Sunday, February 16, 2020

What makes this one different? Perhaps this is a demonstration of evolving skills, but it could also be an intelligence gathering hack vs cash raising or military harassment. We had best learn to deal with this kind of hack.
How the suspected Equifax hackers covered their tracks
Even for U.S. law enforcement, the Equifax hack was different.
Unlike in previous examples of apparent Chinese government-backed cyber-operations, the hackers behind the Equifax breach stymied police for months. After the Office of Personnel Management hack in 2015, and the Marriott breach which was disclosed in 2018, investigators were confident enough that China was involved to tell the Wall Street Journal and New York Times about their suspicions soon afterward.
With Equifax, the search for who was responsible was remarkably harder. Data stolen from the credit monitoring firm hadn’t appeared for sale on criminal forums, a possible indication of a nation-state’s involvement. And while the trove of financial information would certainly be useful to foreign intelligence agencies, using forensic data to validate that theory would prove to be a tall order.
The charges announced Monday outline a conspiracy to not only steal a massive trove of information on 145 million Americans but also get away with the theft.

Glyn Moody writes:
The speech by US Attorney General William P. Barr hardly seems earth-shattering. But buried within its business-like announcement of the indictment of four Chinese military hackers, there is the following statement, which has huge implications for privacy:
For years, we have witnessed China’s voracious appetite for the personal data of Americans, including the theft of personnel records from the U.S. Office of Personnel Management, the intrusion into Marriott hotels, and Anthem health insurance company, and now the wholesale theft of credit and other information from Equifax.
The first of the intrusions that Barr mentions took place in 2014, but was only revealed in November 2018, when Marriott Hotels admitted that it had discovered there was unauthorized access to its Starwood guest reservation database. The system held details of 500 million guests, and Marriott said that for around 327 million of these guests, the information included some combination of name, mailing address, phone number, email address, passport number, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Four years is plenty of time to exfiltrate all those details.

Ethical arguments for fun and profit?
We know ethics should inform AI. But which ethics?
Consider the difference between deontological and teleological ethical standards. The former focuses on the intention and the means, while the latter on the ends and outcomes.
Another useful yardstick is the so-called golden rule of ethics, which invites you to treat others in the way you would like to be treated. The difficulty in applying this principle to the burgeoning field of AI lies in the gulf separating the billions of people whose data are being accumulated and analysed from the billions of potential beneficiaries.
… Consider one last set of ethical standards: cultural relativism versus universalism. The former invites us to evaluate practices through the lens of the values and norms of a given culture, while the latter urges everyone to live up to a mutually agreed standard.

Saturday, February 15, 2020

You could see this one coming. Is the First Amendment a defense?
Class action suit against Clearview AI cites Illinois law that cost Facebook $550M
Just two weeks ago Facebook settled a lawsuit alleging violations of privacy laws in Illinois (for the considerable sum of $550 million). Now controversial startup Clearview AI, which has gleefully admitted to scraping and analyzing the data of millions, is the target of a new lawsuit citing similar violations.
Clearview made waves earlier this year with a business model seemingly predicated on wholesale abuse of public-facing data on Twitter, Facebook, Instagram and so on. If your face is visible to a web scraper or public API, Clearview either has it or wants it and will be submitting it for analysis by facial recognition systems.
Just one problem: That’s illegal in Illinois, and you ignore this to your peril, as Facebook found.
The lawsuit, filed yesterday on behalf of several Illinois citizens and first reported by Buzzfeed News, alleges that Clearview “actively collected, stored and used Plaintiffs’ biometrics — and the biometrics of most of the residents of Illinois — without providing notice, obtaining informed written consent or publishing data retention policies.”

An unreasonable request? Doesn’t the EU do much the same?
Twitter, Facebook Fined for Not Moving User Data to Russia
A court in Moscow fined Twitter and Facebook 4 million rubles each Thursday for refusing to store the personal data of Russian citizens on servers in Russia, the largest penalties imposed on Western technology companies under internet use laws.
The fines of nearly $63,000 are the first five-figure fines levied on tech companies since Russia adopted a flurry of legislation starting in 2012 designed to tighten the government’s grip on online activity.
Commenting on Thursday’s court rulings, Roskomnadzor said Twitter and Facebook would be fined 18 million rubles ($283,000) each if they don’t comply this year.
Last year, Twitter and Facebook were fined the equivalent of $47 each for violating the same personal data regulation. The punishment had no effect on the two companies, so in December Russian authorities increased the fines.

Oh yeah, Privacy. We were going to address that someday.
Ring to tighten privacy amid concerns it shares customer data with Facebook and Google
Ring, the Amazon-owned maker of smart-home doorbells and web-enabled security cameras, is changing its privacy settings two weeks after a study showed the company shares customers' personal information with Facebook, Google and other parties without users' consent.
The change will let Ring users block the company from sharing most, but not all, of their data. A company spokesperson said people will be able to opt out of those sharing agreements "where applicable." The spokesperson declined to clarify what "where applicable" might mean.

This is the first such ruling I recall. Once identified, will they try to re-gruntle this disgruntled customer?
SBS News reports:
The Federal Court of Australia has granted a Melbourne dentist an order which forces tech giant Google to reveal the identification of an anonymous online reviewer.
The lawyer for a Melbourne dentist who received an anonymous online negative review has welcomed the decision by an Australian Federal Court judge compelling Google to release the identity of the reviewer.
Dr Matthew Kabbabe claims the reputation of his Melbourne dental practice has suffered, following a scathing review left by a disgruntled customer late last year.
Read more on SBS News.

Need I say, Architecture!
Top 13 enterprise architecture tools for 2020
These popular and emerging EA tools offer businesses everything they need to support enterprise architecture and digital transformation.
Enterprise architecture (EA) tools help organizations align business objectives with IT goals and infrastructure. These tools help manage information related to EA while helping companies plan roadmaps for digital transformation. They offer collaboration, reports, testing, simulations and more to help organizations create and implement models for better business and IT processes, development and architecture.

One Architecture perspective.
AIoT – Convergence of Artificial Intelligence with the Internet of Things
The last such great convergence occurred in the late 1990s as mobile phones and the internet collided to change the course of human history. The convergence of AI and the IoT will bring in a similar revolution on an even grander scale.
The ability to capture data through IoT is a large-scale evolution that has exploded on the scene over the past five years. These new advancements have been accompanied by new concerns and threats associated with privacy and security. Large volumes of confidential company information and user data are tempting targets for dark web hackers as well as global government entities. The high level of risk has also brought new and greater responsibilities that accompany the increased capability.
Sensors are now applied to almost everything. This indicates that infinitely more data can be collected from every transaction or process in real-time. IoT devices are the front line of the data collection process in manufacturing environments and also in the customer service departments. Any device with a chipset can potentially be connected to a network and begin streaming data 24/7.

Obvious, but not commonly known. Parallels the changes businesses must make to remain competitive.
From July 2014 to April 2015, a period of about 10 months, experts estimate there were 23 million tweets involved in the self-proclaimed Islamic State’s online marshalling of support and influence operations. These tweets contained critical information about the group’s leadership, information narratives, and even indications of tactical activities. While the Islamic State didn’t tweet its way into Mosul, this open-source data was of significant intelligence value. But it’s impossible for any given analyst to sort and understand 23 million tweets manually. This illustrates the dilemma that recent advances in technology pose for traditional methods of intelligence analysis: The digitization of human society has made huge amounts of information available for analysis. This information comes from an ever-increasing number of sources, like online social networks, digital sensors, or ubiquitous surveillance, and has been increasingly useful for intelligence. Too much information is being produced too quickly for an intelligence analyst to even comprehend it using current analysis techniques and software, much less derive meaningful intelligence from it or verify its veracity.
The changing information environment will force the conduct of military intelligence analysis to change too. This change cannot simply be the acquisition of some new analysis software or implementation of a new policy, but rather must be more comprehensive changes across all military intelligence organizations. To meet the new realities of the information environment, and by corollary the new realities of intelligence analysis, the whole of military intelligence needs to modernize in three areas. First, military intelligence organizations like the Army G-2, the J-2, and Futures Command should continue modernizing the tools and infrastructure supporting intelligence analysis and make these changes more broadly available to the force. Second, the military intelligence schoolhouse ought to update how it trains and develops intelligence analysts. Third, military intelligence research organizations — like Intelligence Advanced Research Projects Activity and elements within U.S. Army Intelligence and Security Command — need research into potential disruptive technologies to maintain the integrity of intelligence analysis.

Security tools.
The Private Internet Access Android app is being open sourced
Private Internet Access (PIA) is open sourcing its Android VPN app and dependencies code to the public as part of its commitment to open sourcing all clients in the name of transparency and privacy. The Free and Open Source Software (FOSS) community is a cornerstone of everything we enjoy on the internet.
Private Internet Access first announced their plans to open source their VPN client software on all platforms in 2018. Over the last few years, PIA has open sourced its Chrome Extension, Firefox Add-On, Private Internet Access tunnel for Apple Platforms, and Desktop client. The open source PIA desktop client even includes the code for how to allow users to resolve Handshake names. It is with great pleasure that the PIA team releases the code for the PIA VPN Android App to the public for anyone to review.
Links to all of the repositories can be found at pia-foss on GitHub. More information on PIA’s FOSS codebases can also be found here.

We’re trying to help our students navigate the new interview process.
Cost Cutting Algorithms Are Making Your Job Search a Living Hell
More companies are using automated job screening systems to vet candidates, forcing jobseekers to learn new and absurd tricks to have their résumés seen by a human.

Policy: Double check before taking any irreversible action.

Friday, February 14, 2020

Ransomware Attacks Predicted to Occur Every 11 Seconds in 2021 with a Cost of $20 Billion

Election security takes planning. No evidence of that here.
Nevada Democrats Say They’ll Replace Their Caucus App With iPads And A Google Form
In just two days, Nevadans will begin early voting in the state’s Democratic caucuses. For the past few weeks, it’s been unclear how those votes would be integrated into the overall vote tallies after Nevada Democrats were spooked by the chaos in Iowa’s Democratic primary and decided to toss a previous plan to use an app. But today, the state Democratic party revealed how it intends to incorporate those early votes into the live caucuses on Feb. 22: “a simple, user-friendly calculator.”
What that means, exactly, is still a bit unclear. In a memo sent to campaigns Thursday and shared with FiveThirtyEight, the party wrote that “the caucus calculator will only be used on party-purchased iPads provided to trained precinct chairs and accessed through a secure Google web form.”
The memo didn’t provide any specifics about whether the calculator would be accessed through the Google form, or whether the Google form itself is the calculator.

The Simple Lessons from a Complicated Iowa Caucus
The first lesson is clear: Anything computerized can fail for a slew of reasons, from hacking to software defects to inadequate training of election workers. This includes tablets, voting machines, ballot scanners, electronic poll books, and apps on phones and tablets.
That is why a central tenet of the joint election protection work of the Brennan Center for Justice at New York University and Common Cause is to push states and counties to rigorously test equipment before it’s rolled out to voters, and to have backups for every critical part of the election, such as ballots, poll books, and voter registration databases. It’s important that officials have plenty of those supplies on hand so that they don’t run out, and to make sure workers understand how to use the backups.

'Sloppy' Mobile Voting App Used in Four States Has 'Elementary' Security Flaws
MIT researchers say an attacker could intercept and alter votes, while making voters think their votes have been cast correctly, or trick the votes server into accepting connections from an attacker.

For my Disaster Recovery lecture.
Coronavirus Is a Data Time Bomb
So far, less than 0.0008 percent of the humans on Earth have been diagnosed with the coronavirus known as COVID-19. But thanks to the circulation of disease and capital, the whole world has been affected.
Chinese manufacturing cities such as Wuhan, the epicenter of the outbreak, are intimately entangled with the supply chains of the entire world. That means that both the disease and the containment measures enacted to control it (take, for example, the quarantine still in place for 70 million people) will have a dramatic effect on businesses across disparate industries.

For my continuing education.
The Myth of the Privacy Paradox
I have posted to SSRN a copy of my latest draft article, The Myth of the Privacy Paradox. It’s available for download for free.
Here’s the abstract:
In this article, I deconstruct and critique the privacy paradox and the arguments made about it. The “privacy paradox” is the phenomenon where people say that they value privacy highly, yet in their behavior relinquish their personal data for very little in exchange or fail to use measures to protect their privacy.

Because politicians have done such a lousy job we haven’t been able to clear it up in 200 years?
Ohio to use artificial intelligence to evaluate state regulations
Lt. Gov. Jon Husted said his staff will use an AI software tool, developed for the state by an outside company, to analyze the state’s regulations, numbered at 240,000 in a recent study by a conservative think-tank, and narrow them down for further review.
“This gives us the capability to look at everything that’s been done in 200 years in the state of Ohio and make sense of it,” Husted said. [prior to this, nonsense? Bob]
The project is part of two Husted-led projects — the Common Sense Initiative, a state project to review regulations with the goal of cutting government red tape, and InnovateOhio, a Husted-led office that aims to use technology to improve Ohio’s government operations.

LC – New Online Collection: Military Legal Resources
In Custodia Legis: “This collection includes material from the William Winthrop Memorial Library at the U.S. Army Judge Advocate General’s Legal Center and School in Charlottesville, Virginia. The Judge Advocate General’s Corps (JAG) is the legal arm of the United States Army, established on July 29, 1775 by General George Washington. Judge Advocates are stationed in the United States and abroad. They are most known for representing soldiers during courts-martial, but their duties encompass a wide range of legal disciplines. Selections of their physical library collection have been digitized and made available to the public online, including primary source materials and publications in the field of military law. The collection is divided into three webpages to best highlight the type of material available: JAG Legal Center & School Materials, Historical Materials, and Military Law and Legislative History. These pages contain the digitized material, as well as descriptions of the collections and, in some cases, historical and contextual significance. The three webpages organize the collection with drop-down menus, under which you can find the descriptions and links to the PDFs…”

Thursday, February 13, 2020

Failure in architecture? Perhaps just politicians who thought they understood computing?
What the Iowa Caucus Tells Us About Cavalier Approaches to Technology
As details emerge about the tech issues that have delayed the results of the Iowa caucus and thrown the public into states of confusion and frustration, I marvel at the familiarity of the story to anyone who has spent long enough working on the front lines of enterprise technology.
Reports so far focus on the haphazard roll-out of a new voting app designed to facilitate (ostensibly) the transmission of results from caucus locations to centralized election monitors. A number of problems appear to have occurred with this process – ranging from caucus-site volunteers being unable to log in to report results to rumored compromising by outside parties to scramble the results-logging process. Whatever the final assessment, it’s certainly not too early to call this a disaster, with a bungled roll-out as catalyst.

(Related) Elections come every two years. The Census had 10 years to prepare.
Watchdog Warns Census Faces Cybersecurity, Hiring Risks Before National Rollout
The bureau recently discovered during testing that its main IT system for collecting online census responses was not able to allow enough users to fill out census forms at the same time "without experiencing performance issues," according to the GAO report released to the public on Wednesday during a House Oversight and Reform Committee hearing. Bureau officials have decided to switch to a backup system that they say will allow as many as 600,000 users to respond to the census online simultaneously.

A worry for my Architecture students.
Telltale signs of IT dysfunction — and how to fix it
The role of IT is evolving, and digital transformation has brought with it a new set of responsibilities and assumptions that can lead to IT dysfunction. An explosion of new initiatives, the need to produce more quickly, constant interaction with the business, managing third-party cloud environments instead of traditional data centers — with so much coming at IT these days, it’s little wonder that organizational tensions and challenges are rising.
Despite the focus on technology, some industry analysts say the root of today’s dysfunction can be traced to lingering silos in the business, organizational structures that measure performance vertically instead of horizontally, and an unwillingness to collaborate, which is fundamental to a corporate-wide, shared digital strategy.

Washington tries again.
A New U.S. Model for Privacy? Comparing the Washington Privacy Act to GDPR, CCPA, and More
In Washington State, a new comprehensive privacy law is moving quickly: last week, the Washington Privacy Act (SSB 6281) was voted out of the Washington Senate Ways & Means Committee, and appears likely to be voted on by the Senate. If approved, it will reach the House, which is currently considering (and amending) an almost identical companion bill. The deadline for the bill to be voted on by both Senate and House (including, if applicable, resolving any differences) is March 12, 2020.

Privacy more than pays for itself? What a concept!
Companies With Data Privacy Practices Enjoy Big Financial Benefits
Businesses investing in their privacy experience pronounced financial benefits, a new Cisco study suggests. According to the paper, entitled ‘Cisco Data Privacy Benchmark Study 2020’, businesses see an average return of 2.7 times on their original investment when they bankroll data privacy practices — confirming for the first time what had long been suspected by privacy advocates.

Computers and the Law, not just laws that include the word ‘computer?’ Should I encourage my Computer Science majors to go to Law School?
Why are Lawyers writing code?
British Legal Technology Forum: “We find ourselves in the midst of the 4th Industrial Revolution, and this digital transformation brings with it a need for change in our working practices. There is a shift towards a more innovative, fresh and connected way of doing business. Organisations that are digitally savvy, in every sector, are leading the way and growing exponentially. The legal sector is no exception – indeed in many ways, lawyers are ahead of the game. Legal firms are embracing digital legal software – reimagining their business, streamlining processes, integrating real-time systems, providing mobile access and automating routine tasks. As part of this, increasing numbers of lawyers are choosing to find out more about what is going on behind the technology that is transforming the way they work. Some want to become more familiar with technology ‘buzz words’ so they can converse knowledgeably with suppliers and optimise the use of their software. Others are learning to code for themselves. With apps and Artificial Intelligence (AI) becoming a lynchpin in the way forward-thinking legal firms now operate, and with these technologies so heavily reliant on coding, it is clear to see why lawyers are taking an interest… and why on Twitter #LawyersWhoCode is on the rise…”

More contact is probably good.
Nextdoor Wants to Be a One-Stop Shop for Police
The new Nextdoor for Public Agencies app, which launched publicly on February 12, enables police and fire departments, public schools, and City Hall agencies to post updates, push out alerts geo-targeted to reach specific neighborhoods, and read their messages on the go.

I like it, but it’s not for everyone.
This App Automatically Cancels and Sues Robocallers
DoNotPay, the family of consumer advocacy services meant to protect people from corporate exploitation, is launching a new app aimed at helping end our long national nightmare surrounding robocalls by giving you a burner credit card to get their contact details then giving you a chatbot lawyer to automatically sue them.

I might have to try some of these.
How To Teach Artificial Intelligence
A World Economic Forum report indicated that 89% of U.S.-based companies are planning to adopt user and entity big data analytics by 2022.
First, everyone needs to be able to recognize AI and its influence on people and systems, and be proactive as a user and citizen. Second, everyone should have the opportunity to use AI and big data to solve problems. And third, young people interested in computer science as a career should have a pathway for building AI.
Recognizing AI. AI4K12 is an initiative of leading computer scientists who have identified five big ideas that every student should know about AI:
  • Computers perceive the world using sensors.
  • Agents maintain representations of the world and use them for reasoning.
  • Computers can learn from data.
  • Intelligent agents require many types of knowledge to interact naturally with humans.
  • AI applications can impact society in both positive and negative ways.
The MIT Media Lab developed a middle school AI+Ethics course that hits many of these learning objectives.
For high school students interested in AI, data science and more broadly in computer science, a dedicated pathway or academy is a great option. A recommended course sequence includes:
A new college credit option is the MicroBachelors Program in Computer Science Fundamentals from edX (the three courses are free; the credit costs $500).
Industry certifications are an increasingly popular supplement to (or even replacement for) college credit courses. AWS Educate offers free cloud computing courses and stackable badges. Google also offers cloud training and certification.
Microsoft offers many training classes resulting in certificates. They have bundled resources into Imagine Academy, a set of resources used by schools in 135 countries.