Saturday, December 08, 2018

Maybe if this warning had come a bit earlier…
North Korea-linked Hackers Target Academic Institutions
A threat group possibly originating from North Korea has been targeting academic institutions since at least May of this year, NetScout’s security researchers reveal.
… The actors behind the attack, however, displayed poor OPSEC, which allowed the researchers to find open web browsers in Korean, English-to-Korean translators, and keyboards switched to Korean.
… Remote Desktop Protocol (RDP) was also used to ensure continuous access. However, because there is no evidence of data theft, the motivation behind the attacks is largely uncertain.

Laura Krantz reports:
Hackers stole more than $800,000 from Cape Cod Community College last week when they infiltrated the school’s bank accounts, the school notified its employees Friday.
Several computers in the school’s Nickerson Administration Building were hacked by a phishing scheme that used malware to obtain access to the school’s accounts, according to an e-mail from the school president, John Cox, sent Friday afternoon to school faculty and staff.
Read more on Boston Globe.
[From the article:
The college has replaced all infected hard drives, [Not a normal procedure, were they unable to remove (delete) the malware? Bob] according to the president’s e-mail. It will conduct more cybersecurity training for faculty, staff, and students. Stone, the school spokesman, said the college plans to invest in more sophisticated software to prevent attacks in the future.

I’m guessing that it was either create a procedure like this or Marriott would have to replace them all.
Identity stolen because of the Marriott breach? Come and claim your new passport
… The company on Friday confirmed to The Register that customers who fall victim to fraud as a result of forged passports will be eligible to claim a replacement passport at Marriott's expense.
"As it relates to passports and potential fraud, we are setting up a process to work with our guests who believe that they have experienced fraud as a result of their passports being involved in this incident," a spokesperson told El Reg.
"If, through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport."

For my lectures on cryptography…
Back Issues of the NSA's Cryptolog
Five years ago, the NSA published 23 years of its internal magazine, Cryptolog. There were lots of redactions, of course.
What's new is a nice user interface for the issues, noting highlights and levels of redaction.

A million here, a million there, pretty soon we’re talking real money! Do you suppose this is coming out of someone’s bonus?
Alex Hern reports:
Facebook has been fined €10m (£8.9m) by Italian authorities for misleading users over its data practices.
The two fines issued by Italy’s competition watchdog are some of the largest levied against the social media company for data misuse, dwarfing the £500,000 fine levied by the British Information Commissioner’s Office in September – the maximum that body is able to issue.
The Italian regulator found that Facebook had breached articles 21, 22, 24 and 25 of the country’s consumer code …
Read more on The Guardian.

Privacy as the Chinese see it.
Barbara Li and Bohua Yao report:
On November 30, 2018 the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the “MPS”), issued a draft Guideline for Internet Personal Information Security Protection (the “Guideline”) along with a request for public comments.
Even though, upon reaching final form and taking effect, the Guideline will not be a mandatory regulation, it nonetheless has a key implementing role in relation to the PRC Cyber Security Law (the “CSL”) and the Administrative Measures for the Multi-Level Protection of Information Security (the “Multi-Level Protection Measures”) in respect of protecting information systems and personal information in China.
Read more on Norton Rose Fulbright Data Protection Report.

Are we ready for this future?
Amazon, AI and Medical Records: Do the Benefits Outweigh the Risks?
Last month, Amazon unveiled a service based on AI and machine-learning technology that could comb through patient medical records and extract valuable insights. It was seen as a game changer that could alleviate the administrative burden of doctors, introduce new treatments, empower patients and potentially lower health care costs. But it also carries risks to patient data privacy that call for appropriate regulation, according to Wharton and other experts.

Friday, December 07, 2018

Two of my students know they are impacted by this breach.
Chinese Government Suspected in Marriott Hack: Report
Reuters’ sources said the hackers left behind some clues suggesting that the attack was part of an intelligence gathering operation conducted by the Chinese government. This assumption is based on the use of tools, techniques and procedures (TTPs) known to be associated with Chinese threat actors.
The potential involvement of the Chinese government in the breach suggests that the goal was espionage rather than financial gain.

CPOs should already know about this. Did they bother to tell their software architects?
Google Facing Complaints of GDPR Violations From Consumer Groups in 7 Countries
As soon as the European General Data Protection Regulation (GDPR) went into effect in May 2018, it was only a matter of time before tech giants like Google would start to receive complaints about potential GDPR violations. And now just six months later, Google is facing its first challenge under Europe’s strict new data protection regulations. A group of seven European Union member state countries – Czech Republic, Greece, Norway, the Netherlands, Poland, Slovenia and Sweden – are now asking European privacy regulators to take action against Google for its “deceptive practices” related to location tracking.
… For example, it’s a lot harder to deliver Google Maps information that is relevant if “Location History” is turned off. However, in the interests of personal privacy, some users might wish to turn “Location History” off.
And it’s here that Google appears to have created a legal headache for itself in terms of potential GDPR violations. As the BEUC has noted, simply toggling “Location History” off doesn’t mean that Google stops tracking you. Instead, in order to really stop Google from tracking you, you also need to turn off a second type of functionality called “Web and App Activity,” otherwise Google will continue to use your GPS location data in various ways. The fact that toggling something “off” doesn’t actually turn something “off” is what is so deceptive, according to the BEUC.

An issue of Privacy?
Microsoft Wants to Stop AI’s 'Race to the Bottom'
After a hellish year of tech scandals, even government-averse executives have started professing their openness to legislation. But Microsoft president Brad Smith took it one step further on Thursday, asking governments to regulate the use of facial-recognition technology to ensure it
does not invade personal privacy or [Would my face ever be considered “personal space?” Bob]
become a tool for discrimination or surveillance. [Can you view/record/recognize my face without surveilling me? Bob]
… To address bias, Smith said legislation should require companies to provide documentation about what their technology can and can’t do in terms customers and consumers can understand. He also said laws should require “meaningful human review of facial recognition results prior to making final decisions” for “consequential” uses, such as decisions that could cause bodily or emotional harm or impinge on privacy or fundamental rights.
… Smith also said lawmakers should extend requirements for search warrants to the use of facial-recognition technology. [Not gonna happen. Bob] He noted a June decision by the US Supreme Court requiring authorities to obtain a search warrant to get cellphone records showing a user’s location. “Do our faces deserve the same protection as our phones?” he asked.

But could it tell that the depression is due to an AI monitoring my smartphone? Will Big Brother make such monitoring mandatory so the government can intervene with mood altering drugs?
Your smartphone’s AI algorithms could tell if you are depressed
MIT Technology Review: “Your smartphone’s AI algorithms could tell if you are depressed. Smartphones that are used to track our faces and voices could also help lower the barrier to mental-health diagnosis and treatment. Depression is a huge problem for millions of people, and it is often compounded by poor mental-health support and stigma. Early diagnosis can help, but many mental disorders are difficult to detect. The machine-learning algorithms that let smartphones identify faces or respond to our voices could help provide a universal and low-cost way of spotting the early signs and getting treatment where it’s needed. In a study carried out by a team at Stanford University, scientists found that face and speech software can identify signals of depression with reasonable accuracy. The researchers fed video footage of depressed and non-depressed people into a machine-learning model that was trained to learn from a combination of signals: facial expressions, voice tone, and spoken words. The data was collected from interviews in which a patient spoke to an avatar controlled by a physician. In testing, it was able to detect whether someone was depressed more than 80% of the time. The research was led by Fei-Fei Li, a prominent AI expert who recently returned to Stanford from Google. While the new work is at an early stage, the researchers suggest that it could someday provide an easier way for people to get diagnosed and helped…”

Are they all wrong?
Analysis | The Technology 202: More than 200 companies are calling for a national privacy law. Here's an inside look at their proposal.
The Business Roundtable’s consumer privacy legislation framework, provided exclusively to The Technology 202, calls on the United States to adopt a national privacy law that would apply the same data collection requirements to all companies regardless of sector -- while ramping up Federal Trade Commission staffing and funding to enforce the rule. It calls on companies to give consumers more control of their data and form a national standard for breach notification.

Since you’re not driving, ads won’t be a distraction. Unless you are trying to sleep or study for my exam. Perhaps we could include voice: “Hey look! A McDonald’s! You should get a Big Mac!”
Firefly Nets $21.5 Million Seed Round To Boost Ride-Hail Driver Revenues With On-Car Ads
… A new iteration on that on-car billboard, Firefly replaces backlit printed placards with screens connected to sensors and a location-aware computer that pipes in locally-sourced ads to display for all to see. In turn, the company’s car-mounted screen modules will come with a set of sensors that ingest information about the outside world. The company brokers access to both.

Fortunately, NASA did not include heavy weapons.
Space station robot goes rogue: International Space Station’s artificial intelligence has turned belligerent
… But, as numerous books and movies have clearly warned us — shortly after being switched on for the first time, CIMON has developed a mind of its own.
And it appears CIMON wants to be the boss.
This has CIMON’s ‘personality architects’ scratching their heads.

Dilbert explains the size of government bureaucracies.

Thursday, December 06, 2018

The new normal: Assume you’ve been hacked. Devote resources to finding out where and how.
Zack Whittaker reports:
It’s going to take more than a bunch of posies to make up for this one.
The Canadian branch of 1-800-FLOWERS revealed in a filing with the California attorney general’s office that malware on its website had siphoned off customers’ credit cards over a four-year period.
Four years. Let that sink in.
The company said it believes the malware was scraping credit cards between August 15, 2014 and September 15, 2018, but that the company’s main website was unaffected.
Read more on TechCrunch.

(Related) That’s a fact, Jack.
Your Personal Data is Already Stolen

Old normal: Assume you are going to be sued. How will, “We didn’t think we needed that much security” sound to a jury?
Attorneys General File First Multistate HIPAA-Related Data Breach Lawsuit
Attorneys General from 12 U.S. states this week filed a lawsuit against a healthcare tech solutions provider over a data breach suffered by the company in 2015.
… Authorities claim MIE failed to implement basic data security measures, it did not have security mechanisms in place for preventing the exploitation of vulnerabilities in its systems, it failed to encrypt sensitive personal and medical information, and had an inadequate and ineffective response to the breach.

Is it possible DHS is no longer of strategic importance?
Why the U.S. Needs a Homeland Security Strategy
The last time the U.S. government published a National Homeland Security Strategy, Osama bin Laden was still alive

For consideration by my Computer Security students. The US & UK governments are not the only ones “stockpiling” vulnerabilities. Perhaps not even the best.
UK Spy Agency Joins NSA in Sharing Zero-Day Disclosure Process
On November 15, 2017, the U.S. government made public its vulnerability equities process (VEP). This is the process used to decide whether a government agency should disclose a discovered vulnerability or keep it secret for its own purposes. Exactly one year and two weeks later, the UK government did similar, disclosing its own Equities Process.
Both governments admit to stockpiling vulnerabilities. This is not open to discussion – they just do. The equities process is the means by which they decide which vulnerabilities should be kept secret from vendors, security companies and the public.

Question: When is a Cyber attack an escalation?
Ukraine Accuses Russia of Cyberattack on Judiciary Systems
Ukrainian security service SBU announced on Tuesday that its employees blocked an attempt by Russian special services to breach information and telecommunications systems used by the country’s judiciary.
According to the SBU, the attack started with a malicious email purporting to deliver accounting documents. The documents hid a piece of malware that could have been used to disrupt judicial information systems and steal data.
Another recent cyber incident involving Russia and Ukraine was revealed on Wednesday, when Adobe announced that a Flash Player security update addressed a zero-day vulnerability.
Researchers who spotted attacks involving the exploit said the target was the FSBI "Polyclinic No. 2" of the Administrative Directorate of the President of the Russian Federation.
The attack was launched just days after Russian border guards opened fire on three Ukrainian vessels in the Kerch Strait. The Ukrainian vessels and their crew were captured.

The UK grabbed these papers last month. Looks like they moved fast.
The secret Facebook documents have just been published by British Parliament
… A redacted version of the papers was pushed live on the website of the Digital, Culture, Media, and Sport Committee, which is investigating Facebook's privacy standards as part of an inquiry into "disinformation and fake news."

While some companies — most large banks, Ford and GM, Pfizer, and virtually all tech firms — are aggressively adopting artificial intelligence, many are not. Instead they are waiting for the technology to mature and for expertise in AI to become more widely available. They are planning to be “fast followers” — a strategy that has worked with most information technologies.
We think this is a bad idea. It’s true that some technologies need further development, but some (like traditional machine learning) are quite mature and have been available in some form for decades. Even more recent technologies like deep learning are based on research that took place in the 1980s. New research is being conducted all the time, but the mathematical and statistical foundations of current AI are well established.
Beyond the technical maturity issue, there are several other problems with the idea that companies will be able to adopt quickly once technologies are more capable.

Every Leader’s Guide to the Ethics of AI

Perspective. Would you believe: As goes Twitter, so goes the nation? (Looks like that might be backward)
By the numbers: Political tweets turn blue in 2018
Axios: “New data from Twitter shows the top 10 U.S. politicians who were most tweeted about in the few months after the midterm election were Democrats, replacing a list that was once dominated by GOP lawmakers the majority of 2018. Why it matters: The political clout and conversation is changing with its politicians. Republicans like Speaker of the House Paul Ryan and Sen. Ted Cruz (R-Texas) who once dominated the subject of tweets, are now being replaced by nominated House speaker Nancy Pelosi and outgoing Texas Rep. Beto O’Rourke in the rankings, per Twitter…”

Austria clears German who imported damaged euros from China
… The man, in his 40s, was detained in Austria earlier this year after police found 117kg (257lb) of the coins, worth €15,000 ($17,000; £13,000), in his car.
However an Austrian court has now ruled that his actions were not illegal.
The accused, referred to only as Mr H, had explained how he frequently travelled to China with cash to procure the coins, which he said were found in scrap metal items sent there to be destroyed.
He said that because the euro coins were not used as currency in China, he could purchase large quantities by weight at a fraction of their value and return to convert them for notes at Austrian banks using coin-counting machines

Wednesday, December 05, 2018

Looks like the 2020 Election meddling has begun. These folks have had a couple of years to get their act together. Were the hackers that good? (ie State Sponsored)
Alex Isenstadt and John Bresnahan report:
The House GOP campaign arm suffered a major hack during the 2018 election, exposing thousands of sensitive emails to an outside intruder, according to three senior party officials.
The email accounts of four senior aides at the National Republican Congressional Committee were surveilled for several months, the party officials said. The intrusion was detected in April by an NRCC vendor, who alerted the committee and its cybersecurity contractor. [Not good for their reputation. Bob]
Read more on Politico.
[From the article:
However, senior House Republicans — including Speaker Paul Ryan of Wisconsin, Majority Leader Kevin McCarthy of California and Majority Whip Steve Scalise of Louisiana — were not informed of the hack until Politico contacted the NRCC on Monday with questions about the episode. Rank-and-file House Republicans were not told, either.

(Related) Another tool for spreading disinformation.
Chatbots Are a Danger to Democracy
We need to identify, disqualify and regulate chatbots before they destroy political speech.

Be careful how you hack. Valuing your house at $5 million might seem a bit suspicious in a neighborhood of $250,000 identical homes.
Letting Algorithms Replace Human Appraisers
  • Home appraisals could be done electronically without the need for a licensed human regulator, according to new proposals
  • Regulators say the vast majority of homes could be appraised using electronic algorithms which could make house buying faster and cheaper
  • About 214,000 home sales could have been made last year with the change
  • House appraisers were largely blamed for inflating prices during the crash…”

“We know everything about you and we can’t stop knowing.”
Google personalizes search results even when you’re logged out, new study claims
The amount of personalization inherent in any one of Google’s many massive software products runs deep, based on everything from your search history to your location to every single search link you might have clicked. And avoiding that personalization seems to have become more difficult over the years. According to a new study conducted by Google competitor DuckDuckGo, it does not seem possible to avoid personalization when using Google search, even by logging out of your Google account and using the private browsing “incognito” mode.

Probably seemed like a good idea at the time. If compliance is difficult, find an easier way!
Could GDPR Consent String Fraud Bring Down the Whole Ad Tech Ecosystem?
In an effort to get around some of the more onerous provisions of the European General Data Protection Regulation (GDPR), which went into effect in May 2018, some ad tech vendors appear to be engaging in a form of data privacy fraud known as “consent string fraud.” If this type of data privacy fraud becomes rampant and European regulators begin to assess fines against ad tech companies knowingly circumventing the GDPR, it could bring down the whole ad tech ecosystem. At the very least, it could have a chilling effect on the entire digital advertising industry as publishers and advertisers decide to scale back their activity.

How easily could you organize a “fake protest” using “fake news?”
How Facebook Groups sparked a crisis in France
What commentators are saying, both inside France and out, is that the movement has been organized primarily on Facebook. The writer Frederic Filloux described some of the group’s methods:
Two weeks ago, more than 1,500 Yellow Vests-related Facebook events were organized locally, sometimes garnering a quarter of a city’s population. Self-appointed thinkers became national figures, thanks to popular pages and a flurry of Facebook Live. One of them, Maxime Nicolle (107,000 followers), organizes frequent impromptu “lives”, immediately followed by thousands of people. His gospel is a hodgepodge of incoherent demands but he’s now a national voice.
Writing for Bloomberg (and quoting a French-language column I couldn’t read myself), Leonid Bershidsky argues that Facebook’s decision to promote posts from groups in the News Feed may have exacerbated the protests.

Perspective. The world is about to change (again). Not everywhere and not for everyone.
Riding in Waymo One, the Google spinoff’s first self-driving taxi service
… Waymo, the self-driving subsidiary of Alphabet, launched its first commercial autonomous ride-hailing service here in the Phoenix suburbs on Wednesday — a momentous moment for the former Google self-driving project that has been working on the technology for almost a decade. I was one of the lucky few to test out the company’s robot taxi experience a week before the launch. And I say “lucky” because to ride in one of Waymo’s autonomous minivans, not only do you have to live in one of four suburbs around Phoenix, but you also have to be in a very exclusive, 400-person club called the Early Riders.
… The cars aren’t fully driverless yet: they will include “trained drivers” behind the steering wheel until Waymo decides to pull them out. Chu says it will test a variety of “configurations;” the company says it will eventually offer driverless rides, but it declined to give an exact date.

Perspective. This is largely about self-driving cars and the switch to electric cars.

Keeping up with my students. (More likely, their children)

Something for my students to consider.
Kik is an instant messenger service that’s increasingly popular with teens and young adults, but it doesn’t have the best reputation
… You sign up using an email address and password, negating the need for a phone number. If you want hands-on experience yourself, it’s free for iPhone and Android.

I gotta get me one of these!

Tuesday, December 04, 2018

Somehow, a mere 100 million seems small…
Saheli Roy Choudhury reports:
Quora, the popular question-and-answer website, said Monday evening that hackers broke into one of its systems and compromised information from approximately 100 million users.
CEO Adam D’Angelo said in a blog post the company discovered last week that a malicious third party had gained unauthorized access to one of its systems.
Account information, including names, email addresses and encrypted passwords, may have been illegally accessed, according to the post. User-imported data from other social networks could also have been taken.
Read more on CNBC.
Quora’s statement on their blog:

Talk to the business side of the house! Something I try to teach my Computer Security students.
Knowing Value of Data Assets is Crucial to Cybersecurity Risk Management
Understanding the value of corporate assets is fundamental to cybersecurity risk management. Only when the true value is known can the correct level of security be applied.
Sponsored by DocAuthority and based on Gartner's Infonomics Data Valuation Model, Ponemon Institute queried 2,827 professionals across the U.S. and UK to gauge how different business functions value different information assets. The business functions included in the research comprise IT security, product & manufacturing, legal, marketing & sales, IT, finance & accounting, and HR.
These groups were asked to put a financial cost to the hypothetical loss of 36 different information types on a per record basis -- such as R&D, M&A documents, source code and customer contracts. The results show a consistent and sometimes marked difference in value perception between different business functions.
For example, "IT Security departments undervalued documents including research and development (R&D) and financial reports, while excessively prioritizing less sensitive Personally Identifiable Information (PII) data." ('Excessively' and 'less sensitive' are DocAuthority terms.)
Further examples that show what is almost a dichotomy of attitudes between ITsec and the rest of the business include ITsec valuing R&D documents at less than 50% of the business valuation ($306,504 versus $704,619 for reconstruction); and the leaking of financial reports at $131,570 versus the Financial department's valuation of $303,182.

Oops? I will be interested to see how (if) this works.
Australia Set to Pass Sweeping Cyber Laws Despite Tech Giant Fears
Australia's two main parties struck a deal Tuesday to pass sweeping cyber laws requiring tech giants to help government agencies get around encrypted communications used by suspected criminals and terrorists.
The laws are urgently needed to investigate serious crimes like terrorism and child sex offences, the conservative government said, citing a recent case involving three men accused of plotting attacks who used encrypted messaging applications.
But critics including Google and Facebook as well as privacy advocates warn the laws would weaken cybersecurity and be among the most far-reaching in a Western democracy.
Under the planned laws, Canberra could compel local and international providers to remove electronic protections, conceal covert operations by government agencies, and help with access to devices or services.
The draft legislation expands obligations to assist investigators from domestic telecom businesses to encompass foreign companies, including any communications providers operating in Australia.
This means social media websites and messaging services such as Facebook and Whatsapp, as well as gaming platforms with chat facilities, could be covered.
The government has said it is not asking tech firms to build in backdoors to access people's data.
But the Digital Industry Group Inc (DIGI) -- which represents major players such as Twitter and Amazon -- said in a submission to parliament last week that the bill as it is currently written would force them to create vulnerabilities in their operations which could be exploited by hackers.
The proposed changes are based on the UK's "snooper's charter" surveillance powers passed in 2016.

Compliance is not guaranteed.
Paper – ‘Modernised’ Data Protection Convention 108 and the GDPR
Greenleaf, Graham, ‘Modernised’ Data Protection Convention 108 and the GDPR (July 20, 2018). (2018) 154 Privacy Laws & Business International Report 22-3. Available at SSRN:
“One week before the GDPR came into force on 25 May 2018, the ‘modernisation’ of data protection Convention 108 was completed by the Council of Europe on 18 May, by the parties to the existing Convention agreeing to a Protocol amending it (‘Protocol’). The new version of the Convention is now being called ‘108+’ to distinguish it. This article analyses some aspects of the relationships between 108 and 108+, and further developments at the Plenary Meeting of the Convention’s Consultative Committee in Strasbourg, 19-21 June 2018 including a conference to ‘launch’ the new 108+. The transition from 108 to 108+ is complex. Any new countries wishing to accede will have to accede to the Protocol (ie to 108+) as well as to Convention 108, except for a handful of countries previously invited to accede. There are two options for when Convention 108+ will come into force. One involves ratification by all existing 52 parties; the other could see it in force between ratifying parties as early as 2023. Accession to Convention 108+ will have a positive effect on applications for ‘adequacy’ assessments to the EU under the General Data Protection Regulation (GDPR), but the extent to which 108+ compliance will be sufficient for EU adequacy is uncertain. The article discusses these various complexities.”

So, the world is flat after all.
Paper – Common-Knowledge Attacks on Democracy
Farrell, Henry John and Schneier, Bruce, Common-Knowledge Attacks on Democracy (October 2018). Berkman Klein Center Research Publication No. 2018-7. Available at SSRN:
“Existing approaches to cybersecurity emphasize either international state-to-state logics (such as deterrence theory) or the integrity of individual information systems. Neither provides a good understanding of new “soft cyber” attacks that involve the manipulation of expectations and common understandings. We argue that scaling up computer security arguments to the level of the state, so that the entire polity is treated as an information system with associated attack surfaces and threat models, provides the best immediate way to understand these attacks and how to mitigate them. We demonstrate systematic differences between how autocracies and democracies work as information systems, because they rely on different mixes of common and contested political knowledge. Stable autocracies will have common knowledge over who is in charge and their associated ideological or policy goals, but will generate contested knowledge over who the various political actors in society are, and how they might form coalitions and gain public support, so as to make it more difficult for coalitions to displace the regime. Stable democracies will have contested knowledge over who is in charge, but common knowledge over who the political actors are, and how they may form coalitions and gain public support. These differences are associated with notably different attack surfaces and threat models. Specifically, democracies are vulnerable to measures that “flood” public debate and disrupt shared decentralized understandings of actors and coalitions, in ways that autocracies are not.”

Interesting approach. Why only “camera-equipped” phones?
Want to See All the Vermeers in the World? Now’s Your Chance
The New York Times: “Johannes Vermeer, whose acute eye captured the quiet beauty of Dutch domestic life, was not a prolific artist: Just 36 paintings are widely acknowledged as his work. Still, anyone who wanted to see them all had to travel far and wide — to New York, London, Paris and beyond. Until now. The Mauritshuis museum in The Hague, which owns what is perhaps Vermeer’s best-known masterpiece, “Girl With a Pearl Earring,” has teamed up with Google Arts & Culture in Paris to build an augmented-reality app that creates a virtual museum featuring all of the artist’s works. For the app, the Metropolitan Museum of Art has contributed images of all five of its Vermeer masterpieces, while the National Gallery of Art in Washington and the Rijksmuseum in Amsterdam, each with four, have also given photographs of theirs. Two more have come from the Louvre, and three from the Frick Collection. The Isabella Stewart Gardner Museum in Boston has shared an image of “The Concert,” the Vermeer that disappeared after being stolen from the museum’s collection in 1990. That painting will be on view once again in Meet Vermeer, the digital museum. Starting Monday, the free app will be accessible to anyone with a camera-equipped smartphone…”

I’m assuming they can be recorded along with your talk.
Microsoft PowerPoint is getting real-time captions and subtitles for presentations
Microsoft is adding real-time captions and subtitles to PowerPoint early next year. The subtitles and captions are designed to help support the deaf or hard of hearing community, and even allow speakers to include a translation of a presentation. Live captions and subtitles will support 12 spoken languages and display on-screen in more than 60 different languages.
… Microsoft had previously used an add-in to provide this type of PowerPoint functionality in the past, and Google also provides similar features in G Suite. Microsoft is planning to bring these features to the Office 365 version of PowerPoint in late January, and they’ll be available across Windows, PowerPoint for Mac, and online versions of PowerPoint.

Deaf communications is a niche I follow.
Huawei’s StorySign app can translate kids’ books into sign language
Chinese smartphone giant Huawei has launched a new Android app that leverages AI tools such as image recognition and optical character recognition (OCR) to translate popular children’s books into sign language.
StorySign was developed in a collaboration between Huawei, the nonprofit European Union for the Deaf, Penguin, and animation gurus Aardman.
The app is available to download from Google Play and Huawei’s own AppGallery in 10 European markets from today.

For my (Graduate!) students who did not know what RSS was…

Monday, December 03, 2018

Some speculation on the impact of the Marriott breach.
Espionage, ID Theft? Myriad Risks From Stolen Marriott Data
The data stolen from the Marriott hotel empire in a massive breach is so rich and specific it could be used for espionage, identity theft, reputational attacks and even home burglaries, security experts say.
The affected reservation system could be extremely enticing to nation-state spies interested in the travels of military and senior government officials, said Jesse Varsalone, a University of Maryland cybersecurity expert.
And because the data included reservations for future stays, along with home addresses, burglars could learn when someone wouldn't be home, said Scott Grissom of LegalShield, a provider of legal services.
Security analysts were especially alarmed to learn of the breach's undetected longevity. Marriott said it first detected the intrusion on Sept. 8 but was unable to determine until last week what data had possibly been exposed — because the thieves used encryption to remove it in order to avoid detection.
Marriott said the stolen credit card information was encrypted but the hackers may have obtained the "two components needed to decrypt the payment card numbers." It said it cannot "rule out the possibility that both were taken." [So, they kept the decryption key online? Bob]
The FBI would not say whether it is investigating, [Strange. They usually love the publicity. Bob]

(Related) Inevitable.
Lawsuits Filed Against Marriott Over Massive Data Breach
Several lawsuits have been filed against Marriott as a result of the data breach. One class action was filed by Murphy, Falcon & Murphy and co-counsel Morgan & Morgan in Maryland. It alleges that Marriott failed to ensure the integrity of its servers and to properly protect sensitive information.
Another class action was filed by two individuals in Oregon. The lawsuit seeks $25 for each impacted customer, which brings the total to $12.5 billion.
Separate legal action was announced by global investor rights law firm Rosen Law Firm, which filed a class action on behalf of purchasers of Marriott shares.
On Sunday, Sen. Chuck Schumer said Marriott should purchase new passports for customers who had their passport numbers stolen as a result of this security incident.

Tiny in comparison to Marriott.
Elasticsearch Instances Expose Data of 82 Million U.S. Users
A total of 73 gigabytes of data were found during a “regular security audit of publicly available servers with the Shodan search engine,” HackenProof explains. At least three IPs with the identical Elasticsearch clusters misconfigured for public access were discovered.
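As an added illustration (this is not from the HackenProof report, which does not say how the clusters were configured), the two elasticsearch.yml fragments below contrast the bind setting that typically turns up as a Shodan hit on port 9200 with the loopback-only setting. Note that at the time of this report (late 2018) authentication was not part of the free Elasticsearch license tier, so a cluster bound to a public interface with nothing in front of it was readable, and writable, by anyone who could reach the port. The comments are mine; the two keys shown are real Elasticsearch settings.

```yaml
# Exposed configuration (added example, not the reported clusters' actual config).
# Binding to all interfaces on a host with a public address, with no authenticating
# proxy or firewall rule in front, makes every index reachable from the internet.
network.host: 0.0.0.0
http.port: 9200
---
# Hardened configuration.
# Bind only to loopback (the Elasticsearch default). Anything that must reach the
# cluster from another host goes through an authenticating reverse proxy or a
# firewall rule limited to known client addresses, not through an open port 9200.
network.host: 127.0.0.1
http.port: 9200
```

The check from outside the host is a plain HTTP GET to /_cat/indices?v on port 9200: if an index listing comes back instead of a connection refusal or a 401, the cluster is open, and the first line of the listing already tells you what is in it.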

I love a good laugh. Can’t wait to see their arguments.
DOJ made secret arguments to break crypto, now ACLU wants to make them public
Earlier this year, a federal judge in Fresno, California, denied prosecutors' efforts to compel Facebook to help it wiretap Messenger voice calls.
But the precise legal arguments that the government made, and that the judge ultimately rejected, are still sealed.
On Wednesday, the American Civil Liberties Union formally asked the judge to unseal court dockets and related rulings associated with this ongoing case involving alleged MS-13 gang members. ACLU lawyers argue that such a little-charted area of the law must be made public so that tech companies and the public can fully know what's going on.
… In their new filing, ACLU lawyers pointed out that "neither the government’s legal arguments nor the judge’s legal basis for rejecting the government motion has ever been made public."
The attorneys continued, citing a "strong public interest in knowing which law has been interpreted" and referencing an op-ed published on Ars on October 2 as an example.

Sunday, December 02, 2018

This could be an outline for several of my Computer Security lectures.
What the Marriott Breach Says About Security
We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.
… The companies run by leaders and corporate board members with advanced security maturity are investing in ways to attract and retain more cybersecurity talent, and arranging those defenders in a posture that assumes the bad guys will get in.
This involves not only focusing on breach prevention, but at least equally on intrusion detection and response. It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly.

Like the judge, I don’t think we have the entire story yet. Why take all that data to the UK?
Judge Orders Software Exec to Turn Over Laptop After He Leaked Data on Facebook
The co-founder of a software company was ordered by a judge to surrender his laptop to a forensic expert after admitting he turned over confidential documents about Facebook Inc. to the U.K. Parliament in violation of a U.S. court order.
Sensitive internal Facebook records that were supposed to remain sealed in a California lawsuit were leaked to a parliamentary committee by one of the founders of app Six4Three, which sued Facebook three years ago over access to friends’ data.
… Kramer has admitted to traveling to London where he claims he was pressured to hand over the information to Damian Collins, who heads Parliament’s Digital, Culture, Media and Sport Select Committee.
… Facebook accused Kramer’s attorneys of complicity in the release, arguing that Kramer could only have access to the sealed files in a Dropbox account if attorneys gave it to him.
A third-party forensics team will pick up Kramer’s laptop, along with his attorneys’ computers, on Friday night. He didn’t bring it to court.

Dilbert explains “managing up.”