Saturday, March 23, 2019

Why not? My Ethical Hackers will tell me.
Lorenzo Franceschi-Bicchierai reports:
This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.
A company that sells consumer-grade software that lets customers spy on other people’s calls, messages, and anything they do on their cell phones left more than 95,000 images and more than 25,000 audio recordings on a database exposed and publicly accessible to anyone on the internet. The exposed server contains two folders with everything from intimate pictures to recordings of phone calls, given that the app markets itself mostly to parents.
Read more on Motherboard.

“Hello, we’re from the government. We’re here to help.” I guess they hire others to do harm.
Caroline Linton reports:
FEMA mistakenly exposed personal information, including addresses and bank account information, of 2.3 million disaster victims, the Department of Homeland Security’s Office of Inspector General said in a report released Friday. The breach occurred because FEMA did not ensure a private contractor only received information it required to perform its official duties, the report said.
The victims affected include survivors of Hurricanes Harvey, Irma and Maria and the 2017 California wildfires.
The report found FEMA’s failure to protect their data put them at risk of identity theft and fraud.
Read more on CBS

A near perfect headline!
Olivia Rizzo reports:
Several high school students are in hot water after they were able to log into their schools’ computer systems to change grades and attendance records.
A letter was sent out Wednesday to parents of high school students in the Elizabeth Public School system informing them of the data breach.
“Unfortunately, a number of our students have made some poor choices by participating, to varying degrees, in compromising our student information system to manipulate attendance and classroom grades,” a letter from the district’s Superintendent Olga Hugelmeyer read.

Where were you on the night of the murder? Don’t bother to answer, your App has already ratted you out.
Matt Swayne writes:
Fitness apps and other smart devices embedded with GPS satellite chips and other sensors may use satellite data to help users stay fit and healthy, but, according to Penn State and Penn State Dickinson Law researchers, they unwittingly open a gateway to privacy-related legal and ethical headaches and are a repeated source of national security threats.
In a session at the Penn State Law Review annual symposium held today (March 22), the researchers and Dickinson Law professors said that immediate focus is needed on how vast quantities of data, collected from sensors embedded in smart devices combined with both government-owned and privately owned satellite mapping technologies, is aggregated, used, disseminated, and bought and sold. Government-owned satellite mapping technologies, including global positioning satellites, provide free, worldwide access for use in GPS chip-embedded devices.
Read more on Penn State News.

A series on Privacy.
Michael Grothaus writes:
This story is part of The Privacy Divide, a series that explores the fault lines and disparities–economic, cultural, philosophical–that have developed around digital privacy and its impact on society.
Increasingly, the most important issue for everyday internet users is privacy—and rightly so. In today’s connected world, we’re being tracked and surveilled more than ever by everyone from search giants and social media companies to ISPs and advertising firms. These organizations don’t just record what we click on or share, but analyze our online activity to compile complex demographic and psychographic profiles about us—so they can manipulate us into doing their bidding, whether that’s clicking on ads they serve us based on the data they hold about us or getting us to interact with their sites more and share even more information about ourselves.
Read more on Fast Company.

An automated bias reinforcing App. Could be a political ad with no specific political orientation. Some elements of “six degrees of separation” thinking.
How Twitter's algorithm is amplifying extreme political rhetoric
Imagine opening up the Twitter app on your phone and scrolling through your feed. Suddenly, you come across a hyper-partisan tweet calling Hillary Clinton the "godmother of ISIS." It's from a user you do not follow, and it's not in your feed by virtue of a retweet from a user you do follow. So how did it get there?
Over the last several months, Twitter has begun inserting what it believes to be relevant and popular tweets into the feeds of people who do not subscribe to the accounts that posted them. In other words, Twitter has started showing users tweets from accounts that are followed by those they follow. This practice is different from the promoted content paid for by advertisers, as Twitter is putting these posts into the feeds of users without being paid and without consent from users.
Twitter said its goal with the practice is to expose users to new accounts and content that they might be interested in. In some situations, the practice is innocuous and perhaps even beneficial. For instance, if someone is watching the Super Bowl, but doesn't follow Tom Brady, it might be useful for them to see his post-game tweet.
… In effect, the practice means Twitter may at times end up amplifying inflammatory political rhetoric, misinformation, conspiracy theories, and flat out lies to its users.
… The feature affects different users in different ways because it relies on the accounts followed by the user to determine which tweets to insert into the timeline. It does not appear to be biased toward a particular ideology, but only biased toward what content users might engage with. If a user primarily follows accounts on the political left, it's likely that person will see inserted content from other accounts on the left. The same goes for people who follow accounts on the political right.

Something every citizen should have? (Free)
All the Crime, All the Time: How Citizen Works
Open Citizen and you will see a familiar blue location dot — that’s you! — surrounded by other, often larger dots, in red and yellow. Each represents an incident, either of the “Recent” or “Trending” variety, that has recently been reported in your proximity, and that may even be unfolding at the very moment.
… Particularly notable reports might have video, sometimes live, as well as a timeline of new developments, and a chat-scroll full of users discussing what they’re seeing. (“This is the second time this has happened in a month,” noted one citizen in TAXI ENGULFED IN FLAMES. “Is it gonna blow up,” wondered another, watching the live video broadcast of firefighters putting down the fire.)

Free is good. In this case, free is good for Microsoft. (
The Windows 10 calculator will soon be able to graph math equations
Microsoft is adding a graphing mode to the Windows 10 calculator. The company made the calculator open-sourced on GitHub earlier this month and has received over thirty suggestions from contributors so far, as spotted by ZDNet.
… As of now, the feature’s still under development but GitHub notes indicate users would be able to graph linear, quadratic, and exponential equations.
[Until it’s ready, try:

For my programmers. Always steal, study and create your own version of the best!

Same for Artificial Intelligence?

Friday, March 22, 2019

I wonder if there was someone like me who sent articles describing how incredibly stupid this was to any manager at Facebook, let alone Mark Zuckerberg.
Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years
Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.
Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.
The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

Learn from the failures of others. Even if it didn’t result in jail time.
Jared Kushner and Ivanka Trump Use Private Accounts for Official Business, Their Lawyer Says
The chairman of the House Oversight and Reform Committee revealed information on Thursday that he said showed Ivanka Trump and Jared Kushner used private messaging services for official White House business in a way that may have violated federal records laws.
… Mr. Kushner uses an unofficial encrypted messaging service, WhatsApp, for official White House business, including with foreign contacts.

AI isn’t perfect. Or the training of AI isn’t perfect. Relying on AI is a management failure?
Facebook says its artificial intelligence systems failed to detect New Zealand shooting video
… Facebook’s vice president of integrity, Guy Rosen, said “this particular video did not trigger our automatic detection systems.”
"AI has made massive progress over the years and in many areas, which has enabled us to proactively detect the vast majority of the content we remove," Rosen said. "But it’s not perfect."
One reason is because artificial intelligence systems are trained with large volumes of similar content, but in this case there was not enough because such attacks are rare.
Rosen said another challenge is in getting artificial intelligence to tell the difference between this and “visually similar, innocuous content,” such as live-streamed video games.

Only a lawyer would think this clears things up.
Tim Murphy reports:
MPs have revised privacy legislation to avoid a risk of ‘notification fatigue’ in which holders of data would be forced to advise the public of even minor data breaches.
Parliament’s justice select committee has raised the threshold in the Privacy Bill for when mandatory notifications to the Privacy Commissioner and affected individuals would be required from a breach causing “harm” to one of “serious harm”.
Now, the judgment of “serious harm” from a breach would be determined by a range of factors set out in the revised bill including: the actions a holder of data has taken to reduce the harm; the sensitivity of the information; the nature of the harm; those to whom the information might be disclosed; and whether the information is protected by security measures.
Read more on Newsroom. I wish they had linked to the actual language of the legislation. I’ll go look for it.
Update: Thanks to the Office of the Privacy Commissioner for the link to the actual text:

For my next Computer Security class.
Enigma, Typex, and Bombe Simulators
GCHQ has put simulators for the Enigma, Typex, and Bombe on the Internet.
News article.
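For classroom use, a compact Enigma I model makes the mechanism concrete: three rotors with ring settings, turnover notches and the double-stepping anomaly, a reflector, and a plugboard. This is an added example written for this page, not GCHQ's simulator code; the rotor and reflector wirings are the published historical tables for rotors I, II, III and reflector B, and the test vector (`AAAAA` at default settings enciphers to `BDZGO`) is the standard one those tables produce.

```python
# Added example: minimal Enigma I simulator (rotors I-III, reflector B, plugboard,
# ring settings, double-stepping). Not GCHQ's code; wirings are the historical tables.
import string

ALPHA = string.ascii_uppercase

# Rotor wiring (A->?) and the letter shown in the window when the notch engages.
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Rotor:
    def __init__(self, name: str, position: str = "A", ring: str = "A"):
        wiring, notch = ROTORS[name]
        self.forward = [ALPHA.index(c) for c in wiring]
        self.backward = [self.forward.index(i) for i in range(26)]
        self.notch = ALPHA.index(notch)
        self.pos = ALPHA.index(position)   # letter visible in the window
        self.ring = ALPHA.index(ring)      # Ringstellung: offset of wiring vs. alphabet ring

    def at_notch(self) -> bool:
        return self.pos == self.notch

    def step(self) -> None:
        self.pos = (self.pos + 1) % 26

    def _through(self, c: int, table: list[int]) -> int:
        # Shift into the rotor's frame, map through the wiring, shift back out.
        shift = (self.pos - self.ring) % 26
        return (table[(c + shift) % 26] - shift) % 26

    def fwd(self, c: int) -> int:
        return self._through(c, self.forward)

    def back(self, c: int) -> int:
        return self._through(c, self.backward)


class Enigma:
    def __init__(self, rotors=("I", "II", "III"), positions="AAA", rings="AAA", plugboard=""):
        # Rotors listed left-to-right as on the machine; current enters at the right rotor.
        self.rotors = [Rotor(n, p, r) for n, p, r in zip(rotors, positions, rings)]
        self.plug = list(range(26))
        for pair in plugboard.split():            # e.g. "AB CD" swaps A<->B and C<->D
            a, b = ALPHA.index(pair[0]), ALPHA.index(pair[1])
            self.plug[a], self.plug[b] = b, a
        self.reflector = [ALPHA.index(c) for c in REFLECTOR_B]

    def _step(self) -> None:
        left, mid, right = self.rotors
        # Double-stepping: the middle rotor advances when the right rotor sits on its
        # notch, and also advances itself (carrying the left rotor) when it sits on its own.
        if mid.at_notch():
            mid.step()
            left.step()
        elif right.at_notch():
            mid.step()
        right.step()                              # the right rotor steps on every keypress

    def _encipher_char(self, ch: str) -> str:
        self._step()                              # rotors move before the circuit closes
        c = self.plug[ALPHA.index(ch)]
        for r in reversed(self.rotors):           # right -> left
            c = r.fwd(c)
        c = self.reflector[c]
        for r in self.rotors:                     # left -> right
            c = r.back(c)
        return ALPHA[self.plug[c]]

    def encipher(self, text: str) -> str:
        """Encipher (or, with identical settings, decipher) A-Z text; other characters dropped."""
        return "".join(self._encipher_char(ch) for ch in text.upper() if ch in ALPHA)


if __name__ == "__main__":
    print(Enigma().encipher("AAAAA"))             # BDZGO at default settings
```

Two properties worth having students check against the simulator: the machine is self-reciprocal (the same settings decipher what they enciphered), and because of the reflector no letter ever enciphers to itself, which is the known-plaintext weakness the Bombe exploited.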

Silicon Island?
First details of Malta’s Artificial Intelligence policy announced
The first details of Malta’s Artificial Intelligence policy were announced on Thursday at a workshop organised by the taskforce.
Silvio Schembri, Parliamentary Secretary for Financial Services and the Digital Economy, said that Malta aspires to become a jurisdiction in which local and foreign companies and entrepreneurs can develop, prototype, test and scale AI, and ultimately showcase the value from their innovations.
… The policy document will be open for public consultation until April 22. It can be accessed at:

‘We want an AI-powered government’, Silvio Schembri says as AI vision launched
… The consultation document, which was formulated by the Malta.AI Taskforce which was appointed last year, is built on three major pillars and three strategic enablers. The pillars are: Innovation, start-ups and investment; public sector adoption; and private sector adoption, while the three enablers are: education and workforce; legal and ethical framework; and infrastructure.

Does everyone want to sell stuff online? A question for my Architecture students.
Pinterest hires the exec behind Walmart's tech transformation
If you're wondering how serious Pinterest is about turning itself into more of a shopping portal, here's your answer: the company has just hired former Walmart CTO Jeremy King as Head of Engineering. King headed Walmart's e-commerce team and oversaw most of the massive retailer's digital strategy, including in-store pickup of online orders and online grocery pickup. He also led the company's innovation arm called Walmart Labs. While Amazon continues to dominate the e-commerce space, Bloomberg says Walmart's online sales grew by 40 percent last year under his leadership.

(Related) Amazon wants to sell stuff.
Can Amazon Reinvent the Traditional Supermarket?
Amazon’s plans to launch physical grocery stores this year is just the latest affirmation that, ironically, bricks-and-mortar stores are crucial to the e-commerce giant’s future growth. Amazon may launch as many as 2,000 supermarkets in major U.S. cities, according to a recent report in The Wall Street Journal. It will be Amazon’s sixth physical retail format after Whole Foods, Amazon Books, Amazon Go, Amazon 4-Star and Amazon Pop-Up.
… Whatever retail store format Amazon uses, it “would be built upon this tremendous capacity they have to gather, analyze, understand and use what customers are saying to them every day,” said Mark Cohen, director of retail studies at Columbia University who had been CEO of Sears Canada. “Amazon is proof-positive of the value of big data and the way in which you collect it and the way in which you examine it and use it.”

Mobile time-spent jumps up: YouTube corners ~40% of the traffic, Facebook less than 10%
Smartphones are the big gainers in media consumption year-over-year, according to the just-released Nielsen’s Q3 2018 Total Audience Report.
There’s been a significant jump in mobile time-spent among 18-34s, from 29% to 34%. The growth came at the expense of television viewing.
… With mobile media consumption coming at the expense of television viewing, it’s no wonder that a large chunk of the attention is going to the leading online video platform, YouTube.
A Sandvine study (The Mobile Internet Phenomena Report, Feb 2019) found that YouTube is now responsible for 37% of all mobile internet traffic. Interestingly, Facebook is running neck and neck with Snapchat when it comes to mobile traffic, with both having less than 9%.

(Related) “What’s a record, Grandpa?”
Streaming accounts for more than half UK record label income
Music streaming services generated more than half of the income earned by record labels in the UK last year, as CD sales continue to plummet.
Subscription streaming platforms operated by Spotify, Amazon Music and Apple Music, made revenues of £468m in the UK last year, 54% of the £865.5m total income for the recorded music industry. It is the first time that subscription streaming revenues, which grew at 35% year-on-year in 2018, have accounted for more than half of total recorded music revenues for labels.

(Related) “How did anyone watch TV before the Internet, Grandpa?”
The MPAA says streaming video has surpassed cable subscriptions worldwide
The Motion Picture Association of America (MPAA) reported today that the world’s entertainment market — encompassing both theatrical and home releases — grew to a new high in 2018: $96.8 billion, 9 percent over 2017.
… When it comes to streaming video, the MPAA reports that subscriptions surpassed cable television for the first time, with 131.2 million new subscriptions added, rising to 613.3 million worldwide, a jump of 27 percent over 2017’s numbers. The report says that cable subscriptions dropped by 2 percent to 556 million.

Thursday, March 21, 2019

Once inside as Admin, the bad guys could go global? Probably better to divide your IT systems.
Norsk Hydro Attack Contained, New Website Live, Samples Analysed
Two days after first announcing a crippling cyber attack, major metals producer Norsk Hydro has launched a new website, says it has succeeded in “detecting the root cause” of the problems and is currently working to restart the company’s IT systems.
… The company added: “Currently, the only known way to remove LockerGoga from your system is to restore from backup.”

Hydro working hard to recover following ransomware attack
Hydro’s entire global network was taken down by the attack. The company’s US factories were amongst those affected, as well as smelting plants in Norway. However, other facilities - including the firm’s power plants - are functioning normally.
The Norwegian National Security Authority (NSM) has said that the relatively new LockerGoga ransomware was to blame for the incident.
… Unlike many other families of ransomware, LockerGoga appears to only be being used in a limited fashion, with specific organisations being targeted for attack. And for that reason it doesn’t have its own mechanism of spreading throughout an organisation.
That makes LockerGoga different from other hard-hitting ransomware such as Wannacry or NotPetya, which cared little about the organisations it infected. For LockerGoga to be successfully deployed inside a targeted organisation it needs to already have admin rights.

Easily automated. A good thing my Ethical Hacking students pledge not to do this.
Lithuanian man pleads guilty to scamming Google and Facebook out of $123 million
A Lithuanian man admitted today to defrauding Google and Facebook out of $123 million by using fake invoices to trick employees into wiring money to his bank accounts.
… US officials said Rimasauskas operated by using a company he set up that employed a name similar to Quanta, a reputable provider of data center hardware products.
He targeted Google and Facebook because both companies run their own data centers and were known to have had business relations with Quanta.
… He used fake invoices, contracts, and letters that fooled Google and Facebook employees into sending requested payments to the bank accounts provided by Rimasauskas, located at banks in Latvia and Cyprus.
US authorities said that as soon as the suspect received payments in these bank accounts, they were immediately transferred to other banks in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong, at accounts controlled by Rimasauskas.
Rimasauskas ran the scheme for three years between 2013 and 2015, allegedly defrauding Google out of $23 million and Facebook out of $100 million.

An article for my lawyer friends who STILL don’t encrypt client data.
Anton Janik, Jr. of Mitchell, Williams, Selig, Gates & Woodyard, P.L.L.C. writes:
As attorneys, our livelihood is often heavily dependent upon the keeping of secrets. But in this complex electronic-data driven environment we work in, where physical security via locked doors and piercing alarms may no longer be solely sufficient to keep client confidences from prying eyes, what is the modern attorney supposed to do? ABA Opinion 483 provides guidance on a lawyer’s duty when client confidential information is hacked from the law firm.
Read more on JDSupra.

Periodically I need to introduce my students to the “Streisand Effect.”
Devin Nunes sued an obscure Twitter account. Now ‘Devin Nunes’ Cow’ has more followers than the congressman
The Twitter account “Devin Nunes’ cow,” which professes to be “hanging out on the dairy in Iowa looking for the lil’ treasonous cowpoke,” has more than 550,000 followers as of Thursday morning, a dramatic increase from the 1,000 or so before Rep. Devin Nunes (R-Calif.) filed a lawsuit Tuesday accusing the cow account (@DevinCow), Twitter, and two other users of defamation.
Nunes’s own verified account has 396,000 followers.
The suit alleges that the cow account, as well as one called @DevinNunesMom, “repeatedly tweeted and retweeted abusive and hateful content” about the congressman in violation of Twitter user guidelines.

Does this increase Volvo’s liability? “Your system failed to stop the car that crashed into my car!” Is this okay under the GDPR or California Privacy law?
Volvo will use cameras to fight drunk and distracted driving
Volvo plans to use cameras and sensors inside cars to combat drunk and distracted driving. The vehicles may intervene if a driver doesn't respond to warning signals – cars may limit their speed, alert the Volvo on Call service (which will contact the driver) or perhaps even slow down and park. Volvo on Call may send additional help if necessary.
… With those cameras and sensors, however, come inevitable concerns about surveillance and whether drivers will be comfortable with being explicitly monitored while they're behind the wheel. Volvo is aware of those worries though. It "wants to start a conversation about whether car makers have the right or maybe even the obligation to install technology in cars that changes their drivers' behavior," it said in a press release.

Perspective. Perhaps “percent of revenue” should be replaced with “percent of market value.” Or whichever is greater?
Google was slapped with another huge EU fine — and investors didn’t bat an eye
Google was hit with another fine from EU antitrust regulators Wednesday, and investors didn’t bat an eye.
The stock rose 2 percent by the end of trading, outpacing Apple and Microsoft for the day and adding nearly $17 billion to the company’s market value.

Perspective. I see this as a very good thing. The scut work was always handed to new Project Management people (the same thing happens in most fields) so many just dropped out.
Whither project managers? AI will take 80 percent project management tasks, says Gartner
Gartner projected that by 2030, 80 percent of the tasks involved in project management will be eliminated. Things like data collection, tracking and reporting will be taken over by AI.
… Gartner recommends that project and portfolio management leaders look into using conversational AI, machine learning and robotic process automation.

Also a scut work issue, as lots of police work seems to be.
Facial recognition overkill: How deputies cracked a $12 shoplifting case
On a Saturday afternoon in late November 2017, a woman walked into a Wilco Farm store in Oregon, stuffed a $130 pair of Georgia Boots in her purse and walked out.
About 24 hours later, she turned herself in to the Washington County jail.
… The speedy investigation was made possible by Amazon's Rekognition, facial recognition software that let the Washington County Sheriff's Office create its own searchable database of county jail mugshots. A WCSO deputy watched a surveillance recording of the woman pilfering the boots, grabbed pictures of her face from the footage and imported them into the sheriff's office's new tool. He quickly got back a digital lineup of mugshots and found a possible match.
… WCSO officials confirmed they've mostly trained this sophisticated and controversial tool on mundane crimes, including one in which a woman stole a $12 gas tank from an Ace Hardware store, a CNET investigation into WCSO police reports found.
… "The investigation of petty crimes does not justify the creation of a massive facial recognition database like this one," he said. [But since they already have the database, why not use it for anything it can help them with? Bob]

This isn’t funny.

That’s it! Tomorrow I’m converting this to a ‘Beauty Blog!’
Glossier started as a beauty blog and is now valued at $1 billion
Glossier is now a unicorn.
The New York-based beauty brand is now valued at $1.2 billion following its latest funding round, according to a source familiar with the deal.
… In 2010, Weiss started a popular blog called "Into the Gloss" with beauty tips, trends and tutorials. She used it to launch beauty and skincare brand Glossier four years later, which offers simple and affordable products.
Glossier has since attracted a cult-like following with nearly 2 million followers on Instagram. Weiss has been credited with being especially effective at using social media to reach customers.

Wednesday, March 20, 2019

Does not seem that Norsk Hydro is making much progress on their ransomware (?) attack. This is all that appears on their website.
Following an extensive cyber attack on Tuesday March 19, Hydro has made progress in securing safe and stable operations across the company.
For updated information about the situation, go to Hydro’s Facebook pages:

(Related) Very few articles today. Almost all are from yesterday. Strange.
Nordic Metals Giant Restarts Some Systems After Ransomware Attack
… The company plans to restart some systems in divisions that make finished metal, which should help it continue deliveries to customers, according to a statement on Wednesday. It has detected the “root cause” of the attack, but didn’t know how long it would take to restore stable computer systems.
… Hydro said yesterday that it didn’t know the identity of the hackers and believes the attack originated in the U.S.

Nordic metals firm Hydro restoring systems after cyber attack
… The Norwegian National Security Authority (NSM), the state agency in charge of cybersecurity, said the attack used a virus known as LockerGoga, a relatively new strain of so-called ransomware, which encrypts computer files and demands payment to unlock them.
The LockerGoga malware is not widely used by cyber crime groups, cyber security researchers said, but has been linked to an attack on French engineering consultancy Altran Technologies in January.
Hydro said on Tuesday it did not plan to pay the hackers to restore files and would instead seek to restore its systems from backup servers.

“If you can’t police your content, we have a rather extreme alternative.”
4chan, Liveleak blocked by Australian internet providers
Telstra yesterday blocked access to 4chan, 8chan and Voat, the blog Zerohedge and video hosting platform Liveleak.
"We understand this may inconvenience some legitimate users of these sites, but these are extreme circumstances and we feel this is the right thing to do," Telstra networks and IT executive Nikos Katinakis said in a statement.

Not the outcome I would have predicted. Still, it does point to a disconnect. I thought CEOs were responsible for everything. Apparently not IT.
Stop the world. I want to get off.
Mark Sutton reports:
Bosses are more likely to receive a pay rise after their firm suffers a cybersecurity breach, according to a study by the UK’s Warwick Business School.
Researchers at Warwick Business School found that media reports of a cyber-attack led to a stock market “shock” as investors sold their shares, but this only lasted a few days.
Security breaches did have a lasting impact on the way firms were run, as they typically paid lower dividends and invested less in research and development up to five years after the attack.
Yet they were no more likely to fire their chief executive. On the contrary, bosses were more likely to receive an increase in total and incentive pay several years after a security breach.

A hint of things to come?
I miss the days when we used to say that baseball was as American as apple pie. Nowadays, we can only say that about surveillance, it seems.
Joe Cadillic writes:
I hope you enjoyed America’s favorite pastime because by the end of this year, nearly every Major League Baseball (MLB) team will be using facial recognition.
Last year, there were only nine MLB teams using CLEAR’s facial recognition to spy on fans. But all of that is about to change.
This year, the MLB has decided to go full-blown TSA and put facial recognition cameras in 23 stadiums which is just seven shy of the entire league.
According to a Business Wire article, the MLB plans to scan the faces of millions of baseball fans.
Read more on MassPrivateI.
[From the Business Wire article:
This new partnership will leverage’s API, allowing CLEAR members who link their CLEAR profile with their account to gain entry with just the tap of a finger or, in the near future, facial recognition technology.
… CLEAR will also soon unveil new biometric-powered concessions in the state of Washington, enabling fans to pay for food, beer and validate legal age with just the tap of a finger or blink of an eye.

Just a thought, but will the US need a law like this when The Wall fails to do the job?
New U.K. Border Security Law: A Frightening Response to the Skripal Poisoning
With Brexit naturally dominating the parliamentary agenda and media coverage in the U.K., the Counter-Terrorism and Border Security Act 2019 passed into law last month with barely a peep in the press.
… Two key elements of the border security sections of the new Act are most concerning: new authority to stop and search based on vaguely defined “hostile activity,” and the absence of a “reasonable suspicion” standard for taking those steps.
… The definition of what constitutes a “hostile act” itself is extremely broad. A “hostile act” is one that: (a) threatens national security, (b) threatens the economic well-being of the United Kingdom in a way relevant to the interests of national security, or (c) is a serious crime.
… The wide definition of “hostile act” becomes much more problematic due to the absence of any requirement for a border officer to have “reasonable suspicion,” a standard that applies to the bulk of search powers under U.K. law. Indeed, under Schedule 3, paragraph 1(4) “an examining officer may exercise the powers … whether or not there are grounds for suspecting that a person is or has been engaged in hostile activity.”

Perspective. Not using those services, I missed this entirely. (Good for me.)
Another Trump Facebook election
While Democrats' campaign launches have sucked up national attention, President Trump's re-election campaign has quietly spent nearly twice as much as the entire Democratic field combined on Facebook and Google ads, according to data from Facebook and Google's political ad transparency reports, aggregated by Bully Pulpit Interactive.
Why it matters: Political advertising strategists say that this level of ad spend on digital platforms this early in the campaign season is unprecedented.

Perspective. Their strategy is not like Amazon’s.
AI-Powered, Self-Driving Robots Are Taking On a Bigger Role at Walmart Stores
… Walmart recently revealed it's bringing self-driving robots powered by artificial intelligence (AI) to its stores to handle the mundane task of floor cleaning.
This often-overlooked chore would typically take Walmart associates (what the retailer calls its employees) about two hours per day, on average. Multiply that by more than 11,000 stores worldwide and that's a lot of time cleaning floors.
… In late 2017, Walmart began using similar technology from tech start-up Bossa Nova to scan shelves for out-of-stock items, incorrect prices, and wrong or missing labels. The device, which is only 2 feet high, has a telescoping tower that reaches more than 6 feet, allowing it to capture data from even the highest shelves.
Last year, the company launched a pilot test of a system called the Alphabot, which was developed especially for Walmart by start-up Alert Innovation. The device brings items from storage to associates assembling orders for grocery delivery, so they don't have to walk through the store searching for items.

Good government is careful to avoid even the appearance of manipulation.
… Last week, the FCC was forced to admit in court that its Electronic Comment Filing System (ECFS) was never designed to keep track of where comments originate.
… In response to allegations that millions of comments submitted to the FCC about net neutrality in 2017 were fabricated—using the names and home addresses of Americans without their consent—the New York Times is actively seeking access to the FCC’s internal logs under the Freedom of Information Act. Its reporters have specifically asked the FCC to turn over records that contain every comment and the IP addresses from which they originated. But the commission is fighting back.

A billion here, a billion there, pretty soon you’re talking real money! Is that still true?
Google hit with €1.5 billion antitrust fine by EU
… In a press conference this morning, EU antitrust commissioner Margrethe Vestager said that the tech giant had abused its dominant position by forcing customers of its AdSense business to sign contracts stating they would not accept advertising from rival search engines. Said Vestager: “The misconduct lasted over 10 years and denied other companies the possibility to compete on the merits and to innovate.”
… With the new penalty, Google’s total EU antitrust bill now stands at €8.2 billion ($9.3 billion). Today’s fine was lower than the previous two as Google actively worked with the European Commission to change its AdSense policies after the EU announced its case in 2016.

Something to toss into the debate.
Fear the Economic Singularity
Let’s say that technology keeps gradually replacing humans in the workforce. Eventually, what if technology existed that allowed entire companies to operate autonomously – completely without human intervention? After all, we are seeing steady movement in that direction as we engineers develop technology that surpasses human abilities one job at a time. Is the logical projection of that trend the company that has no human employees at all, only owners?
But, our giant robotic corporations of the future will still need humans for at least one role: customers. If our imaginary Fortune 500 automated AI monolith dominates the flat-screen TV market, there will still need to be folks who want (and can afford) flat screen TVs. But, if technology has eliminated all the jobs, it isn’t clear where most folks will come up with the cash to buy them.

A tool for my traveling students? (I suspect browsers like this are in response to the FBI’s insistence that they need to crack encryption.)
Opera adds unlimited VPN service to its Android browser for free
… Opera 51 for Android enables users to establish a private connection between their mobile device and a remote VPN server using 256-bit encryption. Users can pick a server of their choice from a range of locations. Unlike some VPN apps, Opera’s offering does not require users to open an account to use the service.

Free is good!
Free Cone Day is March 20th!
Celebrate the first day of spring with a free small vanilla DQ® Cone! At participating locations.

Tuesday, March 19, 2019

No matter who is behind this attack, or what their purpose may be, you have to consider this a cyber war proof of concept.
Huge aluminium plants hit by cyber-attack
One of the world's biggest aluminium producers has switched to manual operations at its smelting facilities following a cyber-attack.
Hydro, which employs more than 35,000 people in 40 countries, says the attack began on Monday night and is ongoing.
A spokesman told the BBC that he could not yet confirm what type of cyber-attack the Norwegian firm was facing, or who was behind it.
The company's website is currently down and it is posting updates to Facebook.
"IT systems in most business areas are impacted," the firm said.
Hydro told the BBC that digital systems at its smelting plants were programmed to ensure machinery worked efficiently.
However, these systems had had to be turned off.
Smelting operations in Norway, Qatar and Brazil had been affected, according to the Reuters news agency. Additionally, Hydro had shut down some of its smaller metal extrusion plants.

Will the police track down those who watched this live? Did they have knowledge that it was coming?
Update on New Zealand
  • The video was viewed fewer than 200 times during the live broadcast. No users reported the video during the live broadcast. Including the views during the live broadcast, the video was viewed about 4000 times in total before being removed from Facebook.
  • The first user report on the original video came in 29 minutes after the video started, and 12 minutes after the live broadcast ended.
  • Before we were alerted to the video, a user on 8chan posted a link to a copy of the video on a file-sharing site.

Because they work!
Phishing Attacks: Now More Common Than Malware
As custodians of the world’s most commonly used computer operating systems and cloud-based office tools, Microsoft’s security team is uniquely positioned to analyze trends in cyber security threats. The company’s regular Security Intelligence Reports, published at least annually since 2006, serve as an excellent indicator of these trends. The most recent report indicates that phishing attacks are now by far the most frequent threat to the cyber landscape, increasing a massive 250% since the publication of the previous report.
Microsoft’s numbers are based on an internal scan of Office 365 email addresses, with over 470 billion messages analyzed. The company reports that not only are phishing attacks much more frequent, but they have also significantly increased in sophistication in a short amount of time.

What happens when the system tries to kill you?
Death By 1,000 Clicks: Where Electronic Health Records Went Wrong
The U.S. government claimed that turning American medical charts into electronic records would make health care better, safer, and cheaper. Ten years and $36 billion later, the system is an unholy mess. Inside a digital revolution that took a bad turn.
… Her doctor had considered the possibility of an aneurysm and, to rule it out, had ordered a head scan through the clinic’s software system, the government alleged in court filings. The test, in theory, would have caught the bleeding in Monachelli’s brain. But the order never made it to the lab; it had never been transmitted.
… It didn’t take long for Foster to assemble a dossier of troubling reports — Better Business Bureau complaints, issues flagged on an eCW user board, and legal cases filed around the country — suggesting the company’s technology didn’t work quite the way it said it did.

We’ll have it all worked out in 20 or 30 years.
Products Liability and the Evolving Internet of Things
… Traditional products liability principles apply reasonably well to IoT devices when the device itself malfunctions.
… Liability is more difficult to judge in the IoT realm, where devices are increasingly integrated into networks. In the past, manufacturers have been held liable where defects in their products caused a series of failures in other, integrated products only when the manufacturer “substantially participated” in the integration of its products into the overall design of the network.
… Privacy threats and liability for security breaches fit less neatly in the traditional products liability framework, which may require an evolution of products liability law. The lack of clear, universal industry standards for IoT security makes proof of the existence of a design defect difficult.

Who knew that New York law schools had a class in Chutzpah? Not silly, non-lawyer me.
New York City’s newest luxury neighborhood, Hudson Yards, officially opened on Friday and visitors are already scrambling to photograph or mock its gilded pinecone landmark structure dubbed the Vessel.
But, as Gothamist points out, Hudson Yards seemingly claims rights to all such photos of the $200-million giant honeycomb floating above an active train yard, so long as they’re taken in and around the Vessel.
… Mickey Osterreicher, general counsel for the National Press Photographers Association told Gothamist that these terms and conditions don’t mean that Hudson Yards owns visitors’ content, but the organization is allowed “broad license” to use the content how it would like without visitors’ consent. And it means visitors can’t use their Vessel content commercially, according to Osterreicher’s reading.
James Grimmelmann, a law professor at Cornell Law School and Cornell Tech, blasted the “content” clause on Twitter.
It's even broader than photographs taken inside the Vessel. It also covers photographs "depicting or relating to the Vessel" even if not taken from inside. So if you "agree" to the license, it even applies to your later photographs of the Vessel taken from across the river.
So: Go to the Vessel. Take a photo or a video. Put it online with a Creative Commons Attribution license. You're not making a commercial use, and anyone else who does never agreed to the Vessel's terms.

No doubt President Trump would love to copy this law.
Russia's Putin Signs Into Law Bills Banning 'Fake News,' Insults
President Vladimir Putin has signed legislation enabling Russian authorities to block websites and hand out punishment for "fake news" and material deemed insulting to the state or the public.

For the toolkit: a free data visualization tool.
Center for Data Innovation: “The Financial Times has released a free data visualization tool called FastCharts to help people make professional charts with their data in less than a minute. Users can paste in their data in CSV or TSV format and the tool will automatically create an area, bar, column, or line chart with labels and a title. Once the tool creates a chart, users can customize their chart through actions such as highlighting specific data on the chart or changing the scale.”

A tool for checking student papers?
This Site Detects Whether Text Was Written by a Bot
Futurism – Reassuringly, Futurism articles registered as being written by humans. “Last month, developers from OpenAI announced that they had built a text generating algorithm called GPT-2 that they said was too dangerous to release into the world, since it could be used to pollute the web with endless bot-written material. But now, a team of scientists from the MIT-IBM Watson AI Lab and Harvard University built an algorithm called GLTR that determines how likely it is that any particular passage of text was written by a tool like GPT-2 — an intriguing escalation in the battle against spam.
When OpenAI unveiled GPT-2, they showed how it could be used to write fictitious-yet-convincing news articles by sharing one that the algorithm had written about scientists who discovered unicorns. GLTR uses the exact same models to read the final output and predict whether it was written by a human or GPT-2. Just like GPT-2 writes sentences by predicting which words ought to follow each other, GLTR determines whether a sentence uses the word that the fake news-writing bot would have selected… The IBM, MIT, and Harvard scientists behind the project built a website that lets people test GLTR for themselves. The tool highlights words in different colors based on how likely they are to have been written by an algorithm like GPT-2 — green means the sentence matches GPT-2, and shades of yellow, red, and especially purple indicate that a human probably wrote them…”
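To make the GLTR idea concrete, here is an added toy re-implementation (not GLTR's or OpenAI's code): every word is scored by the rank the generating model would have given it, and the ranks are bucketed into GLTR's green/yellow/red/purple colours. The model is a constructed bigram model standing in for GPT-2, and the bucket thresholds (top-1, top-3, top-10 instead of GLTR's top-10/100/1000) are scaled down for its tiny vocabulary; both are assumptions of this example.

```python
"""Toy GLTR-style scorer: rank each word under the model that a bot would use.
Added example; the corpus, the bigram model and the scaled-down bucket
thresholds are constructed for illustration, not taken from GLTR."""
from collections import Counter, defaultdict

# Constructed training corpus standing in for the language model's knowledge.
CORPUS = """
the committee approved the budget for the new bridge on monday .
the mayor said the bridge would open next year .
the budget for the project was approved by the council .
the council said the project would create new jobs .
scientists said the discovery was a surprise .
the discovery of the unicorns was announced on monday .
"""

# Scaled-down equivalents of GLTR's top-10 / top-100 / top-1000 buckets.
THRESHOLDS = ((1, "green"), (3, "yellow"), (10, "red"))


def train_bigrams(text):
    """Count which word follows which; '<s>' marks the start of a sentence."""
    counts = defaultdict(Counter)
    for line in text.strip().splitlines():
        prev = "<s>"
        for tok in line.split():
            counts[prev][tok] += 1
            prev = tok
    return counts


def ranked_next(counts, prev):
    """The model's predictions after prev, most likely first."""
    return [w for w, _ in counts[prev].most_common()]


def token_rank(counts, prev, tok):
    """1 = the model's top choice; None if the model never saw tok after prev."""
    ranked = ranked_next(counts, prev)
    return ranked.index(tok) + 1 if tok in ranked else None


def bucket(rank):
    """Map a rank to a GLTR-style colour; unseen continuations are purple."""
    if rank is None:
        return "purple"
    for limit, colour in THRESHOLDS:
        if rank <= limit:
            return colour
    return "purple"


def score_text(counts, text):
    """Return (word, rank, colour) for each word, as GLTR highlights them."""
    scored, prev = [], "<s>"
    for tok in text.split():
        rank = token_rank(counts, prev, tok)
        scored.append((tok, rank, bucket(rank)))
        prev = tok
    return scored


def generate(counts, n):
    """Greedy bot: always emit the model's top prediction (no sampling)."""
    out, prev = [], "<s>"
    for _ in range(n):
        ranked = ranked_next(counts, prev)
        if not ranked:
            break
        out.append(ranked[0])
        prev = ranked[0]
    return " ".join(out)


def fraction_green(scored):
    """Share of words that were the model's first choice."""
    return sum(1 for _, _, c in scored if c == "green") / len(scored)


def looks_generated(scored, threshold=0.8):
    """Crude verdict: text the model would have written itself scores mostly green."""
    return fraction_green(scored) >= threshold


if __name__ == "__main__":
    model = train_bigrams(CORPUS)
    for label, text in (("bot", generate(model, 8)),
                        ("human", "the mayor approved the unicorns on monday .")):
        scored = score_text(model, text)
        print(label, " ".join(f"{w}[{c}]" for w, _, c in scored),
              "generated?", looks_generated(scored))
```

Because the scorer and the bot share one model, the bot's own output is entirely green, while the human sentence, which uses the same vocabulary but combinations the model never predicted, shows red and purple words.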

Monday, March 18, 2019

What’s that journalistic rule… If it bleeds, it leads? Perhaps we need a new philosophy.
Why AI is still terrible at spotting violence online
Artificial intelligence can identify people in pictures, find the next TV series you should binge watch on Netflix, and even drive a car.
But on Friday, when a suspected terrorist in New Zealand streamed live video to Facebook of a mass murder, the technology was of no help. The gruesome broadcast went on for at least 17 minutes until New Zealand police reported it to the social network. Recordings of the video and related posts about it rocketed across social media while companies tried to keep up.
… Even if violence appears to be shown in a video, it isn't always so straightforward that a human — let alone a trained machine — can spot it or decide what best to do with it. A weapon might not be visible in a video or photo, or what appears to be violence could actually be a simulation.
Furthermore, factors like lighting or background images can throw off a computer.
… It's not simply that using AI to glean meaning out of one video is hard, she said. It's doing so with the high volume of videos social networks see day after day. On YouTube, for instance, users upload more than 400 hours of video per minute — or more than 576,000 hours per day.
"Hundreds of thousands of hours of video is what these companies trade in," Roberts said. "That's actually what they solicit, and what they want."

Welcome to extremely low probabilities in an extremely large (global) population.
Jargon Watch: The Rising Danger of Stochastic Terrorism
Wired: “Stochastic Terrorism n. Acts of violence by random extremists, triggered by political demagoguery. “When President Trump tweeted a video of himself body-slamming the CNN logo in 2017, most people took it as a stupid joke. For Cesar Sayoc, it may have been a call to arms: Last October the avowed Trump fan allegedly mailed a pipe bomb to CNN headquarters. No one told Sayoc to do it, but the fact that it happened was really no surprise. In 2011, after the shooting of US representative Gabby Giffords, a Daily Kos blog warned of a new threat the writer called stochastic terrorism: the use of mass media to incite attacks by random nut jobs—acts that are “statistically predictable but individually unpredictable.” The writer had in mind right-wing radio and TV agitators, but in 2016, Rolling Stone accused then-candidate Trump of using the same playbook when he joked that “Second Amendment people” might “do” something if Hillary Clinton won the election…”

If Cambridge Analytica was the cause, have we yet found a cure?
Cambridge Analytica was the Chernobyl of privacy
… We knew that in 2012 the re-election campaign of Barack Obama had built a voter contact system using Facebook and had acquired personal data on millions of American voters. When we tried to raise the alarm that no head of state should have so much personal data on so many of his citizens – many of whom opposed his candidacy – we were ignored because the dominant story at the moment was how digitally savvy the Obama campaign was. No one seemed concerned that the United States might some day have a president who was unconcerned with niceties like the rule of law or civil liberties.
… In December 2016 a Swiss news site called Das Magazine published a long account of how Cambridge Analytica had worked with researchers at the University of Cambridge to gather personal information on millions of Facebook users and deploy it to position political advertisements on Facebook. Facebook users had been persuaded to take a seemingly harmless personality quiz.
Few took note of the Das Magazine story until the US-based news site Motherboard translated it into English six weeks later, in January 2017.
… The fact is that Cambridge Analytica sold snake oil to gullible political campaigns around the world. Nix boasted of the power of “psychometric profiling” of voters using a complex set of personality descriptors. Nix somehow convinced campaigns that this ability to stereotype voters could help them precisely construct messages and target ads. There is no reason to believe any of this.
… The fact is that if you want to target political advertisements precisely to move voters who have expressed interest in particular issues or share certain interests, there is an ideal tool to use that does not rely on pseudoscience. It’s called Facebook.
Buying an inexpensive ad on Facebook involves a simple process of choosing the location, gender, occupation, education level, hobbies, or professional affiliation of Facebook users. You don’t need Cambridge Analytica when you have Facebook.

Can I copyright my face? Must the government get a warrant to look at me? Take my picture?
The Government Is Using the Most Vulnerable People to Test Facial Recognition Software
If you thought IBM using “quietly scraped” Flickr images to train facial recognition systems was bad, it gets worse. Our research, which will be reviewed for publication this summer, indicates that the U.S. government, researchers, and corporations have used images of immigrants, abused children, and dead people to test their facial recognition systems, all without consent. The very group the U.S. government has tasked with regulating the facial recognition industry is perhaps the worst offender when it comes to using images sourced without the knowledge of the people in the photographs.

(Related) Possible answer?
Use and Fair Use: Statement on shared images in facial recognition AI
… While we do not have all the facts regarding the IBM dataset, we are aware that fair use allows all types of content to be used freely, and that all types of content are collected and used every day to train and develop AI. CC licenses were designed to address a specific constraint, which they do very well: unlocking restrictive copyright. But copyright is not a good tool to protect individual privacy, to address research ethics in AI development, or to regulate the use of surveillance tools employed online. Those issues rightly belong in the public policy space, and good solutions will consider both the law and the community norms of CC licenses and content shared online in general.

If Arnold Schwarzenegger puts his face on my body (everyone needs a ‘before’ image) is that as outrageous as me putting my face on his body?
Coming Soon to a Courtroom Near You? What Lawyers Should Know About Deepfake Videos
The Recorder (paywall; free access via Yahoo): “Are rules that guard against forged or tampered evidence enough to prevent deepfake videos from making their way into court cases? … If you follow technology, it’s likely you’re in a panic over deepfakes—altered videos that employ artificial intelligence and are nearly impossible to detect. Or else you’re over it already. For lawyers, a better course may lie somewhere in between. We asked Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford Law School’s Center for Internet and Society, to explain (sans the alarmist rhetoric) why deepfakes should probably be on your radar….”

For my Enterprise Architecture students.
With great speed comes great responsibility: Software testing now a continuous race
Continuous integration and continuous delivery are giving us software updates every day in many cases. A recent survey of 500 IT executives finds 58 percent of enterprises deploy a new build daily, and 26 percent at least hourly. That's why Agile and DevOps are so important. With great speed comes great responsibility. A constant stream of software needs constant quality assurance. To make sure things are functioning as they should, organizations are turning to continuous testing.

I think I’ll make my students give more presentations…
How long will it take to read a speech or presentation?
Convert words to time. “Enter the word count into the tool below (or paste in text) to see how many minutes it will take you to read. Estimates number of minutes based on a slow, average, or fast paced reading speed.” Great tool for presentations in any setting – in person or online.

Sunday, March 17, 2019

Privacy (law) is spreading faster than swine flu.
Joseph J. Lazzarotti, Jason C. Gavejian and Maya Atrakchi of Jackson Lewis write:
The California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020, is considered the most expansive state privacy law in the United States. Organizations familiar with the European Union’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018, certainly will understand CCPA’s implications. Perhaps the best known comprehensive privacy and security regime globally, GDPR solidified and expanded a prior set of guidelines/directives and granted individuals certain rights with respect to their personal data. The CCPA seems to have spurred a flood of similar legislative proposals on the state level.
Since the start of 2019, at least six state legislatures have already introduced privacy laws mirrored largely on the CCPA. Below are some of the highlights of each state legislative proposal:
[From the article:
  • Hawaii
  • Maryland
  • Massachusetts
  • Mississippi
  • New Mexico

Victorianne Musonza writes:
In the shadow of the EU General Data Protection Regulation, which went into effect in 2018, and the resurgence of global privacy laws, Virginia has proposed a new privacy statute, HB 2793, that imposes a duty of care on businesses on the disposal of personal information. HB 2793 applies to both paper and electronic records. Businesses that own, license or maintain personal information about customers will be required to comply with the bill.
The bill does not cover publicly available information that an individual has voluntarily disseminated and/or consented to be listed, such as a name, address or telephone number.
Read more on IAPP.

Hunton Andrews Kurth writes:
On February 28, 2019, Thailand’s National Legislative Assembly finally approved and endorsed the draft Personal Data Protection Act (the “PDPA”), which will now be submitted for royal endorsement and subsequent publication in the Government Gazette. Publication is anticipated to occur within the next few weeks.
The PDPA provides for a one-year grace period, such that the operative provisions concerning personal data protection, rights of data subjects, complaints, civil liabilities and penalties will take force one year after publication in the Government Gazette. The aim is to allow sufficient time for business operators to prepare and implement internal controls and systems for PDPA compliance.

Perhaps they are just creepy?
Maybe some people are starting to wake up to the risks? Writing about voice assistant devices like Siri and Google Assistant and Alexa, Eric Johnson writes:
Whether it’s your alarm clock, bluetooth speaker, or even microwave, voice assistants can be found in practically every room of a home or office. But more and more people are starting to think twice before asking Alexa for the daily forecast. According to a recent PwC survey, 38 percent of participants chose not to purchase a smart device because they “don’t want something listening in on [their lives] all the time.” Additionally, 28 percent of respondents are “concerned about privacy issues with [their] data/security.”
Read more on TNW.

Just because I went to school with Tony Soprano does not mean my voice reveals a mob connection. New Jersey, yes. Italian neighborhood, yes. Secret meatball recipe, yes. Is that enough to convict?
Why companies want to mine the secrets in your voice
Voices are highly personal, hard to fake, and contain surprising information about our mental health and behaviors.
Voicesense makes an intriguing promise to its clients: give us someone’s voice, and we’ll tell you what they will do. The Israeli company uses real-time voice analysis during calls to evaluate whether someone is likely to default on a bank loan, buy a more expensive product, or be the best candidate for a job.

Courts don’t always think like I do. Do testing labs need to know the name of the person whose blood they are testing? If there was only a code provided by the doctor, then is the name protected?
A blood sample in a lab is not “information” within the physician-patient privilege statute. The state sought a search warrant for the blood sample. State v. Atwood, 2019 Minn. LEXIS 122 (Mar. 13, 2019).
I had never thought of that before, but yes, I can see how it is not “information” although the outcome/results/test report might be “information” as it is necessary to provide treatment to the patient. But if the purpose of privilege is to make the patient feel safe providing information that the doctor needs to properly diagnose and treat, then is this court splitting a hair that shouldn’t be split? What if a patient declined to give doctors a DNA sample to test for hereditary diseases like Huntington’s? The doctor needs the information to treat/advise the patient, but if the sample isn’t protected from non-parties to the medical relationship….?

How do you counter a manifesto before the act?
Technology is terrorism’s most effective ally. It delivers a global audience
Terrorism is effective because it always seems near. It always seems new. And it always seems personal. Ever since the first wave of terrorist violence broke across the newly industrialised cities of the west in the late 19th century this has been true.
It feels personal because, although statistics may show we are many times more likely to die in a banal domestic accident, we instinctively conclude from an attack on the other side of the street, the city or, in the case of New Zealand, the other side of the world, we might be next.
… Tarrant said in his “manifesto” that he did not seek to die, but accepted that might happen. But he will still be seen as a martyr to the cause by supporters. The word martyr is of Greek origin and refers to a witness. The Arabic equivalent has similar roots. Witnesses need an audience or their acts are empty. For some terrorists, that witness is God alone, but these are few. For a growing number, that audience, via Facebook, via virtually unmoderated sites in the dark corners of the web, via the mainstream media they so detest and suspect, is everyone.

Facebook removed 1.5 million videos of the Christchurch attacks within 24 hours — and there were still many more.