Saturday, August 31, 2019

I’ve heard of forensic investigations but never one claiming psychic powers.
Phishing scheme gains entry to Oregon Judicial Department emails
A phishing scheme succeeded in breaking into the email accounts of five Oregon Judicial Department employees, exposing personal information of more than 6,000 people.
A forensic team determined that none of the information has been used in an inappropriate way so far.
… Lemman said originally a private lawyer had their email account hacked. The hackers gained access to the lawyer’s address book, and sent an email to workers in the state court system. That effort gained entry to a Washington County Circuit Court administrative staffer’s account. The email was then sent to Judicial Department staff, and five employees took the bait. Lemman said he didn’t know if they clicked a link, [Ask! Bob] but said the five entered their usernames and passwords, which hackers were able to access.
… Some of the information deemed “private” by law is also public record, like arrest rosters, he said.
The attackers did not gain access to any of the department’s internal systems. [Except email? Bob]

I bet there was a procedure that did not get followed.
AI Used For Social Engineering. Fraudsters Mimic CEO’s Voice in Unusual Cybercrime Case
Catherine Stupp at the Wall Street Journal reported on something we have predicted would happen in this blog. The article started out with:
"Criminals used artificial intelligence-based software to impersonate a chief executive’s voice and demand a fraudulent transfer of €220,000 ($243,000) in March in what cybercrime experts described as an unusual case of artificial intelligence being used in hacking.
"The CEO of a U.K.-based energy firm thought he was speaking on the phone with his boss, the chief executive of the firm’s German parent company, who asked him to send the funds to a Hungarian supplier. The caller said the request was urgent, directing the executive to pay within an hour, according to the company’s insurance firm, Euler Hermes Group SA. Euler Hermes declined to name the victim companies.

Will this type of response become common?
Why Hong Kongers Are Toppling Lampposts
The most successful surveillance devices are unobtrusive by nature, which means spotting them is difficult and engaging with them directly can be surreal.
… The Chinese government is notorious for its sophisticated surveillance apparatus, and evading it requires equally sophisticated tactics. Protesters have been hiding their faces with surgical masks and umbrellas, using burner cellphones, and paying for transit in cash. And, for the past month, they’ve also been cutting down lampposts with electric saws.

For my Security Compliance class.
Google, Medical Center Ask Court to Dismiss Privacy Lawsuit
Google and the University of Chicago Medical Center have filed motions to dismiss a class action lawsuit that alleges patients' electronic health records were not properly de-identified by the hospital before they were shared with Google to support the company's predictive medical data analytics technology development efforts.
The lawsuit filed in an Illinois federal court in June by a former medical center patient notes that HIPAA requires that data shared for research purposes must be de-identified by one of two methods. Those methods include the "expert determination" method to determine if risk of de-identification is small and the "safe harbor" method, which involves removing a long list of identifiers.
The lawsuit alleges that while the medical center claims it de-identified patient records shared with Google, the data included date stamps of when patients checked in and out of the hospital, as well as "copious free-text notes."
As a result, the lawsuit contends, through Google's "prolific data mining ... [the company] is uniquely able to determine the identity of almost every medical record released by the university."
Legal experts are weighing in on the dispute, seeing merits in the arguments on both sides.

Friday, August 30, 2019

The what but not the why. What websites? How big a deal was this?
Google finds 'indiscriminate iPhone attack lasting years'
Security researchers at Google have found evidence of a “sustained effort” to hack iPhones over a period of at least two years.
The attack was said to be carried out using websites which would discreetly implant malicious software to gather contacts, images and other data.
Google’s analysis suggested the booby-trapped websites were said to have been visited thousands of times per week.
… "There was no target discrimination,” Mr Beer wrote.
“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant."
… Once on a person’s iPhone, the implant could access an enormous amount of data, including (though not limited to) contacts, images and GPS location data. It would relay this information back to an external server every 60 seconds, Mr Beer noted.
The implant also was able to scoop up data from apps a person was using, such as Instagram, WhatsApp and Telegram. Mr Beer’s list of examples also included Google products such as Gmail and Hangouts, the firm's group video chat app.
Google’s team notified Apple of the vulnerabilities on 1 February this year. A patch was subsequently released six days later to close the vulnerability. Apple’s patch notes refer to fixing an issue whereby “an application may be able to gain elevated privileges” and “an application may be able to execute arbitrary code with kernel privileges”.

Let’s not get too far ahead of ourselves.
Can AIs Hold Patents? Experts Answer USPTO's Questions About Artificial Intelligence
Academics have been debating for a while whether machines can be inventors for the purposes of patent law. Earlier this month, University of Surrey IP professor Ryan Abbott and others upped the ante, forming the Artificial Inventor Project and filing patents around the world that list an AI machine as the inventor.
The USPTO, which convened a conference earlier this year on AI and IP, is now formally requesting comments from the public on patenting artificial intelligence inventions. PTO Deputy Director Laura Peter publicized the request in a blog post Monday, highlighting four sample questions the agency intends to address.
For further reading, check out Abbott’s articles on AI inventorship and on the level of ordinary skill in an AI world.
PTO QUESTION 1: Do current patent laws and regulations regarding inventorship need to be revised to take into account inventions where an entity or entities other than a natural person contributed to the conception of an AI invention or any other invention?
PTO QUESTION 2: Are there any patent eligibility considerations unique to AI inventions?
PTO QUESTION 3: Does AI impact the level of a person of ordinary skill in the art?
PTO QUESTION 4: Do the disclosure rules (enablement, specification, etc.) need to be altered for AI-related patent applications?

Soon, this may be the only place to learn Latin.

Thursday, August 29, 2019

Subtle, but something. Not sure this was a very important database. Probably more like a list of shipping in the Gulf.
US Waged Cyberattack on Database Used by Iran to Target Tankers: NY Times
The United States staged a secret cyberattack in June against a database used by Iran's Islamic Revolutionary Guard Corps to plot attacks on oil tankers in the Gulf, The New York Times reported.
The newspaper, quoting senior US officials, said the June 20 attack had degraded the ability of Iran's paramilitary force to target shipping in the Gulf.
… It said the database targeted in the attack was used by the Guards to choose which tankers to target.

Too late to avoid a GDPR fine?
Apple Apologizes for Listening to Siri Talk, Sets New Rules
Apple on Wednesday apologized for its digital assistant Siri sharing some of what it heard with quality control workers as it unveiled new rules for handling data from conversations.
Under the changes, Apple will allow its employees to review conversations only from customers who opt into the "Siri grading" program to improve the voice recognition technology. Apple will also delete by default any recordings used for the program.
"We realize we haven't been fully living up to our high ideals, and for that we apologize," Apple said in a post.
… If customers opt in, only Apple employees will be allowed to listen to audio samples of Siri interactions and they will "work to delete any recording which is determined to be an inadvertent trigger" of the voice-commanded digital assistant, according to the company.

A bit too optimistic?
Jack Ma says 12-hour work week could be the norm when AI benefits kick in
Billionaire Jack Ma, long an outspoken advocate for China's extreme work culture, says that people should be able to work just 12 hours a week with the benefits of artificial intelligence.
People could work as little as three days a week, four hours a day with the help of technology advances and a reform in education systems, the Alibaba Group Holding Ltd co-founder said at the World Artificial Intelligence Conference in Shanghai on Thursday (Aug 29).
Ma cited electricity as an example of how developments in technology can free up time for leisure.

How to automate lawyering?
A Primer on Using Artificial Intelligence in the Legal Profession
LexBlog – A Primer on Using Artificial Intelligence in the Legal Profession: “What’s artificial intelligence (“AI”) and why should lawyers care about it? On a practical level, lawyers should be aware that software powered by AI already carries out legal tasks. Within a few years, AI will be taking over (or at least affecting) a significant amount of work now done by lawyers. Thirty-nine percent of in-house counsel” expect that AI will be commonplace in legal work within ten years. On a more philosophical level, lawyers should understand that the “decisions” made by AI-powered software will raise significant legal questions, including those of tort liability and of criminal guilt. For example, if AI is controlling a driverless car and someone’s killed in an accident, who’s at fault? While the philosophical questions are important to resolve, this Comment will focus on the practical issues. To provide an overview of what AI is and how it will be used in the legal profession, this Comment addresses several questions…”

How not to automate lawyering?
Lawyering Somewhere Between Computation and the Will to Act: A Digital Age Reflection
Lipshaw, Jeffrey M., Lawyering Somewhere Between Computation and the Will to Act: A Digital Age Reflection (August 5, 2019). Legal Studies Research Paper Series Research Paper 19-21 August 5, 2019. Available at SSRN: or
This is a reflection on machine and human contributions to lawyering in the digital age. Increasingly capable machines can already unleash massive processing power on vast stores of discovery and research data to assess relevancies and, at times, to predict legal outcomes. At the same time, there is wide acceptance, at least among legal academics, of the conclusions from behavioral psychology that slow, deliberative “System 2” thinking (perhaps replicated computationally) needs to control the heuristics and biases to which fast, intuitive “System 1” thinking is prone. Together, those trends portend computational deliberation – artificial intelligence or machine learning – substituting for human thinking in more and more of a lawyer’s professional functions. Yet, unlike machines, human lawyers are self-reproducing automata. They can perceive purposes and have a will to act that cannot be reduced to mere third-party scientific explanation. For all its power, computational intelligence is unlikely to evolve intuition, insight, creativity, and the will to change the objective world, characteristics as human as System 1 thinking’s heuristics and biases. We therefore need to be circumspect about the extent to which we privilege System 2-like deliberation (particularly that which can be replicated computationally) over uniquely human contributions to lawyering: those mixed blessings like persistence, passion, and the occasional compulsiveness.

May become more useful in the future.
Partnership on AI’s Terah Lyons talks ethics washing, moonshots, and power
There’s no organization in the world quite like the Partnership on AI.
Formed in September 2016 by a coalition of the largest tech companies in AI — Apple, Amazon, Facebook, Google, IBM, and Microsoft — it is a nonprofit organization that advises corporations and governments on AI policy and seeks to answer big questions about the future, like how AI will influence the economy and society and how best to make safety-critical or transparent AI systems. Of the more than 100 notable organizations active on five continents that compose the Partnership, more than half are human rights groups like Amnesty International, Future of Life Institute, and GLAAD. They sit alongside some of the world’s most influential tech companies, think tanks, and other organizations.

It’s all statistics and other math.
Former MLB Pitcher’s DC Startup Lands $23M for Sports Betting Platform
Ex-MLB pitcher Michael Schwimer’s new District-based venture, Jambos Picks, brings a machine learning-based approach to sports betting by analyzing public and commercial data sets.
The service’s most noteworthy feature is a bold guarantee: Picks will be profitable or bettors will get their subscription fee back, plus additional money.
The discounts vary depending on subscription length. The full 17-week plan costs $3,000 and has a $10,000 refund if the picks don’t make money overall. But you’ll need to bet a lot.
For example, on a $3,000 subscription including 1,000 recommended bets, you would receive $10,000 back if you followed the Jambos method – $300-plus bets – and did not profit.

Is it worth $5? (iPhone & iPad only)
Quickly and easily search case citations using your camera
    • Speed – In a time-pressed court room, you don’t have time to go to the internet and type in a case citation. Opinion Minion takes you right to the case you need!
    • Text-Recognition – Opinion Minion utilizes text-recognition software and a custom algorithm to identify case citations.
    • Accessibility – Opinion Minion is powered by Google Scholar, so all of your starred cases are automatically shared across all of your devices connected to Google…”

Wednesday, August 28, 2019

Perhaps I could volunteer my students to help?
Day 6 of Regis University’s IT nightmare: Computer recovery begins
On day six of Regis University running without access to information technology services like phone lines, email, internet and online course programs, some employee computers are beginning recovery mode.
IT services on campus started visiting faculty and staff offices Tuesday to scan computers, install safeguards and begin monitoring each computer. The treated computers were not able to go online or get back up and running, but it was the start of a recovery process. Employees don’t need to be there for the IT experts to do their work, according, a web page the university created to communicate to students, staff and faculty in the absence of their usual platform.
Employees are instructed to not use or turn on their Regis-configured computers until cleared by ITS,” a post said. “To minimize risk, employees also are advised to not use Office365 and OneDrive until further notice. In the interim, employees may bring personal computers and hotspots for connectivity to work. [I can’t remember ever having seen anything like this. Bob]
A “malicious threat” likely from outside the country caused the private, religious institution to pull down its information technology services Thursday, during the rush of finals for summer courses and start of the fall semester.
University officials declined to say whether the situation at Regis was a ransomeware attack, saying the matter is still under investigation.

(Related) A cold assessment. I suspect it’s a money thing.
The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks
Even when public agencies and companies hit by ransomware could recover their files on their own, insurers prefer to pay the ransom. Why? The attacks are good for business.
… “Paying the ransom was a lot cheaper for the insurer,” he said. “Cyber insurance is what’s keeping ransomware alive today. It’s a perverted relationship. They will pay anything, as long as it is cheaper than the loss of revenue they have to cover otherwise.”
One cybersecurity company executive said his firm has been told by the FBI that hackers are specifically extorting American companies that they know have cyber insurance. After one small insurer highlighted the names of some of its cyber policyholders on its website, three of them were attacked by ransomware, Wosar said. Hackers could also identify insured targets from public filings; the Securities and Exchange Commission suggests that public companies consider reporting “insurance coverage relating to cybersecurity incidents.”

Is the best we can do: “Facebook approves this ad?”
Facebook to require buyers of political ads to provide more information about who paid for them
Facebook on Wednesday announced it would tighten some of its rules around political advertising ahead of the 2020 presidential election, requiring those who purchase ads touting candidates or promoting hot-button issues to provide more information about who actually paid for them.
The changes seek to address a number of well-documented incidents where users placed misleading or inaccurate disclaimers on ads, effectively undermining a system for election transparency that the tech giant built after Russian agents spread disinformation on the site during the 2016 race.
Facebook already requires that political advertisers verify their identities. Starting in September, though, the company will require buyers of so-called issue ads or advocates of a political candidate to include information about who is funding the ads. To satisfy Facebook’s new requirements, a business can submit their tax-identification number, or campaigns can share their own registration data from the Federal Election Commission, and Facebook will label them as a “confirmed organization” in its archive.

New tool for my students.
Move over VPN, SDP has arrived
… The power of the Software Defined Perimeter (SDP) is that it is designed to address the way we use the Internet and the technologies it enables. It does away with the encrypted tunnel and replaces it with dynamic, one-to-one, micro-segmented network connections between users and the resources they have authority to access. This provides security that supports the way businesses need to operate today.
SDP supports a Zero Trust model, which means that each time a user – be they human, IoT device, or AI programme – attempts to access a resource they will have to be authenticated and authorised, using multiple checks, before gaining network access. All other resources that users haven’t been authorised to access will remain invisible to them. This is in stark contrast to traditional VPNs where once someone has access to one part of the network they can see and gain access to everything, regardless of whether it’s relevant to them.

Still trying to figure it out. (Education by bad example.)
Terms, Conditions and Considerations Under the GDPR
In recent months European regulators have found fault with tech giants Facebook and Google’s terms and conditions, causing DPOs at smaller companies to be understandably worried.
The main challenge for DPOs is to ensure terms and conditions and privacy notices do not become mixed up explained Nymity Strategic Research Director, Paul Breitbarth. “Under the GDPR, they really need to be separate documents. Still too often, terms and conditions contain information about an organization’s data processing practices, which read more like liability waivers intended for lawyers. A privacy notice on the contrary needs to be concise and in clear and plain language, that the average person should be able to understand. So no legal speak (or worse: Eurospeak), no lengthy sentences with tons of exceptions, but just describing to the point what it is you intend to do with data,” he said.
In the Facebook case, the European Commission announced on April 9 that it had ordered the company to change its terms of service to explain clearly how the company makes money by selling user data. The new terms of service must state what data Facebook sells to third parties, including data brokers or ad exchanges, how it will respond to misuse of data by third parties, and under what conditions it can unilaterally change its terms.

Insights on Video Surveillance and Data Protection
From Fox Rothschild:
Shortly after the recent video surveillance guidance from the EDPB, the Information Commissioner of the Isle of Man published an updated CCTV data protection guidance.
Key takeaways for controllers:
General Considerations and Governance:
    • CCTV images identify living individuals and are, therefore, personal data. This means that the use of CCTV will be covered by data protection law, regardless of the size of the system or organization.
    • There must be a lawful reason for considering the use of CCTV, such as crime prevention and detection, health and safety of workers or the public, property security.
Read more on Privacy Compliance and Data Security

You can read that! You can’t even look at it!”
US border officials are increasingly denying entry to travelers over others’ social media
It’s a bizarre set of circumstances that has seen countless number of foreign nationals rejected from the U.S. after friends, family or even strangers send messages, images or videos over social media sites like Facebook and Twitter, and encrypted messaging apps like WhatsApp, which are then downloaded to the traveler’s phone.
The United States border is a bizarre space where U.S. law exists largely to benefit the immigration officials who decide whether or not to admit or deny entry to travelers, and few protect the travelers themselves. Both U.S. citizens and foreign nationals alike are subject to unwarranted searches and few rights to free speech, and many have limited access to legal counsel.
CBP also claims to have what critics say is broadly unconstitutional powers to search travelers’ phones — including those of U.S. citizens — at the border without needing a warrant. Last year, CBP searched 30,000 travelers’ devices — a four-times increase since 2015 — without any need for reasonable suspicion.

Now I can find out what “double secret probation” actually means!
Research Guides In Focus – How to Find Free Case Law Online
In Custodia Legis The following is a guest post by Anna Price, a legal reference librarian at the Law Library of Congress. We are back again to focus on the Law Library’s Research Guides. This time we are discussing another popular guide, How to Find Free Case Law Online. Until a few years ago, case law generally was not freely-available online. Researchers had to find an accessible law library and then either learn how to search a subscription database or study the library’s print collection of reporters and digests. Recently, however, various organizations have been working to make state and federal court opinions, as well as associated case materials, available electronically without charge. This guide offers clear direction on using those resources.
The guide walks users through some popular online databases, with a focus on Google Scholar, CourtListener, FindLaw, Justia, and the Public Library of Law. Each section instructs users on navigating the resource and lists its tools, coverage, and unique features that may be helpful for various researcher needs. For example, did you know that CourtListener maintains the RECAP Archive, which includes selected case and docket information from federal appellate, district, and bankruptcy courts? Or what about FindLaw’s collection of Supreme Court briefs?…”

Tuesday, August 27, 2019

Only three and a half years later and they are finally “planning” to do something? Note that what they plan is NOT a fix. Is it even mandatory?
Exclusive: U.S. officials fear ransomware attack against 2020 election
The U.S. government plans to launch a program in roughly one month that narrowly focuses on protecting voter registration databases and systems ahead of the 2020 presidential election.
These systems, which are widely used to validate the eligibility of voters before they cast ballots, were compromised in 2016 by Russian hackers seeking to collect information. Intelligence officials are concerned that foreign hackers in 2020 not only will target the databases but attempt to manipulate, disrupt or destroy the data, according to current and former U.S. officials.
“We assess these systems as high risk,” said a senior U.S. official, because they are one of the few pieces of election technology regularly connected to the Internet.
The Cybersecurity Infrastructure Security Agency, or CISA, a division of the Homeland Security Department, fears the databases could be targeted by ransomware
… CISA’s program will reach out to state election officials to prepare for such a ransomware scenario. It will provide educational material, remote computer penetration testing, and vulnerability scans as well as a list of recommendations on how to prevent and recover from ransomware.

By now my students are sick of my repetitious reiteration of the things I repeat a lot. Like the failure of government bureaucracies to fix security weaknesses they are told about.
It was sensitive data from a U.S. anti-terror program – and terrorists could have gotten to it for years, records show
The Department of Homeland Security stored sensitive data from the nation’s bioterrorism defense program on an insecure website where it was vulnerable to attacks by hackers for over a decade, according to government documents reviewed by The Times.
… The information — housed on a dot-org website run by a private contractor — has been moved behind a secure federal government firewall, and the website was shut down in May. But Homeland Security officials acknowledge they do not know whether hackers ever gained access to the data. [Unlike competent organizations. Bob]
… A security audit completed in January 2017 found “critical” and “high risk” vulnerabilities, including weak encryption that made the website “extremely prone” to online attacks. The audit concluded that there “does not seem to be any protective monitoring of the site,” according to a Homeland Security report summarizing the findings.
An inspector general’s report published later that year said sensitive information had been housed on the BioWatch portal since 2007 and was vulnerable to hackers.

Not just because Harvard says so (or because I teach Computer Security).

Bad economics? Would this hold true for any other crimes?
Just Enough’ Piracy Can Be a Good Thing

Be ye careful when displaying new clothes to professionals lest someone point out the lack of fabric. Note also that the lawsuit keeps your embarrassment in the news.
Company Sues Black Hat Conference Over Mocked Presentation
Crown Sterling advertises itself as “an emerging company in development of non-factor based dynamic encryption and innovative new developments in AI.” The company’s website does not provide any details about the company’s technology, TIME AI, but it has published a short presentation video and an 8-page paper.
The company paid $115,000 to be a gold sponsor at the 2019 Black Hat USA conference, which included an exhibition booth at the event and a sponsored talk. The presentation, titled “The 2019 Discovery of Quasi-Prime Numbers: What Does This Mean for Encryption?,” was held by Robert E. Grant, Crown Sterling founder and CEO.
Some of the individuals who attended the talk called out the company during its presentation over what has been described as “pseudoscience.”
Many individuals, including reputable experts, have ridiculed Crown Sterling on social media and pointed out errors in its claims, with some calling the company “frauds” and “snake oil vendors.” Following the incident, Black Hat organizers decided to remove any mention of the presentation from the event’s official website.

I must be getting the message across. One of my students tipped me to this story.
Facial recognition in schools leads to Sweden’s first GDPR fine
The Swedish Data Protection Authority (DPA) has served a municipality in northern Sweden the country’s first GDPR fine — amounting to almost €19,000 (200,000 SEK) — for using facial recognition technology to monitor the attendance of students in school.
The high school in SkellefteĆ„ conducted a pilot program last fall where the attendance of 22 students over a period of three weeks was taken with the help of facial recognition technology, instead of good ol’ fashioned roll call, according to Computer Sweden.
… The school failed to consult the Swedish DPA before launching its program and didn’t do a proper impact assessment.
… The school maintains it had its students’ consent, but the DPA found there was no valid legal basis for this as there’s a “clear imbalance between the data subject and the controller.”

Perspective. Some you know, some you might not. It’s what they’re doing that is most interesting.
10 Companies Using AI to Grow
According to Fortune Business Insights, the global AI (artificial intelligence) market in 2018 was $21 billion. It’s expected to grow 33% annually between 2019 and 2026 to $203 billion.

Something to amuse my students.