Saturday, September 29, 2018

Much more significant than that 50 million number suggests.
An estimated 50 million Facebook user profiles were affected by a security breach, the company confirmed in a blog post today. The breach could have allowed attackers to take over the accounts of affected users, as well as login into a vast number of external sites using Facebook’s single sign-on feature. The full extent of the attack, however, remains unknown.
The breach, which the company says it discovered on Tuesday, “exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else.”
… The vulnerability allowing the exploit, according to Facebook, “stemmed from a change we made to our video uploading feature in July 2017.”

(Related) Noticing that something unusual is happening is a sign of good management and by extension, good security.
Facebook says it detected security breach after traffic spike
An unusual traffic spike is what alerted Facebook engineers that something might be wrong, and it was an investigation into this heightened activity that led engineers to discover a massive security breach this week.
… The access token harvesting operation triggered the massive traffic spike on Facebook servers. Sifting through the traffic, Facebook engineers realized what was happening on September 26, and rushed to put together a patch for the vulnerability last night, on September 27, before going public with their findings this morning.
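The detection described above (an unusual traffic spike, noticed by watching the servers) is the kind of thing a defender can automate. The block below is an added example and is not Facebook's code; it compares each minute's request count per endpoint against the median of the preceding minutes and flags a sudden jump. The log format, the `/api/token` endpoint name and the log lines themselves are constructed for illustration.

```python
"""Added example, not code from the original page: per-endpoint traffic spike
detection over constructed web-server style log lines."""
import re
import statistics
from collections import defaultdict, Counter
from datetime import datetime

# Assumed log format: "<ISO timestamp> <METHOD> <path> <status>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$')


def parse_line(line):
    """Return (minute, path, status) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%S')
    return ts.replace(second=0), m['path'], int(m['status'])


def minute_counts(lines):
    """Map each path to a Counter of requests per minute, skipping unparseable lines."""
    counts = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            minute, path, _ = parsed
            counts[path][minute] += 1
    return counts


def find_spikes(lines, factor=5.0, min_baseline_minutes=3):
    """Return [(path, minute, count, baseline_median)] for every minute whose
    request count for a path exceeds factor * median of that path's earlier
    minutes. A baseline of at least min_baseline_minutes is required so the
    first few minutes of data do not produce alerts on their own."""
    alerts = []
    for path, per_min in minute_counts(lines).items():
        history = []
        for minute in sorted(per_min):
            n = per_min[minute]
            if len(history) >= min_baseline_minutes:
                baseline = statistics.median(history)
                if n > factor * max(baseline, 1):
                    alerts.append((path, minute, n, baseline))
            history.append(n)
    return alerts


def _constructed_log():
    """Constructed sample: steady traffic for seven minutes, except that the
    hypothetical token endpoint jumps from 10 to 200 requests in the last minute."""
    lines = []
    for minute in range(7):
        token_n = 200 if minute == 6 else 10
        for i in range(token_n):
            lines.append(f'2018-09-26T10:{minute:02d}:{i % 60:02d} GET /api/token 200')
        for i in range(20):
            lines.append(f'2018-09-26T10:{minute:02d}:{i:02d} GET /home 200')
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == '__main__':
    for path, minute, n, baseline in find_spikes(SAMPLE_LOG):
        print(f'{minute:%H:%M} {path}: {n} requests (baseline median {baseline})')
```

The threshold here is a simple multiple of the median rather than a standard-deviation test so that one earlier spike does not inflate the baseline; in practice the alert would also carry the status-code mix and client distribution for the offending minute, since a token-harvesting run tends to look different from an organic surge on those axes as well.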

Facebook Data Breach – What To Do Next
… If you’ve been affected by the breach, Facebook logged you out of your account yesterday.
… However, an important thing to note: If you were logged out, you weren’t necessarily breached. Facebook has also logged out everyone who used the ‘View As’ feature since the vulnerability was introduced as a “precautionary measure”. The social network says this will require another 40 million people or more to log back into their accounts, adding: “We do not currently have any evidence that suggests these accounts have been compromised.”
… It believes it has fixed the security vulnerability, which enabled hackers to exploit a weakness in Facebook’s code to access the ‘View As’ privacy tool that allows users to see how their profile looks to other people.
Attackers would then be able to steal the access tokens that allow people to stay logged into their accounts. Then, Facebook admits, they could use these to take over people’s profiles.
… it can be hard to know what you’ve logged into using your account. This information can be found in your settings. First, go to ‘apps and websites’, then ‘logged in using Facebook’.
Does this breach come under GDPR?
Many of the 50 million customers breached will reside in Europe, so their data does fall under the EU general update to data protection regulation (GDPR). We don’t know exactly what information has been impacted - fines are applicable for sensitive and personal data such as credit card details, which Facebook initially said has not been affected. However, if attackers have accessed personal messages, all kinds of sensitive information could have been breached.

Earlier today, Facebook announced to the public that a series of vulnerabilities had allowed hackers access to an estimated 50 million user profiles. The company now faces its first class-action lawsuit over its apparent inability to protect this data, likely the first of many such suits to come if the legal fallout after the Cambridge Analytica scandal serves as any indicator.
Carla Echavarrai and Derrick Walker—both average Facebook users by their descriptions in the suit, filed today in California’s Northern District Court—accuse the social network of violating its home state’s unfair competition law, negligence, and of concealing its “grossly inadequate” security measures.
… Read the full suit below:

Very smart organizations can still fall for a good bit of social engineering.
What Happened? On August 27, 2018, personal information of 73 residents of Washington was acquired by unauthorized persons from computer systems maintained by attorney Matt Rovner in Seattle, Washington. The information was acquired when administrative access to the systems was provided to persons fraudulently pretending to be a computer support services firm.
What Information Was Involved? The personal information was principally from records of Social Security disability matters and included names and Social Security numbers and medical records of 6 individuals in records dating from October 2009 through June 2010, January 2013, and March 2017. In most cases no contact information is available for the individuals.
What We Are Doing. Access to the systems was shut off within 40 minutes when the fraud was discovered and the systems were reviewed to determine the scope of the access and ensure no unauthorized software or access channels remained. Reports were filed with the Federal Bureau of Investigation. The systems have since been shut down.
… For more information about this breach e-mail Matt Rovner at
Posted Seattle Times – September 26, 2018

How “normal” can this be if this is the only place in the US where DHS is doing this?
More security theatre? Or more opportunity to try to surveil law-abiding citizens? What is going on?
Lauren Hernandez reports:
Uniformed Department of Homeland Security officers seen patrolling BART trains and stations this week are members of a Transportation Security Administration team, according to BART and Department of Homeland Security officials.
Photos posted to social media, including a tweet by Janice Li, a San Francisco resident running for the Bay Area Rapid Transit Board of Directors, show a line of at least eight armed, uniformed DHS officials walking in the aisle among seated passengers on a train bound for the Civic Center BART station in San Francisco.
Read more on San Francisco Chronicle.

There is nothing in the TribLive article to explain why “taxpayers” would pick up the tab for a political group. Perhaps they are all Democrats?
Deb Erdley reports:
Pay now, or pay later.
Leaders of the Pennsylvania Senate Democratic Caucus faced those options when hackers infected their computer system in March 2017, holding it hostage with ransomware.
Officials at the Westmoreland County Housing Authority faced the same dilemma when hackers held their computers and phones hostage in July. The Housing Authority paid a ransom of $6,500 through a single Bitcoin, a digital currency that allows users to exchange money anonymously over the internet.
Senate Democrats balked at a demand for 28 Bitcoin — valued at just over $30,000 when the lockout began — and adhered to the FBI’s advice against paying ransom.
Instead, state records released to the Tribune-Review through a Right-to-Know request revealed taxpayers underwrote the $703,697 Microsoft charged to rebuild and enhance the system.
Read more on TribLive.

How would an individual know his thermostat is not in compliance?
California just became the first state with an Internet of Things cybersecurity law
California Governor Jerry Brown has signed a cybersecurity law covering “smart” devices, making California the first state with such a law. The bill, SB-327, was introduced last year and passed the state senate in late August.
Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess.
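The two acceptable options the bill spells out for a password-protected device reachable from outside the local network (a unique password per device, or forcing the user to set one on first use) can be expressed as a provisioning-time check. The block below is an added example, not the text of SB-327 and not any vendor's code; the configuration keys, the list of common default credentials and the sample thermostat record are assumptions made for illustration, and the check covers only the password clause, not the bill's broader "reasonable security features" requirement.

```python
"""Added example, not code from the original page: a provisioning check modelled
on SB-327's password clause, plus a per-device password generator."""
import secrets
import string

# Assumed list of widely shipped default credentials (illustrative, not exhaustive).
COMMON_DEFAULTS = {'admin', 'password', '1234', '12345', '123456', 'root', 'default', ''}


def is_unique_device_password(password, serial):
    """Reject missing, short or well-known default passwords, and passwords
    trivially derived from the device serial number (a common 'unique' shortcut)."""
    if password is None:
        return False
    pw = password.lower()
    if pw in COMMON_DEFAULTS or len(pw) < 8:
        return False
    if serial and serial.lower() in pw:
        return False
    return True


def sb327_compliant(device):
    """device: dict with the assumed keys reachable_beyond_lan, auth_method,
    password (None if unset), serial and force_password_on_first_use.
    Returns True when the password clause is satisfied or does not apply."""
    if not device.get('reachable_beyond_lan', False):
        return True  # clause applies only to devices reachable outside the LAN
    if device.get('auth_method') != 'password':
        return True  # non-password authentication is outside this clause
    if device.get('force_password_on_first_use'):
        return True  # option 2: user must set a password at first connection
    # option 1: the factory-set password must be unique to this device
    return is_unique_device_password(device.get('password'), device.get('serial', ''))


def generate_device_password(serial, length=16):
    """Factory-side per-device password from a CSPRNG; retried (practically never
    needed) until it passes the same check applied at provisioning."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = ''.join(secrets.choice(alphabet) for _ in range(length))
        if is_unique_device_password(pw, serial):
            return pw


# Constructed sample record for a hypothetical remotely reachable thermostat.
CONSTRUCTED_THERMOSTAT = {
    'reachable_beyond_lan': True,
    'auth_method': 'password',
    'password': 'admin',
    'serial': 'TH-0001',
    'force_password_on_first_use': False,
}

if __name__ == '__main__':
    print('as shipped:', sb327_compliant(CONSTRUCTED_THERMOSTAT))
    fixed = dict(CONSTRUCTED_THERMOSTAT, password=generate_device_password('TH-0001'))
    print('with per-device password:', sb327_compliant(fixed))
```

The serial-number check matters because a password printed on the label that is merely the serial number with a suffix is unique in the letter of the law but guessable by anyone who can read the label or enumerate serials; the generator therefore draws from the OS CSPRNG rather than deriving from device identifiers.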

Perspective. Perhaps the judge understands that the encryption is done on the user’s phone and cannot be decrypted by Facebook. (This makes news in Europe, but not in the US? Fake News by omission?)
Exclusive: In test case, U.S. fails to force Facebook to wiretap Messenger calls - sources
U.S. investigators failed in a recent courtroom effort to force Facebook to wiretap voice calls over its Messenger app in a closely watched test case, according to two people briefed on the sealed ruling.
Members of a joint federal and state task force probing the international criminal gang MS-13 had tried in August to hold Facebook in contempt of court for failing to carry out a wiretap order, Reuters reported last month.
Arguments were heard in a sealed proceeding in a U.S. District Court in Fresno, California weeks before 16 suspected gang members were indicted there, but the judge ruled in Facebook’s favor, the sources said.
The details of his reasoning were not available.

An explanation of risk.
Not Too Big To Fail: Why Lehman Had to Go Bankrupt
… “It’s pretty clear in my mind why AIG had to be saved and why Lehman should have been let go, because they (Lehman) could have helped themselves, but they failed,” said Antoncic. “Lehman basically put the nail in [its own] coffin.”

Friday, September 28, 2018

How the Big Boys hack.
Fancy Bear, the Russian Election Hackers, Have a Nasty New Weapon
Russia’s GRU has secretly developed and deployed new malware that’s virtually impossible to eradicate, capable of surviving a complete wipe of a target computer’s hard drive, and allows the Kremlin’s hackers to return again and again.
The malware, uncovered by the European security company ESET, works by rewriting the code flashed into a computer’s UEFI chip, a small slab of silicon on the motherboard that controls the boot and reboot process. Its apparent purpose is to maintain access to a high-value target in the event the operating system gets reinstalled or the hard drive replaced—changes that would normally kick out an intruder.
… “There’s been no deterrence to Russian hacking,” said former FBI counterterrorism agent Clint Watts, a research fellow at the Foreign Policy Research Institute. “And as long as there’s no deterrence, they’re not going to stop, and they’re going to get more and more sophisticated.” [Thank you Captain Obvious! Bob]

What will it take to secure the election process?
“Election machines used in more than half of U.S. states carry a flaw disclosed more than a decade ago that makes them vulnerable to a cyberattack, according to a report to be delivered Thursday on Capitol Hill. The issue was found in the widely used Model 650 high-speed ballot-counting machine made by Election Systems & Software LLC, the nation’s leading manufacturer of election equipment. It is one of about seven security problems in several models of voting equipment described in the report, which is based on research conducted last month at the Def Con hacker conference. The flaw in the ES&S machine stood out because it was detailed in a security report commissioned by Ohio’s secretary of state in 2007, said Harri Hursti, an election-security researcher who co-wrote both the Ohio and Def Con reports. “There has been more than plenty of time to fix it,” he said.

Copycat or continued probing for the coming CyberWar? This may be worse than they are suggesting. Based on what they are not saying…
San Diego port hit by ransomware attack
The Port released a statement saying the malware had infiltrated its computer network and was disrupting administration systems.
It said the attack had not stopped ships or boats using the port, or put members of the public in danger.
The FBI and Department of Homeland Security are helping the Port investigate and clean up in the wake of the outbreak.
"This is mainly an administrative issue and normal Port operations are continuing as usual," Randa Coniglio, chief executive of the port, said in a statement.
The main impact would be on the issuing of park permits, public records requests and general business services, it added.

Even non-IT managers can fail to secure their assets.
Hellcat heist: Car thieves hit Fiat Chrysler factory area third time in a year
For the third time over the past year thieves have stolen a batch of brand new Fiat Chrysler cars awaiting shipment near its Jefferson North factory in Detroit.
On early Wednesday morning, a vehicle rammed through the security fence of a separately managed shipping company yard across the street from the plant and dropped off several crooks, who grabbed three Dodge Challenger Hellcat muscle cars and a Jeep Cherokee and took off, the Detroit News reported.
The same facility was hit in a similar fashion in July when seven vehicles were stolen, most of which were eventually recovered. Last November, six Jeep Grand Cherokee Trackhawks worth $86,000 each were also lifted from near the facility.

First-Ever Conviction For Drunken Scootering In LA
An intoxicated man who knocked over a pedestrian while riding a scooter in West Los Angeles has become the first person in L.A. to be convicted for a scooter-related DUI.
Nicholas Kauffroath, 28, pled no contest Thursday to one count of operating a motorized scooter under the influence and one count of hit-and-run. He was sentenced to 36 months of probation and ordered to pay a $550 fine, along with restitution to the victim.

Perspective. Interesting interview.
The Supreme Court on Smart Phones: An Interview of Bart Huffman about Law and Technology

The Surprising History (and Future) of Fingerprints
Fascinating read via The Paris Review: “…Thumb marks were used as personal seals to close business in Babylonia, and, in 1303, a Persian vizier recounted the use of fingerprints as signatures during the Qin and Han Dynasties, noting, “Experience has shown that no two individuals have fingers precisely alike.” The Chinese had realized that before anyone: a Qin dynasty document from the third-century B.C.E, titled “The Volume of Crime Scene Investigation—Burglary,” pointed up fingerprints as a means of evincing whodunnit.

Worth noting.
Google Images to Show Credit Information
Google has coordinated with international standards organizations to show copyright and author information in Google images. The new feature will show on images containing author and copyright metadata.

Thursday, September 27, 2018

“In hackers we trust?” Part of a larger management problem at the time.
Uber to pay record $148 million over 2016 data breach

Uber will pay $148 million to settle an investigation into a 2016 data breach that the company was accused of intentionally concealing.

The settlement with attorneys general for all 50 states and Washington, DC, will be split among the states. It's the largest ever multi-state data breach settlement, according to the New York attorney general.
The investigation was called to look into allegations that the ride-share company violated state-level notification laws by intentionally withholding that hackers stole the personal information of 57 million users in 2016.
The breach wasn't disclosed until late 2017, when Uber revealed that it paid the hackers $100,000 to destroy the data. In April, Uber settled a case with the Federal Trade Commission, which was investigating claims that Uber deceived customers over this breach.
As part of the settlement, Uber has agreed to develop and implement a corporate integrity program for employees to report unethical behavior. It also agreed to adopt model data breach notification and data security practices, as well as hire an independent third party to assess its data security practices.
… The settlement comes as Uber attempts to clean up its practices. In July, for example, Uber finally hired a chief privacy officer: Ruby Zefo became Uber's top executive focused on privacy. Matt Olsen also joined as chief trust and security officer.

Coming soon to a precinct near you!
The Crisis of Election Security
… when Jenkins met E.A.C. officials and the executive director of the National Association of Secretaries of State for a brief discussion before the scheduled call, what was supposed to be a half-hour meeting bled into four hours, as he and his staff got a crash course in election administration. Internet voting, they learned, was the least of their concerns; the real problems were the machines used to cast and tally votes and the voter-registration databases the Russians had already shown interest in hacking. The entire system — a Rube Goldberg mix of poorly designed machinery, from websites and databases that registered and tracked voters, to electronic poll books that verified their eligibility, to the various black-box systems that recorded, tallied and reported results — was vulnerable.
Two years later, as the 2018 elections approach, the American intelligence community is issuing increasingly dire warnings about potential interference from Russia and other countries, but the voting infrastructure remains largely unchanged.

I wonder if they offered him a scholarship? (Or if Apple is paying his tuition…)
Apple hacking teenager avoids jail time for 'Hacky hack hack'
He pleaded guilty to accessing Apple's systems multiple times over a period of two years, but today an Australian teenager (who cannot be named for legal reasons) escaped conviction and will not serve time in prison for hacking Apple.
The boy accessed Apple's mainframe from his Melbourne home, reportedly because he was a fan of the company and wanted to work there in the future. He was 16 years old when he first gained access.
He downloaded 90GB of data and stored it in a folder on a family computer called "Hacky hack hack".
"Your offending is serious, sustained and sophisticated," the magistrate said, as reported by The Age. "You knew what you were doing was wrong."
The teenager pleaded guilty back in August, but was sentenced Thursday, Sept. 27. No conviction will be recorded, but an eight-month probation order will be put in place.
The teenager has since been accepted into university to study criminology and cyber safety.

Probably not a good way to test your upgrades.
H-E-B stores across Texas briefly shut down because of software problem
H-E-B stores across Texas were briefly closed late this morning because of a software glitch.
… H-E-B officials said that all stores were open by early Wednesday afternoon.
… The H-E-B store on Weber Avenue closed and all customers were forced to leave the facility for a few minutes shortly after the glitch was discovered.
… Many people tweeted that H-E-B employees were passing out treats and cookies to keep customers calm while they waited. It wasn’t a surprise, Campos told the Express-News.
… Some customers mentioned on Twitter that some products were ringing up free at checkout.

RTFM! Read The Freaking Manual!
The Always-On Police Camera
Last summer, the Baltimore police officer Richard Pinheiro submitted body-camera footage as evidence in a drug bust. In Pinheiro’s video, filmed on an Axon Body 2 camera, he wanders through a junky backyard for a few moments before spotting, among the detritus, a discarded soup can. He picks it up and pulls out a small baggie of white pills that he and two other officers would later claim belonged to the suspect. Pinheiro and the other officers arrested the man, then submitted the evidence against him—the baggie, their testimony, and the video—to the Baltimore Police Department.
What Pinheiro and the other officers didn’t seem to realize was that the Axon Body 2 camera has a “fail-safe” feature. The camera is always on and always saves the 30 seconds of footage prior to the officer activating the record button. Those 30 seconds told an entirely different story. In footage Pinheiro was unaware anyone—let alone a jury—would ever see, he pulls a baggie of drugs from his pocket. In full view of the two other officers, he places the baggie in the soup can and drops it on the ground. Pinheiro then presses record and, with the cameras rolling, serendipitously “discovers” the soup can.

A sneaky test? Are they that concerned about a negative precedent?
Test Case Probes Jurisdictional Reach of GDPR
Given the potential size of GDPR fines, it has always been likely that there would be GDPR appeals. While business needs to know how the regulators will enforce the regulation, the regulators need to know how the courts will react to appeals. It has always been likely that the regulators would test the water quietly before embarking on any major action against a major company.
It should be no surprise that this has already happened. The UK's Information Commissioner's Office (ICO) quietly delivered a GDPR enforcement notice on the Canadian firm AggregateIQ Data Services Ltd (AIQ) back on July 6, 2018. The ICO did not publish the notice on its 'enforcement action' page as it usually does (including, for example, details of the £500,000 fine it imposed on Equifax, dated September 20, 2018).
Instead, the AIQ notice was published as an addendum to a report entitled 'Investigation into the use of data analytics in political campaigns'. Here it remained unnoticed until found and highlighted by law firm Mishcon de Reya LLP last week.
Equally unnoticed is that AIQ has unsurprisingly appealed the notice. Since appeals are not handled by the ICO, there is no mention of it on the ICO website. Appeals against ICO notices are handled by the General Regulatory Chamber (GRC) of HM Courts & Tribunals Service. This site lists that an AggregateIQ Data Services Ltd ("AIQ") appeal against an unreferenced ICO decision notice was received on 30 July 2018 – which brings it perilously close to the allowed 28-day appeal period.
No further details are given, and no hearing date is listed. SecurityWeek has requested a copy of the appeal (reference EA/2018/0153); which may or may not be allowable under the Freedom of Information Act.
In effect, this is a test case to see how the courts view the extension of European regulations (in this instance, specifically the UK implementation of GDPR) beyond the borders of the European Union. AIQ is a Canadian firm, and Canada is a softer target than the United States. Nevertheless, the case is likely to provide important information to European regulators before they take on any of the big U.S. tech companies. Smaller U.S. firms should still monitor the outcome to gauge their own exposure to GDPR.

See how new data-science tools are determining who gets hired, in this episode of Moving Upstream: “Hiring is undergoing a profound revolution. Nearly all Fortune 500 companies now use some form of automation — from robot avatars interviewing job candidates to computers weeding out potential employees by scanning keywords in resumes. And more and more companies are using artificial intelligence and machine learning tools to assess possible employees. DeepSense, based in San Francisco and India, helps hiring managers scan people’s social media accounts to surface underlying personality traits. The company says it uses a scientifically based personality test, and it can be done with or without a potential candidate’s knowledge. The practice is part of a general trend of some hiring companies to move away from assessing candidates based on their resumes and skills, towards making hiring decisions based on people’s personalities…”

Tech Giants Launch New AI Tools as Worries Mount About Explainability
Concerns about transparency and ethics in artificial intelligence are mounting, prompting cloud services companies to launch new tools that explain the decision-making behind their AI algorithms.
Executives in regulated industries such as accounting and finance say it’s crucial that both data scientists and non-technical business managers understand the processes behind an algorithmic decision. That knowledge could have far-reaching impacts in guarding against potential ethical and regulatory breaches, especially as enterprise-level AI algorithms become widespread.
About 60% of 5,000 executives polled in a recent study by IBM’s Institute of Business Value said they were concerned about being able to explain how AI is using data and making decisions in order to meet regulatory and compliance standards. That’s up from 29% in 2016.

(Related) ...and it’s not just AI.
How computer software can make policy, explained by family separation at the border
I was listening to the New York Times daily podcast a few weeks ago when a segment caught my attention.
… The podcast detailed how border agents process people coming across the border. They use a computer program that allows them to categorize people in one of three ways: as an “unaccompanied minor,” an “individual adult,” or an “adult with children,” which refers to the whole family unit. Each case gets assigned an identification number, and families (“adults with children”) shared one ID number.
This seemed to work fine, until the Trump administration ordered these agents to separate these same families. In order to do that, border agents reprocessed members of families as either individual adults or unaccompanied minors, and gave everyone new identification numbers, thus losing the one piece of data that connected the members of the family in the system. So, when the court ordered that agents reunite families, those same processing center records no longer reflected which children belonged to which parents.

This is (probably) not fake news!
Tech and ad giants sign up to Europe’s first weak bite at ‘fake news’
The European Union’s executive body has signed up tech platforms and ad industry players to a voluntary Code of Practice aimed at trying to do something about the spread of disinformation online.
Something, just not anything too specifically quantifiable.
According to the Commission, Facebook, Google, Twitter, Mozilla, some additional members of the EDIMA trade association, plus unnamed advertising groups are among those that have signed up to the self-regulatory code, which will apply in a month’s time.

Perspective. How many is too many?
Detroit's Bird, Lime rental scooter craze hits an obstacle
The rental scooter trend has collided with its first major obstacle in Detroit: a city government-imposed cap on the number of scooters.
The two companies that dropped off handfuls of scooters in Detroit this summer — Bird Rides and Lime — have quickly expanded and recently hit the city's per-company limit of 300 scooters.
So, for now, the total number of electric scooters available in Detroit will stay at or below 600.
This restriction could frustrate some weekend sightseers as well as downtown-area residents and workers who have come to rely on finding nearby Birds and Limes for their rush-hour work commutes and just getting around. But non-riders who consider the scooter craze annoying may appreciate the cap.

For my geeks.
Google Curriculum, College Credit
“Google made its first substantial foray into postsecondary education in January, with the creation of a new online certificate program aimed at people who are interested in working in entry-level IT support roles. Necessity was a key motivator for the technology giant, which like most has struggled to find enough IT hires and also is seeking to diversify its work force. And many observers say the move by such a powerful player in the economy is an intriguing sign of what could happen if big employers in high-demand industries increasingly take a hands-on role in postsecondary education and training. In its first five months, more than 40,000 learners enrolled in the Google certificate program, with 1,200 completing. “It’s a whole new marketplace, and it’s driven by the employers and the students,” said Ray Schroeder, associate vice chancellor for online learning at the University of Illinois at Springfield. “These companies for the most part don’t want to get into education. They’re going to do it because it needs to be done.” Instead of the typical approach of designing credential programs to meet employer demand, a growing number of colleges are following Google’s lead and creating college credit-bearing and accredited versions of the new certificate. So far more than 25 community colleges and Northeastern University have signed on to offer credit for the certificate program. Company officials say its content can be tweaked easily by college faculty members to create a customized certificate or stackable pathway to a degree. “We built the curriculum to be modularized,” said Natalie Van Kleef Conley, a senior product manager for Grow With Google. “It’s very flexible for them to use it as they see fit.” Finding qualified candidates for IT support jobs has long been a problem for Google and its parent company, Alphabet, which employs 85,000 people. “We were struggling to find hires. 
And we knew we couldn’t be the only company,” Conley said, adding that “we realized that being qualified didn’t mean having a four-year degree.” IT support is a hot occupation, currently accounting for 150,000 open positions in the U.S., according to Burning Glass Technologies, which analyzes the employment market. These are typically middle-class jobs, with federal data showing an average starting salary of $52,000…”

Worth browsing?
Einstein's Archives Online
More than 80,000 of Albert Einstein's documents and drawings are now available to view for free at Einstein Archives Online. The archives include not only his scientific work but also his images and documents from his travels and thoughts on the world in general.

Are you sure Scott Adams isn’t talking about the White House?

Wednesday, September 26, 2018

Computer failure sounds bad, let’s call it something else.
Delta blames 'technology issue' for ground stop
Delta Air Lines said late Tuesday it had issued a ground stop order due to a "technology issue" with some of its computer tracking systems.
… Delta's Twitter account was busy Tuesday afternoon responding to angry customers of the airline who complained of travel delays and being unable to log in to the company's website and app.

Does not seem to force India to back off the creep toward mandatory use of Aadhaar.
The World’s Largest Biometric Database Is Legal, A Court Just Ruled
India’s Supreme Court has ruled that the government’s controversial Aadhaar program — the world’s largest biometric database — is constitutionally valid and does not violate the privacy of the 1.2 billion people enrolled in it. However, it imposed restrictions on key sections of the program.
A three-judge majority on a panel of five judges struck down sections of a law that allowed private companies like banks and mobile phone carriers in India to ask people for an Aadhaar ID before providing services. The judges also ruled that India’s government could not require people to ask for an Aadhaar ID for peripheral issues like identifying students taking exams. However, Indians will still be required to enrol into the program for paying income tax and accessing government-provided welfare services.
The decade-old Aadhaar program was conceived as a voluntary identity system for millions of Indians who didn’t have any form of ID, and was positioned by the Indian government as a way to stamp out corruption in the country’s welfare systems.
… But over time, India’s government and private companies have made having an Aadhaar ID effectively mandatory by requiring it for everything from getting government subsidies to opening new bank accounts and getting cellphone connections.

Coming soon? The hunt for Jeff Bezos?
Federal, state law enforcement signaling new willingness to investigate tech giants
A meeting of the country’s top federal and state law enforcement officials on Tuesday could presage a series of sweeping new investigations of Apple, Amazon, Facebook, Google and their tech industry peers, stemming from lingering frustrations that these companies are too big, fail to safeguard users’ private data and don’t cooperate with legal demands.
The gathering at the Justice Department had been designed to focus on social media platforms and the ways in which they moderate content online, following complaints from President Donald Trump and other top Republicans that Silicon Valley companies deliberately seek to silence conservative users and views online.
Attorney General Jeff Sessions opened the meeting by raising questions of possible ideological bias among the tech companies, and sought to bring the conversation back to that topic at least twice more, according to Karl Racine, attorney general for the District of Columbia.
But the discussion proved far more wide-ranging, as attorneys general from nine states — and officials from five others — steered the conversation toward the privacy practices of Silicon Valley. Those in the meeting did not zero in on specific business tactics, but did cover issues ranging from how companies collect user data to what they do with it once the information is in their hands.
“We were unanimous. Our focus is going to be on antitrust and privacy. That’s where our laws are,” said Jim Hood, Mississippi’s attorney general, in an interview.

What to expect when Apple, Amazon, and Google get grilled in Congress this week
Starting at 10 a.m. Wednesday, the Senate Commerce Committee plans to quiz representatives of six big tech firms about privacy on their services and in their apps. And the answers that committee members get from Amazon, Apple, AT&T, Charter, Google and Twitter executives may give us a better sense of how these companies use our data and try not to lose it.
Or, as we saw earlier this month when a House interrogation of Twitter CEO Jack Dorsey turned into an airing of GOP grievances, the session could simply tell us how high each tech firm ranks on the enemies lists of individual senators.

Tuesday, September 25, 2018

A world class hack?
How Russia Helped Swing the Election for Trump
A meticulous analysis of online activity during the 2016 campaign makes a powerful case that targeted cyberattacks by hackers and trolls were decisive.
Donald Trump has adopted many contradictory positions since taking office, but he has been unwavering on one point: that Russia played no role in putting him in the Oval Office. Trump dismisses the idea that Russian interference affected the outcome of the 2016 election, calling it a “made-up story,” “ridiculous,” and “a hoax.” He finds the subject so threatening to his legitimacy that—according to “The Perfect Weapon,” a recent book on cyber sabotage by David Sanger, of the Times—aides say he refuses even to discuss it.
… “Cyberwar: How Russian Hackers and Trolls Helped Elect a President—What We Don’t, Can’t, and Do Know,” by Kathleen Hall Jamieson, a professor of communications at the University of Pennsylvania, dares to ask—and even attempts to answer—whether Russian meddling had a decisive impact in 2016. Jamieson offers a forensic analysis of the available evidence and concludes that Russia very likely delivered Trump’s victory.

Those who can’t hack, bash!
There are many ways to communicate displeasure. reports:
Opposition to the lowering of speed limits on departmental roads in France continued to be taken out on the country’s most profitable automated ticketing machines last week. France 3 found the number of tickets issued in the Pyrenees-Atlantiques department has tripled since July, but motorists have fought back by covering cameras with trash bags and posters opposing the new 80 km/h (50 MPH) speed limit on departmental roads.
On Friday, the speed camera on the D619 in Maizieres-la-Grande-Paroisse was destroyed by fire, according to L’Est Eclair. In Peaugres, the speed camera on the RD820 was torched on Sunday, France Bleu reported.

Will it keep some parents from seeking help for their children?
Children registering for school in Florida this year were asked to reveal some history about their mental health.
The new requirement is part of a law rushed through the state legislature after the February shooting at Marjory Stoneman Douglas High School in Parkland, Fla.
On registration forms for new students, the state’s school districts now must ask whether a child has ever been referred for mental health services.
“If you do say, ‘Yes, my child has seen a counselor or a therapist or a psychologist,’ what does the school then do with that?” asked Laura Goodhue, who has a 9-year-old son on the autism spectrum and a 10-year-old son who has seen a psychologist. “I think that was my biggest flag. And I actually shared the story with a couple of mom friends of mine and said, ‘Can you believe this is actually a thing?’”
Goodhue said she worries that if her children’s mental health history becomes part of their school records, it could be held against them.
… Parents express concern that the information could fall into the wrong hands and may follow children throughout their education, said Alisa LaPolt, executive director of the Florida chapter of the National Alliance on Mental Illness.
“In a perfect world, getting treatment for mental health challenges would be no different than getting medical treatment for a skin rash or a bad cold or a broken leg,” LaPolt said. “But that’s not the world we live in right now. There is stigma around mental illness and getting treatment for it.”
… School counselors say they understand the stigma surrounding mental illness. Some say the way the law was written doesn’t help. The mental health question was grouped with requirements to report arrests or expulsions.

“What we have here is failure to communicate.”
One Big Problem With Medicaid Work Requirement: People Are Unaware It Exists
Arkansas is the first state to test it, and thousands have been kicked off the program.
… In the first month that it was possible for people to lose coverage for failing to comply, more than 4,300 people were kicked out of the program for the rest of the year. Thousands more are on track to lose health benefits in the coming months. You lose coverage if you fail to report three times, and the program, in effect for three months, is slowly phasing in more people.
… State officials said they worked hard to get the word out — mailing letters, sending emails, placing phone calls, briefing medical providers, putting posts on social media sites and distributing fliers where Medicaid patients might find them.
… But it seems that not everyone opened or read their mail. Ray Hanley, the president of the Arkansas Foundation for Medical Care, which ran a call center for the state, told my colleague Robert Pear that many people never answered their phones. The state said the open rate on emails was between 20 and 30 percent.

Worth a peek?
Ethics & Algorithms Toolkit
“Government leaders and staff who leverage algorithms are facing increasing pressure from the public, the media, and academic institutions to be more transparent and accountable about their use. Every day, stories come out describing the unintended or undesirable consequences of algorithms. Governments have not had the tools they need to understand and manage this new class of risk. GovEx, the City and County of San Francisco, Harvard DataSmart, and Data Community DC have collaborated on a practical toolkit for cities to use to help them understand the implications of using an algorithm, clearly articulate the potential risks, and identify ways to mitigate them.
  • We saw a gap. There are many calls to arms and lots of policy papers, one of which was a DataSF research paper, but nothing practitioner-facing with a repeatable, manageable process.
  • We wanted an approach which governments are already familiar with: risk management. By identifying and quantifying levels of risk, we can recommend specific mitigations.

Our goals for the toolkit are to:

  • Elicit conversation.
  • Encourage risk evaluation as a team.
  • Catalyze proactive mitigation strategy planning.”

For my students, there is no such thing as ‘before Google.’
Google is 20 years old — here's what it looked like when it first launched
The company's official birthday is September 27, 1998, which is when Google first launched its webpage.
… If you want the full retro experience, you can see what Google's search results looked like back then by searching "Google in 1998."

Google Wants to Answer the Questions You Haven't Even Asked Yet
… The search giant announced a raft of new features at an event Monday to celebrate its 20th anniversary. A Facebook-like newsfeed populated with videos and articles the company thinks an individual user would find interesting will now show up on the Google home page just below the search bar on all mobile web browsers.
“It helps you come across the things you haven’t even started looking for,” Karen Corby, a product manager on Google’s search team, said in a blog post.

I have to make my students ready to live in this environment.
The hot race for 5G will change the world we know now
… If you somehow missed all the hype, simply stated, 5G stands for the “fifth generation” of wireless telecommunications services. In cellular chronology, 1G, or the first generation of wireless, was all about voice — and boy did we embrace the mobile phones in our cars and in our hands — however clunky they were by today’s standards. 3G laid the foundation for today’s smartphones and 4G built the app economy with even more speed and data capabilities.
… A senior Verizon executive claims that 5G will historically “transform industries across every sector of the economy … redefining work, elevating living standards, and having a profound and sustained impact on our global economic growth.”

(Related) See why I wanted cities to own the infrastructure?
Cities Feel Run Over in 5G Race as FCC Sides With AT&T, Verizon
San Jose found a way to help the disadvantaged as it struck deals to let AT&T Inc. and Verizon Communications Inc. put antennas on 4,000 city-owned light poles, laying groundwork for super-fast 5G signals while feeding the city’s treasury.
The capital of Silicon Valley gets $750 annually for each pole, and a total of $24 million of the revenue has been pledged toward bringing broadband to unserved neighborhoods.
Too bad other towns won’t be able to do the same thing. The U.S. Federal Communications Commission is poised to vote Wednesday to limit fees localities can charge, tighten deadlines for responding to industry and discourage deals like San Jose’s that fund broadband projects.
… “We are shocked,” Samir Saini, New York City’s commissioner of information technology, said in an emailed statement. The proposed action is “an unnecessary and unauthorized gift to the telecommunications industry and its lobbyists” and an effort “to subsidize a trillion dollar industry under the guise of helping broadband deployment,” Saini said.
Under the proposed FCC order, cities couldn’t charge more than it costs them to process applications and manage rights-of-way – an amount the FCC estimated at $270.
That’s far short of charges in some cities. New York City charges as much as $5,100 a year in Manhattan south of 96th Street, and as little as $148 annually in places where it’s trying to encourage deployment.

Perspective. Tracking vegetables like bitcoins. Pinning down the liability?
Walmart will use blockchain to ensure the safety of leafy greens
Walmart is anxious about the safety of its food following bacterial outbreaks for lettuce and other food, and it's hoping technology will set shoppers' minds at ease. It's telling its leafy green suppliers to use a blockchain system (designed with IBM's help) to track the shipments of their produce. The secure, distributed ledger will help trace the vegetables' path from the farm to the store, revealing the source of any potential outbreak in seconds instead of days. This isn't just for Walmart's internal benefit, either. Eventually, you could scan a bag and use the blockchain to find out where your spinach came from.

Monday, September 24, 2018

This hack should work in any situation where money is to be transferred.
Hackers Target Real Estate Deals, With Devastating Impact
James and Candace Butcher were ready to finalize the purchase of their dream retirement home, and at closing time wired $272,000 from their bank following instructions they received by email.
Within hours, the money had vanished.
Unbeknownst to the Colorado couple, the email account for the real estate settlement company had been hacked, and fraudsters had altered the wiring instruction to make off with the hefty sum representing a big chunk of the Butchers' life savings, according to a lawsuit filed in state court.
A report by the FBI's Internet Crime Complaint Center said the number of victims of email fraud involving real estate transactions rose 1,110 percent between 2015 and 2017, and losses rose nearly 2,200 percent.
Nearly 10,000 people reported being victims of this kind of fraud in 2017 with losses over $56 million, the FBI report said.
The problem is growing as hackers take advantage of lax security in the chain of businesses involved in real estate and a potential for a large payoff.

Are we finally getting serious? Do we sense some vague future threat or have we experienced an event that really got our attention? Has someone crossed the line?
Britain to create 2,000-strong cyber force to tackle Russia threat
Britain is significantly increasing its ability to wage war in cyberspace with the creation of a new offensive cyber force of up to 2,000 personnel, Sky News understands.
The plan by the Ministry of Defence and GCHQ comes amid a growing cyber threat from Russia and after the UK used cyber weapons for the first time to fight Islamic State.
The new force – expected to be announced soon – would represent a near four-fold increase in manpower focused on offensive cyber operations.

If surveillance equates to more revenue, we’re doomed. reports:
The tax office is to be given new powers to check car owners have paid road tax by scanning every car on the Dutch roads and comparing the number plate to a data base, RTL reported on Friday. The measure is included in the government’s tax plans for 2019 but was hidden away under ‘other fiscal measures’, the broadcaster said. The tax office will make use of footage taken by speed cameras and cameras used to monitor road conditions using technology known as ANPR. There are some 800 ANPR cameras monitoring Dutch roads.

I have been saying this for at least 30 years.
Hannah Martin reports:
Do you remember when the floppy-disk was more than the ‘save’ button in Microsoft Word? Or the goose-bump inducing sound of dial-up internet ringing through your ears?
Technology has come a long way since then.
In a New Zealand hospital today a surgeon can assist a robotic operation; an anxious child can go through a procedure before it happens through a virtual-reality headset – and down the corridor, a doctor will pick up a patient’s sensitive medical information from an antiquated, stuttering fax machine.
Today, the fax machine – or the ‘electric printing telegraph’ as it was patented in 1843 – has all but disappeared, but lives on in our hospitals.
Read more on Stuff.
Given all of the breaches that still occur because of misdirected faxes, I agree it would be better for faxes to be retired from use.

Similar to what Amazon wants to do?
App-Only Banks Rise in Europe and Aim at Traditional Lenders
Greg Stevenson was trying to refinance the mortgage on his four-bedroom home in eastern England when things started going awry. An attempt by his bank, TSB, to shift data to a new computer system had gone spectacularly wrong. For several maddening days, he could not connect to his account, transfer funds or reach anybody at the bank for help.
“I felt abandoned,” said Mr. Stevenson, a 31-year-old software developer. “I needed to be moving money around, and I needed access to my bank.”
The systems failure in April, affecting nearly two million TSB customers, was a breaking point for Mr. Stevenson. He moved his money to Monzo, a British start-up that is among a growing number in Europe offering checking accounts and A.T.M. cards, but lack physical branches — everything is done through an app.

For my architecture students.
How Platform Strategies Continue to Create Value
Platforms were once considered small and even quirky additions to business strategy. This is no longer the case: In 2018, companies deploying platform business models continue to surprise and challenge conventional approaches to creating value.

Typical. “Let me be perfectly clear. This started as 40 pages, then we ran it through the new AI powered ‘Obfuscatry Engine.’ Ain’t science wonderful?”
After What Congress Did at 2:52 A.M. Saturday, Life May Change Radically for Airline Passengers and Flight Attendants. Here Are the Details
Literally in the middle of the night this weekend, Congress released a bill to reauthorize the Federal Aviation Administration, which has to be passed by Sept. 30. It's 1,200 pages long and packed with things, including some truly radical changes for airline passengers and flight attendants.

I find the variety of formats interesting. While neither difficult nor expensive, few other organizations would bother.
The 2019 Medicare & You Handbook is now available

Perspective. Who knew? I wonder if that spike is due to a very small fraction of Facebook’s users.
When Facebook goes down, people go read the news
What happens when internet users can’t go on Facebook? Some turn to other social media platforms to joke about it. A lot of them, it turns out, spend that time reading the news.
When Facebook experienced a 45-minute outage on Aug. 3 in many parts of the world, traffic to news websites sharply spiked, according to data from Chartbeat, a firm used by many major news publishers to track traffic to their websites.

Confusion? The way I read it is that some in each group prefer both YouTube and books.
YouTube is replacing textbooks in classrooms across America
Generation Z students, classified as being between the ages of 14 and 23, believe that YouTube is a bigger contributor to their education than textbooks, according to a study by Pearson Education.
… YouTube was the preferred education method for Gen. Z students, but was less prevalent among Millennials.
  • 59% of Gen. Z students preferred to learn from YouTube, while only 55% of Millennials preferred it.
  • 60% of Millennials said they preferred to learn from textbooks, while 47% of Gen. Z students preferred the same.

Dilbert explains…

Sunday, September 23, 2018

It’s not just the elections. “It’s not suspicious if they agree with me.”
FCC Shielding Evidence Of Suspected Russian Role In Ending Net Neutrality: Lawsuit
The American public is a victim of an “orchestrated campaign by the Russians to corrupt” democratic rule-making, The New York Times argues.
The Federal Communications Commission has obstinately hidden information concerning its system for gathering public input about its unpopular plan to kill net neutrality — regardless of signs of Russian manipulation of the comment procedure, according to a New York Times lawsuit.
The newspaper’s Freedom of Information Act requests concerning the comment system were turned down repeatedly by the FCC as the Times attempted to investigate possible influence by Russia after huge numbers of comments were linked to Russian emails.
Stonewalling by the FCC has made the American public the “victim of an orchestrated campaign by the Russians to corrupt the notice-and-comment process and undermine an important step in the democratic process of rule-making,” states the Times’ lawsuit, which was filed Thursday in U.S. District Court in the Southern District of New York.
The agency also ignored similar demands — at least nine times — from the New York attorney general last year as his office investigated millions of suspicious comments.

(Related) Fodder for our debate on what they should do.
How Can Social Media Firms Tackle Hate Speech?

For my architecture students. “Open the pod bay doors, Hal.”
AI Weekly: Transparency challenges stand in the way of ambient computing
… For example, if you tell an Echo speaker, “Alexa, good night,” it might say in response, “By the way, your living room light is on. Do you want me to turn it off?”
This sort of personalized, contextual experience — commonly referred to as ambient computing — was once the stuff of science fiction, but advancements in artificial intelligence (and ambitious new startups taking full advantage of those advancements) are fast making it a reality.

For Museums, Augmented Reality Is the Next Frontier

For my geeks.
A great many websites are run using a trio of services: Apache, MySQL, and PHP. It is a tried and tested combination which works phenomenally well, most of the time.
… First thing first: what is a WAMP server? WAMP stands for Windows Apache, MySQL, and PHP.

Our tech support needs a lead-lined box.