Saturday, August 03, 2019

Perhaps they should structure these so the victims get most of the money?
Equifax on the hot seat for running out of data breach settlement funds
Even when making restitution to victims of its massive 2017 data breach, Equifax still can’t seem to avoid a mess. The credit reporting agency is now attracting a ton of scrutiny after the Federal Trade Commission revealed in an urgent announcement to the public that the pool of Equifax settlement funds used to pay cash claims to victims is quickly running dry. And that victims who step up to file a claim going forward should probably just go ahead and pick a non-cash alternative.
For its part, the FTC is stressing that it thinks [Not likely! Bob] the free credit monitoring offered as part of the settlement is worth more than the cash anyway. That’s because victims will be able to get free monitoring of their credit report at all three national credit reporting agencies — and the offer even includes up to $1 million in identity theft insurance and identity restoration services.
However, even that is drawing criticism. Another commenter on that FTC post noted that “my data has been compromised numerous times and I’ve received numerous free credit monitoring compensations.” [My students agree. Bob]
All that said, Electronic Privacy Information Center president and executive director Marc Rotenberg told The Washington Post “there’s something a little askew” over consumers thinking $125 was a possible offer at first, while officials “now have to race around saying, ‘Look at the fine print.’”

Old military technology, but who knew these states were where narcotics came into the US?
Pentagon testing mass surveillance balloons across the US
The US military is conducting wide-area surveillance tests across six midwest states using experimental high-altitude balloons, documents filed with the Federal Communications Commission (FCC) reveal.
Up to 25 unmanned solar-powered balloons are being launched from rural South Dakota and drifting 250 miles through an area spanning portions of Minnesota, Iowa, Wisconsin and Missouri, before concluding in central Illinois.
… “What this new technology proposes is to watch everything at once. Sometimes it’s referred to as ‘combat TiVo’ because when an event happens somewhere in the surveilled area, you can potentially rewind the tape to see exactly what occurred, and rewind even further to see who was involved and where they came from.”

Aerial Surveillance Is Astonishingly Legal
In the eyes of the law, there’s no difference between a smartphone photo taken through an airplane window and one taken by an ultra-powerful camera in a helicopter hovering over your backyard.

Apple and Google have already done something. (See yesterday’s blog)
Amazon Gives Option to Disable Human Review of Alexa Recordings
A new policy took effect Friday that allows customers, through an option in the settings menu of the Alexa smartphone app, to remove their recordings from a pool that could be analyzed by Amazon employees and contract workers, a spokeswoman for the Seattle company said. It follows similar moves by Apple Inc. and Google.

But will AI love me back?
Forget AI ethics—treat technology like a new relationship instead
Not a week passes without an ethical misstep by Big Tech. From Facebook’s personal data overreaches to thousands of e-commerce sites that trick people into superfluous purchases to cities implementing facial-recognition systems without consent, the tech industry continues to stress-test trust.
In response, ethical guidelines have flourished. Whether a short checklist, visual principles, or lengthy treatise, most agree on core principles of privacy, safety and security, transparency, fairness, and autonomy. But despite the efforts of think tanks, tech companies, and government agencies, the principles haven’t been so easy to put into practice.
What if we took a different approach? Rather than focusing solely on generalizable standards or a prescriptive ethical code, we could instead emphasize an ethics of care. And what requires more care than our own romantic relationships?
The phases below map to Mark Knapp’s relational development model. The University of Texas professor outlined 10 steps in relationships, from hello to goodbye.
Let’s focus on the steps for coming together, and how they might apply to our tech relationships.

Automating teachers?
China has started a grand experiment in AI education. It could reshape how the world learns.
Experts agree AI will be important in 21st-century education—but how? While academics have puzzled over best practices, China hasn’t waited around. In the last few years, the country’s investment in AI-enabled teaching and learning has exploded. Tech giants, startups, and education incumbents have all jumped in. Tens of millions of students now use some form of AI to learn—whether through extracurricular tutoring programs like Squirrel’s, through digital learning platforms like 17ZuoYe, or even in their main classrooms. It’s the world’s biggest experiment on AI in education, and no one can predict the outcome.

Compute smarter!
Included are cheat sheets that cover:
  • Microsoft Office keyboard shortcuts for Windows & Mac
  • PowerPoint keyboard shortcuts
  • Word keyboard shortcuts
  • Outlook keyboard shortcuts
  • Excel keyboard shortcuts
  • Excel Formulas
  • Gmail keyboard shortcuts
  • Google Drive keyboard shortcuts
  • Google Search operators and commands
  • Markdown elements

Friday, August 02, 2019

There are a number of questions I’d like answered.
Congress Wants Capital One, Amazon to Explain Data Breach
Leaders of House and Senate committees want Capital One and Amazon to explain to Congress how a hacker accessed personal information from more than 100 million Capital One credit card customers and applicants.
"As this is not the first incident in which Capital One's customer data was exposed, we need to understand what bank regulators have been doing to ensure that this bank and other banks have strong cybersecurity policies and practices," Waters said. She plans legislation to improve oversight of the cybersecurity of financial institutions.
In a letter Thursday to Amazon CEO Jeff Bezos, Jordan and other Republicans on the House Oversight panel note that Capital One data was stored on a cloud service provided by Amazon Web Services. The suspected hacker, Paige Thompson, is a former Amazon software engineer. [Connection or coincidence? Bob]

My class will be in favor.
Apple suspends Siri response grading in response to privacy concerns
In response to concerns raised by a Guardian story last week over how recordings of Siri queries are used for quality control, Apple is suspending the program world wide. Apple says it will review the process that it uses, called grading, to determine whether Siri is hearing queries correctly, or being invoked by mistake.
In addition, it will be issuing a software update in the future that will let Siri users choose whether they participate in the grading process or not.

Google will pause listening to EU voice recordings while regulators investigate
Google has agreed to stop listening in and transcribing Google Assistant recordings for three months in Europe, according to German regulators.
In a statement released today, Germany’s data protection commissioner said the country was investigating after reports that contractors listen to audio captured by Google’s AI-powered Assistant to improve speech recognition. In the process, according to the reports, contractors found themselves listening to conversations accidentally recorded by products like the Google Home.
A Google spokesperson said it had itself moved to pause “language reviews” while it investigated recent media leaks. [“We will find out who ratted us out!” Bob]

California privacy act interpretation could make common newsgathering practice unlawful
Reporters Committee for Freedom of Information – “The California court of appeal is considering an expansive interpretation of state privacy law — in a pending lawsuit involving Yelp — that would make it unlawful to take notes during telephone conversations. The Reporters Committee for Freedom of the Press and a coalition of 17 media organizations are urging the court to reject the argument that the California Invasion of Privacy Act prevents note taking. In the case, plaintiff Eric Gruber alleges that Yelp violated the CIPA by recording conversations between him and Yelp employees. Yelp argues that it only made “one-way” recordings in which only the Yelp employee’s voice was recorded.
The district court found that Yelp did not violate CIPA, but Gruber appealed, calling for a more “expansive” reading of what qualifies as a recording under the law that would include “all simultaneously-created records” as long as they are “registered in reproducible form,” whether that be audio, written, photographic or another form of recording. In a friend-of-the-court brief filed July 10, Reporters Committee attorneys argue, along with 17 media organizations, that this expansive interpretation of CIPA could potentially make journalists responsible for damages or criminalize those who take notes — either by hand or by computer — during conversations and consequently, criminalize the common journalistic practice of notetaking. Note taking should not be considered recording, “even if done without the consent of all parties to the communication.”…

Another minor problem?
Evidence in the Age of Privacy: Access to Data in the Criminal Justice System
The California Consumer Privacy Act, scheduled to go into effect on January 1, 2020, will make it harder for people accused of crimes to defend themselves. So would the New York Privacy Act, introduced on May 9, 2019. And so would eight of eleven proposed federal privacy bills currently under consideration in the United States Congress. Most likely, lawmakers aren’t even aware of the problem.
The vast majority of proposed laws share a common feature — they grant law enforcement more or better access to useful data than they afford to defense counsel and the investigators who work with them.

In exchange for Amazon giving the cops video from the door cameras?
Amazon-owned home security company Ring is pursuing contracts with police departments that would grant it direct access to real-time emergency dispatch data, Gizmodo has learned.
The California-based company is seeking police departments’ permission to tap into the computer-aided dispatch (CAD) feeds used to automate and improve decisions made by emergency dispatch personnel and cut down on police response times. Ring has requested access to the data streams so it can curate “crime news” posts for its “neighborhood watch” app, Neighbors.

Is there much left to reveal?
Edward Snowden memoir to reveal whistleblower’s secrets
The Guardian – In Permanent Record, the former spy will recount how his mass surveillance work eventually led him to make the biggest leak in history – “After multiple books and films about his decision to leak the biggest cache of top-secret documents in history, whistleblower Edward Snowden is set to tell his side of the story in a memoir, Permanent Record. Out on 17 September, the book will be published in more than 20 countries and will detail how and why the former CIA agent and NSA contractor decided to reveal the US government’s plans for mass surveillance around the world and in the US – which included monitoring phone calls, text messages and emails. UK publisher Macmillan said the book would see him “bringing the reader along as he helps to create this system of mass surveillance, and then experiences the crisis of conscience that led him to try to bring it down”…”

Interesting but complicated. Will they flag Russian ads?
This Tool Lets You See Facebook’s Targeted Political Ads All Over the World
Vice – Facebook has failed to be fully transparent with data concerning political advertising, so two researchers collected the data themselves. “A team of two researchers has created the most comprehensive visualization of Facebook’s political advertisements. Detailing hundreds of thousands of ads across 34 countries by more than 150 political actors, is a new tool aimed at providing transparency to political advertisements on the platform. Three years after the Cambridge Analytica scandal, in which user data was used to target political ads, someone has finally made a way for ordinary people to learn which political campaign ads are being posted on Facebook all around the world. “With, you can explore both country-specific contextual issues and political strategies, as well as broader questions about the power of persuasion that the use of personal data facilitates,” the website notes. “Through our interfaces, you can understand targeting and optimization, compare monetary investment, and trace the timelines of ads.”…”

Is the Visicalc of AI on the way?
Bringing machine learning to the masses
Artificial intelligence (AI) used to be the specialized domain of data scientists and computer programmers. But companies such as Wolfram Research, which makes Mathematica, are trying to democratize the field, so scientists without AI skills can harness the technology for recognizing patterns in big data. In some cases, they don't need to code at all. Insights are just a drag-and-drop away. One of the latest systems is software called Ludwig, first made open-source by Uber in February and updated last week. Uber used Ludwig for projects such as predicting food delivery times before releasing it publicly. At least a dozen startups are using it, plus big companies such as Apple, IBM, and Nvidia. And scientists: Tobias Boothe, a biologist at the Max Planck Institute of Molecular Cell Biology and Genetics in Dresden, Germany, uses it to visually distinguish thousands of species of flatworms, a difficult task even for experts.

What are you looking for?
Facebook open-sources algorithms for detecting child exploitation and terrorism imagery
Facebook will open-source two algorithms it uses to identify child sexual exploitation, terrorist propaganda, and graphic violence, the company said today. PDQ and TMK+PDQF, a pair of technologies that store files as digital hashes and compare them with known examples of harmful content, have been released on GitHub, Facebook said in a blog post.
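The mechanism described above (hash an image, then compare the hash against hashes of known material) is easier to reason about with a working toy version. The following is an added example, not Facebook's PDQ or TMK+PDQF code: it implements a simplified difference hash ("dHash") over a grayscale image given as a 2D list of 0–255 values, measures similarity as the Hamming distance between 64-bit hashes, and checks an image against a small constructed blocklist. The image generators, the "known-gradient" label and the distance threshold of 10 are all assumptions made for the demonstration; PDQ uses a different, more robust transform and a 256-bit hash.

```python
# Added example: perceptual-hash matching against a blocklist of known images.
# Simplified dHash stand-in for PDQ; images are 2D lists of grayscale ints (0-255).

def resize_gray(img, width, height):
    """Block-average a 2D grayscale list down to width x height."""
    src_h, src_w = len(img), len(img[0])
    out = []
    for y in range(height):
        y0, y1 = y * src_h // height, max(y * src_h // height + 1, (y + 1) * src_h // height)
        row = []
        for x in range(width):
            x0, x1 = x * src_w // width, max(x * src_w // width + 1, (x + 1) * src_w // width)
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out

def dhash(img, hash_size=8):
    """64-bit difference hash: one bit per horizontally adjacent pair, 1 if the
    right pixel is brighter than the left. Row 0 ends up in the high bits."""
    small = resize_gray(img, hash_size + 1, hash_size)
    h = 0
    for row in small:
        for x in range(hash_size):
            h = (h << 1) | (1 if row[x + 1] > row[x] else 0)
    return h

def hamming(a, b):
    """Number of differing bits between two hashes (0 = identical, 64 = opposite)."""
    return bin(a ^ b).count("1")

def scan_against_blocklist(img, blocklist, threshold=10):
    """Return (label, distance) for every blocklist entry within the threshold.
    'threshold' is an assumed tuning value; lower means fewer false matches."""
    h = dhash(img)
    return [(label, hamming(h, known)) for label, known in blocklist
            if hamming(h, known) <= threshold]

# --- constructed sample images (not real content) ---
def horizontal_gradient(size=32):
    return [[x * 8 for x in range(size)] for _ in range(size)]

def vertical_gradient(size=32):
    return [[y * 8 for _ in range(size)] for y in range(size)]

def with_black_bar(img):
    """Near-duplicate: the same image with a small black bar drawn over it."""
    out = [row[:] for row in img]
    for y in range(12, 16):
        for x in range(16, 24):
            out[y][x] = 0
    return out

# A blocklist built from hashes of "known" images (here, one constructed image).
BLOCKLIST = [("known-gradient", dhash(horizontal_gradient()))]

if __name__ == "__main__":
    print("near-duplicate:", scan_against_blocklist(with_black_bar(horizontal_gradient()), BLOCKLIST))
    print("unrelated:", scan_against_blocklist(vertical_gradient(), BLOCKLIST))
```

The near-duplicate differs from the blocklisted image in only a few bits and is reported as a match, while the unrelated image is 64 bits away. That tolerance is the point of a perceptual hash: an ordinary cryptographic hash would treat the altered copy as a completely new file. The trade-off is that the threshold must be tuned against a labelled set, since raising it catches more edited copies but also more innocent look-alikes.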

Capitalizing on ignorance. What has politics become?
Biden’s flubbed text message appeal launches at least five internet domains
Bay Area-native Keoua Medeiros saw an immediate opportunity when Joe Biden flubbed a campaign promo during his closing statement at the Democratic debate Wednesday night.
“If you agree with me, go to Joe 30330 and help me in this fight,” the former vice president said, pausing as he said the numbers and seemingly directing viewers of the CNN-hosted debate to a website. But the Democratic front-runner meant to say “Text Joe to 30330,” his campaign said in a statement the next day, adding, “oops.”
… “It seemed like he didn’t know what he was saying,” Medeiros said of Biden.
Medeiros said he snapped up the domain for about $15. The registrant name for the URL is private, but the purchase was made via the domain hosting company GoDaddy at about 7:50 p.m. Pacific — four minutes after Biden’s slip — according to registration data from Internet Corporation for Assigned Names and Numbers. The domain was one of at least five variants of Joe followed by threes and zeros that were registered in the minutes after Biden’s remark.
“By the time I went to buy joe30330, that was taken already by the Josh for America guy,” Medeiros said.

I would threaten my students with this, but they’d probably enjoy it.
Science Goes Too Far, Creates AI That Turns You Into an Anime Character
The AI-anime-convertor is the brainchild of Junho Kim, Minjae Kim, Hyeonwoo Kang, and Kwanghee Lee, researchers working for the video game company NCSoft, the publishers of Guild Wars 2. The NCSoft team released the code on GitHub and published its research online.

Thursday, August 01, 2019

Following a “correct” but inadequate process. Would it have killed them to make a phone call?
$1.7 million still missing after North Carolina county hit by business email compromise scam
According to a notice published on the Cabarrus County government’s website, problems began in November 2018 when Cabarrus County Schools received an email claiming to come from Virginia-based Branch and Associates, which was working on the construction of West Cabarrus High, a new school for the district.
The email claimed that Branch and Associates had changed their bank account details, and requested that future payments on the school construction project were sent to the new account.
To its credit, Cabarrus County says that its staff followed the correct processes – requesting that forms and documentation (including an electronic funds transfer (EFT) form signed by the bank) were submitted to make the change.
One week later, Cabarrus County received the documentation from the criminals, and saw nothing to raise any concerns.
Then, on December 21 2018, Cabarrus County electronically transferred $2,504,601 into what they believed was Branch and Associates’ bank account.
Soon afterwards, the bank and law enforcement were informed, as were the county’s insurers, and an investigation determined that Cabarrus County’s computer systems had not been hacked or compromised, but instead a socially engineered business email compromise scam had been successfully pulled off using a bogus email address.
In response Cabarrus County halted all future payments via electronic transfer until account details could be verified. This process, alongside a redesign of the county’s vendor system, took three months.

A new perspective for Computer Security.
Cyber Kill Chain Reimagined: Industry Veteran Proposes "Cognitive Attack Loop"
The Cyber Kill Chain is dead. Long live the Cognitive Attack Loop. This is the thesis of Tom Kellermann's (Chief Security Officer at Carbon Black and former cyber commissioner for President Obama) new paper, 'Cognitions of a Cybercriminal'.
The problem with the Cyber Kill Chain framework created (and trademarked) by Lockheed Martin is that it has a beginning and an end. While this was an accurate reflection of cyber-attacks when it was first devised, it no longer applies, Kellermann says. The burglary approach of cybercriminals to enter, steal and leave has changed to long-lasting home invasion. The modern cybercriminal does not just leave -- he wants to stay, quietly hidden. Breaking the kill chain no longer works, because the criminal is still in the home.
There are three primary phases to this loop: reconnoiter and infiltrate; maintain and manipulate; execute and exfiltrate – but there is no assumed exit. Each of these primary phases has numerous sub-phases, such as privilege, persistence and evasion within the maintain and manipulate phase; and exfiltration, destruction and disinformation in the final phase. But there is no end to this loop. If the attackers have not been detected, they will remain. They could start again at some point in the future – or, in the case of the Russian state/hacker alliance, simply pass the access keys to a Russian intelligence agency.
In this sense, Kellermann's paper (PDF) is a call to action, that he intends to repeat at Black Hat and Defcon.

Lots of people are helping us to stay current.
The Future of Data Privacy in the United States
Analyzing the state of privacy regulation, including the CCPA, Nevada’s privacy law, and bills introduced in New York and Washington State
With laws passed in California and Nevada and bills planned in many other states, companies should expect to be impacted within the coming months.
This article breaks down the crucial parts of each state’s privacy regulation law/bill — including who they cover, when they take effect, penalties, how to achieve compliance as well as why states took the reins before the federal government to protect consumer’s personal data.

Farewell encryption?
Facebook Plans on Backdooring WhatsApp
This article points out that Facebook's planned content moderation scheme will result in an encryption backdoor into WhatsApp:
In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user's device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.
The company even noted
Facebook's model entirely bypasses the encryption debate by globalizing the current practice of compromising devices by building those encryption bypasses directly into the communications clients themselves and deploying what amounts to machine-based wiretaps to billions of users at once.
Once this is in place, it's easy for the government to demand that Facebook add another filter – one that searches for communications that they care about – and alert them when it gets triggered.

So now I have a National ID Number? Unlike my social security number, which can not(???) be used as ID, this one is only used as ID?
Shaun Grannis, John D. Halamka, and Ben Moscovitch have an opinion piece on STAT that begins:
It isn’t every day that the House of Representatives takes bipartisan action to reverse a policy that’s been in place for two decades. But that’s what happened last month, when Democrats and Republicans alike voted for a measure designed to address a perennial problem that undermines medical record-keeping, puts patients at risk, and costs our health care system billions of dollars every year.
Specifically, the House voted to repeal a 21-year ban on funding for a national patient identifier — a unique number or code comparable to a Social Security number that would be assigned to each and every American. As envisioned, this identifier would make it easier for health care providers to access accurate medical records anywhere, anytime — whether the patient is making a routine office visit in Boston or lying unconscious in a San Francisco emergency room.
Read more on STAT

We’ll figure out this GDPR thing some day. Meanwhile…
ICO Launches Public Consultation on New Data Sharing Code of Practice
On July 16, 2019, the UK’s Information Commissioner’s Office (“ICO”) released a new draft Data sharing code of practice (“draft Code”), which provides practical guidance for organizations on how to share personal data in a manner that complies with data protection laws. The draft Code focuses on the sharing of personal data between controllers, with a section referring to other ICO guidance on engaging processors.

Can lawyers use AI ethically? Is there a “duty to use” AI?
PART II : AI Tools for Solo and Small Law Firms
Generally, today’s AI tools for solo and small law firms break down into three categories: (1) legal research and issue spotting; (2) law practice automation and marketing tools and (3) substantive legal issues arising out of the use of algorithmic, AI-driven platforms in legal matters ranging from criminal defense, employment, insurance, custody defense and others that solo and small firm lawyers tend to handle.

Tools & Techniques. Very interesting and very, very carefully worded.
At the final session of the 2019 Space Symposium in Colorado Springs, attendees straggled into a giant ballroom to listen to an Air Force official and a National Geospatial-Intelligence Agency (NGA) executive discuss, as the panel title put it, “Enterprise Disruption.” The presentation stayed as vague as the title until a direct question from the audience seemed to make the panelists squirm.
… “When will the Department of Defense have real-time, automated, global order of battle?” they asked.
… An initiative called Sentient has relevant capabilities. A product of the National Reconnaissance Office (NRO), Sentient is (or at least aims to be) an omnivorous analysis tool, capable of devouring data of all sorts, making sense of the past and present, anticipating the future, and pointing satellites toward what it determines will be the most interesting parts of that future.

Share with everyone! Gary Alexander tipped me off to the CyberheistNews newsletter.
Q2 2019 Top-Clicked Phishing Email Subjects from KnowBe4 [INFOGRAPHIC]
… Aside from social media-related messages, general subject lines related to password management were highest on the list. In-the-wild attacks ... found greatest success when they asked for action from the recipient.
Click here to download the full infographic (PDF)

Wednesday, July 31, 2019

“How we did it” articles are always worth reviewing. You never know when you might learn something.
How 4 IT technicians saved an Arizona hospital from hacker ransomware
After some reading up on ransomware attacks on the internet, the Wickenburg IT team determined that in other Ryuk attacks, which have targeted public- and private-sector victims, cybercriminals would ask for more than the small hospital could afford to pay anyway.
So instead of seeing what the hackers wanted, Beckham said that Wickenburg’s IT staff, a total of four people, including himself, began rebuilding the hospital’s computer systems from scratch.
“We threw it in the trash and started over from a software perspective,” Beckham said. “We sat down and decided what is most important, what was absolutely needed both short term and long term. And when I say short term, I mean in the next hour and long term is the next 12 hours.”
The hospital had already started to strengthen its security measures, and it had been backing its data up on physical tapes, which Beckham described as “halfway between a cassette tape and a VHS tape,” that were stored in a safe, an archaic-seeming strategy that cybersecurity professionals are increasingly advising organizations to use to protect critical data. A brand-new backup system was being shipped to Wickenburg when the attack hit.

Seems like a very small slice of vulnerability here. Most small planes operate under Visual Flight Rules, that is they do not fly blind, relying only on instruments.
U.S. Issues Hacking Security Alert for Small Planes
The Department of Homeland Security issued a security alert Tuesday for small planes, warning that modern flight systems are vulnerable to hacking if someone manages to gain physical access to the aircraft.
An alert from the DHS critical infrastructure computer emergency response team recommends that plane owners ensure they restrict unauthorized physical access to their aircraft until the industry develops safeguards to address the issue, which was discovered by a Boston-based cybersecurity company and reported to the federal government.
The warning reflects the fact that aircraft systems are increasingly reliant on networked communications systems, much like modern cars.
The Rapid7 report focused only on small aircraft because their systems are easier for researchers to acquire. Large aircraft frequently use more complex systems and must meet additional security requirements. The DHS alert does not apply to older small planes with mechanical control systems.

Your phone will rat you out!
How You Move Your Phone Can Reveal Insights Into Your Personality, Creepy Study Finds
Science Alert – “It may sound strange at first, but a team of researchers in Australia has come up with a method to predict your personality traits using just the accelerometer in your phone. Well, that and your call and messaging activity logs. Also, the system works for some traits better than others. But it’s an interesting take on how we may find connections through such seemingly unrelated things. There’s a wealth of previous research investigating how different aspects of your smartphone and social media use – such as your language in messages, how you style your Facebook profile, or how much physical activity you do – can be used to predict your personality traits.
“Activity like how quickly or how far we walk, or when we pick our phones up during the night, often follows patterns and these patterns say a lot about our personality type,” said one of the team, computer scientist Flora Salim from RMIT University in Australia. “In this case, we start at the Big Five personality traits. These have been used in psychology since the 1980s to help classify five dominant parts of our personalities…” (The study has been published in Computer – Predicting Personality Traits From Physical Activity Intensity [paywall])

Almost everything will rat you out.
Alexa Guard will listen for breaking glass or fire alarms. Could it be more obvious that this is Amazon's test balloon for always-on microphones that will listen for everything?

The next big thing? (Links to studies and policies)
Internet of Things: Regulatory Ecosystem and Consumer Product Health and Safety – Part I
Technological Revolutions are quiet and astonishing. Step by step new technological applications are pushing existing paradigms and changing the way business is transacted by consumers, companies and in society. In the past, electricity and printing had a revolutionary role in social development, shifting all sectors of life. These days, the Internet of Things (IoT) is pivotal in creating quick, profound and quiet transformations.
According to the Committee on Digital Economy Policy of the Directorate for Science, Technology and Innovation of the OECD:
The Internet of Things (IoT) could soon be as commonplace as electricity in the everyday lives of people in OECD countries. As such, it will play a fundamental role in economic and social development in ways that would have been challenging to predict as recently as two or three decades ago[1].