Saturday, February 16, 2019

A mere $2.75 per credit card (if we don’t pay the lawyers)?
Dena Aubin reports:
Restaurant company Wendy’s has agreed to pay $50 million to resolve a 2016 lawsuit by financial institutions nationwide alleging that the company’s negligence allowed hackers to steal credit and debit card information in a 2015 data breach.
Disclosed in a filing on Wednesday in Pittsburgh federal court, the settlement will be paid to approximately 7,500 banks and credit unions that issued about 18 million credit or debit cards exposed in the data breach. The deal must still be approved by the court.
To read the full story, you’ll need an account on WestlawNext Practitioner Insights.

I try to teach my Computer Security students that you need to think about everything you do. And think: What could go wrong? Unencrypted? No contact information on the disk drive?
Someone asked me today about the lack of W-2 phishing reports or W-2 incidents that we’ve seen so far this year. I responded that I hadn’t really had time to research W-2 attacks yet, but a reader, “DLOW,” has now kindly submitted a news story by Mary Richards of KSL in Utah. The kinds of tax documents involved in this incident do not contain full Social Security numbers like W-2 forms do, but it’s still a tax document incident:
Forty-two thousand students at Salt Lake Community College are learning that their tax documents got lost.
An email sent to students and obtained by KSL Newsradio explained that a memory drive with tax documents for the students somehow fell out of an envelope on its way from a contracted company to the college.
SLCC spokesman Joy Tlou said that when the college processes these documents that deal with the 1098-T tax form used for getting educational tax credits, the college goes through a third-party vendor and uses a secured cloud server to access the information. That information is then also backed up on a memory drive and sent to the college.
Read more on KSL and see the FAQ on the incident.

(Related) Easy to program if you ignore the security requirements.
Julia Ingram and Hannah Knowles report:
Before this week, Stanford students could view the Common Applications and high school transcripts of other students if they first requested to view their own admission documents under the Family Educational Rights and Privacy Act (FERPA).
Accessible documents contained sensitive personal information including, for some students, Social Security numbers. Other obtainable data included students’ ethnicity, legacy status, home address, citizenship status, criminal status, standardized test scores, personal essays and whether they applied for financial aid. Official standardized test score reports were also accessible.
Students’ documents were not searchable by name, but were instead made accessible by changing a numeric ID in a URL.
Read more on The Stanford Daily.
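The flaw described above is an authorization check that was never applied to the record selected by the URL. As an added example written for this post (not code from Stanford's system or from the Stanford Daily), here is that broken lookup beside an ownership-checked version and a regression test a practitioner can run over a fixture; the data store, student names and document IDs are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class AdmissionDoc:
    doc_id: int
    owner_id: str   # student the record belongs to
    title: str


# Constructed sample store (assumption for the demo): records keyed by a
# sequential numeric ID, the same kind of value that appeared in the URL.
DOCS = {
    1001: AdmissionDoc(1001, "student-a", "Common App"),
    1002: AdmissionDoc(1002, "student-b", "High school transcript"),
    1003: AdmissionDoc(1003, "student-b", "Test score report"),
}


def fetch_doc_broken(session_user: str, doc_id: int) -> Optional[AdmissionDoc]:
    """The pattern in the story: the record is selected by the ID in the URL
    and the logged-in user is never compared against the record's owner."""
    return DOCS.get(doc_id)


def fetch_doc(session_user: str, doc_id: int) -> Optional[AdmissionDoc]:
    """Ownership check: the lookup is scoped to the caller's identity taken
    from the session, not from anything the client sent. A record that exists
    but belongs to someone else is handled exactly like a missing one, so the
    response does not reveal whether the ID is in use."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner_id != session_user:
        return None
    return doc


def readable_ids(fetch: Callable[[str, int], Optional[AdmissionDoc]],
                 session_user: str, candidate_ids: Iterable[int]) -> List[int]:
    """Authorization regression test for a handler: the IDs a given user can
    read must be exactly that user's own records, whatever IDs are tried.
    Run it in CI over the whole ID space of a test fixture."""
    return [i for i in candidate_ids if fetch(session_user, i) is not None]


if __name__ == "__main__":
    ids = range(1000, 1005)
    print("broken :", readable_ids(fetch_doc_broken, "student-a", ids))  # [1001, 1002, 1003]
    print("fixed  :", readable_ids(fetch_doc, "student-a", ids))         # [1001]
```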

(Related) Why I recommend regular reporting of “who can access what” to managers. reports:
Students working for extra cash at Amsterdam’s OLVG hospital group have for years been given complete access to the medical records system, allowing them to read personal information about friends, family and famous people, the Volkskrant said on Friday.
The leak was made public by a philosophy student who made telephone appointments for the hospital. Fellow students recommended digging up ‘juicy details’ in the files while doing boring jobs, she told the paper.

Dr. Michelle Post shares this Call for Speakers.
Syndicated Radio Show Safety Talk needs Safety & Security Experts
Public safety and security including law enforcement professionals, security experts and campus safety professionals as well as those who represent security products and solutions.
This includes representatives of companies that deal with video surveillance, access control, cybersecurity, personal safety products, and others.

How to face down facial recognition? What else should we ban?
Facial Recognition Surveillance Now at a Privacy Tipping Point - CPO Magazine
… San Francisco is now considering an outright ban on facial recognition surveillance. If pending legislation known as “Stop Secret Surveillance” passes, this would make San Francisco the first city ever to ban (and not just regulate) facial recognition technology.
… One reason why the outright ban on facial recognition technology is so important is because it fundamentally flips the script on how to talk about the technology. Previously, the burden of proof was on the average citizen and advocacy groups – it was up to them to show the hazards and negative aspects of the technology. Now, the burden of proof is on any city agency (including local police) that would like to implement the technology – they not only have to demonstrate that there is a clear use case for the technology, but also demonstrate that the pros far outweigh the cons for any high-tech security system (including a facial recognition database).

An observation: Facebook takes its own security seriously. Would they offer this tracking as a service to other organizations or individuals?
Salvador Rodriguez reports:
In early 2018, a Facebook user made a public threat on the social network against one of the company’s offices in Europe.
Facebook picked up the threat, pulled the user’s data and determined he was in the same country as the office he was targeting. The company informed the authorities about the threat and directed its security officers to be on the lookout for the user.
“He made a veiled threat that ‘Tomorrow everyone is going to pay’ or something to that effect,” a former Facebook security employee told CNBC.
Read more on CNBC.

Reminds me of a paper by Paul David (The Dynamo and the Computer) drafted in 1990 but never finalized. There is an entire infrastructure that has to change to fully utilize AI.
This is why AI has yet to reshape most businesses
The art of making perfumes and colognes hasn’t changed much since the 1880s, when synthetic ingredients began to be used. Expert fragrance creators tinker with combinations of chemicals in hopes of producing compelling new scents. So Achim Daub, an executive at one of the world’s biggest makers of fragrances, Symrise, wondered what would happen if he injected artificial intelligence into the process. Would a machine suggest appealing formulas that a human might not think to try?
… Daub is pleased with progress so far. Two fragrances aimed at young customers in Brazil are due to go on sale there in June.
… However, he’s careful to point out that getting this far took nearly two years—and it required investments that still will take a while to recoup. Philyra’s initial suggestions were horrible: it kept suggesting shampoo recipes. After all, it looked at sales data, and shampoo far outsells perfume and cologne. Getting it on track took a lot of training by Symrise’s perfumers. Plus, the company is still wrestling with costly IT upgrades that have been necessary to pump data into Philyra from disparate record-keeping systems while keeping some of the information confidential from the perfumers themselves. “It’s kind of a steep learning curve,” Daub says. “We are nowhere near having AI firmly and completely established in our enterprise system.”

Gartner debunks five Artificial Intelligence misconceptions

Friday, February 15, 2019

This time they took your free donut. Next time it could be your bank account and they’ll take everything.
Dunkin' Donuts accounts compromised in second credential stuffing attack in three months
Dunkin' Donuts announced today that it was the victim of a credential stuffing attack during which hackers gained access to customer accounts.
This marks the second time in three months that the coffee shop chain notifies users of account breaches following credential stuffing attacks.
Credential stuffing is a cyber-security term that describes a type of cyber-attack where hackers take combinations of usernames and passwords leaked at other sites and use them to gain (illegal) access to accounts on new sites.
Dunkin' Donuts reported a first credential stuffing attack at the end of November (the actual attack occurred on October 31). Today, the company reported a second credential stuffing attack (attack happened on January 10).
Just like in the first, hackers used user credentials leaked at other sites to gain entry to DD Perks rewards accounts, which provide repeat customers with a way to earn points and use them to get free beverages or discounts for other Dunkin' Donuts products.
… Once hackers break into accounts, they either exploit them by extracting personal information from accounts and reselling the personal data to financial fraud operators, or they sell access to the hacked accounts themselves.
This latter case is what's happening with Dunkin' Donuts accounts, as hackers put up the hacked accounts for sale, which are later bought by other persons that use the reward points found in these accounts at Dunkin' Donuts shops to receive unearned discounts and free beverages.
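As an added example (not from ZDNet or Dunkin' Donuts), this is the detection logic a defender would run over authentication logs to separate the pattern described above from an ordinary forgotten password: one source trying many distinct usernames in a short window, mostly failing, with the occasional success marking an account whose reused password worked. The log format, addresses and thresholds are assumptions constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed authentication log (an assumed format, not any vendor's):
# timestamp, client IP, username, result. 203.0.113.7 cycles through many
# accounts with leaked credentials; 198.51.100.9 is one user mistyping theirs.
SAMPLE_LOG = """\
2019-01-10T08:00:01Z 203.0.113.7 alice FAIL
2019-01-10T08:00:02Z 203.0.113.7 bob FAIL
2019-01-10T08:00:02Z 203.0.113.7 carol FAIL
2019-01-10T08:00:03Z 203.0.113.7 dave OK
2019-01-10T08:00:04Z 203.0.113.7 erin FAIL
2019-01-10T08:00:05Z 203.0.113.7 frank FAIL
2019-01-10T08:00:06Z 203.0.113.7 grace OK
2019-01-10T08:00:07Z 203.0.113.7 heidi FAIL
2019-01-10T08:00:10Z 198.51.100.9 alice FAIL
2019-01-10T08:00:40Z 198.51.100.9 alice FAIL
2019-01-10T08:01:05Z 198.51.100.9 alice OK
2019-01-10T09:30:00Z 203.0.113.7 ivan FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")
Event = Tuple[datetime, str, str, str]


def parse(log_text: str) -> List[Event]:
    """Turn raw lines into (timestamp, ip, user, result) tuples."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        ts, ip, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def find_stuffing_sources(events: List[Event], window: timedelta = timedelta(minutes=5),
                          min_users: int = 5, min_fail_ratio: float = 0.6) -> Dict[str, dict]:
    """Flag a source IP when, inside any sliding time window, it has tried at
    least min_users distinct accounts and most attempts failed. A password
    guess against one account (few users, e.g. 198.51.100.9) never matches.
    The successes inside a flagged window are the accounts to lock and notify.
    """
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) < min_users or fails / len(win) < min_fail_ratio:
                continue
            if ip not in alerts or len(win) > alerts[ip]["attempts"]:
                alerts[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "compromised": sorted({e[2] for e in win if e[3] == "OK"}),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse(SAMPLE_LOG)).items():
        print(ip, info)  # 203.0.113.7 {'attempts': 8, 'distinct_users': 8, 'compromised': ['dave', 'grace']}
```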

Compare to the 59,000 reported under the GDPR rules.
6,500 Publicly Disclosed Data Breaches in 2018: Report
Both the number of reported breaches and that of the compromised records have decreased compared to the previous year (from 6,728 and 7.94 billion, respectively), but incidents continue to be disclosed and the number of reported events might end up being higher than in 2017, although the impacted records should remain under 6 billion.
According to Risk Based Security’s latest Data Breach QuickView Report (PDF), the Business sector was impacted the most last year, accounting for 66.2% of all the reported breaches and 65.8% of the exposed records.

Are we already fighting an undeclared Cyberwar? Should we go ahead and admit it? What is the definition of a “Just” Cyberwar?
Germany to Let NATO Use its Cyber Skills
Germany is to join the ranks of NATO countries making its cyber warfare skills available to the alliance to help fight hacking and electronic warfare, officials said on Thursday.
NATO has designated cyberspace as a conflict domain alongside land, sea and air and says electronic attacks by the likes of Russia and China – but also criminals and so-called "hacktivists" – are becoming more frequent and more destructive.
German officials used a meeting of defence ministers in Brussels on Thursday to tell allies that Berlin would make its cyber capabilities available, including offensive elements.
The US, Britain, Denmark, the Netherlands and Estonia have all made their offensive cyber weapons available to the alliance -- and announced it publicly -- in the expectation that the threat of counterattack may deter would-be aggressors.

How should this work?
Jacqueline Howard reports:
A pair of public health experts has called for Facebook to be more transparent in the way it screens posts for suicide risk and to follow certain ethical guidelines, including informed consent among users.
The social media giant details its suicide prevention efforts online and says it has helped first responders conduct thousands of wellness checks globally, based on reports received through its efforts. The authors said Facebook’s trial to reduce death by suicide is “innovative” and that it deserves “commendation for its ambitious goal of using data science to advance public health.”
But the question remains: Should Facebook change the way it monitors users for suicide risk?
Read more on CNN.

GDPR for the rest of the world? Can California learn how to do it?
Naomi Seddon and Merille Raagas of Littler write:
As a proposed Privacy Bill works its way through the New Zealand Parliament, key changes aim to strengthen the protection of confidential and personal information. The Bill is intended to replace prior law on the topic, modernizing privacy regulations and partially adopting provisions included in the European General Data Protection Regulation (GDPR).
Among other amendments to the Bill, the Privacy Commissioner will have increased enforcement powers, including the ability to issue compliance notices to organizations—including private employers—to take specific steps to comply with privacy law, and the ability to approve or deny requests for access to personal information.
One of the most significant changes that the Bill proposes to introduce is a mandatory requirement to notify both the New Zealand Privacy Commissioner and the affected individual of a privacy breach.
Read more on Littler.

An idea that would work in the US too?
How to Navigate the Privacy Minefield in 2019
Dr. Maurice Coyle, Chief Data Scientist at Trūata, explains both the necessity and benefits of outsourcing anonymization to an independent third party in a post GDPR world.

What AI should do for the US?
Defense Department Releases Artificial Intelligence Strategy
On February 12, 2019 the Department of Defense released a summary and supplementary fact sheet of its artificial intelligence strategy (“AI Strategy”). The AI Strategy has been a couple of years in the making as the Trump administration has scrutinized the relative investments and advancements in artificial intelligence by the United States, its allies and partners, and potential strategic competitors such as China and Russia.

On the other hand, perhaps all the news is fake and this AI produces truth?
New AI fake text generator may be too dangerous to release, say creators
The creators of a revolutionary AI system that can write news stories and works of fiction – dubbed “deepfakes for text” – have taken the unusual step of not releasing their research publicly, for fear of potential misuse.
OpenAI, a nonprofit research company backed by Elon Musk, Reid Hoffman, Sam Altman, and others, says its new AI model, called GPT2, is so good and the risk of malicious use so high that it is breaking from its normal practice of releasing the full research to the public in order to allow more time to discuss the ramifications of the technological breakthrough.
… From a research standpoint, GPT2 is groundbreaking in two ways. One is its size, says Dario Amodei, OpenAI’s research director. The models “were 12 times bigger, and the dataset was 15 times bigger and much broader” than the previous state-of-the-art AI model. It was trained on a dataset containing about 10m articles, selected by trawling the social news site Reddit for links with more than three votes. The vast collection of text weighed in at 40 GB, enough to store about 35,000 copies of Moby Dick.

Perspective. A harsh way to look at it? A response the National Enquirer would recognize.
Amazon calls the socialists' bluff
Following months of complaints from the progressive politicos who control local politics in New York City, Amazon CEO Jeff Bezos abruptly canceled plans to open the online retailer's new corporate headquarters branch in Queens.
… Ocasio-Cortez, on the other hand, was arguing against the economic development of a region of Queens that abuts her congressional district. Along with fellow naysayers such as state Sen. Mike Gianaris, D-Queens, she attacked Amazon for bringing in too many jobs, potentially creating higher standards of living in the area and perhaps also inflating housing costs.
… Naturally, Ocasio-Cortez and friends have taken a celebratory lap on Twitter and with the press to gloat. But they are mostly revealing the financial fallacies behind their thinking. Ocasio-Cortez, for example, told the press that if New York was willing to "give away $3 billion for this deal," then those investments could be used to hire teachers or fix the subway.
Except that isn't how refundable tax credits work. The loss of Amazon only saves New York about $325 million in cash grants that had been destined for Amazon. The rest of the incentive package consisted of tax savings that Amazon will not realize, money it would not have had to pay, had it set up shop and paid roughly $10 billion in taxes over the next two decades.

Perspective. Open a virtual bank account, get a real toaster?
Amazon Moments lets developers reward customers with actual gifts, not just virtual ones
Amazon Moments — as it is called — will let developers create actions — “moments” — that it wants users to perform — such as watching several episodes of a series if it's a streaming service; or taking out a subscription if it's a news site — and giving users actual physical gifts in exchange for doing so.
The service is going live in 100 countries today, Amazon said. Items that are eligible to be gifted as part of the Moments scheme will come in a catalogue — Amazon said that there are “millions” of products in it already, both from Amazon and select third-party vendors — and will sit alongside other kinds of products that incentivize users to be more engaged in apps, games and other digital services such as virtual currencies and gift cards.

Noble, but threatening? How is a scan “unlawful?”
Internet Archive’s ebook loans face UK copyright challenge
The Guardian UK – “The Society of Authors (SoA) is threatening legal action against the Internet Archive unless it stops what the writers’ body claimed is the unauthorised lending of books unlawfully scanned for its Open Library. Set up in San Francisco in 1996 to preserve pages published on the internet, the Internet Archive also collects digital books, offering borrowers access to hundreds of thousands of titles through its Open Library arm. Some are out of copyright, but the collection includes books from authors including AS Byatt, Kate Atkinson, Hilary Mantel, William Boyd, Philip Pullman and Iain Banks that are still in copyright and currently available to be borrowed in the UK. According to its website, the organisation began digitising books in 2005, because “not everyone has access to a public or academic library with a good collection, so to provide universal access we need to provide digital versions of books”. Today the archive scans 1,000 books a day in 28 locations around the world, through its book scanning and book drive programmes – with the “ultimate goal of [making] all the published works of humankind available to everyone in the world”. Users can borrow up to five books at a time, with each loan expiring after two weeks.
The SoA, which represents more than 10,000 writers in the UK, called on the Internet Archive to “cease making available to UK users the unauthorised lending of scanned books” via Open Library. In an open letter, the SoA said that in the UK, all scanning and lending must be authorised by the copyright owner. Despite this, users in the UK are currently able to borrow scanned copies of physical books from Open Library. “That is a direct and actionable infringement of copyright,” said the SoA. “Authors are not asked for permission before their work appears on Open Library, and they do not receive any royalties … We are calling on you to cease this practice, which … is unquestionably unlawful in the UK.”

Practice writing for the 21st Century! (I’ll have to start one for Undergraduate and Graduate students.)
The Next Student Blogging Challenge Starts Soon
Blogging can be a great way to get students interested in writing and publishing their work for an audience. The challenges of classroom blogging have always been coming up with things for kids to write about and building an audience for your students' work. The Edublogs Student Blogging Challenge addresses both of those challenges. The next Edublogs Student Blogging Challenge begins on March 3rd.
The Edublogs Student Blogging Challenge provides weekly blogging suggestions suitable for K-12 students. Every week students complete the challenge, then you can submit the URL of your students' posts to be included in a larger Student Blogging Challenge form that other participating classes can see. By submitting the URLs of your students' work, you're providing them with an opportunity to get feedback from other students and teachers who are participating in the challenge.
The Edublogs Student Blogging Challenge is open to all K-12 classrooms. You do not have to use Edublogs in order to participate in the challenge. Click here to read the complete details of the challenge including how to register.

A Guide to Blogging Terminology

Thursday, February 14, 2019

Another Bangladesh? There could be much more here than is being reported. This is the best article I could find, but lots of “cover-up” phrasing remains. The hackers did not “try” to move funds, they succeeded. What caused the shutdown? Did the bank panic or did the hackers gain more control than is being admitted? Watch for more!
Cyber attack on Malta bank tried to transfer cash abroad
Bank of Valletta which accounts for almost half of Malta’s banking transactions, had to shut down all of its operations on Wednesday after hackers broke into its systems and shifted funds overseas.
Prime Minister Joseph Muscat told parliament the cyber attack involved the creation of false international payments totaling 13 million euros ($14.7 million) to banks in Britain, the United States, the Czech Republic and Hong Kong.
The funds have been traced and the Bank of Valletta is seeking to have the fraudulent transactions reversed. [Have they already been moved? Bob]
Muscat said the attack was detected soon after the start of business on Wednesday when discrepancies were noticed during the reconciliation of international transactions.
Shortly after, the bank was informed by state security services that it had received information from abroad that the company had been the target of a cyber attack.
To minimize risk and review its systems, the Bank of Valletta suspended operations, shuttering its branches on the Mediterranean island, closing ATMs and disabling its website.
… Maltese banks have in the past reported cyber attacks but this was the first time that a lender had to shut down all of its operations as a result.

Haven’t we been saying the hacker is most likely China?
The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme
The prevailing theory today is that the data was stolen by a nation-state for spying purposes, not by criminals looking to cash in on stolen identities.
… CNBC talked to eight experts, including data "hunters" who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, senior intelligence officials who played a part in the investigation and consultants who helped support it. All of them agreed that a breach happened, and personal information from 143 million people was stolen.
But none of them knows where the data is now. It's never appeared on any of the hundreds of underground websites selling stolen information. Security experts haven't seen the data used in any of the ways they'd expect in a theft like this — not for impersonating victims, not for accessing other websites, nothing.
But as the investigations continue, a consensus is starting to emerge to explain why the data has disappeared from sight. Most experts familiar with the case now believe that the thieves were working for a foreign government and are using the information not for financial gain, but to try to identify and recruit spies.

If we are doing this to Iran, why not North Korea?
US sabotage may be behind Iran's embarrassing rocket launch failures
… The U.S. has been secretly sabotaging Iranian missiles and rockets, the New York Times reported Wednesday, citing half a dozen current and former officials. Since the program began a little over a decade ago, 67 percent of Iran's orbital launches have failed. The global failure rate for similar launches is only 5 percent.

Should Google also notify me if I happened by a crime scene at the time the crime was committed? Could they flag me as a possible witness without notifying the Police?
Tony Webster reports:
The suspects in an Eden Prairie home invasion last October wore gloves, dressed in black, and covered their faces with masks. But despite their efforts to remain unseen, a trail of evidence was left behind — not at the crime scene, but with Google.
Knowing the Silicon Valley giant held a trove of consumer mobile phone location data, investigators got a Hennepin County judge to sign a “reverse location” search warrant ordering Google to identify the locations of cellphones that had been near the crime scene in Eden Prairie, and near two food markets the victims owned in Minneapolis and St. Paul.
The scope of the warrant was so expansive in time and geography that it had the potential to gather data on tens of thousands of Minnesotans.
The technique has caught the attention of civil liberties lawyers who worry such warrants — deployed increasingly by police in the Twin Cities and around the country — are a digital dragnet ripe for abuse, and that judges may not realize the technical details or broad scope of the searches they’re authorizing.
Read more on MPRnews or listen to the story on that site.

Making it hard to study terrorism?
Connor Jones reports:
A new UK law, which has just received royal assent, will see anyone found to have clicked on terrorist propaganda handed a sentence of up to 15 years in prison.
The new Counter-Terrorism and Border Security Act 2019 which gives UK law enforcement greater powers to investigate suspected hostile activity, also updates existing counter-terrorism law to reflect a more digital age.
A controversial subsection of the act states that anyone who obtains ‘information of a kind likely to be useful to a person committing or preparing an act of terrorism’ will be punished under the act.
Read more on ITPro. Researchers beware…..?

It is impossible to adequately obfuscate in clear, concise English.
Most Online ‘Terms of Service’ Are Incomprehensible to Adults, Study Finds
Motherboard – Reading the terms and conditions of online consumer contracts requires, on average, more than 14 years of education. Two law professors analyzed the sign-in terms and conditions of 500 popular US websites, including Google and Facebook, and found that more than 99 percent of them were “unreadable,” far exceeding the level most American adults read at, but are still enforced. According to a new paper published on SSRN (Social Science Research Network), the average readability level of the agreements reviewed by the researchers was comparable to articles in academic journals. “While consumers are legally expected or presumed to read their contracts, businesses are not required to write readable ones. This asymmetry—and its potential consequences—puzzled us,” wrote co-author Samuel Becher, a law professor at Victoria University of Wellington, in an email to Motherboard. We’ve all been there, signing up for a new digital service such as Amazon or Uber and being asked to tick the box saying that we agree to the terms of service, or ToS. These agreements typically include clauses on intellectual property, prohibited use, and termination, among many others. Most of us accept the terms without bothering to read the fine print. But with these relatively new types of contracts, known as sign-in-wrap agreements, there is a danger in clicking “agree” without reading or understanding them—they’re regularly enforced…”

Why a proprietary system?
Kroger Co. debuts pay-by-phone option in Columbus
The Kroger Co. debuted a new mobile payment option Wednesday that is launching in Columbus and Colorado but expanding to all stores nationwide by year end.
Kroger Pay is an app that generates a single-use QR code that can be scanned at the checkout counter to pay for a Kroger purchase. The app can be linked to any major credit or debit card. Kroger is also launching the Kroger Rewards debit card so payments, fuel points and other rewards can be tied to each purchase.

Microsoft looking praying for ethics consultants?
Microsoft President Brad Smith met Pope Francis on Wednesday to discuss the ethical use of artificial intelligence and ways to bridge the digital divide between rich and poor nations, the Vatican said.
… The pair discussed “artificial intelligence at the service of the common good and activities aimed at bridging the digital divide that still persists at the global level”, according to a statement.
… The Vatican said its Academy for Life would jointly sponsor a prize with Microsoft for the best doctoral dissertation in 2019 on the theme of “artificial intelligence at the service of human life”.

Microsoft Unboxed: AI for Good (Ep. 1)
In the first episode of our new YouTube series, Microsoft Unboxed, Sonia Dara and Colleen O’Brien go “behind the tech” to explore Microsoft’s AI for Good initiatives, unpacking AI for Accessibility and AI for Humanitarian Action. Hear the stories of the unique organizations and partners making an impact within these initiatives on this episode of Microsoft Unboxed.

Another Dilbert “keeper”

Wednesday, February 13, 2019

A very nasty hack.  How many systems are vulnerable?

Hackers Wipe VFEmail Servers, May Shut Down After Catastrophic Data Loss

Sergiu Gatlan reports:
The U.S. servers of privacy-focused e-mail provider VFEmail were hacked into on February 11 and all the data was destroyed, on both the main and the backup systems.
According to VFEmail’s owner, the hackers did not leave a ransom note and, given the extent of the destruction, the service will most likely go offline to never return.
Read more on BleepingComputer.
VFEmail’s last tweet was yesterday (Feb. 11):
This is all I can do at this time. I will need to get into the datacenter to see if the one file server I caught during formatting can be recovered. If it can, we can restore mail, but most of the infrastructure is lost..
And 9 hours ago, @Havokmon tweeted that yes, VFEmail is effectively gone and likely would not return.
This is both incredibly sad and chilling.

Hacking for fun and profit.

A Closer Look: SEC’s Edgar Hacking Case

Craig A. Newman writes:
Last month, the U.S. Securities and Exchange Commission charged nine defendants with hacking into the agency’s EDGAR system – the online platform used by public companies for making their public filings – and stealing material nonpublic information to use for illegal trading purposes.
While the charges are new, the insider trading scheme goes back years and underscores the challenges faced by U.S. law enforcement and regulatory authorities in pursuing foreign nationals who violate U.S. securities laws.
According to a 43-page complaint filed in federal court in New Jersey, a Ukrainian hacker and six individual traders based in the U.S., the Ukraine and Russia, made off with more than $4.1 million in illegal profits by hacking the EDGAR system and trading in front of market-moving news.
Read more on Data Security Law Blog.

Tools for the hacking kit.

Something to watch.
Saritha Rai reports:
India’s government dealt retail giants and Walmart a devastating blow this year with new policies undermining their growth plans.  Now U.S. social media pioneers Facebook and Twitter are in danger of suffering similar setbacks in what is perhaps the world’s most important emerging technology market.
In the latest skirmish, the government is targeting Facebook Inc.’s WhatsApp, the popular messaging service increasingly important to its parent’s bottom line.  Frustrated that the service has been used to incite violence and spread pornography, the government is pressing WhatsApp to allow more official oversight of online discussions, even if that means giving officials access to protected, or encrypted, messages.  Facebook has refused, risking punitive measures or even the possibility of a shutdown in its biggest market.
Read more on Bloomberg.

I’m sure everyone will get out the paint rollers and start doing this immediately.   
You'll Have to Mark Your Drone With an ID Under Anti-Terror Rule
Responding to concerns from law enforcement and security agencies about the potential for concealed explosives, the U.S. government is ordering all civilian drones to add external markings so the owner can be more easily identified.
The regulation, which was posted Tuesday on a preview website for the Federal Register and takes effect Feb. 23, is part of an effort to bring more oversight to the rapidly growing hobby and commercial drone industry.
The regulation would require drone owners to place their registration number on the outside of their devices. When the FAA first required drone owners to register their aircraft in 2015, it said the number could be placed within the battery compartment.

Perspective.  Towards fully automated vehicles. 
40 countries agree cars must have automatic braking
Forty countries led by Japan and the European Union — but not the U.S. or China — have agreed to require new cars and light commercial vehicles to be equipped with automated braking systems starting as soon as next year, a U.N. agency said Tuesday.
The measure will apply to vehicles at “low speeds”: 60 kilometers per hour (42 mph) or less, and only affects new cars sold in the markets of signatory countries — so vehicle owners won’t be required to retrofit their cars and trucks already on the roads today.

Why I love lists: Someone took the time to gather useful stuff!  (Only a couple examples)
The Essential Tools for Programmers
This is a list of essential tools and services from my coding workflow that I think should be part of every web programmer’s toolkit.  Whether you are building a simple “Hello World” app or a complex web application, these tools should make your coding easier and increase productivity.
1. — API documentation for all popular programming languages and frameworks.  Includes instant search and works offline too.
10. — Type any Unix command and get a visual explanation of each flag and argument in the command.

Tuesday, February 12, 2019

Will they talk to robots? Will they lie to robots? What would a false positive look like?
Sarah Knapton reports:
Smart speakers like Amazon’s Alexa or Apple’s Siri are to be used by the NHS to analyse patient conversations and spot if they suicidal (sic), it has emerged.
A new report published today into the technological future of the health service has called for trusts to embrace robots and artificial intelligence and said that London was already planning to embed AI into its mental health services to pick up those in danger of self harm.
Mental health patients can already access online programmes to aid their recovery and it is hoped they would hold conversations with ‘triage bots’ which would notice warning signs.
Read more on Telegraph.

I did not see this one coming.
Veterans can access their medical info through Apple's Health Records
Apple is expanding its Health Records feature in iOS to cover one of the larger groups in the US: namely, veterans. The company is partnering with the Department of Veterans Affairs to make soldiers' medical info available in one place on their iPhones, including known conditions, prescriptions and procedures. It's the record-sharing system "of its kind" at Veterans Affairs, Apple said.
Access to veteran data will be available "soon," Apple noted, although it didn't say if that would be tied to an iOS update.
Support for veterans is coming soon after Apple teamed up with Aetna on a health tracking app, and reflects a larger strategy at the tech giant. It wants to become an indispensable part of people's health care, whether it's providing medical data or warning of heart conditions, and that could give you a reason to keep using its devices when you'd otherwise be tempted to switch. It's not just an altruistic gesture, then, although it's still likely to be valuable for iPhone-toting veterans who want a better understanding of their wellbeing.

Apple's deal with the VA is a big step toward giving patients control over their own health information
… Apple already works with dozens of hospitals that are integrated with its Health Records software, so their patients can access clinical information. But the VA, which represents 9 million people, is a big step forward for the company, as it's the largest medical system in the country.
It's also a big deal for people who aren't veterans.
Industry experts say that Apple is taking advantage of a bigger movement to force medical records companies and insurers to open up access to health information, which is supported by the government and different academic groups. Also this week, the Department of Health and Human Services shared its much-anticipated rules that are designed to prevent information blocking.

I wonder if Google Transcript can produce English subtitles in real time?
TELESCOPE beta There’s a whole world of film out there. Welcome to it.
Thanks to digital distribution, the American audience now has unprecedented access to films from around the world. At Telescope Film, our mission is to connect those films with the people who want to watch them — and to help that audience grow. is a website to promote international film to American audiences. Our online database of international film enables users to search and filter by options including title, director, country, language, and genre, and provides one-click access to all major streaming services in the US. The site will also offer a variety of features to help users discover new content, including curation, a customizable user experience, and an engaged community of fans…” [See also MHz Choice. The best international mysteries, dramas & comedies with easy-to-read English subtitles.]

A resource I didn’t know existed.
Internet of Things Security Institute

One day’s activity on my blog. Someone has to be messing with me.

Monday, February 11, 2019

Everyone faces this THREAT. The RISK increases depending on the payoff. (What makes us think the hack was on Jeff Bezos’ end?)
Bezos Case Exposes Billionaires' Vulnerability to Hackers
The stunning revelation that a tabloid obtained below-the-belt selfies of Amazon founder Jeff Bezos -- the world's richest man -- suggests that even billionaires are not out of the reach of hackers.
… "It's a curious irony that billionaires demonstrate astounding acumen related to their own industries, and yet seemingly ignore the minutiae of common-place security measures."
Johnson sees billionaires and top executives as especially vulnerable because their personal information is a gold mine for criminals, intelligence agencies and competitors.

Another example of: “We can, therefore we must!”
In just two years, 9,000 of these cameras were installed to spy on your car
The surveillance state is no longer limited to the state.
For years, police departments have been tracking people’s cars with cameras that capture the license plate number of every vehicle that passes by. The Electronic Frontier Foundation, a San Francisco-based digital privacy nonprofit, has described the technology as “a form of mass surveillance.”
Now, a new generation of tech firms has made it possible for private citizens to use the devices, known as automatic license plate readers, or ALPRs—without the strict oversight that governs this type of data collection by law enforcement.
Putting ALPR into civilian hands allows for a broad range of new applications, including customer service and school security. But it also raises untold numbers of new legal and ethical issues, few of which have yet been tested in the courts, experts warn.
… At least one company, OpenALPR, offers software for free, on GitHub. Anyone who downloads it can turn a single web-connected camera into an automatic license plate reader that can monitor traffic across a four-lane highway with 99% accuracy. (Customers pay between $49 and $995 monthly for optional cloud-based storage and analysis.)
… Unlike police and other law enforcement users of ALPR, private citizens are not beholden to constitutional protections barring unlawful search and seizure, or racial profiling, for example.

This is easy enough to check. If the government is concerned about the use of foreign software, ban it!
Senators Concerned Over DHS Employees Using Foreign VPNs
United States senators have voiced concerns over the use of foreign-made Virtual Private Network (VPN) applications within the Department of Homeland Security (DHS).
VPN services promise improved security and privacy when browsing the Internet by routing all of the user’s traffic through the provider’s servers, and a large number of people, including mobile users, have adopted such services for increased online privacy.
Furthermore, users are also adopting data-saving apps, including mobile browsers such as Dolphin, Yandex, and Opera, which route traffic through their servers and compress it before serving them to the user, to provide data-saving functionality.
… “We are particularly concerned about the potential threat posed by foreign-made apps that are affiliated with countries of national security concern and urge you to examine the national security risk they pose,” the letter reads (PDF).

We could do this here, if we wanted honest elections.
Switzerland Launches Bug Bounty Program for E-Voting Systems
Switzerland has been conducting e-voting trials since 2004 and the national postal service, Swiss Post, now believes it has developed a fully verifiable system that can make e-voting widely available in the country.
The security of the e-voting system is being tested by an “accredited body,” but Swiss Post is also launching a bug bounty program open to hackers from all around the world. White hat hackers can sign up on, and between February 25 and March 24 they will be given the chance to conduct penetration testing on both the frontend and backend of the e-voting system.
… The source code for the e-voting system is publicly available, but Swiss Post noted that source code vulnerabilities must be reported separately if they cannot be exploited against the test system.

It could happen here.
Not just porn, Indian telecom firms are blocking other websites, too
Over three months after the Indian government banned hundreds of porn websites, internet users from across the country are reporting blocked access to a wide variety of other online services. These include VPN (virtual private network) and proxy sites, torrent sites, the website for the messaging platform Telegram, and even the audio-streaming site Soundcloud.
… Many of the reports were by people who said they were blocked out of proxy sites and VPNs, something that the telecom firm Reliance Jio was accused of by Indian Reddit users last month. Among other things, proxy sites often allow Indians to navigate bans and access websites barred by the government.
… When Quartz tried accessing Soundcloud through a Jio connection in Delhi, the web page displayed a note saying the user was “not authorised to access” the webpage, in compliance with India’s department of telecommunications (DoT).

A summary.
Sherlock at scale: Law enforcement enters the connected age
GNC: “Crime is common,” Sherlock Holmes said in the 1892 novel, The Adventure of the Copper Beeches. “Logic is rare. Therefore it is upon the logic rather than upon the crime that you should dwell.” Holmes famously used his intellect to make deductions about crimes and solve them. For him, logic was the linchpin, helping him associate disparate pieces of evidence. For law enforcement agencies today, it’s not only logic, but connections and relationships that are key in successfully using data as the foundation of information, knowledge and wisdom for decision-making. So how can today’s law enforcement agencies leverage technology to mitigate crime and do their jobs better in the connected age? Here are three ways…”

One doesn’t often think of Facebook as a source of free software.
How Facebook Has Changed Computing
Over the past 15 years, Facebook has changed the way we keep in touch with friends, how we feud with family members, how we think about privacy, and how we consume Russian propaganda—not always for the better. But Facebook also changed computing. From Netflix to Uber to Walmart’s website, many of the apps and services we use every day are built with technologies that Facebook developed and then shared with the world.

Sunday, February 10, 2019

The California model: Legislate in haste, repair whenever, dude.
Inside the lobbying war over California’s landmark privacy law
A landmark law adopted in California last year to rein in the data-collection practices of Facebook, Google and other tech giants has touched off a lobbying blitz that could water it down, potentially undermining new protections that might apply to Internet users across the country.
… Other states this year have sprung to action in a bid to follow California’s lead. Lawmakers in New Mexico have put forward a bill that largely copies Sacramento. In Massachusetts, members of the legislature unveiled a proposal that would allow consumers to sue if their privacy is violated. And in the state of Washington, Democratic Sen. Reuven Carlyle authored a measure that borrows from Europe’s approach.
“I don’t think there’s a state legislature in the country that doesn’t want comprehensive, sweeping legislation they craft to become a national model,” Carlyle said.

“Never attribute to malice that which is adequately explained by stupidity.” That’s a defense that could be impossible to disprove.
Alex Hernandez reports:
…U.S. Senator Ron Wyden from (D) Oregon is proposing a new bill that would deal out jail time to executives whose companies violate online privacy.
Senator Ron Wyden isn’t only pitching jail time but also billions of dollars in fines on companies and executives who enable privacy breaches. The senior senator from Oregon believes that privacy and data breaches are corporate fraud and should be dealt with accordingly.
Read more on TechAeris.

HIPAA compliance may be a bit much to ask for.
New voices at patients’ bedsides: Amazon, Google, Microsoft, and Apple
… Hospitals are exploring new uses in intensive care units and surgical recovery rooms, and contemplating a future in which Alexa, or another voice avatar, becomes a virtual member of the medical team — monitoring doctor-patient interactions, suggesting treatment approaches, or even alerting caregivers to voice changes that could be an early warning of a health emergency.
“Why not have a connected speaker in the room listening to conversations?” asked John Brownstein, chief innovation officer at Boston Children’s Hospital, which is piloting dozens of voice applications. Voice technology still remains at the edges of patient care, he added, but the hospital is already using it to improve the efficiency of ICU care and help prepare doctors for transplant surgeries.
… Underlying that work is an increasingly fierce competition for health care dollars among giant technology companies and scores of startups that are investing heavily in voice-enabled products and services. Clinicians are waiting to see which of the largest companies will be the first to introduce a smart speaker that fully complies with health care privacy laws, a step that would allow them to delve even deeper into patient care.
… Several startups have already created HIPAA-compliant voice software for use with electronic medical records systems. Sopris Health, a Denver-based company, developed a product designed to automatically convert a doctor-patient conversation into text that is then loaded into a doctor’s note. Other competitors in the field include Suki, Notable, Nuance, and Seattle-based SayKara, which is led by former Amazon engineers.

Reminds me of the recent ‘Artificial Lawyer’ article.
Will A.I. Put Lawyers Out Of Business?
What is the law but a series of algorithms? Codified instructions proscribing dos and don’ts—ifs and thens. Sounds a lot like computer programming, right? The legal system, on the other hand, is not as straightforward as coding. Just consider the complicated state of justice today, whether it be problems stemming from backlogged courts, overburdened public defenders, and swathes of defendants disproportionately accused of crimes.
So, can artificial intelligence help?
Very much so. Law firms are already using AI to more efficiently perform due diligence, conduct research and bill hours. But some expect the impact of AI to be much more transformational. It’s predicted AI will eliminate most paralegal and legal research positions within the next decade. Could judges and lawyers share the same fate? My coauthor Michael Ashley and I spoke to experts about AI’s impact on the legal system for our upcoming book, Own the A.I. Revolution: Unlock Your Artificial Intelligence Strategy to Disrupt Your Competition.
“It may even be considered legal malpractice not to use AI one day,” says Tom Girardi, renowned civil litigator and the real-life inspiration for the lawyer in the movie, Erin Brockovich. “It would be analogous to a lawyer in the late twentieth century still doing everything by hand when this person could use a computer.”

Perspective. Soon to be “mandatory” technology? Can an employer require you to wear a monitor away from work?
Fitbit has a new health tracker, but you can only get it through your employer or insurer
… Fitbit has been developing software to help companies give employees tools to track their health and encourage behavior change. The Inspire, which has basic features like heart rate, step tracking, and calories burned, adds hardware to its line of business-to-business products. The Inspire is available as a wristband or a clip, which can more easily be hidden under clothing and might prove appealing to corporate users.
"We built it as a program for digital health interventions," Park said, in an interview at Fitbit's headquarters this week.
… Both Fitbit and Apple are telling employers and insurers that they can help bring health-care costs down by improving overall wellness. The devices are typically offered through workplace wellness programs, and are subsidized, earned through healthy behavior or available free of charge.