Saturday, January 25, 2020

The Phishing is good!
Hackers Stole $10.5 Million From Richardson Company: Feds
Hackers stole $10.5 million from a Richardson real estate software company with the help of “money mules” – dozens of Americans who unwittingly accepted fraudulent money into their accounts, transferred it to those behind the scheme, and kept a cut for themselves, according to court documents.
The company, RealPage, contacted the Dallas office of the U.S. Secret Service about a computer intrusion in May 2018 after hackers, possibly from Nigeria, obtained the login credentials of an employee and accessed the company’s online financial accounts, according to a summary of the investigation included in a federal seizure document.
… It took RealPage 20 days to realize that hackers had gained access to its computer network through a phishing attack after an employee clicked on an email that appeared to be legitimate, the agent said.

Clearview is “over promoting” itself, is New Jersey overreacting?
New Jersey Bars Police From Using Clearview Facial Recognition App
New Jersey police officers are now barred from using a facial recognition app made by a start-up that has licensed its groundbreaking technology to hundreds of law enforcement agencies around the country.
Gurbir S. Grewal, New Jersey’s attorney general, told state prosecutors in all 21 counties on Friday that police officers should stop using the Clearview AI app.
… “Until this week, I had not heard of Clearview AI,” Mr. Grewal said in an interview. “I was troubled. The reporting raised questions about data privacy, about cybersecurity, about law enforcement security, about the integrity of our investigations.”
In a promotional video posted to its website this week, Clearview included images of Mr. Grewal because the company said its app had played a role last year in Operation Open Door, a New Jersey police sting that led to the arrest of 19 people accused of being child predators.
“I was surprised they used my image and the office to promote the product online,” said Mr. Grewal, who confirmed that Clearview’s app had been used to identify one of the people in the sting. “I was troubled they were sharing information about ongoing criminal prosecutions.”
Mr. Grewal’s office sent Clearview a cease-and-desist letter that asked the company to stop using the office and its investigations to promote its products.

(Related) Several backgrounder articles…
Facial Recognition
The controversial and nearly ever-present technology that could replace the fingerprint

Opinion | We’re Banning Facial Recognition. We’re Missing the Point.
Communities across the United States are starting to ban facial recognition technologies. In May of last year, San Francisco banned facial recognition; the neighboring city of Oakland soon followed, as did Somerville and Brookline in Massachusetts (a statewide ban may follow). In December, San Diego suspended a facial recognition program in advance of a new statewide law, which declared it illegal, coming into effect. Forty major music festivals pledged not to use the technology, and activists are calling for a nationwide ban. Many Democratic presidential candidates support at least a partial ban on the technology.
These efforts are well intentioned, but facial recognition bans are the wrong way to fight against modern surveillance. Focusing on one particular identification method misconstrues the nature of the surveillance society we’re in the process of building. Ubiquitous mass surveillance is increasingly the norm. In countries like China, a surveillance infrastructure is being built by the government for social control. In countries like the United States, it’s being built by corporations in order to influence our buying behavior, and is incidentally used by the government.
In all cases, modern mass surveillance has three broad components: identification, correlation and discrimination. Let’s take them in turn.

A debate my students’ grandchildren will continue?
The battle for ethical AI at the world’s biggest machine-learning conference
Diversity and inclusion took centre stage at one of the world’s major artificial-intelligence (AI) conferences in 2018. But once a meeting with a controversial reputation, last month’s Neural Information Processing Systems (NeurIPS) conference in Vancouver, Canada, saw attention shift to another big issue in the field: ethics.
The focus comes as AI research increasingly deals with ethical controversies surrounding the application of its technologies — such as in predictive policing or facial recognition. Issues include tackling biases in algorithms that reflect existing patterns of discrimination in data, and avoiding affecting already vulnerable populations.
AI Now goes a step further: in a report published last month, it called for all machine-learning research papers to include a section on societal harms, as well as the provenance of their data sets.

For my students.
Takeaways from the Understanding Machine Learning Masterclass
The slides are available for download here. Attendees also received a copy of FPF’s Privacy Expert’s Guide to Artificial Intelligence and Machine Learning, a guide that explains the technological basics of AI and ML systems at a level of understanding useful for non-programmers, and addresses certain privacy challenges associated with the implementation of new and existing ML-based products and services.

AI in the world.
An AI Epidemiologist Sent the First Warnings of the Wuhan Virus
On January 9, the World Health Organization notified the public of a flu-like outbreak in China: a cluster of pneumonia cases had been reported in Wuhan, possibly from vendors’ exposure to live animals at the Huanan Seafood Market. The US Centers for Disease Control and Prevention had gotten the word out a few days earlier, on January 6. But a Canadian health monitoring platform had beaten them both to the punch, sending word of the outbreak to its customers on December 31.
BlueDot uses an AI-driven algorithm that scours foreign-language news reports, animal and plant disease networks, and official proclamations to give its clients advance warning to avoid danger zones like Wuhan.
Khan says the algorithm doesn’t use social media postings because that data is too messy.

Is it too early or too late?
Investing in AI: A Beginner's Guide
Artificial intelligence is on track to be a truly revolutionary technology. Here's what investors need to know.

Friday, January 24, 2020

Curious. I wonder if a new Marvel superhero is behind this?
Someone is uninstalling the Phorpiex malware from infected PCs and telling users to install an antivirus
Malware analysts believe someone has hijacked the Phorpiex botnet from its creator and is sabotaging its operations by alerting users they've been infected.
A mysterious entity appears to have hijacked the backend infrastructure of the Phorpiex (Trik) botnet and is uninstalling the spam-bot malware from infected hosts, while also showing a popup telling users to install an antivirus and update their computers, ZDNet has learned.
The popups have started appearing on users' screens today, early morning, US Eastern time, and have been spotted by the research team at antivirus vendor Check Point.
Initially, ZDNet and others thought this was a prank coded inside the malware by the Phorpiex team for the purpose of trolling security researchers analyzing the malware.
However, as the hours passed, it became clear that this was actually taking place on customer systems, in the real world, and was not just a popup that was appearing in virtual machines used as malware analysis sandboxes.
… Balmas listed several theories as to what could have happened -- such as the malware operators deciding to quit and shut down the botnet on their own terms, a law enforcement action, a vigilante security researcher taking matters into his own hands, or a rival malware gang sabotaging the Phorpiex crew by destroying their botnet.

I haven’t found any suggestion of why they were down. Does this suggest that everything goes through a ‘single point of failure?’
Comcast experienced a nationwide internet outage on Thursday
Philadelphia-based cable and internet giant Comcast has resolved a nationwide internet outage that disrupted service on Thursday afternoon.
Customer reports of the outage surfaced around 2 p.m. and skyrocketed shortly afterward, according to
By 3:15 p.m., there was a significant drop in reports of ongoing issues.
A Comcast spokeswoman said all residential services were back online as of 4 p.m.

GDPR evolving because of AI?
EU Parliament Calls For More Consumer Protection In AI, Automation
Parliament’s Internal Market and Consumer Protection Committee issued a resolution Thursday (Jan. 23) that will put rules into place to address the challenges of fast-developing artificial intelligence and automated decision-making technology.
The committee said citizens should always be adequately informed about both kinds of technology, including how to reach a human with decision-making powers and about how the tech’s decisions can be questioned or corrected.
Under the new rules, any system utilizing AI or ADM technology should use only the highest-quality, unbiased sets of data and there should be review systems set up so that any mistakes can be corrected. The committee said it should also be possible at all times to speak with human representatives to review the decisions made by AI or ADM.
The committee said that humans must “ultimately be responsible” for AI and ADM processes, particularly in fields such as medical, legal and accounting.
The committee also warned that AI and ADM technology would evolve over time and so the regulations may have to be updated.

Implications for both Computer Security and Architecture.
Disruption 2.0: How IoT And AI Are Breaking Up The Business World
IoT solves the problem of digitizing the physical world and turning physical attributes into digital bits and bytes. AI solves the problem of making sense of large amounts of data and turning this data into actions.
At their core, IoT devices are physical assets with sensors. These sensors capture data, and this data needs to convert to business value. The term IoT, as I detailed in my previous posts, doesn't quite describe this process. A name that better describes this process is “Data Capturing Assets”.
The data enabling AIoT, Intelligent Automation, and Disruption 2.0 is within the core of companies. The more of their data companies utilize, and the more insights they gain, the more influential the outcomes of Intelligent Automation will be.
This ability to do things better via better Intelligent Automation, utilization, optimization, and personalization will force businesses to redefine how they operate. Companies who will not seize this opportunity will cease to exist. They will become uncompetitive.

Any chance this could be more than a collection of guesses?
Report predicts 69% of managers' routine work will be completely automated by 2024
"Currently, managers spend time filling in forms, updating information and approving workflows. By using AI to automate these tasks, they can spend less time managing transactions and can invest more time on learning, performance management and goal setting."
AI will influence the office, but the level at which it does will be based on new tech advances, organizational readiness to exploit, and worker attitudes, the report, "Predicts 2020: AI and the Future of Work," found. Because managers are invariably privy to planned tech changes, where and when the company stands in adopting the tech, and the in-office environment, their presence in a supervisorial capacity is essential.

An AI resource?
Discovering millions of datasets on the web
Google Blog: “Across the web, there are millions of datasets about nearly any subject that interests you. If you’re looking to buy a puppy, you could find datasets compiling complaints of puppy buyers or studies on puppy cognition. Or if you like skiing, you could find data on revenue of ski resorts or injury rates and participation numbers. Dataset Search has indexed almost 25 million of these datasets, giving you a single place to search for datasets and find links to where the data is. Over the past year, people have tried it out and provided feedback, and now Dataset Search is officially out of beta…”

Collecting handouts for my students.
Book Creator Adds New Accessibility Features
Book Creator is a tool that I have been using and recommending for years for making multimedia ebooks. You can use it as an iPad app or in your web browser. This week Book Creator announced that it now works in Microsoft Edge as well as Chrome and Safari. That's not the only product enhancement Book Creator released this week.
Some of the other Book Creator enhancements made this week include support for dictation in 120 languages, auto-generating captions on videos, and auto transcription of audio recordings. Automatic captioning of videos can be activated for videos that are recorded directly through the Book Creator app as well as videos that are uploaded to Book Creator pages. Likewise, automatic transcription of audio can be activated for files recorded directly in Book Creator as well as files that are added from external sources. Captions and transcripts are available in 120 languages.

For my students.
How to Customize Your LinkedIn Feed

I stand corrected.

Thursday, January 23, 2020

A trend(?) away from ‘proof of harm’?
PA Bill Tracker: Allowing victims of data breaches to sue companies that didn’t secure information
Daniel Walmer reports on a bill proposed in the Pennsylvania legislature:
House Bill 1010, introduced by Solomon, would change that. Under the bill, victims of data breaches could sue for $5,000 per violation or more if their actual losses were more than $5,000. The attorney general’s office can also seek civil penalties up to $10,000.
The bill would also require organizations to take “reasonable measures” to secure personal identification information. If they suffer a data breach, they would be required to notify affected customers “without unreasonable delay.” A delay of up to three days is permitted only if requested by law enforcement.
“Our personal information is at risk. Countless incidents over the past few years have laid this fact bare,” Solomon wrote in a co-sponsorship memo. “We need to do more to defend Pennsylvanians’ private, personal information from falling into the wrong hands.”
The personal information protected by House Bill 1010 would include Social Security numbers, driver’s license numbers, financial account and credit card numbers, and medical information.
Read more on The Sentinel. This is one of the stronger bills that I’ve seen proposed and you may want to read all of its language.

Contrast with the FBI’s fight against encryption.
Tech policy think tanks write to govt urging stronger encryption to strengthen cyber security in India
Technology policy think tanks and digital freedom advocates have written to the National Security Council Secretariat urging stronger encryption requirements, improved breach disclosure norms and use of open-source software while encouraging free flow of data across borders, as part of suggestions to strengthen cyber security in India.

Weakening Encryption Could Impact Election Security, Coalition Says
An election security group said the Justice Department’s renewed calls for access to encrypted data could impact more than privacy.

Exclusive: U.S. Cops Have Wide Access to Phone Cracking Software, New Documents Reveal
While the FBI requests ‘backdoor’ iPhone access, documents indicate law enforcement already has easy access to encrypted devices

Inside the $10 million cyber lab trying to break Apple’s iPhone
The Trump administration wants Apple to create a backdoor into the iPhone. District Attorney Cy Vance Jr. has spent millions trying to find other ways in.

We can’t secure dedicated voting machines. Can this be made to work?
Exclusive: Seattle-Area Voters To Vote By Smartphone In 1st For U.S. Elections
The King Conservation District, a state environmental agency that encompasses Seattle and more than 30 other cities, is scheduled to detail the plan at a news conference on Wednesday. About 1.2 million eligible voters could take part.
The new technology will be used for a board of supervisors election, and ballots will be accepted from Wednesday through election day on Feb. 11.

For my Architecture students.
How Leading Organizations Are Getting the Most Value From IT
Many of the most consequential investment decisions facing CEOs today are technology-related. That wasn’t the case a few years ago. But now every company is in effect a technology company, and every CEO a tech CEO. With every major technology choice representing a vital business decision, “good enough” decisions are anything but.
That’s what we are finding as we continue to analyze the technology decisions of more than 8,300 companies across 20 industries in 20 countries, in what we believe is the largest study to date of enterprise systems. This work also includes responses from nearly 900 CEOs across the globe.
Our initial comparisons found that the top 10% of these companies in terms of their levels of technology adoption, technology penetration, and organizational change are achieving levels of revenue growth that are double those of the bottom 25%, which constitute the technology laggards. These leaders also grow revenues more than 50% faster than the middle 20% of the companies we studied.

The good, the bad, and stuff we better learn more about.
AI, automation emerge as critical tools for cybersecurity
Artificial intelligence and automation adoption rates are rising, and investment plans are high on enterprise radars. AI is in pilots or use at 41% of companies, with another 42% actively researching it, according to the 2019 IDG Digital Business Study.
… “The volume of data being generated is perhaps the largest challenge in cybersecurity,” says David Mytton, CTO and expert in residence, Seedcamp. “As more and more systems become instrumented — who has logged in and when, what was downloaded and when, what was accessed and when — the problem shifts from knowing that ‘something’ has happened, to highlighting that ‘something unusual’ has happened.”

I better get busy, I’ve only read one of these.
7 books to read right now if you want to become the ultimate authority on artificial intelligence
Companies like Walmart, JPMorgan Chase, and AB InBev are using the advanced tech to overhaul operations in the hopes it will free up workers to focus on the more critical aspects of their jobs and lead to significant cost-savings over the next several years.
To support this push, many organizations are spending significantly to train their employees on AI and other new digital tools. Earlier this month, for example, Nationwide said it would spend $160 million over five years to train all its employees on the technology, among other reskilling efforts.

Looks like they are missing a few airports, but potentially useful.
Find the WiFi Password For Almost Any Airport Lounge Using This Free Map
LifeHacker: “Fortunately, we’re at a point where most of the airports in the United States offer free WiFi in some form. Yes, sometimes you have to watch an ad to get there, but it’s there. That said, sometimes you end up at an airport that doesn’t have WiFi, or one that has free WiFi that’s restricted by a time limit. For times like those, the WiFox Google Map can help. With it, you can search for any airport in the world and see how to connect to the WiFi there…”

Wednesday, January 22, 2020

Why I teach encryption.
Joseph Menn reports:
Apple Inc dropped plans to let iPhone users fully encrypt backups of their devices in the company’s iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters.
The tech giant’s reversal, about two years ago, has not previously been reported.
Read more on Reuters.

Would this change if the defendants were covered by the GDPR or CCPA?
Facebook, Twitter hold evidence that could save people from prison. And they’re not giving it up
By the time the FBI raided Omar Ameen’s Sacramento apartment in August 2018, his extradition back to Iraq seemed all but inevitable.
Prosecutors must show only probable cause to secure his extradition, which would lead to Iraqi authorities conducting a criminal trial. It’s a fate Ameen’s defenders say would undoubtedly lead to his execution.
But new evidence has been unearthed that his attorneys say will show he was 600 miles away from Rawah at the time of the killing. Additionally, an Islamic State Twitter account that the company suspended, as well as a suspended Facebook account, could be instrumental in proving Ameen’s innocence.
But the social media giants are refusing to cooperate.
In Ameen’s case and a growing list of other criminal cases, attorneys for Facebook, Twitter and other social networks are citing the Stored Communications Act — a three-decade-old privacy law — to withhold information that might help prove the innocence of Ameen and other defendants.

Defining proper use of Facial Recognition.
Supreme Court declines to hear Facebook facial recognition case
The Supreme Court on Tuesday declined to take up a high-profile court battle over whether users can sue Facebook for using facial recognition technology on their photos without proper consent.
The high court rejected Facebook's bid to review the case, meaning the social media giant will likely have to face the multibillion-dollar class-action lawsuit over whether it violated an Illinois privacy law.
The case, Facebook vs. Patel, hinges on a question over whether Facebook violated Illinois law when it implemented a photo-tagging feature that recognized users' faces and suggested their names without obtaining adequate consent. Facebook argued to the Supreme Court that the class-action case should not be allowed to proceed because the group of users have not proven that the alleged privacy violation resulted in "real-world harm."

If you are still doing it the old-fashioned way, are you negligent?
The Legal Research Tools Lawyers Are Using in 2020 and Beyond
Via LLRX: The ABA’s annual Legal Technology Survey Report is the basis for Nicole Black’s overview of what free and fee-based legal research tools lawyers are using – and yes, a number of lawyers continue to use print collections as well as CD-ROMs.

Clearly someone needs to train up an AI Patent lawyer.
Update on Federal Register Notice on Artificial Intelligence (AI) Patent Issues
As noted in our previous post, the U.S. Patent and Trademark Office (USPTO) published a request for comments for a list of questions regarding Artificial Intelligence (AI) Patent Issues in the Federal Register on August 21, 2019. While the comment period has closed, a few developments regarding AI patent issues have occurred that are particularly relevant.

Tuesday, January 21, 2020

Cyber insurers have been recommending payment of the ransom. Will they fight this bill?
N.Y. Senator Carlucci Introduces Bill That Prohibits Paying Ransom
New York Senator David Carlucci introduced Senate Bill S7289 that would ban the paying of ransom.
The bill prohibits municipal corporations or other government entities from paying ransom in the event of a cyber-attack against them.

Possessing Ransomware Could Become Illegal in Maryland
Lawmakers in the state of Maryland are considering making it a criminal offense to be in possession of ransomware.
A bill was introduced on Tuesday, January 14, that seeks to penalize Marylanders who knowingly possess the malware and intend to use it to cause harm. The bill also grants victims of a ransomware attack the right to sue the hacker for damages in civil court.
The state has already outlawed the use of malicious technology to extort money out of victims. Senate Bill 30, which was heard before the Senate Judicial Proceedings Committee last week, would make it a misdemeanor to be in possession of ransomware with the intent to use it in a malicious manner.

You should look for Best Practices anywhere. If you have second rate security, you are a much more attractive target for hackers.
India Plans to Mandate Cyber Security Measures for Power Grids
India’s electricity grid operators will have to install firewalls and other measures used by companies to avert an attack on their information technology systems and check rising hacking incidents of power networks across the world.
Grid operators and regulatory agencies will need to have a continuity plan handy in the event of a cyber attack, according to draft rules published by the Central Electricity Regulatory Commission. The move is part of an overhaul of the decade-old guidelines.

As expected or as feared.
GDPR: 160,000 data breaches reported already, so expect the big fines to follow
Analysis by law firm DLA Piper found that after the General Data Protection Regulation (GDPR) came into force on 25 May 2018, the first eight months saw an average of 247 breach notifications per day. In the time since, that has risen to an average of 278 notifications a day.
"GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year's report and regulators have been busy road-testing their new powers to sanction and fine organisations," said Ross McKean, partner at DLA Piper, specialising in cyber and data protection.
The GDPR Data Breach Survey also calculates the total cost of GDPR-related fines paid so far to be €114m ($126m/£97m). The largest fine paid so far was one of €50m issued by the French data protection authority, CNIL, to Google over infringements around transparency and consent.
Under GDPR, organisations can be fined up to four per cent of their annual turnover if they've been found to be irresponsible with security following a data breach. Despite this, it's believed that just one-third of organisations are fully GDPR-compliant.

A heads-up, but not a lot of detail.
Odia Kagan of Fox Rothschild writes:
Though said to be a replica of GDPR, the Indian Personal Data Protection Bill (PDPB) is actually quite different, writes Sandeep Sangwan of the International Association of Privacy Professionals, and this can cause issues for multinationals or Indian “data fiduciaries” who are also subject to GDPR.