Saturday, March 16, 2019

Part of any “Disaster Recovery” plan is testing the recovery process. Two weeks seems long, but how quickly critical systems come back is the key. Everything else can wait.
P. H. Madore reports:
Boston public defenders suffered a ransomware attack some weeks back but have chosen not to send the bitcoin demanded by the attacker. Instead, they decided to use back-ups to restore services. The Committee oversees public defenders in Boston.
According to the Boston Globe, that decision has meant a “weekslong slowdown” that affects everyone in the system. Private attorneys tapped to work for indigent clients receive a small fee from the government. The ransomware attack has also interrupted those payments and locked up the organization’s essential digital services, including e-mail.
As a security measure, they’ve taken their systems offline in order to cleanse them of viruses.
Read more on CCN.

Just because...
The Federal Trade Commission, the nation’s primary privacy and data security enforcer, released its annual report highlighting its privacy and data security work for 2018.

Two solid stories about Killing for Internet fame.
Social Media Are a Mass Shooter’s Best Friend
Forty-nine people are dead and 20 more injured after terrorist attacks on two New Zealand mosques Friday. One of the alleged shooters is a white man who appears to have announced the attack on the anonymous-troll message board 8chan. There, he posted images of the weapons days before the attack, and an announcement an hour before. On 8chan and Twitter, he also posted links to a 74-page manifesto, titled “The Great Replacement,” blaming immigration for the displacement of whites in Oceania and elsewhere. The manifesto cites “white genocide” as a motive for the attack, and calls for “a future for white children” as its goal.

The Shooter’s Manifesto Was Designed to Troll
… Early Friday, a number of unverified social-media posts surfaced, along with a bizarre manifesto posted to 8chan, rich with irony and references to memes.
Together, the posts suggest that every aspect of the shootings was designed to gain maximum attention online, in part by baiting the media.

Call it what it is: The “We wish it had been Hillary” bill.
Colorado governor signs national popular vote bill into law
… The joint agreement only goes into effect if enough states sign on to total the number needed to win the presidency — 270 electoral votes.
The addition of Colorado’s nine electoral votes brings the total to 181.

Negotiating a raise.

Friday, March 15, 2019

How it should be done.
Pat Ferrier reports:
When employees of the Fort Collins Loveland Water District and South Fort Collins Sanitation District got to work the morning of Feb. 11, they were locked out of technical and engineering data and drawings stored on their computers.
The districts had fallen victim to a ransomware cyber attack, the second in two years, General Manager Chris Matkins said. Hackers were holding the data hostage and demanding a ransom payment before they’d unlock the information.
Matkins won’t say how big the ransom demand was or how payment was to be made. “It’s not something we will talk about,” he said. “It didn’t have any bearing on how we responded.”
Fort Collins Loveland Water never considered paying the ransom and within about three weeks was able to unlock the data on its own, Matkins said.
Read more on The Coloradoan.

That persistent threat: North Korea.
Lily Hay Newman reports:
In January 2018 a group of hackers, now thought to be working for the North Korean state-sponsored group Lazarus, attempted to steal $110 million from the Mexican commercial bank Bancomext. That effort failed. But just a few months later, a smaller yet still elaborate series of attacks allowed hackers to siphon off 300 to 400 million pesos, or roughly $15 to $20 million from Mexican banks. Here’s how they did it.
At the RSA security conference in San Francisco last Friday, penetration tester and security advisor Josu Loza, who was an incident responder in the wake of the April attacks, presented findings on how hackers executed the heists both digitally and on the ground around Mexico.
Read more on Wired.
[From the article:
All of these vulnerabilities collectively made it possible for hackers to lay extensive groundwork, eventually establishing the infrastructure they needed to begin carrying out actual cash grabs. Once that was in place, the attacks moved quickly.
The hackers would exploit flaws in how SPEI validated sender accounts to initiate a money transfer from a nonexistent source like “Joe Smith, Account Number: 12345678.” They would then direct the phantom funds to a real, but pseudonymous account under their control and send a so-called cash mule to withdraw the money before the bank realized what had happened. Each malicious transaction was relatively small, in the range of tens or hundreds of thousands of pesos. "SPEI sends and receives millions and millions of pesos daily, this would have been a very little percentage of that operation," Loza says.
Attackers would have potentially needed to work with hundreds of mules to make all of those withdrawals possible over time.]

Why is this a DARPA thing? Is it Defense related?
DARPA to Develop $10 Million Open Source Voting System
The US election might be different in 2020 thanks to a project by DARPA (Defense Advanced Research Projects Agency), the US Department of Defense research division, aiming at bullet-proofing voting machines by moving away from proprietary software that can’t be properly evaluated for bugs, writes Motherboard.
$10 million is invested in creating an unhackable, fully open source voting system with a touch screen that will allow voters to ensure their votes are accurately recorded.
… “We will not have a voting system that we can deploy. That’s not what we do,” said Salmon. “We will show a methodology that could be used by others to build a voting system that is completely secure.”

Chatters gotta chat! I’m (mostly/kinda/almost) sure they had nothing to do with the outage.
Telegram gets 3M new signups during Facebook apps’ outage
Messaging platform Telegram claims to have had a surge in signups during a period of downtime for Facebook’s rival messaging services.
In a message sent to his Telegram channel, founder Pavel Durov wrote: “I see 3 million new users signed up for Telegram within the last 24 hours.”
It’s probably not a coincidence that Facebook and its related family of apps went down for most of Wednesday, as we reported earlier.

I have been hacked, that is proof our enemies fear me! OR I have been hacked. That does not mean I don’t understand security.
Leading Israeli Candidate for PM Targeted by Iranian Hackers
Israeli media reported Thursday that the Shin Bet internal security service warned Benny Gantz that Iranian intelligence hacked his cellphone, putting “his personal details and addresses in hostile hands.”
A statement from Gantz’s campaign insinuated his opponents leaked the news to damage his political bid, saying the timing of the report just weeks before Israel’s April 9 elections “raises important questions.”
A campaign official says the security breach happened several months ago, before Gantz entered politics. The official spoke on condition of anonymity because they were not authorized to talk to media.

(Related) Why only “successful” attacks? Why not five days for everyone? Sounds like they think the attacks are not important.
U.S. Senators Want Transparency on Senate Cyberattacks
U.S. Senators Ron Wyden and Tom Cotton believe all senators should receive information on successful cyberattacks aimed at the Senate.
In a letter sent this week to the U.S. Senate Sergeant at Arms, Michael C. Stenger, Wyden and Cotton have asked that each senator be provided an annual report containing information on the number of cyber incidents that involved compromised Senate computers or illegally accessed sensitive data.
They also want Senate leadership and members of the Committees on Rules and Intelligence to be informed of any breach within five days of discovery.

But will it become law?
Mike Maharrey writes:
Last Friday, a Utah House committee passed a bill that would prohibit police from using a person’s biometric data to gain access to their electronic device. The bill would not only protect privacy in Utah; it would also hinder one aspect of the federal surveillance state.
Rep. Adam Robertson (R-Provo) introduced House Bill 438 (HB438) on Feb. 27. The legislation would prohibit law enforcement from using an individual’s biometric information to access an electronic device protected by biometric security.
There are no exceptions to the ban.
Read more on TenthAmendmentCenter.

Should I be surprised?
The Internet Knows You Better Than Your Spouse Does
If you enjoy computerized personality tests, you might consider visiting Apply Magic Sauce. The Web site prompts you to enter some text you have written—such as e-mails or blogs—along with information about your activities on social media. You do not have to provide social media data, but if you want to do it, you either allow Apply Magic Sauce to access your Facebook and Twitter accounts or follow directions for uploading selected data from those sources, such as your history of pressing Facebook’s “like” buttons. Once you click “Make Prediction,” you will see a detailed psychogram, or personality profile, that includes your presumed age and sex, whether you are anxious or easily stressed, how quickly you give in to impulses, and whether you are politically and socially conservative or liberal.
Examining the psychological profile that the algorithm derives from your online traces can certainly be entertaining. On the other hand, the algorithm’s ability to draw inferences about us illustrates how easy it is for anyone who tracks our digital activities to gain insight into our personalities—and potentially invade our privacy. What is more, psychological inferences about us might be exploited to manipulate, say, what we buy or how we vote.

Public ledger meets GDPR Privacy.
Blockchain Privacy Poisoning a New Concern in Post-GDPR Era
When it comes to blockchain technology, the very features that make blockchain so attractive to many enterprises – such as the ability to create an immutable public ledger of transactions – are also the very features that could lead to privacy issue headaches for those enterprises. In fact, tech research firm Gartner is now calling “blockchain privacy poisoning” one of the biggest risks facing organizations over the next few years. By 2022, says Gartner, three-fourths of all public blockchains will suffer some form of privacy poisoning.
What is blockchain privacy poisoning?
The term “blockchain privacy poisoning” refers to the insertion of personal data into a public blockchain, thereby making that blockchain non-compliant under the European General Data Protection Regulation (GDPR).

Farming in your PJs?
The Amazing Ways John Deere Uses AI And Machine Vision To Help Feed 10 Billion People
… Near the start of the journey in 2013, it unveiled its Farm Forward vision – demonstrating the concept of the “autonomous farm” where machinery would be remotely managed from a central control hub. It showed a farmer monitoring data points and managing machinery from a console in his home in real-time, while AI takes care of the moment-to-moment operational decisions.
Now it has released what it calls the 2.0 version of that vision – representing the leaps in learning and practical application of smart, self-teaching technology that has been made since those early days of the digital transformation.
… “When we tell them they can spray their fields with 80 – 90% less herbicide, based on Blue River's testing … that's real money right in your pocket. As well as less herbicide going onto the plants that are going to become our food. Farmers are business people, and they're looking for business outcomes from this precision agricultural technology."
… Stone says “The farmer has been the primary ‘sensor’ on a farm for years – and so much of farming is visual.
“It’s how does the ground look, what can you tell about the health of a plant by how it looks? Are the leaves nice and lush or are they going yellow? Are there bugs?
… One application of Blue River’s technology has been in the development of Deere’s See and Spray pesticide and herbicide distribution systems. This involves using smart cameras powered by computer vision, which are able to distinguish between healthy and unhealthy crops as machinery passes through the field. While traditionally the decision about whether or not to dose a crop with chemicals has been made on a field-by-field basis, this system allows targeted bursts of chemicals to be directed precisely where they are needed, at individual plants – hence the 80 to 90% reduction in herbicide use touted above.

Perspective. Why are they looking at self-driving cars?
Don't Read This If You're Bullish About Lyft
The coming initial public offerings from Lyft Inc. and Uber give the public its first deep look inside the economics of car rides on demand. There were two obscure data points about Lyft that I found discouraging about the financial viability of that company, and potentially the entire industry.
First, Lyft disclosed in its IPO document that it generates about the same average revenue for each car ride as it does from a trip on Lyft's growing network of rented bicycles and scooters: $3.75, to be exact, as of the fourth quarter. And second, Lyft's financials show that its average expense for each ride has gone up.
… People don't pay much to rent a scooter for a mile or two, but remember the important difference compared to a car: There's no driver in the equation when Lyft rents a scooter or bike, so the company keeps almost 100 percent of the fare. With a car ride, the driver effectively ends up with the vast majority of that money.

Interesting article. They’ve got the data, why not use it?
Amazon gets an edge with its secret squad of PhD economists
Estimating inflation is a tricky and complex task. In the United States, the government's Bureau of Labor Statistics sends testers to stores to record the price of everything from cheese to tires, and surveys consumers over the phone about what they spent on gas and funeral services.
Amazon thinks it could do it better.
With help from outside researchers, the company's economists are working on a way to measure inflation using thousands of transactions across its own platform. Automatically analyzing product descriptions allows them to better assess the quality of a dress or a juicer or a bathmat, theoretically creating a more accurate, up-to-date index of how much things cost.
That's just one way Amazon is using the squad of economists it has recruited in recent years.

Make your tools work for you.
A beginners guide to voice search and digital assistants in 2019
Search Engine Land: “Voice search isn’t only here to stay, it’s on the rise. Is your website optimized for spoken queries? If not, then you could lose market share to competitors whose websites are optimized for voice search. Good news, though, that’s a problem you can start fixing today. In this article, I’ll explain the various types of digital assistants and what to do to get your site ready for voice search. If you want to learn more, I’ll be talking about voice search in more detail at SMX Advanced in Seattle on June 5…”

One of those tools you don’t know you need until you need it.

For my students, who still think every “big” company is profitable.
How Does Netflix Make Money?
Netflix is the undisputed leader in streaming video. The DVD-by-mail company created modern streaming as we know it and has built a massive audience by being the first mover -- more than 50% of U.S. households have the streaming service.
But how does the company turn all those eyeballs into dollar signs?
In this video from our YouTube channel, we break down how Netflix makes money and what the strategy is behind the company's huge cash burn.

For us military history buffs. (Perhaps a map showing the spread of GDPR level Privacy?)
Interactive Map - The Battle of Gettysburg
Decisive Moments at the Battle of Gettysburg is an interactive map hosted on The map details events of the battle and the decisions made by commanding officers on both sides of the war. You can navigate the map by using the timeline on the left-hand side of the map or by clicking the placemarks on the map. While viewing the map you will see "eye" icons that you can click to view a panorama of that location. The panoramic view is of Gettysburg as it exists today.
… The map also provides a good model of using ArcGIS Story Maps to convey geo-located information. Your students could take the model of Decisive Moments at the Battle of Gettysburg and apply it to the creation of their own maps about significant moments in history.

Thursday, March 14, 2019

If everything uses the same ‘engine’ and that ‘engine’ stalls, everyone stalls. Simple.
Gmail and YouTube hit with massive outage that sent the internet into a panic
What’s the first thing you do when any popular service you rely on goes down? Why you panic and take to social media to warn everyone that the end is nigh, of course! Beginning around 10:00 PM EST on Tuesday night, users around the world began to notice that something wasn’t right with several Google services on which they’ve come to rely. The first reports suggested something was amiss with Gmail, and the volume of those reports increased exponentially. Yes, Gmail was indeed down… but things didn’t stop there. Google Drive would quickly follow, with users unable to connect and access their files.
As if all that wasn’t bad enough, YouTube soon began having issues as well. A Google Drive outage is annoying and a Gmail outage is obviously even worse. YouTube was the last straw, however, and users poured into social media services like Facebook and Twitter to vent over the fact that they couldn’t watch their favorite creators.

Facebook and Instagram are down, and the internet is freaking out
Facebook users are facing problems with posting to the social sites on Wednesday, and the company has not yet said when they could be back online.
People on Instagram and WhatsApp (which are owned by Facebook) also saw similar errors when trying to post photos or videos.

Not surprising. Constant training and reminders help.
CISOMag reports on a recent survey and report, Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions, authored by Dr. William Gordon and colleagues. Not surprisingly, the survey found that the healthcare sector was susceptible to phishing attacks.
How susceptible, you wonder?
William specified that when the researchers sent simulated phishing emails, nearly one in seven of the emails were clicked by employees of healthcare organizations.
The phishing simulations were conducted between August, 2011 and April, 2018.
Read more on CISOMag.
From the report on JAMA Network:
The final study sample included 6 anonymized US health care institutions, 95 simulated phishing campaigns, and 2 971 945 emails, 422 062 of which were clicked (14.2%).

A short paper on a topic of interest.
Understanding the Changing Landscape of Data Protection Laws
Klinkner, Blake, Understanding the Changing Landscape of Data Protection Laws (February 11, 2019). The Wyoming Lawyer, February 2019, at 44-45. Available at SSRN:
“As businesses and other entities have sought to collect more personal data on individuals, the public has pushed back, and lawmakers throughout the United States and elsewhere have responded by passing data protection laws. Recent data protection laws passed by the European Union and by several states have already resulted in a number of lawsuits against businesses who handle personal data. Attorneys should become familiar with this changing legal landscape in order to best protect their clients, practices, and their own personal accounts. This article discusses recent legislation addressing data protection and data privacy, including the 2018 General Data Protection Regulation passed in the European Union, and the California Consumer Privacy Act of 2018. This article next discusses how data protection and privacy laws will continue to evolve in the United States and elsewhere. This article concludes by providing recommendations for attorneys in adapting to the changing landscape of data protection and privacy laws.”

(Related) Nothing much new here either.
GDPR - Improving Data Privacy and Cyber Resilience?

Law Enforcement will get this data one way or another. It’s just too useful.
Home DNA-testing firm will let users block FBI access to their data
One of the biggest home DNA-testing companies seems to have bowed to a backlash over its decision to allow the FBI access to its database, by announcing a new way for customers to stop law-enforcement agencies accessing their data.
FamilyTreeDNA faced criticism when BuzzFeed News recently revealed that the company had chosen to cooperate with the FBI without consulting customers.
Initially, the only way for individuals to deny the FBI access was to opt out of the firm’s DNA-matching service entirely, depriving themselves of a tool that has become vital for many genealogists.
But on 12 March, FamilyTreeDNA told customers that they could now retain the matching service but end access by law-enforcement agencies.

No doubt alerts will cause some fools to run toward the event, trying for the sui-selfie (suicide selfie). Will this work in Denver where police and fire radios are encrypted?
Citizen, the real-time crime alerting app, is growing in big cities
… Using a combination of human employees and technology, Citizen scans hundreds of public-safety radio bands 24 hours a day in the major cities where it's deployed, sometimes by playing audio at three times the speed. It filters out what it deems non-essential and sends the information as short, factual alerts to everyone within a quarter mile of the incident. The app updates with a list of details as they roll in and lets people nearby take live video or comment with information.
Some local governments and police departments have their own alerting apps, and sites like Nextdoor are filled with user reports of incidents. But what makes Citizen different are its sources, the volume and speed of its text updates. It's closer in spirit to police scanner apps.
"What we have done, in essence, is open up the emergency response system from an information perspective," Citizen co-founder and CEO Andrew Frame told CNN Business.
… The app originally launched in New York with the name "Vigilante" and was quickly taken down from the Apple App Store over concerns it would encourage people to rush toward danger. At the time, the New York City Police Department spoke out against the app: "Crimes in progress should be handled by the NYPD and not a vigilante with a cell phone," it said in a statement.

Would this require the student to supply a password?
The Eleventh Circuit has issued a decision in Jackson v. McCurry. A student’s family filed the case after school officials searched her cell phone without probable cause. The appeals court ruled against the student because the law limiting searches of student cell phones was not “clearly established.” EPIC filed an amicus brief, arguing that searches of student phones should be “limited to those circumstances when it is strictly necessary” after the Supreme Court’s decision in Riley v. California. EPIC wrote that “most teenagers today could not survive without a cellphone.” The court recognized the need to limit school searches of cell phones, noting that “the reasoning of Riley treats cellphone searches as especially intrusive in comparison to searches incident to arrest of personal property” and that “a search of a student’s cellphone might require a more compelling justification than that required to search a student’s other personal effects.” However, the court refused to hold that this right was “clearly established.” EPIC routinely files amicus briefs in cases raising new privacy issues. EPIC has also long advocated for greater student privacy protections, including a Student Privacy Bill of Rights.

Wednesday, March 13, 2019

Manage so you can do what you are required to do. Harder than it sounds.
I’ve recently commented a few times on delays to notification in the healthcare sector. has a piece on data breach response times in the U.K. that provides some useful comparisons.
Businesses in the UK took an average of 21 days to report personal data breaches they had identified to the Information Commissioner’s Office (ICO) during the year up to 31 March 2018, according to information disclosed by the watchdog.
According to Redscan, there were 181 data breaches reported to the ICO by organisations across the general business, financial and legal sectors over the 12 month period. Across those cases, the average time taken to identify a breach was 60 days and it took businesses 21 days on average to then report those breaches to the ICO.
Of course, that was before GDPR went into effect, and GDPR requires notification within 72 hours. According to the Information Commissioner’s Office:
“If, within the 72-hour time limit, a UK organisation has no clue as to the who, the what, the how of a breach, then it is clear that they do not have the required accountability in place – which is a requirement of the law. That’s why mandatory breach reporting is one of the most significant upgrades in the new law. It drives companies to invest in better data security and better data governance,” she said.
Imagine if we had that requirement here….

(Related) A management success.
Clinic hit by ransomware recovers in hours thanks to solid incident response plan
Maffi Clinics, a chain of plastic surgery clinics in the United States, is notifying patients about a ransomware incident that briefly affected its systems. Unlike most cases involving ransomware, though, this one didn’t leave a scar, illustrating the power of strong security protocols.
… Within about five hours, the incident was contained and all data was restored. In other words, the clinic denied the attackers the ransom and escaped unscathed. The clinic nonetheless emailed all patients whose information was subjected to the attack out of an abundance of caution. Under the Health Insurance Portability and Accountability Act (HIPAA), Maffi fulfilled its legal obligation to acknowledge the breach, and notified the US Department of Health and Human Services (HHS).

Who would you like to win this election and by how much? The really interesting part is: What do they do now?
Researchers Find Critical Backdoor in Swiss Online Voting System
An international group of researchers who have been examining the source code for an internet voting system Switzerland plans to roll out this year have found a critical flaw in the code that would allow someone to alter votes without detection.
The cryptographic backdoor exists in a part of the system that is supposed to verify that all of the ballots and votes counted in an election are the same ones that voters cast. But the flaw could allow someone to swap out all of the legitimate ballots and replace them with fraudulent ones, all without detection.
… The researchers provided their findings last week to Swiss Post, the country’s national postal service, which developed the system with the Barcelona-based company Scytl. Swiss Post said in a statement the researchers provided Motherboard and that the Swiss Post plans to publish online on Tuesday, that the researchers were correct in their findings and that it had asked Scytl to fix the issue. It also downplayed the vulnerability, however, saying that to exploit it, an attacker would need control over Swiss Post’s secured IT infrastructure “as well as help from several insiders with specialist knowledge of Swiss Post or the cantons.”
But this ignores the fact that Swiss Post and other insiders themselves could pull off the attack.
“Their response hides that they are the primary threat actor for this scenario

Markets for my Computer Security students.
Getting Educated on Cyber Security in an Education Environment
Cybersecurity is one of the fastest growing industries in the world. We already know that businesses, organizations, and government entities must follow guidelines in order to protect sensitive information, but the education sector is one of the most important assets to protect, yet it is an extremely underserved market. Year after year, universities and school systems are plastered all over the media because of a multi-million-dollar lawsuit that they are facing due to a breach in security. It is past time to draw attention to an ongoing and very serious problem facing the US education system: our schools are ill-equipped to face the mounting threats posed by hackers.

How does this fit into the enhanced Privacy of the GDPR?
Joe Cadillic writes:
A recent European Union (EU) announcement about national IDs will destroy millions of people’s privacy and create a near global biometric database.
An article in State Watch News revealed that the EU has agreed to create a MANDATORY national biometric ID card.
“Measures being negotiated as part of the EU’s ‘Security Union’ are moving ahead swiftly, with the Council and Parliament reaching provisional agreements on new rules for immigration liaison officers, the EU’s Visa Code and the introduction of mandatory biometric national identity cards; and the Council agreeing its negotiating position on the new Frontex Regulation.”
Earlier this week the Nepal government announced their plans to roll-out a national biometric ID card that will affect 30 million people.
Read more on MassPrivateI.

(Related) Probably…
From Papers, Please!
In December 2018, the White House announced that President Trump had sent Congress a classified “National Strategy to Combat Terrorist Travel”.
Two months later, in February 2019, the White House released both this “National Strategy to Combat Terrorist Travel” (supposedly as signed in December 2018, and with no indication that it had ever been classified) and a companion “National Strategy for Aviation Security” (also unclassified and dated December 2018).
Together, these two documents give an overview of both the extent and the manner in which the US government intends — and believes that it has the authority — to surveil all travelers, monitor and log all movement of persons in the US and worldwide, and exercise administrative prior restraint over all such travel based on extrajudicial “pre-crime” predictions.
Nowhere in either of these vision statements is there any mention of the First Amendment, the right of the people peaceably to assemble, the right to travel, or international human rights treaties.
Read more on Papers, Please!

Is one answer better than several?
How voice computing will transform the way we live, work and think
Will the Siri model for voice computing replace search engines in the near future? Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think, a new book by James Vlahos is excerpted in Wired – Amazon Alexa and the search for the one perfect answer
“…the rise of voice computing platforms such as Amazon Alexa and Google Assistant, the world’s biggest tech companies are suddenly, precipitously moving in Tunstall-Pedoe’s direction. Voice-enabled smart speakers have become some of the industry’s best-selling products; in 2018 alone, according to a report by NPR and Edison Research, their prevalence in American households grew by 78 percent. According to one market survey, people ask their smart speakers to answer questions more often than they do anything else with them. Tunstall-Pedoe’s vision of computers responding to our queries in a single pass—providing one-shot answers, as they are known in the search community—has gone mainstream. The internet and the multibillion-dollar business ecosystems it supports are changing irrevocably. So, too, is the creation, distribution, and control of information—the very nature of how we know what we know…”

Not a bad little backgrounder.

A way for students to share? One server per major? One per class? It’s FREE.
How an App for Gamers Went Mainstream
… Discord is a real-time chat platform that was founded four years ago as a way to make it easier for gamers to communicate. But over the past year, it has outgrown its origin story and become the default place where influencers, YouTubers, Instagram meme accounts, and anyone with an audience can connect with their community.
After signing up for Discord, users join different servers. Each server functions as its own community, and it’s very easy to toggle between them. Once you’re within a server, you can hop between a long list of hashtag-marked channels on the left-hand side of the screen. Some channels are text-based, and some are group voice chats. Visually, Discord looks very similar to Slack.
Discord is also highly customizable. Not only can servers have public and private channels, but administrators can also designate an endless series of roles to each user, all of which can come with custom privileges, colors, and name tags. Most server administrators designate roles to help moderate their communities. In addition to the group chats, Discord allows for global private messaging. You can add friends from any server to have a one-on-one conversation, without having to click into each server itself. It’s like having an AIM buddy list at the top of the app.
… To join a server, users need a custom invite link, which allows admins and moderators to ensure that their chats aren’t overrun by spammers or outsiders looking to troll.

Tuesday, March 12, 2019

Now will you change the law?
Michigan AG Nessel warns of possible data breach of more than 600,000 residents
A data breach possibly involving the theft of names, addresses, dates of birth, Social Security numbers, insurance contract information and numbers, phone numbers, and medical information of more than 600,000 Michigan residents has state Attorney General Dana Nessel urging residents to pay close attention to their personal information and credit reports.
… The data was stolen from Detroit-based Wolverine Solutions Group and may have included data for customers of Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Care, Three Rivers Health, and North Ottawa Community Health System.
… The attorney general’s office is now seeking more information about the breach. Under state law, Wolverine was not required to share information about the breach with the office. Nessel said her office was first made aware of the breach through media sources.
The company announced the breach on Jan. 1, 2019 on its website, but did not list how many people may have been impacted by the breach.

Security tools.
Firefox Send's free encrypted file transfers are now available to all
… Firefox Send was introduced in 2017 as part of the now-defunct Firefox Test Pilot, which allowed early adopters to try out experimental features, and is now being graduated. Those with Firefox accounts can now share files up to 2.5GB in size between browsers, while everyone else is limited to 1GB. It's also getting its very own Send Android app in beta.
… Firefox Send only comes with a basic free option.
… But it should boast enough security perks to keep general Firefox users happy: You can choose when your file link expires, the number of downloads, and whether to add an optional password. Recipients, on the other hand, simply receive a link to download the file regardless of whether they have a Firefox account or not.

We’ll see.
Lawmakers introduce bipartisan bill for 'internet of things' security standards
The bill, introduced in the Senate by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) and in the House by Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.), would require established standards for government use of the devices.

There should be consequences for such failures. We seem to let them (Boards of Directors) slide.
Equifax Was Aware of Cybersecurity Weaknesses for Years, Senate Report Says
The attack on Equifax started in May, but was only detected in July, despite thousands of queries sent by threat actors to the company’s databases during that time.
A December 2018 report from the House of Representatives’ Oversight and Government Reform Committee Republicans blasted the company for its poor security practices, and the new U.S. Senate report does that once again, while also providing some more details on Equifax’ failures regarding the incident.
According to the report (PDF), Equifax was aware of security weaknesses in its systems for two years, but failed to properly address them. The critical vulnerability that led to the data breach was patched only months after being publicly reported.
“Equifax employees were unable to respond adequately due to a failure to implement basic cybersecurity standards, which prevented Equifax from complying with its own internal policies and procedures,” the report reads.
Moreover, the company was unable to locate vulnerable assets in its inventory,

What was illegal is now illegal-er? How does that help?
Drone no-fly zones around UK airports are expanding this week
Starting this Wednesday, March 13th, it will be illegal to fly a drone within three miles of an airport in the UK, up from the 0.6-mile limit that’s currently in effect. The rule changes, which were first announced last month, more than quadruple the radius of each airport’s drone restricted airspace.
The new laws are in response to drone activity that effectively shut down the UK’s second-largest airport, Gatwick, for over a day in the run-up to Christmas last year. However, despite the incident affecting over 1,000 flights and as many as 140,000 passengers, police still don’t know who was responsible.

How to create Internet Laws?
Ten Principles for a New Approach to Regulating the Internet
The ten principles are:
Ethical design.
Recognition of childhood.
Respect for human rights and equality.
Education and awareness-raising.
Democratic accountability, proportionality and evidenced-based approach.

Another way we run into Privacy laws.
California Privacy Law Threatens Discount Programs, ANA Says
… The California Consumer Privacy Act, set to take effect next year, allows consumers to learn what personal information about them is held by businesses, request deletion of that information, and to opt out of its sale. The bill contains a provision prohibiting companies from charging higher prices to consumers who opt out of data collection and selling. But the measure also allows businesses to offer "financial incentives" to consumers who allow their data to be collected and sold -- provided that the incentives are related to the data's value.
The ANA is now calling on state Attorney General Xavier Becerra to issue regulations specifically providing that loyalty programs are permissible under the new law.

Alston & Bird lawyers write:
On March 6, the Washington state Senate voted 46-1 to approve the Washington Privacy Act (WPA or the Act), otherwise known as SB 5376. If the bill passes the House, the bill would become the second comprehensive state privacy legislation behind the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. The bill would provide consumer rights, impose obligations on businesses collecting and selling personal information, and create an office of privacy and data protection to interface with state agencies on data privacy and data protection policy matters. The bill draws from the CCPA and the European Union’s General Data Protection Regulation (GDPR).

Doing what no human can?
How Artificial Intelligence Is Changing Science
No human, or team of humans, could possibly keep up with the avalanche of information produced by many of today’s physics and astronomy experiments. Some of them record terabytes of data every day — and the torrent is only increasing. The Square Kilometer Array, a radio telescope slated to switch on in the mid-2020s, will generate about as much data traffic each year as the entire internet.
The deluge has many scientists turning to artificial intelligence for help. With minimal human input, AI systems such as artificial neural networks — computer-simulated networks of neurons that mimic the function of brains — can plow through mountains of data, highlighting anomalies and detecting patterns that humans could never have spotted.

Why I try not to laugh at my students.
Taking Laughter Seriously at the Supreme Court
Jacobi, Tonja and Sag, Matthew, Taking Laughter Seriously at the Supreme Court (March 9, 2019). Vanderbilt Law Review, Forthcoming. Available at SSRN:
“Laughter in Supreme Court oral arguments has been misunderstood, treated as either a lighthearted distraction from the Court’s serious work, or interpreted as an equalizing force in an otherwise hierarchical environment. Examining the more than 9000 instances of laughter witnessed at the Court since 1955, this Article shows that the justices of the Supreme Court use courtroom humor as a tool of advocacy and as a signal of their power and status. As the justices have taken on a greater advocacy role in the modern era, they have also provoked an increasing level of laughter. The performative nature of courtroom humor is apparent from the uneven distribution of judicial jokes, jests, and jibes. The justices overwhelmingly direct their most humorous comments at the advocates who they disagree with, the advocates who are losing, and at novice advocates. Building on prior work, we show that laughter in the courtroom is yet another aspect of judicial behavior that can be used to predict cases before justices have even voted. Many laughs occur in response to humorous comments, but that should not distract from the serious and strategic work being done by that humor. To fully understand oral argument, Court observers would be wise to take laughter seriously.”

For all my students.
Microsoft launches business school focused on AI strategy, culture and responsibility
In recent years, some of the world’s fastest growing companies have deployed artificial intelligence to solve specific business problems. In fact, according to new market research from Microsoft on how AI will change leadership, these high-growth companies are more than twice as likely to be actively implementing AI as lower-growth companies.
What’s more, high-growth companies are further along in their AI deployments, with about half planning to use more AI in the coming year to improve decision making compared to about a third of lower growth companies. Still, less than two in 10 of even high-growth companies are integrating AI across their operations, the research found.
… Today, Azizirad and her team are launching Microsoft’s AI Business School to help business leaders navigate these questions. The free, online course is a master class series that aims to empower business leaders to lead with confidence in the age of AI.
AI Business School course materials include brief written case studies and guides, plus videos of lectures, perspectives and talks that busy executives can access in small doses when they have time. A series of short introductory videos provide an overview of the AI technologies driving change across industries, but the bulk of the content focuses on managing the impact of AI on company strategy, culture and responsibility.
… The business school complements other AI learning initiatives across Microsoft, including the developer-focused AI School and the Microsoft Professional Program for Artificial Intelligence, which provides job-ready skills and real-world experience to engineers and others looking to improve their skills in AI and data science.
Unlike these other initiatives, AI Business School is non-technical and designed to get executives ready to lead their organizations on a journey of AI transformation, according to Azizirad.

For the student toolkit?

Monday, March 11, 2019

A China like attack? Searching for IP?
Attack on Software Giant Citrix Attributed to Iranian Hackers
The company said it was informed by the FBI on March 6 that its systems had been breached by “international cyber criminals.” Citrix has launched a forensic investigation and it has taken action to secure its network.
Citrix’s investigation so far suggests that the attackers may have accessed and downloaded some business documents, but it has yet to determine exactly which documents may have been stolen. The company says there is no evidence that the security of its products or services has been compromised as a result of the attack.
“While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security,” stated Citrix CISO Stan Black.
A cybersecurity firm named Resecurity claims the attack was carried out by an Iran-linked group tracked as IRIDIUM, which reportedly hit over 200 organizations, including government agencies, tech firms, and oil and gas companies.
Resecurity representatives told NBC News that the attackers may have been lurking inside Citrix’s network for the past 10 years.

Cry wolf? On the other hand, the US would like to see his regime fail.
Venezuela's Maduro Says Cyber Attack Prevented Power Restoration
Maduro told supporters in Caracas that almost 70 percent of power had been restored when "we received at midday another cyber attack at one of the generators that was working perfectly and that disturbed and undid everything we had achieved."
The government blamed the outage on US sabotage at the central generator in Guri, in the country's south, which provides 80 percent of Venezuela with its electricity.
Experts say Venezuela's power problems are due to a lack of investment in infrastructure.
Maduro's regime usually blames outages on outside factors.

Security theater.
The US Government Will Be Scanning Your Face At 20 Top Airports, Documents Show
In March 2017, President Trump issued an executive order expediting the deployment of biometric verification of the identities of all travelers crossing its borders. That mandate stipulates facial recognition identification for “100 percent of all international passengers,” including American citizens, in the top 20 US airports by 2021. Now, the United States Department of Homeland Security is rushing to get those systems up and running at airports across the country. But it's doing so in the absence of proper vetting, regulatory safeguards, and what some privacy advocates argue is in defiance of the law.

Probably needs all the help we can provide.
FPF Comments on the California Consumer Privacy Act (CCPA)
On Friday, the Future of Privacy Forum submitted comments to the Office of the California Attorney General (AG), Xavier Becerra.

All they need to do is pick and choose from the warped realities people already have.
Russian Internet Trolls Are Apparently Switching Strategies for 2020 U.S. Elections
Russian internet trolls appear to be shifting strategy in their efforts to disrupt the 2020 U.S. elections, promoting politically divisive messages through phony social media accounts instead of creating propaganda themselves, cybersecurity experts say.
The Kremlin-linked Internet Research Agency may be among those trying to circumvent protections put in place by companies including Facebook Inc. and Twitter Inc. to find and remove fake content that hackers created to sow division among the American electorate in the 2016 presidential campaign.

The Six Wings Of The Democratic Party
There’s a lot of news right now about conflicts within the Democratic Party, and similar stories will likely continue to pop up for the next two years. Much of this is normal and unsurprising. The American political system has only two major parties, resulting in those parties being large and internally diverse — a political reporter could write a “Democrats divided” or “Republicans divided” story virtually any day of any year. And the Democrats are in a complicated place politically at the moment, having just won a major election but not the presidency, which would give the party one single person to rally around.
All that said, it’s worth unpacking these divides among elected Democrats. Not because they will necessarily hurt the party in November 2020, but because those divides will explain a lot of what happens day-to-day until the presidential election and potentially afterward.

For all my students.
Committee Report Confirms College is Still Well Worth the Cost
“A report released this morning by the Committee on Education and Labor reveals that a college degree is still well worth the cost. The report, titled “Don’t Stop Believin’ (in the value of a college degree)” collects the mountain of evidence showing that – despite the recent skepticism regarding the value of a college – researchers have consistently found that the benefits of a college degree significantly outweigh the costs. The key takeaways of the report are:
  • College degrees yield a large return for individuals: bachelor’s and associate’s degree holders earn up to $1 million and $400,000 more than high school graduates over their lives, respectively.
  • College is a worthy investment for state governments: for every $1 states invest in higher education, they receive up to $4.50 back in increased tax revenue and lower reliance on government assistance.
  • College graduates play a key role in strengthening the American economy. Two out of three jobs are filled by individuals who have at least some college education.
  • However, barriers continue to prevent many students of color and low-income students from accessing and obtaining college degrees.
  • The next Higher Education Act (HEA) reauthorization should expand access, improve affordability, and promote completion for all students.
Starting next week, the Committee will hold five bipartisan hearings on higher education, marking the formal start of an effort to reauthorize the Higher Education Act in the 116th Congress. These hearings reflect the Committee’s shared intention to host a thoughtful and open exchange of ideas for improving America’s higher education system…”