Saturday, September 22, 2018

There are many ways to learn what should be done. Why is it still so common to find managers who don’t bother to check what they have done?
Eileen Yu reports:
Investigation into Singapore’s most severe cybersecurity breach has uncovered several poor security practices, including the use of weak administrative passwords and unpatched workstations.
The findings were revealed on the first day of hearings led by the Committee of Inquiry (COI), a team set up to probe a July 2018 security breach that compromised personal data of 1.5 million SingHealth patients. The incident also compromised outpatient medical data of 160,000 patients that visited the healthcare provider’s facilities, which included four public hospitals, nine polyclinics, and 42 clinical specialties.
Read more on ZDNet.

Is it really possible to ‘opt out’ of face scanning technology? Every face is scanned. They may ask for alternative identification, but if it does not agree with what the face scanner tells them, what will they do?
Ben Mutzabaugh reports:
Delta Air Lines is set to introduce what it’s calling the “first biometric terminal in the U.S.”
The carrier says it’s equipping the Atlanta airport’s international terminal (Terminal F) with face-scanning technology that will allow international passengers to use facial recognition technology “from curb to gate.” It also will be available to passengers flying nonstop from Atlanta on Delta partner airlines Aeromexico, Air France-KLM or Virgin Atlantic.
Delta says the biometric updates will fully roll out to the terminal “later this year,” though it adds the process will be “optional.”
“If customers do not want to participate, they just proceed normally, as they’ve always done, through the airport,” Delta says in a statement.
Read more on USA Today.

Useful in every course I teach.
One of the most overused expressions thrown around by wannabe “Wall Street Rambos” is business is war. But sometimes war tactics really can help in business.
Among these tactics is CARVER, a system for assessing and ranking threats and opportunities.
… It can be both offensive and defensive, meaning it can be used for identifying your competitors’ weaknesses and for internal auditing. In addition, many security experts consider it the definitive assessment tool for protecting critical assets. In fact, the U.S. Department of Homeland Security has recommended it as a preferred assessment methodology.

Will this stir a debate? Can we assume a free, uncensored Internet will be more useful than a carefully censored one?
Ex-Google CEO: Internet will split in two, with China controlling half
“I think the most likely scenario now is not a splintering, but rather a bifurcation into a Chinese-led internet and a non-Chinese internet led by America,” Schmidt told tech-heads at a private event in San Francisco on Wednesday, organized by investment firm Village Global VC.
Schmidt warned that a Chinese-controlled internet would be subject to the Chinese government's censorship.

(Related) Just to stir things up a bit.
Marc Randazza Is Fighting To Keep Nazis And Trolls On Twitter In The New Speech Wars. Here’s Why.

If companies are forced to provide backdoors, there will be a market for simple to use encryption software that can be controlled by individuals. Like PGP. Since I can write the code myself, what will “the five eyes” have to do to make me write a backdoor?
Five Eyes Want Access to Data from Tech Companies
The “Five Eyes”, the consortium of intelligence agencies from the predominant English-speaking countries, has put the tech industry on notice. The agencies are suggesting that major tech companies such as Google voluntarily build encryption-circumventing measures into their products to provide them with unlimited access to data, or they may eventually be forced to by law.

My students will design the software architecture for this.
Is Amazon Preparing to Disrupt Fast Food and Fast Casual?
… in a market where success is driven at least partly by speed, there's room for disruption. And that disruption may not come from the restaurant or convenience store sectors. Instead, it could come from Amazon.
The online retail leader has dipped a toe in these waters by launching a handful of cashierless convenience stores. Some of its early Amazon Go stores offer selections not unlike those of a 7-Eleven (albeit fresher) with prepared meals, sandwiches, and salads alongside a limited selection of groceries and snacks.
However, two Seattle-area Amazon Go locations carry only ready-made meals and snacks. That makes them less an upscale version of a convenience store, and more of a variation on the fast food/fast casual dining model – but with a self-serve, no-wait twist that offers an unprecedented level of ease for consumers.

(Related) Everything will change as new technology integrates. This is an inadequate model. Can we (my students and I) develop a better one?
How can the IoT transform the sports business?
The business of sports is continuously evolving – from fan expectations and venue operations to player insights and analytics. Having instant access to all the relevant information is crucial to winning, and the Internet of Things (IoT) is helping create a competitive advantage for owners, leagues and teams. Here are four ways that IoT is transforming sports via smart venue technology.

(Related) We’re putting a lot of faith in Jeff Bezos.
Amazon Is Invading Your Home With Micro-Convenience
The company’s new line of voice-automated products, including a wall clock and a microwave, could help it amass an enormous database of consumer behavior.

Something for my students to play with. And I’ll work it backwards to ensure I’m teaching the right (most marketable) skills.

Friday, September 21, 2018

It’s always good to have things gathered up for you. As long as you take the time to ensure you agree with the points they make.
FPF Releases Understanding Facial Detection, Characterization, and Recognition Technologies and Privacy Principles for Facial Recognition Technology in Commercial Applications
These resources will help businesses and policymakers better understand and evaluate the growing use of face-based biometric technology systems when used for consumer applications.

Facebook, the king maker?
Facebook to Give Less Direct Support to Trump in 2020 Campaign
Facebook Inc. said that for future presidential campaigns, it will pull back from the kind of on-site support it gave Donald Trump for his 2016 presidential race -- a relationship that came under scrutiny by Congress.
The company will still offer technical support and basic training to candidate campaigns and political advocacy organizations, but it won’t visit campaign headquarters with as much frequency or provide as much strategic support as it did for Trump ahead of the 2016 election. Instead, Facebook officials said they are working to improve the company’s political advertising website to give free advice to campaigns more broadly.
… Facebook told Congress it “offered identical support” to both campaigns. Trump’s campaign accepted, and Clinton’s didn’t.

If not fact based, what is their policy based on?
Facebook Is Reviewing its Policy on White Nationalism After Motherboard Investigation, Civil Rights Backlash
"Facebook ignores centuries of history, legal precedent, and expert scholarship that all establish that white nationalism and white separatism are white supremacy."
Facebook told Motherboard it’s currently reviewing its policies on white supremacy, white nationalism, and white separatism after a series of meetings with civil rights leaders, reporting by Motherboard on these policies, and a forceful letter from a civil rights group formed under the direction of President John F. Kennedy.
Leaked internal documents show that Facebook’s content moderators are explicitly instructed to allow “white separatism” and “white nationalism” on the platform, but note that “white supremacy” is banned. Facebook makes this distinction because it argues in those documents that white nationalism “doesn't seem to be always associated with racism (at least not explicitly.)”

Free Culture?
1500 US Museums offer free entrance on Museum Day
Smithsonian: “On Saturday, September 22, more than 1,500 museums will open their doors for free as part of Museum Day. Organized by Smithsonian magazine, the annual event includes free admission to museums and cultural institutions in all 50 states. Participating museums range from large, popular institutions like the Zoo Miami to quirky and fascinating specialty museums, like the National Barber Museum in Canal Winchester, Ohio. Visitors are allowed to download one ticket per email address, and each ticket provides free general admission for two people. Not sure which museum to choose? Here are ten can’t-miss museums for consideration…”
[Many in Denver, including the Counterterrorism Education Learning Lab (CELL).]

Streaming now accounts for 75 percent of music industry revenue
The Recording Industry Association of America released a report today that details how the music industry has grown in 2018, and while the data isn’t surprising — the world still isn’t buying records — the specific numbers are still fascinating. Turns out, streaming makes more money than physical CDs, digital downloads, and licensing deals combined.
Streaming in this context includes paid subscriptions to services such as Spotify and Tidal, but also radio broadcasts and video streaming services such as VEVO. It’s a broad category that nonetheless has made $3.4 billion dollars in 2018 so far, a total that amounts to 75 percent of overall revenue for the record industry.

I thought it was at least 90%. (Don’t listen to the hype, Bob.)
Report: Digital now makes up 51% of US ad spending
Ad sales up, especially digital. Magna says that “net advertising sales” will grow by 6.9 percent this year to reach $207 billion, which is “a new all-time high.” And, for the first time, digital ad revenues surpassed 50 percent of total ad spending in the US. The company said that digital ad revenue in 2018 will reach $106 billion, or 51.5 percent of total ad sales.
Digital advertising on mobile devices accounts for roughly two-thirds of all digital ad spending, representing a 30 percent growth rate year over year. Magna says that mobile now exceeds TV and is twice desktop ad revenue.

A reminder for my students.
Get Free Credit Freezes from Equifax, Experian, TransUnion Starting Sept. 21
Credit freezes at the three major credit-reporting bureaus will be free across the U.S. starting on Sept. 21 after a new federal law takes effect.

Thursday, September 20, 2018

This site is popular with geeks. (Includes a screenshot of the code used.)
NewEgg cracked in breach, hosted card-stealing code within its own checkout
The popular computer and electronics Web retailer NewEgg has apparently been hit by the same payment-data-stealing attackers who targeted TicketMaster UK and British Airways. The attackers, referred to by researchers as Magecart, managed to inject 15 lines of JavaScript into NewEgg's webstore checkout that forwarded credit card and other data to a server with a domain name that made it look like part of NewEgg's Web infrastructure. It appears that all Web transactions over the past month were affected by the breach.

This is the firm that lost all your data, remember?
Equifax slapped with UK’s maximum penalty over 2017 data breach
Credit rating giant Equifax has been issued with the maximum possible penalty by the UK’s data protection agency for last year’s massive data breach.
Albeit, the fine is only £500,000 because the loss of customer data occurred when the UK’s prior privacy regime was in force — rather than the tough new data protection law, brought in via the EU’s GDPR, which allows for maximum penalties of as much as 4% of a company’s global turnover for the most serious data failures.
So, again, Equifax has managed to dodge worse consequences over the 2017 breach, despite the hack resulting from its own internal process failings after it failed to patch a server that was known to be vulnerable for months — thereby giving hackers a soft-spot to attack and swipe data on 147 million consumers.
… Reporting the result of its investigation, the ICO said Equifax contravened five out of eight data protection principles of the Data Protection Act 1998 — including, failure to secure personal data; poor retention practices; and lack of legal basis for international transfers of UK citizens’ data.
“Equifax Ltd has received the highest fine possible under the 1998 legislation because of the number of victims, the type of data at risk and because it has no excuse for failing to adhere to its own policies and controls as well as the law,” said information commissioner Elizabeth Denham in a statement.

An EPIC “I told you so?”
The Drug Enforcement Agency has released to EPIC a new FOIA production about the AT&T “Hemisphere” program. Hemisphere is a massive call records database made available to government agents by the nation’s largest telecommunication company. AT&T discloses to the government billions of detailed customer phone records, including location data, without judicial review. The new release to EPIC reveals that both the FBI and CBP obtained access to these call detail records. EPIC filed suit against the DEA in 2013 after the agency failed to respond to EPIC’s FOIA request for information about the Hemisphere program. EPIC previously argued that the names of other agencies with access to Hemisphere records should be released. In June, the Supreme Court held in Carpenter v US that government access to location data is a search subject to Fourth Amendment review. EPIC filed an amicus brief in the Carpenter case.

This is another firm that has all your data. Allocating resources to politicians rather than finding solutions that work for everyone? Making a show of protecting elections without having to spend too much money.
Facebook Boosts Protections for Political Candidates
The social platform, which has taken various steps towards protecting elections from abuse and exploitation on its platform, including the takedown of fake pages and accounts involved in political influence campaigns, is now launching new tools to defend candidates and campaign staff.
… The new pilot program is open for candidates for federal or statewide office, as well as for staff members and representatives from federal and state political party committees, Facebook announced. The additional security protections can be added both to Pages and to accounts.
To apply for the program, Page admins should head to Once enrolled, they will be able to add others from their campaign or committee.

(Related) Not quite there yet.
Inside Facebook’s Election ‘War Room’
… an approximately 25-foot-by-35-foot conference room is under construction.
Thick cords of blue wiring hang from the ceiling, ready to be attached to window-size computer monitors on 16 desks. On one wall, a half-dozen televisions will be tuned to CNN, MSNBC, Fox News and other major networks. A small paper sign with orange lettering taped to the glass door describes what’s being built: “War Room.”
Although it is not much to look at now, as of next week the space will be Facebook’s headquarters for safeguarding elections. More than 300 people across the company are working on the initiative, but the War Room will house a team of about 20 focused on rooting out disinformation, monitoring false news and deleting fake accounts that may be trying to influence voters before elections in the United States, Brazil and other countries.

(Related) Politicians will demand better protection than what firms offer the hoi polloi. Are they suggesting that they have unprotected servers like Hillary Clinton’s?
Lawmaker: US Senate, Staff Targeted by State-Backed Hackers
Foreign government hackers continue to target the personal email accounts of U.S. senators and their aides — and the Senate’s security office has refused to defend them, a lawmaker says.
… the senator said the Office of the Sergeant at Arms, which oversees Senate security, informed legislators and staffers that it has no authority to help secure personal, rather than official, accounts.
“This must change,” Wyden wrote in the letter. “The November election grows ever closer, Russia continues its attacks on our democracy, and the Senate simply does not have the luxury of further delays.” A spokeswoman for the security office said it would have no comment.

Why does this headline read “plan to” rather than “already have?” Perhaps a business opportunity?
Sophie Meunier reports:
If you look someone up on Facebook or LinkedIn, you’ll be able to gather huge amounts of information about them without them ever knowing. Until recently, nobody seemed to think about the risks involved; it was just the way things were, and if you didn’t get on board, you were left out from a whole virtual world.
But thanks to the recent Facebook data scandal and the introduction of the EU GDPR (General Data Protection Regulation), more people seem to be thinking twice about giving their information away so readily.
A survey conducted by 3GEM and SAS in June 2018 found that 43% of respondents wanted to remove their personal data from social media.
Read more about their intentions on IT Governance.

For my Software Architects: How long should it take to patch a serious flaw in your software?
Password bypass flaw in Western Digital My Cloud drives puts data at risk
A security researcher has published details of a vulnerability in a popular cloud storage drive after the company failed to issue security patches for over a year.
Remco Vermeulen found a privilege escalation bug in Western Digital’s My Cloud devices, which he said allows an attacker to bypass the admin password on the drive, gaining “complete control” over the user’s data.
The exploit works because the drive’s web-based dashboard doesn’t properly check a user’s credentials before giving a possible attacker access to tools that should require higher levels of access.
The bug was “easy” to exploit, Vermeulen told TechCrunch in an email, and was remotely exploitable if a My Cloud device allows remote access over the internet — which thousands of devices do. He posted a proof-of-concept video on Twitter.
Details of the bug were also independently found by another security team, which released its own exploit code.
Vermeulen reported the bug over a year ago, in April 2017, but said the company stopped responding. Normally, security researchers give 90 days for a company to respond, in line with industry-accepted responsible disclosure guidelines.

Sic ‘em! If this is the public policy, what is the intelligence community allowed to do?
US military given more authority to launch preventative cyberattacks
The US military is taking a more aggressive stance against foreign government hackers who are targeting the US and is being granted more authority to launch preventative cyberstrikes, according to a summary of the Department of Defense's new Cyber Strategy.
The Pentagon is referring to the new stance as "defend forward," and the strategy will allow the US military "to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict."
The new military strategy, signed by Defense Secretary James Mattis, also emphasizes an intention to "build a more lethal force" of first-strike hackers.
… This new strategy provides a roadmap for the military to wipe out the enemy computer network in a friendly country, said Healey.
"It's extremely risky to be doing this," Healey told CNN on Tuesday. "If you loosen the rules of engagement, sometimes you're going to mess that up."
… However, under the new strategy, US offensive cyberattacks will not target civilian infrastructure, because the US must abide by a UN agreement that prohibits "damaging civilian critical infrastructure during peacetime."

(Related) Much less understood.
Shining a Light on Federal Law Enforcement’s Use of Computer Hacking Tools
… On Sept. 10, Privacy International (PI), the American Civil Liberties Union (ACLU), and the Civil Liberties & Transparency Clinic of the University at Buffalo School of Law (CLTC) filed a series of Freedom of Information Act (FOIA) requests seeking essential records about the use of such hacking tools by U.S. federal law enforcement agencies. The FOIA requests aim to uncover the basic rules governing the use of these techniques, information about how frequently they are used, and any internal investigations into potential misuse. Privacy International and its partners submitted the requests to seven federal law enforcement agencies as well as four Offices of Inspector General.
… As it stands, the public is largely in the dark about how the government perceives the rules that govern its use of these tools for law enforcement purposes. The Fourth Amendment generally requires warrants based upon a finding of probable cause before there is a search or seizure. But it is unclear whether and when law enforcement agencies regard hacking techniques as being subject to a warrant requirement, judicial authorization short of a warrant, or no prior authorization at all. Further, little is known about the internal rules that law enforcement agencies have adopted to regulate the deployment of hacking techniques.

This is still a choice, there are many other companies that do not require a tracker. What does this do for John Hancock?
It will no longer be possible to buy a life insurance policy from John Hancock – one of the largest insurers in the US – without agreeing to use an activity tracker. This can be either a wearable device like an Apple Watch or Fitbit, or a smartphone capable of logging activity, like an iPhone.
The firm announced the change today for new policies, with existing policies also adopting the requirement from next year …
Reuters reports that the company made the decision three years after making so-called ‘interactive’ policies optional.
… As Reuters notes, the move could have disturbing implications.
Privacy and consumer advocates have raised questions about whether insurers may eventually use data to select the most profitable customers, while hiking rates for those who do not participate.
The insurance industry says that the law means it can only hike premiums if it can show an increased risk, but it does raise the question of how far this type of approach could go. Will policyholders be penalised for walking through a sketchy area, logged by the GPS in their device? What about an activity tracker logging a strenuous hike as a risk factor? Or deciding that someone is cycling or skiing dangerously fast? This could be the beginning of an incredibly slippery slope.

Apple sold 43% of all phones priced above $400 globally in Q2, earned majority of handset profits
… Apple's 62 percent share of profits generated in Q2 was far ahead of Samsung's 17 percent, and was over three times the profit share of China's Huawei, OPPO, Vivo and Xiaomi put together. The remaining profits of more than 600 other handset brands amounted to less than 1 percent.
… Above $800, Counterpoint stated that Apple dominated with 88 percent of all sales being iPhones.

Apple Finishes Paying $15.3B in Back Taxes to Ireland, Prompting EU Regulators to Drop Lawsuit

Wednesday, September 19, 2018

Part “free journals for research,” part “looking for classified research?” i.e. Selling is not as interesting as their ability to gather the information in the first place.
Lisa Vaas reports:
Iranian hackers have reportedly breached top British universities – including Oxford and Cambridge – to steal what the Telegraph says are “millions” of papers and academic research documents that they then put up for sale via WhatsApp and websites.
The publication reported on Friday that much of the subject matter is bland, but some of the papers covered topics including nuclear development and computer encryption.
Whoever stole the papers is reportedly selling them on Farsi language websites in addition to the end-to-end encrypted WhatsApp messaging app, where they’re going for as little as £2 (USD $2.63).
Read more on Naked Security.

Failing the “Caesar’s wife” test? Would this ever be appropriate?
Simon Boazman & Jeremy Young report:
Long Beach, Southern California – Al Jazeera’s Investigative Unit has discovered that a self-deleting messaging app called Tiger Text has been adopted by at least one US police department, which may have used it to share sensitive and potentially incriminating information that they wouldn’t want to be disclosed to a court.
Current and former officers from the Long Beach Police Department in Southern California have told Al Jazeera that their police-issued phones had Tiger Text installed on them.
The Tiger Text app is designed to erase text messages after a set time period. Once the messages have been deleted, they cannot be retrieved – even through forensic analysis of the phone.
Read more on Al Jazeera.

Clearly one election to watch (along with Russian hackers).
Georgia's Use of Electronic Voting Machines Allowed for Midterms
Judge Amy Totenberg ruled Monday that the state of Georgia's existing plans for the midterm elections to be conducted via some 27,000 Diebold AccuVote DRE touchscreen voting machines must stand. Her remarks, however, suggest that this should be the last time.
Plaintiffs, comprising the Coalition for Good Governance and citizens of Georgia, had filed a Motion for Preliminary Injunction against the Secretary of State for Georgia, Brian Kemp, in an attempt to force a switch to paper-based voting in time for the November elections. The primary argument is that the direct-recording election (DRE) machines to be used cannot produce a paper-based audit trail to verify accurate elections.
This coupled with the exposure of the registration details of 6.7 million Georgia voters on an unprotected internet-facing database, repeated demonstrations that such voting machines can be hacked, federal government advice that audit trails are necessary, and the constitutional right for citizens to vote was the basis of the plaintiffs' argument.
The Secretary of State's response, while insisting that the machines are secure, was primarily focused on the cost, lack of time, and potential confusion that such a late switch could cause.

(Related) Voting is now social? (Perhaps not voting is anti-social.)
Instagram will promote mid-term voting with stickers, registration info
Facebook is getting ready to purposefully influence the U.S. mid-term elections after spending two years trying to safeguard against foreign interference. Instagram plans to run ads in Stories and feed powered by TurboVote that will target all US users over 18 and point them towards information on how to get properly registered and abide by voting rules. Then when election day arrives, users will be able to add an “I Voted” sticker to their photos and videos that link to voting info like which polling place to go to.

Follow the law, expose yourself to lawsuits? Spoiler: NO!
Alex M. Pearce of Ellis & Winters LLP writes:
… When a business suffers a data breach, state laws require the business to send a notice to affected individuals. Those laws typically prescribe the contents of the required notice—sometimes in detail. North Carolina’s data breach notification statute, for instance, requires the notice to include “[a]dvice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.”
An interesting new decision from a federal court in California called Brett v. Brooks Brothers examines how this advice—which one might read as tacitly acknowledging that breaches create a risk of future fraud and identity theft—can affect a court’s standing analysis.
Read more on Lexology.

Perspective. A new record!
Visa, Mastercard Face Next Fight After $6.2 Billion Settlement
In the largest-ever class-action settlement of a U.S. antitrust case, Visa Inc. and Mastercard Inc. agreed to pay between $5.54 billion and $6.24 billion to a class of more than 12 million merchants who accept the payment networks’ cards, according to a regulatory filing on Tuesday. The total is in line with sums the companies previously set aside to cover the costs of the litigation.
But retailers are gearing up for the next round in their fight with the world’s biggest payment networks. Tuesday’s settlement addresses only monetary damages associated with the lawsuit. There’s a separate class of merchants fighting for changes to Visa and Mastercard’s business practices.

(Related) On the other hand…
Yahoo settles for $47 million in litigation following data breach of 3 billion accounts
Everyone remembers the Yahoo breach — it was simply historical and created mass hysteria at the time. The company ultimately confirmed in late 2017 that, following an alleged state-sponsored attack, all user accounts had been breached – that is 3 billion users. If you can’t really put your finger on what that number means, 3 billion was the world population in 1959.
… “We are also pleased to announce today that we have reached an agreement in principle (subject to court approval) to settle the consumer class action litigation related to the Yahoo data breach,” reads the letter. “We have also received final court approval of the securities class action settlement, and we have negotiated an agreement to settle the shareholder derivative litigation (subject to court approval). We estimate that the Company will incur an incremental net $47 million in litigation settlement expenses to resolve all three cases. Together, these developments mark a significant milestone in cleaning up our contingent liabilities related to the Yahoo data breach.”

Perspective. I don’t think of Amazon as an advertising giant. Clearly, I should.
Amazon becoming 3rd-biggest digital ad platform
Amazon’s ad business will bring in $4.61 billion this year, according to a new eMarketer study, up a whopping 60% from the projection of $2.89 billion in March.
Why it matters: The new projection puts Amazon ahead of Microsoft in its share of the U.S. digital ad market. While it's still a distant third behind Google and Facebook, Amazon's share is growing so fast that some analysts argue it could one day catch up with those leaders.

Sometimes, my classroom.

Tuesday, September 18, 2018

And my students wonder why I don’t have a cellphone.
Report – Almost half of US cellphone calls will be scams by next year
Cision Newswire: “First Orion, a leading provider of phone call and data transparency solutions, today announced their inaugural 2018 Scam Call Trends and Projections Report, detailing the need for new, adaptive technologies to combat the exponential increase in scam calls. First Orion powers call protection solutions to tens of millions of mobile subscribers in the U.S. market and has carefully analyzed over 50 billion calls made to these customers over the past 18 months. By combining specific call patterns and behaviors with other phone number attributes, First Orion now predicts that nearly half of all calls to mobile phones will be fraudulent in 2019 unless the industry adopts and implements more effective call protection solutions. To combat this rapidly growing epidemic, First Orion will fully deploy its groundbreaking, in-network technology known as CallPrinting™—which quickly and accurately identifies new scam techniques and thwarts fraudulent calls—into a Tier-One U.S. carrier’s network this fall where the company projects it will significantly mitigate the volume of scam traffic beginning in the 4th quarter of 2018. Over the past year, First Orion’s data shows a drastic increase in mobile scam calls—from 3.7% of total calls in 2017 to 29.2% in 2018—and that number is projected to reach 44.6% by early 2019…”

Automated policing…
Artificial Intelligence and Policing: Hints in the Carpenter Decision
Joh, Elizabeth E., Artificial Intelligence and Policing: Hints in the Carpenter Decision (August 24, 2018). __ Ohio State Journal of Criminal Law __, 2018. Available at SSRN:
“In the 2018 Carpenter case, Chief Justice Roberts focuses on the quality of the information sought by the police as a means of deciding the case in Carpenter’s favor. Less obviously, however, the majority opinion also stresses the nature of the policing involved in Carpenter’s case: new technologies that do not just enhance human abilities. The majority makes no explicit claims about this focus. But the Carpenter decision reveals the Supreme Court’s first set of views on how it might evaluate police use of artificial intelligence. That contention, and the questions it raises, form the subject of this essay.”
[From the article:
In these ways the tools of artificial intelligence are changing the nature of policing itself.
Another way to think of this development is that policing is becoming increasingly automated.
… today the increasing interest in social network analysis, locational predictive policing, and threat analysis means that even the task of assessing suspicious behavior is subject to automation as well.
In finding that we possess Fourth Amendment protections in locational data even when recorded by third parties, the Court chose to describe the data collection technique in Carpenter as superhuman, passive, and automated. This is noteworthy: these descriptions also characterize the very technologies of artificial intelligence that are becoming more commonplace in policing.]

UK Serious Fraud Office trialling AI for data-heavy cases
naked security – sophos: “The BBC says it looks like a kids’ digital game: a mass of blue and green rubber balls bounce around the screen like they’re on elastic bands in a galaxy of paddle balls. It’s no game, however. It is a new artificial intelligence (AI) tool that connects, and then visualizes, the parties and their interactions in a complex fraud inquiry. The UK’s Serious Fraud Office (SFO) recently gave the BBC a look at the system, called OpenText Axcelerate, which staff have been training on Enron: a massive corporate fraud case from 2001 that’s no longer actively being investigated. The lines between the colored balls represent links between two people involved in the fraud inquiry, including the emails they sent and received, the people they carbon-copied, and the more discreet messages in which nobody was cc’ed. SFO investigator Edgar Pacevicius told the BBC that a major advantage of the AI is that it can spot connections between individuals far more quickly than humans can. It’s designed to help investigators keep track of all the parties involved in a given, wide-scale fraud, with all their communications, along with individuals’ interactions with each other. The tool also groups documents with similar content, and it can pick out phrases and word forms that might be significant to an investigation…”

This should be useful.
LII Announces U.S. Constitution Annotated
U.S. Constitution Annotated – “This edition of the Congressional Research Service’s U.S. Constitution Annotated is a hypertext interpretation of the CRS text, updated to the currently published version. It links to Supreme Court opinions, the U.S. Code, and the Code of Federal Regulations, as well as enhancing navigation through search, breadcrumbs, linked footnotes and tables of contents… The content of the U.S. Constitution Annotated was prepared by the Congressional Research Service (CRS) at the Library of Congress, and published electronically in plaintext and PDF by the Government Printing Office. Dating back to 1911, the initial online annotations were published in 1992. This edition is a hypertext interpretation of the CRS text, updated to the currently published version. It links to Supreme Court opinions, the U.S. Code, and the Code of Federal Regulations, as well as enhancing navigation through linked footnotes and tables of contents. LII is grateful to Professor William Arms and the CS 5150 “Save the Constitution” team: Anusha Chowdhury, Garima Kapila, Tairy Davey, Brendan Rappazzo, and Max Anderson for their work on the project. Special thanks go to Josh Tauberer of GovTrack and Daniel Schuman of Demand Progress for their help with the data.”

I suppose that’s one way to save on your Christmas shopping.
A man is wanted by police after being filmed sending his daughter inside a BarBerCut Lite cabinet, where she was able to get her tiny hands on some prizes and retrieve them before the pair (and another child, believed to be the man’s son) left the scene.
… You can see footage of the incident, uploaded and modified by the Salem PD, below:

For my students.

Student researchers should look at these too.
10 Investigative Tools You Probably Haven’t Heard Of
Global Investigative Journalism Network: “Investigations, the saying goes, are just regular stories with a lot more labor put in. Investigative reporters spend inordinate amounts of time sifting through documents, verifying sources and analyzing data — and that’s if they can even get the data. As an investigative reporter with way too many stories I want to do, these are the tools I use to keep up with sources, stories and leads at a rapid rate. Let’s take a look at 10 of the best new tools for unearthing, accelerating, and keeping track of investigations…”

Monday, September 17, 2018

This is a new one.
Your Social Security Number isn’t suspended. Ever. “A caller says that he’s from the government and your Social Security Number (SSN) has been suspended. He sounds very professional. So you should do exactly what he says to fix things…right? Wrong. The FTC has gotten reports about scammers trying to trick people out of their personal information by telling them that they need to “reactivate” their supposedly “suspended” SSNs. The scammers say the SSN was suspended because of some connection to fraud or other criminal activity. They say to call a number to clear it up – where they’ll ask you for personal information. Thing is, Social Security Numbers do not get suspended. This is just a variation of a government imposter scam that’s after your SSN, bank account number, or other personal information. In this variation of the scheme, the caller pretends to be protecting you from a scam while he’s trying to lure you into one. … If someone has tried to steal your personal information by pretending to be from the government, report it to the FTC.”

I suspect this process is too labor intensive for social media. Automating the process isn’t easy either.
Satellite Images and Shadow Analysis: How The Times Verifies Eyewitness Videos
The New York Times (Understanding the Times): Visual investigations based on social media posts require a mix of traditional journalistic diligence and cutting-edge internet skills.
“Visual investigations based on social media posts require a mix of traditional journalistic diligence and cutting-edge internet skills. In an effort to shed more light on how we work, The Times is running a series of short posts explaining some of our journalistic practices. Read more of this series here. Was a video of a chemical attack really filmed in Syria? What time of day did an airstrike happen? Which military unit was involved in a shooting in Afghanistan? Is this dramatic image of glowing clouds really showing wildfires in California? These are some of the questions the video team at The New York Times has to answer when reviewing raw eyewitness videos, often posted to social media. It can be a highly challenging process, as misinformation shared through digital social networks is a serious problem for a modern-day newsroom. Visual information in the digital age is easy to manipulate, and even easier to spread. What is thus required for conducting visual investigations based on social media content is a mix of traditional journalistic diligence and cutting-edge internet skills, as can be seen in our recent investigation into the chemical attack in Douma, Syria. The following provides some insight into our video verification process. It is not a comprehensive overview, but highlights some of our most trusted techniques and tools…”

Extend this to an online site with updates sent as new legislation is created, debated and approved.
50-state survey of social media privacy legislation
“Social media and related issues in the workplace can be a headache for employers. Seyfarth Shaw LLP’s Social Media Practice Group is pleased to provide you with an easy-to-use guide to social media privacy legislation and what employers need to know. The Social Media Privacy Legislation Desktop Reference 2017-2018:
  • Describes the content and purpose of the various states’ social media privacy laws.
  • Delivers a detailed state-by-state description of each law, listing a general overview, what is prohibited, what is allowed, the remedies for violations, and special notes for each state.
  • Provides an easy-to-use chart listing the states that have enacted social media privacy laws and the features of the law in all such states.
  • Offers our thoughts on the implications of this legislation in other areas, including trade secret misappropriation, bring your own device issues and concerns, social media discovery and evidence considerations, and use of social media in internal investigations.”

This is a common story. “Belief” overriding “science.”
Hard Words: Why aren’t kids being taught to read?
American Public Media Reports – “…The basic assumption that underlies typical reading instruction in many schools is that learning to read is a natural process, much like learning to talk. But decades of scientific research has revealed that reading doesn’t come naturally. The human brain isn’t wired to read. Kids must be explicitly taught how to connect sounds with letters — phonics. “There are thousands of studies,” said Louisa Moats, an education consultant and researcher who has been teaching and studying reading since the 1970s. “This is the most studied aspect of human learning.” But this research hasn’t made its way into many elementary school classrooms. The prevailing approaches to reading instruction in American schools are inconsistent with basic things scientists have discovered about how children learn to read. Many educators don’t know the science, and in some cases actively resist it. The resistance is the result of beliefs about reading that have been deeply held in the educational establishment for decades, even though those beliefs have been proven wrong by scientists over and over again. Most teachers nationwide are not being taught reading science in their teacher preparation programs because many deans and faculty in colleges of education either don’t know the science or dismiss it. As a result of their intransigence, millions of kids have been set up to fail….” [includes a Podcast]

'The Digital Revolution Has Introduced New Addictions.' Fortnite Is Being Cited in Divorce Cases
Fortnite apparently is not just a video game phenomenon. It seems it’s also a relationship killer.
According to Divorce Online, a U.K.-based “online divorce website”, the video game Fortnite: Battle Royale has been cited in at least 200 divorce petitions filed through the site since January. That’s about 5% of the divorce petitions the website received in the same period.
… In July, the free-to-access game passed the billion-dollar threshold through in-game sales alone, and some colleges are even starting to offer scholarships to top players.

The same story from two perspectives.
The Robot Takeover Is Coming: Machines Will Do Half Our Work by 2025
Machines and automated software will be handling fully half of all workplace tasks within seven years, a new report from the World Economic Forum forecasts.

A.I. and robotics will create almost 60 million more jobs than they destroy by 2022, report says
Machines will overtake humans in terms of performing more tasks at the workplace by 2025 — but there could still be 58 million net new jobs created in the next five years, the World Economic Forum (WEF) said in a report on Monday.
Developments in automation technologies and artificial intelligence could see 75 million jobs displaced, according to the WEF report "The Future of Jobs 2018." However, another 133 million new roles may emerge as companies shake up their division of labor between humans and machines, translating to 58 million net new jobs being created by 2022, it said.

How Donald Trump learned that it is okay to lie as long as the lies are believed by voters?
Al Gore's claim about Hurricane Florence doused by scientists
Another climate-change claim by former Vice President Al Gore is coming under fire, this one involving Hurricane Florence.
Mr. Gore said Friday that two major storms from the Atlantic and Pacific oceans had never made landfall at the same time, referring to Hurricane Florence, the Category 1 hurricane that struck North Carolina on Friday, and Super Typhoon Mangkhut, which hit the Philippines early Saturday.
… “Al Gore just (fraudulently) claimed without any evidence that we’ve never had hurricanes in both the Atlantic and Pacific making landfall at the same time,” tweeted Mr. Maue, an adjunct scholar at the free-market Cato Institute.
University of Colorado Boulder meteorologist Roger A. Pielke Sr. also took issue with the claim by Mr. Gore, known for his 2006 climate-change film, An Inconvenient Truth, and the 2017 follow-up, An Inconvenient Sequel.
… Numerous articles and even books have been written fact-checking and challenging Mr. Gore’s climate predictions and pronouncements, including meteorologist Roy Spencer’s An Inconvenient Deception, and “Al Gore’s Science Fiction: A Skeptic’s Guide to an Inconvenient Truth,” a 154-page paper by the Competitive Enterprise Institute’s Marlo Lewis Jr.

In 601 days, President Trump has made 5,001 false or misleading claims

FEMA to test 'Presidential Alert' system next week
… Next Thursday, the Federal Emergency Management Agency will do its first test of a system that allows the president to send a message to most U.S. cellphones.
More than 100 mobile carriers, including all the major wireless firms, are participating in the roll out, FEMA stated in a message on its website posted Thursday.
"The EAS [Emergency Alert System] is a national public warning system that provides the President with the communications capability to address the nation during a national emergency," FEMA said.
… Users whose phones are on will twice hear a tone and vibration and then see an English-only (for now) message: "THIS IS A TEST of the National Wireless Emergency Alert System. No action is needed."
… The test is supposed to take place at 2:18 p.m. EDT on Sept. 20. Under the Warning, Alert, and Response Network (WARN) Act of 2006, cellphone users cannot opt out of the presidential alerts.

Sunday, September 16, 2018

Why “error handling” is part of the security checklist.
A new CSS-based web attack will crash and restart your iPhone
Sabri Haddouche tweeted a proof-of-concept webpage with just 15 lines of code which, if visited, will crash and restart an iPhone or iPad. Those on macOS may also see Safari freeze when opening the link.
The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use, Haddouche told TechCrunch. He explained that by nesting a ton of elements — such as <div> tags — inside a backdrop filter property in CSS, you can use up all of the device’s resources and cause a kernel panic, which shuts down and restarts the operating system to prevent damage.
“Anything that renders HTML on iOS is affected,” he said. That means anyone sending you a link on Facebook or Twitter, or if any webpage you visit includes the code, or anyone sending you an email, he warned.

Someone should tell the FBI because this will allow them to grab the encryption key on laptops.
F-Secure Says Almost All Computers Are Vulnerable to New Cold Boot Attack
According to security firm F-Secure, almost every computer is vulnerable to this type of attack.
At the heart of this attack is the way computers manage RAM via firmware. Cold boot attacks aren’t new — the first ones came along in 2008. Back then, security researchers realized you could hard reboot a machine and siphon off a bit of data from the RAM. This could include sensitive information like encryption keys and personal documents that were open before the device rebooted. In the last few years, computers have been hardened against this kind of attack by ensuring RAM is cleared faster. For example, restoring power to a powered-down machine will erase the contents of RAM.
The new attack can get around the cold boot safeguards because it’s not off — it’s just asleep. F-Secure’s Olle Segerdahl and Pasi Saarinen found a way to rewrite the non-volatile memory chip that contains the security settings, thus disabling memory overwriting. After that, the attacker can boot from an external device to read the contents of the system’s RAM from before the device went to sleep.
Rather than letting computers go to sleep, F-Secure recommends using hibernation. Hibernation will clear encryption keys from RAM, but other files could still be at risk. Shutting your computer all the way off is still the best defense.

Should make for some interesting arguments.
New York sues U.S. to stop fintech bank charters
New York state’s top banking regulator on Friday sued the federal government to void its decision to award national bank charters to online lenders and payment companies, saying it was unconstitutional and put vulnerable consumers at risk.
… She said New York could best regulate those markets, but the OCC decision left consumers “at great risk of exploitation” by weakening oversight of predatory lending, allowing the creation of more “too big to fail” institutions, and undermining the ability of local banks to compete.
… OCC spokesman Bryan Hubbard said in an email that the regulator, part of the U.S. Department of Treasury, would vigorously defend its authority to grant national charters to qualified companies “engaged in the business of banking.”
Vullo’s complaint joins a slew of litigation from regulators in Democratic-controlled or -leaning states challenging Trump administration policies.
It seeks a declaration that the OCC exceeded its authority under the National Bank Act and violated the Constitution’s 10th Amendment by usurping state powers.