Saturday, July 27, 2019

If there was a CDC for malware, ransomware would be an epidemic.
Puerto Rico: Two hospitals report ransomware incident potentially affecting more than 520,000 patients
Add Bayamón Medical Center and its affiliated Puerto Rico Women And Children’s Hospital to the list of ransomware victims.
On July 19, the hospitals notified HHS and the public of a “recent” security incident that resulted in files being encrypted. No details were provided as to when this occurred, whether the hospitals paid any ransom, and whether they have fully recovered all patient records. Nor do they reveal how the ransomware was inserted into the system.

Signs that state governments are getting serious?
Governor signs bills to help prevent data breaches
Gov. Andrew Cuomo on Thursday signed legislation that expands the law to cover any company holding personal data belonging to a New Yorker, and not just companies doing business in the state.
The SHIELD (Stop Hacks and Improve Electronic Data Security) Act, which takes effect in 240 days, will also add email addresses and passwords and biometric data to the list of information covered by the law. The measure aims to ensure consumers know if personal data, such as Social Security numbers, are obtained by hackers.
Cuomo also signed a bill Thursday that requires credit reporting agencies to provide identify theft prevention services to consumers when their data is exposed during a breach.

Leaders like this explain a lot about CBP.
Top CBP Officer Testifies He’s Unsure if 3-Year-Old Is “a Criminal or a National Security Threat”
One of the country’s top border officers cannot say whether a 3-year-old child might pose a “criminal or national security threat.”

Worth reading.
The Internet of Things Needs a Business Model. Here It Is
The Internet of Things (IoT) has been near the top of the technology-hype lists for years. In 2018, Gartner’s Hype Cycle for Emerging Technologies ranked IoT platforms as cresting the “peak of inflated expectations” stage and ready to tumble into the dreaded “trough of disillusionment,” like a barrel careening over Niagara Falls.

Modern English writing.
Is the Internet Making Writing Better?
A new book argues that our richest, most eloquent language is found online.
A common refrain from writers on Twitter is that writing is hard. Often, this insight is accompanied by the rueful observation that tweeting is easy. This is, of course, the difference between informal and formal expression, between language that serves as a loose and intuitive vehicle for thought and language into which one must wrestle one’s thought like a parent forcing his squirming kid into a car seat. We’ve long had both formal and informal modes of speech. The first pours from political orators; the second winds around friends at a bar. But, as the linguist Gretchen McCulloch reveals in “Because Internet: Understanding the New Rules of Language,” her effervescent study of how the digital world is transfiguring English, informal writing is relatively new. Most writing used to be regulated (or self-regulated); there were postcards and diary entries, but even those had standards. It’s only with the rise of the Internet that a truly casual, willfully ephemeral prose has ascended—and become central to daily life.

I’m an “opinionated old guy,” just not this one.

Friday, July 26, 2019

What happens when “lessons learned” become “lessons ignored?”
Russia Targeted Election Systems in All 50 States, Report Finds
The Senate Intelligence Committee concluded Thursday that election systems in all 50 states were targeted by Russia in 2016, an effort more far-reaching than previously acknowledged and one largely undetected by the states and federal officials at the time.
But while the bipartisan report’s warning that the United States remains vulnerable in the next election is clear, its findings were so heavily redacted at the insistence of American intelligence agencies that even some key recommendations for 2020 were blacked out.
In his testimony to two House committees on Wednesday, Mr. Mueller had sought to highlight the continued threat that Russia or other adversaries would seek to interfere in the 2020 elections. He said many more “countries are developing capability to replicate what the Russians have done.”
While the report is not directly critical of either American intelligence agencies or the states, it described what amounted to a cascading intelligence failure, in which the scope of the Russian effort was underestimated, warnings to the states were too muted, and state officials either underreacted or, in some cases, resisted federal efforts to offer help.
The report, black lines and all, is titled, “Russian Efforts Against Election Infrastructure.”

Similar but different.
The Unsexy Threat to Election Security
Much has been written about the need to further secure our elections, from ensuring the integrity of voting machines to combating fake news. But according to a report quietly issued by a California grand jury this week, more attention needs to be paid to securing social media and email accounts used by election officials at the state and local level.
California has a civil grand jury system designed to serve as an independent oversight of local government functions, and each county impanels jurors to perform this service annually. On Wednesday, a grand jury from San Mateo County in northern California released a report which envisions the havoc that might be wrought on the election process if malicious hackers were able to hijack social media and/or email accounts and disseminate false voting instructions or phony election results.
A copy of the San Mateo County grand jury report is available here (PDF).

“Let us watch your neighbors from your doorbell camera.”
Amazon Requires Police to Shill Surveillance Cameras in Secret Agreement
Amazon's home security company Ring has enlisted local police departments around the country to advertise its surveillance cameras in exchange for free Ring products and a “portal” that allows police to request footage from these cameras, a secret agreement obtained by Motherboard shows. The agreement also requires police to “keep the terms of this program confidential.”
Police already have access to publicly-funded street cameras and investigative tools that help them track down almost any criminal suspect. But Ring cameras are proliferating in the private sphere, with close to zero oversight. Amazon is convincing people to self-surveil through aggressive, fear-based marketing, aided by de facto police endorsements and free Ring camera giveaways.
The agreement gives the Lakeland Police Department access to Ring’s “Law Enforcement Neighborhood Portal.” This portal is an interactive map that shows police all of the active Ring doorbell cameras in their town. The exact addresses of the doorbell cameras are hidden. Police can use the portal to directly interact with Ring doorbell camera owners and informally request footage for investigations, without a warrant.
Andrew Ferguson, a professor at the University of the District of Columbia School of Law, said in a phone call that products like Ring can remove typical due process. Typically, police have to get a warrant from a judge before collecting digital evidence. Ring’s Law Enforcement Neighborhood Portal, given to police for free as a part of the agreement, lets police request footage directly from Ring owners.

Google, Christopher Reeve Foundation to Give Away 100,000 Google Home Minis
Google has teamed up with the Christopher & Dana Reeve Foundation to give 100,000 Google Home Mini smart speakers to people living with paralysis and their caregivers, the company announced Friday morning. Eligible U.S. residents can apply on the website of the foundation.

What are they matching my face to? If I add my photo, identified as Donald Trump, to their database, will I receive proper obeisance?
Brandi Vincent reports how Customs and Border Protection claims to be using facial recognition technology these days:
Today, Hardin said the agency’s main use for facial recognition is to confirm that people are who they say they are as they move in, out and around the nation.
“It’s a huge advantage for us now, not just because the machine can perform better than the human in the actual matching, but also because it frees up the person to do other law enforcement activities in a small amount of time, which is really all they have,” he said.
Benji Hutchinson, vice president of federal operations at the information technology company NEC Corporation, also differentiated between how facial recognition has come to be used across law enforcement versus how Hardin and others are implementing it across immigration services. Hutchinson said it’s used in family reunification to identify matches of children that have been kidnapped, it helps dispel [(sic) Is that the right word? Bob] people who are wrongfully convicted and it supports officials in developing investigatory leads.
Read more on NextGov.
Sounds so benign when you put it that way, doesn’t it?

Italian Supervisory Authority Issues Judgment Concerning ‘Right to be Forgotten’
On July 22, 2019, the Italian supervisory authority for data protection (“Garante”) issued a judgment involving the so-called “right to be forgotten”. The Garante’s decision explores the boundaries of this right in a case in which Internet users could access an article by using a professional position as a search term, whereas it was not possible to access the article merely by using an individual’s name as a search term.
The Garante made clear that the principles of data protection apply to any information concerning an identified or identifiable natural person. Citing the GDPR’s definition of “personal data”, which refers to “factors specific to cultural or social identity of that natural person”, the Garante concluded that the data subject’s position as president of a cooperative constituted identifiable – and therefore personal – data relating to him.

Could these problems be universal? (Hint: Fer Sure, dude.)
ACCC Digital Platforms Inquiry to recommend changes to stop tech giants’ anti-competitive behaviour
Facebook and Google will be forced to better protect Australians’ privacy and be more transparent about collecting personal data if the government adopts the findings of a “groundbreaking” consumer watchdog report handed down today.
The Australian Competition and Consumer Commission has made 23 recommendations in its 623-page final report into anti-competitive behaviour and the market power of tech giants in Australia.
The ACCC stops short of calling for tech giant Google to be broken up.

Worth reviewing.

Thursday, July 25, 2019

Decisive. Even if they don’t know exactly what they will do. They had a “Commission” but apparently did no planning?
Louisiana's governor declares an emergency after cyberattacks on several school systems
Several school systems in Louisiana have been attacked by malware, Gov. John Bel Edwards said, and authorities are trying to determine if any other agencies are affected.
The governor issued a statewide emergency declaration Wednesday after the security breach was discovered in several school systems throughout the state, his office said. The declaration -- the state's first cybersecurity emergency activation -- allows multiple resources to be devoted to the probe.
The declaration enables local governments to utilize cybersecurity experts from the Louisiana National Guard, Louisiana State Police, the Office of Technology Services and others to resolve and prevent cyberattacks, according to the news release.
Louisiana State Police, the Louisiana National Guard, the Governor's Office of Homeland Security and Emergency Preparedness (GOHSEP), the state Office of Technology Services, Louisiana State University and other agencies are determining how to move forward, the release said.

Wow! Interesting tool. Look what it can do.
Advanced mobile surveillanceware, made in Russia, found in the wild
Monokle infected Android devices, but evidence suggests iOS versions may also exist.
Researchers have discovered some of the most advanced and full-featured mobile surveillanceware ever seen. Dubbed Monokle and used in the wild since at least March 2016
Monokle uses several novel tools, including the ability to modify the Android trusted-certificate store and a command-and-control network that can communicate over Internet TCP ports, email, text messages, or phone calls. The result: Monokle provides a host of surveillance capabilities that work even when an Internet connection is unavailable. According to a report published by Lookout, the mobile security provider that found it, Monokle is able to:
  • Retrieve calendar information including name of event, when and where it is taking place, and description
  • Perform man-in-the-middle attacks against HTTPS traffic and other types of TLS-protected communications
  • Send text messages to an attacker-specified number
  • Reset a user’s pincode
  • Record environmental audio (and specify high, medium, or low quality)
  • Make outgoing calls
  • Record calls
  • Interact with popular office applications to retrieve document text

This is even worse in complex systems, like AI.
Software Developers and Security
According to a survey: "68% of the security professionals surveyed believe it's a programmer's job to write secure code, but they also think less than half of developers can spot security holes." And that's a problem.
Nearly half of security pros surveyed, 49%, said they struggle to get developers to make remediation of vulnerabilities a priority. Worse still, 68% of security professionals feel fewer than half of developers can spot security vulnerabilities later in the life cycle. Roughly half of security professionals said they most often found bugs after code is merged in a test environment.
At the same time, nearly 70% of developers said that while they are expected to write secure code, they get little guidance or help. One disgruntled programmer said, "It's a mess, no standardization, most of my work has never had a security scan."
Another problem is it seems many companies don't take security seriously enough. Nearly 44% of those surveyed reported that they're not judged on their security vulnerabilities.

How the Commission thinks GDPR is working.
European Commission Issues Report on the Implementation of the GDPR
On July 24, 2019, the European Commission (“the Commission”) published a report appraising Europe’s progress in implementing the General Data Protection Regulation (“GDPR”) as a central component of its revamped data protection framework.

Gosh, I don’t think he’s a Facebook fan. Or maybe he’s only mad for political reasons?
Senator Edward J. Markey (D-Mass.) released the following statement after the Federal Trade Commission (FTC) announced its settlement with Facebook over consumer privacy violations.
“With its settlement with Facebook, the FTC not only fell short, it fell on its face. Facebook is getting away with some of the most egregious corporate bad behavior in the age of the internet,” said Senator Markey, a member of the Senate Commerce, Science and Transportation Committee. “This settlement is a partisan abdication of the FTC’s duty.
… “The new rules placed on Facebook in this consent decree fail to systematically change Facebook’s internal infrastructure and put a stop to its privacy malpractice once and for all.

(Related) Is this settlement better?

Similar to the AI algorithm problem, but at least Mark Zuckerberg should be able to explain this one.
Facebook algorithm changes suppressed journalism and meddled with democracy
The Conversation: “Facebook’s News Feed algorithm determines what users see on its platform – from funny memes to comments from friends. The company regularly updates this algorithm, which can dramatically change what information people consume. As the 2020 election approaches, there is much public concern that what was dubbed “Russian meddling in the 2016 presidential election” could happen again. But what’s not getting enough attention is the role Facebook’s algorithm changes play, intentionally or not, in that kind of meddling. A key counterpoint to the Russian misinformation campaign was factual journalism from reputable sources – which reached many of their readers on Facebook and other social media platforms. As a social media researcher and educator, I see evidence that changes to Facebook’s News Feed algorithm suppressed users’ access to credible journalism in the run-up to Trump’s election…”

Odds are in your favor. Sorry.
Equifax Settlement Payouts Range from $125 to $20K. Here's How to Find Out if You're Eligible in Just 10 Seconds
If you spent time or money as a result of the Equifax breach, even if you only signed up for free credit monitoring, you can quickly check to see if you're eligible for part of the settlement.
Visit the settlement eligibility checker and enter your last name and the last six digits of your social security number to find out if your information was included in the breach. If so, you can then follow the prompts to file a claim.
According to the site, "You can receive free, three-bureau credit monitoring at all three national credit reporting agencies (Equifax, Experian, and TransUnion). Experian will provide this service for at least four years. You can also enroll in free, single-bureau credit monitoring of your Equifax credit file, provided by Equifax, for up to six years after the Experian service ends."
Or, if you're skeptical about having Equifax monitor your credit at this point, you can choose a cash payout and sign up for a different credit monitoring service on your own.
[My results:
Based on the information you provided, our records indicate your personal information was impacted by this incident.]

They may have a point, but the focus is missing.
The end of tech's laissez-faire era
This week's series of big government moves against big tech platforms dropped a curtain on the era of hands-off regulatory policy that shaped the firms.
Why it matters: A generation of firms led by Google and Facebook that grew rich and powerful while the Feds stayed out of their way must now adjust to government action as a way of life. Meanwhile, legislators and regulators will have to figure out [Little success so far. Bob] how to protect the public while preserving the industry's vitality and creativity.
  • In other circles, insiders are beginning to talk about the prospect of a broad new Telecommunications Act-like law that would wrap privacy and data ownership rules, antitrust safeguards, and content regulations into one big package.
  • Since the current Congress hasn't even been able to get a bill focused only on privacy moving, either of these scenarios would have to play out on a long horizon.

Interesting speakers. Should be worth following. (Photos, not so much.)
50 Photos From Net@50: The Roots and Future of the Internet
We’ll publish another post soon with more takeaways from the event, but for now, please enjoy the photo slideshow. You can also watch videos of the entire event by clicking here. (We also ran a special series of stories, by Wade Roush and Brian Dowling, which predict the internet’s next 50 years, trace the roots of internet security issues, and provide in-depth Q&As with Radia Perlman, Bob Metcalfe, and Don Norman.)

A tool for my geeks.
This AI-powered autocompletion software is Gmail’s Smart Compose for coders
Over the past year, AI has seriously improved its ability to generate the written word. By scanning huge datasets of text, machine learning software can produce convincing samples of everything from short stories to song lyrics. Now, those same techniques are being applied to the world of coding with a new program called Deep TabNine.
Deep TabNine is what’s known as a coding autocompleter. Programmers can install it as an add-on in their editor of choice, and when they start writing, it’ll suggest how to continue each line, offering small chunks at a time. Think of it as Gmail’s Smart Compose feature but for code.

Wednesday, July 24, 2019

Computer Security training.
Phishing Emails Have Become Very Stealthy. Here Are 5 Ways to Spot Them Every Time
Most phishing emails appear completely legitimate, often by imitating a company's logo using high-quality graphics and including opt-out instructions. For this reason, it's quite common for recipients to be fooled, and even large companies have fallen prey to these scams. SiteLock has published a round-up of some recent phishing examples to demonstrate the prevalence of these scams and how to protect against them.

Some IoT background.
Now Available: IoT Webinar Series — Cyberthreats in the Internet of Things
On July 16, 2019, Nathan Salminen, Allison Holt, and Paul Otto from the Hogan Lovells Privacy and Cybersecurity and Litigation teams presented a webinar, “Cyberthreats in the Internet of Things” where they explored some techniques that can be used to exploit potential vulnerabilities in connected devices and how those types of events impact organizations from a regulatory and litigation perspective.
The speakers discussed unique litigation and technical risks related to the IoT ecosystem and some of the technical aspects of hacking threats to connected devices, how those threats may differ from other cyberthreats, and the legal implications of such threats.
To view the webinar recording and to download the presentation slides, please click here.

These fines add up. At what point will Facebook notice them?
Facebook to pay separate $100 million SEC fine over Cambridge Analytica scandal
It's a fraction of the FTC settlement.

Opinion | We Need a New Government Agency to Fight Facebook
… As Tony Romm reported in The Washington Post this week, the F.T.C. had originally conceived of significantly tougher punishments for Facebook, including fines exceeding tens of billions of dollars as well as direct liability for the company’s C.E.O., Mark Zuckerberg. The report lays out the nuance of the settlement negotiation process, and what I found striking was how it seemed as if — despite being the party in violation of the rules — Facebook appeared to have the upper hand:
Internally, the agency knew that it wasn’t guaranteed to get a multibillion dollar fine and other new commitments from a federal judge. Adding to the trouble, the agency, armed with a relatively small $306 million budget in 2018 that supported roughly 1,100 employees, had to confront the possibility that it might be outmatched in such litigation … A loss also could have immensely damaged the agency, perhaps setting a legal standard that curtailed the commission’s authority to police other tech giants for their privacy and security practices.
Facebook, in other words, is too big to fight. And so it received a fine that is roughly equivalent to a month of the company’s yearly revenue.

Costly, aren’t they?
Your business hit by a data breach? Expect a bill of $3.92 million
On Tuesday, IBM Security released its annual study, the Cost of a Data Breach Report, to estimate both the immediate and ongoing expense of a data breach. According to the company, the cost of a data breach has risen by 12 percent over the course of five years, and organizations can expect to pay an average of $3.92 million.

(Related) Possible appendix to the Computer Security budget request?
In Just One Evil Internet Minute, Over Two Phish Are Detected And $2.9 Million Is Lost To Cybercrime
RiskIQ, the global leader in attack surface management, released its annual “Evil Internet Minute” report today. The company tapped proprietary global intelligence and third-party research to analyze the volume of malicious activity on the internet, revealing that cybercriminals cost the global economy $2.9 million every minute last year, a total of $1.5 trillion.
RiskIQ’s Evil Internet Minute infographic can be found here:

Not just no, hell no! I teach my students to generate encryption using the RSA algorithm in about 30 minutes. Anyone (terrorists, crooks, attorneys general) could do the same. According to the 2018 wiretap report, only 146 of 2937 wiretaps encountered encryption. Roughly 5%.
US Attorney General Says Encryption Creates Security Risk
U.S. Attorney General Bill Barr said Tuesday that increased encryption of data on phones and computers and encrypted messaging apps are putting American security at risk.
Barr’s comments at a cybersecurity conference mark a continuing effort by the Justice Department to push tech companies to provide law enforcement with access to encrypted devices and applications during investigations.
“There have been enough dogmatic pronouncements that lawful access simply cannot be done,” Barr said. “It can be, and it must be.”
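To illustrate the point made above about how little it takes to stand up RSA, here is an added example (mine, not part of the blog post or the Barr article): textbook RSA key generation, encryption and decryption in plain Python, with a Miller-Rabin primality test so the primes can be generated rather than looked up. The prime sizes, the message and the classic 61/53 key pair used for the check are constructed for the demonstration; textbook RSA without padding is a teaching tool, not something to deploy.

```python
# Added example: textbook RSA from scratch (not the blog's or any library's code).
# Everything here is standard arithmetic; the toy sizes are for illustration only.
import random


def is_probable_prime(n):
    """Miller-Rabin with fixed small bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 as d * 2^r with d odd
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True


def generate_prime(bits, rng):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def modinv(a, m):
    """Extended Euclid: return x with a*x == 1 (mod m); raises if no inverse."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no modular inverse: gcd != 1")
    return old_s % m


def generate_keypair(p, q, e=65537):
    """Public key (e, n) and private key (d, n) from two distinct primes."""
    if p == q:
        raise ValueError("p and q must differ")
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)         # fails if e shares a factor with phi
    return (e, n), (d, n)


def encrypt(pub, m):
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer below n")
    return pow(m, e, n)


def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)


def demo(seed=1, bits=16, message=1234567):
    """Generate fresh primes, round-trip a message, return (message, recovered)."""
    rng = random.Random(seed)  # constructed, fixed seed so the run is repeatable
    while True:
        p, q = generate_prime(bits, rng), generate_prime(bits, rng)
        try:
            pub, priv = generate_keypair(p, q)
            break
        except ValueError:      # p == q or e not coprime to phi: draw again
            continue
    return message, decrypt(priv, encrypt(pub, message))


if __name__ == "__main__":
    pub, priv = generate_keypair(61, 53, e=17)   # the textbook 3233 example
    print(pub, priv, encrypt(pub, 65))           # (17, 3233) (2753, 3233) 2790
    print(demo())
```

The `demo` function shows the whole 30-minute lesson in one call: draw two primes, compute n and φ(n), invert e, then encrypt and decrypt. The classic p=61, q=53, e=17 pair is kept in the `__main__` block because it is easy to check by hand.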

I ask my students if they read the GDPR law and articles and immediately said, “There’s money to be made here!” If not, why not?
5 data privacy startups cashing in on GDPR
Aside from GDPR, Europe is also weighing up a new ePrivacy Regulation, which covers individuals’ privacy in relation to electronic communications. Elsewhere, countries and jurisdictions around the world are increasingly adopting their own privacy-focused regulations, with the likes of China and Russia already instilling local data residency requirements for citizens. And the California Consumer Privacy Act (CCPA) designed to enhance privacy rights of consumers living in the state will take effect on Jan 1, 2020.
Amid all this turmoil, companies are emerging to capitalize on the growing demand for data privacy tools, both for regulatory compliance and consumer peace of mind. In the past month alone, at least five such companies have raised sizable sums of cash for various data privacy, protection, and compliance products. Here’s a quick look at the companies and what they do.

Do they actually go together?
Artificial Intelligence and Law: An Overview
Surden, Harry, Artificial Intelligence and Law: An Overview (June 28, 2019). Georgia State University Law Review, Vol. 35, 2019; U of Colorado Law Legal Studies Research Paper No. 19-22. Available at SSRN:
“Much has been written recently about artificial intelligence (AI) and law. But what is AI, and what is its relation to the practice and administration of law? This article addresses those questions by providing a high-level overview of AI and its use within law. The discussion aims to be nuanced but also understandable to those without a technical background. To that end, I first discuss AI generally. I then turn to AI and how it is being used by lawyers in the practice of law, people and companies who are governed by the law, and government officials who administer the law. A key motivation in writing this article is to provide a realistic, demystified view of AI that is rooted in the actual capabilities of the technology. This is meant to contrast with discussions about AI and law that are decidedly futurist in nature.”

Toward automating lawyers.
Legaltech startup Genie AI scores £2M seed for its ‘intelligent’ contract editor
Genie AI, a legaltech startup and Entrepreneur First alumni, has raised £2 million in funding. The round is a combination of equity and a U.K. government grant, and will be used to continue development of the company’s “intelligent” contract editor for law firms and an upcoming product targeting GDPR compliance.
… “Lawyers always tell us ‘I know I’ve done something like that before,’ but in large firms it’s a real pain to dig past drafting out of emails, document management systems and the minds of senior lawyers,” says Genie AI co-founder and CEO Rafie Faruq. “SuperDrafter solves this by automatically curating relevant knowledge from around the firm, and recommending clauses to lawyers as they draft, in real time.”
The broader idea is that SuperDrafter can enable lawyers to benefit from the “collective intelligence” — both past and present — of an entire law firm. It does this by machine reading thousands of documents confidentially and then analysing variations of the same clause to deduce market standards and allow lawyers to negotiate the best deal for their clients.

Toward automating courts.
E-Nudging Justice: The Role of Digital Choice Architecture in Online Courts
Sela, Ayelet, E-Nudging Justice: The Role of Digital Choice Architecture in Online Courts (March 18, 2019). 2019 Journal of Dispute Resolution 127 ( 2019). Available at SSRN:
“Justice systems around the world are launching online courts and tribunals in order to improve access to justice, especially for self-represented litigants (SRLs). Online courts are designed to handhold SRLs throughout the process and empower them to make procedural and substantive decisions. To that end, they present SRLs with streamlined and simplified procedures and employ a host of user interface design and user experience strategies (UI/UX). Focusing on these features, the article analyzes online courts as digital choice environments that shape SRLs’ decisions, inputs and actions, and considers their implications on access to justice, due process and the impartiality of courts. Accordingly, the article begins to close the knowledge gap regarding choice architecture in online legal proceedings….”

Some AI background. All corporate AI is trivial?
Is This the AI We Should Fear?
We scientists want to understand intelligence as well as create machines that are intelligent. We want to create companion machines in ageing societies, machines that can teach our children math or serve as perceptive personal assistants. We’d like to build a robot that cooks an exotic meal for you with recipes from the internet or even teach you how to play bridge. We don’t just want to build machines that interact with humans in a superficial manner while pretending to be deep.
In sum, the AI which we now see is only the crust of a would-be intelligent entity, but this limited version is what corporate interest lies in. Indeed, this AI is only the tip of the machine-intelligence iceberg, and the corporate world does not seem to be interested in expanding its limits to do more, do better. And it’s likely they won’t until it makes commercial sense for them to do so.

Should not be interesting.
Big tech's antitrust wipeout: $33 billion erased from the value of Amazon, Apple, Facebook, and Google after DOJ announces probe
The DOJ on Tuesday said it was launching a broad investigation into whether "online platforms" were illegally harming their competitors and stifling innovation.
Here's how things stood at 5:30 a.m. ET:
  • Alphabet: Down 0.96%, wiping $7.6 billion off its value
  • Amazon: Down 1%, a $9.8 billion hit to its market cap
  • Apple: Down 1.04%, a $6.8 billion drop in value
  • Facebook: Down 1.46%, erasing $8.4 billion in value

Put together, the losses represent around $33 billion of lost value for the tech companies.

Perspective. At that price, even I might buy one.
The Hottest Phones for the Next Billion Users Aren’t Smartphones
The hottest phones for the world’s next billion users aren’t made by smartphone leaders Samsung Electronics Co. or Apple Inc. In fact, they aren’t even smartphones.
Millions of first-time internet consumers from the Ivory Coast to India and Indonesia are connecting to the web on a new breed of device that only costs about $25. The gadgets look like the inexpensive Nokia Corp. phones that were big about two decades ago.