supported and preferred by every major browser, most mobile browsers and applications, and nearly 90% of TLS hosts on the Internet, according to a recent TLS Telemetry report (PDF). The crypto community applauds forward secrecy’s broad acceptance today.
Of course there’s a snag, for some.

Something for my students to debate.
Facebook and Free Speech
In the weeks since Mark Zuckerberg’s testimony to Congress, Facebook has made two important policy announcements. The company released a document explaining what posts and accounts it removes on the basis of its internal rules, known as “community standards,” and it engaged outside consultants to review the social media platform’s impact on various communities. The company also released its first transparency report on the enforcement of its community standards.
These are all welcome developments, but they lay bare a fundamental question raised by Zuckerberg himself: What obligations does the public want companies to fulfill when deciding which speech deserves a place on the Internet and social media? The Supreme Court recently called the internet and social media platforms “the most important places…for the exchange of views,” so the question is not simply an academic exercise.

Is Facebook the only one doing this?
Facebook users worldwide are being asked to review their privacy settings as GDPR looms
Facebook users will soon see a notice on their accounts asking them to review their privacy settings, as the company prepares for the rollout of new data protection rules in Europe.
The alert, which starts appearing this week, asks users across the globe to reassess their preferences for the types of personal data Facebook can use for ad targeting and whether they'll submit to facial recognition. They'll be given the chance to review the information they share on their profiles, including political and religious affiliations and relationship status.
Consumers will see how Facebook uses their activity to send targeted ads and what the company does with its facial recognition tools. Facebook will show them which features they currently have turned on, allowing them to opt out if they choose.
Though Facebook is facing a barrage of criticism in the U.S. over data protection, following the Cambridge Analytica scandal in March, this week's notice is in response to the General Data Protection Regulation in Europe. The alert has already appeared for European users, but this time it is getting a worldwide rollout.

Lots of Facebook action today.
Exclusive: Facebook Opens Up About False News
… Facebook is today making three important announcements on false news, to which WIRED got an early and exclusive look.
… The first new announcement is a request for proposals from academics eager to study false news on the platform. Researchers who are accepted will get data and money; the public will get, ideally, elusive answers to how much false news actually exists and how much it matters. The second announcement is the launch of a public education campaign that will utilize the top of Facebook’s homepage, perhaps the most valuable real estate on the internet. Users will be taught what false news is and how they can stop its spread. Facebook knows it is at war, and it wants to teach the populace how to join its side of the fight. The third announcement—and the one the company seems most excited about—is the release of a nearly 12-minute video called “Facing Facts,” a title that suggests both the topic and the repentant tone.

Sufficient to deter Russian interference in elections?
United Kingdom Att’y General’s Speech on International Law and Cyber: Key Highlights
On Wednesday, the United Kingdom’s Attorney General, Jeremy Wright, QC MP, gave a speech at Chatham House on the role of international law in cyberspace. It is the first official statement of the UK’s overarching view on the topic, including on some specific issues that are at the center of international policy and debate (the speech can be found here.) Here are eight key points:
First, it is important for states to publicly articulate their understanding of international law, especially in cyberspace. Wright acknowledged that rapidly changing technology and developing norms made clear rules difficult, but he warned against allowing cyberspace to become a “grey area.”

Helping US voters find the Not-Fake News.
Twitter adds candidate labels ahead of midterm elections
Twitter will start adding labels to the profiles of candidates running in the 2018 midterm elections after May 30th.
The label, which will apply to all candidates running for state governor, U.S. Senate or U.S. House of Representatives, will contain the office the candidate is running for, the state the office is located in, their district number (when applicable), and other identifying information.
  • The label will be marked with a small icon of a government building, and will appear on the Twitter page of the candidate as well as alongside all tweets sent or retweeted by the account.

We keep getting smaller. Is subcutaneous next?
I’m not into watches or wristbands, but for the last few weeks I’ve been wearing a fitness tracker on my finger. It knows how long I sleep and detects when I walk or run, and all I’ve gotta do is wear it like jewelry and forget about it.
The device is the Motiv Ring. Its features and its iOS app are minimalist compared to what a Fitbit or an Apple Watch can do, which is part of why I like it.
… The ring doesn’t have a screen, just a tiny light that changes color when it charges or when it’s syncing with your phone. (You can force it to sync by spinning the ring around your finger, or ask it to ring your phone by spinning one way and then the other.) The ring doesn’t need to sync constantly, so you don’t need to worry if your phone dies or if you’d rather go to the gym without your phone. It can hang onto a few days’ data if needed.

Tracks with my student opinions.
AAA: American Trust in Autonomous Vehicles Slips
Following high-profile incidents involving autonomous vehicle technologies, a new report from AAA’s multi-year tracking study indicates that consumer trust in these vehicles has quickly eroded. Today, three-quarters (73 percent) of American drivers report they would be too afraid to ride in a fully self-driving vehicle, up significantly from 63 percent in late 2017. Additionally, two-thirds (63 percent) of U.S. adults report they would actually feel less safe sharing the road with a self-driving vehicle while walking or riding a bicycle.

Perspective. Maybe the next Indian billionaire is in my classroom.
Why Walmart’s Flipkart Deal Will Spur Entrepreneurship in India
Walmart’s agreement on June 9 to purchase 77% of Flipkart for $16 billion mints two engineer billionaires in India. Binny Bansal and Sachin Bansal, who co-founded Flipkart and who are not related, each reportedly own about 5% of the Indian online retailer. They will have a net worth about $1 billion when the transaction with Walmart is completed later this year. It will mark a major business success for professionals in India, outside the information technology businesses. The example of the founders, including their initial failures, will inspire more professionals in India to risk starting an enterprise.
Flipkart is India’s largest online retailer with an estimated 40% market share. Amazon, its main and tough competitor, has about a third of the market.

Perspective. Too trusting or setting the President up for further legal action?
Judge rules Trump can't block users on Twitter
A federal district court judge on Wednesday ruled that President Trump can't block people from viewing his Twitter feed over their political views.
Judge Naomi Reice Buchwald, of the U.S. District Court for the Southern District of New York, said President Trump’s Twitter account is a public forum and blocking people who reply to his tweets with differing opinions constitutes viewpoint discrimination, which violates the First Amendment.
… Buchwald, who was appointed by former President Clinton, rejected Trump’s argument that the First Amendment does not apply in this case and that the president’s personal First Amendment interests supersede those of the plaintiffs.
She suggested in her 75-page opinion that Trump could have ignored his opponents’ reply tweets.
… But Buchwald did not order Trump or Scavino to unblock the individual plaintiffs in the case or prohibit them from blocking others from the account based on their views as the plaintiffs’ had asked.
She said a declaratory judgment should be sufficient.
“Because no government official is above the law and because all government officials are presumed to follow the law once the judiciary has said what the law is, we must assume that the President and Scavino will remedy the blocking we have held to be unconstitutional,” Buchwald wrote.

Perhaps this is part of the cost to acquire a new CEO?
Chipotle Mexican Grill to close Denver headquarters, relocate staff to California and Ohio
The company said in a news release the headquarters will move to Newport Beach, Calif. and other functions within the Denver office will move to the company’s existing office in Columbus, Ohio.
… The news comes as a surprise to some in Denver, as the company announced in December it was moving its headquarters to a new office tower downtown that was still under construction.
"We wish @ChipotleTweets all the best. We want their existing employees to know we have services that can help them find new jobs," Gov. John Hickenlooper tweeted Wednesday afternoon. His wife, Robin, has sat on Chipotle's board of directors since December 2016.
It signed a 15-year lease for five floors of a 40-story skyscraper located on 15th Street between Arapahoe and Lawrence streets. The status of the lease is currently unclear, though the building held its grand opening in recent months.
The CEO at the time, Steve Ells, said: “Our roots are here, and this contemporary, collaborative and modern space will position us to look ahead to the next 25 years.”
… Paul Seaborn, an assistant professor of management at the University of Denver, has watched Chipotle's performance closely and co-wrote a case study last year for an international competition that focused on the key challenges facing the company. He said Chipotle's new CEO is cooking up a culture shock with this latest move.
… Seaborn also said he believes there are no real benefits to moving the headquarters to Newport Beach other than the new CEO's own connections to California. As the former CEO of Taco Bell its headquarters are in nearby Irvine, California.
"This seems much more of a personal management decision," said Seaborn. "This particular move is going to create a big question around retention and who are the key employees that they feel are really pushing the company forward and can they get them to move to California."

Stupid is as stupid does. F. Gump
Cake shop hilariously censors Latin phrase on US graduate's cake
Cara Koscinski ordered a graduation cake for her 18-year-old son Jacob, who graduated with an impressive 4.89 grade point average, The Washington Post reports.
Ms Koscinski had ordered the cake online from cake shop Publix.
She wanted it to say: "Congrats Jacob! Summa Cum Laude, Class of 2018." The Latin phrase translates in English to "with the highest distinction".
However Publix's online system auto-corrected the middle Latin word, picking it up as bad language.

I might want to try this.
How to Embed Your Slideshows Into Your Blog

Wednesday, May 23, 2018

“Go ahead and lie. Who will they believe, us or a bunch of techies?”
FBI inflated encrypted device figures, misleading public
Contrary to what the FBI told the public, we now know that instead of 7,775 encrypted smartphones proving stumbling blocks to FBI criminal investigations, there are no more than 2,000.
… Wray called this a "major public safety issue", and used it to push a "responsible encryption" mantra – in other words, encryption backdoors.
The FBI denied ZDNet's request for information on these phones. The bureau said the information was exempt from disclosure, as the records "could reasonably be expected to interfere with enforcement proceedings."
Internally though the FBI knew they miscounted the devices as of a month ago. The bureau still doesn't have an accurate count of how many encrypted phones it has from last year.

I guess we don’t want to “fall behind” China.
Amazon is selling police departments a real-time facial recognition system
The Verge: “Documents obtained by the ACLU of Northern California have shed new light on Rekognition, Amazon’s little-known facial recognition project. Rekognition is currently used by police in Orlando and Oregon’s Washington County, often using nondisclosure agreements to avoid public disclosure. The result is a powerful real-time facial recognition system that can tap into police body cameras and municipal surveillance systems. According to further reporting by The Washington Post, the Washington County Sheriff pays between $6 and $12 a month for access to Rekognition, which allows the department to scan mug shot photos against real-time footage. The most significant concerns are raised by the Orlando project, which is capable of running real-time facial recognition on a network of cameras throughout the city. The project was described by Rekognition project director Ranju Das at a recent AWS conference in Seoul…”

There are probably many, many “special circumstances.” No doubt some future AI will deal with them.
Google Under Fire For Revealing Rape Victims' Names
The company's been accused of displaying the names of rape victims through its Autocomplete and Related Search functions – even when the victims have been granted anonymity by the courts.
The problem is that both features use data gathered from previous searches to predict what information the user is looking for and make suggestions. If enough people know a victim's name and use it as one of their search terms, Google's algorithm will provide a helpful prompt to those that don't.
In the US, there's no legal prohibition on publishing the names of rape victims, although the media tend to avoid doing so. In many countries, however, it's against the law. And the UK's Times newspaper has uncovered several cases in which Autocomplete and Related Search have revealed the names of rape victims and others who have official anonymity.

(Related) Somehow, “send us your private porn so we can block your private porn” does not seems to be entirely satisfactory. Imagine the lawsuits if this database leaks!
Facebook Safety
People shouldn’t be able to share intimate images to hurt others
By Antigone Davis, Global Head of Safety
It’s demeaning and devastating when someone’s intimate images are shared without their permission, and we want to do everything we can to help victims of this abuse. We’re now partnering with safety organizations on a way for people to securely submit photos they fear will be shared without their consent, so we can block them from being uploaded to Facebook, Instagram and Messenger. This pilot program, starting in Australia, Canada, the UK and US, expands on existing tools for people to report this content to us if it’s already been shared.

Tuesday, May 22, 2018

No real chance that customers would win a lawsuit, so why spend money ensuring security?
Comcast website bug leaks Xfinity customer data
… The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password.
… The site returned the Wi-Fi name and password – in plaintext -- used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router – and the site didn't return the Wi-Fi network name or password.

Retaliation is a step to all-out cyberwar.
Inside 'Project Indigo,' the quiet info-sharing program between banks and U.S. Cyber Command
A confidential information-sharing agreement between the Financial Services Information Sharing and Analysis Center (FS-ISAC) and U.S. Cyber Command reveals the blurring line between the country’s public and private sectors as the U.S. government becomes increasingly receptive to launching offensive hacking operations.
… The broad purpose of Project Indigo is to help inform U.S. Cyber Command about nation-state hacking aimed at banks. In practice, this intelligence is independently evaluated and, if appropriate, Cyber Command responds under its own unique authorities.
It’s possible that a bank could tip off the military about a cyberattack against the financial industry, prompting Cyber Command to react and take action. That could include providing unique insight back to FSARC or even taking offensive measures to disrupt the attacker — such as retaliatory hacking — if it’s appropriate and the Pentagon approves it, according to current and former U.S. officials.

Isn’t this what Hillary Clinton said about email servers? Good thing the President doesn’t email…
Too inconvenient’: Trump goes rogue on phone security
President Donald Trump uses a White House cellphone that isn’t equipped with sophisticated security features designed to shield his communications, according to two senior administration officials — a departure from the practice of his predecessors that potentially exposes him to hacking or surveillance.
The president, who relies on cellphones to reach his friends and millions of Twitter followers, has rebuffed staff efforts to strengthen security around his phone use, according to the administration officials.
… While aides have urged the president to swap out the Twitter phone on a monthly basis, Trump has resisted their entreaties, telling them it was “too inconvenient,” the same administration official said.
The president has gone as long as five months without having the phone checked by security experts. It is unclear how often Trump’s call-capable phones, which are essentially used as burner phones, are swapped out.

Told ya so!
Explaining Efail and Why It Isn’t the End of Email Privacy
Last week the PGPocalipse was all over the news… Except that, well, it wasn’t an apocalypse.
A team of researchers published a paper(PDF) where they describe how to decrypt a PGP encrypted email via a targeted attack. The research itself is pretty well documented and, from a security researcher perspective, it’s a good paper to read, especially the cryptography parts.
But we here at Hackaday were skeptical about media claims that Efail had broken PGP. Some media reports went as far as recommending everyone turn off PGP encryption on all email clients, but they weren’t able to back this recommendation up with firm reasoning. In fact, Efail isn’t an immediate threat for the vast majority of people simply because an attacker must already have access to an encrypted email to use the exploit. Advising everyone to disable encryption all together just makes no sense.
Aside from the massive false alarm, Efail is a very interesting exploit to wrap your head around. Join me after the break as I walk through how it works, and what you can do to avoid it.

More that TSA on steroids, this is Big Brothering at its best. Any country could do this, including the US.
China's social credit system has blocked people from taking 11 million flights and 4 million train trips
China's social credit system has blocked people from taking 11.14 million flights and 4.25 million high-speed train trips.
The numbers, from the end of April, were included in a report by China's state-run news outlet Global Times, but it is unclear what offenses those targeted in the travel ban have committed.
The social credit system is actually a collection of blacklists, of which there are more than a dozen at the national level. Each list is based on similar offenses — such as misbehavior on planes and trains, or failing to abide by a court judgment — and determines the punishments people face, from throttling internet speeds to blocking loans.

Keeping up with the players in the intelligence game.
… the Directorate for Signals Intelligence, Japan’s version of the National Security Agency.
The directorate has a history that dates back to the 1950s; its role is to eavesdrop on communications. But its operations remain so highly classified that the Japanese government has disclosed little about its work – even the location of its headquarters. Most Japanese officials, except for a select few of the prime minister’s inner circle, are kept in the dark about the directorate’s activities, which are regulated by a limited legal framework and not subject to any independent oversight.
Now, a new investigation by the Japanese broadcaster NHK — produced in collaboration with The Intercept — reveals, for the first time, details about the inner workings of Japan’s opaque spy community. Based on classified documents and interviews with current and former officials familiar with the agency’s intelligence work, the investigation shines light on a previously undisclosed internet surveillance program and a spy hub in the south of Japan that is used to monitor phone calls and emails passing across communications satellites.

… while digital marketers are aware of the strict new regulatory regime, seemingly few have taken active steps to address how it will impact their day-to-day operations.
GDPR will force marketers to relinquish much of their dependence on behavioral data collection. Most critically, it will directly implicate several business practices that are core to current digital ad targeting. The stipulation that will perhaps cause most angst is the new formulation for collecting an individual’s consent to data gathering and processing; GDPR requires that consent be active (as opposed to passive) and represent a genuine and meaningful choice. Digital marketers know that users of internet-based services like Snapchat, Facebook, and Google technically provide consent by agreeing to these companies’ terms of service when they sign up. But does this constitute an active and genuine choice? Does it indicate that the user is willing to have her personal data harvested across the digital and physical worlds, on- and off-platform, and have that data used to create a behavioral profile for digital marketing purposes? Almost certifiably not.

Most GDPR emails unnecessary and some illegal, say experts
… Many companies, acting based on poor legal advice, a fear of fines of up to €20m (£17.5m) and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing.
… “Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR,” Vitale said. “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.

How Human-Computer ‘Superminds’ Are Redefining the Future of Work
The ongoing, and sometimes loud, debate about how many and what kinds of jobs smart machines will leave for humans to do in the future is missing a salient point: Just as the automation of human work in the past allowed people and machines to do many things that couldn’t be done before, groups of people and computers working together will be able to do many things in the future that neither can do alone now.

No doubt this is their strategy to entice kids to write rather than Tweet.
U.S. Postal Service announces first-ever scratch and sniff stamp with popsicle scent
… The U.S. Postal Service said Monday that it will issue its first-ever scratch-and-sniff stamps that will aim to evoke the sweet scent of summer. The 10 different stamp designs each feature a watercolor illustration of two different ice pops on a stick.
There will be one scent for all of the stamps and the secret smell will be unveiled when the Postal Service issues the stamps on June 20, according to U.S. Postal Service public relations representative Mark Saunders.

Monday, May 21, 2018

Are there devices that are not being used by the police?
Potential Spy Devices Which Track Cellphones, Intercept Calls Found All Over DC MD VA
NBC News4 I-Team – Washington, DC – “The technology can be as small as a suitcase, placed anywhere at any time, and it’s used to track cell phones and intercept calls. The News4 I-Team found dozens of potential spy devices while driving around Washington, D.C., Maryland and Northern Virginia. “While you might not be a target yourself, you may live next to someone who is. You could still get caught up,” said Aaron Turner, a leading mobile security expert. The device, sometimes referred to by the brand name StingRay, is designed to mimic a cell tower and can trick your phone into connecting to it instead. The News4 I-Team asked Turner to ride around the capital region with special software loaded onto three cell phones, with three different carriers, to detect the devices operating in various locations. “So when you see these red bars, those are very high-suspicion events,” said Turner. If you live in or near the District, your phone has probably been tracked at some point, he said. A recent report by the Department of Homeland Security called the spy devices a real and growing risk. And the I-Team found them in high-profile areas like outside the Trump International Hotel on Pennsylvania Avenue and while driving across the 14th Street bridge into Crystal City. The I-Team got picked up twice while driving along K Street — the corridor popular with lobbyists. “It looks like they don’t consider us to be interesting, so they’ve dropped us,” Turner remarked looking down at one of his phones. Every cellphone has a unique identifying number. The phone catcher technology can harness thousands of them at a time. DHS has warned rogue devices could prevent connected phones from making 911 calls, saying, “If this type of attack occurs during an emergency, it could prevent victims from receiving assistance.” “Absolutely. That’s a worry,” said D.C. Councilwoman Mary Cheh, adding that the spy technology should be a concern for all who live and work in the District. The I-Team’s test phones detected 40 potential locations where the spy devices could be operating, while driving around for just a few hours…”

I had not considered the benefits to this ‘industry.’
WaPo – Technology has made the repo man ruthlessly efficient
Washington Post – “Technology has made the repo man ruthlessly efficient, allowing this familiar angel of financial calamity to capitalize on a dark corner of the United States’ strong economy: the soaring number of people falling behind on their car payments.”
“…Derek Lewis works for Relentless Recovery, the largest repo company in Ohio and its busiest collector of license plate scans. Last year, the company repossessed more than 25,500 vehicles — including tractor trailers and riding lawn mowers. Business has more than doubled since 2014, the company said. Even with the rising deployment of remote engine cutoffs and GPS locators in cars, repo agencies remain dominant. Relentless scanned 28 million license plates last year, a demonstration of its recent, heavy push into technology. It now has more than 40 camera-equipped vehicles, mostly spotter cars. Agents are finding repos they never would have a few years ago. The company’s goal is to capture every plate in Ohio and use that information to reveal patterns… “It’s kind of scary, but it’s amazing,” said Alana Ferrante, chief executive of Relentless… Repo agents are responsible for the majority of the billions of license plate scans produced nationwide. But they don’t control the information. Most of that data is owned by Digital Recognition Network (DRN), a Fort Worth company that is the largest provider of license-plate-recognition systems. And DRN sells the information to insurance companies, private investigators — even other repo agents. DRN is a sister company to Vigilant Solutions, which provides the plate scans to law enforcement, including police and U.S. Immigration and Customs Enforcement. Both companies declined to respond to questions about their operations… For repo companies, one worry is whether they are producing information that others are monetizing…”

I wonder if I could integrate Fakey into my Computer Security class. (Probably, yes.)
3 new tools to study and counter online disinformation
Indiana University Bloomington: “Researchers at CNetS, IUNI, and the Indiana University Observatory on Social Media have launched upgrades to two tools playing a major role in countering the spread of misinformation online: Hoaxy and Botometer. A third tool Fakey — an educational game designed to make people smarter news consumers — also launches with the upgrades. Hoaxy is a search engine that shows users how stories from low-credibility sources spread on Twitter. Botometer is an app that assigns a score to Twitter users based on the likelihood that the account is automated. The two tools are not integrated so that one can now easily detect when information is spreading virally, and who is responsible for its spread. Hoaxy and Botometer currently process hundreds of thousands of daily online queries. The technology has enabled researchers, including a team at IU, to study how information flows online in the presence of bots. Examples are a study on the cover of the March issue of Science that analyzed the spread of false news on Twitter and an analysis from the Pew Research Center in April that found that nearly two-thirds of the links to popular websites on Twitter are shared by automated accounts. Fakey is a web and mobile news literacy game that mixes news stories with false reports, clickbait headlines, conspiracy theories and “junk science.” Players earn points by “fact-checking” false information and liking or sharing accurate stories. The project, led by IU graduate student Mihai Avram, was created to help people develop responsible social media consumption habits. An Android app is available, and an iOS versions will launch shortly…”

Soon, all chatbot speech will be indistinguishable from human speech.
Microsoft acquires conversational AI startup Semantic Machines to help bots sound more lifelike
Microsoft announced today that it has acquired Semantic Machines, a Berkeley-based startup that wants to solve one of the biggest challenges in conversational AI: making chatbots sound more human and less like, well, bots.

Perspective. What is a good number? How much do we spend to predict/prevent school shootings?
The Unknown Cost of America’s Counterterrorism Efforts
A Stimson Center working group released a study last week on the costs of America’s counterterrorism efforts, and it found about what you’d expect: nearly 17 years after 9/11, we still don’t know exactly how much we have spent, but it’s a ton. Over $2.8 trillion, at least. The staggering numbers grabbed headlines on Wednesday, as they should. With this struggle closing in on the two-decade mark, we need to have a frank accounting of the threats we face and how much spending is enough to keep Americans safe. But beyond the matter of raw dollars spent, the report raises deeper questions about what counts as counterterrorism and whether our funding matches our strategy.
… What at first glance might appear to be a bean counting exercise is anything but. At a deeper level, this is about our strategy and priorities in what we once aptly called the long war. For example, my working group colleague John Mueller sees the terrorist threat as dramatically less severe than I do, but he nonetheless makes strong points, grounded in economic analysis, to argue that we are overspending compared to the threat. In Mueller’s estimation, our counterterrorism efforts would need to have saved at least 250,000 lives to justify the expenditures we have made. These are direct costs only. Mueller goes further in arguing that the indirect economic costs of, for example, longer lines at airports and border crossings and increased security at high profile venues have cost us many billions more dollars.

Perspective. The latest infographic.
How Much Data Do We Create Every Day? The Mind-Blowing Stats Everyone Should Read
The amount of data we produce every day is truly mind boggling. There are 2.5 quintillion bytes of data created each day at our current pace, but that pace is only accelerating with the growth of the Internet of Things (IoT). Over the last two years alone 90 percent of the data in the world was generated.

(Related) and this is just the UK.
Public can now search UK government’s entire digital archive
BusinessCloud: “The British government’s entire online presence comprising billions of web pages has been indexed and digitally archived to the cloud for the first time. Manchester tech firm MirrorWeb has devised an all-new indexing to create an accessible, searchable and user-friendly resource for the public. The National Archives’ gigantic 120TB web archive encompasses billions of web pages – from every government department website and social media account – from 1996 to the present. It took MirrorWeb – named among our 101 Rising Stars of the UK Start-up Scene last year – just two weeks to transfer the data from 72 hard drives at The National Archives to internal hard drives before transferring and digitally archiving more than two decades of government internet history to the cloud. As part of a four-year contract, MirrorWeb was tasked with both moving the data to the cloud using Amazon Web Services as well as indexing it. Indexing the data meant that MirrorWeb had to write a complete replacement for the UK Government Web Archives’ previous search functionality. As a result, 1.4bn documents were indexed and are now accessible and searchable to researchers, students and the members of the public who need to use them, enabling them to view websites and social media content in their original form as well as search for content on specific topics. John Sheridan, digital director of The National Archives, said: “We are preserving 1,000 years of British history and a big part of that is preserving the digital record of government today…”

One must choose nicknames carefully…

Sunday, May 20, 2018

Hackers will read this looking for tips & tricks.
How North Korean hackers became the world’s greatest bank robbers
The Reconnaissance General Bureau, North Korea’s equivalent to the CIA, has trained up the world’s greatest bank-robbing crews. In just the past few years, RGB hackers have struck more than 100 banks and cryptocurrency exchanges around the world, pilfering more than $650 million. That we know of.
… These thieves also have one distinct advantage over other syndicates: They are absolutely confident that they’ll never be charged. So it goes when your own country sponsors your criminal mischief.

Interesting but inconclusive.
Germany Acts to Tame Facebook, Learning From Its Own History of Hate
… Spread over five floors, hundreds of men and women sit in rows of six scanning their computer screens. All have signed nondisclosure agreements. Four trauma specialists are at their disposal seven days a week.
They are the agents of Facebook. And they have the power to decide what is free speech and what is hate speech.
This is a deletion center, one of Facebook’s largest, with more than 1,200 content moderators. They are cleaning up content — from terrorist propaganda to Nazi symbols to child abuse — that violates the law or the company’s community standards.

This could be useful.
My Data Request’ lists guides to get data about you
GDPR is right around the corner, so it’s time to prepare your personal data requests. If you live in the European Union, tech companies have to comply with personal data requests after May 25th. And there’s a handy website that helps you do just that.
My Data Request lists dozens of tech companies and tells you how you can contact them. The website also links to the privacy policy of each service and tells you what to do even if you don’t live in the EU.
Some companies, such as Facebook, LinkedIn, Twitter, Google, Tinder and Snapchat have made that easy as they have created a page on their website to download a zip archive with all your personal data.
… For most companies (including Amazon), you’ll have to email them yourself. My Data Request has created handy email templates. You just have to copy the message, put your name and contact information and send the email. The email addresses are listed on My Data Request’s site too.

Perspective. Will Chatbots need to be customized for each industry/company? Possibly. Will I have to remember dozens of different names to get anything done? (Or will there be an App for that?)
Bank of America debuts its AI-powered assistant, Erica
Bank of America on Friday officially introduced Erica, an AI-powered virtual assistant for its 25 million mobile customers.
Erica, which Bank of America began rolling out to customers in March, can help people conduct banking via voice commands, text or with gestures from within the Bank of America app. She can currently help customers with a variety of tasks:
  • Searching for past transactions, such as checks written or shopping activity
  • Accessing key information, such as routing numbers or the closest ATM
  • Scheduling face-to-face meetings at a Bank of America financial center
  • Viewing bills and scheduling payments
  • Locking and unlocking debit cards
  • Transferring money between accounts or sending money to friends with Zelle

Saturday, May 19, 2018

Let this be a lesson to my Computer Security students.
Mark Satter reports:
The nation relies on teachers to educate our children and help them when they make mistakes. But when it comes to protecting students’ data, it is often the teachers and school staff who mistakenly let bad actors in to school computer systems, officials say.
In a hearing Thursday before the House Committee on Education and the Workforce, a panel of educators, privacy experts and U.S. Department of Education officials pointed to accidental online errors by school staff as the main threat to protecting school data.
In the state of Kentucky, which experienced more than 4 billion attempted attacks on the computer systems of K-12 services last year, the greatest number of data breaches were the result of staff who fell for email phishing scams, according to David Couch, CIO for the Kentucky Education Technology System (KETS) at the Kentucky Department of Education.
“By far the greatest vulnerability to our systems is internal staff who fall victim to phishing attempts,” Couch said during the hearing.
Read more on EdScoop.

(Related) Perhaps a class or two on Ethics?
Violet Ikonomova reports:
Leave it to kids in one of Michigan’s best school districts to have figured out how to hack the district’s grading system and (presumably) give themselves A’s.
A message posted to the Bloomfield Hills Schools website alerts parents that “a couple” students made “some poor choices lately,” hacking into the district’s student information system and manipulating their personal grades, attendance, and lunch balance information. The data base houses all of the district’s student and family data, the notice says.
The students are in high school and modified the information of their own accounts and others high schoolers, Bloomfield Hills Schools Superintendent Robert Glass says in a video message elsewhere on the website. A total of 20 students saw changes made in the form of improved grades, improved attendance, and reduced lunch balances.
Read more on Detroit Metro Times.

Aggregating data for resale.
200 Million Sets of Japanese PII Emerge on Underground Forums
A dataset allegedly containing 200 million unique sets of personally identifiable information (PII) exfiltrated from several popular Japanese website databases emerged on underground forums, FireEye reports.
Advertised by a Chinese threat actor at around $150, the dataset contained names, credentials, email addresses, dates of birth, phone numbers, and home addresses, and was initially spotted in December 2017.
The data appears sourced from a variety of Japanese websites, including those in the retail, food and beverage, financial, entertainment, and transportation sectors, and FireEye believes that the cybercriminals obtained it via opportunistic compromises.

It’s cheaper (for the state) if you have no rights!”
Gavin Reinke of Alston & Bird writes:
The Georgia Court of Appeals recently reaffirmed its prior conclusion that there is no duty to safeguard personal information under Georgia law. In McConnell v. Ga. Dep’t of Labor, — S.E.2d —-, 2018 WL 2173252 (Ga. App. May 11, 2018), the Court of Appeals addressed whether a plaintiff whose social security number and other personal identifying information (“PII”) had allegedly been negligently disclosed by an employee of the Georgia Department of Labor stated a negligence claim in connection with the unauthorized disclosure.
In urging that the Court of Appeals should recognize such a duty, the plaintiff in McConnellrelied on the Georgia Personal Identity Protection Act (the “GPIPA”). The plaintiff argued that the GPIPA supported recognizing a duty to safeguard PII because the statute reflects the General Assembly’s “intent to protect citizens from the adverse effects of disclosure of personal information and created a general duty to preserve and protect personal information.” McConnell, 2018 WL 2173252.

You have no ‘right to be forgotten.’
All of’s alleged co-owners arrested on extortion charges
Two alleged owners of—Sahar Sarid and Thomas Keesee—have been arrested in south Florida on a recently issued California warrant. The notorious website publishes mugshots and then demands payment for their removal.
… "This pay-for-removal scheme attempts to profit off of someone else's humiliation," said Attorney General Becerra in a statement. "Those who can't afford to pay into this scheme to have their information removed pay the price when they look for a job, housing, or try to build relationships with others. This is exploitation, plain and simple."
… The 29-page affidavit provides a lengthy explanation of what prosecutors call a "business permeated with fraud."

(Related) For all my students!
I sometimes think people don’t realize the amount of time and passion Joe Cadillic dedicates to informing you all of surveillance issues and online threats to our privacy. We’ll get back to that later in this post, but for now:
This week, one of the links he sent me to share with you all is a treasure.
Michael Bazzell writes:
Posted on May 15th, 2018
I received an email today from a reader of the latest edition of my privacy book Hiding from the Internet. In the book, I include an entire chapter of opt-out links for removing personal information from people-search, data-mining, marketing, and data broker websites. The reader asked if I maintained a digital version of the workbook with active hyperlinks for easy navigation. While I try to maintain a page for hyperlinks from the book, it did not quite replicate the workbook model that is in the official publication. Today, I am releasing the entire workbook in PDF format for free. I hope it helps the process of cleaning up unwanted online details. The direct link is below.

Computers and the Constitution.
From EPIC:
EPIC has filed a “friend of the court” brief, joined by forty-four technical experts and legal scholars (members of the EPIC Advisory Board), in the OPM Data Breachcase. The case concerns the data breach at the US Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and family members. In the brief to the federal appeals court, EPIC said that “when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained.” In a 2011 case NASA v. Nelson, EPIC urgedthe Supreme Court to limit data collection by federal agencies, citing the growing risk of data breach in the federal government.

Adding ‘touch’ to Tech. Hand holding for people not comfortable with e-commerce?
Walmart has quietly launched Jetblack, a ‘members-only’ personal shopping service for affluent city moms
Code Eight, a stealthy personal-shopping startup incubated inside of Walmart, has rebranded itself as Jetblack, Recode has learned.
In job listings, the service is described as a “members-only personal shopping and concierge service that combines the convenience of e-commerce with the customized attention of a personal assistant.”
Visitors to are greeted by a landing page that says, “Nice work, you found us!”
“Jetblack is currently in beta in Manhattan,” the site says. It gives visitors an option to request early access.
A new Walmart subsidiary, called Code Eight, has recently started testing a personal shopping service for “busy NYC moms,” according to multiple sources, with the goal of letting them get product recommendations and make purchases simply through text messaging.
The target customer of Code Eight is described in an online job listing as a “high net worth urban consumer” — translation: A rich city dweller — certainly not the historical sweet spot for Walmart’s main business.
Household items are delivered for free within 24 hours; other purchases are delivered within two business days. Returns are picked up for free at a customer’s apartment building or house.

Friday, May 18, 2018

Here is how the pros do it. I wonder if anyone has recommended an App to President Trump?
North Korea-tied hackers used Google Play and Facebook to infect defectors
Researchers said a team of hackers tied to North Korea recently managed to get the Google Play market to host at least three Android apps designed to surreptitiously steal personal information from defectors of the isolated nation.
The three apps first appeared in the official Android marketplace in January and weren’t removed until March when Google was privately notified. That’s according to a blog post published Thursday by researchers from security company McAfee. Two apps masqueraded as security apps, and a third purported to provide information about food ingredients. Hidden functions caused them to steal device information and allow them to receive additional executable code that stole personal photos, contact lists, and text messages.
The apps were spread to selected individuals, in many cases by contacting them over Facebook. The apps had about 100 downloads when Google removed them. Nation-operated espionage campaigns frequently infect a small number of carefully selected targets and keep the number small in an attempt to remain undetected. Thursday’s report is the latest to document malicious apps that bypassed Google filters designed to keep bad wares out of the Play market.
… In January, McAfee reported finding malicious apps targeting North Korean journalists and defectors. Some of the Korean words found in the control servers weren’t used in South Korea but were used in North Korea. The researchers also found a North Korean IP address in a test log file of some Android devices that were connected to accounts used to spread the malware. McAfee said the developers didn’t appear to be connected to any previously known hacking groups. The researchers named the group Sun Team after finding a deleted folder called “sun Team Folder.”

Just one of millions of the tiny errors that hacker exploit.
Cell phone tracking firm exposed millions of Americans' real-time locations
… The company, LocationSmart, is a data aggregator and claims to have "direct connections" to cell carriers to obtain locations from nearby cell towers. The site had its own "try-before-you-buy" page that lets you test the accuracy of its data. The page required explicit consent from the user before their location data can be used by sending a one-time text message to the user. When we tried with a colleague, we tracked his phone to a city block of his actual location.
But that website had a bug that allowed anyone to track someone's location silently without their permission.
"Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call.
"The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here."

It’s a start...
DHS Publishes New Cybersecurity Strategy
The U.S. Department of Homeland Security (DHS) this week published its long-delayed Cybersecurity Strategy. It had been mandated by Congress to deliver a strategy by March 2017, and did so on May 15, 2018.
The strategy is defined in a high-level document (PDF) of 35 pages. Its scope is to provide "the Department with a framework to execute our cybersecurity responsibilities during the next five years to keep pace with the evolving cyber risk landscape by reducing vulnerabilities and building resilience; countering malicious actors in cyberspace; responding to incidents; and making the cyber ecosystem more secure and resilient."
Of necessity, however, the five pillars and seven goals are defined in very basic terms. They define objectives, sub-objectives and outcomes – but with little on methods. For example, goal #1 (the risk identification pillar) is to assess evolving cybersecurity risks. This will be achieved by working with "stakeholders, including sector-specific agencies, nonfederal cybersecurity firms, and other federal and nonfederal entities, to gain an adequate understanding of the national cybersecurity risk posture, analyze evolving interdependencies and systemic risk, and assess changing techniques of malicious actors."
However, nobody was able to predict, detect or prevent Russian meddling in the 2016 presidential election, nor the WannaCry and NotPetya outbreaks. The implication is that something new and beyond just increased interagency cooperation needs to be done to achieve genuine risk identification.

Another failed IT project?

Sort of a multi-generational Big Brother to guide the entire human race. You can’t say they don’t think big.
Google's Hypothetical 'Selfish Ledger' Imagines Collecting All Your Data to Push You to Change Society
A couple of years ago, Alphabet’s X “moonshot factory” conjured up a concept that describes how total and absolute data collection could be used to shape the decisions you make. And now a video about that concept has leaked online.
The video was obtained and published on Thursday by The Verge. It describes a so-called “Selfish Ledger” that would collect all of your data, including actions you make on your phone, preference settings, and decisions you make, and not just keep it there for future evaluation. Instead, the ledger, which would be designed and managed by Google, would interpret that information and guide you down a path towards reaching a goal, or on a broader scale, doing your part to help solve poverty or other societal problems.

20 years of the Laws of Cyberspace
What if an architecture emerges that permits constant monitoring; an architecture that facilitates the constant tracking of behavior and movement. What if an architecture emerged that would costlessly collect data about individuals, about their behavior, about who they wanted to become. And what if the architecture could do that invisibly, without interfering with an individual’s daily life at all? … This architecture is the world that the net is becoming. This is the picture of control it is growing into. As in real space, we will have passports in cyberspace. As in real space, these passports can be used to track our behavior. But in cyberspace, unlike real space, this monitoring, this tracking, this control of behavior, will all be much less expensive. This control will occur in the background, effectively and invisibly. -Lawrence Lessig, “The Laws of Cyberspace,” 1998

My cousin, the crook?
DNA Data From 100 Crime Scenes Has Been Uploaded To A Genealogy Website — Just Like The Golden State Killer
The remarkable sleuthing method that tracked down the Golden State Killer was not a one-off. A company in Virginia is now working with several law enforcement agencies to solve cases using the same “genetic genealogy” approach that led investigators in California to arrest Joseph James DeAngelo.
The company, Parabon NanoLabs, has already loaded DNA data from about 100 crime scenes into a public genealogy database called GEDmatch. And in about 20 of these cases, the company says, it has found matches with people estimated to be the suspect’s third cousins or even closer relatives.
“We were actually pretty surprised,” Ellen Greytak, Parabon’s director of bioinformatics, told BuzzFeed News. With those known genetic connections, she said, investigators have a good chance of using genealogical research to draw family trees and identify possible suspects. Some arrests could come quickly, she suggested. “I think there is going to be press around this very soon.”

About time!
Tech Firms Move to Put Ethical Guard Rails Around AI
… At Microsoft, Horvitz helped establish an internal ethics board in 2016 to help the company navigate potentially tricky spots with its own AI technology. The group is cosponsored by Microsoft’s president and most senior lawyer, Brad Smith. It has prompted the company to refuse business from corporate customers, and to attach conditions to some deals limiting the use of its technology.
Horvitz declined to provide details of those incidents, saying only that they typically involved companies asking Microsoft to build custom AI projects. The group has also trained Microsoft sales teams on applications of AI the company is wary of.
Google … promised that it would require a new, hyperrealistic form of its voice assistant to identify itself as a bot when speaking with humans on the phone. The pledge came two days after CEO Sundar Pichai played impressive—and to some troubling—audio clips in which the experimental software made restaurant reservations with unsuspecting staff.

What Google isn't telling us about its AI demo
… Axios asked Google for the name of the hair salon or restaurant, in order to verify both that the businesses exist and that the calls were not pre-planned. We also said that we'd guarantee, in writing, not to publicly identify either establishment (so as to prevent them from receiving unwanted attention).
A longtime Google spokeswoman declined to provide either name.
We also asked if either call was edited, even perhaps just cutting the second or two when the business identifies itself. And, if so, were there other edits? The spokeswoman declined comment, but said she'd check and get back to us. She didn't.

Perspective. But all the political journalists do.
Very Few Voters Actually Read Trump’s Tweets
… since politicians are known for boring, repetitive, long-winded speeches, what could be a better political platform than one that literally forbids using more than 280 characters at a time? Twitter seems good for Trump, too: As his allies often say, it gives the president a way to speak directly to the American electorate, getting around the media’s filter. Trump’s Twitter account is followed by 52 million people, not that far off from the nearly 63 million who voted for him in 2016.
But some data released this week should give Trump and his supporters pause about the power of his Twitter account in directly reaching American voters — and push the media to think carefully about its coverage of Trump’s tweets. Only 8 percent of U.S. adults say they follow Trump’s Twitter account (@realDonaldTrump), and only 4 percent say they follow his account and regularly read the president’s tweets, according to a new Gallup poll.

Zillman makes large and useful collections. Always worth a careful read!
New on LLRX – 2018 New Economy Resources and Tools
Via LLRX.com2018 New Economy Resources and Tools – This guide by Marcus Zillman provides researchers in multiple disciplines – law, economists, academia, government, corporate, and journalism – the latest, most reliable web resources for discovering sources to meet the multifaceted needs of time sensitive, specific, actionable work product. The global economic landscape is rapidly changing as transparency, big data and the ability to access data from new and now accessible databases are increasingly available through portals and sites around the world. Understanding how to locate and leverage new economy analytics, resources and alerts will provide you with keep tools and techniques to expand access to requisite knowledge that you can apply daily in your work place.

Could be handy for my researchers…