Saturday, June 09, 2018

Still not an act of war. More like ‘industrial espionage.’
Chinese Government Hackers Steal Trove of U.S. Navy Data: Report
Chinese government hackers have stolen a massive trove of sensitive information from a US Navy contractor, including secret plans to develop a new type of submarine-launched anti-ship missile, the Washington Post reported Friday.
Investigators told the newspaper that breaches were executed in January and February by a division of the Chinese Ministry of State Security, operating out of the Chinese province of Guangdong.
The contractor, which was not named in the report, works for the Naval Undersea Warfare Center, based in Newport, Rhode Island. It conducts research and development for submarines and underwater weapons systems.
According to the Post, hackers swiped 614 gigabytes of data that included information relating to sensors, submarine cryptographic systems and a little-known project called Sea Dragon.
Chinese hackers have for years targeted the US military to steal information and the Pentagon says they have previously swiped crucial data on the new F-35 stealth fighter, the advanced Patriot PAC-3 missile system and other highly sensitive projects.

Let’s hope they get this right. It is not a game for individuals! Why limit this to China and Russia?
US Lawmakers Propose ‘Hack Back’ Law to Allow Cyber Retaliation Without Permission of Third-Party Country
US legislators are proposing new legislation that would empower US cyber defenses to hack back at cyber aggressors, even if they’re using a third-party country’s infrastructure, without the explicit consent of the respective country. [How to win friends… Bob]
The National Defense Authorization Act would also create a new cyber entity with the technology and skills to strike back at cyber aggressors, namely China and Russia, that seek to disrupt US critical infrastructure or weaken its cyber resilience. If approved, the bill would not only let the US military “hack back” at aggressors, but also create a “Cyberspace Solarium Commission” whose purpose is to propose and implement strategic cyber defenses that augment the United States’ resilience to cyber-attacks.
“The committee recommends a provision that would authorize the National Command Authority to direct the Commander, U.S. Cyber Command (CYBERCOM), to take appropriate and proportional action through cyberspace to disrupt, defeat, and deter systematic and ongoing attacks by the Russian Federation in cyberspace,” reads the proposed bill. “The provision would also authorize the Secretary of Defense to conduct, through the Commander, U.S. Cyber Command, surveillance in networks outside the United States of personnel and organizations engaged at the behest or in support of the Russian Federation…”

Think of them as self-driving Titanics. Another well known security problem that still isn’t properly addressed.
Hackers Can Hijack, Sink Ships: Researchers
Insecure configurations and vulnerabilities in communications and navigation systems can allow hackers to remotely track, hijack and sink ships, according to researchers at penetration testing and cybersecurity firm Pen Test Partners.
In October 2017, Pen Test Partners presented its research into vulnerabilities affecting the satellite communications (satcom) systems used by vessels. The company has continued to analyze software and hardware used in the maritime industry and found that they are affected by serious flaws.
It has also created an interactive map that can be used to track vulnerable ships. The tracker combines data from Shodan with GPS coordinates and it can show vulnerable ships in real time. However, the company will only periodically refresh the data shown on the map in an effort to prevent abuse.
Satellite communications is the component that exposes ships to remote hacker attacks, as shown by Pen Test Partners last year and, at around the same time, by researchers at IOActive.
While there are some vulnerabilities in these systems themselves, the main issue is that many satcom terminals continue to use default credentials, allowing unauthorized users to gain admin-level access.
An even bigger problem, researchers warn, is that once an attacker gains access to the satcom terminal, they can move laterally to other systems. One of them is the Electronic Chart Display and Information System (ECDIS), which is used by vessels for navigation.
Since the ECDIS can be connected directly to the autopilot feature, hacking this system can allow an attacker to take control of a ship.

Heads-up students!
Patch your Flash Player now! Zero-day actively exploited in the wild
Adobe has released patches for all users running Flash Player and earlier versions, addressing critical flaws in its trouble-plagued platform.
Whether you are running the software on Windows, macOS, Linux or Chrome OS, the Flash Player creators urge you to install the newest version immediately!
… Users of Flash Player Desktop Runtime must install version via the update mechanism within the product. The procedure applies to all desktop users, regardless of their OS
Adobe Flash Player Download Center. [Be sure to turn off the McAfee add ins! Bob]

An example of ‘overly broad’?
I woke up this morning, showered, and fired up the laptop while I waited for the coffee to perc. My first clue that something was up was seeing that I had 28 notifications waiting for me on Twitter. That seemed high for overnight. I soon found the explanation: a tweet by @abtnatural:
This apparently genuine subpoena by @bsfllp demands Twitter produce “documents sufficient to identify the owner of” @popehat, @PogoWasRight, and every other account that ever tagged @wikileaks in a tweet between 1/1/15 and 6/1/18.
For those who do not recognize some of those Twitter handles, back in October, 2017, @abtnatural (Virgil), @Popehat (former federal prosecutor Ken White) and I had all been informed by Twitter Legal that they had received legal process compelling them to produce our information. A grand jury in Texas had subpoenaed our details. Why had they subpoenaed mine, you wonder? It turns out that they subpoenaed my information simply because someone had tagged me in a tweet in a conversation that I was never in. The tweet was a smilie – nothing more than that, but because the tweeter was being prosecuted criminally and he tweeted to me, the grand jury wanted my details. Needless to say, I was not understanding of the grand jury’s demand for my details.
Eventually the subpoena for my details was withdrawn, although I remained fully prepared to fight it in court, if need be. Now my details were being subpoenaed again, it seems.
This time, it is a civil case, Rich vs. Butowsky, and no court had signed off on this subpoena.
Note that the subpoena, embedded below, does not name my Twitter account specifically in Paragraph 3, but my account would fall under “Secondary Accounts” as defined in Paragraph 4, where a secondary account is any account that communicated with any of the 20 named primary accounts.
To make matters even more offensive and absurd, the overly broad subpoena includes not just details as to who owns an account, but asks for the contents of the account, including tweets and private (direct) messages, and also metadata.
If Michael Gottlieb of Boies Schiller Flexner, attorneys for the plaintiff, wanted to provide a useful demonstration of over-the-top disregard for free speech and privacy, he just did it.
This subpoena deserves to be smacked down and lawyers who engage in such conduct should face the wrath of a privacy-conscious public.
I do not expect Twitter to ever provide my details to Mr. Gottlieb or his law firm in this matter. I have not even contacted my lawyers about this because it is so absurd.
Michael Gottlieb and I follow each other on Twitter. If we run into each other at a privacy law conference or privacy + security forum, I’d like to have a few words with him.
But no, this was not a good way to wake up this morning.

An exercise for my students.
We Built A Powerful Amazon Facial Recognition Tool For Under $10
The democratization of mass surveillance is upon us. Insanely cheap tools with the power to track individuals en masse are now available for anyone to use, as exemplified by a Forbes test of an Amazon facial recognition product, Rekognition, that made headlines last month.
… And because Rekognition is open to all, Forbes decided to try out the service. Based on photos staff consensually provided, and with footage shot across our Jersey City and London offices, we discovered it took just a few hours, some loose change and a little technical knowledge to establish a super-accurate facial recognition operation.
… Amazon didn’t provide comment for this article, but pointed Forbes to a blog post from last week, in which the company noted there has been “no reported law enforcement abuse of Amazon Rekognition.” Dr. Matt Wood, general manager of artificial intelligence at AWS, wrote that the company's Acceptable Use Policy (AUP) prohibits the use of services for “any activities that are illegal, that violate the rights of others, or that may be harmful to others.” [Does that make you feel all warm and fuzzy? Bob]
… To get things started with Rekognition, we enlisted the help of independent researcher Matt Svensson. He set up an AWS database (known as an S3 bucket) into which we poured a mix of stock photos and Forbes staff mugshots.
… Our video teams in Jersey City and London took some simple footage mimicking CCTV footage, shots still or pivoting slightly. This meant employees might be at a distance or at potentially difficult angles for Rekognition to recognise.
As we’d expected, though, Amazon’s tech didn't struggle. It had little trouble picking up people’s faces as soon as we put the footage through it. In every case where a Forbes employee was included in the database and a filming, a successful match was made, as shown by the little red squares drawn around their faces.
… This small-scale test was essentially free, largely thanks to Svensson not charging. In a professional deployment the cost would still be minuscule. “Even if we include costs of testing, figuring out AWS and actually running the facial recognition on our scenario, it’s going to be under $10,” Svensson added.
Law enforcement are already enjoying the low cost: the ACLU found the Orlando Police Department spent just $30.99 to process 30,989 images.

Drew Harwell reports:
The facial-recognition cameras installed near the bounce houses at the Warehouse, an after-school recreation center in Bloomington, Ind., are aimed low enough to scan the face of every parent, teenager and toddler who walks in.
The center’s executive director, David Weil, learned earlier this year of the surveillance system from a church newsletter, and within six weeks he had bought his own, believing it promised a security breakthrough that was both affordable and cutting-edge.
Since last month, the system has logged thousands of visitors’ faces — alongside their names, phone numbers and other personal details — and checked them against a regularly updated blacklist of sex offenders and unwanted guests. The system’s Israeli developer, Face-Six, also promotes it for use in prisons and drones.
Read more on Washington Post.

Filled already? Perhaps these ads were “fake news?”
Facebook Wants To Make Its News More Credible With New Hires And Partnerships
… On Thursday, Facebook posted job listings at its California headquarters for two news credibility specialists. The person who takes the position would, in theory, evaluate the various companies and outlets that publish media on the site to promote more trustworthy outlets, according to Business Insider.
According to the now-removed listing, the two new hires, who we can only hope would be credible, journalistic editors, would have to evaluate Facebook’s media policies and help find credible sources of news among those that publish on Facebook.

Interesting ideas.
… In our recent HBR article, we argued that financial statements fail to capture the value created by modern digital companies. Since then, we interviewed several chief financial officers (CFOs) of leading technology companies and senior analysts of investment banks who follow technology companies. We asked: (i) what makes the valuation of digital companies more challenging?; and (ii) how can digital firms improve their financial reports to communicate sources of value creation in their businesses? We distilled seven key insights from those discussions.
Financial capital is assumed to be virtually unlimited, while certain types of human capital are in short supply.
Risk is now considered a feature, not a bug.
Investors are paying more attention to ideas and options than to earnings.
Corporate venturing is becoming more important.
Financial reporting requirements won’t change any time soon.
Analysts increasingly rely on non-GAAP metrics.
Sadly, accounting is no longer considered a value-added function.

… Built by IBM and Nvidia for the US Department of Energy’s Oak Ridge National Laboratory, Summit is a 200 petaflop machine, meaning it can perform 20 quadrillion calculations per second. That’s about a million times faster than a typical laptop computer.
… The machine, with its 4,608 servers, 9,216 central processing chips, and 27,648 graphics processors, weighs 340 tons. The system is housed in a 9,250 square-foot room at Oak Ridge National Laboratory’s facility in Tennessee. To keep this machine cool, 4,000 gallons of water are pumped through the system. The 13 megawatts of energy required to power this behemoth could light up over 8,000 US homes.
Summit is now the world’s most powerful supercomputer, and it is 60 percent faster than the previous title holder, China’s Sunway TaihuLight.
… As MIT Technology Review explains, Summit is the first supercomputer specifically designed to handle AI-specific applications, such as machine learning and neural networks. Its thousands of AI-optimized chips, produced by Nvidia and IBM, allow the machine to crunch through hideous amounts of data in search of patterns imperceptible to humans. As noted in a release, “Summit will enable scientific discoveries that were previously impractical or impossible.”

How I find the best security blogs…
Finalists of European Security Blogger Awards 2018

Friday, June 08, 2018

No doubt I’ll have more recruiters interrupting my Computer Security class. Backups people, backups!
Atlanta officials reveal worsening effects of cyber attack
… Atlanta’s administration has disclosed little about the financial impact or scope of the March 22 ransomware hack, but information released at the budget briefings confirms concerns that it may be the worst cyber assault on any U.S. city.
More than a third of the 424 software programs used by the city have been thrown offline or partially disabled in the incident, Atlanta Information Management head Daphne Rackley said. Nearly 30 percent of the affected applications are considered “mission critical,” affecting core city services, including police and courts.
Initially, officials believed the reach of the cyber assault on city software was close to 20 percent and that no critical applications were compromised, Rackley said.
… Rackley anticipated an additional $9.5 million would be needed by her department in the coming year due to the hacking. That would be a sharp increase from the $35 million Mayor Keisha Lance Bottoms suggested for the technology department in her budget pitch, which was delayed in the cyber incident.
… Departments citywide, including municipal courts, told the council on Wednesday about their struggles to regain workplace normalcy since the attack. Interim City Attorney Nina Hickson said her office lost 71 of 77 computers as well as a decade of legal documents.
The discussions came two days after Atlanta Police Chief Erika Shields told local television news station WSB-TV 2 that the hack wiped out police dash-cam recordings. “That is lost and will not be recovered,” she said in a brief televised interview.

Something my Computer Security students should be asking their organization’s lawyers. WWTJS: What Would Thomas Jefferson Say (T-shirts sold separately.)
Alison Frankel writes about what she calls the less obvious takeaway from the 11th Circuit’s LabMD opinion:
FTC enforcement actions for unfair practices cannot be based just on consumer injury, even “substantial” injury.
This is going to get wonky, but, trust me, it’s what cybersecurity defense lawyers are already buzzing about.
Read more on Reuters. And yes, that aspect of the ruling did not go unnoticed or uncommented upon on Twitter when the opinion was released. Consider, for example, this footnote from the opinion:
24 Section 5(n) now states, with regard to public policy, “In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.” We do not take this ambiguous statement to mean that the Commission may bring suit purely on the basis of substantial consumer injury. The act or practice alleged to have caused the injury must still be unfair under a well-established legal standard, whether grounded in statute, the common law, or the Constitution.
So there’s a lot to discuss about this opinion, and I think this point is going to pose a major hurdle for the FTC going forward in data security cases. Where are they going to find statutory, common law, or constitutional bases for declaring specific acts or practices “unfair?” Will they start engaging in rule- or regulation-writing? I am guessing, based on their history of enforcement, that they will turn to common law, but I look forward to reading what scholars and litigators think.

New laws to consider. Will anyone summarize what we learn?
New Data Privacy Regulations
… If consumers don't even know where these data brokers are getting their data from and what they're doing with it, they can't make intelligent buying choices.
This is starting to change, thanks to a new law in Vermont and another in Europe. And more legislation is coming.
Vermont first. At the moment, we don't know how many data brokers collect data on Americans. Credible estimates range from 2,500 to 4,000 different companies. Last week, Vermont passed a law that will change that.
The law does several things to improve the security of Vermonters' data, but several provisions matter to all of us. First, the law requires data brokers that trade in Vermonters' data to register annually.
… A 2018 California ballot initiative could help. Among its provisions, it gives consumers the right to demand exactly what information a data broker has about them. If it passes in November, once it takes effect, lots of Californians will take the list of data brokers from Vermont's registration law and demand this information based on their own law.
… We will also benefit from another, much more comprehensive, data privacy and security law from the European Union. The General Data Protection Regulation (GDPR) was passed in 2016 and took effect on 25 May. The details of the law are far too complex to explain here, but among other things, it mandates that personal data can only be collected and saved for specific purposes and only with the explicit consent of the user. We'll learn who is collecting what and why, because companies that collect data are going to have to ask European users and customers for permission.
… In the coming weeks and months, you're going to see other companies disclose what they're doing with your data. One early example is PayPal: in preparation for GDPR, it published a list of the over 600 companies it shares your personal data with. Expect a lot more like this.

"Amateurs talk strategy. Professionals talk logistics." Gen. Omar Bradley (probably)
Google Renounces AI Weapons; Will Still Work With Military
Google pledged not to use its powerful artificial intelligence for weapons, illegal surveillance and technologies that cause "overall harm." But the company said it will keep working with the military in other areas, giving its cloud business the chance to pursue future lucrative government deals.

All of this had to be shipped to a rather small geographic area, right? Amazon didn’t notice that?
How this young Indiana couple stole $1.2 million from Amazon
On Monday, a U.S. District Court judge sentenced a Muncie, Indiana married couple to nearly six years in prison apiece for stealing more than $1.2 million in consumer electronics from e-commerce giant Amazon.
… Between 2014 and 2016, the Finans created hundreds of fake online identities and Amazon accounts. They then used them to order more than 2,700 electronics products — GoPro digital cameras, Microsoft Xboxes, Apple Macbooks, Microsoft Surface tablets and more, federal authorities said in a press release announcing their sentencing.
After ordering the products, the Finans would tell the company that the products had arrived damaged or that they did not work.
Amazon's famously friendly customer service policy allows customers to "receive a replacement before they return a broken item," in some cases, according to a release from the U.S. Attorney's Office, Southern District of Indiana.
Amazon keeps a close eye on customers' accounts to track any potential fraud. But the government said the Finans were able to get away with receiving the replacement products before returning the supposedly damaged goods by using their long list of false identities to simply abandon each fake account before their fraud was discovered.
So the Finans would ask Amazon to send replacement products at no charge. Once Amazon would comply, the Finans then sold the stolen merchandise to an accomplice, Danijel Glumac, 29, who sold the items to an entity in New York that would sell the products to the public.
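One way to put the “small geographic area” question into code, as an added example (this is not Amazon’s fraud logic, which is not public, and the order records below are constructed to mirror the scheme described in the story: many freshly created accounts, one delivery area, replacements shipped and originals never returned). The field names, thresholds and sample data are all assumptions for illustration.

```python
"""Spotting a replacement-abuse ring in order data (added example, constructed
records; not Amazon's own detection logic)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    account: str
    account_age_days: int   # age of the account when the order was placed
    ship_zip: str
    ship_addr: str          # normalised street address
    replaced: bool          # replacement shipped on a "damaged/doesn't work" claim
    returned: bool          # original item actually came back


# Constructed sample: three throwaway accounts feeding one address, one
# ordinary customer in the same ZIP, and one unrelated order elsewhere.
ORDERS = [
    Order("acct-0411", 3, "47302", "12 elm st", True, False),
    Order("acct-0411", 5, "47302", "12 elm st", True, False),
    Order("acct-0487", 2, "47302", "12 elm st", True, False),
    Order("acct-0533", 4, "47302", "12 elm st", True, False),
    Order("acct-0100", 900, "47302", "7 oak ave", True, True),   # genuine damaged item
    Order("acct-0100", 901, "47302", "7 oak ave", False, False),
    Order("acct-0200", 1200, "10001", "300 w 14th st", False, False),
]


def suspicious_addresses(orders, min_accounts=3, min_unreturned_rate=0.8,
                         max_account_age=30):
    """Group orders by delivery address and flag addresses where several young
    accounts collect replacements that are never followed by a return.

    Returns {(zip, addr): {"accounts": n, "replacements": n, "unreturned": n}}.
    The account-age and unreturned-rate guards keep a household with several
    legitimate accounts and one real damaged parcel from being flagged.
    """
    by_addr = defaultdict(list)
    for o in orders:
        by_addr[(o.ship_zip, o.ship_addr)].append(o)

    flagged = {}
    for key, group in by_addr.items():
        young_accounts = {o.account for o in group
                          if o.account_age_days <= max_account_age}
        replacements = [o for o in group if o.replaced]
        unreturned = [o for o in replacements if not o.returned]
        if (len(young_accounts) >= min_accounts
                and replacements
                and len(unreturned) / len(replacements) >= min_unreturned_rate):
            flagged[key] = {"accounts": len(young_accounts),
                            "replacements": len(replacements),
                            "unreturned": len(unreturned)}
    return flagged


def zip_replacement_rate(orders):
    """Per-ZIP share of orders that ended in a replacement: the coarser signal
    the comment above points at (a small area with an outsized claim rate)."""
    totals, claims = defaultdict(int), defaultdict(int)
    for o in orders:
        totals[o.ship_zip] += 1
        claims[o.ship_zip] += int(o.replaced)
    return {z: round(claims[z] / totals[z], 2) for z in totals}


if __name__ == "__main__":
    print(suspicious_addresses(ORDERS))   # the elm st cluster
    print(zip_replacement_rate(ORDERS))   # 47302 far above the other ZIP
```

The address-level rule is the one that catches this particular scheme; the ZIP-level rate on its own would also flag a neighbourhood that simply had a bad batch of parcels, so it is better used to decide where to look than as a block by itself.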

Who’d a thunk it?
Paper – Scholarly Twitter metrics
Scholarly Twitter metrics, Stefanie Haustein (Submitted on 6 Jun 2018) – to be published in W. Glänzel, H.F. Moed, U. Schmoch, & M. Thelwall (Eds.), Handbook of Quantitative Science and Technology Research, Springer. 40 pages, 5 figures, 7 tables. Cite as: arXiv:1806.02201 [cs.SI] (or arXiv:1806.02201v1 [cs.SI] for this version)
“Twitter has arguably been the most popular among the data sources that form the basis of so-called altmetrics. Tweets to scholarly documents have been heralded as both early indicators of citations as well as measures of societal impact. This chapter provides an overview of Twitter activity as the basis for scholarly metrics from a critical point of view and equally describes the potential and limitations of scholarly Twitter metrics. By reviewing the literature on Twitter in scholarly communication and analyzing 24 million tweets linking to scholarly documents, it aims to provide a basic understanding of what tweets can and cannot measure in the context of research evaluation. Going beyond the limited explanatory power of low correlations between tweets and citations, this chapter considers what types of scholarly documents are popular on Twitter, and how, when and by whom they are diffused in order to understand what tweets to scholarly documents measure. Although this chapter is not able to solve the problems associated with the creation of meaningful metrics from social media, it highlights particular issues and aims to provide the basis for advanced scholarly Twitter metrics.”

(Related) Scholarly Facebook data.
From Bach to Rock: How Music Preferences Predict Behavior
If the aggressive rap of Eminem is an auditory assault that sends you searching for smooth jazz, you’re probably a person with a high level of openness. That’s one interpretation from a study that looks at the link between music and personality. The study, by Wharton marketing professor Gideon Nave, has wide-ranging implications in our data-driven world. Companies that collect data to tailor product offerings, for example, can gain more insight by looking at their customers’ online playlists. Nave joined Knowledge@Wharton to discuss the paper, “Musical Preferences Predict Personality: Evidence from Active Listening and Facebook Likes.”

Thursday, June 07, 2018

Are we unable to conduct CyberWar, or just unwilling to risk the consequences?
An Example of Deterrence in Cyberspace
In 2016, the US was successfully deterred from attacking Russia in cyberspace because of fears of Russian capabilities against the US.
I have two citations for this. The first is from the book Russian Roulette: The Inside Story of Putin's War on America and the Election of Donald Trump, by Michael Isikoff and David Corn. Here's the quote:
… The second is from the book The World as It Is, by President Obama's deputy national security advisor Ben Rhodes. Here's the New York Times writing about the book.
… When people try to claim that there's no such thing as deterrence in cyberspace, this serves as a counterexample.

“We just don’t put too much effort into these obsolete technologies...”
Landline Phone Service, Which Still Exists, Goes Down Across the U.S.
Comcast’s Xfinity landline service has been experiencing issues across the U.S. since this morning, with thousands of problems still being reported this afternoon, according to The outage map indicates that customers throughout the U.S. have encountered issues, with the most recent reports coming from San Francisco, Chicago, Portland, Mountain View, Denver, Seattle, Atlanta, Houston, New York, and Philadelphia.
… But perhaps most troubling are emergency responder lines impacted by the massive outage. The Epping Police Department and Kingston Fire Department in New Hampshire have said their phone lines were down, and while Schuylkill County Emergency Management in Pennsylvania and Greater Spokane Emergency Management in Washington said they weren’t having trouble fielding calls, both informed locals to use their mobile phones in the event of an emergency while the landlines were down.

I have my students design data centers. None of them have thought of this angle.
The newest green-tech idea: drown data centers at sea
In a bid to save the planet while making some money, Microsoft just drowned one of its data centers at sea. Project Natick is now operating at about 100 ft below the surface of the North Sea near the UK’s Orkney islands, fully powered by renewable energy.
The logic is sound: Bringing data centers close to hubs of computing power benefits customers, enabling smoother web surfing or game playing by cutting down the back-and-forth between users and servers. Microsoft says nearly half the world’s population lives within 150 km (120 miles) of the ocean. And because oceans are uniformly cool below a certain depth, keeping the machines under the sea would cut down the cooling costs that make up a large chunk of the operating budget of data centers.
The Project Natick data center is made up of 864 servers packed in a 40 foot container that now sits about 22 km (14 miles) from the coast. That’s a tiny fraction of some of the huge servers—covering hundreds of thousands of square feet—that tech companies like Microsoft operate. But it may be enough to do a pilot test, and prove that the server could be deployed at commercial scale.

So, what is “inadequate security?”
BREAKING NEWS: Eleventh Circuit vacates FTC order against LabMD
The Court of Appeals for the Eleventh Circuit has vacated the Federal Trade Commission’s order:
This is an enforcement action brought by the Federal Trade Commission (“FTC” or “Commission”) against LabMD, Inc., alleging that LabMD’s data-security program was inadequate and thus constituted an “unfair act or practice” under Section 5(a) of the Federal Trade Commission Act (the “FTC Act” or “Act”), 15 U.S.C. § 45(a). Following a trial before an administrative law judge (“ALJ”), the Commission issued a cease and desist order directing LabMD to create and implement a variety of protective measures. LabMD petitions this Court to vacate the order, arguing that the order is unenforceable because it does not direct LabMD to cease committing an unfair act or practice within the meaning of Section 5(a). We agree and accordingly vacate the order.
I haven’t had time to read it yet, but this is huge news. Here’s the opinion:

This sounds very strange to my ears. Do they mean to say they want access to unencrypted data? Digital requires new tools, but not new laws.
Australia drafts laws forcing Facebook and Google to reveal encrypted data
Technology companies such as Facebook and Google would be forced to give Australian security agencies access to encrypted data under legislation to be introduced by the Turnbull government.
But the government has refused to say how the security agencies would access the data.
… On ABC radio on Wednesday, the cyber security minister, Angus Taylor, said the bill would “modernise” existing laws to give security agencies access to information transferred through encrypted messaging apps. [That would be the encrypted data. Bob]
… “Those laws were developed during an analogue era decades ago and they are now out of date. Much data and information is transferred through messaging apps and it’s digital not analogue. There’ve been very substantial changes in the technology and we need to update the powers.”
Taylor has said the legislation will avoid introducing “weaknesses” in encrypted data devices by avoiding using “backdoor” methods of accessing data, such as a so-called “key” to de-encrypt data.
… But Taylor hopes to avoid those roadblocks by legislating to allow alternate access to data. [I have no idea what that would mean. Bob]
… What he is proposing though is unclear. On Wednesday he dodged multiple questions about whether the legislation would mean forcing companies to include surveillance codes in devices, so that agencies could access data before it is encrypted.
… But Nigel Phair, from the Centre for Internet Safety at the University of Canberra, said if the legislation avoided having to use a backdoor entry to encrypted data then it was likely that it would use a “frontdoor”, a means of accessing the information before it was encrypted.

Is “no ads” better than a few Russian ads? Is this a “baby with the bath water” moment? (Should all laws give enough lead time for technology companies to comply?)
Google will pause election ads in Washington state in unprecedented response to new law
Google says it will stop running state and local election ads in Washington state, citing new rules that require what amounts to real-time disclosure of detailed information about election ads in response to public records requests.
The company has never before paused election ads in a U.S. state. Google says it wants to comply with the law, but its systems aren’t prepared for the rules as implemented. Starting Thursday, Google AdWords won’t accept ads for candidates or ballot measures in the state.
Google’s decision was announced Wednesday evening in an AdWords policy update. The new state rules go into effect Thursday, less than a month after they were approved by the state Public Disclosure Commission as part of implementing HB 2938.
… The company did not provide a timeline for resuming political ads in the state.
… Earlier this week, Washington state Attorney General Bob Ferguson filed suit against Facebook and Google, alleging that they hadn’t followed existing state law for disclosing campaign finance information.
The new rules approved by the Public Disclosure Commission add extra requirements to state campaign finance law. They say digital communication platforms must provide information including “approximate description of the geographic locations and audiences targeted, and total number of impressions generated by the advertisement or communication” in response to public disclosure requests.
The rules say the information “must be made available as of the time when the advertisement or communication has initially received public distribution or broadcast.”

Facial recognition, starting with the biggest crooks?
How The New York Times Uses Software To Recognize Members of Congress
Even if you’ve covered Congress for The New York Times for a decade, it can be hard to recognize which member you’ve just spoken with. There are 535 members, and with special elections every few months, members cycle in and out relatively frequently. So when former Congressional Correspondent Jennifer Steinhauer tweeted “Shazam, but for House members faces” in early 2017, The Times’s Interactive News team jumped on the idea.
Our first thought was: Nope, it’s too hard! Computer vision and face recognition are legitimately difficult computer science problems. Even a prototype would involve training a model on the faces of every member of Congress, and just getting the photographs to train with would be an undertaking.
But we did some Googling and found the Amazon Rekognition API. This service has a “RecognizeCelebrity” endpoint that happens to include every member of Congress as well as several members of the Executive branch.
… To use the prototype, a congressional reporter could snap a picture of a congress member, text it to our app, and get back an annotated version of the photograph identifying any members and giving a confidence score.
… If you’re interested in running your own version, the code for Who The Hill is open sourced under the Apache 2.0 license.
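The annotation step described above, as an added example that is not the Times's Who The Hill code: it post-processes a RecognizeCelebrities response into pixel-space boxes and caption lines, and gates each match on a confidence threshold so a weak match is reported as unverified rather than as an identification. The sample response is constructed to mirror the documented shape of the API's output; its names and ids are placeholders, and the live path assumes a caller-supplied boto3 Rekognition client.

```python
"""Post-process an Amazon Rekognition RecognizeCelebrities response into
annotations for a photo: pixel boxes, caption lines and a confidence gate.

Added example for this page, not the New York Times "Who The Hill" code.
SAMPLE_RESPONSE is constructed to mirror the documented response shape
(CelebrityFaces / UnrecognizedFaces); names and ids are placeholders.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass
class Annotation:
    name: str
    confidence: float                    # Rekognition MatchConfidence, 0-100
    box: Tuple[int, int, int, int]       # (left, top, right, bottom) in pixels
    identified: bool                     # False when below the caller's threshold


def _to_pixels(bbox: Dict[str, float], width: int, height: int):
    """Rekognition boxes are fractions of the image; convert to integer pixels,
    clamping because boxes can extend slightly past the frame edge."""
    left = int(round(bbox["Left"] * width))
    top = int(round(bbox["Top"] * height))
    right = int(round((bbox["Left"] + bbox["Width"]) * width))
    bottom = int(round((bbox["Top"] + bbox["Height"]) * height))
    return (max(0, left), max(0, top), min(width, right), min(height, bottom))


def annotate(response: Dict[str, Any], width: int, height: int,
             min_confidence: float = 90.0) -> List[Annotation]:
    """Turn a RecognizeCelebrities response into one Annotation per face.

    Matches below `min_confidence` are still boxed but flagged identified=False,
    so downstream consumers never treat a weak match as an identification.
    Faces Rekognition could not match at all are labelled "unknown".
    """
    out: List[Annotation] = []
    for celeb in response.get("CelebrityFaces", []):
        conf = float(celeb.get("MatchConfidence", 0.0))
        box = _to_pixels(celeb["Face"]["BoundingBox"], width, height)
        out.append(Annotation(celeb["Name"], conf, box, conf >= min_confidence))
    for face in response.get("UnrecognizedFaces", []):
        out.append(Annotation("unknown", 0.0,
                              _to_pixels(face["BoundingBox"], width, height), False))
    out.sort(key=lambda a: a.confidence, reverse=True)   # strongest match first
    return out


def caption(annotations: List[Annotation]) -> List[str]:
    """One text line per face, e.g. for the reply text message."""
    lines = []
    for a in annotations:
        if a.name == "unknown":
            lines.append("unknown face at %s" % (a.box,))
        elif a.identified:
            lines.append("%s (%.1f%%) at %s" % (a.name, a.confidence, a.box))
        else:
            lines.append("possible %s (%.1f%%, below threshold) at %s"
                         % (a.name, a.confidence, a.box))
    return lines


def recognize(image_bytes: bytes, client, width: int, height: int,
              min_confidence: float = 90.0) -> List[Annotation]:
    """Live path. `client` is a boto3 Rekognition client supplied by the caller
    (assumption: boto3's recognize_celebrities(Image={'Bytes': ...}) call)."""
    resp = client.recognize_celebrities(Image={"Bytes": image_bytes})
    return annotate(resp, width, height, min_confidence)


# Constructed sample response (placeholder names/ids) for a 1200x800 photo.
SAMPLE_RESPONSE = {
    "CelebrityFaces": [
        {"Name": "Example Member A", "Id": "placeholder-id-1", "MatchConfidence": 97.4,
         "Urls": [], "Face": {"BoundingBox": {"Left": 0.10, "Top": 0.20,
                                              "Width": 0.15, "Height": 0.25},
                              "Confidence": 99.9}},
        {"Name": "Example Member B", "Id": "placeholder-id-2", "MatchConfidence": 61.2,
         "Urls": [], "Face": {"BoundingBox": {"Left": 0.60, "Top": 0.15,
                                              "Width": 0.20, "Height": 0.30},
                              "Confidence": 99.5}},
    ],
    "UnrecognizedFaces": [
        {"BoundingBox": {"Left": 0.85, "Top": 0.50, "Width": 0.20, "Height": 0.30},
         "Confidence": 98.0}
    ],
}

if __name__ == "__main__":
    for line in caption(annotate(SAMPLE_RESPONSE, 1200, 800)):
        print(line)
```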

Not sure this is significant, yet.
People Are Changing the Way They Use Social Media
Posts are getting less personal—and privacy breaches like Cambridge Analytica could be partly to blame, an Atlantic survey finds

I try to include a little history of technology in all of my classes and these tools could help.
5 Tools to Help You Search the Archived Internet
Tech.Co – Adam Rowe: “The archived internet deserves more recognition. Online security has been a hot button topic in the tech community recently, with data scandals and privacy policy updates constantly driving the conversation. But, keeping the internet a stable and reliable network isn’t all about data security – it’s also about data preservation. Anything that’s low tech is dismissed as “from the stone age,” but stone is by far the most stable way to record information. Not only will the hard drives and networked routers of today never last a thousand years, but plenty of information online won’t even last the decade. As local newspapers or long-in-the-tooth startups go under, they all leave dead links scattered across the internet, constantly replaced with fresh links that will themselves eventually die. Wow, sorry, didn’t mean to get too dark there. My point is, memories that you might want to keep are increasingly likely to exist only on the internet — rambling G-Chat conversations with your best friend, say, or your first WordPress blog. If you want to preserve, protect, or search through your online footprint, read on to learn which five online tools can best help you comb through the archived internet.”

My students have been asking.
Why Microsoft Is Willing to Pay So Much for GitHub
Microsoft’s $7.5 billion acquisition of GitHub is a perfect illustration of how value is ascribed differently in Silicon Valley than in the rest of the world. GitHub was acquired for close to 30x annual recurring revenue (an astronomical multiple). To put this in perspective, Microsoft acquired LinkedIn for $26 billion in 2016 (7.2x revenue), in what was considered one of the richest tech deals ever.
… In Silicon Valley there are basically two ways of creating shareholder value: financial and strategic. Financial value is the stuff of business school and stock markets. It’s about multiples of revenue or earnings, sales growth, profit margins, and management theory.
… Strategic value, on the other hand, has little to do with any of those things and almost everything to do with how a company’s product and/or market position help or hinder another company’s (usually a bigger one’s) ability to be successful. Strategic value is realized not by a business’s ability to make money independently, but by its ability to generate (or in some cases protect) profit for someone else.
… In other words, Microsoft is not paying $7.5 billion for GitHub for its ability to make money (its financial value). It’s paying for the access it gets to the legions of developers who use GitHub’s code repository products on a daily basis (the company’s strategic value) — so they can be guided into the Microsoft developer environment, where the real money is made.

No doubt all these locations are low on the tourist wish list.
Investigative report – Murder with impunity: Where killings go unsolved
“The Post has mapped more than 50,000 homicides in major U.S. cities over the past decade and found that the nation’s urban areas contain pockets of impunity — places where killings routinely go unpunished. The analysis goes beyond what is known nationally about unsolved homicides, revealing block by block where police fail to make arrests… The data, which The Post is making public, is more precise than the national homicide data published annually by the FBI. The federal data fails to distinguish whether a case was closed due to an arrest or other circumstances, such as the death of the suspect, and does not have enough detail to allow for the mapping of unsolved homicides…” [This is outstanding work that reveals critical disparities in the rate of unsolved homicides specific to neighborhoods throughout America.]
Explore The Post’s homicide database – Out of 52,179 homicides in 50 cities over the past decade, 51 percent did not result in an arrest.

For my students.
5 Streaming Sites for People Who Want More Than Netflix
Consumer Reports – These alternatives will appeal to fans of British TV, classic movies, horror, or other niche content: “When it comes to streaming video services, Netflix clearly looms large over its competitors, accounting for more than one-third of all peak-time downstream traffic, according to research firm Sandvine. Maybe that explains why you never hear anyone say they’re going to a friend’s house to “Hulu and chill.” But that doesn’t mean there are no worthy streaming alternatives. Here are five services for people with a taste for something different. Many offer free plans and access via computers, mobile devices, smart TVs, and streaming devices such as Apple TV and Roku. (You should also check our guide to all the major streaming services.)…”

Kentucky Fake Chicken? Kentucky Fried Cauliflower?
KFC Plans to Test Out Vegetarian Fried Chicken in the U.K.
As fast food chains scramble to provide healthier alternatives to traditional menus known for high caloric fries and sugary sodas, KFC U.K. shared its plans to add vegetarian fried chicken to the registry.
The creation of a new meat-free, chicken-inspired option is part of KFC U.K.’s mission to cut their calories per serving by 20%.
… In April, White Castle added the option to switch for a vegan Impossible Burger on any of their sliders. Burger King also offers alternative options such as a Morningstar veggie burger, vegan apple pie, and vegan French toast sticks.
At the start of the year, TGI Fridays introduced its first plant-based burger, the Beyond Meat Cheeseburger.

If only I could convince my students that this was a fatal disease.

Wednesday, June 06, 2018

Is failure to notice you’ve been hacked evidence of negligence? Certainly suggests poor security. (Will future AI systems steal DNA to create clone slaves?)
Hacked: 92 Million Account Details for DNA Testing Service MyHeritage
When you sign up to a website handling sensitive information, perhaps a medical service or social network, one of the basic things you’re probably hoping for is that the site can keep control of its users’ data. Unfortunately for customers of MyHeritage, a genealogy and DNA testing service, a researcher uncovered 92 million account details related to the company sitting on a server, according to an announcement from MyHeritage.
The data relates to users who signed up to MyHeritage up to and including October 26, 2017—the date of the breach—the announcement adds.
Users of the Israel-based company can create family trees and search through historical records to try and uncover their ancestry. In January 2017, Israeli media reported the company has some 35 million family trees on its website.
In all, the breach impacted 92,283,889 users, according to MyHeritage’s disclosure.
… MyHeritage says it has no reason to believe other user data was compromised. Customer credit card information is processed by third parties such as PayPal, and users’ DNA data is stored on systems separate from those containing customers’ email addresses, the company claimed.

“Because we need to know who is escaping?”
New Homeland Security system will bring facial recognition to land borders this summer
… In August, Customs and Border Protection will deploy a new system for scanning drivers’ faces as they leave the US, The Verge has learned. The pilot, called the Vehicle Face System (or VFS), is planned for installation at the Anzalduas border crossing at the southern tip of Texas and scheduled to remain in operation for a full year. The project is currently moving through the necessary privacy reviews, and it is set to be officially announced and submitted to the Federal Register in the coming months.
According to a Customs spokesperson, the purpose of the project will be “to evaluate capturing facial biometrics of travelers entering and departing the United States and compare those images to photos on file in government holdings.”
… The project is part of the broader Biometric Exit program, which seeks to physically verify visa-holders’ identities as they leave the country. The largest arm of that program has been the installation of facial recognition systems at airports, which are currently being piloted in New York, Los Angeles, and six other major cities. Enforcing biometric exit at land borders has been more challenging, but customs officials hope that more sophisticated cameras could allow similar facial recognition systems to be used at land borders.
… The Vehicle Face System will go further than those tests, aiming to capture a facial recognition-ready image for every passenger in every car in both the inbound and outbound lanes. Those images will be matched against visa and passport photos already on file with CBP, verifying travelers before they even reach the turnstile.

You have to vet your tools?
EU Court Says German Education Entity and Facebook Must Share the Blame for Privacy Gaffes
Barbara Leonard reports:
A German education entity that benefitted from Facebook’s collection of user data failed to persuade the EU’s top court Tuesday that it had no share in the blame.
Wirtschaftsakademie Schleswig-Holstein came under fire in its homeland seven years ago when a government agency dedicated to data protection ordered it to deactivate a fan page it administrated on Facebook.
Using a free tool called Facebook Insights, Wirtschaftsakademie was able to obtain statistical data on users who visited its page, but German regulators found that the page failed to disclose Facebook’s use of cookies for data-collection purposes.
Read more on Courthouse News.

You knew this was coming and you knew California would be the first to jump.
California Voters Likely to Consider Enacting GDPR-Like Privacy Law in November
David M. Stauss, Gregory Szewczyk, and Malia K. Rogers of Ballard Spahr write:
With more than double the number of required signatures well ahead of the verification deadline late this month, the citizen-initiated measure “The California Consumer Privacy Act of 2018” appears headed for the statewide ballot on November 6. If approved by a majority of Golden State voters, the ballot measure would greatly expand right-to-know and opt-out requirements, subjecting covered businesses to increased costs for compliance and strict liability for any violations.
If enacted into law, the ballot measure will apply to companies that conduct business in California or collect California residents’ personal information. Small businesses, however, will be spared, as the measure only applies to businesses that have annual gross revenues over $50 million, annually sell (alone or in combination) the personal information of 100,000 or more consumers or devices, or derive 50 percent or more of annual revenue from selling consumers’ personal information.
Read more on National Law Review.

Have the Copyright Cops gotten soft or is Facebook just buying new users?
Facebook allows videos with copyrighted music, tests Lip Sync Live
Facebook users will no longer have their uploaded videos with copyrighted background music taken down thanks to a slew of deals with all the major record labels plus many indies.
Facebook is also starting to test a feature designed to steal users from teen sensation app Musically. Facebook’s new Lip Sync Live lets users pick a popular song to pretend to sing on a Facebook Live broadcast.
… When users upload videos with music with the new rules in effect, they’ll be quickly notified if that song is allowed via the deals and fine to share, or if their video will be muted unless they submit a dispute to the copyright holder who then okays it through Facebook’s Rights Manager tool. Facebook will compensate artists and labels whose music is used, but it wouldn’t disclose the rates or whether they’re calculated by upload or video view.

All is not roses in India?
Walmart-Flipkart deal in question as Indian trade bodies protest
Indian traders, workers and farmers have stepped up their campaign against U.S. retailer Walmart's proposed acquisition of India’s biggest e-tailer Flipkart, demanding that the government stop the $16 billion deal on the grounds that it will harm the nation’s economic and digital sovereignty and hit millions of jobs.
… The acquisition of Flipkart “is the latest step in a series of developments aimed at circumventing the existing FDI [foreign direct investment] cap in multi-brand retail by permitting foreign-owned online retail in India, and developing a digital stranglehold by foreign companies over India’s consumer goods value chain,” the organizations said in their statement, adding that allowing FDI in e-retail was “a backdoor entry” point for foreign players into multi-brand retail.
At present, up to 51% FDI is allowed in multi-brand retail, subject to certain conditions – one of which is that at least 30% of the value of procurement of manufactured/processed products purchased should be sourced from Indian micro, small and medium-sized industries. However, the rules on FDI in online retail lack clarity, and traders have long sought an e-commerce policy.

(Related) Never miss an opening…
Report: Amazon commits $2 billion to Indian market
Amazon is getting back in the game in India, reportedly investing $2 billion in the market, after it lost the acquisition of key local competitor Flipkart to Walmart in May. CNBC's Indian affiliate broke the news.
Why it matters: Amazon and Walmart are fighting for the upper hand in India, which is the fastest-growing e-commerce market in the world.

Perspective. Has Uber done half-a-billion dollars worth of damage to its reputation?
Uber to Spend Up to $500 Million on Ad Campaign
Uber plans to spend up to $500 million on a global marketing effort this year, according to a person familiar with the matter. It marks Uber’s first large-scale brand campaign and is part of an effort to repair the company’s image after last year’s scandals.
… The ads are controversial internally, people familiar with the matter said, both due to Mr. Khosrowshahi’s prominent role in them and the fact that they take a contrite tone, when some viewers might not even be aware of all of Uber’s missteps. Amid Uber’s challenges last year, Lyft launched a brand advertising campaign that cost tens of millions of dollars, The Information reported in September.

Clearly, this justifies investment in AI and Robotics.
There are now more job openings than people unemployed
The latest figures from the Bureau of Labor Statistics shows that there are now 6.7 million job openings in the U.S. and 6.35 million people counted as unemployed — making 2018 the first year on record that the U.S. has had more available jobs to fill than people looking for jobs.

A GitHub alternative?
GitLab’s high-end plans are now free for open source projects and schools
The fact that Microsoft is buying GitHub has left a lot of developers with a deep feeling of unease and a lot of them are now looking for alternatives. One of those is GitLab and that company has decided to strike the iron while it’s hot. To attract even more developers to its platform, GitLab today announced that its premium self-hosted GitLab Ultimate plan and its hosted Gold plan are now available for free to open source projects and educational institutions.
… The Gold and Ultimate offerings, however, would typically cost $99 per user per month and include virtually every feature you can think of, including all the basics you want from a code repository up to tools for publishing roadmaps, dependency and container scanning, Kubernetes cluster monitoring and, in the near future, tools for license and portfolio management.
One caveat here is that the free Gold and Ultimate plans do not include support. Developers and open source projects that do want support, though, can still buy it at $4.95 per user and month.
The other limitation is that this applies to schools but not individual students. “To reduce the administrative burden for GitLab only educational institutions can apply on behalf of their students,” the company says.

A “thing” for nerds and power users.
Firefox has a new side-by-side tab feature for multitaskers
Firefox is jazzing things up with a couple of new test features that should embolden multitaskers and those who like to tinker with aesthetics. Side View lets you view a pair of tabs side-by-side without needing to open a new browser window. Once you click the Side View button on your toolbar, you can pick which tab you want to see on the side. It can be one you already have open or a tab you recently closed. You can open a browser link in the sidebar too.

Alternatives to buying a car…
Uber Expands Electric-Bicycle Rentals With European Debut
Uber Technologies Inc. announced it would roll out its on-demand electric-bicycle service to Europe, as it seeks to expand its international offerings to include more environmentally-friendly forms of transportation.

Scoop: GV to lead $250 million round in scooter startup Lime

For my graduating students.
Bill Gates is giving away copies of his favorite book of the year to 2018 college graduates
Bill Gates recently revealed his five recommended books for summertime reading. Now, he’s giving away one of those five — his favorite book of the year so far — to this year’s college graduates.
The book is “Factfulness: Ten Reasons We’re Wrong About the World — And Why Things Are Better Than You Think” by Hans Rosling, with Ola Rosling and Anna Rosling Ronnlund. And all 2018 graduates, from any accredited college or university in the United States, can go to Gates Notes to download a complimentary copy (in .epub format). Graduates will need to sign up or log in as a Gates Notes Insider, and then select their university or college from a drop-down menu in order to download the book. The download will be available for about two or three days.

Tuesday, June 05, 2018

Eventually the details come out.
Hacker Stole 26 Million Email And Home Addresses Of Ticketfly Users
Ticketfly’s parent company Eventbrite said it’s still investigating the incident, and hasn’t revealed the extent of the data breach, nor how much or what kind of data was stolen. Motherboard downloaded a series of CSV database files posted on a public server by the hacker last week and shared them with Troy Hunt, the founder of “Have I Been Pwned,” a website dedicated to informing users of data breaches.
Hunt analyzed the databases and found 26,151,608 unique email addresses. The databases did not include passwords nor credit card details. But for most users, they did include their home and billing address and phone numbers.
The hacker told Motherboard that they reached out to Ticketfly before the breach, alerting the company of a vulnerability, and demanding a ransom of 1 bitcoin to help them fix the flaw. After the company did not respond to their emails, the hacker defaced the site.
… As of Monday, the service is still offline. It’s now been offline for five days.

Not the right Washington? Is this the start of a flood?
Washington state sues Facebook, Google over election ad disclosure
The state of Washington said on Monday it had sued Facebook Inc and Alphabet Inc’s Google for allegedly violating state campaign finance law by failing to maintain information about who buys election ads.
The state's attorney general, Bob Ferguson, who posted copies of the lawsuits here and here on his website, said he was seeking penalties against the companies and an injunction for failing to disclose ad spending in state elections since 2013.
… Unlike most U.S. jurisdictions, both Washington state and the city of Seattle have laws dating to the 1970s that require companies that sell advertising, such as radio stations, to disclose who buys political ads. Other states put the burden of disclosure on the buyers themselves.

Are we protecting “methods and capabilities?”
What If Police Use ‘Rekognition’ Without Telling Defendants?
At least two US law enforcement departments — and Motorola, which sells equipment to the government — have already purchased access to Amazon’s “Rekognition” system. This technology combines facial recognition and artificial intelligence to identify people and track their movements, including in crowds.
Among the many civil-liberties implications of programs like these is the real possibility that people in the United States facing imprisonment or deportation will never learn about law enforcement’s use of such systems during investigations, thanks to the U.S. government practice known as “parallel construction.” This means the constitutionality of such activities could go unchallenged by defendants and unexamined by judges, who are essential to providing checks on police powers.
… For courts to play their vital role in ensuring that any government investigative measures—including sophisticated emerging technologies—are lawful, both judges and the defense need to know what law enforcement is doing. Congress should require the government to disclose complete information about the methods used to obtain evidence—and in the meantime, judges should strongly consider doing the same. The digital age, with its unprecedented capabilities to catalogue intimate details about our lives, is no time to relax our vigilance in defending rights.

When can I video my students? When are they not students?
William J. Zee of Barley Snyder writes, in part:
… Prior to the recent issuance of the “FAQs on Photos and Videos under FERPA,” the issue of surveillance video as an education record was addressed in the December 7 “Letter to Wachter.” The new guidance does not deviate substantially from the information provided in the letter, but it does offer a more detailed and comprehensive analysis applicable to determining when a photo or video of a student is deemed an education record under FERPA. It also addresses what steps schools need to take in handling requests for such information.
Determining when a visual representation of a student is directly, rather than incidentally, related to a particular student is a very context-specific analysis.
Read more on Barley Snyder.

Conway is not exactly on the border with Canada. Is there something special about that area?
Planning a vacation with Joe Cadillic is probably not a typical planning experience. 🙂
Joe writes:
Since last year, the Department of Homeland Security (DHS) and the U.S. Customs and Border Patrol (CBP) have been conducting immigration checkpoints in New Hampshire’s White Mountains.
NH’s motto ‘Live Free or Die’ is fast becoming a joke to all who visit.
Why would I say that?
Because this past Memorial Day weekend, State Police with DHS funding, conducted a DWI ‘saturation patrol’ in Conway from 9 PM-3 AM stopping ninety motorists. Anyone familiar with North Conway knows that most bars and restaurants close at 1AM and stopping ninety Conway residents would have caused a public outcry.
So who were the police targeting?
Read more on MassPrivateI.

It’s not just robots that “take” jobs.
How a Genetically Modified Soybean Helped Modernize an Economy
As Brazil’s farms became more efficient, workers shifted to manufacturing.

My students are watching this market.
Waymo, the self-driving car spinoff of Google, made a big splash last week by announcing it struck a deal with Fiat Chrysler to add 62,000 Chrysler Pacifica hybrid minivans to its upcoming fleet of autonomous taxis. Turns out, the move could have a big impact not only on Waymo’s bottom line but also on potential buyers of electric cars in years to come. It appears that nothing’s stopping the company from seeking as much as $465 million in federal tax credits as a result of the order, according to experts who spoke to Jalopnik.
Even if Waymo decides against claiming the electric vehicle tax credit—worth up to $7,500 per car—on its annual returns, the Pacifica order will impact the ability of future car buyers to purchase an FCA electric or hybrid model at a more affordable price, experts said. The Pacifica order represents more than 30 percent of the 200,000-vehicle cap set by federal regulators for the tax credit; once a manufacturer hits that ceiling, the credit begins to phase out.

Perspective. Some programmers actively hate Microsoft. Not sure that’s a valid strategy.
13,000 Projects Ditched GitHub for GitLab Monday Morning
On Monday morning, Microsoft announced that it had acquired the popular collaborative software development platform GitHub for $7.5 billion in Microsoft stock. The announcement was met with mixed reactions from the developer community. Some looked at the acquisition as inevitable and the only way to sustain a free platform that had grown as large as GitHub. Others saw it as the death knell for a neutral, community-driven platform that was the de facto home of open source software development.
Rumors of the acquisition first began circulating over the weekend, which led to a mass migration of GitHub projects to its competitor’s platform, GitLab. A real-time tracker on GitLab shows a massive spike in imported GitHub projects early on Monday morning, with over 13,000 projects being imported within a single hour. Yet GitLab’s CEO and co-founder Sid Sijbrandij said the mass migration has been going on for nearly a week.
“Within the past seven days, we have imported nearly 50,000 projects,” Sijbrandij told me in an email. “We’ve scaled up the servers for three times already.”
… Although 50,000 projects being transferred to GitLab is nothing to bat an eye at, it’s still a relatively small portion of the roughly 80 million projects hosted on GitHub.

You can’t make this stuff up. At least, I can’t.
… The fourth generation (Series 3) of the Apple Watch was the first to get built-in cellular connectivity, letting you leave your iPhone at home. To make it easier to reach out to other Apple Watch users, a new Walkie-Talkie app is being introduced with watchOS 5.0 that lets users send quick voice memos back and forth over a cellular connection, or Wi-Fi. It looks like it’s a faster alternative to placing a call, and may be considerably lighter on data usage.

Useful tools?
New on LLRX – Popular Face-to-Face Conferencing Software
Via LLRX – Popular Face-to-Face Conferencing Software – Brandon Wright Adler reviews free and fee-based meeting/conferencing software that meets the requirements to support effective communications with team and/or group members in disparate locations.