Saturday, August 11, 2018

Another case of “Sorry. Security wasn’t on our checklist.”
Researcher Finds Hundreds of Planes Exposed to Remote Attacks
A researcher has discovered that hundreds of airplanes from several airlines could have been hacked remotely from the ground through vulnerabilities in satellite communications systems.
Back in 2014, IOActive Principal Security Consultant Ruben Santamarta published a research paper describing theoretical attack scenarios on satellite communications. The expert resumed his research in November 2017, after taking a look at the in-flight entertainment system during a Norwegian flight.
After passively collecting traffic from the airplane’s Wi-Fi network, Santamarta noticed that several commonly used services, such as Telnet, HTTP and FTP, were available for certain IP addresses, and some interfaces associated with the plane’s on-board satellite communications (satcom) modems were accessible without authentication.
According to the researcher, the flaws he has identified can be exploited to hack millions of devices found in aircraft, government agencies, and smart cities.

We just assumed the vendor check it.”
… TSMC’s personnel set up a new manufacturing tool on Friday, August 3, and then installed software for the device. The machine was not isolated and confirmed to be malware-free before connecting it to TSMC’s internal network. Consequently, the introduction of a malware-infected machine to TSMC's internal production network allowed the malware to quickly spread and infect computers, production equipment, and automated materials handling systems across TSMC’s fabs.
According to the chipmaker, the malware was a variant of the WannaCry ransomware cryptoworm.

Interesting. If this was used by a political party to influence an election, would it be illegal? Should elected officials ignore emails or Tweets like these?
Forget Astroturfing: Startups Can Just "Brobilize" Customers For Lobbying Efforts
Despite $415 million in funding and a giant fleet of electric scooters scattered all across the streets of San Francisco, the startup Bird only lasted a few months before city supervisors voted to boot them from the City by the Bay. But then, nine weeks after the sidewalks were cleared, San Francisco customers got an email asking them to help “Bring Bird Back to San Francisco!” by contacting their local elected official. The email contains a link to a website where customers can send a prewritten message, in the form of a tweet or an email, to city officials by just entering their name and contact information and clicking send.
“Please bring Bird back to San Francisco,” the email message says. “While I understand the need for reasonable regulations, it has been nearly two months since I’ve had access to this affordable, sustainable transportation option.” While it’s hard to know (for anyone other than Bird) how many people emailed, there were plenty who weren’t shy about sending a tweet.
Unlike the neighborhood bakery that wants customers to add their names and addresses to a petition for expanded outdoor seating, tech companies typically already know who and where their users are. It means startups can mobilize — or brobilize — thousands of people via a simple email or push notification to blast targeted messages to their elected officials, often with just a few clicks. It’s like astroturfing for the always-on, location-aware era.
… These click-to-lobby efforts have been ramping up for a few years now as elected officials get more serious about regulating tech (or more cognizant of the political value of appearing to do so) and startups increasingly ask their user bases to defend them in response.

Legal technology, when nothing else works!
DNC serves WikiLeaks with lawsuit via Twitter
As CBS News first reported last month, the DNC filed a motion with a federal court in Manhattan requesting permission to serve its complaint to WikiLeaks on Twitter, a platform the DNC argued the website uses regularly. The DNC filed a lawsuit in April against the Trump campaign, Russian government and WikiLeaks, alleging a massive conspiracy to tilt the 2016 election in Donald Trump's favor.
All of the DNC's attempts to serve the lawsuit via email failed, the DNC said in last month's motion to the judge, which was ultimately approved.
The lawsuit was served through a tweet from a Twitter account established Friday by Cohen Milstein, the law firm representing the DNC in the suit, with the intent of serving the lawsuit.

It’s fun to speculate. I would say option three is most useful.
What the Facebook Crypto team could build
Facebook is invading the blockchain, but how? Back in May, Facebook formed a cryptocurrency team to explore the possibilities, and today it removed a roadblock to revealing its secret plans.
Former head of Messenger David Marcus, who leads the Facebook Crypto team, today announced he was stepping down from the board of Coinbase, the biggest crypto startup.
… So what could Facebook be building? I see three main consumer-facing opportunities.
3% off with FaceCoin
Facebook could build a cryptocurrency wallet with its own token that people could use to pay for things with partnered businesses or that they discover through Facebook ads. Because blockchain can make transactions free or very cheap, Facebook and its partners could sidestep the typical credit card processing fees. That would potentially allow Facebook to offer users “3% off purchases made with FaceCoin” or a similar promotion.
P2P and micropayments
Facebook already lets you send friends money through Messenger for free, but only with a connected debit card or PayPal account. Facebook could offer cryptocurrency-based payments between friends to let a wider range of users settle debts for shared dinners or taxis through Messenger.
Facebook Connect for crypto
A top problem in the world of decentralized blockchain apps is how you bring your identity with you. Securely connecting your wallet, blockchain-based virtual goods and biographical info to new dApps can be a laborious process.
… Facebook could use its expertise in operating a popular identity platform to ease login to dApps. While the company has faced plenty of privacy issues and attacks on election integrity, Facebook has a strong record of not being traditionally hacked. It hasn’t suffered a massive user data breach like LinkedIn, Twitter and other social networks. Using an overtly centralized identity system to connect with decentralized apps might be counterintuitive, but Facebook could deliver the UX convenience necessary to unlock a new wave of blockchain utility.

Another stock I never heard of…
Google's data privacy concerns are a surprising boon for ad-tech firm Trade Desk
In April, pressured by new privacy rules in Europe, Google told advertisers they would no longer have access to some critical measurement data when building online campaigns.
Digital ad company Trade Desk is reaping the rewards.
Trade Desk shares soared 32 percent on Friday, a day after the company reported earnings that blew by analysts' estimates and raised its forecast. On the conference call with analysts, CEO Jeff Green said one of the primary drivers in the quarter was Google's move on privacy, which pushed advertisers to Trade Desk.
Here's what happened. In conjunction with the General Data Protection Regulation (GDPR) that the European Union implemented in May, Google told clients that they could no longer have access to the DoubleClick ID to analyze ad measurement data across the web.
The data is highly valuable because it allows marketers to see how ads are performing on Google sites, including YouTube, compared with the rest of the web.
… "In my view, Google's decision to remove this ID offering is driven by their increasing need to reduce risk against malicious data enablement, like what we saw Cambridge Analytica do with social data," Green said. "The risk is similar for both Google and Facebook. The risk exists because Google, at the fundamental level of their business, transacts in directly identifiable consumer data. Google knows so much about billions of consumers because of their core product, their search engine."
Green said that marketers are shifting to Trade Desk, because it gives them a neutral tool to see how campaigns are performing. Advertisers can "compare every destination on their media plan to every other destination objectively," he said.

Interesting. Would this translate to other fields? Probably.
… We’ve explored the nature of the new value-enhancing roles that will emerge and identified three new categories of AI-driven jobs:
Trainers who help AI systems learn how to perform, which includes everything from helping natural language processors and language translators make fewer errors, to teaching AI algorithms how to mimic human behaviors.
Explainers who interpret the results of algorithms to improve transparency and accountability for AI decision making and processes.
Sustainers who ensure intelligent systems stay true to their original goals without crossing ethical lines or reinforcing bias.

I always like to read about New Records! (Even if it is in a narrow area.)
Ford: This may be one of the largest frauds in the history of the United States
Ford Motor Credit filed additional documents with the bankruptcy court Friday morning, claiming this may be one of the largest floor-plan financing frauds in the history of the United States.
The documents said Reagor-Dykes Auto Group hid the "massive breach" from Ford Credit by fraudulently misrepresenting sales-reporting data to Ford Credit. The company believed Reagor-Dykes was timely paying off cars it sold to the public, however, Ford Credit said the company was selling vehicles on average of 55 days before reporting it to Ford Credit.
… The document also said Reagor-Dykes fraudulently secured double-flooring from Ford Credit. Double-flooring means automobile dealers receive funding twice for the same vehicle; it is an illegal practice where a single vehicle is used as collateral for more than one loan.
Ford Credit also claims Reagor-Dykes obtained inventory financing for cars it had already sold, representing to Ford Credit they still had the car as inventory and then obtained additional financing.

Friday, August 10, 2018

Final exam question: The default setting is “NOT SECURE.” What should your first step be?
Mallory Locklear reports:
Data leaks are par for the course these days, and the latest company to be involved in one is GoDaddy. The company, which says it’s the world’s top domain name registrar with over 18 million customers, is the subject of a new report from cybersecurity firm UpGuard that was shared exclusively with Engadget. In June, cyber risk analyst Chris Vickery discovered files containing detailed server information stored in an unsecured S3 bucket — a cloud storage service from Amazon Web Services. A look into the files revealed multiple versions of data for over 31,000 GoDaddy systems.
Read more on Engadget.

An ethical hacking tool. OR Why I remain anti-social.
New facial recognition tool tracks targets across different social networks
The Verge – The open-source program is designed for security researchers: “Today, researchers at Trustwave released a new open-source tool called Social Mapper, which uses facial recognition to track subjects across social media networks. Designed for security researchers performing social engineering attacks, the system automatically locates profiles on Facebook, Instagram, Twitter, LinkedIn, and other networks based on a name and picture. Those searches can already be performed manually, but the automated process means it can be performed far faster and for many people at once. “Performing intelligence gathering online is a time-consuming process,” Trustwave explained in a post this morning. “What if it could be automated and done on a mass scale with hundreds or thousands of individuals?” Social Mapper doesn’t require API access to social networks, a restriction that has hampered social media tracking tools like Geofeedia. Instead, the system performs automated manual searches in an instrumented browser window, then uses facial recognition to scan through the first 10 to 20 results for a match. The manual searches mean the tool can be quite slow compared to API-based scans. The developer estimates that searching a target list of 1,000 people could take more than 15 hours. The end result is a spreadsheet of confirmed accounts for each name, perfect for targeted phishing campaigns or general intelligence gathering. Trustwave’s emphasis is on ethical hacking — using phishing techniques to highlight vulnerabilities that can then be fixed — but there are few restrictions on who can use the program. Social Mapper is licensed as free software, and it’s freely available on GitHub…”

I should poll my students before showing them this.
Study – How Do Americans Feel About Online Privacy in 2018?
The Best VPN – “Concerns around online privacy have come to a head in 2018. In mid-March, The New York Times and The Guardian reported that data from 50 million Facebook profiles was harvested for data mining firm Cambridge Analytica — a number that would eventually be revised to 87 million in one of the largest data collection scandals of all time. Two months later, inboxes were flooded by a slew of privacy policy updates following the implementation of the EU’s GDPR, a privacy policy law that set guidelines for the collection and use of data. Although the law was designed to increase transparency regarding the collection of data, the updates raised user concern around how companies had been obtaining and using personal information in the past. So, with thundering headlines about data breaches and privacy loss stoking fears, just how are Americans feeling about their online privacy? To answer this question, we used Google Surveys to target 1,000 Americans of all genders and ages across the United States. Read on to see how we conducted our survey and learn more about our individual findings, or jump to view our full infographic…”

The Internet equivalent of shouting “Fire!” in a crowded theater?
Hard Questions: Where Do We Draw The Line on Free Expression?
… While we’re not bound by international human rights laws that countries have signed on to, we are a member of a global initiative that offers internet companies a framework for applying human rights principles to our platforms. We look for guidance in documents like Article 19 of the International Covenant on Civil and Political Rights (ICCPR), which set standards for when it’s appropriate to place restrictions on freedom of expression. ICCPR maintains that everyone has the right to freedom of expression — and restrictions on this right are only allowed when they are “provided by law and are necessary for: (a) the respect of the rights or reputations of others; (b) for the protection of national security or of the public order, or of public health or morals.”
… Posts that contain a credible threat of violence are perhaps the most obvious instances where restricting speech is necessary to prevent harm.
… Hate speech too can constitute harm because it creates an environment of intimidation and exclusion and in some cases may have dangerous offline implications. It is perhaps one of the most challenging of our standards to enforce because determining whether something is hate speech is so dependent on the context in which it is shared.
… It’s important to note that whether or not a Facebook post is accurate is not itself a reason to block it.

Facebook Blocks Sharing Of 3D-Printed Gun Files On Its Platforms
… “Sharing instructions on how to print firearms using 3D printers is not allowed under our Community Standards,” Facebook said in a statement. “In line with our policies, we are removing this content from Facebook.”

Security Perspective.
Don't Fear the TSA Cutting Airport Security. Be Glad That They're Talking about It.
… We don't know enough to conclude whether this is a good idea, but it shouldn't be dismissed out of hand. We need to evaluate airport security based on concrete costs and benefits, and not continue to implement security theater based on fear. And we should applaud the agency's willingness to explore changes in the screening process.
… Over the years, I have written many essays critical of the TSA and airport security, in general. Most of it is security theater – measures that make us feel safer without improving security. For example, the liquids ban makes no sense as implemented, because there's no penalty for repeatedly trying to evade the scanners. The full-body scanners are terrible at detecting the explosive material PETN if it is well concealed – which is their whole point.
There are two basic kinds of terrorists. The amateurs will be deterred or detected by even basic security measures. The professionals will figure out how to evade even the most stringent measures. I've repeatedly said that the two things that have made flying safer since 9/11 are reinforcing the cockpit doors and persuading passengers that they need to fight back. Everything beyond that isn't worth it.

'Snapchat dysmorphia' is a disturbing new phenomenon where people want to look more like their filtered selfies
Instagram and Snapchat filters are the new celebrity photo, offering up unrealistic standards of beauty that might trigger people to feel unhappy with the way they look in real life.
That's according to three Boston University researchers, who published an article about body dysmorphia in the JAMA Facial Plastic Surgery medical journal this month. The article is not a study, but an overview of industry research and studies.

Free is good!
Roku is moving beyond its own platform by launching The Roku Channel on the web. This means you no longer need to own a Roku device to watch Roku’s free, ad-supported movie channel. Instead, you just need a web browser pointed at

Thursday, August 09, 2018

Too clever for their own good. “It’s a lot easier if we don’t bother with all that security stuff.”
Security Flaws On Comcast’s Login Page Exposed Customers’ Personal Information
Comcast Xfinity inadvertently exposed the partial home addresses and Social Security numbers of more than 26.5 million customers, according to security researcher Ryan Stevenson, who discovered the security flaws. Two previously unreported vulnerabilities in the high-speed internet service provider’s online customer portal made it easy for even an unsophisticated hacker to access this sensitive information.
After BuzzFeed News reported the findings to Comcast, the company patched the flaws.
… One of the flaws could be exploited by going to an “in-home authentication” page where customers can pay their bills without signing in. The portal asked customers to verify their account by choosing from one of four partial home addresses it suggested, if the device was (or seemed like it was) connected to the customer’s home network. If a hacker obtained a customer’s IP address and spoofed Comcast using an "X-forwarded-for" technique, they could repeatedly refresh this login page to reveal the customer’s location. That’s because each time the page refreshed, three addresses would change, while one address, the correct address, remained the same.
… In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast’s Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers’ Social Security numbers. Armed with just a customer’s billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer’s Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form.

The Terminator is a hacker!
IBM Demonstrates DeepLocker AI Malware at Black Hat
IBM will detail at Black Hat USA here on Aug. 8 a new class of attacks dubbed DeepLocker that uses artificial intelligence to bypass cyber-security protections.
With DeepLocker, IBM researchers will demonstrate an evasive attack vector that has been developed as a proof of concept. According to IBM, DeepLocker can be used to keep ransomware or other malware hidden from traditional security tools. IBM's goal with the presentation is not to promote fear about AI, but rather to help organizations start to think about how attackers can use AI and how to minimize risks.
"DeepLocker malware is fundamentally different from any other malware we are aware of. It uses AI to hide a malicious application in benign payloads," Marc Ph. Stoecklin, principal research scientist and manager of Cognitive Cybersecurity Intelligence at IBM Research, told eWEEK. "With AI, we can conceal and hide the condition of when the malicious payload is being unlocked, making it almost impossible to reverse-engineer."

We’re studying computer law this week.
From Hunton Andrews Kurth:
On August 3, 2018, California-based Unixiz Inc.(“Unixiz”) agreed to shut downits “i-Dressup” website pursuant to a consent order with the New Jersey Attorney General, which the company entered into to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the New Jersey Consumer Fraud Act. The consent order also requires Unixiz to pay a civil penalty of $98,618.
The charges stemmed from a 2016 data breach in which hackers compromised more than 2.2 million unencrypted usernames and passwords, including those associated with over 24,000 New Jersey residents’ accounts. The New Jersey Attorney General alleged that Unixiz had actual knowledge that the i-Dressup website (which allowed users to “dress, style and make-up animated characters in various outfits” and featured children’s games) had collected the personal information of over 10,000 children and failed to obtain verifiable parental consent for such collection, in violation of COPPA.

My students are amazed to learn I don’t own a SmartPhone.
Department of Homeland Security-funded research by Virginia-based security firm Kryptowire has allegedly discovered major security flaws in numerous phones, according to a report on cybersecurity site Fifth Domain.
According to the report, DHS Science and Technology Directorate program manager Vincent Sritapan said at the Black Hat conference in Las Vegas that the vulnerabilities have been discovered in phones carried by all four major carriers: Verizon, AT&T, T-Mobile, and Sprint. The exact nature of the vulnerabilities were not released, though they allegedly can take control of a targeted device:
The vulnerabilities are built into devices before a customer purchases the phone. Researchers said it is not clear if hackers have exploited the loophole yet.
Department of Homeland Security officials declined to say which manufacturers have the underlying vulnerabilities.
Millions of users in the U.S. are likely at risk, a source familiar with the research said, although the total number is not clear.

(Related) The world, she is a-changing! I can’t get back into the country without a laptop for TSA to browse, now I can’t get into a Broncos’ game without a SmartPhone!
Broncos switch to mobile-only tickets: 4 things you need to know
Anyone going to a game at Broncos Stadium at Mile High will need to use mobile entry to get into the game. The team said it made the change as a way to reduce counterfeiting and fraud, and to make it easier and quicker to enter the stadium.

There will be no paper tickets

Broncos 365 app

Single-game and season tickets will only be available in the Broncos 365 app which is available for Apple and Android devices. If you don’t have an Apple or Android device, you can use your smartphone’s browser to log into your account and access your tickets.

Parking passes need to be printed

The Broncos say that printed parking passes help police and parking attendants ensure smoother entry and exit from the parking lots.

Concept. Probably much easier than, but very similar in concept to finding bad guys in the Superbowl crowd.
This robot uses AI to find Waldo, thereby ruining Where’s Waldo

YouTube is about to pass Facebook as the second biggest website in US, according to new study
In the competition to be top website, Facebook may cede its runner-up position to YouTube in the next two to three months, according to a new study shared with CNBC by market research firm SimilarWeb.
The five websites receiving the most traffic in the U.S. in the last several years have been Google, Facebook, YouTube, Yahoo and Amazon, in that order. However, Facebook has seen a severe decline in monthly page visits, from 8.5 billion to 4.7 billion in the last two years, according to the study. Although Facebook's app traffic has grown, it is not enough to make up for that loss, the study said.
… The study projects that Amazon will take over Yahoo's ranking in the next two to three months.
However, none of the bottom four of the top five comes close to Google. Although it has seen some decline in website traffic thanks to app use and voice search, it saw approximately 15 billion visits in July 2018, the study said. The others were all below 5 billion, according to the report.

I may get to teach Excel this Quarter.
Meet the 15-year-old who's the Microsoft Excel world champion (which is a real thing)
… Yes, there is an annual championship that challenges competitors on their knowledge of Microsoft Office applications — and no, your self-proclaimed proficiency in Microsoft listed under the "special skills" section of your resume probably won't make the cut.
Students between ages 13 and 22 spend months — sometimes years — preparing for the championship, working their way up through placement tests, regional and national competitions in three Microsoft categories: Word, Excel and PowerPoint.

Wednesday, August 08, 2018

Pay me now or pay me later.
At $17 million, Atlanta network recovery six times more expensive than estimated
The SamSam ransomware attack on the city of Atlanta in March is probably one of the most expensive security incidents, with the recovery cost adding up to some $17 million of taxpayers’ money, according to a seven-page “confidential and privileged” report accessed by The Atlanta Constitution-Journal and Channel 2 Action News. City officials had already secured $6 million for the recovery project, while initial forecasts said it would cost about $3 million. Now, it seems, the project will cost an extra $11 million.
After years of repeated warnings from the city’s auditor about its security vulnerabilities and lack of disaster recovery plans, the city of Atlanta didn’t invest much effort in upgrading infrastructure security.
… After refusing to pay a $51,000 ransom in bitcoin following the breach, the city is now looking at a very expensive outlay that involves paying for improved security services, software upgrades, as well as purchasing new desktops, laptops, smart phones and tablets.
… When the Department of Transportation in Colorado was hit by ransomware, by comparison, the estimated recovery cost was $2 million.

Might be amusing to have my students “compare and contrast” the responses from the various players.
Apple responds to Congress' letter on data security and privacy
Apple has just responded to Congress' inquiry on how it protects user privacy.
The House Committee on Energy and Commerce last month sent letters to Apple CEO Tim Cook and Alphabet CEO Larry Page asking about the companies' data security and privacy practices. The five-page letter to Cook asked detailed questions about how Apple collected user data and what it used it for.
In a response Tuesday, Apple reiterated that it collects as little data as possible as a practice.

An interesting tool from Programmers You Might Know…
Last year, we launched an investigation into how Facebook’s People You May Know tool makes its creepily accurate recommendations. By November, we had it mostly figured out: Facebook has nearly limitless access to all the phone numbers, email addresses, home addresses, and social media handles most people on Earth have ever used. That, plus its deep mining of people’s messaging behavior on Android, means it can make surprisingly insightful observations about who you know in real life—even if it’s wrong about your desire to be “friends” with them on Facebook.
In order to help conduct this investigation, we built a tool to keep track of the people Facebook thinks you know. Called the PYMK Inspector, it captures every recommendation made to a user for however long they want to run the tool. It’s how one of us discovered Facebook had linked us with an unknown relative. In January, after hiring a third party to do a security review of the tool, we released it publicly on Github for users who wanted to study their own People You May Know recommendations.

Would this apply to any violent rally?
Subpoena for app called ‘Discord’ could unmask identities of Charlottesville white supremacists
… Discord, which was started in 2015 as a secure chat app for videogamers, also happened to be conducive for white supremacists, white nationalists, neo-Nazis and other members of the alt-right movement who sought to keep their identities secret.
… Attorneys for the counterprotesters have argued that these Discord messages and hundreds of others are central to proving that Unite the Right organizers “conspired to commit acts of violence, intimidation and harassment” against people in Charlottesville that weekend. The attorneys filed a subpoena for Discord, seeking to obtain the messages and account information of more than 30 anonymous users who appear to have participated in the Unite the Right rally.
But one anonymous woman, the one called “kristall.night,” filed suit seeking to quash the subpoena that could unmask her and dozens of other users. She claimed the counterprotesters were intentionally seeking to “out” her as a member of the alt-right movement, putting her in fear of her own safety. Revealing her identity, her attorney argued, would infringe on her First Amendment rights to engage in “anonymous speech” and to associate with a politically unpopular group.
On Monday, however, a magistrate in California disagreed.
U.S. Chief Magistrate Judge Joseph C. Spero declined to fully quash the Discord subpoena, finding that the plaintiffs’ interest in discovering her identity as a possible witness or co-conspirator behind the Unite the Right rally outweighed her right to speak anonymously on the Internet.
… Spero agreed to quash the portion of the subpoena seeking the contents of the messages, saying it violates the Stored Communications Act.

Perspective. Why would anyone decide to give up an audience? Is compliance that expensive? Perhaps this is an opportunity for someone to provide the tools for a nominal fee?
More than 1,000 U.S. news sites are still unavailable in Europe, two months after GDPR took effect
Websites had two years to get ready for the GDPR. But rather than comply, about a third of the 100 largest U.S. newspapers have instead chosen to block European visitors to their sites.
… The GDPR requires websites to obtain consent from users before collecting personal information, explain what data are being collected and why, and delete a user’s information if requested. Violating the GDPR can draw a hefty fine — as much as 4 percent of a company’s annual revenue.
Websites had two years to get ready for the GDPR. Rather than comply, about a third of the 100 largest U.S. newspapers have opted to block their sites in Europe. They include the Chicago Tribune, New York Daily News, Dallas Morning News, Newsday and The Virginian-Pilot.
… GateHouse and Tronc did not respond to requests for comment about the GDPR. Lee Enterprises has no plans to comply. Company spokesperson Charles Arms said Lee’s websites wouldn’t draw enough visitors from the more than 30 countries in the EU and the European Economic Area to justify compliance.
“Internet traffic on our local news sites originating from the EU and EEA is de minimis, and we believe blocking that traffic is in the best interest of our local media clients,” Arms said.
From a financial standpoint, that position is justified, according to Alan Mutter, who teaches media economics at the University of California at Berkeley. He said international web traffic might benefit The New York Times, Wall Street Journal and Washington Post but “ads served in Paris, Palermo, or Potsdam don’t help advertisers in Peoria.”
But being available in Europe can help customer relations. And about 16 million Americans visited Europe last year.
… “It is naive and wholly irresponsible to think that U.S. news holds no relevance beyond U.S. borders,” Toporoff said. “U.S. brands should be better at knowledge sharing with their European counterparts and learn how to serve audiences within the GDPR’s parameters. Not to do so is quite undemocratic.”

(Related) Perhaps EU readers are worth something after all?
This year Instapaper celebrated its tenth birthday and, now that we are an independent company, we’ve been thinking a lot about the next ten years of Instapaper and beyond.
To ensure Instapaper can continue for the foreseeable future, it’s essential that the product generates enough revenue to cover its costs. In order to do so, we’re relaunching Instapaper Premium today.
As a reminder, Instapaper Premium is a subscription for $2.99/month or $29.99/year
… Additionally, today we are bringing back Instapaper to European Union users. Over the past two months we have taken a number of actions to address the General Data Protection Regulation, and we are happy to announce our return to the European Union.
We are very sorry for the extended downtime and, as a token of our apology, we are giving six months of Instapaper Premium to all EU users affected by the outage.
We’ve updated our privacy policy to include the rights afforded to EU users under the General Data Protection Regulation (GDPR). Additionally, in the interest of transparency, we are posting our privacy policy to GitHub where you can view a versioned history of all the changes to our privacy policy.

(Related) Action from the beginning...
Onwards and Upwards: Our GDPR Journey and Looking Ahead
For the better part of the last two years, Imperva has laid the foundation for our compliance with the EU General Data Protection Regulation (GDPR). At roughly ninety pages with 173 recitals and 99 articles, it’s a massive regulation that fundamentally shifts the data privacy and data protection universe.

Tuesday, August 07, 2018

Targeting technology. The modern equivalent of WWI’s “third man on a match.” Apparently it only took that long for a sniper to target troops on a smoke break.
Pentagon bans use of geolocators on fitness trackers, smartphones
The Pentagon is banning deployed personnel from using fitness trackers, smartphones and potentially even dating apps that use geolocating features that could reveal the user's location.
The ban was announced in a Pentagon memorandum issued Friday and signed by Deputy Secretary of Defense Patrick Shanahan.
"Effective immediately, Defense Department personnel are prohibited from using geolocation features and functionality on government and non-government-issued devices, applications and services while in locations designated as operational areas," the policy memo said.

The new normal?
Campaigns on Their Own as Cyber Threats Roil Midterms
Kamala Harris has been the target of social media misinformation campaigns since she became a U.S. senator.
Every month for the last 18 months, her office has discovered on average between three and five fake Facebook profiles pretending to be hers, according to a Harris aide. It's unclear who creates the pages, which are often designed to mislead American voters about the ambitious Democratic senator's policies and positions.
The aide spoke on the condition of anonymity, like more than a half dozen campaign officials contacted for this story, for fear of attracting unwanted attention from adversaries or scrutiny on the Senate office's evolving cybersecurity protocols.
The Democratic National Committee has worked to strengthen its own internal security protocols and encouraged state parties to do the same, according to Raffi Krikorian, who previously worked for Uber and Twitter and now serves as the DNC's chief technology officer.
But in an interview, he acknowledged there are limits to how much the national party can protect the thousands of Democratic campaigns across the country.
"At the end of the day, the U.S. government is not putting any type of a bubble around any (campaign). They do not have the authority, capacity or capability to do it," said Shawn Henry, a former senior FBI official who now leads the cybersecurity firm CrowdStrike, which works with political campaigns. "NSA is not sitting in the ISPs filtering out malicious traffic."
Henry added: "They've got to take pro-active actions themselves."

(Related) Yet technology keeps moving.
West Virginia to introduce mobile phone voting for midterm elections
West Virginians serving overseas will be the first in the country to cast federal election ballots using a smartphone app, a move designed to make voting in November's election easier for troops living abroad. But election integrity and computer security experts expressed alarm at the prospect of voting by phone, and one went so far as to call it "a horrific idea."

Florida would be crazy not to ask if your children are crazy! Another example of distinguishing mental health from any other medical information.
From the road-to-Hell-has-been-traveled-too-frequently dept.
Carrie Seidman has a commentary on Florida law that all parents of Florida students should read, and parents in other states should take note of in case the same provision is proposed in their states. Seidman writes, in part:
Buried amid the school security measures swiftly passed by the Florida Legislature in the wake of the shootings last February at Marjorie Stoneman Douglas High School in Parkland is a mostly overlooked provision that requires parents or guardians registering a child for public school to disclose any mental health information in the prospective student’s past.
Sounds good, right? Having school officials made aware of a child dealing with mental health challenges means that the student and family can be connected to all available services, and school staff will be on alert to provide additional support. Who could argue with that?
As always, the devil lies in the details, which include everything from whether the person doing the registering will feel comfortable disclosing the information to how that sensitive information will be managed and shared. Those are questions that every school district in Florida is now grappling with.
Read more on Herald-Tribune. Seidman provides useful examples of how different districts are attempting to translate the requirement and so some are asking for very very detailed information, while others ask for less.
But should they be asking at all? Well, the law says they should, but the executive director of NAMI, quoted in the story, really captures the concerns about this type of provision. So let me highlight a few questions:
  1. Should districts be collecting this information or do families have the right to withhold health information about their child if they are not seeking accommodations for it or special services for it by the school district? Under the new Florida provisions, they seemingly no longer have the right to withhold health information of this kind. But where is the evidence to justify this mandated disclosure? Should there be a strict scrutiny standard? If not, what standard would be appropriate to justify a law that intrudes on privacy of sensitive information?
  2. If parents notify the school district, what responsibility under I.D.E.A. do school districts then incur to screen the student for the need for special education services?
  3. If parents notify the school district, what liability do school districts then incur if they do not provide mental health screening and services, and the student then acts out behaviorally?
In my experience, I know that many families — and many students — do NOT want the school district knowing about a diagnosis, if the diagnosed condition is stigmatizing. And many, if not most, psychiatric/psychological diagnoses are viewed that way by parents and students.
As always, in a rush to be reactive and kidding ourselves that we’re being proactive, the Florida legislature has enacted legislation that perhaps would best have not been enacted. And given how utterly horrible most school districts are at protecting student data, has the state of Florida just provided threat actors like TheDarkOverlord with just more low-hanging fruit to attack?

If it’s in the Wall Street Journal, it must be so?
Facebook to Banks: Give Us Your Data, We’ll Give You Our Users
The social-media giant has asked large U.S. banks to share detailed financial information about their customers, including card transactions and checking-account balances, as part of an effort to offer new services to users.
Facebook increasingly wants to be a platform where people buy and sell goods and services, besides connecting with friends. The company over the past year asked JPMorgan Chase & Co., Wells Fargo & Co., Citigroup Inc. and U.S. Bancorp to discuss potential offerings it could host for bank customers on Facebook Messenger, said people familiar with the matter.
Facebook has talked about a feature that would show its users their checking-account balances, the people said. It has also pitched fraud alerts, some of the people said.
… Banks face pressure to build relationships with big online platforms, which reach billions of users and drive a growing share of commerce. They also are trying to reach more users digitally. Many struggle to gain traction in mobile payments.
Yet banks are hesitant to hand too much control to third-party platforms such as Facebook. They prefer to keep customers on their own websites and apps.
As part of the proposed deals, Facebook asked banks for information about where its users are shopping with their debit and credit cards outside of purchases they make using Facebook Messenger, the people said.

(Related) A carefully worded denial. In order to provide the services customers are “opting in to” Facebook must have access to the data.
Facebook denies seeking users' bank data
Facebook has denied reports that it is actively asking banks for details of users' financial transactions.
… Facebook said some users opted in to accessing some financial information in its Messenger app.
… However, Facebook said that users must opt in to linking the Messenger chat app to their bank accounts.

I agree. How do we live with it?
AI Weapons Are Here to Stay
The debate around the ethics of AI weapons has involved everyone from advocacy groups, to government officials, to Google engineers. Many agree that AI weapons carry very significant ethical concerns. Which begs the question, will these concerns, and the efforts of anti-AI weapons advocacy groups, result in a ban of their use or a strong taboo? Some seem to think that an international agreement will be enough to stop their adoption in the world’s militaries. However, the development of a taboo around the use of AI weapons depends on something much more straightforward, their effectiveness on the battlefield.