Saturday, April 06, 2019

This shakes my (not very substantial) faith in government security. Multiple break-ins, physical devices installed on computers, massive data copying after hours, and NO ONE NOTICED?
Luke Rosiak reports:
A former IT aide to New Hampshire Democratic Sen. Maggie Hassan mounted an “extraordinarily extensive data-theft scheme” against the office, the culprit’s plea agreement states.
The plot included the installation of tiny “keylogging” devices that picked up every keystroke. Between July and October 2018, former IT aide Jackson Cosko worked with an unnamed accomplice, a then-current Hassan employee, who repeatedly lent him a key that he used to enter the office at night and who allegedly tried to destroy evidence for him.
Read more on The Daily Caller .
[From the article:
The theft occurred after Cosko was fired from Hassan’s office in May 2018 for undisclosed reasons, then hired by Democratic Texas Rep. Sheila Jackson Lee, giving him access to the House computer network.
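The "no one noticed" question above is really a detection question: after-hours bulk reads against a file share are cheap to spot if anyone is looking. The script below is an added example, not from the article or the plea agreement; the log format, the account names, the business-hours policy and the thresholds are all assumptions constructed for the demonstration.

```python
"""Flag accounts with heavy after-hours file access in a constructed audit log.

Added illustration; the log layout (ISO timestamp, user, action, path, bytes),
the users and the thresholds are assumptions, not data from the case.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample lines (2018-08-14 is a Tuesday).
SAMPLE_LOG = """\
2018-08-14T10:02:11 jsmith READ /shares/legislation/bill_draft.docx 48211
2018-08-14T23:41:03 itcontractor READ /shares/staff/personnel/roster.xlsx 2211034
2018-08-14T23:42:17 itcontractor READ /shares/staff/personnel/reviews.pdf 19882311
2018-08-14T23:44:50 itcontractor READ /shares/staff/personnel/ssn_list.xlsx 9012331
2018-08-15T00:05:29 itcontractor READ /shares/email_archive/2018-q2.pst 4012331778
2018-08-15T08:15:00 jsmith READ /shares/legislation/markup.docx 51200
2018-08-15T22:10:00 jdoe WRITE /shares/comms/press_release.docx 30000
"""

# Assumed office hours; anything on a weekend or outside this window is "after hours".
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


def is_after_hours(ts: datetime) -> bool:
    """Weekend, or a weekday outside 07:00-19:00."""
    if ts.weekday() >= 5:
        return True
    t = ts.time()
    return t < BUSINESS_START or t >= BUSINESS_END


def parse_line(line: str):
    """Split one audit line into (timestamp, user, action, path, size_bytes)."""
    ts_s, user, action, path, size = line.split()
    return datetime.fromisoformat(ts_s), user, action, path, int(size)


def after_hours_bulk_access(log_text: str,
                            byte_threshold: int = 50 * 1024 * 1024,
                            file_threshold: int = 3) -> dict:
    """Return {user: (files_touched, bytes_read)} for users whose after-hours
    activity crosses either threshold. Both thresholds are assumed baselines;
    in practice derive them from each account's own history."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _action, _path, size = parse_line(line)
        if is_after_hours(ts):
            totals[user][0] += 1
            totals[user][1] += size
    return {u: (f, b) for u, (f, b) in totals.items()
            if f >= file_threshold or b >= byte_threshold}


if __name__ == "__main__":
    for user, (files, nbytes) in after_hours_bulk_access(SAMPLE_LOG).items():
        print(f"ALERT {user}: {files} files, {nbytes:,} bytes after hours")
```

Hardware keyloggers leave no trace in this kind of log, but the exfiltration they enable does; a single contractor pulling a multi-gigabyte mail archive at midnight is exactly the kind of signal a per-account after-hours baseline would surface.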

I suspect many accounts had to be redirected. The process for confirming their authenticity might need a bit of work.
Karl Etters reports:
Almost half a million dollars was diverted out of the city of Tallahassee’s employee payroll Wednesday after a suspected foreign cyber-attack of its human resources management application.
Hackers attempt every day to breach the city’s security, officials say, but this week’s operation netted about $498,000.
Read more on Tallahassee Democrat .
[From the article:
The out-of-state, third-party vendor that hosts the city's payroll services was hacked and as a result the direct deposit paychecks were redirected. Employees throughout the city’s workforce were affected.
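One practical form of the "confirming their authenticity" process the comment above asks for is a hold-for-verification rule on direct deposit changes before each payroll run. The following is an added example, not code from the city or its vendor; the change records, the 24-hour window and the thresholds are constructed assumptions. It generalises the incident slightly by catching two patterns at once: a burst of account changes in a short window, and many employees suddenly pointing at the same destination account.

```python
"""Hold suspicious direct-deposit changes for out-of-band confirmation.

Added example. CHANGES is a constructed audit trail of bank-account updates:
(timestamp, employee_id, new_routing_number, new_account_last4). The window
and thresholds are assumptions, not the city's or the vendor's policy.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CHANGES = [
    ("2019-03-25T09:12:00", "E1001", "063100277", "4417"),  # normal, isolated
    ("2019-03-29T14:03:10", "E1042", "063100277", "9931"),  # normal, isolated
    ("2019-04-02T02:14:05", "E1003", "122105278", "7702"),  # burst begins, 2 a.m.
    ("2019-04-02T02:14:09", "E1018", "122105278", "7702"),
    ("2019-04-02T02:14:12", "E1027", "122105278", "7702"),
    ("2019-04-02T02:15:01", "E1055", "026009593", "1180"),
    ("2019-04-02T02:15:44", "E1061", "122105278", "7702"),
    ("2019-04-02T02:16:30", "E1077", "026009593", "1180"),
]


def flag_changes(changes, window=timedelta(hours=24),
                 burst_threshold=5, shared_threshold=2) -> dict:
    """Return {employee_id: [reasons]} for changes that should not take effect
    until confirmed with the employee out of band (phone, in person).

    burst:              >= burst_threshold changes inside any `window`.
    shared_destination: >= shared_threshold distinct employees now paying into
                        the same (routing, last4) account, a classic mule pattern.
    """
    rows = sorted(((datetime.fromisoformat(ts), emp, rt, last4)
                   for ts, emp, rt, last4 in changes), key=lambda r: r[0])
    reasons = defaultdict(set)

    # Burst detection: for each change, count how many follow it inside the window.
    for i, (t0, _emp, _rt, _l4) in enumerate(rows):
        j = i
        while j < len(rows) and rows[j][0] - t0 < window:
            j += 1
        if j - i >= burst_threshold:
            for k in range(i, j):
                reasons[rows[k][1]].add("burst")

    # Shared destination: several employees redirected to one account.
    by_dest = defaultdict(set)
    for _t, emp, rt, last4 in rows:
        by_dest[(rt, last4)].add(emp)
    for emps in by_dest.values():
        if len(emps) >= shared_threshold:
            for emp in emps:
                reasons[emp].add("shared_destination")

    return {emp: sorted(r) for emp, r in sorted(reasons.items())}


if __name__ == "__main__":
    for emp, why in flag_changes(CHANGES).items():
        print(f"HOLD {emp}: {', '.join(why)}")
```

Either rule alone would have stopped the constructed redirect; together they also catch the slower variant where an attacker trickles changes over several days but still funnels them into one or two accounts. The held changes should be confirmed with the employee through a channel the HR application does not control.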

Attention Computer Security students: Poor security is a factor in deceptive trade practices.
Anne Bolamperti and Patrick X. Fowler of Snell & Wilmer write:
The Federal Trade Commission (“FTC”) has described itself as “Your cop on the privacy beat” and a top federal regulator of consumer-facing data security practices. An example of how the FTC asserts itself when it comes to data security and privacy associated with Internet of Things (“IoT”) devices can be found in the case of Federal Trade Commission v. D-Link Systems Inc., currently pending in federal court in California.
FTC Stance: Poor IoT Security +/or Misleading Ads = Deceptive/Unfair Trade Practice
The D-Link case stems from the FTC’s January 5, 2017 complaint against Taiwanese IoT hardware device manufacturer D-Link Corporation and its U.S. subsidiary D-Link Systems Inc. The FTC seeks to stop D-Link from engaging in allegedly unfair or deceptive acts in violation of Section 5(a) of the Federal Trade Commission Act (“FTC Act”). The FTC claims that the defendants failed to reasonably secure IoT network routers and Internet-accessible cameras that they sold in the U.S. and made deceptive statements about the degree of data security of those products.
Read more on Cybersecurity & Data Law Privacy Blog. There was a recent settlement conference in this case, but it doesn't seem like there was any settlement, and the case still appears to be scheduled to go to trial in June.

Interesting because inevitable? I can get a body cam on Amazon, would the hospital even suspect? Perhaps a bit of geofencing for honest manufacturers?
Emily Berris of SmithAmundsen LLC writes:
Imagine a police officer escorting a drunk driver through the emergency room with his body camera still on—not only is the officer recording the driver, the officer is simultaneously recording every individual and every patient that officer comes into contact with. In an era of attempted police reform, where law enforcement is ramping up their use of body cameras, hospitals must be increasingly aware of violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the implications of police body cameras within the confines of their medical centers.
Read more on JDSupra

Insurance companies could use this (like their “safe-driving” plug-ins) to deny coverage for bad behavior.
Joseph J. Lazzarotti, Mary T. Costigan and Ashley Solowan of JacksonLewis write:
As wearable and analytics technology continues to explode, professional sports leagues, such as the NFL, have aggressively pushed into this field. (See Bloomberg ). NFL teams insert tiny chips into players' shoulder pads to track different metrics of their game. During the 2018-2019 NFL season, data was released that Ezekiel Elliott ran 21.27 miles per hour for a 44-yard run, his fastest of the season. The Dallas Cowboys are not alone, as all 32 teams throughout the league can access this chip data, which is collected via RFID tracking devices. Sports statistics geeks don't stand a chance as this technology will track completion rates, double-team percentages, catches over expectation, and a myriad of other data points.

I’m sure these are all good ideas, but we probably need an independent AI Ethics organization. Anyone want to start one? (Let’s ask Siri, Alexa, etc.)
Hey Google, sorry you lost your ethics council, so we made one for you
… How did things go so wrong? And can Google put them right? We got a dozen experts in AI, technology, and ethics to tell us where the company lost its way and what it might do next. If these people had been on ATEAC, the story might have had a different outcome.

Friday, April 05, 2019

For my Ethical Hackers?
Hiding in Plain Sight
Over the past several months, Cisco Talos has tracked several groups on Facebook where shady (at best) and illegal (at worst) activities frequently take place. The majority of these groups use fairly obvious group names, including "Spam Professional," "Spammer & Hacker Professional," "Buy Cvv On THIS SHOP PAYMENT BY BTC 💰💵," and "Facebook hack (Phishing)." Despite the fairly obvious names, some of these groups have managed to remain on Facebook for up to eight years, and in the process acquire tens of thousands of group members.
These Facebook groups are quite easy to locate for anyone possessing a Facebook account. A simple search for groups containing keywords such as "spam," "carding," or "CVV" will typically return multiple results. Of course, once one or more of these groups has been joined, Facebook's own algorithms will often suggest similar groups, making new criminal hangouts even easier to find. Facebook seems to rely on users to report these groups for illegal and illicit activities to curb any abuse.

Election security? Overreaction?
Twitter stops blocking French government’s ad campaign
Twitter said Thursday it has stopped blocking French government ads calling on people to vote after it came under fire from authorities for being overzealous in applying a law aimed at banning fake news.
The incident highlights the challenge Silicon Valley tech giants face complying with tighter regulations from governments trying to clamp down on false information and prevent foreign interference in elections. The EU’s executive Commission, in its latest monthly report on tech companies’ efforts to fight election-related disinformation, criticized Twitter for not taking action to improve ad scrutiny or report on what it has done to protect its ad services against manipulation.

Australian election: Facebook restricts foreign 'political' ads but resists further transparency
Facebook has announced it will restrict “political” ads from being bought by non-Australians during the election campaign, but will not be rolling out other key political ad transparency features used in other countries until after the election.

Foreign Interference in Canadian Election 'Very Likely', Says Minister
Canada's foreign minister warned Friday that outside interference in the country's upcoming parliamentary election was "very likely".
"We are very concerned. Our judgement is that interference is very likely and we think there have probably already been efforts by malign foreign actors to disrupt our democracy," Chrystia Freeland said.

Social media bosses could be liable for harmful content, leaked UK plan reveals
Social media executives could be held personally liable for harmful content distributed on their platforms, leaked plans for a long-awaited government crackdown obtained by the Guardian reveal.
There has been growing concern about the role of the internet in the distribution of material relating to terrorism, child abuse, self-harm and suicide, and ministers have been under pressure to act.
Under plans expected to be published on Monday, the government will legislate for a new statutory duty of care, to be policed by an independent regulator and likely to be funded through a levy on media companies.
The regulator – likely initially to be Ofcom, but in the longer term a new body – will have the power to impose substantial fines against companies that breach their duty of care and to hold individual executives personally liable.

What hath GDPR wrought?
Asia Pacific Data Protection and Cybersecurity Regulation: 2018 in Review and Looking Ahead to 2019
… Our Asia Pacific Data Protection and Cyber Security Guide 2019 will take you through the developments and key initiatives of APAC countries and discuss the implications of a shifting landscape.
Our Guide will discuss:
  • Key legislative and regulatory developments in 2018 and changes expected in 2019;
  • The impact of GDPR in APAC, and the prospects for regional harmonization;
  • APAC data protection regulatory heat map; and
  • Individual country data protection developments.
For Hogan Lovells’ Asia Pacific Data Protection and Cybersecurity Guide 2019, click here

Traveling after bashing Trump? Condemning the CBO?
Former Mozilla CTO Harassed at the US Border
This is a pretty awful story of how Andreas Gal, former Mozilla CTO and US citizen, was detained and threatened at the US border. CBP agents demanded that he unlock his phone and computer.
Know your rights when you enter the US. The EFF publishes a handy guide. And if you want to encrypt your computer so that you are unable to unlock it on demand, here's my guide. Remember not to lie to a customs officer; that's a crime all by itself.

Addressing the Challenges of Moving Security to the Edge
For many organizations, the network perimeter has been replaced with a variety of new network edges. Many of these include unique challenges that can severely complicate an organization’s ability to maintain a consistent and manageable security infrastructure. These security challenges are two-fold.
The first involves implementing effective and consistent policy enforcement at an edge in spite of its unique network or platform configurations or functionality. The second is about creating consistent security between the various edges, not just for visibility, but to also ensure that policy changes and threat responses can be effectively coordinated across all edge environments.
… The network edge environments organizations need to secure and manage, some of their unique security challenges, and considerations for addressing those challenges include:
Cloud and multi-cloud
End user and IoT
WAN edge

I’m confused. (Not unusual.) Are they saying the police instigate the action?
Do Police Body Cameras Provide an Impartial Version of Events?
The goal of this footage, of course, is to provide impartial evidence that could either help exonerate officers or convict them, depending on whether a shooting appears justified on film.
But a team of Kellogg researchers wondered just how impartial such evidence really is. Is all footage equal? Or might jurors perceive interactions filmed by a body cam versus a dash cam differently? And would these differences affect how much they blamed the officer?
… They found that people who watched a body cam version of an interaction—anything from the wearer bumping into someone to a police shooting—were less likely to believe that the person instigating that action did it on purpose, as compared to people who saw the same interaction filmed by a dash cam.
There was a “diminished sense of blame or responsibility for the person who’s wearing the body cam,” Roese says.
… The researchers recommend filming interactions from more than one point of view—for instance, from dash cams and body cams on multiple officers—so that jurors aren’t biased by seeing just one perspective.
“Whenever possible, I think more video is better,” Roese says. Installing body cams “is the beginning of a process of reaching greater accountability, but it’s not the end.”

There’s a joke (a million jokes?) here somewhere.
Lawyers and Twitter: Six Ways To Make People Like You
Kevin O’Keefe: Turns out that sharing the good of others, rather than talking about my company and our products, is the most effective method of business development I have ever used. Dale Carnegie, in one of the best-selling books of all time, ‘How to Win Friends and Influence People,’ laid out six business principles for making people like you – an essential he believed was needed for business development. Each of Carnegie’s points applies to how you as a lawyer can use Twitter to make people like you…”

Stay current! inches closer to explaining enigma of Gen Z’s vocabulary
cnet: “ added more than 300 new words and phrases on Wednesday, including a few tech-related entries like “textlationship” (when people text a lot but don’t really interact in person) and “keyboard warrior” (someone who shares opinionated content online in an aggressive or abusive way, typically without revealing who they are)…”

For the toolkit.
A Chrome Extension for Clutter-free Reading and Printing
Mercury Reader is a Chrome extension that removes sidebar content from articles that you view in your Chrome web browser. It will hide banner ads, suggested "related" articles, and anything else that is not a part of the primary article on the page you are viewing. When you use Mercury Reader to print an article, all of the sidebar content is removed thereby saving you paper and ink.
Mercury Reader is more than just a tool for hiding sidebar content from a page. It can also be used to adjust the font size and color contrast of a page. And Kindle users can send a page directly from Mercury Reader to their Kindles.

Dilbert clearly explains the risk of using digital assistants.

Thursday, April 04, 2019

How long is too long, how much is too much?
Australia passes social media law penalising platforms for violent content
The Labor opposition combined with the ruling Liberal-National Coalition to pass the law on Thursday, despite warning it won’t allow prosecution of social media executives as promised by the government. Tech giants expressed the opposite concern that it may criminalise anyone in their companies for a failure to remove violent material.
The bill, described by the attorney general, Christian Porter, as “most likely a world first”, was drafted in the wake of the Christchurch terrorist attack, when video of the alleged perpetrator’s violent attack spread on social media faster than it could be removed.
The bill creates a regime for the eSafety Commissioner to notify social media companies that they are deemed to be aware they are hosting abhorrent violent material, triggering an obligation to take it down.
Porter said a “reasonable” or “expeditious” timeframe would depend on the circumstances and be up to a jury to decide, but “every Australian would agree it was totally unreasonable that it should exist on their site for well over an hour without them taking any action whatsoever”.

Alternative jobs for my Ethical Hackers?
New Report Shows Just How Profitable Cyber Extortion Can Be
In just a few years, cyber extortion has gone from a fringe hacking activity to something that is now very much mainstream. In fact, it’s now remarkably easy to download tools and how-to manuals for cyber extortion from the dark web, and hacking syndicates are becoming much more brazen about advertising for cyber extortion jobs in broad daylight. According to a new report from the Digital Shadows Photon Research Team, it’s now possible to make upwards of $360,000 per year by joining a cyber extortion team.

An article worth a read.
In the past few years, tech companies certainly seem to have embraced ethical self-scrutiny: establishing ethics boards, writing ethics charters, and sponsoring research in topics like algorithmic bias. But are these boards and charters doing anything? Are they changing how these companies work or holding them accountable in any meaningful way?
Academic Ben Wagner says tech’s enthusiasm for ethics paraphernalia is just “ethics washing,” a strategy to avoid government regulation. When researchers uncover new ways for technology to harm marginalized groups or infringe on civil liberties, tech companies can point to their boards and charters and say, “Look, we’re doing something.” It deflects criticism, and because the boards lack any power, it means the companies don’t change.
Google isn’t the only company with an ethics board and charter, of course. Its London AI subsidiary DeepMind has one, too, though it’s never revealed who’s on it or what they’re up to. Microsoft has its own AI principles, and it founded its AI ethics committee in 2018. Amazon has started sponsoring research into “fairness in artificial intelligence” with the help of the National Science Foundation, while Facebook has even co-founded an AI ethics research center in Germany.
A report last year from research institute AI Now said there’s been a “rush to adopt” ethical codes, but there’s no corresponding introduction of mechanisms that can “backstop these ... commitments.”

Perspective. A simpler architecture?
Wayve claims ‘world first’ in driving a car autonomously with only its AI and a SatNav
We reported on UK start-up Wayve last year when it announced its existence, but they had nothing to show for their claims.
Now they say they do, and the results are not only fascinating but might also be genuinely innovative.
In fact, they are claiming a “world first” in demonstrating that a car working on their machine-learning platform can drive on roads it’s never seen before during training, and without an HD map of its environment. Other systems, like Waymo’s, rely on maps and rules to drive. Theirs, says Wayve, does not.

Perspective. What is important?
Prince Harry and Meghan break Instagram record
The Duke and Duchess of Sussex's Instagram account amassed more than one million followers in record-breaking time, Guinness World Records has said.
The couple's official account took five hours and 45 minutes to reach the milestone after its launch on Tuesday.
The official account, sussexroyal, will be used for "important announcements" and to share work that "drives" them.
Last month, the Royal Family published social media guidelines for the public, vowing to block users who leave offensive or abusive comments on official channels.

Another tool?
Harvard Caselaw Access Project Search
Today we’re launching CAP search, a new interface to search data made available as part of the Caselaw Access Project API. Since releasing the CAP API in Fall 2018, this is our first try at creating a more human-friendly way to start working with this data. CAP search supports access to 6.7 million cases from 1658 through June 2018, digitized from the collections at the Harvard Law School Library. Learn more about CAP search and limitations. We’re also excited to share a new way to view cases, formatted in HTML. Here’s a sample! We invite you to experiment by building new interfaces to search CAP data. See our code as an example. The Caselaw Access Project was created by the Harvard Library Innovation Lab at the Harvard Law School Library in collaboration with project partner Ravel Law.”

Wednesday, April 03, 2019

When things go wrong, there is often a simple explanation. Or many simple explanations.
Arizona Beverages knocked offline by ransomware attack
The company, famous for its iced tea beverages, is still rebuilding its network almost two weeks after the attack hit, wiping hundreds of Windows computers and servers and effectively shutting down sales operations for days until incident response was called in, according to a person familiar with the matter.
More than 200 servers and networked computers displayed the same message: “Your network was hacked and encrypted.” The company’s name was in the ransom note, indicating a targeted attack.
It took the company another five days before the company brought in incident responders to handle the outbreak, the source said. Many of the back-end servers were running old and outdated Windows operating systems that are no longer supported. Most hadn’t received security patches in years.
A day after the attack hit, staff found the backup system wasn’t configured properly and were unable to retrieve the data for days until the company signed an expensive contract to bring in Cisco incident responders. A spokesperson for Cisco did not immediately comment. The company’s IT staff had to effectively rebuild the entire network from scratch. Since the outbreak, the company has spent “hundreds of thousands” on new hardware, software and recovery costs.
The ransomware infection, understood to be iEncrypt (related to BitPaymer) per a screenshot seen by TechCrunch, was triggered overnight on March 21, weeks after the FBI contacted Arizona to warn of an apparent Dridex malware infection. The FBI declined to comment, but the source said incident responders believed Arizona’s systems had been compromised for at least a couple of months.
Dridex is delivered through a malicious email attachment. Once the implant installs, the attacker can gain near-unfettered access to the entire network and can steal passwords, monitor network traffic and deliver additional malware.
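The detail that hurt most in the story above is that the backup system "wasn't configured properly" and nobody found out until the data was needed. A backup that has never been restored is a hope, not a control. The script below is an added example, not from the TechCrunch report or from Arizona Beverages' environment: it builds a small constructed backup with a SHA-256 manifest, restores it into a scratch directory and compares every file against the manifest, then truncates the archive the way a job that dies mid-run would and shows the same check catching it.

```python
"""Prove a backup restores: archive with a hash manifest, restore, compare.

Added example; the source tree, file contents and archive names are
constructed for the demonstration and are not from the incident.
"""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Tar+gzip the source tree; return and persist {relative_path: sha256}
    recorded at backup time so the restore test has something to check against."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    (archive.parent / (archive.name + ".manifest.json")).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a throwaway directory and return every problem found:
    an unreadable archive, files missing after restore, or files whose hash
    no longer matches the manifest. An empty list means the backup is usable."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        scratch_p = Path(scratch)
        # Use the safe extraction filter where the interpreter offers it (3.12+).
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch_p, **kwargs)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as e:
            return [f"archive unreadable: {e}"]
        for rel, digest in manifest.items():
            target = scratch_p / rel
            if not target.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(target) != digest:
                problems.append(f"altered: {rel}")
    return problems


def demo() -> tuple:
    """Return (problems_for_good_backup, problems_for_truncated_backup)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "payroll_db"  # constructed sample tree
        (src / "tables").mkdir(parents=True)
        (src / "tables" / "employees.csv").write_bytes(b"id,name\n1,alice\n2,bob\n" * 200)
        (src / "config.ini").write_bytes(b"[db]\nhost=db01\n")
        archive = work / "payroll_db.tar.gz"
        manifest = create_backup(src, archive)
        clean = verify_restore(archive, manifest)
        # Simulate a backup job that stopped early: keep only half the archive.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        broken = verify_restore(archive, manifest)
    return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("good backup:", clean or "OK")
    print("truncated backup:", broken)
```

Run on a schedule against the real backup target (not the source), this is the check that turns "we have backups" into "we restored last night's backup and every file hashed clean." It also separates the two failures the article describes: unsupported, unpatched servers are a prevention problem; an untested backup is a recovery problem, and only the second one is cheap to fix before an incident.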

A security question. Why was all that older data on the web?
WSB-TV reports:
Georgia Tech says more than a million people’s personal information may have been exposed after someone gained “unauthorized access” to a web application.
Officials said the breach impacts 1.3 million people, including “some current and former faculty, students, staff and student applicants.” They do not know what information was taken from the system, but it may include names, addresses, Social Security numbers and birth dates.
It’s a massive number considering the school’s current enrollment is just under 27,000 students plus faculty.
Read more on WSB And keep in mind that this is not Georgia Tech’s first breach. If you search this site for “Georgia Tech,” you’ll find a number of other incidents that have been noted on this site — and those are only the ones that I know about. There could be more, and probably are more.

We don’t need to wait for AI to find errors like this.
Exclusive: Boeing software engaged repeatedly before crash - sources
Boeing anti-stall software on a doomed Ethiopian Airlines jet re-engaged as many as four times after the crew initially turned it off due to suspect data from an airflow sensor, two people familiar with the matter said.
It was not immediately clear whether the crew had chosen to re-deploy the system, which pushes the nose of the Boeing 737 MAX downwards, but one person with knowledge of the matter said investigators were studying the possibility that the software had kicked in again without human intervention.

Includes a model of Good Machine Learning Practices.
FDA developing new rules for artificial intelligence in medicine
The Food and Drug Administration announced Tuesday that it is developing a framework for regulating artificial intelligence products used in medicine that continually adapt based on new data.
The agency’s outgoing commissioner, Scott Gottlieb, released a white paper that sets forth the broad outlines of the FDA’s proposed approach to establishing greater oversight over this rapidly evolving segment of AI products.

A simple backgrounder.
Gartner defines the Internet of Things as the network of physical objects that contain embedded technology (such as intelligent sensors) which can communicate, sense or interact with internal or external systems. This can generate volumes of real-time data that can be used by organizations for a variety of applications, ranging from smart appliances to monitoring equipment performance. The Internet of Things (IoT) is becoming so ubiquitous that ABI Research predicts that there will be more than 30 billion IP-connected devices and sensors in the world by 2020.

What could possibly go wrong?
How Political Campaigns Use Personal Data
Really interesting report from Tactical Tech.

An interesting process. Are the defendants ghosts?
A district court in Florida has ordered 27 pirate site operators to each pay $1 million in damages. The default judgment was ordered in favor of media giant ABS-CBN, which has scored several victories in US courts this year. The sites in question are mostly smaller streaming portals that offer access to 'Pinoy' content in the US and abroad.
Despite facing hefty damages, none of the site operators turned up in court. This prompted ABS-CBN to file for a default judgment which was granted by US District Judge William Dimitrouleas this week.
ABS-CBN’s most recent win follows a pattern of similar verdicts in recent years. With these lawsuits, the company has managed to score tens of millions in damages from a wide variety of streaming sites with relative ease.
While this sounds like a success story, it is unknown whether the Philippine media company has managed to recoup any damages from the defendants, who are generally not known by name.
In order to get at least some money from the defendants, ABS-CBN also obtained an injunction against the advertisers of the pirate sites. These services, including Google Adsense, RevenueHits, and Popads, will have to hand over the outstanding revenue of these sites to the media giant within a week.

A new take on anti-trust?
Justice Department Warns Academy Over Potential Oscar Rule Changes Threatening Netflix
The Justice Department has warned the Academy of Motion Picture Arts and Sciences that its potential rule changes limiting the eligibility of Netflix and other streaming services for the Oscars could raise antitrust concerns and violate competition law.

Perspective. Don’t curbside sales come at the expense of in-store sales? If Amazon wants more physical locations, they could buy Starbucks…
Amazon Is Losing This $35 Billion Opportunity to Walmart and Target
Amazon is the dominant force in online shopping in the U.S., accounting for about half of Americans' online spending.
But there's a growing area where Amazon lags well behind competitors like Walmart and Target. Curbside fulfillment for online orders is increasingly popular, and Amazon is hard-pressed to compete. Its main consumer-facing physical presence is its Whole Foods Market locations, which account for nearly all of Amazon's 520 physical stores in North America. By comparison, Walmart has over 2,000 stores offering curbside pickup and will spin up 1,000 more by the end of the fiscal year.

For my teaching toolkit
How to Use BoClips to Find and Share Great Educational Videos
Back in January I discovered BoClips while walking around the BETT Show in London. It's an educational video hosting site that has quickly become one of my go-to resources. In fact, I like it so much that I now include it in my Best of the Web presentation.
BoClips offers more than two million videos from producers that you're probably familiar with through their YouTube channels. Two of the producers that many people notice right away are Crash Course and TED-Ed. BoClips is different from a lot of the sites that simply hide the "related content" and ads found on YouTube, but really just use YouTube videos for their content. The videos that you find on BoClips are actually hosted on BoClips with the permission of the video producers.

Heads up!
Microsoft stops selling ebooks and will refund customers for previous purchases
The Verge – Ebooks will no longer be accessible as of July 2019: “Starting today, Microsoft is ending all ebook sales in its Microsoft Store for Windows PCs. Previously purchased ebooks will be removed from users’ libraries in early July. Even free ones will be deleted. The company will offer full refunds to users for any books they’ve purchased or preordered. Microsoft’s “official reason,” according to ZDNet, is that this move is part of a strategy to help streamline the focus of the Microsoft Store. It seems that the company no longer has an interest in trying to compete with Amazon, Apple Books, and Google Play Books. It’s a bit hard to imagine why anyone would go with Microsoft over those options anyway…”

For my starving students.

Music history.
Boston Public Library’s 78rpm Records Come to the Internet
Internet Archive Blog – Reformatting the Boston Public Library Sound Archives – “Following eighteen months of work, more than 50,000 78rpm record “sides” from the Boston Public Library’s sound archives have now been digitized and made freely available online by the Internet Archive. “This project and the very generous support and diversity of expertise that converged to make it possible, all ensure the Library’s sound collections are not only preserved but made accessible to a much broader audience than would otherwise ever have been possible, all in the spirit of Free to All,” said David Leonard, President of the Boston Public Library. In 2017, the Boston Public Library transferred their sound archives to the Internet Archive so that the materials could be reformatted digitally and preserved physically. Working in collaboration with George Blood LP, using their specialty turntable and expert staff, these recordings have been digitized at high standards so that others can use these materials for research. This is now the largest collection within the Great 78 Project, which aims to bring hundreds of thousands of 78rpm recordings to the Internet…”