Saturday, March 21, 2020

Amazon: Too essential to shut down?
‘We’re all going to get sick eventually’: Amazon workers are struggling to provide for a nation in quarantine
Amazon is positioning itself as an ‘essential’ service during the pandemic — a move that benefits the company and puts its warehouse workers and drivers in danger

What are the odds you are included?
Report: unidentified database exposes 200 million Americans
The CyberNews research team uncovered an unsecured database owned by an unidentified party, comprising 800 gigabytes of personal user information. The database in question was left on a publicly accessible server and contained more than 200 million detailed user records, putting an astonishing number of people at risk.
On March 3, 2020, the entirety of the data present on the database was wiped by an unidentified party.
It seems that much of the data on the main folder might have originated from the United States Census Bureau. Certain codes used in the database were either specific to the Bureau or used in the Bureau’s classifications.

(Related) This happens when managers fail to check their processes.
Unprotected Database Exposed 5 Billion Previously Leaked Records
An Elasticsearch instance containing over 5 billion records of data leaked in previous cybersecurity incidents was found exposed to anyone with an Internet connection, Security Discovery reports.
The database was identified as belonging to UK-based security company Keepnet Labs, which focuses on keeping organizations safe from email-based cyber-attacks. It contained data leaked in security incidents that occurred between 2012 and 2019.
The Elasticsearch instance, Security Discovery’s Bob Diachenko reveals, had two collections in it: one containing 5,088,635,374 records, and another with over 15 million records. This second collection was being constantly updated.
The researcher immediately alerted Keepnet Labs, which took the database offline within an hour.

Trying to keep up...
Vermont Enacts Data Breach Notification and Student Privacy Legislation
Earlier this month, the Governor of Vermont signed into law S.B. 110, which will amend the state’s data breach notification law and create a new student privacy law focused on operators of educational technology services. Notably, the amendments to the state’s data breach notification law will expand the categories of personally identifiable information (“PII”) that may trigger notification obligations to individuals and regulators in the event of a breach to include online account credentials, health and medical information, and biometric and genetic data, among others. The student privacy law will place certain restrictions on how student data can be collected, used, and disclosed by operators of online educational technology services. The new requirements, which will enter into force on July 1, 2020, are discussed in more detail below.

Rounding out my understanding.
COVID-19, Scientific Research and the GDPR – Some Basic Principles
As scientists work around the clock to gain insights into the Corona virus and how to fight it, public and private-sector stakeholders are in discussions to promote the rapid exchange of scientific data. During these discussions, the GDPR acronym inevitably rears its head and casts doubt over what is lawful. The GDPR and national data protection laws can, and often do, complicate the matter of sharing personal data, and health data in particular. We provide some general pointers below to help demystify the GDPR and explain its impact.

Could be useful if you are stuck at home.
Become an Overnight Netflix Pro: 50+ Tips and Tricks You Should Know

Something to do…
Getting Bored? Here's A List Of Free Things That Weren't Free Before Coronavirus

Friday, March 20, 2020

Professing Principles of Digital Ethics and Privacy
Dr. Anita Allen serves as Vice Provost for Faculty and Henry R. Silverman Professor of Law and Philosophy at the University of Pennsylvania. Dr. Allen is a renowned expert in the areas of privacy, data protection, ethics, bioethics, and higher education, having authored the first casebook on privacy law and having been awarded numerous accolades and fellowships for her work. She earned her JD from Harvard and both her Ph.D. and master’s in philosophy from the University of Michigan. I had the opportunity to speak with her recently about her illustrious career, the origins of American privacy law and her predictions about the information age.

No subtle argument.
Moscow’s 105,000 Facial Recognition Cameras Here to Stay as Country’s Court System Entrenches Video Surveillance
A recent ruling that facial recognition does not violate citizen privacy would appear to be the definitive statement that Moscow will now be the largest city outside of China to track people with facial recognition in nearly every inch of public space.
The lawsuit claimed that Russia’s constitution guarantees personal privacy and the existing data protection laws specified that biometric data can only be processed with written consent. The courts decided against her in November, and installation of the new facial recognition system immediately began.
The death blow for the efforts of privacy advocates was the more recent ruling against a second lawsuit, which was supported by opposition party Solidarnost and the civil rights group Amnesty. The ruling ensures that the new video surveillance system will remain in operation, and that citizens of Moscow will not be able to bring legal complaints alleging invasion of privacy or misuse of personal data due to facial recognition.

...and eventually, to my students.
Explaining machine learning models to the business
Explainable machine learning is a sub-discipline of artificial intelligence (AI) and machine learning that attempts to summarize how machine learning systems make decisions. Summarizing how machine learning systems make decisions can be helpful for a lot of reasons, like finding data-driven insights, uncovering problems in machine learning systems, facilitating regulatory compliance, and enabling users to appeal — or operators to override — inevitable wrong decisions.
Of course all that sounds great, but explainable machine learning is not yet a perfect science. The reality is there are two major issues with explainable machine learning to keep in mind:
  1. Some “black-box” machine learning systems are probably just too complex to be accurately summarized.
  2. Even for machine learning systems that are designed to be interpretable, sometimes the way summary information is presented is still too complicated for business people.

Useful reference?
LibGuide – Legal Responses to Coronavirus
“Lynn McClelland has created a new LibGuide on the U.S. legal responses to COVID-19. Many units of government at all levels have issued, and continue to issue, legal responses to the coronavirus epidemic, and some states have laws pre-dating the epidemic but that have become more relevant, such as quarantine statutes and requirements for paid sick leave. Lynn’s guide identifies and provides links to primary sources and high-quality summaries of primary sources. If you know of additional resources that should be added to the guide, please feel free to share them with Lynn ( ).” [via Rachel E. Green, Faculty Services Librarian, Hugh & Hazel Darling Law Library, UCLA School of Law]

There must be a need, right?
is a new law firm focused only on AI
When VentureBeat asked Andrew Burt why he was starting an AI-focused law firm, Burt was quick to clarify that it’s about AI and analytics. But that didn’t answer the underlying question of why the world needs a law firm focused so precisely on this one key area.
“The thesis behind the law firm is that traditional legal expertise on its own is not sufficient,” said Burt, a Yale Law School alum. His partner is data scientist Patrick Hall, and together they aim to provide legal acumen around AI and analytics that’s bolstered by technical understanding. “If we are going to successfully manage the risks of AI and advanced analytics, we need both of these types of expertise commingled,” added Burt.
Called (techy shorthand for “Burt and Hall”), the firm is located in Washington, D.C., which Burt says confers a key advantage. “There’s a rule in D.C. It’s called 5.4b, and it basically allows Washington, D.C. to be the only place in the country where lawyers and non-lawyers can jointly run law firms together,” he explained. That’s why Hall, who is not an attorney, can be a partner in this law firm.
AI presents novel problems that, naturally, have legal ramifications. For example, there’s debate about whether an AI can hold a patent or copyright a written work. As the medical field adopts more machine learning and computer vision tools in patient diagnostics, questions about physician liability continue to percolate. Meanwhile, lawmakers are wrestling with how to understand and regulate facial recognition.

Perspective. War and plague are economic events.
Tech’s big five lost $1.3 trillion in value since market peak one month ago

When you reach the end of your binge watching…
450 free Ivy League university courses you can take online
Here’s a collection of all of them, split into courses in the following subjects: Computer Science, Data Science, Programming, Humanities, Business, Art & Design, Science, Social Sciences, Health & Medicine, Engineering, Education & Teaching, Mathematics, and Personal Development.

Scribd is giving away 1 month of unlimited access for free
Good e-Reader: “Reading subscription service Scribd is offering free access to its library of over one million ebooks, audiobooks, magazines and more for the next 30 days (no commitment or credit card information required). Scribd told Good e-Reader that “With the spread of COVID-19 and new regulations put into effect, we know many people are staying close to home, yet still looking for information, distractions and perhaps a mental escape. Scribd wants to support the community by giving people access to the world’s largest library during this global health crisis, and do our small part in helping consumers through times of uncertainty.” …There is more on from Scribd’s CEO, Trip Adler, here. To access the 30 free days of content, please CLICK HERE…”

Thursday, March 19, 2020

Work from home.
SANS Security Awareness Work-from-Home Deployment Kit
Everything you need to know to create a secure work-from-home workforce during the COVID-19 pandemic and beyond.

Inside every cloud…
We Live in Zoom Now
The New York Times: “…Teenagers have jokingly referred to themselves as “Zoomers” online for years; now the name is literal. Overnight, Zoom has become a primary social platform for millions of people, a lot of them high school and college students, as those institutions move to online learning. Zoom Video Communications is a videoconferencing company in San Jose, Calif., that has been thrust into the spotlight over the past week. On Monday morning, its iOS app became the top free download in Apple’s App Store. On Sunday, nearly 600,000 people downloaded the app, its biggest day ever, according to Apptopia, which tracks mobile apps. While the stock market crashes, Zoom shares have soared this year, valuing the company at $29 billion — more than airlines like Delta, American Airlines or United Airlines. Zoom has been preparing for this moment since the new coronavirus began spreading in China in January. Even then it was easy to see that Zoom’s primary customer base — videoconferencing desk workers — would become more reliant on its services while quarantined at home. So the company began closely monitoring its capacity and started hosting free training sessions. In China, Zoom dropped its 40-minute limit for free calls. But no amount of planning could have anticipated the company’s emergence as a cultural phenomenon used to host parties, concerts, church services and art shows. Zoom could not have prepared to become a meme…”

AI adoption in the enterprise 2020
The update sheds light on what AI adoption looks like in the enterprise (hint: deployments are shifting from prototype to production), the popularity of specific techniques and tools, the challenges experienced by adopters, and so on.
  • The majority (85%) of respondent organizations are evaluating AI or using it in production. Just 15% are not doing anything at all with AI.
  • More than half of respondent organizations identify as “mature” adopters of AI technologies: that is, they’re using AI for analysis or in production.
  • Few organizations are using formal governance controls to support their AI efforts.

Could be useful…
How to Create Annotated Screen Capture Images
This morning I got an email from a reader who was looking for a screen capture tool that included tools for drawing straight lines, arrows, boxes, and generally making screen captures look a little more professional. One of the tools that I recommended was Nimbus Screenshot.
Nimbus Screenshot is available to use as an extension in Chrome, Firefox, and Opera. There is also a Nimbus Screenshot Chrome app for Chromebook users who want to be able to capture more than just a browser window. In the following video I demonstrate how to use Nimbus Screenshot to create annotated screen capture images.

Readings for shut-ins.
Q&A on the Book AI Crash Course
  • Many jobs will disappear as they are replaced by AI, and three times more jobs will be created around AI.
  • There is a growing need for AI education; it's important that AI be used the right way and for good causes, for the benefit of this world.
The book AI Crash Course by Hadelin de Ponteves contains a toolkit of four different AI models: Thompson Sampling, Q-Learning, Deep Q-Learning and Deep Convolutional Q-learning. It teaches the theory of these AI models and provides coding examples for solving industry cases based on these models.
InfoQ readers can find an excerpt of AI Crash Course on the publisher's website.

Wednesday, March 18, 2020

Time to get ready. The Corona virus may help to pinpoint targets.
Renowned Economist Nouriel Roubini Warns of 2020 Cyber War
Economist Nouriel Roubini, a professor at the New York University Stern School of Business and one of the world’s most prominent Keynesian economists, has predicted that 2020 could be the year the world bears witness to the first-ever cyber war.
Speaking on Yahoo Finance’s ‘On The Move’ on 28 February, Roubini told the debate panel that “[The U.S.] will have the first global cyber warfare this year,” explaining his belief that the coming cyber war will likely play out between the United States and any one of its several major geopolitical rivals, either North Korea, Iran, China or Russia.
“We imposed sanctions against Russia, China, [North] Korea, and Iran,” Roubini explained, “and they cannot respond to us with conventional power, because we are stronger from a conventional point of view.”
“So if you are a weaker rival of the U.S., and you want to contain the U.S., what you do is asymmetric warfare. Asymmetric warfare means you try to weaken your enemy from the inside, and how you do it is with cyber warfare.”

Attacks on DOD Networks Soar as Telework Inflicts ‘Unprecedented’ Loads
Cyber attacks on Defense Department networks increased over the weekend as teleworking employees put “unprecedented” loads on the military’s computer networks.
“They’re already taking advantage of the situation and the environment that we have on hand,” Essye Miller, DOD’s principal deputy chief information officer, told department employees at a Monday morning “virtual town hall.”
To protect Defense Department networks, the Pentagon is barring users from accessing YouTube and other streaming services. It’s one of several concerns officials expressed about rapidly moving the federal government’s largest agency toward “maximized telework.”

(Related) Hopes for ‘empathy’ are delusional.
Message to Cybercriminals: Hospitals Are Off-Limits
On Sunday night, the Department of Health and Human Services was hit with a cyberattack. This incident is the third in a string of cyberattacks that show malicious cyber actors are not slowing their assault on our public health system despite the global coronavirus pandemic. In the last week, the Brno University Hospital in the Czech Republic was hit with a ransomware attack and the Champaign-Urbana Public Health District’s website was also taken over by cybercriminals demanding payment. In the case of the Brno University Hospital, the attack caused all surgeries to be cancelled and all incoming patients to be re-routed to a nearby hospital. Cyberattacks at this time could make an already dire situation far worse.
The national security community has been slow to recognize cybercriminal groups as a national security threat. The growth in sophistication of ransomware campaigns suggests that the capabilities these groups possess are now on par with many nation states. Many people have expressed hope online that cybercriminals would empathize with those who are suffering and think twice before targeting hospitals. Unfortunately, hope is not a strategy. Their targeting of vulnerable critical infrastructure, like public health systems and hospitals, in a time of crisis demands that the threat posed by these groups be countered with the full weight that the United States can bring to bear.

(Related) Another take on risks and mitigation.
Coping with Coronavirus: Five Strategies to Mitigate Business Risks

Security tools.
Brave Ranked the Most Private Browser While Microsoft Edge and Yandex the Least Private Due to Privacy-Invading Telemetry
A new study by Professor Douglas J. Leith of Trinity College Dublin tested various browsers for privacy leaks associated with sending data back to their makers’ servers. Brave emerged as the most private browser while the new chromium-based Microsoft Edge and Yandex emerged as the most privacy-intrusive browsers. This outcome is because of their use of privacy-intrusive telemetry. Their phoning-home activities and other secret tracking methods allow them to track users across browser installs.

(Related) Why is this not updated continuously? Perhaps as a Wiki?
NIST Updates and Expands Its Flagship Catalog of Information System Safeguards
NIST: “After your organization forms a general plan for tackling its cybersecurity and privacy risk management issues, it needs particular state-of-the-art tools to make that plan a reality. Computer security and privacy experts at the National Institute of Standards and Technology (NIST) have the answer with an updated toolbox of safeguards for protecting an organization’s operations and assets, as well as the personal privacy of individuals.
NIST Draft Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, is a collection of hundreds of specific measures for strengthening the systems, component products and services that underlie the nation’s businesses, government and critical infrastructure. One of NIST’s flagship risk management publications, the document is undergoing its first update in seven years, and the agency is accepting public comments on the draft until May 15, 2020.
The publication offers safeguards for all types of platforms, from general-purpose computers to industrial control systems and internet of things (IoT) devices. Its tools are intended for a broad audience of specialists, from security experts to systems developers to cloud computing providers…”

Security Architecture.
Security is leaving the data center and moving to the edge
The traditional network security model, in which traffic is routed through the data center for inspection and policy enforcement, is for all intents and purposes obsolete. A 2019 study by research firm Gartner found that “more users, devices, applications, services and data are located outside of an enterprise than inside.”
Driven by the adoption of multi-cloud infrastructure and applications, mobility and distributed workforces, the focal point for security has shifted to users and devices. As a result, the current data center-centric approach to network security is struggling to support a load it was not designed to bear.
This outdated architecture is impacting productivity and the user experience, while increasing networking costs since more and more circuits and APIs are needed to move traffic in and out of the corporate network. Meanwhile, implementing various security functions on remote devices requires a complex and difficult-to-manage mix of endpoint software agents.

An excuse for more surveillance?
Joseph Cox reports:
An Austin, Texas based technology company is launching “artificially intelligent thermal cameras” that it claims will be able to detect fevers in people, and in turn send an alert that they may be carrying the coronavirus.
Athena Security is pitching the product to be used in grocery stores, hospitals, and voting locations. It claims to be deploying the product at several customer locations over the coming weeks, including government agencies, airports, and large Fortune 500 companies.
Read more on Motherboard.

U.S. government, tech industry discussing ways to use smartphone location data to combat coronavirus

There are dozens of these. No two the same.
I’ve been occasionally posting FAQs or guidance from other countries and regions about privacy and the COVID-19 pandemic.
While the bigger players tend to get more media coverage and analysis, let us never forget that we are all impacted.
Here’s an FAQ from the office of the privacy commissioner of New Zealand.

(Related) A good source for these…
German Authorities Issue Guidance Related to Coronavirus

Interesting tool.
Google Translate launches Transcribe for Android in 8 languages
Google Translate today launched Transcribe for Android, a feature that delivers a continual, real-time translation of a conversation. Transcribe will begin by rolling out support for eight languages in the coming days: English, French, German, Hindi, Portuguese, Russian, Spanish and Thai. With Transcribe, Translate is now capable of translating classroom or conference lectures with no time limits, whereas before speech-to-text AI in Translate lasted no longer than a word, phrase, or sentence. Google plans to bring Transcribe to iOS devices at an unspecified date in the future.

Tuesday, March 17, 2020

This one was relatively simple. The next ones won’t be.
A coronavirus-tracking app locked users' phones and demanded $100
You can always count on hackers to exploit a terrible situation to try to make a buck.
A new Android app that promises to deliver up-to-date figures on the coronavirus pandemic includes a strain of malicious software that locks up a user’s phone and demands an extortion fee. The ransomware app, called CovidLock, threatens to erase everything on an infected phone if victims don’t pay $100 in bitcoin within 48 hours, according to the security firm DomainTools.

Password found to rescue victims of malicious COVID-19 tracker app
Members of the IT and cybersecurity communities have successfully obtained a password key for victims of CovidLock Android ransomware, which comes disguised as an app that supposedly helps track cases of the coronavirus, but actually locks users’ phones and demands a ransom in order to restore access.
The unlock token has been verified as 4865083501.

A “proof of concept” exercise. Imagine many, many targets as an opening salvo in a cyber war…
Why the Norsk Hydro attack is a 'blueprint' for disruptive hacking operations
It’s been a year since malicious code tore through the computer network of Norwegian aluminum giant Norsk Hydro, forcing the company to shift some of its operations to manual mode and inflicting tens of millions of dollars in damage.
The ransomware attack brought a global manufacturing powerhouse to its knees, and with it more questions than answers about the hackers’ motivations. Attackers targeted a company with good security practices, yet used code that would have made it difficult to collect their extortion fee. Norsk Hydro never paid, a spokesman said.
Now, an investigation published Monday argues that the LockerGoga ransomware variant could have been designed to disrupt rather than to extort — to lock up the enterprise and throw away the key.
Regardless of who was behind the Norsk Hydro attack, it provides a “worryingly effective blueprint” for state-backed hackers to hide behind malware associated with criminals to achieve their goals, says Joe Slowik, adversary hunter at industrial cybersecurity company Dragos.

Security because “we gotta do something?”
TSA Admits Liquid Ban Is Security Theater
The TSA is allowing people to bring larger bottles of hand sanitizer with them on airplanes:
Passengers will now be allowed to travel with containers of liquid hand sanitizer up to 12 ounces. However, the agency cautioned that the shift could mean slightly longer waits at checkpoint because the containers may have to be screened separately when going through security.
Won't airplanes blow up as a result? Of course not.
Would they have blown up last week were the restrictions lifted back then? Of course not.
It's always been security theater.
Interesting context:
The TSA can declare this rule change because the limit was always arbitrary, just one of the countless rituals of security theater to which air passengers are subjected every day. Flights are no more dangerous today, with the hand sanitizer, than yesterday, and if the TSA allowed you to bring 12 ounces of shampoo on a flight tomorrow, flights would be no more dangerous then. The limit was bullshit. The ease with which the TSA can toss it aside makes that clear.
All over America, the coronavirus is revealing, or at least reminding us, just how much of contemporary American life is bullshit, with power structures built on punishment and fear as opposed to our best interest. Whenever the government or a corporation benevolently withdraws some punitive threat because of the coronavirus, it's a signal that there was never any good reason for that threat to exist in the first place.

How Asia does it.
Asia Business Law Journal has published a regional comparison of data privacy laws that includes India, the Philippines, Taiwan, and Thailand. You can read it here.

First summary I’ve seen. Clearly the rules are not set in stone.
Coronavirus and Data Protection: Europe’s Data Protection Authorities’ Views
Data protection authorities from around the world are stepping in to provide their input and guidance on the matter of data processing activities and the fight against the coronavirus. Hogan Lovells’ global Privacy and Cybersecurity team has compiled the guidance from various European authorities, which is available here.
The different emphasis among the data protection authorities’ views – which can be categorized as restrictive, neutral or permissible – suggests that the right approach must lie in finding a balanced middle ground which does not ignore the application of essential privacy principles. This is also in line with the statement published by the European Data Protection Board (EDPB) on March 16 highlighting that data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic.

(Related) Not suspended, just waved.
From the U.S. Department of Health & Human Services:
The Novel Coronavirus Disease (COVID-19) outbreak imposes additional challenges on health care providers. Often questions arise about the ability of entities covered by the HIPAA regulations to share information, including with friends and family, public health officials, and emergency personnel. As summarized in more detail below, the HIPAA Privacy Rule allows patient information to be shared to assist in nationwide public health emergencies, and to assist patients in receiving the care they need. In addition, while the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of HHS may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.
Read the full notice below.

Compare and contrast.
‘A Once-in-a-Century Pathogen’: The 1918 Pandemic & This One
A little over one hundred years ago, a novel virus emerged from an unknown animal reservoir and seeded itself silently in settlements around the world. Then, in the closing months of World War I, as if from nowhere, the infection exploded in multiple countries and continents at more or less the same time. From Boston to Cape Town, and London to Mumbai, the “Spanish flu,” so-called because the first widely reported outbreak occurred in Madrid in May 1918, swept like wildfire through cities and communities both large and small.
By the time the virus had burned itself out, in the spring of 1919, a third of the world’s population had been infected and at least 50 million people were dead.

Worthwhile just as a list of useful tools.
New to remote work? These tools will make your transition to working from home easier
As the coronavirus outbreak continues (even appearing in newsrooms), organizations are asking employees to work from home when they can.
For some, this may mean discovering gaps in your toolstacks. With that in mind, we’ve compiled a list of tools that might help you address different needs your team may have in staying connected and effective at work.

Late moving into AI?

The Great TP Shortage
I think I have an explanation for the toilet paper shortage. Since TP has no role in preventing or minimizing the Corona virus, it must be due to other sources of supply being cut off. I estimate that 60 to 80 percent of the population was stealing toilet paper from their employers. Since they can’t get to their work supply, they have to actually buy it in stores! (Oh, the horror)