Saturday, November 03, 2018

Taking advantage of “an App for that!” Making life easier for customers sometimes makes it easier for hackers too.
SMS Phishing + Cardless ATM = Profit
… A number of financial institutions are now offering cardless ATM transactions that allow customers to withdraw cash using nothing more than their mobile phones. But this also creates an avenue of fraud for bad guys, who can leverage phished or stolen account credentials to add a new phone number to the customer’s account and then use that added device to siphon cash from hijacked accounts at cardless ATMs.
In May 2018, Cincinnati, Ohio-based financial institution Fifth Third Bank began hearing complaints from customers who were receiving text messages on their phones that claimed to be from the bank, warning recipients that their accounts had been locked.
The text messages contained a link to unlock their accounts and led customers to a Web site that mimicked the legitimate Fifth Third site. That phishing site prompted visitors to enter their account credentials — including usernames, passwords, one-time passcodes and PIN numbers — to unlock their accounts.
All told, that scam netted credentials for approximately 125 Fifth Third customers — most of them in or around the Cincinnati area. The crooks then used the phished data to withdraw $68,000 from 17 ATMs in Illinois, Michigan, and Ohio in less than two weeks using Fifth Third’s cardless ATM function.

Now that GDPR has blazed the trail to higher levels of punishment, expect others to follow.
One question that occasionally pops up is how often businesses go out of business after or due to a data breach. My answer to that is “not often,” but we do see it occasionally. In some cases, the breach may just have been a final straw for an already shaky business.
Yesterday, during a webinar with Protenus, I mentioned a case where the New Jersey Attorney General settled charges against Virtua Medical Group over a breach at their transcription vendor that impacted 1,650 patients. It was a breach that I have reported on in the past, and I mentioned it because it shows how even when OCR may not take enforcement action, states can take action.
In response to this breach, Virtua Medical had terminated its contract with Best Medical Transcription.
Today, there’s yet one more follow-up to this case, as it appears that the NJ Attorney General’s Office also filed charges against the transcription service itself. Stunningly, and in one of the most severe enforcement outcomes I have ever seen, the settlement bars the vendor owner from ever managing or owning a business in New Jersey.
Read more on Courier Post.
The state’s press release:
The consent judgement can be found here.

Not GDPR inspired, but another escalation. I have to assume any retaliation would not be against Russian election systems. What would you target?
The Pentagon has prepared a cyber attack against Russia
The U.S. intelligence community and the Pentagon have quietly agreed on the outlines of an offensive cyber attack that the United States would unleash if Russia electronically interferes with the 2018 midterm election on Nov. 6, according to current and former senior U.S. officials who are familiar with the plan.
In preparation for its potential use, U.S. military hackers have been given the go-ahead to gain access to Russian cyber systems that they feel is needed to let the plan unfold quickly, the officials said.
… The existence of such a plan means that America is more fully integrating offensive cyber attacks into its overall military planning systems, a move likely to make cyber combat more likely and eventually more commonplace, sometimes without first gaining specific presidential approval. Cyber attacks are now on a more obvious path, in short, to becoming a regular currency of warfare.
… The senior official clarified that it would be direct interference – efforts to tamper with voting registration and recording votes – that would bring “swift and severe action.”
… According to the officials’ accounts, military planners in the past were sometimes held back by the intelligence community from hacking into foreign networks for fear of compromising access that spies considered useful for collecting information, particularly when it was uncertain whether any offensive operation would eventually be approved. With only a small number of skilled military hackers available, they were also hesitant to invest time in gaining access to systems not explicitly part of an approved strike.
… While some officials and cyber experts have said that certain offensive cyber operations risk violating international law, because of the possibility they might cause collateral damage and harm civilians outside target networks, government lawyers have approved the new approach after deciding that letting the military hack into a foreign system is not an act of war, so long as a cyber weapon hasn’t yet been emplaced and the specific system being targeted isn’t actually destroyed.

Sounds too good to be true.
TSA gives green light to test new technology that can screen passengers from 25 feet away
The Transportation Security Administration has given the go-ahead to test technology that is designed to screen multiple airport passengers at the same time from a distance of up to 25 feet away.
… The TSA has purchased several terahertz screening devices from Britain-based Thruvision to test in a TSA facility near Arlington, Va.
… The screening device, which is about the size of an old-fashioned PC computer tower and weighs about 50 pounds, reads the outline of people to reveal firearms and explosives hidden under their clothes.
… the passive terahertz technology reads the energy emitted by a person, similar to thermal imaging used in night-vision goggles.
“It’s 100% passive. There is no radiation coming out of our device,” he said. “You don’t have to stand directly in front of the device.”

(Related) Not really much here either. That 10X14 blind spot might need some work.
  • Successfully passed extensive TSA laboratory testing and operational trials programme
  • Allowing users to see the size, shape and location of both metallic and non-metallic items concealed in clothing.
TAC device
  • Minimum object size of 5cm x 5cm (2in x 2in) at 5m (15ft) on stationary person and 35cm x 25cm (14in x 10in) at 8m (24ft) on walking person

Perspective. How to invade the US market.
TikTok surpassed Facebook, Instagram, Snapchat & YouTube in downloads last month
Beijing-based ByteDance’s 2017 acquisition of tween and teen-focused social app is paying off. The company this year merged with its own short video app TikTok as a means of entering the U.S. market. Today, the result of that merger is sitting at the top of the U.S. App Store, ahead of Facebook. More importantly, it recently surpassed Facebook, Instagram, YouTube and Snapchat in monthly installs for the first time in September.
… Today, it’s ahead of Facebook (No. 7) and Messenger (No. 5) as it sits in the No. 4 position, for example. But it’s behind YouTube (No. 1), Instagram (No. 2) and Snapchat (No. 3).
… In June, TikTok (known as Douyin in China) reported reaching a global monthly active user count of 500 million across 150 countries and regions, which is around the time when Instagram reached one billion monthly actives, for comparison’s sake.

Friday, November 02, 2018

Illogical? Sounds like Facebook has no control over leaks that occur as users send and receive data that is “tapped” by an extension in their browser.
Private messages from 81,000 hacked Facebook accounts for sale
… Facebook said its security had not been compromised. [Because they had no security on third party extensions? Bob]
And the data had probably been obtained through malicious browser extensions.
Facebook added it had taken steps to prevent further accounts being affected. [Were the steps a request to browsers to stop using these extensions? Bob]
… "We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores," said Facebook executive Guy Rosen.
… According to Facebook, it was one such extension that quietly monitored victims' activity on the platform and sent personal details and private conversations back to the hackers.
Facebook has not named the extensions it believes were involved but says the leak was not its fault.
… He claimed that his hacking group could offer data from 120 million users, of whom 2.7 million were Russians.
But Digital Shadows told the BBC that this claim was doubtful because it was unlikely Facebook would have missed such a large breach.

We need someone who has studied the writings of people like this. I know only one. No wonder the police have problems interpreting social media rants.
Law Enforcement Faces Dilemma in Assessing Online Threats
The perpetrators of mass shootings often provide a treasure trove of insight into their violent tendencies, but the information is not always seen by law enforcement until after the violence is carried out. In addition, rants and hate speech rarely factor into whether someone passes a background check to buy guns.
"We can go out on Twitter and there are loads of people saying insane stuff, but how do you know which is the one person? It's always easy after the fact, to go: 'That was clear.' But clearly everyone spouting their mouth doesn't go and shoot up a synagogue," said David Chipman, a retired agent of the federal Bureau of Alcohol, Tobacco, Firearms and Explosives and now senior policy adviser for the Giffords Center.
Keeping tabs on social media posts has been used for years by law enforcement to try to identify potential threats. The task is enormous and it's an inexact science. The volume of posts is significant and the question arises: Is something a true threat or free speech?
Among more than 550 police departments across the country surveyed several years ago by the International Association of Chiefs of Police, about three-quarters said they regularly searched social media for potential threats.
Lt. Chris Cook, spokesman for the Arlington, Texas, Police Department, said the searches are often done manually, using keywords to try to identify troubling posts.
"It's very time consuming, it's very staff and resource intensive and you have humans involved in the process so there is the potential that law enforcement can miss something,"

Why is it so hard to create a process that works?
How Big Oil Dodges Facebook’s New Ad Transparency Rules
A Facebook ad in October urged political conservatives to support the Trump administration’s rollback of fuel emission standards, which it hailed as “our president’s car freedom agenda” and “plan for safer, cheaper cars that WE get to choose.” The ad came from a Facebook page called Energy4US, and it included a disclaimer, required by Facebook, saying it was “paid for by Energy4US.”
Yet there is no such company or organization as Energy4US, nor is it any entity’s registered trade name, according to a search of LexisNexis and other databases. Instead, Energy4US — which Facebook says spent nearly $20,000 on the ads — appears to be a front for American Fuel & Petrochemical Manufacturers, a trade association whose members include ExxonMobil, BP, Chevron and Shell.

Without new laws, Facebook has no reason to fix its broken ad system
In recent days, both Vice News and Business Insider have put Facebook’s political ad transparency efforts to the test ahead — and the results are not good. Yesterday, Vice was able to easily game the “Paid for by” disclosure on political ads, getting false disclosures approved in the name of all 100 sitting US senators.
… But without any real requirements put in place by Congress or the Federal Elections Commission, there are no penalties for vulnerabilities in Facebook’s ad disclosure methods.

I thought this might happen. Once legislatures realized that significant consequences (GDPR) could change corporate behaviors, they would start trying to top one another.
Senator Wyden proposes 20 prison sentences for CEOs who lie about data collection and protection
Senator Ron Wyden [D-OR] (previously) has introduced the Consumer Data Protection Act, which extends personal criminal liability to the CEOs of companies worth more than $1B or who hold data on more than 50,000,000 people who knowingly mislead the FTC in a newly mandated system of annual reports on the steps the company has taken to secure the data.
CEOs whose companies lie to the FTC about these measures will face 20 years in prison and $5 million in fines for breaches.
This reminds me of the criminal liability regime in the Sarbanes-Oxley bill passed after the Enron scandal, which threatened jail sentences for CEOs who signed their name to false financial statements and had far-reaching consequences (for example, record labels had been routinely running "third shift" pressings to produce extra, off-the-books copies of popular CDs that would be sold in record stores but without sending any royalties to the musicians involved -- after SOX, this came to an abrupt halt).
It turns out that when the CEO's freedom is on the line, businesses manage to create really effective policies to accomplish whatever it is the company needs to do to keep the CEO out of prison: “Depend upon it, sir, when a man knows he is to be hanged in a fortnight, it concentrates his mind wonderfully.”

A project for people?
LOC Crowd - Crowdsourcing the Transcription of Primary Sources
The Library of Congress has launched a new crowdsourcing initiative to transcribe primary source documents. The new initiative, simply called Crowd, contains collections of documents that the Library of Congress wants the public to help transcribe.
Anyone can participate in the LOC's Crowd project. To get started simply go to the site and click on one of the five collections of documents. The current collections are Branch Rickey: Changing the Game, Civil War Soldiers: Disabled But Not Disheartened, Clara Barton: Angel of the Battlefield, Letters to Lincoln, and Mary Church Terrell: Advocate for African Americans and Women. Once you've chosen a collection you can choose an individual document within the collection. Your chosen document will appear on the left side of the screen and a field for writing your transcription appears on the right side of the screen. After you have completed your transcription it is submitted for peer review.
… All of the collections in Crowd do have timelines and some other resources that help to provide context for the documents that are in need of transcription.
The Smithsonian has a similar crowdsourcing project called Smithsonian Digital Volunteers.

You don’t see articles like this too often.
The Most Awesome Online Teachers for Learning Web Development
For the past few months, I have been on a learning spree looking to enhance my existing coding skills and also learn new programming languages and frameworks. In this process, I have watched a countless number of video tutorials and online courses that pertain to programming and, specifically, web development.
In my quest to become a better developer, I’ve come across several awesome “teachers” who aren’t just excellent programmers but awesome educators and have the art of explaining complex and difficult concepts.
This is an attempt to highlight the best instructors on the Internet for JavaScript, React, Redux, Node.js, Firebase (database and storage), Docker, Google Golang, Typescript, Flutter (for mobile app development), Dart, Git, Webpack and Parcel bundler.
I’ve taken courses by every single instructor mentioned here and recommend them highly.

Thursday, November 01, 2018

Dear Supreme Court,
The Privacy Foundation at DU’s Sturm College of Law has operated for several years by careful use of a cy pres fund. Judging by the number of students and lawyers who attend their seminars, this was money wisely invested. So, if you are looking for a way to benefit Google users and the public at large…
U.S. Supreme Court divided over Google privacy settlement
U.S. Supreme Court justices, in an internet privacy case involving Google, disagreed on Wednesday over whether to rein in a form of settlement in class action lawsuits that awards money to charities and other third parties instead of to people affected by the alleged wrongdoing.
… Roberts also said it was “fishy” that settlement money could be directed to institutions to which Google already was a donor. Some beneficiary institutions also were the alma mater of lawyers involved in the case, conservative Justice Brett Kavanaugh noted.
… In endorsing the Google settlement last year, the San Francisco-based 9th U.S. Circuit Court of Appeals said each of the 129 million U.S. Google users who theoretically could have claimed part of it would have received “a paltry 4 cents in recovery.”

Clearly I’m not the only one anticipating a repeat of 2016, or worse.
Buying Used Voting Machines on eBay
This is not surprising:
This year, I bought two more machines to see if security had improved. To my dismay, I discovered that the newer model machines -- those that were used in the 2016 election -- are running Windows CE and have USB ports, along with other components, that make them even easier to exploit than the older ones. Our voting machines, billed as "next generation," and still in use today, are worse than they were before -- dispersed, disorganized, and susceptible to manipulation.
Cory Doctorow's comment is correct:
Voting machines are terrible in every way: the companies that make them lie like crazy about their security, insist on insecure designs, and produce machines that are so insecure that it's easier to hack a voting machine than it is to use it to vote.
I blame both the secrecy of the industry and the ignorance of most voting officials. And it's not getting better.

Perhaps I should buy a smartphone, or I may cease to exist!
Joe Cadillic writes:
Surveillance cameras will soon be able to identify everyone by talking to their cellphones.
“This system basically allows surveillance cameras to talk to the public through their individual phones,” Purdue University doctoral student Siyuan Cao said.
As the above video illustrates, soon nowhere will be safe from Big Brother’s prying eyes.
Purdue University’s SIMBA Labs has developed a camera-to-human surveillance program called PHADE, otherwise known as Private Human Addressing. The name of this new program seems appropriate, as everyone’s privacy will soon phade fade away. (Pun intended.)
Read more on MassPrivateI.

Betrayal! My vacuum cleaner gave Google a detailed plan of my house? Are they selling this to burglars? (iRobbers?)
Google wants to improve your smart home with iRobot’s room maps
Google and iRobot have announced they’re working together to improve smart home technology using mapping data collected by iRobot’s robot vacuums. The two companies say the aim is to make smart homes “more thoughtful” by leveraging the unique dataset collected by iRobot: maps of customers’ homes.

I’m sure they’ll get it right, eventually.
UK Regulator Issues Second GDPR Enforcement Notice on Canadian Firm
On 6 July 2018, the UK's data protection regulator (ICO) issued the first GDPR-related enforcement notice. It was delivered on Canadian firm Aggregate IQ.
That enforcement notice requires that AIQ should within 30 days "Cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes."
AIQ appealed the notice. In that appeal, AIQ states "the data continues to be held by AggregateIQ for the simple reason that it remains subject to a preservation order made by Canadian officials."
The ICO has now issued a new enforcement notice (PDF) that "varies and replaces the Notice served on AIQ dated 6 July 2018. The Notice clarifies the steps to be taken by AIQ..."
But, comments Flint, "Given that the October Notice states in paragraph 2 that it "clarifies the steps to be taken by AIQ", some lack of clarity remains. What is to happen to the personal data of non-UK data subjects mentioned in the July Notice? What about UK data subjects who have e-mail addresses other than "" -- such as Does the "clarification" go beyond the original Notice which had a purpose restriction on the use of the data -- the October Notice seems to be all encompassing."
In short, he adds, "the October Notice may provide some "clarification" but really raises as many questions as it answers."

The consequences of a “false positive” are growing as tools like this become more widespread.
A number of border control checkpoints in the European Union are about to get increasingly—and unsettlingly—futuristic.
In Hungary, Latvia, and Greece, travelers will be given an automated lie-detection test—by an animated AI border agent. The system, called iBorderCtrl, is part of a six-month pilot led by the Hungarian National Police at four different border crossing points.
“We’re employing existing and proven technologies—as well as novel ones [i.e. new and unproven Bob] —to empower border agents to increase the accuracy and efficiency of border checks,” project coordinator George Boultadakis of European Dynamics in Luxembourg told the European Commission. “iBorderCtrl’s system will collect data that will move beyond biometrics and on to biomarkers of deceit.”
The virtual border control agent will ask travelers questions after they’ve passed through the checkpoint.
… Travelers who pass the test will receive a QR code that lets them through the border. If they don’t, the virtual agent will reportedly get more serious, and the traveler will be handed off to a human agent who will assess their report. But, according to the New Scientist, this pilot program won’t, in its current state, prevent anyone’s ability to cross the border.
… Keeley Crockett at Manchester Metropolitan University, UK, and a member of the iBorderCtrl team, said that they are “quite confident” they can bring the accuracy rate up to 85 percent. But more than 700 million people travel through the EU every year, according to the European Commission, so that percentage would still lead to a troubling number of misidentified “liars” if the system were rolled out EU-wide.
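The “troubling number” in the paragraph above is a base-rate problem, and the arithmetic is worth carrying through. The block below is an added example, not code from the article or from the iBorderCtrl project; the only figures taken from the article are the 85 percent accuracy target and the 700 million travelers a year, while the deceptive-traveler share (the prevalence) and the reading of “85 percent accuracy” as 85 percent on both honest and deceptive travelers are constructed assumptions.

```python
"""Base-rate arithmetic for a traveler-screening system.

Added example; not code from the article or the iBorderCtrl project. The two
inputs quoted from the article are the 85 percent accuracy target and roughly
700 million travelers a year. The prevalence values and the assumption that
"85 percent accuracy" applies equally to honest and deceptive travelers are
constructed for illustration.
"""
from dataclasses import dataclass

TRAVELLERS_PER_YEAR = 700_000_000  # figure quoted in the article
ACCURACY_TARGET = 0.85             # figure quoted in the article


@dataclass(frozen=True)
class ScreeningOutcome:
    """Confusion-matrix counts for one year of screening."""
    true_positives: int    # deceptive travelers correctly flagged
    false_positives: int   # honest travelers wrongly flagged
    false_negatives: int   # deceptive travelers waved through
    true_negatives: int    # honest travelers correctly waved through

    @property
    def population(self) -> int:
        return (self.true_positives + self.false_positives
                + self.false_negatives + self.true_negatives)

    @property
    def flagged(self) -> int:
        """Travelers handed off to a human agent as suspected liars."""
        return self.true_positives + self.false_positives

    @property
    def accuracy(self) -> float:
        """Share of all decisions that were correct: the headline figure."""
        return (self.true_positives + self.true_negatives) / self.population

    @property
    def precision(self) -> float:
        """Share of flagged travelers who really were deceptive."""
        return self.true_positives / self.flagged if self.flagged else 0.0


def screen(population: int, prevalence: float,
           sensitivity: float, specificity: float) -> ScreeningOutcome:
    """Apply a detector with the given sensitivity (hit rate on deceptive
    travelers) and specificity (correct-clear rate on honest travelers) to a
    population in which `prevalence` is the deceptive fraction (assumed)."""
    deceptive = round(population * prevalence)
    honest = population - deceptive
    tp = round(deceptive * sensitivity)
    tn = round(honest * specificity)
    return ScreeningOutcome(
        true_positives=tp,
        false_positives=honest - tn,
        false_negatives=deceptive - tp,
        true_negatives=tn,
    )


def sweep(prevalences, accuracy=ACCURACY_TARGET,
          population=TRAVELLERS_PER_YEAR):
    """Run the same 85 percent detector against several assumed prevalences.

    Accuracy stays at 85 percent in every case; what changes is how many of
    the flagged travelers are actually honest."""
    return {p: screen(population, p, accuracy, accuracy) for p in prevalences}


if __name__ == "__main__":
    # Constructed prevalence assumptions, from "nobody lies" to "one in ten".
    for prevalence, out in sweep([0.0, 0.001, 0.01, 0.1]).items():
        print(f"prevalence {prevalence:6.1%}: accuracy {out.accuracy:.0%}, "
              f"flagged {out.flagged:>12,}, honest among them "
              f"{out.false_positives:>12,} (precision {out.precision:.1%})")
```

With deception at 1 percent of travelers the detector still reports 85 percent accuracy, yet about 104 million honest people are flagged each year and only around 5 percent of those pulled aside were actually deceptive.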

Continuing a discussion with my students. (Do we get this instead of HQ 2.0?)
Amazon’s second ever 4-star store opening at Park Meadows mall in Lone Tree
… the experience offered by the 4,000-square-foot Amazon store that opens Thursday inside the Park Meadows mall is best described as the physical equivalent of walking into the homepage.
The first display table inside the door features a group of top-rated products that appear on many Amazon users’ online wish lists.
… “It’s something we’re really excited about because we think we’re bringing a new approach to building a store,” Cameron Janes, vice president of physical stores for Amazon 4-star said Wednesday. “We’re trying to create a store that is a direct reflection of our customers.”
There are even excerpts from online reviews posted below products on the shelves. Digital sales tags update prices in real time based on what an item is selling for online.

Should my students look at this?
Handshake, a LinkedIn for university students and diversity, raises $40M
LinkedIn has created and — with 562 million users — leads the market in social platforms for people who want to network with others in their professions, as well as look for jobs. Now a startup that hopes to take it on in a specific niche — university students and recent grads, with a focus on diversity and inclusion — has raised a substantial round to grow. Handshake, a platform for both students looking to take their early career steps and employers that want to reach them, has raised $40 million in a Series C round of funding, after hitting 14 million users in the U.S. across 700 universities, and 300,000 employers targeting them.

A data analysis tool.
Why Jupyter is data scientists’ computational notebook of choice
… Jupyter is a free, open-source, interactive web tool known as a computational notebook, which researchers can use to combine software code, computational output, explanatory text and multimedia resources in a single document. Computational notebooks have been around for decades, but Jupyter in particular has exploded in popularity over the past couple of years. This rapid uptake has been aided by an enthusiastic community of user–developers and a redesigned architecture that allows the notebook to speak dozens of programming languages.
… For data scientists, Jupyter has emerged as a de facto standard, says Lorena Barba, a mechanical and aeronautical engineer at George Washington University in Washington DC. Mario Jurić, an astronomer at the University of Washington in Seattle who coordinates the LSST’s data-management team, says: “I’ve never seen any migration this fast. It’s just amazing.”

I’m not a fan, either taking or teaching.
Assessing Online Learning in Law Schools: Students Say Online Classes Deliver
Dutton, Yvonne and Ryznar, Margaret and Long, Kayleigh, Assessing Online Learning in Law Schools: Students Say Online Classes Deliver (October 2018). Denver University Law Review, Forthcoming; Indiana University Robert H. McKinney School of Law Research Paper Forthcoming. Available at SSRN:
“This is the first article to provide empirical data on the effectiveness of distance education in law schools since the ABA this summer approved increasing the total number of credits that law students could earn through online classes from 15 to 30. Our data, composed of law student surveys and focus groups, reveal not only the success of distance education in their experience, but also the methods that are most effective for them.”

Wednesday, October 31, 2018

Something for my Software Architects.
How to Build Great Data Products
Products fueled by data and machine learning can be a powerful way to solve users’ needs. They can also create a “data moat” that can help stave off the competition. Classic examples include Google search and Amazon product recommendations, both of which improve as more users engage.
… The lifecycle of a so-called “data product” mirrors standard product development: identifying the opportunity to solve a core user need, building an initial version, and then evaluating its impact and iterating. But the data component adds an extra layer of complexity.
Stage 1: Identify the opportunity
Stage 2: Build the product
Stage 3: Evaluate and iterate

The New National ID Systems
… This paper summarizes the stances of each of the 50 states on various ID systems, including REAL ID, E-Verify, facial recognition, and license-plate scanning. Together, those technologies—along with other initiatives orchestrated at the federal level—are the leading edge of a national identification and tracking infrastructure.

American Tech Firms Are Winning the R&D Spending Race With China
… U.S. firms, led by Inc. and Google parent Alphabet Inc., invested more than $5 in R&D for every $1 spent by Chinese companies, according to a new report from PricewaterhouseCoopers LLP, which logged the top 1,000 spenders among publicly traded companies. PwC’s report tracked the year ended June 30.

Apparently, “hate” is a growing academic area.
DOJ Announces Launch of New Hate Crimes Website
“The Department today released an update on hate crimes and announced the launch of a new comprehensive hate crimes website designed to provide a centralized portal for the Department’s hate crimes resources for law enforcement, media, researchers, victims, advocacy groups, and other related organizations and individuals. The resources include training materials, technical assistance, videos, research reports, statistics, and other helpful information from all of the Department components working on hate crimes. In recent years, the Department has ramped up its hate crimes prosecution program and increased training of federal, state, and local law enforcement officers to ensure that hate crimes are identified and prosecuted to the fullest extent possible. The Department of Justice Law Enforcement Roundtable on Improving the Identification and Reporting of Hate Crimes being conducted today and tomorrow through the Department’s Hate Crimes Enforcement and Prevention Initiative is an example of ongoing efforts to spur communication and cohesion among those in the field working on hate crimes. Over the past 10 years, the Department of Justice has charged more than 300 defendants with hate crimes offenses, including 50 defendants in FY 2017 and 2018. In FY 2018, the Department charged 27 defendants in 22 cases, and obtained 30 convictions. Since January 2017, the Department has indicted 50 defendants involved in committing hate crimes and secured convictions of 51 defendants for hate crimes incidents…”

Southern Poverty Law Center – Guide to Hate and Extremism in the US
“The SPLC is the premier U.S. organization monitoring the activities of domestic hate groups and other extremists – including the Ku Klux Klan, white nationalists, the neo-Nazi movement, antigovernment militias and others. We track more than 1,600 extremist groups operating across the country. We publish investigative reports, train law enforcement officers and share key intelligence, and offer expert analysis to the media and public. Our work fighting hate and extremism began in the early 1980s, amid a resurgence of Klan violence that began several years after the end of the civil rights movement. Each year since 1990, we have released an annual census of U.S. hate groups. In the mid-1990s, we also began documenting the number of radical, antigovernment militias and other organizations that comprise the far-right “Patriot” movement. Over the years, we’ve crippled or destroyed some of the country’s most notorious hate groups – including the United Klans of America, the Aryan Nations and the White Aryan Resistance – by suing them for murders and other violent acts committed by their members or by exposing their activities.
  • Hate Map: There are 954 hate groups currently operating in the US.
  • Extremist Files: A database on prominent extremist groups and individuals
  • 100 Days in Trump’s America: A report on white nationalists and their agenda to infiltrate the mainstream
  • Terror From The Right: A synopsis of radical-right terrorist plots, conspiracies and racist rampages since the Oklahoma City bombing in 1995. It includes a roster of murdered law enforcement officials…”

Something free for my students.
James Patterson on his new Facebook Messenger digital book: 'You've never seen anything like it'
James Patterson, the prolific writer who holds a record for the most No. 1 New York Times bestsellers, says "you've never seen anything like" the new book he has released for free via Facebook Messenger.
"It's just so different," he said on "Squawk Box" Tuesday morning.
Conceding that "people don't read like they used to," Patterson is making a pitch to bring more attention to books and publishing in a world where booksellers like Borders have closed down and Barnes & Noble look to "rebound" in a tech-focused world.
… With the digital release of "The Chef" on Tuesday, Patterson takes a stab at modernizing storytelling by adapting to a text- or instant-message format on Facebook Messenger.
The new story, a murder mystery set in New Orleans, offers an "enhanced" novel experience by delivering readers short messages peppered with multi-media including photos, video and audio clips, maps and other interactive content. The additional content is optional for the reader to engage.
"You're reading text then all of the sudden you see film of what you were reading about," much like an online news article accompanied by photos and videos, Patterson said.

Tuesday, October 30, 2018

My tax dollars at waste. No indication they fired this guy. No indication his manager was disciplined. No indication of management at all, come to think of it.
Civil servant who watched porn at work blamed for infecting a US government network with malware
A U.S. government network was infected with malware thanks to one employee’s “extensive history” of watching porn on his work computer, investigators have found.
The audit, carried out by the U.S. Department of the Interior’s inspector general, found that a U.S. Geological Survey (USGS) network at the EROS Center, a satellite imaging facility in South Dakota, was infected after an unnamed employee visited thousands of porn pages that contained malware, which downloaded to his laptop and “exploited the USGS’ network.” Investigators found that many of the porn images were “subsequently saved to an unauthorized USB device and personal Android cell phone,” which was connected to the employee’s government-issued computer.
Investigators found that his Android cell phone “was also infected with malware.”
The findings were made public in a report earlier this month but buried on the U.S. government’s oversight website and went largely unreported.
… Investigators recommended that USGS enforce a “strong blacklist policy” of known unauthorized websites and “regularly monitor employee web usage history.”
The report also said the agency should lock down its USB drive policy, restricting employees from using removable media on government devices, but it’s not known if the recommendations have yet gone into place. USGS did not return a request for comment.

I’m going to read this carefully.
92% of External Web Apps Have Exploitable Security Flaws or Weaknesses: Report
Most large companies readily admit that they have shadow IT and legacy applications they do not know, and that this at least theoretically makes them vulnerable. It is generally considered to be an acceptable risk.
This research from High-Tech Bridge (HTB) is designed to show that the problem is far bigger and less acceptable than most companies imagine. It was prompted, at least in part, by HTB's experience with one particular U.S. government agency client.
"They told us," HTB founder and CEO Ilia Kolochenko told SecurityWeek, "'We know we have shadow IT – about 250 applications.'" HTB used its non-intrusive scanning tools and replied, "No, you have 8000 shadow IT applications." The implication is that this government agency has around 7,750 shadow IT applications that it doesn't know and isn't monitoring – leaving it potentially vulnerable to an unquantifiable risk.

Just saying…
US Election Integrity Depends on Security-Challenged Firms
A trio of companies — ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver and Hart InterCivic of Austin, Texas — sell and service more than 90 percent of the machinery on which votes are cast and results tabulated. Experts say they have long skimped on security in favor of convenience, making it more difficult to detect intrusions such as occurred in Russia's 2016 election meddling.
The businesses also face no significant federal oversight and operate under a shroud of financial and operational secrecy despite their pivotal role underpinning American democracy.
In much of the nation, especially where tech expertise and budgets are thin, the companies effectively run elections either directly or through subcontractors.

Something my students need to understand. Metadata is often sufficient to identify communication between possible targets. This will make it only slightly more difficult.
New Signal privacy feature removes sender ID from metadata
Plenty of messaging apps use strong encryption to make it next to impossible for law enforcement officers or other potential adversaries to read communications sent between parties. Often, however, unencrypted metadata—such as the sender, receiver, and time a message is sent—is all the sensitive data an adversary needs. Now, the Signal app is testing a new technique called "sealed sender" that's designed to minimize the metadata that's accessible to its servers.
A beta release announced Monday will send messages that remove most of the plain-text sender information from message headers.
… Signal's beta comes 12 days after federal prosecutors revealed they were able to build a strong case against a US Treasury official by monitoring, in real-time, the messages she sent and received using an unnamed encrypted messaging app. On August 15, according to a criminal complaint, investigators used a court-issued pen register and trap and trace order to determine the official exchanged 10 messages with a BuzzFeed reporter using the encrypted app. Over the next two months, the same order showed the official and reporter traded 301 messages using the same app.
The account provided in the complaint was a reminder that encryption doesn't always provide users with anonymity unless they take extra precautions.
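Added example (not from the article and not Signal's code) modelling what "sealed sender" changes in the envelope the server relays. Signal's published design puts a server-signed sender certificate inside the encrypted payload and lets the server accept the message on the strength of a per-recipient delivery token derived from the recipient's profile key; here an HMAC stands in for the certificate signature and a SHA-256 counter keystream stands in for the real session cipher (both are assumptions made to keep the demo dependency-free), and `keystream_xor`, `delivery_token`, `sealed_envelope` and the other names are this example's own.

```python
"""Toy model of Signal-style "sealed sender" envelopes (illustration only)."""
import hashlib
import hmac
import json
import os
import secrets

# Stand-in for the server's certificate-signing key (constructed for the demo).
SERVER_CERT_KEY = secrets.token_bytes(32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 counter keystream (demo only).
    The same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def delivery_token(profile_key: bytes) -> bytes:
    """Secret the recipient shares with contacts; the server stores a copy and
    accepts sealed envelopes that present it without learning who sent them.
    (HMAC with a fixed label stands in for Signal's real derivation.)"""
    return hmac.new(profile_key, b"UnidentifiedDelivery", hashlib.sha256).digest()


def issue_sender_certificate(sender_id: str) -> dict:
    """Server attests that sender_id is a real account (HMAC stands in for a signature)."""
    tag = hmac.new(SERVER_CERT_KEY, sender_id.encode(), hashlib.sha256).hexdigest()
    return {"sender": sender_id, "sig": tag}


def verify_sender_certificate(cert: dict) -> bool:
    expected = hmac.new(SERVER_CERT_KEY, cert["sender"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


def legacy_envelope(sender_id: str, recipient_id: str, session_key: bytes, body: str) -> dict:
    """Pre-sealed-sender shape: the sender is a plaintext header the relay can log."""
    nonce = os.urandom(12)
    return {
        "from": sender_id,
        "to": recipient_id,
        "nonce": nonce.hex(),
        "ciphertext": keystream_xor(session_key, nonce, body.encode()).hex(),
    }


def sealed_envelope(sender_cert: dict, recipient_id: str, token: bytes,
                    session_key: bytes, body: str) -> dict:
    """Sealed sender: the certificate travels inside the ciphertext; the only
    proof of legitimacy the server sees is the recipient's delivery token."""
    nonce = os.urandom(12)
    inner = json.dumps({"cert": sender_cert, "body": body}).encode()
    return {
        "to": recipient_id,
        "token": token.hex(),
        "nonce": nonce.hex(),
        "ciphertext": keystream_xor(session_key, nonce, inner).hex(),
    }


def server_accepts(envelope: dict, token_store: dict) -> bool:
    """Relay-side check: presented token must equal the recipient's stored token
    (constant-time compare). No sender identity is read at all."""
    stored = token_store.get(envelope["to"])
    if stored is None or "token" not in envelope:
        return False
    return hmac.compare_digest(stored, bytes.fromhex(envelope["token"]))


def server_visible_metadata(envelope: dict) -> dict:
    """Everything the relay can log: the outer fields minus the opaque payload."""
    return {k: v for k, v in envelope.items() if k not in ("ciphertext", "nonce")}


def unseal(envelope: dict, session_key: bytes) -> tuple:
    """Recipient side: decrypt, then authenticate the sender from the certificate."""
    inner = json.loads(keystream_xor(session_key, bytes.fromhex(envelope["nonce"]),
                                     bytes.fromhex(envelope["ciphertext"])))
    if not verify_sender_certificate(inner["cert"]):
        raise ValueError("sender certificate failed verification")
    return inner["cert"]["sender"], inner["body"]
```

Note what `server_visible_metadata` still returns for a sealed envelope: the recipient and the time of delivery. That is exactly why the blog's point stands: removing the sender header from the envelope makes the pen-register picture less direct, but the recipient, message timing and volume remain visible to whoever can see the relay.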

This seems quite confusing. Will this system prevent unauthorized people from entering the school? The article seems to suggest not.
Facing Tomorrow's High-Tech School Surveillance
… Earlier this year, the school district announced it would be using tech developed by SN Technologies Corp., the Canadian company behind Aegis, a surveillance platform that comes with both facial recognition software and a tool designed to flag guns that might appear on the camera footage (provided the firearm is in someone’s hand, not in a bag). In the wake of high-profile mass school shootings across the US, Lockport, a small, conservative town of around 20,000 people, has invested in Aegis out of a belief the facial recognition system will help safeguard students, even though there’s no evidence that such a system would be an effective security measure in an active shooter scenario.
… The idea is that the school could get an extra few seconds of warning when an unwanted person arrives on campus, whether that’s an expelled student or an escaped felon. But critics of the system point out that the vast majority of school shooters are enrolled students—individuals who probably wouldn't be in the facial database.
Hundreds of documents related to Lockport’s new surveillance program, obtained by the NYCLU in late August through a Freedom of Information Law request, suggest that Lockport did not engage with the community before deciding to move ahead with installing the surveillance network, and that a security consultant who taught Lockport’s board about the tech and was later hired by the district holds licensing for Aegis through a separate company, CSI. The NYCLU found nothing in the documents outlining policies for accessing data collected by the cameras, or what faces would be fed to the system in the first place. And based on emails acquired through the same FOIL request, the NYCLU noted, Lockport administrators appeared to have a poor grasp on how to manage access to internal servers, student files, and passwords for programs and email accounts.
“The serious lack of familiarity with cybersecurity displayed in the email correspondence we received and complete absence of common sense redactions of sensitive private information speaks volumes about the district’s lack of preparation to safely store and collect biometric data on the students, parents and teachers who pass through its schools every day,” an editor’s note to the NYCLU’s statement on the Lockport documents reads.

A Fork in the Road for Avis
Self-driving cars and ride-hailing services could make the car-rental industry obsolete—or create a huge opportunity. Here’s how Avis Budget is adapting.

Research tool? The CAP data is free for the public to use and access.
The Caselaw Access Project expands public access to US law
Three Hundred and Sixty Years of Caselaw: “The Caselaw Access Project (“CAP”) expands public access to U.S. law. Our goal is to make all published U.S. court decisions freely available to the public online, in a consistent format, digitized from the collection of the Harvard Law Library.
What data do we have? CAP includes all official, book-published United States case law — every volume designated as an official report of decisions by a court within the United States. Our scope includes all state courts, federal courts, and territorial courts for American Samoa, Dakota Territory, Guam, Native American Courts, Navajo Nation, and the Northern Mariana Islands. Our earliest case is from 1658, and our most recent cases are from 2018. Each volume has been converted into structured, case-level data broken out by majority and dissenting opinion, with human-checked metadata for party names, docket number, citation, and date. We also plan to share (but have not yet published) page images and page-level OCR data for all volumes…”

This might be fun in my next statistics class.
The Highway Drone Dataset
Naturalistic Trajectories of 110 000 Vehicles Recorded at German Highways
Request access to the dataset! [The HighD dataset is free for non-commercial use only. If you are interested in commercial use]
“About the Dataset – The highD dataset is a new dataset of naturalistic vehicle trajectories recorded on German highways. Using a drone, typical limitations of established traffic data collection methods such as occlusions are overcome by the aerial perspective. Traffic was recorded at six different locations and includes more than 110 000 vehicles. Each vehicle’s trajectory, including vehicle type, size and manoeuvres, is automatically extracted. Using state-of-the-art computer vision algorithms, the positioning error is typically less than ten centimeters. Although the dataset was created for the safety validation of highly automated vehicles, it is also suitable for many other tasks such as the analysis of traffic patterns or the parameterization of driver models.”

Unfortunately, this has applications in many areas.

Monday, October 29, 2018

There’s good news and bad news. The good news is, this cost the bank a trivial amount. (Roughly $35,500) The bad news is, this looks like a hack by some amateur. North Korea would have tried to drain ALL the accounts.
Muhamed Bilal reports:
Bank Islami Pakistan has come under the biggest cyber attack in the history of Pakistan.
The incident came under the limelight when numerous customers of the bank complained of an unusual activity – that their payment cards were being used in different international countries. It is alleged that a group of hackers breached the data centre of Islami bank and made the transactions by stealing customers’ details.
The unknown transactions that had been made through the card scheme were worth Rs. 2.6 million.
Read more on Daily Punch.

Some things I teach my students to avoid… (Is this really a ‘social network?’)
Joseph Cox reports:
Remini, a smartphone app that launched in 2013, aims to provide parents and educators with a social network to follow a child’s progress throughout school and their early life, documenting important milestones and letting parents share images with their child’s school.
But Remini exposed these, and the personal information of its users to the internet writ large, thanks to an API that let anyone pull the data without any sort of authentication. The data included email addresses, phone numbers, and the documented moments of the children as well as their profile photos, according to a researcher who discovered the issue.
Remini has since taken the exposed API offline, but only after multiple complaints from a user as well as the researcher. The company confirmed the security issue to Motherboard.
Read more on Motherboard.
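Added example, not Remini's code and not from the article: the defect described above (an API endpoint that hands any user's record to any caller) next to a hardened version of the same handler. The sample records, the `VIEW_GRANTS` table, the HMAC-based bearer token and all function names are constructed for this illustration.

```python
"""Unauthenticated lookup endpoint vs. the same endpoint with authentication
and object-level authorization (illustration only)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample records standing in for the kind of data that was exposed.
USERS = {
    "u1": {"email": "parent1@example.invalid", "phone": "+1-555-0100",
           "children": ["c1"], "moments": ["first day of school"]},
    "u2": {"email": "parent2@example.invalid", "phone": "+1-555-0101",
           "children": ["c2"], "moments": ["school play"]},
}

# Who may view whose record: each parent may read only their own (constructed policy).
VIEW_GRANTS = {"u1": {"u1"}, "u2": {"u2"}}

SERVER_SECRET = secrets.token_bytes(32)  # constructed; rotated per deployment in practice


def issue_token(user_id: str) -> str:
    """Bearer token bound to a user id. An HMAC keeps the demo self-contained;
    a production service would use short-lived, revocable session tokens."""
    tag = hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def caller_from_token(token: Optional[str]) -> Optional[str]:
    """Return the authenticated user id, or None if the token is absent or invalid."""
    if not token or "." not in token:
        return None
    user_id, tag = token.rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(expected, tag) else None


def get_user_vulnerable(path_user_id: str, headers: dict) -> Tuple[int, Optional[dict]]:
    """The defect: no authentication and no authorization. Anyone who can guess
    or enumerate an id gets the full record."""
    record = USERS.get(path_user_id)
    return (404, None) if record is None else (200, record)


def get_user_hardened(path_user_id: str, headers: dict) -> Tuple[int, Optional[dict]]:
    """Authenticate the caller, then check the caller may view *this* record.
    The grant check runs before the existence check so unknown ids cannot be
    enumerated by telling 403 apart from 404."""
    auth = headers.get("Authorization", "")
    caller = caller_from_token(auth[len("Bearer "):] if auth.startswith("Bearer ") else None)
    if caller is None:
        return (401, None)
    if path_user_id not in VIEW_GRANTS.get(caller, set()):
        return (403, None)
    record = USERS.get(path_user_id)
    return (404, None) if record is None else (200, record)
```

The two handlers differ only in the two checks at the top of `get_user_hardened`; the missing first check is what let "anyone pull the data", and the missing second one is what would still let an authenticated user read other families' records once accounts exist.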

(Related) Don’t do this either. No encryption?
Security Vulnerability in Internet-Connected Construction Cranes
This seems bad:
The F25 software was found to contain a capture replay vulnerability -- basically an attacker would be able to eavesdrop on radio transmissions between the crane and the controller, and then send their own spoofed commands over the air to seize control of the crane.
"These devices use fixed codes that are reproducible by sniffing and re-transmission," US-CERT explained.
"This can lead to unauthorized replay of a command, spoofing of an arbitrary message, or keeping the controlled load in a permanent 'stop' state."
Here's the CERT advisory.
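Added example, not the F25 firmware and not the vendor's fix: a Python model of the fixed-code receiver the advisory describes, beside a receiver that accepts a command only if it carries a fresh counter and a valid HMAC under a key shared with its paired controller. The device id, key, command codes and class names are all constructed for this illustration.

```python
"""Fixed-code radio commands vs. counter-plus-MAC commands (illustration only)."""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length
CTR_LEN = 4   # frame counter length in bytes


class FixedCodeReceiver:
    """Mirrors the weakness in the advisory: a command is accepted whenever
    the frame bytes match a known code, so a captured frame stays valid."""

    def __init__(self, codes: dict):
        self.codes = codes
        self.last = None

    def receive(self, frame: bytes) -> bool:
        cmd = self.codes.get(frame)
        if cmd is None:
            return False
        self.last = cmd
        return True


class Controller:
    """Paired transmitter: counter || command || HMAC(key, device_id || counter || command)."""

    def __init__(self, device_id: bytes, key: bytes):
        self.device_id = device_id
        self.key = key
        self.counter = 0

    def frame(self, command: str) -> bytes:
        self.counter += 1
        body = self.counter.to_bytes(CTR_LEN, "big") + command.encode()
        tag = hmac.new(self.key, self.device_id + body, hashlib.sha256).digest()
        return body + tag


class AuthenticatedReceiver:
    """Accepts a frame only if the MAC verifies and the counter is strictly
    higher than any counter accepted so far, so replays and spoofed messages
    are both rejected. The counter must be kept in non-volatile storage."""

    def __init__(self, device_id: bytes, key: bytes):
        self.device_id = device_id
        self.key = key
        self.highest_counter = -1
        self.last = None

    def receive(self, frame: bytes) -> bool:
        if len(frame) < CTR_LEN + 1 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, self.device_id + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                      # spoofed or altered command
        counter = int.from_bytes(body[:CTR_LEN], "big")
        if counter <= self.highest_counter:
            return False                      # replay of an already-used frame
        self.highest_counter = counter
        self.last = body[CTR_LEN:].decode()
        return True


def demo() -> dict:
    """Run both receivers against the same sequence of events and report outcomes."""
    # Fixed-code device: a captured frame delivered a second time is accepted again.
    fixed = FixedCodeReceiver({b"\x01\x02": "hoist_up", b"\x01\x03": "stop"})
    captured = b"\x01\x02"
    fixed.receive(captured)
    replay_ok_fixed = fixed.receive(captured)

    # Authenticated device: the same captured frame is rejected on replay,
    # an altered frame fails the MAC, and a fresh frame still works.
    key = b"\x5a" * 32                       # constructed pairing key
    ctrl = Controller(b"crane-7", key)
    recv = AuthenticatedReceiver(b"crane-7", key)
    first_frame = ctrl.frame("hoist_up")
    first_ok = recv.receive(first_frame)
    replay_ok = recv.receive(first_frame)
    altered_ok = recv.receive(first_frame[:CTR_LEN] + b"stop" + first_frame[-TAG_LEN:])
    fresh_ok = recv.receive(ctrl.frame("stop"))
    return {
        "fixed_replay_accepted": replay_ok_fixed,
        "first_accepted": first_ok,
        "replay_accepted": replay_ok,
        "altered_accepted": altered_ok,
        "fresh_accepted": fresh_ok,
        "last_command": recv.last,
    }
```

The fix here is integrity plus freshness, not secrecy: encrypting the command bytes alone would not stop a replay, while a MAC bound to a monotonic counter stops both the replay and the spoofed message the advisory lists. A real receiver would also tolerate a small window of skipped counters for lost frames and require a re-pairing step to reset the counter.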

This probably got the attention of Privacy experts everywhere. It even got my attention.
'City of surveillance': privacy expert quits Toronto's smart-city project
When it was announced last year that a district in Toronto would be handed over to a company hoping to build a model for new tech-driven smart city, critics were quick to voice concerns.
Despite Justin Trudeau’s exclamation that, through a partnership with Google’s sister company Sidewalk Labs, the waterfront neighborhood could help turn the area into a “thriving hub for innovation”, questions immediately arose over how the new wired town would collect and protect data.
A year into the project, those questions have resurfaced following the resignation of a privacy expert, Dr Ann Cavoukian, who claimed she left her consulting role on the initiative to “send a strong statement” about the data privacy issues the project still faces.
“I imagined us creating a Smart City of Privacy, as opposed to a Smart City of Surveillance,” she wrote in her resignation letter.

Unfortunate that it takes something like the Pittsburgh shooting to get these companies to look at their customers.
Gab goes down after GoDaddy threatens to pull domain
Gab, the controversial social network with a far-right following, has pulled its website offline after domain provider GoDaddy gave it 24 hours to move to another service. The move comes as other companies including PayPal, Medium, Stripe, and Joyent blocked Gab over the weekend. It had emerged that Robert Bowers, who allegedly shot and killed eleven people at a Pittsburgh synagogue on Saturday, had a history of posting anti-Semitic messages on Gab.

Clearly this is coming. What are we going to do about it?
With No Laws To Guide It, Here's How Orlando Is Using Amazon's Facial Recognition Technology
… In the US, there are no laws governing the use of facial recognition, and there is no regulatory framework limiting its law enforcement applications. There is no case law or constitutional precedent upholding police use of the tech without a warrant; courts haven’t even decided whether facial recognition constitutes a search under the Fourth Amendment. The technology is still plagued by inaccuracies.
But that hasn't stopped law enforcement from piloting these systems. According to documents obtained by BuzzFeed News, the city of Orlando — which initially allowed its original Rekognition pilot to expire amid growing public outcry — just embarked on a second pilot that allows for an unspecified but “increased” number of additional cameras.
The documents, obtained by BuzzFeed News via a Freedom of Information request, show that Amazon marketed its facial recognition tools to Orlando’s police department, providing tens of thousands of dollars of technology to the city at no cost, and shielding the Rekognition pilot with a mutual nondisclosure agreement that kept its details out of the public eye. More broadly, they reveal the accelerated pace at which law enforcement is embracing facial recognition tools with limited training and little to no oversight from regulators or the public.

Perspective. IBM wants to own the Cloud?
IBM to Acquire Open Source Giant Red Hat for $34 Billion
IBM said Sunday it has reached a deal to buy open source software company Red Hat for $34 billion, among the biggest tech mergers in history which the computing giant said would enhance its cloud offerings.
If approved it will be the third biggest tech merger in history, according to business news site CNBC. Red Hat said it was the biggest involving a software company.
"The acquisition of Red Hat is a game-changer. It changes everything about the cloud market," said Ginni Rometty, IBM's chairman, president and CEO.
"IBM will become the world's number one hybrid cloud provider, offering companies the only open cloud solution that will unlock the full value of the cloud for their businesses."
Hybrid cloud relates to the linking of public and private cloud platforms.

For my geeks…
Google updates Firebase with enterprise-grade support, ML Kit Face Contours, Management API, and more
Google today updated Firebase, its service for helping developers build apps for Android, iOS, and the web. Firebase has gained paid enterprise-grade support, ML Kit Face Contours, a Firebase Management API, Test Lab for iOS, Performance Monitoring improvements, and Firebase Predictions.

Interesting, but I don’t think I could read all this information before the election. Maybe next time?
Ballotpedia is the digital encyclopedia of American politics and elections
“Ballotpedia is the digital encyclopedia of American politics and elections. Our goal is to inform people about politics by providing accurate and objective information about politics at all levels of government. We are firmly committed to neutrality in our content; here’s why. As a nonprofit, our mission is to educate.
… Ballotpedia currently has over 276,000 encyclopedic articles and offers daily, weekly, and monthly email newsletters on a variety of specialized topics. See the full scope of what we cover...”

Another ‘arms race,’ this time in the grocery markets.
Sam's Club is ditching cashiers at a new store in Texas
Sam's Club is opening a location in Dallas that will allow customers to scan and pay for their groceries with an app — without a cashier or standing in the checkout line.
It comes at a time when many retailers, including Sam's Club owner Walmart, Target, Kroger and Macy's, are playing with technology in stores to appeal to customers, cut costs and grow sales.
… "We'll use all available technologies — including computer vision, augmented reality, machine learning, artificial intelligence, robotics, just to name a few — to redefine the retail experience," Iannone said in a blog post.
To pay after shopping the store, customers will simply scan a code with an exit host when leaving, bypassing the traditional checkout process. The Dallas store will eventually be equipped with roughly 700 cameras to help facilitate inventory and layout management, Sam's Club said. The retailer also says it plans to take much of the new technology nationwide over time.
Amazon reportedly could open as many as 3,000 cashierless stores by 2021, putting intense pressure on its competitors to respond with their own initiatives or risk losing sales for lack of convenient options. Kroger has a "Scan, Bag, Go" app similar to Sam's Club, while Walmart decided to pull the plug on its mobile express scan-and-go offering earlier this year. It had been in as many as 120 Walmart stores across the U.S.

My students predict that eventually self-driving cars will not need traffic signals. They will negotiate right of way in real time, and never slow down. (But what about older cars, Bob? After market self-driving add on kits!)
Cars and traffic signals are talking to each other
Cars and traffic signals are talking to each other, leaving the driver — if there even is one — out.
Top automakers including Volkswagen, Honda, Ford and BMW are experimenting with technology that allows cars and traffic lights to communicate and work together to ease congestion, cut emissions and increase safety.
… The idea is that the system will be able to tell the driver (or a self-driving car in the future) when to expect a wave of green lights. The goal is to eventually make the system work with a range of cars and brands.

Interesting resource.
TinEye Reverse Image Search
  • “Using TinEye, you can search by image or perform what we call a reverse image search. You can do that by uploading an image or searching by URL. You can also simply drag and drop your images to start your search.
  • TinEye constantly crawls the web and adds images to its index. Today, the TinEye index is over 32.1 billion images.
  • When you search with TinEye, your image is never saved or indexed. TinEye adds millions of new images from the web every day—but your images belong to you. Searching with TinEye is private, secure, and always improving…”

(Related) ...and a few more.
13 Alternatives to Google Image Search - Chart

Sunday, October 28, 2018

If Twitter can’t recognize a problem account when it is pointed out to them, how can they identify any similar accounts?
Twitter suspends accounts linked to mail bomb suspect
At least two Twitter accounts linked to the man suspected of sending explosive devices to more than a dozen prominent Democrats were suspended on Friday afternoon.
… In one case, those threats had been previously reported to Twitter. Democratic commentator Rochelle Ritchie tweeted that she reported a tweet from @hardrock2016 following her appearance on Fox News. According to a screenshot, Twitter received the report and on October 11 responded that it found “no violation of the Twitter rules against abusive behavior.”
The tweet stated “We will see u 4 sure. Hug your loved ones real close every time you leave home” accompanied by a photo of Ritchie, a screenshot of a news story about a body found in the Everglades and the tarot card representing death.
Update: Twitter issued an apology for not dealing with Ritchie’s initial report.

(Related) Twitter-like social media for Wackos? Who monitors these?
The Pittsburgh Suspect’s Internet of Hate
Robert Bowers was an avid user of Gab, a social network popular among white nationalists and the alt-right.
… Bowers didn’t make his anti-semitic statements on Twitter or Facebook or even Reddit, but rather on a small social network called Gab. It was founded in 2016 as an alternative to Twitter and other large social platforms, and indeed looks and operates similarly to Twitter, allowing users to follow and reply to each other, and to reshare short status updates.
But while Twitter, Facebook, and other mainstream social networks abide by ever-evolving sets of community standards, Gab allows users to say pretty much anything they want. Andrew Torba, the Silicon Valley Trump supporter who created it, said that he wanted to offer an alternative to mainstream social networks which he and others feel are biased against conservatives.

Before I forget, here are some GDPR resources mentioned in Friday’s Privacy Foundation seminar.
The European Data Protection Board
GDPR Recitals
Information Commissioner’s Office

Perspective. The pendulum swings…
The Digital Gap Between Rich and Poor Kids Is Not What We Expected
… For the last six months, at night in school libraries across Overland Park, a suburb of Kansas City, Mo., about 150 parents have been meeting to talk about one thing: how to get their kids off screens.
It wasn’t long ago that the worry was that rich students would have access to the internet earlier, gaining tech skills and creating a digital divide. Schools ask students to do homework online, while only about two-thirds of people in the U.S. have broadband internet service. But now, as Silicon Valley’s parents increasingly panic over the impact screens have on their children and move toward screen-free lifestyles, worries over a new digital divide are rising. It could happen that the children of poorer and middle-class parents will be raised by screens, while the children of Silicon Valley’s elite will be going back to wooden toys and the luxury of human interaction.

GATINEAU, QC, Oct. 26, 2018 /CNW/ – Privacy commissioners from around the world are urging educational authorities and developers of e-learning platforms to better protect the privacy of students, who increasingly use e-learning platforms in the classroom.
Privacy Commissioner of Canada Daniel Therrien and his international counterparts have adopted a resolution on e-learning platforms in Brussels, Belgium at the 40th International Conference of Data Protection and Privacy Commissioners.
“E-learning platforms are powerful tools that help teachers teach and students learn, but they come with the inherent risk that personal information could potentially be used inappropriately,” Commissioner Therrien says.
… The federal Privacy Commissioner’s office also co-sponsored two other resolutions at the international conference — on ethics and artificial intelligence as well as on digital citizens and consumer protection.

Cloud Giants Continue Pouring Billions Into Data Centers
Even though there are indications that overall cloud data center spend may be slowing down, the biggest cloud providers continue spending billions to expand their platforms’ physical scale.
Amazon, Microsoft, and Alphabet all reported their earnings for the quarter ended September 30 this week, and all three said they invested a ton of money in data centers during the quarter. They don’t report the exact amounts they spend on data centers – usually lumping that number with spending on other things – but it’s safe to say that data centers represent the bulk of the bucket they're in.
… Google’s parent Alphabet, for example, spent close to $5.6 billion on “production equipment, data center construction, and facilities” during the quarter, Alphabet CFO Ruth Porat said on an earnings call Thursday.
… Amazon, the leader of the cloud pack, reports its data center spend as part of a capital leases bucket, whose size during the quarter was $2.33 billion.

(Related) Perhaps this is being run by the folks who built Denver’s $328 Million $1.73 Billion VA Hospital.
Washington Veterans Are Unconvinced A New $10 Billion Computer System Will Actually Improve VA Service
… “So what we are doing here in Washington, we are testing out the medical health records, which is the largest program the VA has ever undertaken,” Wilkie said at the Fairchild event organized by U.S. Rep. Cathy McMorris Rodgers. “That will be the template for the entire country.”
But the system designed by Kansas City, Missouri-based Cerner Corp. has gone anything but smoothly under a similar contract for the U.S. Department of Defense. The same computer system, called Medical Healthcare System GENESIS, is being installed under a separate contract at four military bases in Washington state, including Fairchild.
According to an April 30 DOD report, military personnel trying to install the health care system had a litany of problems that caused them to shut the testing down.
“MHS Genesis is not operationally effective because it does not demonstrate enough workable functionality to manage and document patient care,” the report states. Users were only able to perform “56 percent of the 197 tasks used as measures of performance.”

God Bless Our Troops! (Call the Guinness book of world records!)
US Troops Deploy ‘Overwhelming Force’ Against Iceland’s Beer Supplies
U.S. troops landed in Iceland last week ahead of the start of the largest NATO military exercise since the Cold War, and apparently, they left their mark in the most appropriate way possible: by drinking every last beer in the nation’s capital.
A significant number of bars in downtown Reykjavík were forced to make emergency beer runs under the onslaught of thirsty American sailors and Marines in town for the start of Trident Juncture 18, Iceland Magazine reports.
Local media estimate that between 6,000 and 7,000 U.S. military personnel exhausted beer cellars across the Icelandic capital in the span of a single weekend.