Thursday, May 10, 2018

Will any regulatory body take action, or even notice?
Remember all that advice that I and Brian Krebs tend to give consumers about putting “freezes” on your credit reports instead of “alerts?” The freezes are supposed to prevent entities from opening up any new lines of credit or accounts in your name. They are supposed to prevent problems instead of just detecting problems after they’ve already occurred.
Well, so much for the peace of mind that approach might have given you. Cory Doctorow reports:
If you’ve had your identity stolen or if you’re worried about having been doxxed by Equifax, you can freeze your credit record, and then Equifax, Experian, Trans Union and Innovis will block any requests to access your credit report.
But that doesn’t really matter. Equifax operates a secondary, noncompliant credit bureau called National Consumer Telecommunications and Utilities Exchange (NCTUE), on behalf of a secretive cartel of owners led by AT&T, but also including mysterious organizations like “Centralized Credit Check Systems.”
Freezing your credit report has no effect on NCTUE; what’s more, NCTUE operates in a careless and incompetent fashion, with invalid SSL certificates and other glaring errors. NCTUE has a separate system for freezing your credit report there, but it doesn’t work — filling in the form and submitting it just returns obscure errors. You may be able to freeze your report by calling NCTUE, but they might charge you a separate fee, and there’s no guarantee you’ll get through.
Read more on BoingBoing.
I tried to connect to the registration site, but couldn’t connect on the first try (possibly everyone trying after reading Cory’s article), but when I tried in Chrome, I got a warning that the site was insecure:
I would have emailed NCTUE for a press statement in response to Cory’s article and the SSL problem, but there’s no press contact on their site, it seems. Oh well…
h/t, Joe Cadillic
Update: Apologies to Brian Kreb. When I posted the above, I did not realize that he had posted an article on this earlier this morning. You can read it here. As always, he does a great job on these stories.

...and one example.
… The World Health Organization (WHO) defines a medical device as “any instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material […] intended by the manufacturer to be used […] for human beings, for one or more […] specific medical purpose”.
Although that sounds quite complicated, it just means any device or software that may be used for medical purposes.
… The interface between software and hardware often exposes exploitable vulnerabilities, as Saurabh Harit showed at Black Hat Europe 2017. He obtained an IV infusion pump, which injects medications into a patient’s blood, which could be programmed and operated remotely.
After accessing the pump’s admin mode with a default password found online, he was able to use the unit’s infrared and an old PDA purchased from eBay to import their Wi-Fi credentials to the pump’s network settings.
After accessing the pump’s admin mode with a default password found online, he was able to use the unit’s infrared and an old PDA purchased from eBay to import their Wi-Fi credentials to the pump’s network settings.

Something my students who work for defense contractors are long familiar with.
IBM bans all staff from using USB drives out of security concern
IBM is banning all removable storage, company-wide, in a new policy that seeks to avoid financial and reputational damage stemming from a misplaced or misused USB drive.
IBM global chief Information security officer Shamla Naidoo told staff in an internal e-mail that the company “is expanding the practise of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).”
Although some departments already had this policy in place for a while, “over the next few weeks we are implementing this policy worldwide,” Naidoo said, according to The Register.

Consider this in the hands of evil doers…
… Google Duplex is, in a nutshell, a scary glimpse of the future. It’s a next-level artificial intelligence. One that’s able to have natural-sounding conversations with real-life human beings. And that enables Duplex to make phone calls on your behalf.
As demonstrated by Google CEO Sundar Pichai, Duplex can make appointments for you over the phone. And all without the person on the other end of the call being aware they’re talking to an AI.
… Google has programmed Duplex to sound human. Instead of monotonal responses there’s human language patterns. And Google has even programmed in the pauses and random words such as “Um” and “Ah” humans use in conversations.

I think I understand! Scary.
Privacy by Design: Building a Privacy Policy People Actually Want to Read
Privacy by Design: Building a Privacy Policy People Actually Want to Read By Richard Mabey, CEO of Juro, the end-to-end contract management platform.
“We’ve been banging on about legal design at Juro for some time now. So, when it came to updating our privacy policy ahead of GDPR it was important to us from the get-go that our privacy policy was not simply a compliance exercise. Legal documents should not be written by lawyers for lawyers; they should be useful, engaging and designed for the end user. But it seemed that we weren’t the only ones to think this. When we read the regulations, it turned out the EU agreed. Article 12 mandates that privacy notices be “concise, transparent, intelligible and easily accessible”. Legal design is not just a nice to have in the context of privacy; it’s actually a regulatory imperative. With this mandate, the team at Juro set out with a simple aim: design a privacy policy that people would actually want to read. Here’s how we did it…”

A marketing guide?
Russia's 2016 Facebook Strategy Exposed in Trove of 3,500 Ads
A trove of thousands of Russian-backed Facebook ads, being made public for the first time, shows that Russia’s main goal was provoking discontent in the U.S., leading to and continuing beyond Donald Trump’s election in 2016.
The ads, which are one of the clearest demonstrations of Russia’s financial investment in disrupting American politics, have been much discussed by Congress, Facebook and Special Counsel Robert Mueller behind closed doors.
… The 3,519 ads, released Thursday by Democrats on the House Intelligence Committee, were posted between 2015 and 2017. They were designed to draw clicks from people who had liked Facebook groups on both sides of emotional issues involving gun regulations, Muslims, gay rights, immigration, African-Americans – and various candidates.

Making it hard to trust government?
DHS: Not Entitled to Its Own Facts
The Department of Homeland Security (DHS) came out with a press release late last week, proclaiming that the “number of illegal border crossers” at the southwest border had more than tripled in April 2018 in comparison to April 2017. For the second month in a row, according to DHS, “we have seen more than 50,000 individuals try to illegally enter the United States.” Despite DHS’s breathless claims to the contrary, the numbers don’t demonstrate a “continuing security crisis along our southwest border.” Rather, DHS’s blatant misrepresentation of newly released Customs and Border Protection (CBP) data is typical of the agency’s efforts to re-make data in support of the Trump administration’s anti-immigrant agenda. It follows the bad example set by the misleading and inaccurate January 2018 report issued by DHS and the Department of Justice (DOJ), which cherry-picked information to find ways to blame foreign nationals and foreign-born Americans (especially Muslims) for all terrorism in the U.S., and which has prompted the Brennan Center and others to file a lawsuit under the Data Quality Act.
… The press release also attempts to pull a sly bait-and-switch: immediately after telling us that illegal border crossings are up, it tells us that “more than 50,000 individuals tr[ied] to illegally enter the United States.” But all 50,000 did not actually enter the U.S. illegally, because the total number includes 12,690 people who were deemed inadmissible when they asked to be admitted through ports of entry at the border. Folks lining up to have their passports checked at the border is hardly the stuff of a “security crisis.”
Finally, the context regarding the tripling of numbers between April 2017 and April 2018 that DHS fails to mention is critical here. The April 2017 numbers were not only the lowest for any month of 2017, and not only the lowest of any April in at least the last six years, but the lowest number of any month for at least the last six years, making the comparison an outlier at best. Nor is the April 2018 number a particularly alarming spike in the broader view. April numbers for both 2013 and 2014 were higher than April 2018 by thousands.

Self driving vehicles are annoying?
Tech founders take their self-driving food-delivery robots out of San Francisco to focus on cities where they feel more welcome
… Beginning in 2016, companies like Marble and Starship Technologies started road testing self-driving delivery robots that ferry food and groceries to a customer's door. These bots promised to bring convenience for city dwellers and reduce the number of delivery vehicles on the road.
But San Francisco threw the brakes on delivery robots. In December, city officials passed some of the US's most restrictive regulations on delivery robots.
Starship's founders, Ahti Heinla and Janus Friis, both of whom previously helped launch Skype, say their robots have left San Francisco to focus on cities where they're welcome.

Interesting. After all, 5 billion flies can’t be wrong, eat garbage!
Crowdsourcing & Data Analytics: The New Settlement Tools
Chao, Bernard and Robertson, Christopher T. and Yokum, David V., Crowdsourcing & Data Analytics: The New Settlement Tools (April 30, 2018). U Denver Legal Studies Research Paper No. 18-13. Available at SSRN:
“In the jury trial rights, the State and Federal Constitutions recognize the fundamental value of having laypersons resolve civil and criminal disputes. Nonetheless, settlement allows parties to avoid the risks and cost of trials, and settlements help clear court dockets efficiently. But achieving settlement can be a challenge. Parties naturally view their cases from different perspectives, and these perspectives often cause both sides to be overly optimistic. This article describes a novel method of providing parties more accurate information about the value of their case by incorporating layperson perspectives. Specifically, we suggest that working with mediators or settlement judges, the parties should create mini-trials and then recruit hundreds of online mock jurors to render decisions. By applying modern statistical techniques to these results, the mediators can show the parties the likelihood of possible outcomes and also collect qualitative information about strengths and weaknesses for each side. These data will counter the parties’ unrealistic views and thereby facilitate settlement.”

It’s not the fine, it’s the future.
RBS is swallowing a 'milestone' $4.9 billion fine for its role in the financial crisis — and shares are going up
RBS announced on Thursday it has reached a deal with the US Department of Justice to pay a civil penalty of $4.9 billion to settle allegations of misselling mortgage-backed securities in the US between 2005 and 2007. These complex debt products, which were underpinned by bundled of mortgages, were one of the key triggers of the crisis.
… RBS shares jumped as much as 6% at the open in London.
While the share jump may seem counterintuitive, the fine brings resolution to an issue that has long hung over RBS and is also not as bad as some feared. Last year investors worried that the bank could be hit with a fine as big as $10 billion for its actions in the run-up to the crisis.

No comments: