Monday, December 31, 2018

Think of it as a work in progress.
Hackers use a fake wax hand to fool vein authentication security
Vein authentication, a biometric security method that scans the veins in your hand, has been cracked, reports Motherboard. Using a fake hand made out of wax, Jan Krissler and Julian Albrecht demonstrated how they were able to bypass scanners made by both Hitachi and Fujitsu, which they claim covers around 95 percent of the vein authentication market. The method was demonstrated at Germany’s annual Chaos Communication Congress.
While imprints of fingerprints can often be left behind on surfaces just by touching them, vein patterns cannot, and are considered to be much more secure as a result.

Is this in time to ensure the 2020 election is influence free?
Measuring the “Filter Bubble”: How Google is influencing what you click
DuckDuckGo Blog: “Over the years, there has been considerable discussion of Google’s “filter bubble” problem. Put simply, it’s the manipulation of your search results based on your personal data. In practice this means links are moved up or down or added to your Google search results, necessitating the filtering of other search results altogether. These editorialized results are informed by the personal information Google has on you (like your search, browsing, and purchase history), and puts you in a bubble based on what Google’s algorithms think you’re most likely to click on. The filter bubble is particularly pernicious when searching for political topics. That’s because undecided and inquisitive voters turn to search engines to conduct basic research on candidates and issues in the critical time when they are forming their opinions on them. If they’re getting information that is swayed to one side because of their personal filter bubbles, then this can have a significant effect on political outcomes in aggregate…
Now, after the 2016 U.S. Presidential election and other recent elections, there is justified new interest in examining the ways people can be influenced politically online. In that context, we conducted another study to examine the state of Google’s filter bubble problem in 2018…”

Facebook is certainly being vilified like they are responsible.
Facebook Data Scandals Stoke Criticism That a Privacy Watchdog Too Rarely Bites
Last spring, soon after Facebook acknowledged that the data of tens of millions of its users had improperly been obtained by the political consulting firm Cambridge Analytica, a top enforcement official at the Federal Trade Commission drafted a memo about the prospect of disciplining the social network.
Lawmakers, consumer advocates and even former commission officials were clamoring for tough action against Facebook, arguing that it had violated an earlier F.T.C. consent decree barring it from misleading users about how their information was shared.
But the enforcement official, James A. Kohm, took a different view. In a previously undisclosed memo in March, Mr. Kohm — echoing Facebook’s own argument — cautioned that Facebook was not responsible for the consulting firm’s reported abuses. The social network seemed to have taken reasonable steps to address the problem, he wrote, according to someone who read the memo, and most likely had not broken its promises to the F.T.C.

Smart speakers hit critical mass in 2018
... The smart speaker market reached critical mass in 2018, with around 41 percent of U.S. consumers now owning a voice-activated speaker, up from 21.5 percent in 2017.

This was the activity on my blog yesterday. Strange that once again more Russians are reading the blog than anyone else. And why can’t Google identify the country 116 users are connecting from?
Pageviews by countries.

Sunday, December 30, 2018

Not sure I would notice if the Denver Post wasn’t being delivered. I canceled my subscription years ago. (Practice for cyberwar?)
Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
What first arose as a server outage was identified Saturday as a malware attack, which appears to have originated from outside the United States and hobbled computer systems and delayed weekend deliveries of the Los Angeles Times and other newspapers across the country.
Technology teams worked feverishly to quarantine the computer virus, but it spread through Tribune Publishing’s network and reinfected systems crucial to the news production and printing process. Multiple newspapers around the country were affected because they share a production platform.

Seems an awful long time to identify a bad card…
Report: Huge CenturyLink outage caused by bad networking card in Colorado
Brian Krebs, a veteran security journalist, posted a copy of a notice sent to CenturyLink’s “core customers” to his Twitter feed Saturday that blamed a card at its data center in Colorado for “propagating invalid frame packets across devices,” causing a series of issues that forced the company to reboot much of its networking equipment. It took CenturyLink more than two days from when it first identified the issues to sound the all-clear on Saturday morning, a period during which 911 services in several states including Washington were down or spotty.
… By the standards of modern cloud service providers, a two-day outage is an eternity. And it’s not clear how a single piece of equipment could cause an outage of such magnitude given the layers of redundancy that cloud providers build into their systems.
An FCC investigation into the outage might turn up some answers, unless CenturyLink is willing to post a more detailed post-mortem on the outage, which is becoming a standard part of incident response.

So why are ‘innocent’ drones coming to Gatwick to die? Something fishy here.
Two drones found at Gatwick airport but still no arrests
Sussex police have found two drones at the perimeter of Gatwick airport but neither is the one responsible for last week’s runway closures and travel chaos, the force’s chief constable has revealed.

Probably cheap.
Wells Fargo is paying $575 million to states to settle fake account claims
Over the past two years, Wells Fargo has faced numerous lawsuits and government investigations stemming from a cascade of business scandals.
On Friday, it took a step to put one batch of accusations behind it.
The bank agreed to pay $575 million to all 50 states and the District of Columbia to settle civil charges related to the bank's fake-accounts scandals.
The agreement, which applies to charges brought by states' attorneys general, follows other fines and settlements Wells Fargo (WFC) has paid out since September 2016. That's when the bank admitted its employees opened as many as 3.5 million fake bank and credit card accounts without customers' knowledge.

Overreaction? If you can’t spend the day texting, perhaps you will vote?
Bangladesh shuts down mobile internet in lead up to election day
Bangladesh's telecoms regulator has ordered mobile operators to shut down high-speed mobile internet services until midnight Sunday, the day of a national election.
… "The decision has been taken to prevent rumours and propaganda surrounding the vote," Zakir Hussain Khan said.
As Bangladeshis get set for Sunday's parliamentary elections, there are fears that violence and intimidation could keep many voters away.
… A spokesman for the RAB, Bangladesh's elite security force, said on Saturday they had arrested eight men for spreading rumours on social media before the poll.

EU approved free software? I use some of them, perhaps I should use more.
In January, the EU starts running Bug Bounties on Free and Open Source Software
… In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on.
… Here is the list of Software projects and the bug bounties:

Saturday, December 29, 2018

When your failures are immediately obvious…
FCC Investigates Widespread CenturyLink Outage That Disrupted 911 Service
… The telecommunications giant CenturyLink, based in Monroe, La., says the outage began at 8:18 a.m. ET on Thursday. The website Down Detector says it primarily affected Western states, but emergency service providers on both coasts reported disruptions. CenturyLink has said "a network element ... was impacting customer services" but has offered no further details on the cause of the outage or the number of customers affected.
… The FCC says its last investigation of a 911 outage was launched in March of last year. It fined AT&T $5.25 million for two nationwide outages in March and May 2017 that lasted a total of approximately six hours and resulted in 15,200 failed 911 calls.
In addition to disrupting 911 services, the CenturyLink outage also caused outages of Verizon network services in at least two states, New Mexico and Montana. Some ATMs in Montana and Idaho also failed to work, and at the North Colorado Medical Center in Greeley, Colo., doctors and nurses for a time had difficulty accessing patient records.

These skills will be back home in a year.
National Guard From 4 States Will Help With Cyber Operations
National Guard soldiers from Colorado, North Dakota, South Dakota and Utah are deploying to Fort Meade, Maryland, as part of a cyber protection team supporting U.S. military operations in Afghanistan.
The Colorado guard said Thursday Cyber Protection Team 174 will help the Defense Department with network security and cyber defensive operations.
The team's assignment is to help commanders operate freely in the cyber domain as well as on the ground while denying adversaries that ability.

Facebook corrects all the things the Times got wrong.
Facts About Content Review on Facebook
Our policies are public, not “secret” or “closely held.”
For years, we’ve published our Community Standards, the overarching guide that outlines what is and isn’t allowed on Facebook. Earlier this year we went a step further and published the internal guidelines we use to enforce those standards. Anyone can view them at

Did you ever wonder where President Trump looks for his brainstorm?
Russia builds border fence between Crimea and Ukraine proper
Russia has built a 60km fence on the border with Ukraine on the north of the Russian-annexed Crimea, according to the de facto Crimean authorities.
… "to protect the local population from the crazy antics of the current Ukrainian government".

Friday, December 28, 2018

GDPR inspired laws are coming closer.
Isabel Carvalho, Rafael Loureiro, and Daniel Crespo of Hogan Lovells write:
The Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), passed by Congress on 14 August 2018, will come into effect on 15 February 2020. The new data protection law significantly improves Brazil’s existing legal framework by regulating the use of personal data by the public and private sectors. Very similar to the General Data Protection Regulation (“GDPR”) implemented in the European Union, the LGPD imposes strict regulations on the collection, use, processing, and storage of electronic and physical personal data. In conjunction with the passing of the LGPD, the National Data Protection Authority will be created in order to adequately implement the new legislation.

Yeah, it’s tough. Deal with it.
Inside Facebook’s Secret Rulebook for Global Political Speech
… The company, which makes about $5 billion in profit per quarter, has to show that it is serious about removing dangerous content. It must also continue to attract more users from more countries and try to keep them on the site longer.
How can Facebook monitor billions of posts per day in over 100 languages, all without disturbing the endless expansion that is core to its business? The company’s solution: a network of workers using a maze of PowerPoint slides spelling out what’s forbidden.
… The closely held rules are extensive, and they make the company a far more powerful arbiter of global speech than has been publicly recognized or acknowledged by the company itself, The New York Times has found.
The Times was provided with more than 1,400 pages from the rulebooks by an employee who said he feared that the company was exercising too much power, with too little oversight — and making too many mistakes.

Amazon's rise forces laundry detergents to shrink
Tide and Seventh Generation have introduced redesigned laundry detergents that are several pounds lighter by cutting down on plastic in their packaging and using less water in their formulas. Why? To please Amazon and other online stores: Lighter packaging means retailers pay less to ship the detergent to shopper's doorsteps, making each sale more profitable.
… The downsized detergents are a sign of Amazon's growing influence. Companies that have designed products for decades to stand out on store shelves are now being pressured by online retailers to make their packaging lighter to cut down on shipping costs, said Gary Liu, vice president of marketing at Boomerang Commerce, which makes software for consumer goods companies.

For the Research toolkit.
Instagram viewer search engine
“Pikbee is the best Instagram online web viewer on the Internet. Discovering top trending media on Instagram…”

Thursday, December 27, 2018

An article I missed. Could this be a shot at Hillary?
FEC: Lawmakers and staff may use campaign funds for personal cybersecurity
… FEC Commissioner Caroline Hunter wrote on behalf of the commission that spending on cyber hygiene and protective services would not constitute "impermissible conversion of campaign funds to personal use."
… The unanimous vote Thursday will allow members of Congress and staff to use campaign funds to purchase a range of hardware and software products to bolster their own security, including cell phones and computers, home routers, personal software and applications, firewalls, antivirus software, security keys, secure cloud services, password management tools, consulting, incident response services and others.
"With growing threats posed by foreign governments, it's crucial that elected officials get smarter about their cybersecurity," said Wyden on Twitter.
… While members of Congress can draw from cybersecurity resources at the House and Senate Sergeant-At-Arms to protect their official devices and accounts, they were unable to do so for personal ones or those of their families.

(Related) Apparently, this is an approved use of campaign funds. “I didn’t know what they did but I gave them $750,000.”
Linkedin founder Reid Hoffman apologizes after $750,000 campaign donation linked to misinformation in Alabama senate race
Linkedin co-founder and Greylock Partners investor Reid Hoffman apologized Wednesday for funding a group linked to a misinformation campaign during Alabama's 2017 special election for the US Senate.
… Hoffman donated $750,000 to AET, according to the Washington Post, who first reported Hoffman's statement Wednesday.
Hoffman, a vocal democratic donor, said in the statement that he was not aware of the group's work with New Knowledge before it was reported last week.

Another article I missed. Fake news is even dangerous to robots (algorithms).
Market volatility: Fake news spooks trading algorithms
Fake news and inaccurate headlines may have contributed to recent stock market volatility, as trading algorithms try to interpret market-related news.
Hugh Son at CNBC reported that, in a note written to clients, J.P. Morgan Chase's top quant, Marko Kolanovic, blamed a media landscape that's a mix of real and fake news, which makes it easy for others to amplify negative news. The effects can be seen in the way that, in spite of a booming economy and positive signals, the markets are reacting strongly to this mix of negative news.

How Much of the Internet Is Fake? Turns Out, a Lot of It, Actually.
… For a period of time in 2013, the Times reported this year, a full half of YouTube traffic was “bots masquerading as people,” a portion so high that employees feared an inflection point after which YouTube’s systems for detecting fraudulent traffic would begin to regard bot traffic as real and human traffic as fake. They called this hypothetical event “the Inversion.”

I guess they never heard of Fake News. (Sounds like a business opportunity, but keep your plans off social media.)
IRS wants to use social media to catch tax cheats
Quartz: “The Internal Revenue Service is looking for ways to scour social media platforms like Facebook, Instagram, and Twitter in its ongoing quest to catch tax cheats. That’s according to a request for information issued December 18 by the IRS’s National Office of Procurement. The mining of social media data by the agency has been suspected in the past, but the IRS has never before confirmed the practice.
“Businesses and individuals increasingly use social media to advertise, promote, and sell products and services,” the IRS solicitation reads. “For example, taxpayers can create ‘online stores’ on social networking sites free of cost. Much of this information is unrestricted, allowing the public, businesses and various governmental agencies to discover taxpayers’ locations and income sources. But the IRS currently has no formal tool to access this public information, compile social media feeds, or search multiple social media sites.”…

An interesting approach. (So, Flipkart can’t sell anything from Walmart?)
India tightens e-commerce rules, likely to hit Amazon, Flipkart
India will ban e-commerce companies such as Amazon and Walmart-owned Flipkart Group from selling products from companies in which they have an equity interest.
… The All India Online Vendors Association (AIOVA) in October filed a petition with the anti-trust body Competition Commission of India (CCI) alleging that Amazon favours merchants that it partly owns, such as Cloudtail and Appario. The lobby group filed a similar petition against Flipkart in May, alleging violation of competition rules through preferential treatment for select sellers.

Perspective. We practiced hiding from nuclear weapons. I guess every generation needs to learn what their parents fear.
More than 4.1M students were in a school lockdown last year
Washington Post: “School shootings remain rare, even after 2018, a year of historic carnage on K-12 campuses. What’s not rare are lockdowns, which have become a hallmark of American education and a byproduct of this country’s inability to curb its gun violence epidemic. Lockdowns save lives during real attacks, but even when there is no gunman stalking the hallways, the procedures can inflict immense psychological damage on children convinced that they’re in danger. And the number of kids who have experienced these ordeals is extraordinary. More than 4.1 million students endured at least one lockdown in the 2017-2018 school year alone, according to a first-of-its-kind analysis by The Washington Post that included a review of 20,000 news stories and data from school districts in 31 of the country’s largest cities…”

Wednesday, December 26, 2018

Timely. Computer Security class starts January 2nd.
Teaching Cybersecurity Law and Policy: Revised 62-Page Syllabus/Primer
Teaching Cybersecurity Law and Policy: My Revised 62-Page Syllabus/Primer (Bobby Chesney, Charles I. Francis Professor in Law and Associate Dean for Academic Affairs at the University of Texas School of Law) – “Cybersecurity law and policy is a fun subject to teach. There is vast room for creativity in selecting topics, readings and learning objectives. But that same quality makes it difficult to decide what to cover, what learning objectives to set, and which reading assignments to use. With support from the Hewlett Foundation, I’ve spent a lot of time in recent years wrestling with this challenge, and last spring I posted the initial fruits of that effort in the form of a massive “syllabus” document. Now, I’m back with version 2.0. At 62 pages (including a great deal of original substantive content, links to readings, and endless discussion prompts), it is probably most accurate to describe it as a hybrid between a syllabus and a textbook. Though definitely intended in the first instance to benefit colleagues who teach in this area or might want to do so, I think it also will be handy as a primer for anyone—practitioner, lawyer, engineer, student, etc.—who wants to think deeply about the various substrands of this emergent field and how they relate to one another.”

Cellphones, Law Enforcement, and the Right to Privacy
“Cell phones are ubiquitous. As of 2017, there were more cell phones than people in the United States. Nearly 70 percent of those were smartphones, with 94 percent of millennials carrying a smart device. Cell phones go nearly everywhere, and users are increasingly dependent on smartphone applications for daily activities, such as texting, email, and location-assisted direction services. This white paper surveys the landscape of government acquisition of location data about cell phone users — from cellular providers’ collection of location information to the use of technologies that pinpoint where individuals and cell phones are located. It describes how cell phones operate, how that location information is accrued and disseminated, and the technologies that can be used to establish where a phone is, where it has been, and what other users have been in proximity… The paper then analyzes both the legal and policy landscape: how courts have ruled on these issues, how they can be expected to rule in the future, and how agencies have addressed these issues internally, if at all. It adds to concerns that cell phone-based monitoring could violate the constitutional privacy rights of millions of ordinary Americans…”

Preparing for the 2020 election.
Why Americans Fell for Russian Internet Trolls
… Researchers found an average of 1.73 likes, retweets or replies for Russian trolls’ posts in Russian or any language other than English; for English-language posts, the rate was nine times that high (15.25). Americans, it turned out, were easy targets for the Russian propaganda.
… What remains unclear is why Americans were so much more vulnerable than other targets.
An answer proposed by the study’s authors was that the former Soviets were “immunized” against the Russian propaganda. Because of their history, they expect to be lied to, and so are generally more cynical than Americans.

Perspective. This neatly sums up what we’ve been saying all along. (Is there an opportunity here?)
New on LLRX – The Bullshit Algorithm
Via LLRX.com: The Bullshit Algorithm – Jason Voiovich goes directly to the heart of the matter with statements that are a lessons-learned guide no researcher can afford to ignore – “Wasn’t the promise of data-driven, search engine and social media algorithms that they would amplify the truth and protect us from misinformation by tapping the wisdom of crowds? The fact is that they do not. And cannot. Because that is not what they are designed to do. At the heart of every social media algorithm is a fatal flaw that values persuasion over facts. Social media platforms (as well as search engines) are not designed for truth. They are designed for popularity. They are bullshit engines.”

“They’re skilled at avoiding (not evading) taxes. They make a lot of money. We should take it from them.” This was inevitable – tax laws have to change to reflect global business.
France to introduce tax on large internet, tech firms
France has been pushing hard for a new so-called "GAFA tax" -- named after Google, Apple, Facebook and Amazon -- to ensure the global giants pay a fair share of taxes on their massive business operations in Europe.
"The tax will be introduced whatever happens on January 1 and it will be for the whole of 2019 for an amount that we estimate at 500 million euros ($570 million)," Le Maire told a press conference in Paris.
… Policymakers across the world have had difficulty in taxing the US-based giants who dominate their sectors internationally, but who often route their revenues and profits via low-tax jurisdictions to reduce their liabilities.
France's move to introduce the tax on January 1 could be driven by domestic budget concerns, with the finance ministry looking for new sources of revenues and savings.
… Some other EU member states such as Britain, Spain and Italy are also working on national versions of a digital tax, with Singapore and India also planning their own schemes.

Perspective. For some reason, this astonishes my students. “Didn’t Amazon kill all the bookstores?”
Instagram is helping save the indie bookstore
The internet is killing independent bookstores. Right? Maybe not.
For years, that’s been the prevailing narrative: The internet is killing IRL bookstores, particularly your beloved mom-and-pop local independent bookstore. Since Amazon launched in 1995, it has been lamented as earth-shattering for the brick-and-mortar bookstore business. And when Amazon subsequently launched the Kindle e-reader device in 2007, it sold out immediately. People fretted that it was ushering in the death of the print book in favor of the e-book.
… Between 2009 and 2015, the number of independent bookstores grew by 35 percent, according to the American Booksellers Association. Print book sales are on the rise too: Sales of physical books have increased every year since 2013. In 2017, print book sales were up 10.8 percent from 2013, while sales of traditionally published e-books actually dropped 10 percent from 2016 to 2017.

To share with all my students.
The Top Free Online University Courses of 2018, Ranked by Popularity
… At the end of every year, I do an extensive analysis of the MOOC space. To help me with analysis, I send the top MOOC providers a set of questions, one of them being the top enrolled courses of 2018.
The list below contains the top enrolled courses from the major MOOC providers: Coursera, edX, Udacity, and FutureLearn. Combined, these providers represent a big chunk of the MOOC learners (70+ million!).
[I selected a few...

Tuesday, December 25, 2018

A Christmas gift for hackers.
How a government shutdown affects America’s cybersecurity workforce
… Among the heaviest hit agencies would be the National Institute of Standards and Technology, which would have 85 percent of its staff furloughed. Only 435 employees are considered “essential,” according to a planning document from the Department of Commerce.
… Also seeing sharp reductions are the Director of National Intelligence’s analysis and operations workforce, which would see a 60 percent reduction in active workforce to just 345 employees, according to documents.
… It appears that the Department of Homeland Security’s new Cybersecurity and Infrastructure Security Agency, created just last month, is among the most protected in the event of a government shutdown. The agency would only have 45 percent of its workforce furloughed, with 2,008 employees exempt.

For my Software Architecture students to ponder.
Last-Minute Shoppers Increasingly Trust Only Amazon to Deliver
Olivia Zimmermann started her holiday shopping early this year, buying a Bluetooth speaker from Best Buy for her sister. It was supposed to arrive by Dec. 10, two weeks before Christmas.
The speaker never showed up — and the post office said it had delivered the package to a different town. Best Buy apologized and offered to reship it. But Ms. Zimmermann, who works in marketing in Chicago, was over it.
“I just want a refund,” she told the retailer, and then added: “At this point, I have already ordered from Amazon because I know for a fact it will be here when they say it will.”

Perspective. How tight do you get before you reach Big Brotherhood?
Russia’s Tightening Control of Cyberspace Within its Borders
Russian federal lawmakers have just drafted legislation that would ban the publication of online materials that “blatantly disrespect Russian society, the state, official state symbols, the Russian Constitution, and law enforcement agencies.” Such a law would exacerbate the severity of existing laws, which Human Rights Watch has said already “sought to stigmatize criticism or alternative views of government policy as disloyal, foreign-sponsored, or even traitorous” and crack down on physical mechanisms of protest like public assembly.
At the same time as that new legislation, Russia’s internet “regulator,” Roskomnadzor, has proposed a law that would permit the agency to entirely block search engines that don’t comply with requests of state authorities.

Monday, December 24, 2018

Sometimes data has an immediate value.
Tyler Durden reports:
We break from tonight’s episode of “Powell in turmoil” to let you know that an “unknown” hacker appears to have inside info on a substantial portion of the global pipeline of upcoming M&A deals. According to The Times, thousands of “sensitive documents” have been stolen by hackers in a cyber-attack on M&A and restructuring giant Evercore.
According to the report, one of the boutique bank’s junior administrators in London was the victim of a “phishing” attack – similar to the way in which John Podesta allegedly handed over control of his inbox to an unknown hacker – in which a recipient is lured into clicking on a corrupt link in an email. The hackers gained access to her inbox, leading to the theft of 160,000 “data objects” such as diary invitations, documents and emails. It is likely that among the tens of thousands of stolen objects was confidential data on the countless merger deals the company is currently working on.
Read more on ZeroHedge.

What my Computer Security students need to watch for.
Impulsive personalities most likely to fall victim to cybercrime, research shows
New research from Michigan State University examining the behavior that leads someone to fall victim to cybercrime reveals that impulse online shopping, downloading music and compulsive email use are all signs of a certain personality trait that make you a target for malware attacks.
“People who show signs of low self-control are the ones we found more susceptible to malware attacks,” said Tomas Holt, professor of criminal justice and lead author of the research. “An individual’s characteristics are critical in studying how cybercrime perseveres, particularly the person’s impulsiveness and the activities that they engage in while online that have the greatest impact on their risk.”

Evidence based. Next we should demand facts!
Congress votes to make open government data the default in the United States
On December 21, 2018, the United States House of Representatives voted to enact H.R. 4174, the Foundations for Evidence-Based Policymaking Act of 2017, in a historic win for open government in the United States of America.
The Open, Public, Electronic, and Necessary Government Data Act (AKA the OPEN Government Data Act) is about to become law as a result. This codifies two canonical principles for democracy in the 21st century:
  1. public information should be open by default to the public in a machine-readable format, where such publication doesn’t harm privacy or security
  2. federal agencies should use evidence when they make public policy

Sunday, December 23, 2018

Will 2019 be the year everyone finally learns their security lessons? I doubt it.
Davey Winder writes:
It hasn’t been the greatest week for the non-profit sector with the revelation that two well-known charities have fallen victim to less than charitable cyber con-artists. In the same week that the Save the Children Federation confirmed it had been scammed out of $1 million by email fraudsters, so the Wellcome Trust has revealed the email of four senior executives was compromised and sensitive information monitored for several months. Without wishing to be uncharitable, both of these cyber-attacks fall firmly into the ‘oldest trick in the book’ category.
Let me start by saying that I am not in the habit of victim shaming; the focus must be on the threat actor when it comes to attributing bad guy status. That said, as we fast approach 2019, I also think the time for pussy-footing around the lack of security awareness issue within many large organizations has long since passed. The Wellcome Trust is most certainly a large organization any which way you look at it; in fact, with some £26 billion of assets, it is the biggest charity in Britain. So, when I read in my copy of the Times today that no less than four senior executives were “misled into entering their passwords when sent a link to click on” my will to live starts fading away.
Read more on Forbes.

If the best you can do is identify “last year’s” election interference, the 2020 election is doomed!
Facebook suspends 5 accounts for 'inauthentic behavior' during Alabama special election
… One of the accounts that Facebook suspended belonged to Jonathon Morgan, the chief executive of research firm New Knowledge. Morgan confirmed that his account had been suspended through a New Knowledge spokesperson.
Morgan told The Washington Post on Dec. 18 that he had engaged in an experiment with misleading online tactics during the 2017 special election in Alabama.
During the race between Republican Roy Moore and Democrat Doug Jones, who was elected to serve in the U.S. Senate, Morgan told the Post he created a Facebook page under false pretenses to test his ability to appeal to conservative voters, according to the report.

A great summary.
Privacy and Cybersecurity: A Global Year-End Review

Perspective. It is amazing that this did not happen much earlier. Implications for smartphone manufacturers.
The GPS wars have begun
… Countries around the world, including China, Japan, India and the United Kingdom plus the European Union are exploring, testing and deploying satellites to build out their own positioning capabilities.
That’s a massive change for the United States, which for decades has had a practical monopoly on determining the location of objects through its Global Positioning System (GPS), a military service of the Air Force built during the Cold War that has allowed commercial uses since mid-2000 (for a short history of GPS, check out this article, or for the comprehensive history, here’s the book-length treatment).
… Today, the only global alternative to that system is Russia’s GLONASS, which reached full global coverage a couple of years ago following an aggressive program by Russian president Vladimir Putin to rebuild it after it had degraded following the break-up of the Soviet Union.

This seemed a little “off.” But it did help to ‘justify’ resuming flights.
Gatwick drones pair 'no longer suspects'
The 47-year-old man and 54-year-old woman, from Crawley, West Sussex, were arrested on Friday night on suspicion of "the criminal use of drones".
Sussex Police said the pair were no longer suspects.
Meanwhile, Det Ch Supt Jason Tingley told Sky News officers had found a damaged drone near the airport.
… Det Ch Supt Tingley said the arrested man and woman had "fully co-operated" with inquiries and he was "satisfied that they are no longer suspects in the drone incidents at Gatwick".

Saturday, December 22, 2018

Seems trivial compared to an Equifax, but what if other school districts are equally vulnerable?
Data Breach Reported for San Diego Unified School District Students and Former Students
San Diego Unified School District officials are informing parents and former students of a large data breach. Personal data including Social Security numbers from as many as 500,000 students was compromised or possibly stolen, officials say.
The breach dating back to January 2018 was uncovered in October by district IT employees who were investigating phishing emails.
… "We are not able to confirm, specifically, whether your personal data was viewed or copied from our systems as a result of this incident. We only know that the viewing or copying of some personal data was possible or occurred between January 2018 and November 1, 2018," district officials state in the letter to parents.
Officials said the breach also allowed the unauthorized person the ability to alter data within those systems.
… Read the entire letter here.

One of many.
Apple received over 32,000 user data requests in six months
Apple's bi-annual transparency report is here and it now has its own interactive page on Apple's website. As usual, it details the personal data requests Apple received from governments worldwide. Only the new look makes it easier to review and digest thanks to a slider at the bottom that lets you scroll through report cards for each country. And if you're a fan of the old ways, you can still download a PDF crammed with the same data.
According to the report, which covers the first half of this year, Apple received 32,342 demands for user data from governments -- up 9 percent from the previous period -- spanning access to 163,823 devices. Germany made the most requests (42 percent), the majority of which were due to "stolen devices investigations," issuing 13,704 requests for data on 26,160 devices.
The US was in second place with 4,570 requests for 14,911 devices.

There is something “off” here. You would expect more details about the two arrested – there are none. Did they find the drones?
Gatwick drones: Two arrested over flight disruption
A 47-year-old man and a 54-year-old woman, from Crawley, were arrested in the town at about 22:00 GMT on Friday.
… Sussex Police said it was continuing to investigate the "criminal use of drones" and appealed for information.

Perspective. Each Quarter, I ask my students if they would ride. So far, not many takers.
Self-driving car startup Zoox gets permit to transport passengers in California
While more than 60 companies have received permits to test their driverless vehicles in California, Zoox has become the first permitted to actually transport people in those vehicles.
… During the testing period, Zoox must have a safety driver behind the wheel and will not be allowed to charge passengers for rides. And, as part of the program, Zoox must provide data and reports to the CPUC regarding any incidents, number of passenger miles traveled and passenger safety protocols.

Friday, December 21, 2018

“We don’t hack and we pledge to not hack any more.”
US Indicts Chinese Govt Hackers Over Attacks in 12 Countries
The Justice Department said the hackers had targeted numerous managed service providers (MSPs), specialist firms which help other companies manage their information technology systems -- potentially giving hackers an entry into the computer networks of dozens of companies.
Companies who were hacked were not named, but 45 victims in the United States included key government agencies -- the NASA Goddard Space Center and Jet Propulsion Laboratory, the Department of Energy's Lawrence Berkeley National Laboratory, and the US Navy, where the personal information of more than 100,000 personnel was stolen.
Internationally, the hackers accessed the computers of a major bank, three telecommunications or consumer electronics companies, mining and health care companies, and business consultancies.
Rosenstein slammed Beijing for repeatedly violating a pledge made by Xi to then-president Barack Obama in 2015 to halt cyber-attacks on US companies and commercial infrastructure.
In London, the Foreign Office likewise accused China of not living up to their bilateral agreement against hacking driven by commercial and economic motives.

For my lecture on encryption.
India's Government Denies Telling Federal Agencies They Can Snoop On Every Computer, Despite An Order That Seems To Say They Can
A row broke out in India's parliament on Friday after the country's Ministry of Home Affairs, a federal government authority that controls the country’s internal security, seemingly authorized ten government agencies – including federal intelligence and law enforcement agencies – to monitor, intercept, and decrypt all data on all computers in the country.
The governmental order detailing the powers immediately drew strong criticism from both India’s privacy activists and its opposition parties, who said it enabled blanket state surveillance, and violated the fundamental right to privacy that India’s 1.3 billion citizens are constitutionally guaranteed.
… India's Information Security Act has allowed agencies to invoke surveillance measures in the interest of national security since 2008, but the Act demands that the government provide written reasons that clearly explain why such measures are necessary.
“This latest order completely bypasses that,” said Sinha.

Milestones in technology: Facial recognition and slurpees.
Pay with your ‘face’ as AI system starts at Seven-Eleven
… Users are required to have a photo taken of their faces by a camera tied into the cash register in advance to utilize the system.
Once users are registered in the system, all they need to do is to show their faces to make purchases, which will be deducted from their salaries.

Should we be concerned that the FCC does not control the entire world?
As it turns out, if the U.S. Federal Communications Commission asks you not to do something, you should probably not do that thing—particularly when it comes to launching unapproved satellites into orbit.
This is the lesson currently faced by Swarm Technologies, a startup being fined $900,000 by the FCC for launching four unauthorized satellites into orbit in January.
… The satellites launched in January with the Indian Space Research Organization (ISRO) on its Polar Satellite Launch Vehicle (PSLV). Quartz reported in March that the FCC raised concerns about the size of the satellites, which the agency said were “below the size threshold at which detection by the Space Surveillance Network (SSN) can be considered routine.”

For the continuing debate in my classes.
7 Arguments Against the Autonomous-Vehicle Utopia

Thank god someone is asking the big questions.
How are algorithms distributing power between people?
Berkman Klein Center for Internet and Society at Harvard University: “Why Computer Scientists Need Philosophers, According to a Mathematician – “Lily Hu is a 3rd year PhD candidate in Applied Mathematics at Harvard University, where she studies algorithmic fairness with special interest in its interaction with various philosophical notions of justice. Currently, she is an intern at Microsoft Research New York City and a member of the Mechanism Design for Social Good research group (co-founded by Berkman affiliate Rediet Abebe). She is also passionate about education equity; she has taught subjects such as physics, biology, chemistry, English, and Spanish History/Geography in San Francisco, Cambridge, and Madrid.
I work in algorithmic fairness; in particular, I’m interested in thinking about algorithmic systems as explicitly resource distribution mechanisms. I’m not interested in necessarily how the particulars of the sorting happens; I’m interested in the final outcomes that are issued, and I am interested in the distributional outcomes that are deemed to be appropriate or inappropriate under our various fairness notions. How are algorithms distributing power between people? What kind of questions are they enabling us to ask, what kind of questions are they enabling us to solve, and not only that, but what kind of questions are they preventing us from answering? That’s kind of my big research agenda…”

Wolfram Alpha is an extremely useful math tool. This could be interesting. (The examples in the article are trivial compared to what Wolfram Alpha can do.)
Alexa now taps Wolfram Alpha to answer science and math questions
… “We rolled out an Alexa Q&A integration with Wolfram Alpha to U.S. customers, which expands Alexa’s capabilities to answer more questions related to mathematics, science, astronomy, engineering, geography, history, and more,” an Amazon spokesperson told VentureBeat. “Information curated by Wolfram Alpha has rolled out to select customers and will continue to roll out over the coming weeks and months.”
… When it arrives on Alexa-enabled smart speakers and displays, you’ll be able to ask questions like “Alexa, what is the billionth prime number?” and “Alexa, how high do swans fly?”
Here are a few additional queries Wolfram Alpha will step in to handle:
  • Alexa, what is x to the power of three plus x plus five where x is equal to seven?
  • Alexa, how fast is the wind blowing right now?
  • Alexa, how many sheets of paper will fit in a binder?
  • Alexa, how long until the moon rises?

This suggests that Congress is either much dumber (high probability) or much smarter (low probability) than they have ever shown themselves to be. Politicians may speak in vague, even misleading words (Okay, they lie) but lawmakers must not.
Can a Statute Have More Than One Meaning?
Doerfler, Ryan, Can a Statute Have More Than One Meaning? (December 12, 2018). New York University Law Review, Vol. 94, 2019. Available at SSRN:
“What statutory language means can vary from statute to statute, or even provision to provision. But what about from case to case? The conventional wisdom is that the same language can mean different things as used in different places within the United States Code. As used in some specific place, however, that language means what it means. Put differently, the same statutory provision must mean the same thing in all cases. To hold otherwise, courts and scholars suggest, would be contrary both to the rules of grammar and to the rule of law. This Article challenges that conventional wisdom. Building on the observation that speakers can and often do transparently communicate different things to different audiences with the same verbalization or written text, it argues that, as a purely linguistic matter, there is nothing to prevent Congress from doing the same with statutes. More still, because the practical advantages of using multiple meanings — in particular, linguistic economy — are at least as important to Congress as to ordinary speakers, this Article argues further that it would be just plain odd if Congress never chose to communicate multiple messages with the same statutory text. As this Article goes on to show, recognizing the possibility of multiple statutory meanings would let courts reach sensible answers to important doctrinal questions they currently do their best to avoid. Most notably, thinking about multiple meanings in an informed way would help courts explain under what conditions more than one agency should receive deference when interpreting a multi-agency statute. Relatedly, it would let courts reject as false the choice between Chevron deference and the rule of lenity for statutes with both civil and criminal applications.”

As a demonstration of military/terrorist capability, this seems to be a success. As to policy, once they determine they can do nothing they resume flights? Has the risk suddenly become acceptable? More likely the negative political repercussions of a continued halt are more important.
Flights have resumed at London’s Gatwick Airport after a full day of cancellations yesterday due to a mysterious drone that was spotted repeatedly in the area
… Other airports around the world are on high alert because if this is a coordinated disruption it obviously doesn’t take much to put an entire airport out of commission. It appears that all you need is a drone with a sufficiently long range to not get caught.
… police are reportedly trying to use radio signal jammers, just the same, in an effort to stop the drones. The airport is crawling with more police and military than usual, as would be expected. And there have been calls to just “shoot down” the drone, though that’s much more involved than it seems. First you have to catch it.
… Who’s behind the disruption? Your guess is as good as anyone’s, it would seem. Some believe that it’s domestic actors like British environmentalists. Others speculate that it could be a state actor like China or Russia testing out what it would take to shut down an airport. If it’s the latter we now know that the answer is “it doesn’t take much.”

There’s No Real System to Counter Rogue Drones

Thursday, December 20, 2018

Amazon’s “human error” suggests there is a hack waiting to happen.
Reuters reports:
A user of Amazon’s Alexa voice assistant in Germany got access to more than a thousand recordings from another user because of “a human error” by the company.
The customer had asked to listen back to recordings of his own activities made by Alexa but he was also able to access 1,700 audio files from a stranger when Amazon sent him a link, German trade publication c’t reported.
Read more on Reuters.

The cost of failure? A suit for the Cambridge Analytica nonsense finally arrives.
Facebook Has Biggest Plunge Since July as ‘Another Shoe’ Drops
Facebook Inc. tumbled on Wednesday, with shares extending their decline throughout the session after the social-media company was sued by the District of Columbia over a privacy breach.
The news followed a report from the New York Times that Facebook had allowed more than 150 companies to access more personal data from users than it had disclosed, the latest in a series of controversies that have weighed on shares in 2018.
The stock fell as much as 7.3 percent, putting it on track for its biggest one-day percentage drop since its historic collapse in late July. Wednesday’s decline extends a sell-off that has erased nearly 40 percent in value. [GDPR only wants 4%. It’s these self-inflicted wounds that truly hurt. Bob]

Would CBP believe that I do not own a cell phone? I’m guessing we won’t get any useful answers from this.
American Sues US Government For Allegedly Pressuring Him To Unlock His Phone at Airport
Haisam Elsharkawi, a 35-year-old US citizen of Egyptian descent, said he was stopped at the gate at the Los Angeles International Airport on February 9, 2017, after passing through TSA and security checks with no issues. As he was boarding his flight, according to a lawsuit filed by Elsharkawi in a California court in late October, CBP agents allegedly pulled him aside and repeatedly asked him questions, searched his belongings, and asked him to unlock his cell phones.
When he refused and asked for an attorney, CBP officers allegedly handcuffed him and took him to a room for more questioning, where a DHS officer eventually convinced him to unlock the phone and then looked through it for 15 minutes. At no point did the agents tell him why they were searching and questioning him, the lawsuit alleges, nor did they have a warrant. According to the lawsuit, the “interrogation” lasted four hours, and Elsharkawi missed his flight.

For my Computer Architecture students.
AI makers get political
Earlier this month, Ed Felten — a Princeton professor and former adviser to President Obama — chided an international audience of artificial intelligence experts packing a cavernous Montreal convention center.
What he's saying: For too long, AI hands have been hiding in their basements, in effect playing God by deciding which technology is ultimately released to the masses, Felten said. Stop assuming that you know what's best for people, he admonished his listeners, and instead dive into the already-raging public debate of what happens next with AI.
"The group of us deeply concerned about the societal impacts of AI has grown extensively," said Brent Hecht, chair of the ACM Future of Computing Academy, an association of young computing professionals.
This movement is being pushed along by nonprofits, including the Partnership on AI and OpenAI. The Center for a New American Security, a think tank, has convened back-room conversations between policymakers and researchers.

Perspective. A mere 95 years.
All Copyrighted Works First Published In the US In 1923 Will Enter Public Domain On January 1st
… At midnight on New Year’s Eve, all works first published in the United States in 1923 will enter the public domain. It has been 21 years since the last mass expiration of copyright in the U.S. That deluge of works includes not just “Stopping by Woods on a Snowy Evening,” which appeared first in the New Republic in 1923, but hundreds of thousands of books, musical compositions, paintings, poems, photographs and films. After January 1, any record label can issue a dubstep version of the 1923 hit “Yes! We Have No Bananas,” any middle school can produce Theodore Pratt’s stage adaptation of The Picture of Dorian Gray, and any historian can publish Winston Churchill’s The World Crisis with her own extensive annotations. Any artist can create and sell a feminist response to Marcel Duchamp’s seminal Dadaist piece, The Large Glass (The Bride Stripped Bare by Her Bachelors, Even) and any filmmaker can remake Cecil B. DeMille’s original The Ten Commandments and post it on YouTube.
“The public domain has been frozen in time for 20 years, and we’re reaching the 20-year thaw,” says Jennifer Jenkins, director of Duke Law School’s Center for the Study of the Public Domain. The release is unprecedented, and its impact on culture and creativity could be huge. We have never seen such a mass entry into the public domain in the digital age. The last one—in 1998, when 1922 slipped its copyright bond—predated Google. “We have shortchanged a generation,” said Brewster Kahle, founder of the Internet Archive. “The 20th century is largely missing from the internet.” For academics fearful of quoting from copyrighted texts, teachers who may be violating the law with every photocopy, and modern-day artists in search of inspiration, the event is a cause for celebration. For those who dread seeing Frost’s immortal ode to winter used in an ad for snow tires, “Public Domain Day,” as it is sometimes known, will be less joyful. Despite that, even fierce advocates for copyright agree that, after 95 years, it is time to release these works. “There comes a point when a creative work belongs to history as much as to its author and her heirs,” said Mary Rasenberger, executive director of the Authors Guild….”

Something to slip into ye olde tool chest.
This free online tool uses AI to quickly remove the background from images
If you’ve ever needed to quickly remove the background of an image you know it can be tedious, even with access to software like Photoshop. Well, is a single-purpose website that uses AI to do the hard work for you. Just upload any image and the site will automatically identify any people in it, cut around the foreground, and let you download a PNG of your subject with a transparent background. Easy.

Sometimes the best tool for the job is not the right tool for the job.