Saturday, December 15, 2018

The stalkers already know what she looks like. Is turnabout fair play?
Gabrielle Canon reports:
Taylor Swift secretly surveilling her fans using facial recognition technology might sound like science fiction – but Rolling Stone reported on Thursday that the pop star has been doing exactly that in an effort to root out stalkers.
Swift has stayed silent on the report, declining to comment to the Guardian and other news organizations. But the episode has raised ethical questions for civil rights groups concerned about privacy.
“Stalkers are a generally scary phenomenon and everyone understands why someone like Taylor Swift would want to be protected against them,” says Jay Stanley, the American Civil Liberties Union’s (ACLU) senior policy analyst. “But this does have larger implications. It is not about this one deployment, it is about where this technology is headed.”
Read more on The Guardian.

(Related) The technology is cheap and easily available. Why wouldn’t they use it?
The Taliban Are Watching US Troops With Drones '24/7' In Afghanistan
… During an October showcase of counter-drone directed energy weapons at the White Sands Missile Range in New Mexico, Air Force Research Laboratory official Tom Lockhart revealed that the Taliban and various insurgent groups that are battling for control of the country are aggressively utilizing unmanned aircraft to keep an eye on Resolute Support personnel.

Porn has always been an early adopter, not surprising that Big Data and Data Analytics are also being adopted.
Porn sites collect more user data than Netflix or Hulu. This is what they do with it.
The biggest and perhaps best source of data about what people like to watch on the internet and what they would pay for doesn’t come from streaming giants like Netflix, Amazon Prime Video, or Hulu. It comes from porn.
While consuming porn is typically a private and personal affair, porn sites still track your every move: What content you choose, which moments you pause, which parts you repeat. By mining this data to a deeper degree than other streaming services, many porn sites are able to give internet users exactly what they want—and they want a lot of it.
There are 125 million daily visits to the Pornhub Network of sites, including YouPorn and Redtube, and 100 million of those are to Pornhub alone. (It’s widely acknowledged that Pornhub is the most popular porn site in the world although exact statistics on the industry are few and far between.) To put into perspective how much content that is: In 2017, Pornhub transmitted more than the entire contents of the New York Public Library’s 50 million books combined.
... MindGeek is the world’s biggest porn company—more specifically, it’s a holding company that owns numerous adult entertainment sites and production companies, including the Pornhub Network.
… MindGeek, whose bandwidth use exceeds that of Facebook or Amazon, began as a company named Mansef, founded by Stephane Manos and Ouissam Youssef in 2004. It was bought by tech entrepreneur Fabian Thylmann in 2010, re-named Manwin, then MindGeek, and now runs a near-monopoly of streaming porn sites.

What would it take for this to happen in Brazil, Mexico, or the US?
How WhatsApp Fuels Fake News and Violence in India
In India, WhatsApp is a major channel for false reporting and hate speech that sometimes fuels mob violence and gruesome murders. Police say they can’t track the encrypted messages to find culprits. And the government is demanding change.
… The five male victims in Rainpada were part of a string of killings that took place over the late spring and summer linked to messages spread on WhatsApp, the Facebook-owned encrypted messaging platform. Police and government officials estimate that more than two dozen people have been killed by mobs, though no official tally is being kept. IndiaSpend, a data journalism outlet, pegs the figure at 33 killed in 69 incidents of mob violence between January 2017 and July 2018.
… The Indian government has cast much of the blame for these killings on WhatsApp. In August and again in late October, the government asked the company for the ability to stop and trace problematic messages, a demand that would short-circuit the encrypted security that is central to the app’s popularity. At the same time, critics of the government accuse it of using the platform as a convenient scapegoat while failing to sufficiently address underlying issues of intolerance, weak policing, caste divides, and nationalist rhetoric that has fueled violence again and again.

For every ‘Oops!,’ a ‘Gotcha?’
Facebook faces billion-euro fine as Irish data protection commissioner opens fresh investigation into photo leak
Facebook is potentially facing huge fines from Ireland’s data protection commissioner, who has announced a fresh investigation into the social media giant.
The move comes after Facebook admitted another privacy error, possibly affecting 7m people. The bug may have allowed up to 1,500 apps to get access to private photos held by users on the social site.
Facebook is already facing an official probe from the Irish data watchdog for a previous privacy leak in September, which the company said may have affected 30m people.
… The Irish data authority now has at least two serious investigations underway into Facebook, with 14 more also being undertaken against other tech multinationals. Because so many big tech companies choose Ireland as their European or global headquarters, the Irish data authority is responsible for investigating when there is a problem.

An interesting perspective.
The Machine Learning Race Is Really a Data Race
… Machine learning — or artificial intelligence, if you prefer — is already becoming a commodity. Companies racing to simultaneously define and implement machine learning are finding, to their surprise, that implementing the algorithms used to make machines intelligent about a data set or problem is the easy part. There is a robust cohort of plug-and-play solutions to painlessly accomplish the heavy programmatic lifting, from the open-source machine learning framework of Google’s TensorFlow to Microsoft’s Azure Machine Learning and Amazon’s SageMaker.
What’s not becoming commoditized, though, is data. Instead, data is emerging as the key differentiator in the machine learning race. This is because good data is uncommon.
… today’s most valuable companies trade in software and networks, not just physical goods and capital assets. Over the past 40 years, the asset focus has completely flipped, from the market being dominated by 83% tangible assets in 1975 to 84% intangible assets in 2015. Instead of manufacturing coffeepots and selling washing machines, today’s corporate giants offer apps and connect people. This shift has created a drastic mismatch between what we measure and what actually drives value.

Worth reading.
Searching Google: Lessons from Sundar Pichai’s Congressional Testimony
… “The big takeaway is that trust is the currency of this generation of innovation,” notes Andrea Matwyshyn, professor of law at Northeastern University and an expert on information security and consumer privacy. She believes that while data may have been the driver of the last decade of building out new companies, “the challenge that exists now relates to maintaining the engagement of companies, products and services with the consumer base, and that is going to be driven by trust.”

Friday, December 14, 2018

This reads like a procedure problem. Sending money based on one email is not the way it should work.
Hackers fooled Save the Children into sending $1 million to a phony account
Save the Children Federation, one of the country’s best-known charities, said it was the victim of a $1 million cyberscam last year.
The Connecticut-based nonprofit said hackers broke into a worker’s e-mail, posed as an employee, and created false invoices and other documents, to fool the charity into sending nearly $1 million to a fraudulent entity in Japan. The con artists claimed the money was needed to purchase solar panels for health centers in Pakistan, where Save the Children has worked for more than 30 years.
… Sandy Ross, an accountant and fraud examiner, said that most large nonprofits and businesses have procedures to prevent such scams, such as having a second person sign off on significant wire transfers and calling the recipient to verify the account numbers. In all but one instance Ross could recall, she said, the attacks have “been thwarted.”
… Save the Children Federation, also known as Save the Children US, has since adopted similar measures, including making sure someone confirms all new vendors and bank account instructions via phone, as well as strengthening its technology systems.

There is talk that China is gathering (all kinds of) information on everyone, everywhere. If that is so, consider what they could do with it.
Sergiu Gatlan reports:
According to the Ministry’s public statement, the hackers managed to get their hands on the names, phone numbers, and email addresses of all people who had an account on the French Ariane emergency contact database.
The platform is used by the French Ministry of Europe and Foreign Affairs to allow citizens traveling abroad to receive security updates in case of emergency.
“Personal data recorded during registration on the Ariane platform have been stolen,” says the Ministry’s statement.
Read more on Softpedia.
[From the article:
"As soon as we became aware of this attack, we put in place measures, technically to prevent any further intrusions of this type," added the Ministry.

Investigating the Twits?
Twitter says governments are ramping up their demands for user data
… According to the newly released data, Twitter received 6,904 government requests for information on 16,882 accounts. Twitter turned over at least some data in 56 percent of cases.
The U.S. took the lead with 2,231 requests for information on 9,226 accounts — representing about one-third of all Twitter’s demands for the first-half of the year, with Japan and the U.K. falling behind in second and third place.

What was this about? What would have happened if someone refused to leave the plane? Did DHS think San Francisco was in another country?
Last October, the ACLU filed suit after an incident that still boggles my mind. As Cecilia Wang of the ACLU described the background at the time:
On February 22, 2017, Delta Airlines Flight 1583 departed San Francisco and headed for John F. Kennedy Airport in New York. As the plane was landing, passengers heard a strange announcement.
Speaking over the intercom, a flight attendant announced that everyone would have to show their documents in order to get off the plane. After passengers expressed their consternation, the flight attendant repeated her announcement, stating that officers would be meeting the plane and every passenger would have to show government-issued ID to deplane.
The case, Amadei v. Duke, was filed in the Eastern District of New York (Duke’s the Acting Secretary of Homeland Security). The government is not having an easy time trying to get this case dismissed. The docket for yesterday shows:
MEMORANDUM & ORDER, For the foregoing reasons, Defendants’ motion to dismiss (Dkt. 32) is DENIED. Defendants’ motion to dismiss Plaintiffs’ APA claim is DENIED. Defendants’ motion to stay discovery pending a decision on Defendants’ motion to dismiss (Dkt. 70) is DENIED as moot. So Ordered by Judge Nicholas G. Garaufis on 12/13/2018. (Lee, Tiffeny) (Entered: 12/13/2018)
I’ve uploaded the memorandum and order, below.

Perspective. A new world for my students to explore.
Internet of Bodies: The Privacy and Security Implications - CPO Magazine
… Over the past few years, technological advances in healthcare and medicine have combined with advances in AI to create a brave new world that some have called the “Internet of Bodies.” Instead of simply hooking up digital devices and connected objects to the Internet, as with the Internet of Things, we are now hooking up human bodies to the Internet.
With the Internet of Bodies, connected devices from tech companies are now being implanted, ingested and affixed to the human body in ways never before imagined. And these connected devices are simultaneously generating tremendous amounts of data about our behaviors, our physiology, and even our DNA. Examples of Internet of Bodies innovations include smart contact lenses that are able to monitor glucose levels, artificial lenses used to correct vision, Bluetooth-equipped electronic pills, digital tattoos, and even Fitbit devices that monitor and analyze very intimate profiles of your health and physiological functions.
… Imagine being turned down for healthcare coverage because an AI system detected certain warning signs in all of your biometric or physiological data, or being required by the state to undergo behavioral modification training for committing a “health crime.”

More Americans are making no weekly purchases with cash
“Americans are becoming less reliant on physical currency. Roughly three-in-ten U.S. adults (29%) say they make no purchases using cash during a typical week, up slightly from 24% in 2015. And the share who say that all or almost all of their weekly purchases are made using cash has modestly decreased, from 24% in 2015 to 18% today, according to a new Pew Research Center survey that comes as some businesses experiment with becoming cashless establishments. Demographic patterns in the new survey, which was conducted in September and October, are similar to those in a 2015 survey by the Center. Most notably, adults with an annual household income of $75,000 or more are more than twice as likely as those earning less than $30,000 a year to say they do not make any purchases using cash in a typical week (41% vs. 18%). Conversely, lower-income Americans are about four times as likely as higher-income Americans to say they make all or almost all of their purchases using cash (29% vs. 7%)…

Thursday, December 13, 2018

Let’s hope police departments mention this to their officers. Government officials? Fend for yourselves.
Federal judge rules Mass. law prohibiting secret audio recording of police, government officials is unconstitutional
Joe Cadillic sends along this report by Noah R. Bombard:
A federal court judge Monday ruled a Massachusetts General Law prohibiting the secret audio recording of police or government officials is unconstitutional.
Chief United States District Judge Patti B. Saris made the ruling on two similar cases — one involving two Jamaica Plain residents who frequently record police officers and a second case involving Project Veritas, the undercover organization founded by conservative political activist James O’Keefe.
Read more on MassLive while I do a little happy dance.
[From the article:
In the 44-page decision Saris declared that "secret audio recording of government officials, including law enforcement officials, performing their duties in public is protected by the First Amendment, subject only to reasonable time, place and manner restrictions."
… "both have stated that their desire to record secretly stems from a fear that doing so openly will endanger their safety and provoke hostility from officers."

More details on the arguments please.
Bulk surveillance is always bad, say human rights orgs appealing against top Euro court
A band of human rights organisations have appealed against a top European court's ruling on bulk surveillance, arguing that any form of mass spying breaches rights to privacy and free expression.
… That ruling said oversight of the UK government's historic regime for bulk interception of communication was insufficient and violated privacy rights under the European convention.
However, it did not say that bulk interception was unlawful in and of itself; neither did it rule that sharing information with foreign governments breached the rules.
It is these elements of the ruling that the groups disagree with, arguing that bulk surveillance can never be lawful, and that sharing intelligence with other governments is just another form of bulk surveillance and also unlawful.

This won’t go anywhere, it doesn’t have a cutesy acronym.
Federal data privacy bill introduced by 15 US senators
Laura Hautala reports:
The US doesn’t have a single data privacy law that applies to all fifty states. On Wednesday, a group of 15 US senators indicated it wanted to change the status quo, introducing the Data Care Act.
The bill (PDF) would require companies that collect personal data from users to take reasonable steps to safeguard the information. The act also has provisions to prevent them from using the data in ways that could harm consumers.
If the bill becomes law, the US Federal Trade Commission would be in charge of implementing it.
“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them,” Sen. Brian Schatz, a Democrat from Hawaii who is sponsoring the bill, said in a press release.
Read more on CNET.

Is it war yet? Is there a line that China (or others) must not cross? I don’t have a clear vision of that line, if it exists.
FBI: China threatens 'the future of the world’
Chinese spying threatens “not just the future of the United States, but the future of the world,” a senior FBI official told lawmakers Wednesday.
“We are being exploited by China, so we are right to shore up our defenses against this,” E.W. Priestap, assistant director of the FBI’s Counterintelligence Division, told the Senate Judiciary Committee.
… His warning echoed the assessment offered by a senior CIA official in July. “At the end of the day, the Chinese fundamentally seek to replace the United States as the leading power in the world,” Michael Collins, the CIA’s deputy assistant director for the East Asia Mission Center, said during the Aspen Security Forum. “What they're waging against us is fundamentally a cold war.”

“Hey! Here’s something we haven’t taxed yet!” (But if they drop the line for TEXT on the bill, no tax?)
California proposes a plan to tax text messages
… A new surcharge proposed by the California Public Utilities Commission (CPUC) wouldn't be a per-text tax, but a monthly fee based on a cellular bill that includes any fees for text-message services. Most carriers offer a flat fee option for texting, and already charge a similar fee for other services included in the bill — such as phone calls. The exact structure of the charge would vary from carrier to carrier.

(Related) Wouldn’t Google just buy/create their own ISP?
FCC panel wants to tax Internet-using businesses and give the money to ISPs
… If adopted by states, the recommended tax would apply to subscription-based retail services that require Internet access, such as Netflix, and to advertising-supported services that use the Internet, such as Google and Facebook. The tax would also apply to any small- or medium-sized business that charges subscription fees for online services or uses online advertising. The tax would also apply to any provider of broadband access, such as cable or wireless operators.

Wednesday, December 12, 2018

Is this all that Congress has learned?
House Releases Cybersecurity Strategies Report
The U.S. House of Representatives’ Committee on Energy and Commerce has released a report identifying strategies for the prevention and mitigation of cybersecurity incidents.
Designed to summarize the work of the Subcommittee on Oversight and Investigations, the report (PDF) includes conclusions drawn from tens of briefings, hearings, letters, reports, and roundtables.

For my Computer Security students.
Organizations Still Slow to Detect Breaches: CrowdStrike
Organizations are getting better at detecting intrusions on their own, but it still takes them a long time to do it, according to a new report published on Tuesday by endpoint security firm CrowdStrike.
… the average attack dwell time – or the time it takes to detect an attack – was 85 days, comparable to the 86 days reported by the company in its 2017 report.
“Clearly, there is considerable room for improvement. Boards of directors, executive management, and the public at large are all rightly concerned that organizations take days, weeks or even months to detect attacks,” CrowdStrike said in its latest report.

Cybersecurity of the Person
Kosseff, Jeff, Cybersecurity of the Person (October 31, 2018). First Amendment Law Review, 2019. Available at SSRN:
“U.S. cybersecurity law is largely an outgrowth of the early-aughts concerns over identity theft and financial fraud. Cybersecurity laws focus on protecting identifiers such as driver’s licenses and social security numbers, and financial data such as credit card numbers. Federal and state laws require companies to protect this data and notify individuals when it is breached, and impose civil and criminal liability on hackers who steal or damage this data. In this paper, I argue that our current cybersecurity laws are too narrowly focused on financial harms. While such concerns remain valid, they are only one part of the cybersecurity challenge that our nation faces. Too often overlooked by the cybersecurity profession are the harms to individuals, such as revenge pornography and online harassment. Our legal system typically addresses these harms through retrospective criminal prosecution and civil litigation, both of which face significant limits. Accounting for such harms in our conception of cybersecurity will help to better align our laws with these threats and reduce the likelihood of the harms occurring.”

If you place cookies, you need to understand this.
How Big Companies Should Behave Under Europe’s New Cookie Regulations
… Under the GDPR, implied consent is not enough and instead customers must actively affirm that they agree to the use of cookies. That means that companies can no longer claim that using its website constitutes consumer consent. Rather, websites must provide accurate information – in plain language – specifying exactly what a company’s cookie policy is. The GDPR also grants users the right to retract their consent and every 12 months corporations must obtain renewed consent from customers to keep using cookies for the same purposes.
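The consent rules the excerpt describes (an affirmative act rather than implied consent, a right to withdraw, and renewal every 12 months) expressed as a server-side check. This is an added example, not code from the article; the record layout, purpose names and the 365-day validity window are assumptions.

```python
"""Cookie-consent record check: explicit affirmation, withdrawal, 12-month renewal.

Added example (not from the article). Decides whether a stored consent record
still authorises setting a cookie for a given purpose. Record fields and purpose
names are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: "every 12 months" is implemented as a 365-day validity window.
CONSENT_VALIDITY = timedelta(days=365)


@dataclass
class ConsentRecord:
    granted_at: datetime          # when the user actively affirmed (tz-aware)
    purposes: frozenset[str]      # e.g. {"analytics", "advertising"}
    explicit: bool                # True only for an affirmative act, never inferred from browsing
    withdrawn_at: datetime | None = None


def consent_allows(record: ConsentRecord | None, purpose: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason) for setting a cookie with the given purpose.

    Strictly necessary cookies are treated as exempt; everything else requires a
    live, explicit, unexpired, non-withdrawn consent that names the purpose.
    """
    if purpose == "strictly_necessary":
        return True, "exempt"
    if record is None:
        return False, "no consent recorded"
    if not record.explicit:
        # Continued use of the site is not consent under the rules described.
        return False, "implied consent is not valid"
    if record.withdrawn_at is not None and record.withdrawn_at <= now:
        return False, "consent withdrawn"
    if now - record.granted_at >= CONSENT_VALIDITY:
        return False, "consent older than 12 months; renewal required"
    if purpose not in record.purposes:
        return False, f"purpose {purpose!r} not covered by consent"
    return True, "ok"


def renewal_due_at(record: ConsentRecord) -> datetime:
    """When the site must ask this user again for the same purposes."""
    return record.granted_at + CONSENT_VALIDITY


def withdraw(record: ConsentRecord, now: datetime) -> ConsentRecord:
    """Record a withdrawal; the original grant is kept for audit purposes."""
    return ConsentRecord(record.granted_at, record.purposes, record.explicit, withdrawn_at=now)


if __name__ == "__main__":
    # Constructed sample: consent given 1 Jan 2018, checked on 12 Dec 2018.
    now = datetime(2018, 12, 12, tzinfo=timezone.utc)
    rec = ConsentRecord(datetime(2018, 1, 1, tzinfo=timezone.utc), frozenset({"analytics"}), explicit=True)
    print(consent_allows(rec, "analytics", now))       # (True, 'ok')
    print(consent_allows(rec, "advertising", now))     # purpose not covered
    print(consent_allows(withdraw(rec, now), "analytics", now))
    print(renewal_due_at(rec).date())
```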

It’s not important that they don’t know. What is important is, they don’t bother to find out!
At the Google hearing, Congress proves they still have no idea how the internet works
Google CEO Sundar Pichai’s long-awaited Congressional hearing took place on Tuesday.
Pichai testified before Congress on Google+ data breaches, the controversial Chinese-censorship friendly search product, and perceived anti-conservative bias. But, there was one more pressing concern that took center stage to those watching the hearing: Several members of Congress, at least on the House Judiciary Committee, have no idea what they’re talking about when it comes to technology.
… Rep. Lamar Smith claimed as fact that 96 percent of Google search results come from liberal sources. Besides being proven false with a simple search of your own, Google’s search algorithm bases search rankings on attributes such as backlinks and domain authority. Partisanship of the news outlet does not come into play. Smith asserted that he believes the results are being manipulated, regardless of being told otherwise.
… When Iowa Rep. Steve King demanded to know why a nasty image of the Congressman would appear on his granddaughter’s phone while she was playing a game, Pichai had to point out that Google doesn’t make the iPhone. King’s response? It could have been an Android!

For my student researchers. (Remember, the page is not the article.)
How to Find Out When a Webpage Was Published
maketecheasier: “When you’re doing research on a topic, it’s vital to ensure your sources are up to date. If you’re writing an academic paper, dates of publication are often required in the citations. The majority of the time, getting the date is easy: simply look on the site and find the “published on” date to find out how recent it was. Things get a little more complicated when there is no date listed on the webpage. When this happens, how do you know when the page was published?…”

Tuesday, December 11, 2018

A very very small portion of Google’s users.
Google says Google+ bug affected 52.5 million people
Google will shut down its Google+ social network much sooner than planned after discovering a second bug that revealed millions of customers' private information to software developers.
In a blog post, the company said 52.5 million people were affected by a bug in a November software update. The latest bug allowed app developers to access profile information not marked public. App developers inadvertently had access to this data for six days.

You might want to send this article to “your leaders.” Or at least your Accounts Payable department.
How Internet Savvy are Your Leaders?
Back in April 2015, I tweeted about receiving a letter via snail mail suggesting the search engine rankings for a domain registered in my name would suffer if I didn’t pay a bill for some kind of dubious-looking service I’d never heard of. But it wasn’t until the past week that it became clear how many organizations — including towns, cities and political campaigns — actually have fallen for this brazen scam.
… According to a statement filed with the Federal Election Commission, one of the earliest public records involving a payment to Web Listings dates back to 2008 and comes from none other than the 2008 Hillary Clinton for President fund.
… Guilmette said most of the public references he found regarding payments to Web Services Inc. are from political campaigns and small towns.
“Which naturally raises the question: Should we really be trusting these people with our money?” Guilmette said. “What kind of people or organizations are most likely to pay a bill that is utterly phony baloney, and that actually isn’t due and payable? The answer is people and organizations that are not spending their own money.”

I doubt this will be the basis for a US version of the GDPR. And why no Democrats? Cherchez la political contribution?
House Cmte Investigation Issues Scathing Report on Equifax Breach
The Hill: “The House Oversight and Government Reform Committee, following a 14-month probe, released a scathing report Monday saying the consumer credit reporting agency aggressively collected data on millions of consumers and businesses while failing to take key steps to secure such information. The breach is estimated to have harmed 148 million consumers.
“In 2005, former Equifax Chief Executive Officer (CEO) Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, information technology (IT) systems, and data,” according to the 96-page report authored by Republicans. “Equifax, however, failed to implement an adequate security program to protect this sensitive data. As a result, Equifax allowed one of the largest data breaches in U.S. history. Such a breach was entirely preventable.”…

How do we know this article was not written by an AI?
Artificial Intelligence and the Future of Humans
Pew: “Experts say the rise of artificial intelligence will make most people better off over the next decade, but many have concerns about how advances in AI will affect what it means to be human, to be productive and to exercise free will. Digital life is augmenting human capacities and disrupting eons-old human activities. Code-driven systems have spread to more than half of the world’s inhabitants in ambient information and connectivity, offering previously unimagined opportunities and unprecedented threats. As emerging algorithm-driven artificial intelligence (AI) continues to spread, will people be better off than they are today? Some 979 technology pioneers, innovators, developers, business and policy leaders, researchers and activists answered this question in a canvassing of experts conducted in the summer of 2018. The experts predicted networked artificial intelligence will amplify human effectiveness but also threaten human autonomy, agency and capabilities. They spoke of the wide-ranging possibilities; that computers might match or even exceed human intelligence and capabilities on tasks such as complex decision-making, reasoning and learning, sophisticated analytics and pattern recognition, visual acuity, speech recognition and language translation. They said “smart” systems in communities, in vehicles, in buildings and utilities, on farms and in business processes will save time, money and lives and offer opportunities for individuals to enjoy a more-customized future…”

I don’t think they like Article 13.
Latest EU Copyright Proposal: Block Everything, Never Make Mistakes, But Don't Use Upload Filters
As we've been discussing the "Trilogue" negotiations between the EU Commission, EU Council and EU Parliament over the EU's Copyright Directive have continued, and a summary has been released on the latest plans for Article 13, which is the provision that will make upload filters mandatory, while (and this is the fun part) insisting that it doesn't make upload filters mandatory. Then, to make things even more fun, another document on the actual text suggests the way to deal with this is to create a better euphemism for filters.

Perspective. No breakdown of the results of these searches. What were they looking for? How often did they find anything?
Colleen Long of AP reports:
U.S. Customs and Border Protection officers are searching the electronic devices of travelers more often, and did not always follow proper protocol, a new watchdog report has found.
The report made public Monday found there were 29,000 devices searched at a port of entry out of 397 million travelers to the U.S. in budget year 2017, up from 18,400 the year before from 390 million travelers.
Customs and Border Protection officials note it is less than 1 percent of all travelers.
Read more on AP.

Social media outpaces print newspapers in the U.S. as a news source
Social media sites have surpassed print newspapers as a news source for Americans: One-in-five U.S. adults say they often get news via social media, slightly higher than the share who often do so from print newspapers (16%) for the first time since Pew Research Center began asking these questions.
… Overall, television is still the most popular platform for news consumption – even though its use has declined since 2016. News websites are the next most common source, followed by radio, and finally social media sites and print newspapers.

Perspective. This should have been done 30 or 40 years ago!
UK just banned the NHS from buying any more fax machines
BBC News: “The National Health Service will be banned from buying fax machines from next month – and has been told by the government to phase out the machines entirely by 31 March 2020. In July, the Royal College of Surgeons revealed nearly 9,000 fax machines were in use across the NHS in England. The Department of Health said a change to more modern communication methods was needed to improve patient safety and cyber security. An RCS spokesman said they supported the government’s decision. In place of fax machines, the Department of Health said secure email should be used. Richard Kerr, who is the chair of the RCS’s commission on the future of surgery, said the continued use of the outdated technology by the NHS was “absurd”. He added it was “crucial” that the health service invested in “better ways of communicating the vast amount of patient information that is going to be generated” in the future. The group’s report from earlier this year found the use of fax machines was most common at the Newcastle upon Tyne NHS Trust, which still relied on 603 machines. Three-quarters of the trusts in England replied to the survey – 95 in total. Ten trusts said that they did not own any fax machines, but four in ten reported more than 100 in use…”

Monday, December 10, 2018

Not as much exposure as you might think. Do you know every computer a job applicant might have had access to?
DarkVishnya: Banks attacked through direct connection to local network
… In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company’s local network. In some cases, it was the central office, in others a regional office, sometimes located in another country.
… Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization’s building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms.
The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals’ abilities and personal preferences. In the cases we researched, it was one of three tools:
  • netbook or inexpensive laptop
  • Raspberry Pi computer
  • Bash Bunny, a special tool for carrying out USB attacks
… At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. At the same time, the attackers tried to brute-force or sniff login data for such machines.
… Having succeeded, the cybercriminals proceeded to stage three. Here they logged into the target system and used remote access software to retain access
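One defensive check that the three-stage pattern above calls for, as an added example that is not from Kaspersky or the original post: triage DHCP leases against an asset inventory so that a device plugged into a meeting-room port is flagged before it has finished its network scan. It assumes a dnsmasq-style lease file and a hypothetical inventory; every MAC address, asset tag and lease line below is constructed sample data.

```python
from dataclasses import dataclass
# Added defensive example, not Kaspersky's or the post's code. Every MAC,
# asset tag and lease line here is constructed sample data.

# OUI prefixes registered to the Raspberry Pi Foundation in the IEEE list;
# a match only raises severity, it is a hint rather than proof of a rogue SBC.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Hypothetical asset inventory: MAC -> asset tag of equipment the bank owns.
KNOWN_ASSETS = {
    "00:1a:2b:3c:4d:5e": "print-server-01",
    "00:1a:2b:3c:4d:5f": "branch-ws-014",
}

@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    severity: str  # "medium": not inventoried; "high": plus SBC vendor OUI

def parse_dnsmasq_lease(line: str):
    """Parse '<expiry> <mac> <ip> <hostname> <client-id>'; None if malformed."""
    fields = line.split()
    if len(fields) < 4:
        return None
    return fields[1].lower(), fields[2], fields[3]

def triage_leases(lease_lines, known_assets=KNOWN_ASSETS):
    """Return a Finding for every lease whose MAC is absent from the inventory."""
    findings = []
    for line in lease_lines:
        parsed = parse_dnsmasq_lease(line)
        if parsed is None:
            continue  # blank or malformed line
        mac, ip, hostname = parsed
        if mac in known_assets:
            continue  # inventoried device, nothing to raise
        severity = "high" if mac[:8] in RASPBERRY_PI_OUIS else "medium"
        findings.append(Finding(mac, ip, hostname, severity))
    return findings

# Constructed sample leases: one inventoried printer, an unknown Pi in the
# meeting-room subnet, and an unknown laptop that is not in the inventory.
SAMPLE_LEASES = [
    "1544400000 00:1a:2b:3c:4d:5e 10.0.1.20 print-server-01 *",
    "1544400300 b8:27:eb:12:34:56 10.0.5.77 raspberrypi 01:b8:27:eb:12:34:56",
    "1544400600 02:11:22:33:44:55 10.0.5.78 DESKTOP-7Q2 01:02:11:22:33:44:55",
]
```

Running `triage_leases(SAMPLE_LEASES)` yields two findings, the Pi at "high" and the laptop at "medium"; feeding the real lease file and switch port-security logs into the same loop turns it into a scheduled check.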

This could be another example of the FBI talking to lawmakers in another country, hoping to convince them to support an FBI position. Now they can point to this law and tell US lawmakers, “We’re behind!”
Australia Anti-Encryption Law Rushed to Passage
A newly enacted law rushed through Australia's parliament will compel technology companies such as Apple, Facebook and Google to disable encryption protections so police can better pursue terrorists and other criminals.
"I think it's detrimental to Australian and world security," said Bruce Schneier, a tech security expert affiliated with Harvard University and IBM.
U.S. law enforcement officials, including Deputy Attorney General Rod Rosenstein, are again pushing for legislation that would somehow give authorities access to secure communications.
The Australian bill is seen by many as a beachhead for those efforts because the nation belongs to the "Five Eyes" security alliance with the U.S., Britain, Canada and New Zealand.
"There is a lot here that doesn't make any sense," Schneier said of the Australian bill. "This is a technological law written by non-technologists and it's not just bad policy. In many ways, I think it's unworkable."
A leading figure in cryptography, Martin Hellman of Stanford University, said it appears the bill would "facilitate crime by weakening the security of the affected devices."
But Apple, in comments filed with parliament in October, argued that "it would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat."

I’m beginning to think that stories like this are influencing the push for real penalties (like GDPR). The next requirement is some significant penalties for the managers who won’t take action on their own.
Stuff reports on a case in New Zealand that was cited in a newly-released annual report by the Privacy Commissioner. Disturbingly, the unnamed government agency not only did not set a great example for data protection, but it also demonstrated a less than admirable response to the incident of insider wrongdoing that harmed a member of the public. Stuff reports:
A government employee in dispute with his neighbour snooped on him 73 times after accessing his employer’s “sensitive” records.
He also changed the man’s file to add allegations of “improper conduct”.
When the government agency found out about the privacy breach it reviewed its processes but was not willing to apologise to the neighbour or pay him compensation.
The commissioner has called for changes to the Privacy Act to introduce “meaningful consequences” for non-compliance, including for the commissioner to decide which cases should go to the tribunal and for the commissioner to take the claims.
Read more on Stuff. That the agency didn’t even apologize for the anguish or harm to the individual is concerning.
It is one thing to argue that you had policies and procedures in place that you monitored, but despite that, an employee willfully managed to violate both, but then not to give the affected individual anything — even a “We agree with you and have terminated the employee’s position with us,” well…. there has to be more redress and/or compensation for those whose complaints are founded. And government agencies should be setting good examples instead of needing to be dragged before a tribunal or sued.
To jump directly to the annual report, go here.

Is political news based on the number of people who want to read it?
The long, tortured quest to make Google unbiased
The Verge – Can a search engine ever be meaningfully neutral: “[December 11, 2018], Sundar Pichai will try to reassure Congress that Google’s search engine isn’t rigged. The Google CEO is testifying before the House Judiciary Committee on Tuesday [The Hearing is titled – Transparency & Accountability: Examining Google and its Data Collection, Use and Filtering Practices] answering questions about “potential bias and the need for greater transparency” in Google’s business practices. It’s Republican lawmakers’ latest move in a series of hearings over Silicon Valley political bias. “Google has created some of the most powerful and impressive technology applications,” wrote House Majority Leader Kevin McCarthy in the announcement. “Unfortunately, recent reports suggest Google might not be wielding its vast power impartially. Its business practices may have been affected by political bias.” We don’t know exactly what questions will arise during Pichai’s testimony. But this summer, President Donald Trump caused a brief uproar by claiming (without evidence) that Google suppressed positive news about him. Reports indicated Trump might even direct regulators to investigate Google and other platforms for bias. But that proposal hadn’t come from one of Silicon Valley’s many ideological enemies — it was supposedly promoted by recommendations site Yelp, which has spent years protesting what it calls unfair demotion of its search results.
That investigation never came to pass. But it highlighted a major underpinning of the current anti-Google backlash: a decade-long fight over how search engines, which have become many people’s primary gateway to the internet, should treat the websites they list.”

Sunday, December 09, 2018

A Privacy issue, more than a Terminator issue.
… On Thursday, the AI Now Institute, which is affiliated with New York University and is home to top AI researchers with Google and Microsoft, released a report detailing, essentially, the state of AI in 2018, and the raft of disconcerting trends unfolding in the field. What we broadly define as AI—machine learning, automated systems, etc.—is currently being developed faster than our regulatory system is prepared to handle, the report says. And it threatens to consolidate power in the tech companies and oppressive governments that deploy AI while rendering just about everyone else more vulnerable to its biases, capacities for surveillance, and myriad dysfunctions.
… But it also conveys a succinct assessment of the key problem areas in AI as they stand in 2018. As detailed by AI Now, they are:
  1. The accountability gap between those who build the AI systems (and profit off of them) and those who stand to be impacted by the systems (you and me) is growing.
  2. AI is being used to amplify surveillance, often in horrifying ways.
  3. The government is embracing autonomous decision software in the name of cost-savings, but these systems are often a disaster for the disadvantaged.
  4. AI testing “in the wild” is rampant already.
  5. Technological fixes to biased or problematic AI systems are proving inadequate.

The world must look different from the Ninth Circuit.
The good folks at write:
In a surprisingly brief opinion, the Ninth Circuit has upheld a decision to dismiss a privacy suit against Facebook concerning the collection of sensitive medical data. In Smith v. Facebook, users alleged that the company tracked their visits to healthcare websites, in violation of the websites’ explicit privacy policies. In a little less than five pages, the Ninth Circuit decided that Facebook was not bound by the promises made not to disclose users’ data to Facebook because Facebook has a provision, buried deep in its own policy, that allows Facebook to secretly collect such data. The court actually wrote that searches for medical information are not sensitive because the “data show only that Plaintiffs searched and viewed publicly available health information…” EPIC filed an amicus brief in the case, arguing that “consent is not an acid rinse that dissolves common sense.” In 2011 Facebook settled charges with the FTC that it routinely changed the privacy settings of users to obtain sensitive personal data. The consent order resulted from detailed complaints brought by EPIC and several other consumer organizations
I hate to say it, but I do understand the court’s reasoning, at least in part. Just visiting a site about a health issue is not the same thing as going to a doctor’s office for a consultation on a disorder or diagnosis. But we also know that sometimes, these situations create significant problems when advertising relating to a sensitive issue then shows up on a shared browser. For example, if a teen browses for information on transgender issues, and then their parents later have ads pop up while they’re using the browser, the collection and use of data from public sites can cause privacy issues and concerns.
So yes, the court’s siding with Facebook is very troubling because it’s ignoring what we have learned — that buried provisions in Facebook’s terms of service are generally not read by consumers who click through “I consent.” For the court to say that hey, it’s in there and consumers consented to have their data collected by Facebook, even though they are on a web site that promises NOT to share their data with Facebook, well…. the Ninth Circuit has set consumer privacy back. As EPIC noted in their amicus brief (p. 6):
Users could point to explicit statements on the medical websites they visited which said their personal data would not be disclosed to others. Yet, Facebook pointed to language, buried deep in its privacy policy, which said that it nonetheless could collect the data, and the lower court sided with Facebook. In such a world, how can users possibly make sense of privacy statements
Although the plaintiffs didn’t prevail, do read EPIC’s amicus brief in this case as it provides a helpful discussion of the concerns.

Helpful for us non-lawyers.
Standing Issues in Data Breach Litigation: An Overview