Saturday, November 09, 2019


Overreaction?
Ransomware forces New Mexico school district to scrub 30,000 devices
A New Mexico school district that had its systems infected by ransomware last month is now having to scrub the hard drives of about 30,000 devices, district officials announced Thursday.
At a news conference held by the Las Cruces Public School District on Thursday, Interim Superintendent Karen Trujillo said the cyberattack has kept the district’s 39 schools offline since the malware was detected on Oct. 29.
School officials said they did not engage with their attacker, Las Cruces Sun News reported, and so recovery will consist of reformatting the hard drives of thousands of desktop computers, laptops and other devices and then reinstalling operating systems.
The attack against Las Cruces is just one of 23 ransomware attacks on school districts in the U.S. since August.




Good luck, students.
State Privacy Laws Have the Potential to Haunt Industry
With less than two months until it goes into effect, many practitioners are focused on bringing their programs into compliance with the California Consumer Protection Act (“CCPA”) by January 1, 2020. But the rapid pace of privacy legal developments could continue next year. This past year, five states established studies or task forces to study privacy laws and report back to the legislature before their next session begins. Bills in Washington and Illinois passed one legislative chamber before failing, and their proponents have promised a renewed effort in 2020.
This is the first of a series of blog posts on what states other than California were considering to help you anticipate and prepare for 2020. In total, at least eighteen states considered comprehensive privacy bills this year. This initial blog post — on the heels of Halloween last week — focuses on some of those that are the scariest: bills in New York, Massachusetts, and Maryland.
The bill would create a “data fiduciary” concept that requires data controllers to exercise duties of care, loyalty and confidentiality. This would require controllers to “act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.”
Massachusetts SD 341 and Maryland’s Online Consumer Protection Act depart from the CCPA by allowing consumers to opt out of any disclosures to third parties – not just sales, but all disclosures, subject to limited exceptions.




It’s the nagging that we’ll hate most. “Bob, you really shouldn’t eat all that chocolate-covered bacon.”
Amazon’s roadmap for Alexa is scarier than anything Facebook or Twitter is doing
Rohit Prasad, the scientist in charge of Alexa’s development, recently gave MIT Technology Review’s Karen Hao one of the most terrifying interviews in modern journalism. We know how dangerous it is to let bad actors run amok with AI and our data – if you need a refresher, recall the Cambridge Analytica scandal.
… Hao writes:
Speaking with MIT Technology Review, Rohit Prasad, Alexa’s head scientist, has now revealed further details about where Alexa is headed next. The crux of the plan is for the voice assistant to move from passive to proactive interactions. Rather than wait for and respond to requests, Alexa will anticipate what the user might want. The idea is to turn Alexa into an omnipresent companion that actively shapes and orchestrates your life. This will require Alexa to get to know you better than ever before.




You can’t always read everything at one sitting.



Friday, November 08, 2019


I think we are starting to get a picture of behaviors OCR will not tolerate.
OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations
On June 11, 2015, DADS filed a breach report with OCR stating that the electronic protected health information (ePHI) of 6,617 individuals was viewable over the internet, including names, addresses, social security numbers, and treatment information. The breach occurred when an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access to ePHI without access credentials. OCR's investigation determined that, in addition to the impermissible disclosure, DADS failed to conduct an enterprise-wide risk analysis, and implement access and audit controls on its information systems and applications as required by the HIPAA Security Rule. Because of inadequate audit controls, DADS was unable to determine how many unauthorized persons accessed individuals' ePHI.
"Covered entities need to know who can access protected health information in their custody at all times," said OCR Director Roger Severino.




Perspective. Census.gov estimates the US population at 330 million. DHS would have only 78% of that.
DHS will have comprehensive biometric data on more than 250 million people
The U.S. Department of Homeland Security (DHS) expects to have face, fingerprint, and iris scans of at least 259 million people [Quartz – paywall] in its biometrics database by 2022, according to a recent presentation from the agency’s Office of Procurement Operations reviewed by Quartz. From the report: That’s about 40 million more than the agency’s 2017 projections, which estimated 220 million unique identities by 2022, according to previous figures cited by the Electronic Frontier Foundation (EFF), a San Francisco-based privacy rights nonprofit.
A slide deck, shared with attendees at an Oct. 30 DHS industry day, includes a breakdown of what its systems currently contain, as well as an estimate of what the next few years will bring. The agency is transitioning from a legacy system called IDENT to a cloud-based system (hosted by Amazon Web Services) known as Homeland Advanced Recognition Technology, or HART. The biometrics collection maintained by DHS is the world’s second-largest, behind only India’s countrywide biometric ID network in size. The traveler data kept by DHS is shared with other U.S. agencies, state and local law enforcement, as well as foreign governments…




Didn’t they agree this would be fair? (Why else allow it?) But if the outcome is not as they expected, perhaps that’s because they (and I include Google) don’t understand the industry?
EU's Vestager says Google's antitrust proposal not helping shopping rivals
Alphabet unit Google’s proposal to create a level playing field for price comparison shopping rivals to stave off fresh fines has not led to more traffic for its competitors, Europe’s antitrust chief said on Thursday.
European Competition Commissioner Margrethe Vestager two years ago slapped Google with a 2.4-billion-euro ($2.65 billion) fine for favoring its own price comparison shopping service and told it to stop its anti-competitive business practices.
The world’s most popular internet search engine subsequently offered to allow competitors to bid for advertising space at the top of a search page, giving them the chance to compete on equal terms.




Perspective. Is this the new minimum offer?
This State’s 50-Year Bet on Big Tech Could Cost Hundreds of Millions of Dollars
… a new law he helped pass, which eliminates sales taxes for an unprecedented five decades for a company that commits at least $750 million to a data center in his state.
Although finished data centers provide relatively few jobs, a construction boom is an attractive prospect in parts of the deindustrializing Midwest with few alternatives. Facebook has said it would spend $16 billion on data centers in 2019 alone; Google, $13 billion, and Apple, $4.5 billion. Together, these three companies, plus Microsoft and Amazon, accounted for the bulk of the $119 billion invested in data centers worldwide last year, according to Synergy Research Group.
In Indiana, where the state sales tax is 7%, the new law guarantees at least $70 million in savings to a company that commits to building a $1 billion facility. The law also waives taxes on electricity use, worth additional millions in savings, and municipalities are certain to add further incentives as they bid against one another.




I expect “safe living” Apps, like those “safe driving” Apps insurance companies offer. And for the same reason. If they can confirm that you will cost them 50% less than the average insured, they will happily reduce your premium by 25%.
How Entrepreneurs Can Take on the Future of Aging Using Artificial Intelligence
Thanks to daily advances in healthcare technology, people are living longer and longer. As a nation, we're nearing a historic first: It is predicted by the year 2034 that there will be more people over the age of 65 than people under the age of 18.




When highways are limited to self-driving cars, will you be willing to retrofit your 1926 Bugatti in order to drive on them?
Ghost raises $63.7 million to develop an aftermarket kit that gives cars self-driving capabilities
… Ghost today emerged from stealth after spending two years and change developing an aftermarket self-driving kit to retrofit existing cars. It has raised $63.7 million in capital to date from Founders Fund’s Keith Rabois, Khosla Ventures’ Vinod Khosla, and Sutter Hill Ventures’ Mike Speiser, and it’s promising compatibility with 20 “popular” car models from 2012 onward when its product launches next year.




Perhaps something for my next presentation rubric?
Get Instant Feedback on Your Presentations With Presenter Coach
Presenter Coach is found in the online version of PowerPoint that anyone can use with a free Microsoft account. Presenter Coach will give you feedback on the pacing of your presentations, your use of filler words, and your use of sensitive phrases. In the following video I demonstrate how to use Presenter Coach in PowerPoint.



Thursday, November 07, 2019


I could have my students do this, but with more moderate language.
This Website Has Solved Cybersecurity
A new parody website generates random excuses to explain why companies got hacked and apologize to their users.
Big companies that hold our personal data get hacked almost every day, but most don’t really know how to deal with getting hacked, especially when it comes to telling users what happened. If you’ve read some data breach disclosures or notices, you know the classic “we take your privacy and security seriously”—truly the “thoughts and prayers” of cybersecurity. No matter how bad the hack is, companies always have an excuse.
Luckily, there’s now a website that automatically generates more original, and entertaining, apologies you can use if your company gets hacked. It’s called “Why the fuck was I breached?” and its excuse generating algorithm spills out truly hilarious excuses.


(Related)
We Need a Global Standard for Reporting Cyber Attacks
Cyber threats are a seemingly impossible challenge. By their very nature — fast-changing, borderless, asymmetric — they’re ridiculously difficult to predict and manage. No wonder the World Economic Forum has once again placed cybersecurity near the top of its latest list of global risks. Indeed, conventional wisdom holds that it’s only a matter of time before your organization is the target of a cyberattack. And while we agree with Andy Bochman, a senior cybersecurity analyst at the Idaho National Lab, that “no amount of spending on defenses will shield you completely from hackers,” we contend that you can shore up your defenses to substantially mitigate the risk.
In this article, we focus on the main challenge in managing cybersecurity: the data gap. Very little cyber data is broadly available, making it difficult to objectively evaluate the potential impact of incidents. Through our work with stakeholders across regions and industries, we propose an approach to identifying what to measure, how to capture the required data, and how to make it useful.




A collection of Best Practices.
CISA RELEASES CYBER ESSENTIALS FOR SMALL BUSINESSES AND GOVERNMENTS
“When it comes to collective defense, we are only as strong as our weakest link, which is why CISA is committed to raising the bar in cybersecurity across all companies and government, regardless of their size,” said CISA Director Christopher Krebs. “Cyber Essentials are designed for those small businesses and local governments who don’t have abundant resources – where the CEO is also the chief information officer, head of marketing and HR – who are looking for where to start. This is a set of cybersecurity practices that are easy to adopt and understand and together constitute ‘the basics.’”
Each of the six Cyber Essentials includes a list of actionable items anyone can take to reduce cyber risks. These are:
  • Drive cybersecurity strategy, investment and culture;
  • Develop heightened level of security awareness and vigilance;
  • Protect critical assets and applications;
  • Ensure only those who belong on your digital workplace have access;
  • Make backups and avoid loss of info critical to operations; and
  • Limit damage and restore normal operations quickly.
To learn more about the Cyber Essentials, visit www.CISA.gov/cyber-essentials.




Privacy by design...
Spanish DPA Publishes Guide for Satisfying PbD Obligation
On October 17, the Spanish data protection authority (AEPD) published the Guide to Privacy by Design (Guide). While Privacy by Design (PbD) first became a legal requirement in the EU with implementation of the General Data Protection Regulation (GDPR), it is a well-known concept among privacy professionals that dates back to the 1990s.


(Related) ...could save you millions!
Real estate company fined € 14.5 million in Germany for violating GDPR principle of privacy by design
On October 30, 2019, the supervisory authority (“SA”) of Berlin issued a € 14.5 million fine against the real estate company Deutsche Wohnen SE for storing personal data of tenants without a legal basis (Art. 6 GDPR) and for not implementing the GDPR principle of privacy by design (Art. 5 and 25(1) GDPR) (press release here in German). It is the highest GDPR fine imposed so far in Germany.




I eagerly await the results!
NAB, CBA, Telstra, and Microsoft to test Australian government AI ethics principles
National Australia Bank, Commonwealth Bank, Telstra, Microsoft, and Flamingo AI have put their hands up to be the first businesses to test run the federal government's newly announced artificial intelligence (AI) ethics principles, Minister for Industry, Science and Technology Karen Andrews has announced.
The federal government said the businesses will voluntarily trial a series of eight AI principles that have been developed as part of the national AI ethics framework to ensure the principles can be translated into real world scenarios.
The eight ethics principles that have been developed for the framework include: human, social and environmental wellbeing; human-centred values in respect to human rights, diversity, and the autonomy of individuals; fairness; privacy protection and security of data; reliability and safety in accordance with the intended purpose of the AI systems; transparency and explainability; contestability; and accountability.
The ethics principles were developed following the release of a discussion paper earlier this year by Data61, the digital innovation arm of the Commonwealth Scientific and Industrial Research Organisation (CSIRO).




What do they see?
Xerox has made a cash-and-stock offer for HP, sources say
Xerox, which makes printers and copiers, has a market cap of $8.05 billion, less than a third of HP’s $27.27 billion market value.



Wednesday, November 06, 2019



“If you build it, they will come...” ...to the hacker’s field of dreams!
THE BIG BITCOIN HEIST
With its cheap geothermal energy and low crime rate, Iceland has become the world’s leading miner of digital currency. Then the crypto-crooks showed up.




Screwing with the stock market should result in a quick response. Wouldn’t Robinhood have to make good?
‘Infinite leverage’ — some Robinhood users have been trading with unlimited borrowed money
Some Robinhood users have been manipulating the stock-trading app to trade with what they’re calling “infinite leverage.”
The cheat code was being shared on social media site Reddit, with one trader claiming he took a $1,000,000 position in stock using only a $4,000 deposit. Through Robinhood Gold, the start-up’s subscription service, users can borrow money from the company to make trades. The backdoor was essentially free money and was being called “infinite leverage” and the “infinite money cheat code” by Reddit users who discovered it.




Done right, this could work here. “Click here for ways to be excused”
Phishing campaign delivers data-stealing malware via fake court summons emails
Emails claiming to be from the UK Ministry of Justice are targeting employees of insurance and retail companies. But the cyber criminals haven't done their homework.




For the Security toolkit.
Experts: Don't reboot your computer after you've been infected with ransomware
Rebooting may lead to restarting a crashed file-encryption process and to the potential loss of encryption keys stored in memory.




I thought this would happen. (Perhaps the President could create a “Cyberspace Force?”)
The National Guard’s new job? Dealing with ransomware
"Look at the ransomware attacks in places like Louisiana and Texas and Montana and the governors calling up the Guard to be able to do this,” Gen. Paul Nakasone, the head of U.S. Cyber Command said in September. “This is a new venue, this is a new capability, this is a new possibility for what we’re doing to build this capacity.”




Would this logic extend to IoT devices?
Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement
URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. OCR's investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC's own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.
"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," said Roger Severino, OCR Director. "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."




Requiring Police drones?
Drones Used in Crime Fly Under the Law’s Radar
The New York Times – “Drones are increasingly being used by criminals across the country, and local law enforcement agencies are often powerless to stop them…Drones pose novel and difficult problems for law enforcement. They are widely available, lightly regulated and can be flown remotely by an operator far away from the crime scene. They have already been put to a host of nefarious uses, from smuggling contraband into prisons to swarming F.B.I. agents who were preparing for a raid. And local and state authorities are restricted by federal law from intercepting drones in flight, potentially even when a crime is in progress, though experts say that has yet to be tested in court. “The use of drones by criminal groups is appealing in part because drones are harder to catch,” said Arthur Holland Michel, co-director of the Center for the Study of the Drone at Bard College. “They create all kinds of headaches for law enforcement.”…”




A “model” warrant?
‘Game-Changer’ Warrant Let Detective Search Genetic Database
Privacy experts say it could set a precedent, opening up all consumer DNA sites to law enforcement agencies across the country.
For police officers around the country, the genetic profiles that 20 million people have uploaded to consumer DNA sites represent a tantalizing resource that could be used to solve cases both new and cold. But for years, the vast majority of the data have been off limits to investigators. The two largest sites, Ancestry.com and 23andMe, have long pledged to keep their users’ genetic information private, and a smaller one, GEDmatch, severely restricted police access to its records this year.
Last week, however, a Florida detective announced at a police convention that he had obtained a warrant to penetrate GEDmatch and search its full database of nearly one million users. Legal experts said that this appeared to be the first time a judge had approved such a warrant, and that the development could have profound implications for genetic privacy.
Like many others in law enforcement, Detective Michael Fields of the Orlando Police Department was disappointed by GEDmatch’s policy shift. He had used the site last year to identify a suspect in the 2001 murder of a 25-year-old woman that he had spent six years trying to solve. Today, working with a forensic consulting firm, Parabon, Detective Fields is trying to solve the case of a serial rapist who assaulted a number of women decades ago.
In July, he asked a judge in the Ninth Judicial Circuit Court of Florida to approve a warrant that would let him override the privacy settings of GEDmatch’s users and search the site’s full database of 1.2 million users. After Judge Patricia Strowbridge agreed, Detective Fields said in an interview, the site complied within 24 hours. He said that some leads had emerged, but that he had yet to make an arrest. He declined to share the warrant or say how it was worded.




Horse droppings! Jaywalkers are just a subset of “Something in the road – don’t hit it.”
Self-Driving Uber in Crash Wasn’t Programmed to Spot Jaywalkers
Uber Technologies Inc.’s self-driving test car that struck and killed a pedestrian last year wasn’t programmed to recognize and react to jaywalkers, according to documents released by U.S. safety investigators.
The U.S. National Transportation Safety Board on Tuesday released more than 400 pages of reports and supporting documents on the March 2018 crash that killed 49-year-old Elaine Herzberg as she walked her bicycle across a road at night in Tempe, Arizona.
The Uber vehicle’s radar sensors first observed Herzberg about 5.6 seconds prior to impact before she entered the vehicle’s lane of travel, and initially classified her as a vehicle. But the system changed its classification of her as different objects several times and failed to predict that her path would cross the lane of the self-driving test SUV, according to the NTSB.




Would the US counter Russia (et al) with our own propaganda? Is President Trump just ahead of the curve?
Freedom on the Net 2019 The Crisis of Social Media
Freedom House – “Governments around the world are increasingly using social media to manipulate elections and monitor their citizens, tilting the technology toward digital authoritarianism. As a result of these trends, global internet freedom declined for the ninth consecutive year, according to Freedom on the Net 2019, the latest edition of the annual country-by-country assessment of internet freedom, released today by Freedom House. Adding to the problem of meddling by foreign regimes, a new menace to democracy has risen from within, as populist leaders and their armies of online supporters seek to distort politics at home. Domestic election interference marred the online landscape in 26 of the 30 countries studied that held national votes over the past year. Disinformation was the most commonly used tactic. Authorities in some countries blocked websites or cut off access to the internet in a desperate bid to cling to power.
“Many governments are finding that on social media, propaganda works better than censorship,” said Mike Abramowitz, president of Freedom House. “Authoritarians and populists around the globe are exploiting both human nature and computer algorithms to conquer the ballot box, running roughshod over rules designed to ensure free and fair elections.” Governments from across the democratic spectrum are indiscriminately monitoring citizens’ online behavior to identify perceived threats—and in some cases to silence opposition. Freedom House has found evidence of advanced social media surveillance programs in at least 40 of the 65 countries analyzed.”




Not sure I’ve convinced my students this is true.
GDPR Is More Than a Legislation, It’s a Cultural Shift
The General Data Protection Regulation (GDPR) marked a stake in the ground when it comes to data privacy, redefining our understanding of the value of the data organizations hold on us as citizens as well as what should be done to protect it. The legislation has been in effect for more than a year. The fines generated under it are not only reaching high sums but the frequency of organizations being fined is also on the rise, from tech industry giants, such as Google, which was hit with a 50 million euro fine by the French government for lacking sufficient transparency in some data gathering practices (the company is appealing), to smaller more specific violations, such as a Polish data processing firm which faced a 220,000 euro penalty for dubious marketing initiatives. Other instances are even more emotive, with a Portuguese hospital being fined 400,000 euros for allowing its staff to illegally access patient records. Most recently we’ve seen British Airways hit with a £183 million fine and Marriott nearly £100 million from the Information Commissioner’s Office (ICO).
Taking measures to comply with GDPR is extremely important and should be considered as a best practice minimum, regardless of whether EU citizen data is being handled. Going one step further, however, is to embrace the cultural shift towards data privacy that GDPR embodies, and there are a number of advantages to doing this.




Personal toolkit. I’m sure this would not work on any other ebooks. (wink, wink)




A new version for your phone.
… it’s now available to try for free in public preview on both Android and iOS.
… Anyone who has already used any of these Office apps will recognize them immediately. It’s just that Microsoft has squeezed them into a single app.



Tuesday, November 05, 2019


They keep getting bigger!
Nikkei worker tricked into transferring $29 million into scammer’s bank account
In a press release, the largest independent business media group in Asia which lends its name to Japan’s leading stock index, revealed that an employee of its American subsidiary had been fooled into transferring the money into a bank account after a fraudster posed as a Nikkei management executive.




Because my students missed this one. (Would I get rich if I developed an “Alexa, create an alibi” skill?)
Police turn to Alexa in murder case
In brief: Not for the first time, police are turning to Amazon’s digital assistant Alexa in the hope of solving a murder.
The victim in question was 32-year-old Silvia Galva. Her boyfriend, 43-year-old Reechard Crespo, claims the death was an accident that occurred as the two engaged in a physical altercation. He says the pair were having an argument, and Crespo was trying to drag her off his bed. Galva grabbed a spear with a 12-inch blade in an attempt to stop herself being pulled, but the spear broke and impaled her in her chest. Crespo pulled the blade out in an alleged attempt to save her, but Galva died.
According to the Sun Sentinel, police obtained a search warrant for anything recorded on the two Alexa-powered devices found in the apartment.


(Related)
Amazon wants Alexa to run your life. First, it must know everything about you


(Related) Not to be outdone, Microsoft is pushing Cortana to new tools.
Microsoft is building Cortana into Outlook as an AI that helps you stay productive




This seems obvious to us computer auditors.
Why Audits Are the Way Forward for AI Governance
When organizations use algorithms to make decisions, biases built into the underlying data create not just challenges but also engender enormous risk. What should companies do to manage such risks? The way forward is to conduct artificial intelligence (AI) audits, according to this opinion piece by Kartik Hosanagar, a Wharton professor of operations, information and decisions who studies technology and the digital economy. This column is based on ideas from his book, A Human’s Guide to Machine Intelligence.
An audit process would begin with the creation of an inventory of all machine learning models being employed at a company, the specific uses of such models, names of the developers and business owners of models, and risk ratings — measuring, for example, the social or financial risks that would come into play should a model fail — which, in turn, might help determine the need for an audit. Were a model audit to go forward, it would evaluate the inputs (training data), model, and the outputs of the model. Training data would need to be evaluated for data quality as well as for potential biases hidden in the data.




Important changes, but not revolutionary?
Microsoft beefs up Word, Excel, and Outlook with machine learning
A preview of Ideas in Word for the web is rolling out for Office 365 commercial users. It’s an AI-powered proofreader that taps natural language processing and machine learning to deliver intelligent, contextually aware suggestions that could improve a document’s readability. For instance, Ideas in Word will recommend ways to make phrases more concise, clear, and inclusive. And when Ideas in Word comes across a particularly tricky snippet, it will put forward synonyms and alternative phrasings, like “society” as a substitute for “society as a whole.”




For the Reference Shelf.
Blockchain: What Information Professionals Need to Know
Via LLRX – Blockchain: What Information Professionals Need to Know – Anna Irvin, Ph.D. and Janice E. Henderson, Esq. presented this comprehensive 64 page guide at the LLAGNY Education Committee Program on October 15, 2019. The guide is a multidisciplinary resource that includes: articles from law, business and finance journals, CLE programs/materials, smart contracts, Westlaw and Practical Law citations, sources on the impact of blockchain on the U.S. government and the international regulatory landscape, as well as all states with blockchain and cybersecurity laws (introduced, pending and failed).