Saturday, September 02, 2017

I don’t think I’ve ever seen a breach update claiming that fewer records were lost than initially believed.  At least they updated quickly. 
That Instagram hack is shaping up to be way bigger than anyone thought
A bug in the social media company's API reportedly allowed hackers to gain access to account holders' phone numbers and email addresses, with Instagram assuring everyone on Aug. 30 that it was the celebs of the world who were targeted.  But that was then. 
Things are looking just a tad bit different now, with reports suggesting that as many as 6 million accounts were possibly affected and that regular old users may have fallen victim as well. 
The company issued a new statement on Sept. 1, copping to the fact that things may be worse than it originally admitted. 


It’s all in the timing…
Yes, let’s release a breach notification at 5 pm on the Friday of a big holiday weekend….
In this case, it’s The Neurology Foundation in Rhode Island, reporting on an incident involving employee wrongdoing.  You can read the full press release here.  Note that although the problem was discovered months ago, notification of the breach was delayed “as a result of law enforcement’s investigation.”  But does that mean that law enforcement actually asked them to delay notification, or did they just decide to delay notification themselves due to the investigation?

(Related).
And yet another breach disclosed at the beginning of a holiday weekend – this one posted by the State of Alaska:
September 1, 2017 ANCHORAGE – The Alaska Department of Health and Social Services had a security breach that may have disclosed personal information of individuals who have interacted with the Office of Children’s Services.  Due to the potential for stolen personal information, DHSS urges Alaskans who have been involved with OCS to take actions to protect themselves from identity theft.
On July 5 and July 8, two OCS computers were infected with a Trojan horse virus, resulting in a potential HIPAA breach of more than 500 individuals.  It is not yet known if the division’s confidential information was accessed.  It is possible that OCS reports and documents containing family case files, personal information, medical diagnoses and observations, and other related information was accessed during this breach.  


How to turn a (relatively) small breach into a true nightmare.
We haven’t seen many data security enforcement actions under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, but a recent case is a good opportunity to remind entities that they may be covered by it even if they didn’t know it.
Edward McAndrew, Kim Phan, and Zaven Sargsian of Ballard Spahr write:
The Federal Trade Commission (FTC) this week announced a consent order with TaxSlayer, LLC, an online tax preparation services provider, to settle claims that the company violated the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and Privacy Rule.
As part of the online tax preparation process, TaxSlayer customers are asked to provide a significant amount of sensitive personal information, including Social Security number, telephone number, address, income, marital status, family size, bank names, and bank accounts.
Between October and December 2015, hackers were able to access account information for approximately 8,800 TaxSlayer customers, resulting in an unknown number of false tax returns being filed.
Read more on JDSupra.
As the authors note, the FTC also blogged about this case on the FTC’s site.  Lesley Fair of the FTC writes, in part:
For a two-month period in 2015, TaxSlayer was subject to a list validation attack, which allowed remote attackers to access the accounts for about 8,800 TaxSlayer users.  (A list validation attack, also known as credential stuffing, is where hackers steal login credentials from one site and then – banking on the fact that some consumers use the same password on multiple sites – use them to access accounts on other popular sites.)  In an unknown number of cases, criminals used the data to commit tax identity theft.  They filed fake returns with altered routing numbers and pocketed refunds they weren’t owed.  And what a mess that left for victimized consumers.  Long delays in getting their rightful refunds, freezes or holds on their credit, and endless hours trying to unscramble the ID theft egg.
In the proposed complaint, the FTC alleges that TaxSlayer violated the Privacy Rule and Reg P by failing to give customers the privacy notices they were due.  What’s more, TaxSlayer violated the Safeguards Rule by failing to have a written information security program, failing to conduct the necessary risk assessment, and failing to put safeguards in place to control those risks – specifically, the risk that remote attackers would use stolen credentials to take over consumers’ TaxSlayer accounts and commit tax identity theft.
Tracking the settlements in several other GLB cases, TaxSlayer must comply with the rules and will be subject to every-other-year independent assessments for the next decade.  You can file a comment about the proposed settlement by September 29, 2017.


The same concerns just before every election.  Someone is going to get burned. 
Russian Election Hacking Efforts, Wider Than Previously Known, Draw Little Scrutiny


Same technique is used to select “smart bomb” targets.  (With much better resolution.)
Facebook maps populations in 23 countries to expand internet
In a bid to expand the reach of internet to every corner of the world, Facebook said that it has created a data map of the human population of 23 countries by combining government census numbers with information obtained from satellites.
Citing Janna Lewis, Facebook's head of strategic innovation partnerships and sourcing, the Media reported that the mapping technology can pinpoint any man-made structures in any country on Earth to a resolution of five metres.


I might have my students use this to record their Digital Forensics homework.  (Looks like this is Chrome only for now.)
Loom - Screencast on Chromebooks, Macs, and PCs
Loom is a free screencasting tool that works on Chromebooks, Macs, and Windows computers.  Loom is a Chrome extension.  With Loom installed you can record your desktop, an individual tab, and or your webcam.  That means that you could use Loom to just record a webcam video on a Chromebook.  Of course, this also means that you can use Loom to record your webcam while also recording your desktop.  Loom recordings can be up to ten minutes long.  A completed recording can be shared via social media and email.  You can also download your recordings as MP4 files to upload to YouTube or any other video hosting service.
Applications for Education
This is the time of year when you're likely to be introducing some new tools to your students and or your colleagues.  Creating a screencast video that your students or colleagues can watch whenever they need reminders of how to use a tool can save you a lot of time in the long run.  Loom makes it easy to quickly record a screencast video on almost any computer. 

Friday, September 01, 2017

Contempt, where deserved is a good thing.
Medicare data breach: government response ‘contemptible’, says former AFP officer
The federal government’s response to a Medicare data breach that led to patient details being sold on the dark web was “disappointing, confusing and often contemptible,” according to a former detective who headed the Australian federal police’s investigations into high-tech crime.
   A Guardian Australia investigation revealed in July that a darknet vendor on a popular auction site for illegal products was selling access to anyone’s Medicare card details.  The seller used an Australian Department of Human Services logo to advertise what they called “the Medicare machine”.
   A few days after Guardian Australia revealed the data breach, Tudge and Hunt announced a review into the the security of Medicare online.  The government has still not announced how the breach occurred.  The review’s final report is due by 30 September.  The government was warned in 2014 in a report from the auditor-general’s department that Medicare data security procedures did not fully comply with mandatory information security requirements.  


Should be interesting to see who reacts (and how) when all of this data is released.
Ben Hancock reports:
Civil liberties advocates scored a win at the California Supreme Court on Thursday with a unanimous ruling that data gathered by police license plate readers are not generally exempt from public disclosure under state law.
The American Civil Liberties Union, the Electronic Frontier Foundation, and various news organizations have sought data collected by automated license plate readers (ALPRs) to raise awareness about how much data is collected by police on innocent civilians.
Read more on The Recorder.


Social Media can be useful?  Who knew?
After Harvey, Small Social Networks Prove Their Might
   In the aftermath of Hurricane Harvey — which has left thousands seeking shelter — small, locally oriented social networks like Zello are showing their strength as organizing tools.  Though social networks are an imperfect substitute for rescue infrastructure, a listen into Zello, or a peek into Nextdoor (where neighbors are working to inform and help each other), or even a visit to Harvey-related Facebook groups shows why people are relying on these networks.  They are focused and intensely local, and put critical information in front of the right audiences quickly with little distraction or noise.


Isn’t this how deliveries were made before things like postal services?  Are there more start-up potentials in Ye Olde Way of doing other things? 
Same-day delivery startup Deliv expands to 1,400 cities, rivalling Amazon’s Prime Now
As Amazon continues to expand its retail muscle beyond its own e-commerce portal, there’s been some activity among startups and businesses hoping to develop systems that can help others compete better with it.  Deliv, a “crowdsourced” same-day delivery startup that currently partners with some 4,000 retailers to help them offer same-day delivery services to rival those of Amazon, today announced that it has expanded its service to 33 markets and 1,400 cities, up from 19 markets previously.
   Deliv squarely addresses one aspect of the commerce retail chain: getting delivery of goods purchase online, and getting them quickly — a service and expectation that has become a norm for many in today’s on-demand world.
“Same day delivery is quickly becoming table stakes across every retail segment.  With Deliv, retailers can offer their customers that same exceptional level customer experience without the need to invest in their own asset-based delivery fleet,” said Daphne Carmeli, CEO and founder of Deliv, in a statement.


Mark wishes to remind you that he is not running for President in 2020.
Mark Zuckerberg calls on Trump to protect ‘dreamers’ from immigration reforms
Facebook CEO Mark Zuckerberg and other tech executives are calling on President Donald Trump to preserve the rights of "dreamers" under any immigration reform plan.
   In an open letter published Thursday, the executives urged the president to retain the policy, saying that the U.S. economy would lose hundreds of billions of dollars if workers and students currently protected by DACA were faced with deportation.


I’ll bet most of my students don’t know these tricks.  (Or that they have a middle button on their two button mouse.)


Next Quarter, I’m teaching Spreadsheets again.  

Thursday, August 31, 2017

In addition to not noticing that their employees were gaming the system to “earn” higher bonuses, they apparently couldn’t even count how many times it had happened!
Wells Fargo: There were nearly 70 percent more potentially fake accounts opened than originally thought
   On Thursday, the bank said the review of 165 million retail accounts opened from January 2009 to September 2016 identified 3.5 million as potentially unauthorized.  That is up from the 2.1 million accounts originally identified in a narrower review that only covered 93.5 million accounts opened from May 2011 to mid-2015.


Didn’t they have backups?
Drew Tripp reports:
Dorchester School District 2 officials say no student or staff member’s identity information was stolen or compromised in a ransomware attack on the district’s computer network servers over the summer, but that some files were corrupted and lost, and the district was forced to pay a ransom to regain access to other data.
In a letter sent to parents and staff Wednesday, DD2 officials revealed its operating system and database were left disabled on 25 of the 65 servers for the district’s computer network after they were infected with a ransomware virus during the summer.
Read more on ABC4.


Just another “Thing” on the Internet of Things.
TheNewsaper.com reports:
The push to connect vehicles to one another and to the Internet has created a role for federal agencies to clarify its privacy protection role, the Government Accountability Office (GAO) concluded in a report released on Monday.  The government watchdog agency is worried that vehicles will continue to collect more and more data while federal standards continue to fall behind, failing to keep up with the pace of change in the industry.
[…]
GAO researchers contacted the sixteen automakers responsible for 90 percent of the cars and trucks sold in the United States and found that thirteen of them offered automobiles that connected to the Internet.  In 2014, GAO released a report focusing on the privacy of in-car navigation devices (view report), but this report focused specifically on systems that use a SIM card to connect to wireless data providers to provide services such as roadside assistance or automatic crash notification.
Read more on TheNewspaper.com.
A copy of the report is available in a 3mb PDF file at the source link below.
Source: Vehicle Data Privacy (Government Accountability Office, 8/28/2017)


Too busy to follow all the rules?  Does that suggest the rules are poorly written or just time consuming?  Do we need the rules at all? 
From HHS, clarification during these difficult times:
In response to Hurricane Harvey, U.S. Department of Health and Human Services (HHS) Secretary Tom Price, M.D., declared a public health emergency in Texas and Louisiana and has exercised the authority to waive sanctions and penalties against a Texas or Louisiana covered hospital that does not comply with the following provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule:
  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • The requirement to honor a request to opt out of the facility directory
  • The requirement to distribute a notice of privacy practices
  • The patient’s right to request privacy restrictions
  • The patient’s right to request confidential communications
Other provisions of the Privacy Rule continue to apply, even during the waiver period.
For more detailed information regarding HIPAA privacy and disclosures in emergency situations, click here.
For more detailed information regarding emergency situation preparedness, planning, and response, click here.
To utilize the Disclosures for Emergency Preparedness Decision Tool, click here.


Making Artificial Intelligence deliberately stupid?
Researchers Poison Machine Learning Engines
The more that artificial intelligence is incorporated into our computer systems, the more it will be explored by adversaries looking for weaknesses to exploit.  Researchers from New York University (NYU) have now demonstrated (PDF) that convolutional neural networks (CNNs) can be backdoored to produce false but controlled outputs.
Poisoning the machine learning (ML) engines used to detect malware is relatively simple in concept.  ML learns from data.  If the data pool is poisoned, then the ML output is also poisoned -- and cyber criminals are already attempting to do this.
   CNNs, however, are at a different level of complexity -- and are used, for example, to recognize and interpret street signs by autonomous vehicles.


A shame this is limited to rural areas…
Rural America Is Building Its Own Internet Because No One Else Will
   About 19 million Americans still don't have access to broadband internet, which the Federal Communication Commission defines as offering a minimum of 25 megabits per second download speeds and 3mbps upload speeds.  Those who do have broadband access often find it's too expensive, unreliable, or has prohibitive data caps that make it unusable for modern needs.  
In many cases, it's not financially viable for big internet service providers like Comcast and CharterSpectrum to expand into these communities
   Here, a look at three rural counties, in three different states, demonstrates how country folk are leading their communities into the digital age the best way they know how: ingenuity, tenacity, and good old-fashioned hard work.


Amusement for my Ethical hacking students.  Nice and secure, except for the override tool. 
The Hotel Room Hacker
   Onity didn’t patch the security flaw in its millions of vulnerable locks.  In fact, no software patch could fix it.  Like so many other hardware companies that increasingly fill every corner of modern society with tiny computers, Onity was selling a digital product without much of a plan to secure its future from hackers.  It had no update mechanism for its locks.  Every one of the electronic boards inside of them would need to be replaced.  And long after Brocious’ revelation, Onity announced that it wouldn’t pay for those replacements, putting the onus on its hotel customers instead.  Many of those customers refused to shell out for the fix—$25 or more per lock depending on the cost of labor—or seemed to remain blissfully unaware of the problem.
And so instead of Brocious’ research protecting millions of hotel rooms from larceny-minded hackers, it served up a rare, wide-open opportunity to criminals.


Something for our Criminal Justice students to dive into?
Bureau of Justice Statistics Arrest Data Analysis Tool
by on
Bureau of Justice Statistics Arrest Data  Analysis Tool: “This dynamic data analysis tool allows you to generate tables and figures of arrest data from 1980 onward.  You can view national arrest estimates, customized either by age and sex or by age group and race, for many offenses.  This tool also enables you to view data on local arrests.  Select National Estimates or Agency-Level Counts from the menu above.  Use the Annual Tables to view tables of arrest data broken down by sex, race, age, or juvenile and adult age groups.  Select Trend Tables by Sex or Trend Tables by Race to create customized tables of long-term trends. In National Estimates, you can also view figures of long-term trends by sex or by race and age-arrest curves for many offenses.  The underlying data are from the FBI’s Uniform Crime Reporting (UCR) Program.  BJS has expanded on the FBI’s estimates to provide national arrest estimates detailed by offense, sex, age, and race.  The Methodology tab describes estimation procedures and the limitations of the arrest data.  The Terms & Definitions tab explains the meaning or use of terms, including the FBI’s offense definitions.  You can download output to Excel format.  This User’s Guide provides everything you need to get started.”

Wednesday, August 30, 2017

"War is the continuation of politics by other means."  Well, so is state sponsored hacking. 
North Korea Accused of Stealing Bitcoin to Bolster Finances
   This basic premise that North Korea is targeting bitcoins is reiterated in a report from the United Press International news agency.  It says, "The CWIC Cyber Warfare Research Center in South Korea stated a domestic exchange for bitcoin, the worldwide cryptocurrency and digital payment system, has been the target of an attempted hacking...  CWIC's Simon Choi said it is 'not only one or two exchanges where attack attempts have been made'."


Use any advantage you can find (or create)?
Jamie Williams and Amul Kalia write:
Good news out of a court in San Francisco: a judge just issued an early ruling against LinkedIn’s abuse of the notorious Computer Fraud and Abuse Act (CFAA) to block a competing service from perfectly legal uses of publicly available data on its website.  LinkedIn’s behavior is just the sort of bad development we expected after the United States Court of Appeals for the Ninth Circuit delivered two dangerously expansive interpretations of the CFAA last year—despite our warnings that the decisions would be easily misused.
Read more on EFF.
[From the article: 
Within weeks after the decisions came out, LinkedIn started sending out cease and desist letters citing the bad case law—specifically Power Ventures—to companies it said were violating its prohibition on scraping.  One company LinkedIn targeted was hiQ Labs, which provides analysis of data on LinkedIn user’s publicly available profiles.  Linkedin had tolerated hiQ’s behavior for years, but after the Power Ventures decision, it apparently saw an opportunity to shut down a competing service.  LinkedIn sent hiQ letters warning that any future access of its website, even the public portions, were “without permission and without authorization” and thus violations of the CFAA. 


Interesting, but will customers be willing to walk to the curb (in rain, snow, dark of night, or from their 12th floor apartment) to retrieve their pizzas? 
Ford driverless cars to deliver Domino's pizzas
   Participants will receive text messages as the self-driving vehicle approaches with instructions on how to retrieve their pizza, which can be unlocked from a “heatwave compartment” inside the vehicle using a unique code.


Perspective.  Because one AI isn’t enough?  Note that they won’t share data. 
Alexa meets Cortana: Amazon and Microsoft to integrate their digital assistants
Amazon and Microsoft announced something of a curveball this morning as they released plans to integrate Alexa and Cortana, their respective voice-activated digital assistants.
Later this year, consumers will be able to request Cortana support through Alexa-powered devices, such as Amazon’s range of Echo smart speakers, while those using a Cortana-enabled device will be able to beckon Alexa.


Who could possibly be interested. 
FBI shuts down request for files on Hillary Clinton by citing lack of public interest
The FBI is declining to turn over files related to its investigation of former Secretary of State Hillary Clinton’s emails by arguing a lack of public interest in the matter.
   in a letter sent this week and obtained by Fox News, the head of the FBI’s Records Management Division told Clevenger that the bureau has “determined you have not sufficiently demonstrated that the public’s interest in disclosure outweighs personal privacy interests of the subject.”


How could I pass up an article with a title like this?
Who Falls for Fake News? The Roles of Analytic Thinking, Motivated Reasoning, Political Ideology, and Bullshit Receptivity
by on
Pennycook, Gordon and Rand, David G., Who Falls for Fake News?  The Roles of Analytic Thinking, Motivated Reasoning, Political Ideology, and Bullshit Receptivity (August 21, 2017).  Available at SSRN: https://ssrn.com/abstract=3023545
“Inaccurate beliefs pose a threat to democracy and fake news represents a particularly egregious and direct avenue by which inaccurate beliefs have been propagated via social media.  Here we investigate the cognitive psychological profile of individuals who fall prey to fake news.  We find a consistent positive correlation between the propensity to think analytically – as measured by the Cognitive Reflection Test (CRT) – and the ability to differentiate fake news from real news (“media truth discernment”).  This was true regardless of whether the article’s source was indicated (which, surprisingly, also had no main effect on accuracy judgments).  Contrary to the motivated reasoning account, CRT was just as positively correlated with media truth discernment, if not more so, for headlines that aligned with individuals’ political ideology relative to those that were politically discordant.  The link between analytic thinking and media truth discernment was driven both by a negative correlation between CRT and perceptions of fake news accuracy (particularly among Hillary Clinton supporters), and a positive correlation between CRT and perceptions of real news accuracy (particularly among Donald Trump supporters).  This suggests that factors that undermine the legitimacy of traditional news media may exacerbate the problem of inaccurate political beliefs among Trump supporters, who engaged in less analytic thinking and were overall less able to discern fake from real news (regardless of the news’ political valence).  We also found consistent evidence that pseudo-profound bullshit receptivity negatively correlates with perceptions of fake news accuracy; a correlation that is mediated by analytic thinking.  Finally, analytic thinking was associated with an unwillingness to share both fake and real news on social media.  Our results indicate that the propensity to think analytically plays an important role in the recognition of misinformation, regardless of political valence – a finding that opens up potential avenues for fighting fake news.”  


Cute.  I haven’t seen a tool like this in years. 
Interactive web visualization of information about capabilities consequences of missile launches
by on
MISSILEMAP is an interactive web visualization meant to aid in the understanding of information about the capabilities and consequences of missile launches, in particular nuclear-armed ballistic missiles.  It allows for the graphical representation of ranges, great-circle paths, accuracy (Circular Error Probable), blast damage, and probabilities of kill (the chance that a given weapon will put a particular amount of blast damage on a target).  It was made to aid in discussions about missile development, since the technical nature of honest-to-god “rocket science” can make it rather impenetrable from the perspective of laymen, yet many of the fundamental questions are key to local understanding of geopolitical questions (e.g., “could North Korea hit my city with their latest missile?”).  It was created by Alex Wellerstein, a historian of science and technology at the College of Arts and Letters at the Stevens Institute of Technology, in Hoboken, New Jersey, USA.  The site’s hosting is paid for by the College of Arts and Letters.  It is programmed in Javascript, making extensive use of JQuery and the D3.js libraries, as well as the Google Maps Web API.  Professor Wellerstein is a historian of nuclear weapons, the creator of the NUKEMAP, the author of the Restricted Data Blog, and developed this application using Cold War-era algorithms that have long since been declassified…”


How to test online students? 
Skype’s new ‘Interviews’ feature lets you test candidates using a real-time code editor
Skype recently introduced a feature designed to cement its place among business users who aren’t as interested in things like emoji reactions or “Stories.”  It now supports conducting technical interviews via its service through a new Skype Interviews feature.  From a dedicated website, interviewers can test candidates in seven programing languages over Skype using a real-time code editor.
The feature was introduced a few days ago as a technical preview, and currently only works in the browser version of Skype, Microsoft tells us.
Of course, there are already a number of solutions for conducting interviews with remote technical talent on the market, like HackerRank, Codility, Interview Zen, CoderPad, Remoteinterview.io, HireVue’s CodeVue (née CodeEval), and others.
But the benefit to using Skype is the platform’s ubiquity, which makes it a regular tool for doing remote video calls of any kind.  Bundling in an interview testing feature within Skype could speed up the interview process, as subjects won’t have to switch to a different tool to complete the technical screening.

Tuesday, August 29, 2017

You should probably keep your public facing website and you back-office applications separate, as in “not linked.”  Just saying… 
WHEC reports:
Major League Lacrosse is investigating a massive data leak that exposed every individual player’s personal information.
According to an email the league sent to all players Monday evening — that was in turn sent to News10NBC by a player — a link on one of their website pages mistakenly re-directed browsers to a spreadsheet.  The spreadsheet contained every player in the league’s names, phone numbers, email and mailing addresses, Social Security numbers and more.
Read more on WHEC.  That “more” in the personal info sentence was defined in the email sent to players as:
full name, address, telephone number, email address, Social Security number, citizenship, date of birth, height, weight, position, college, graduation year, team, and non-MLL occupation.
According to the MLL, they have 230 players in 9 teams.


I think they got something wrong.  None of this is new.  Granted, some was not used by personal devices, but the technology has been around for years. 
Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic
by on
“The growing market for smart home IoT devices promises new conveniences for consumers while presenting new challenges for preserving privacy within the home.  Many smart home devices have always-on sensors that capture users’ offline activities in their living spaces and transmit information about these activities on the Internet.  In this paper, we demonstrate that an ISP or other network observer can infer privacy sensitive in-home activities by analyzing Internet traffic from smart homes containing commercially-available IoT devices even when the devices use encryption.  We evaluate several strategies for mitigating the privacy risks associated with smart home device traffic, including blocking, tunneling, and rate-shaping.  Our experiments show that traffic shaping can effectively and practically mitigate many privacy risks associated with smart home IoT devices.  We find that 40KB/s extra bandwidth usage is enough to protect user activities from a passive network adversary.  This bandwidth cost is well within the Internet speed limits and data caps for many smart homes.”


Interesting.  You can keep on spreading Russian propaganda but we don’t want you to profit from it?  Was that ever their primary objective?  Would kicking them off Facebook be a better solution? 
Facebook says Pages that regularly share false news won’t be able to buy ads
The company has already been working with outside fact-checkers like Snopes and the AP to flag inaccurate news stories.  (These aren’t supposed to be stories that are disputed for reasons of opinion or partisanship, but rather outright hoaxes and lies.)  It also says that when a story is marked as disputed, the link can no longer be promoted through Facebook ads.
The next step, which the company is announcing today, involves stopping Pages that regularly share these stories from buying any Facebook ads at all, regardless of whether or not the ad includes a disputed link.


Because we are more intellectual or because we are more technical?
Intellectual Property in the New Technological Age: 2017 – Chapters 1 and 2
by on
Menell, Peter S. and Lemley, Mark A. and Merges, Robert P., Intellectual Property in the New Technological Age: 2017 – Chapters 1 and 2 (July 18, 2017). Intellectual Property in the New Technological Age 2017: Vol. II Copyrights, Trademarks and State IP Protections; ISBN-13: 978-1945555077; UC Berkeley Public Law Research Paper; Stanford Public Law Working Paper. Available at SSRN: https://ssrn.com/abstract=2999038
“Rapid advances in digital and life sciences technology continue to spur the evolution of intellectual property law.  As professors and practitioners in this field know all too well, Congress and the courts continue to develop intellectual property law and jurisprudence at a rapid pace.  For that reason, we have significantly augmented and revised Intellectual Property in the New Technological Age…”


Cheaper access to research means better student papers?
New studies continue to predict troubled waters ahead for paywall journals
by on
Phys.org – “Two independent studies looking at two aspects of paywalls versus free access to research papers suggest that trouble may lie ahead for traditional journals that continue to expect payment for access to peer-reviewed research papers.  In the first study, a small team of researchers from the U.S. and Germany looked at the number of freely available papers on the internet using a web extension called Unpaywall—users enter information and the extension lists sources online for free.  In the second study, a team with members from Canada, the U.S. and Germany looked at the popularity of a website known as Sci-Hub that collects and freely distributes research papers.  Both groups have written papers describing their studies and results and have uploaded them to the PeerJ Preprints server.  Free access to research papers is a hot topic in the research community, perhaps indicating coming changes to the status quo…”
[Get the extension for Firefox: http://unpaywall.org/  ]


Will this inspire my students?  
Uber's New CEO May Get at Least $200 Million to Exit Expedia
   Dara Khosrowshahi, who spent 12 years at the helm of Expedia Inc., held unvested stock options in that company worth $184.4 million as of Friday’s close in New York, according to data compiled by Bloomberg.  Companies typically grant replacement awards to executives who must forfeit unvested equity when they leave before their employment terms have expired.
The ride-hailing company will likely also grant Khosrowshahi additional compensation, such as an annual salary and stock awards that vest over several years to ensure he remains on the job for the forseeable future.  That could push his total price tag north of $200 million.


Something for my students to fiddle with.
Glitch is a playground for coders of all kinds.  Through it, you can make your own app or remix any of the existing projects on the site.  You can be creative without the fear of breaking anything — and there are veteran coders who are standing by to help you do it.
It’s an open and free collaborative coding site that’s basically a miniature programming school.
Glitch gives you all the tools to instantly create, remix, edit, and host an app, bot, or site.  You can invite collaborators who can simultaneously edit the code with you.  Right now, the programming sandbox only supports Node.js.


I have to admit, none of these seem appealing, but maybe someone will like them.


Let’s see how many of my students already know about this.
Amazon Offers Students Music Unlimited for $4.99/Month
To coincide with everyone going back to school, Amazon is offering students a Music Unlimited subscription for just $4.99/month.  That's a saving of $60 per year for non-Prime members.  But it gets even better if you are a Prime Student member.  Amazon is offering you six months access for just $6.  After that, it reverts to the $4.99/month price as long as you remain a student.
In order to take advantage of this student offer, Amazon requires customers first validate their status as a student.  For that, Amazon uses third-party service SheerID, which apparently happens without interruption to the customer.

(Related).  Take a look at what SheerID claims to be able to verify. 
SheerID
   Our most popular products are military verification, college student verification, and teacher verification.

Monday, August 28, 2017

Interesting to me when mainstream magazines start reporting on Apps invading Privacy.  Maybe they are finally recognizing that, “We were planning to add a feature for you, but we changed our mind” isn’t really an excuse.  Especially when that feature would have announced to everyone on your Contacts list that you were using the “Anonymous” messaging App. 
Sarahah Has Been Downloading All the Data In Your Address Book
The anonymous messaging app, biled as a platform for honest feedback, has reportedly also been saving all the contacts in your phone.  According to The Intercept, when users download the app for the first time, “it immediately harvests and uploads all phone numbers and email addresses in your address book.”  In some cases, Sarahah does ask for permission to access your contacts, but it does not disclose that it will be saving the data to its own servers. 
Sarahah’s founder, Zain al-Abidin Tawfiq, tweeted in response to The Intercept's article , saying that the contacts were being uploaded for a planned “find your friends” feature.  The feature was then delayed due to “technical issues” and was accidentally not removed from the current version of the app.  He added that “the data request will be removed on next update.”

(Related).
It seemed like such a friendly App…
With weather on everyone’s mind this week, this might be a good time to point out that AccuWeather was caught sending user location data – even when location sharing is off.
Last week, Zack Whittaker reported:
Popular weather app AccuWeather has been caught sending geolocation data to a third-party data monetization firm, even when the user has switched off location sharing.
AccuWeather is one of the most popular weather apps in Apple’s app store, with a near perfect four-star rating and millions of downloads to its name.  But what the app doesn’t say is that it sends sensitive data to a firm designed to monetize user locations without users’ explicit permission.
Read more on ZDNet and do read their follow-up how the problem persisted even after it was allegedly fixed.


There is value in anonymous speech.
China Tightens the Noose on Free Online Speech, Again
Chinese authorities have stepped up their war against free online speech by banning web platforms from accepting comments from anonymous users.
China's "cyberspace administration" said in rules published Friday that internet forum providers had to force their users to register using their real names, which they must verify, reports The Diplomat.  The web companies must also immediately report illegal comments to the authorities, and pre-screen comments on current affairs.
Illegal comments include those that spread rumors, potentially disrupt social order, leak secrets, damage China's national honor, incite hatred, undermine the state's policies about religion, and insult people.

(Related).
Hundreds of Russians Protest Tighter Internet Controls
About 1,000 Russians braved pouring rain in Moscow on Saturday to demonstrate against the government's moves to tighten controls on internet use, with police arresting about a dozen protesters.
,,,   In July, Russia's parliament voted to outlaw web tools that let internet users sidestep official bans of certain websites.
It allows telecommunications watchdog Roskomnadzor to compile a list of so-called anonymiser services and prohibit any that fail to respect the bans, while also requiring users of online messaging services to identify themselves with a telephone number.
"Innovation and technology will win!  We will defend our freedoms!" one protester said, according to a broadcast of the march on YouTube.
Russia's opposition groups rely heavily on the internet to make up for their lack of access to the mainstream media.
But the Russian authorities have been clamping down on such online services, citing security concerns.


Fits in to the discussion my classes are having.
Kill animals and destroy property before hurting humans, Germany tells future self-driving cars
Germany’s government has answered the car ethics question once and for all: driverless cars should prioritize the protection of human life over the destruction of animals or property.
On Wednesday, the nation's Federal Ministry of Transport and Digital Infrastructure – a curious combination that suggests they took "information superhighway" too literally – announced it will "implement" guidelines devised by a panel of experts scrutinizing self-driving technology.
Back in June, the ministry's ethics commission produced a report on how computer-controlled vehicles should be programmed and designed in future.  The panel of 14 scientists and legal eggheads suggested some 20 rules autonomous rides should follow.  Now, Germany's transport regulator has pledged to enforce them in one way or another.
Among the proposed rules are:
  • The protection of human life always has top priority. If a situation on the road goes south, and it looks as though an accident is going to happen, the vehicle must save humans from death or injury even if it means wrecking property or mowing down other creatures.
  • If an accident is unavoidable, the self-driving ride must not make any choices over who to save – it can't wipe out an elderly person to save a kid, for instance. No decisions should be made on age, sex, race, disabilities, and so on; all human lives matter.
Ultimately, drivers will still bear responsibility if their autonomous charabanc crashes, unless it was caused by a system failure, in which case the manufacturer is on the hook.


I always thought of fingerprints as solid science.  Perhaps the procedure needs review? 
New on LLRX – Fingerprint Forensics: From Lore to Law
by on
Notable developments in courtrooms, academia and government institutions, both state and federal, are laying the groundwork for challenges to fingerprint matching.  This extensively researched, comprehensive annotated bibliography by Ken Strutin includes new and noteworthy materials such as key opinions, significant articles and online resources concerning accuracy, reliability, validity as well as authenticity of fingerprint evidence.  It also includes information on scientific and technological developments that are pushing the frontiers of biometric analysis.


Tossing the baby out with the bathwater?  Are we missing an opportunity to point out the errors in their logic and more importantly, the opportunity to laugh at them?  Worth reading. 
Nazis, The Internet, Policing Content And Free Speech
    I want to discuss an issue that's already received plenty of attention: how various platforms -- starting with GoDaddy and Google, but with much of the attention placed on Cloudflare -- decided to stop serving the neo-Nazi forum site the Daily Stormer.
   Let's start with the basics: Nazis -- both the old kind and the new kind -- are bad.  My grandfather fought Nazis in Europe and Northern Africa during WWII, and I have no interest in seeing Nazis in America of all places.  But even if you believe that Nazis and whoever else uses the Daily Stormer are the worst of the absolute worst, there are many other issues at play here beyond just "don't provide them service."  Of course, lots of services are choosing not to.  Indeed, both the Washington Post and Quartz are keeping running tallies of all the services that have been booting Nazis and other racist groups.  And, I think it's fairly important to state that these platforms have their own First Amendment rights, which allow them to deny service to anyone.  There's certainly no fundamental First Amendment right for people to use any service they want.  That's not how free speech works.  
   As many experts in the field have noted, these things are complicated.  And while I know many people have been cheering on each and every service kicking off these users, we should be careful about what that could lead to.  Asking platforms to be the arbiters of what speech is good and what speech is bad is frought with serious problems.


If nothing else, you must admit he can catch the spotlight whenever he wants to.  (Which seems to be, every time he thinks people are beginning to forget him.)  
Kim Dotcom Wants YouTube Stars to Test His Bitcoin Payment System
Kim Dotcom, the file-sharing entrepreneur who is currently fighting extradition from New Zealand to the U.S. on copyright violation charges, has provided a glimpse of the new payments platform he says will make it easier to reward creators for their work.
Dotcom first talked about his Bitcache micropayments platform a year ago, when he said the bitcoin-connected system could provide a new business model for file-sharing—this would involve those who upload copyrighted media being able to charge downloaders small amounts. However, on the weekend he showed off how the platform could be used.
In a YouTube video, Dotcom showed how YouTube creators could embed a bar at the bottom of their videos, encouraging their viewers to give them very small amounts of money through their Bitcache accounts.

(Related)
Kim Dotcom to shift to Queenstown after assets and money released
   Dotcom, who is fighting extradition to the US, tweeted a Hong Kong judge had released some of his fortune and four container loads of property.
   The entrepreneur has fought for the past five years to have assets worth US$42.57m ($57.4m) released after they were seized under the instruction of the US government.
   Dotcom is flagging new court action against the New Zealand Government after a High Court judgment revealed he was under GSCB surveillance far longer than spies had previously admitted.