Saturday, August 01, 2020

It’s for the security of our nation.

https://www.bloomberg.com/news/articles/2020-07-31/trump-to-order-china-s-bytedance-to-sell-tiktok-u-s-operations

Trump to Order China’s ByteDance to Sell TikTok in U.S.

The U.S. has been investigating potential national security risks due to the company’s control of the app, and Trump’s decision could be announced as soon as Friday, the people said.

“We are looking at TikTok. We may be banning TikTok,” Trump told reporters at the White House Friday. “We are looking at a lot of alternatives with respect to TikTok.”



(Related) It’s for profit?

https://www.reuters.com/article/us-usa-tiktok-bytedance-exclusive-idUSKBN24X3SK

Exclusive: ByteDance offers to forgo stake in TikTok to clinch U.S. deal - sources

ByteDance was previously seeking to keep a minority stake in the U.S. business of TikTok, which the White House had rejected. Under the new proposed deal, ByteDance would exit completely and Microsoft Corp would take over TikTok in the United States, the sources said. Some ByteDance investors that are based in the United States may be given the opportunity to take minority stakes in the business, the sources added.





Securing data.

https://arstechnica.com/gadgets/2020/07/ibm-completes-successful-field-trials-on-fully-homomorphic-encryption/

IBM completes successful field trials on Fully Homomorphic Encryption

FHE allows computation of still-encrypted data, without sharing the secrets.

FHE is a type of encryption that allows direct mathematical operations on the encrypted data. Upon decryption, the results will be correct. For example, you might encrypt 2, 3, and 7 and send the three encrypted values to a third party. If you then ask the third party to add the first and second values, then multiply the result by the third value and return the result to you, you can then decrypt that result—and get 35.

You don't ever have to share a key with the third party doing the computation; the data remains encrypted with a key the third party never received. So, while the third party performed the operations you asked it to, it never knew the values of either the inputs or the output. You can also ask the third party to perform mathematical or logical operations on the encrypted data with non-encrypted data—for example, in pseudocode, FHE_decrypt(FHE_encrypt(2) * 5) equals 10.
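As an added example (not code from the article, and not IBM's FHE toolkit), here is a toy version of the scheme the two paragraphs above describe: the untrusted party adds and multiplies ciphertexts it cannot read, the key holder decrypts (2 + 3) * 7 to 35 and Enc(2) * 5 to 10, and a depth counter shows the noise budget that makes a scheme without bootstrapping only "somewhat" rather than "fully" homomorphic. The construction follows the integer scheme of van Dijk, Gentry, Halevi and Vaikuntanathan; the parameter sizes, the plaintext modulus T and all function names are assumptions chosen for readability, not secure choices.

```python
"""Toy symmetric somewhat-homomorphic encryption over the integers.

Added example, not code from the Ars Technica article or IBM's FHE toolkit.
Modelled on the integer scheme of van Dijk, Gentry, Halevi and Vaikuntanathan
(2010), generalised from bits to integers mod T. Parameter sizes are assumed
for readability, not security; there is no bootstrapping.
"""
import secrets

T = 1_000          # plaintext modulus: messages are integers in [0, T)
KEY_BITS = 256     # size of the secret odd integer p
NOISE_BITS = 16    # size of the per-ciphertext noise r
MASK_BITS = 512    # size of the random multiplier q that hides p


def keygen():
    """Secret key: a random odd integer p with exactly KEY_BITS bits."""
    return secrets.randbits(KEY_BITS) | (1 << (KEY_BITS - 1)) | 1


def encrypt(p, m):
    """c = m + T*r + p*q. Without p, the huge term p*q hides m + T*r."""
    if not 0 <= m < T:
        raise ValueError("message out of range")
    r = secrets.randbits(NOISE_BITS)
    q = secrets.randbits(MASK_BITS)
    return m + T * r + p * q


def noise(p, c):
    """Key holder's view of the noise term m + T*r: exact for a fresh
    ciphertext, and for an evaluated one only while that term is < p."""
    return c % p


def decrypt(p, c):
    """Strip p*q with mod p, then T*r with mod T; correct while noise < p."""
    return noise(p, c) % T


# The untrusted party's operations take ciphertexts only, never the key p.
def untrusted_add(c1, c2):
    return c1 + c2        # (m1 + m2) + T(r1 + r2) + p(...): noise adds


def untrusted_mul(c1, c2):
    return c1 * c2        # m1*m2 + T(...) + p(...): noise multiplies


def untrusted_scale(c, k):
    return c * k          # k*m + T(k*r) + p(k*q), k being a plaintext constant


def article_example(p):
    """The article's computations, (2 + 3) * 7 and Enc(2) * 5, evaluated by
    the untrusted party on ciphertexts and decrypted by the key holder."""
    c2, c3, c7 = (encrypt(p, m) for m in (2, 3, 7))
    product = untrusted_mul(untrusted_add(c2, c3), c7)
    scaled = untrusted_scale(encrypt(p, 2), 5)
    return decrypt(p, product), decrypt(p, scaled)      # (35, 10)


def multiplication_depth(p):
    """Multiply fresh encryptions of 1 together until the exact noise term
    reaches p; returns how many factors still decrypted correctly. This
    noise budget is what bootstrapping lifts in a *fully* homomorphic scheme."""
    c = encrypt(p, 1)
    exact_noise, count = noise(p, c), 1
    while True:
        nxt = encrypt(p, 1)
        exact_noise *= noise(p, nxt)     # fresh noise is known exactly
        if exact_noise >= p:
            return count
        c = untrusted_mul(c, nxt)
        count += 1
        assert decrypt(p, c) == 1        # still inside the noise budget


if __name__ == "__main__":
    key = keygen()
    print(article_example(key))
    print("multiplications before noise overflow:", multiplication_depth(key))
```

With these sizes each fresh ciphertext carries under 26 bits of noise against a 256-bit key, so roughly nine or ten multiplications fit before decryption breaks; real libraries pick parameters for the circuit depth they need and bootstrap to reset the noise.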





Security is being offered, will it be accepted?

https://www.nbcnews.com/tech/tech-news/volunteer-hacker-army-boosts-u-s-election-cybersecurity-n1235324

Volunteer hacker army boosts U.S. election cybersecurity

As election officials across the country prepare for November without knowing if they'll receive additional federal funds, a new volunteer group hopes to ease their cybersecurity concerns for free.

While the federal government does provide some free election cybersecurity tools, states are under no obligation to use them. The Department of Homeland Security offers state and local election directors some free cybersecurity services, and the Election Assistance Commission, an advisory agency that is the closest thing election officials and election system makers have to a federal regulator, recently released a free online cybersecurity course.

Ben Hovland, the chair of the commission, said he welcomed any free help to local election officials.

Now, a University of Chicago initiative called the Election Cyber Surge aims to act as matchmaker between local election officials who may not have access to cybersecurity services and qualified experts who want to help. Officials will be able to choose an area of concern, then pick from a list of professionals willing to help via phone or video chat, a necessity during the pandemic.





Coming soon to a ballot near you!

Massachusetts Ballot Question Poses Privacy Concerns

Kathryn Rattigan of Robinson & Cole writes:

Ballot Question 1 in Massachusetts, if passed in November, would require car manufacturers that sell cars equipped with telematics systems (i.e., a method of monitoring a vehicle by combining a GPS system with on-board diagnostics to record – and map – exactly where a car is and how fast it’s traveling, etc.) to install a standardized, open data platform beginning with model year 2022. Such a system would allow the cars’ owners to access their telematics system data through a mobile app and give their consent for independent repair facilities to access those data and send commands to the system for repair, maintenance, and diagnostic testing.

An open data platform is primarily designed to help big-data developers in creating big-data applications on a common platform. It provides a baseline model to build applications and services that can be interoperable on different platforms. While this platform would allow for use by many different users, this proposed open data platform may also present security risks to those providing the information. From loss of confidentiality, to the higher potential for compromising personal information, releasing data inherently puts the data at risk.

So on the one hand, consumers would get access to their own car’s data and system so that they do not have to rely on the manufacturer for diagnosis and repairs. On the other hand, detractors claim that opening up access to the data puts consumers at more risks of being hacked and having their personal information compromised.

I don’t know about Massachusetts voters, but I doubt most voters in my area would wade through a real discussion of the pros and cons behind this ballot issue and might just flip a switch or pull a lever or make a check mark randomly on voting day. And yet this is a ballot that might actually impact consumers’ privacy and data security if the detractors are right. But are they?

Read more on Data Privacy & Security Insider

[Correct link: https://www.dataprivacyandsecurityinsider.com/2020/07/massachusetts-ballot-question-poses-privacy-concerns/]





Some thoughts…

https://thenextweb.com/neural/2020/07/31/the-6-unholy-ai-systems-thou-shalt-not-develop/

The 6 unholy AI systems thou shalt not develop

TLDR; don't pretend a Magic 8 Ball is a useful tool for grownups and don't build hate machines





Getting softy on AI?

https://www.brookings.edu/research/soft-law-as-a-complement-to-ai-regulation/

Soft law as a complement to AI regulation

Corporate leaders including Google CEO Sundar Pichai, Microsoft President Brad Smith, Tesla and SpaceX CEO Elon Musk, and IBM ex-CEO Ginni Rometty have called for increased regulation of artificial intelligence. So have politicians on both sides of the aisle, as have respected scholars at academic research institutes and think tanks. At the root of the call to action is the understanding that, for all of its many benefits, AI also presents many risks. Concerns include biased algorithms, privacy violations, and the potential for injuries attributable to defective autonomous vehicle software. With the increasing adoption of AI-based solutions in areas such as criminal justice, health care, robotics, financial services, and education, there will be incentives that conflict corporate interests with societal benefits. That conflict raises the question of what systems should be put in place to mitigate potential harms.

THE ROLE OF SOFT LAW

While the dialogue on how to responsibly foster a healthy AI ecosystem should certainly include regulation, that shouldn’t be the only tool in the toolbox. There should also be room for dialogue regarding the role of “soft law.” As Arizona State University law professor Gary Marchant has explained, soft law refers to frameworks that “set forth substantive expectations but are not directly enforceable by government, and include approaches such as professional guidelines, private standards, codes of conduct, and best practices.”

Soft law isn’t new. The authors of a 2018 article in the Colorado Technology Law Journal point out that uses of soft law go back decades.





Perspective.

https://www.cnbc.com/2020/07/31/apple-surpasses-saudi-aramco-to-become-worlds-most-valuable-company.html

Apple surpasses Saudi Aramco to become world’s most valuable company

Apple shares closed up 10.47% Friday, giving it a market valuation of $1.84 trillion. Saudi Aramco, which had been the most valuable publicly listed company since its market debut last year, now trails at $1.76 trillion as of its last close.




Friday, July 31, 2020

They either did not know or chose to hide the scope of the breach. Neither says much for management.

https://www.cpomagazine.com/cyber-security/new-details-indicate-that-scope-of-the-2019-mgm-data-breach-is-much-bigger-than-expected/

New Details Indicate That Scope of the 2019 MGM Data Breach Is Much Bigger Than Expected

In early 2020, there was a report that the MGM Grand resort in Las Vegas had experienced a major data breach. The personal information of about 10.6 million guests had been exfiltrated, going back an unknown number of years.

The wording of the report was always confusing. Some news articles named only the MGM Grand resort, which was plausible for a data breach dating back years given that the property has nearly 7,000 rooms (the largest amount in the United States) and is quite popular with Vegas tourists. However, other articles named parent company MGM Resorts International. This company operates many casino-hotels in a number of states, including nearly half of the properties on the Vegas Strip and a handful of properties in China.

A new discovery of over 142 million guest credentials on the dark web appears to confirm that the data breach nabbed information from a variety of MGM Resorts properties, not just the MGM Grand. ZDNet reporters found the information on sale for $2,939 USD in mid-July. MGM had previously contacted guests that were impacted by the data breach, but these new numbers indicated there may be over ten times as many that were not contacted and are not aware that their personal information has been compromised.





A hopeful article.

https://www.zdnet.com/article/ransomware-how-clicking-on-one-phishing-email-left-a-whole-business-in-big-trouble/?&web_view=true

Ransomware: How clicking on one email left a whole business in big trouble

Security experts have given an insight into how a targeted ransomware attack took down the network of a food and drink manufacturer after hackers took advantage of common security vulnerabilities.

The crooks used a phishing attack and took advantage of a number of vulnerabilities – from old hardware to default passwords – to first deploy Emotet and Trickbot malware before delivering the Ryuk ransomware and attempting to extort a fee from the victim to restore the network.

In this case, the organisation didn't opt to pay the ransom – something that authorities discourage and would only fund additional attacks by cyber criminals – but instead had security experts come in to examine the network and restore functionality within 48 hours.





Something to follow?

https://www.reuters.com/article/epiq-dataprivacy-ransomware/after-ransomware-attack-legal-services-company-epiq-faces-california-privacy-lawsuit-idUSL2N2F12Q3

After ransomware attack, legal services company Epiq faces California privacy lawsuit

Lawyers for Epiq Systems Inc have removed a lawsuit to federal court that alleges the legal services provider failed to adequately protect personal information under California’s consumer privacy law.

The proposed class action lawsuit, originally filed in California state court and removed to federal court on Wednesday, claims that individuals “face a lifetime risk of identity theft” after the Missouri-based company was hit by a ransomware attack in February.

To read the full story on Westlaw Today, click here: bit.ly/2P86lcz





More crime during the pandemic? (The report is locked)

Amazon says police demands for customer data have gone up

Zack Whittaker reports:

Amazon has said the number of demands for user data made by U.S. federal and local law enforcement have increased more during the first half of 2020 than during the same period a year earlier.

The disclosure came in the company’s latest transparency report, published Thursday.

Read more on TechCrunch.





Weak law is worse than no law?

Protect consumer privacy: Repeal GLBA’s privacy provisions

It is so hard to get privacy protections for consumers that you might think that if a law has privacy provisions, you’d want to keep them. Not necessarily, as Robert Gellman explains in an opinion piece that opened my eyes — and may open yours, too.

How do the privacy protections in the Gramm-Leach-Bliley Act — the well-known banking law — help consumers? The short answer is that the GLBA does almost nothing to help consumer privacy. Understanding that the GLBA is essentially a privacy fraud is important because exemptions for the GLBA are features of some state and federal privacy bills.

Let’s look at the provisions of the GLBA. The privacy part of the law provides two — and only two — provisions for consumers. First, each financial institution must have a privacy notice. That’s something but not much.

Read more on IAPP.




Thursday, July 30, 2020

No doubt this answered all their questions...

https://www.bespacific.com/online-platforms-and-market-power-part-6-examining-the-dominance-of-amazon-apple-facebook-and-google/

Online Platforms and Market Power Part 6: Examining the Dominance of Amazon, Apple, Facebook, and Google

House Judiciary Committee, Subcommittee on Antitrust, Commercial, and Administrative Law – July 29 2020: Support Documents –

  • Hearing Notice [PDF]

  • Hearing Notice – Revision 1 [PDF] Added 07/24/2020 at 03:48 PM

  • Witnesses: Mr. Jeff Bezos, Chief Executive Officer, Amazon.com, Inc. Jeff Bezos Statement [PDF]; Mr. Tim Cook, Chief Executive Officer, Apple Inc. Tim Cook Statement [PDF]; Mr. Sundar Pichai, Chief Executive Officer, Alphabet Inc. Sundar Pichai Statement [PDF]; Mr. Mark Zuckerberg, Chief Executive Officer, Facebook, Inc. Mark Zuckerberg Statement [PDF]

  • Hearing via YouTube

  • See also The New York Times – Big Tech Hearing Live Updates: Lawmakers Attack Executives





Failure to follow basic security practices…

https://cyware.com/news/data-breach-incidents-escalate-when-security-of-databases-takes-a-backseat-e22fd64c/?web_view=true

Data Breach Incidents Escalate When Security of Databases Takes a Backseat

Cloud configuration mistakes continue to pose a major security risk to organizations around the world. These unsecured cloud databases can leak sensitive user data and even allow unauthorized third parties to access or modify the data without any authorization.

  • In new research conducted by Comparitech, it was found that attackers took less than nine hours to get their hands on unsecured databases.

  • Eventually, these unprotected databases were attacked 18 times per day by hackers.

  • To find vulnerable databases, many attackers use an IoT search engine, like Shodan or BinaryEdge.



(Related)

https://www.hackread.com/9517-unsecured-databases-with-10-billion-records/?web_view=true

9,517 unsecured databases identified with 10 billion records globally

Research conducted by NordVPN’s NordPass password manager reveals that more than nine thousand unsecured databases across 20 countries can be attacked effortlessly.





For comparison to your Computer Security budget…

https://www.zdnet.com/article/todays-mega-data-breaches-now-cost-companies-392-million-in-damages-lawsuits/?&web_view=true

Today’s ‘mega’ data breaches now cost companies $392 million to recover from

On Wednesday, IBM released its annual Cost of a Data Breach Report which says that the average data breach now costs $3.86 million. While this average has decreased by 1.5% in comparison to 2019, when over 50 million consumer records are involved, these "mega" breaches can cost up to $392 million to remedy, up from $388 million in 2019.

If an organization is acting as a data controller for between 40 and 50 million records, the cost on average is $364 million, and organizations could face a cost of up to $175 per consumer record involved in data theft or leaks.





A ten year plan (that’s a bazillion Internet years) is too long. Still, it’s a list of some issues they face...

https://www.cyberscoop.com/army-cyber-command-plan-transition-information-war/

Here's how Army Cyber Command plans to take on information warfare

The Army’s top cybersecurity official has released a ten-year plan to reform his command into a more capable information warfare unit.

The plan, which Lt. Gen. Stephen Fogarty outlined this week in Cyber Defense Review, a publication from the Army Cyber Institute, is meant to reorganize Army Cyber Command into a series of units that can work to counter adversaries’ efforts to destabilize the U.S., including by influencing adversaries’ behavior and decision-making through jamming up their signals, or by messaging and running social media information operations to control the narrative, for instance. In some cases, the reformulated Army Cyber Command (ARCYBER) will focus on “skillfully communicating (or obscuring), the location, capability, and intent of Army forces,” Fogarty said.





Not the most timely, but welcome. (Hey, was that a stop sign back there?)

https://devops.com/a-developers-guide-to-ccpa-gdpr-compliance/

A Developer’s Guide to CCPA, GDPR Compliance

The digital landscape is continuously evolving, and privacy regulations such as CCPA (California Consumer Privacy Act) and the European Union’s GDPR (General Data Protection Regulation) are in effect to give consumers their fundamental right to data privacy.

These regulations force organizations to revamp their operations to comply. This means all departments within an organization, from marketing to software development and everything in between, have to keep privacy regulations in mind and tweak their workflows accordingly.

In this article, we will discuss the steps developers can take to stay compliant with these regulations.

With more people concerned about their data rights, giving them complete control over their data is essential in today’s world. Under both GDPR and CCPA, here are all the rights consumers have concerning their data:

  • The right to be informed.

  • The right of access.

  • The right to rectification.

  • The right to erasure.

  • The right to restrict processing.

  • The right to data portability.

  • The right to object to processing.

  • The rights concerning automated decision-making and profiling.





Interesting. The changes we will have to live with.

https://sloanreview.mit.edu/article/the-age-of-accelerating-strategy-breakthroughs/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+mitsmr+%28MIT+Sloan+Management+Review%29

The Age of Accelerating Strategy Breakthroughs

Companies showing the most agility and resilience in their response to the global pandemic are pursuing four main strategies.

1. Prioritize people.

2. Make megatrends matter.

3. Build resilience to accelerated change.

4. Champion multistakeholder capitalism.





Law goes techie?

https://www.bespacific.com/fireman-company-releases-white-paper-on-pacerpro-usage-data-with-21-major-law-firms/

Fireman & Company releases white paper on PacerPro usage data with 21 major law firms

PRNewswire: PacerPro, a leading provider of workflow automation and experience capture services for US federal court litigation, is pleased to announce that Fireman & Company has published a white paper covering usage and ROI data for 21 of its major AMLaw 100 and leading litigation boutique firms. Firms participating in the white paper include:

“As advisors, it’s our job to help the industry understand the tools and technology available using concrete metrics. Thanks to the willingness of PacerPro’s clients to share their usage data publicly, we have been able to produce a report that quantifies in straightforward, easy to understand terms, the actual impact of an automation and experience capture tool in wide use among US law firms. Our hope is that more firms will follow the example set by these firms with other services to help create a more robust, transparent legal technology market.” Joshua Fireman, Fireman & Company.




Wednesday, July 29, 2020


If you can’t manage technology perhaps you shouldn’t be using it? (You see why outsourcing is popular?)

Avon Cosmetics Leaks 7GB of Personal and Technical Information from Unsecured Server

Last month, SafetyDetectives researchers discovered an unsecured database belonging to the popular Avon beauty company. The server, which lacked basic security measures, was easily accessible by investigators, who found a trove of 19 million records, including personal information of employees and website technical data.

While the news might not strike a chord at first, the data breach disclosure follows a June 9 regulatory filing by the company, which confirmed a security incident that “interrupted some systems and partially affected operations.”




Protesters act as a smoke screen for drug theft?

More pharmacy chains report HIPAA breaches linked to looting during protests

First it was Walmart disclosing that their pharmacies in stores in California and Chicago had suffered damage and theft by looters of medications ready for pickup with patient information on labels.

Then it was CVS, who notified HHS that more than 21,000 patients’ information may have been compromised by looters who stole or accessed prescriptions ready for pickup.

Now it’s Walgreens who is notifying an as-yet-undisclosed number of patients at multiple stores across multiple states.




I’m shocked. Shocked I tell you!

Over Half of Americans Do Not Trust Companies to Ethically Collect, Use or Sell Personal Data

A new study from professional services firm KPMG finds that over half of Americans are no longer comfortable with their personal data being in the hands of private companies.

97% feel that data privacy is important to them, and 87% take it a step further in believing that it should be considered a human right, but 54% feel that companies cannot be trusted to use their personal data in an ethical way. On the specific subject of the sale of personal data, 68% believe that companies will not do so in a responsible way.

The KPMG study (“New Imperative for Corporate Data Responsibility”) surveyed 1,000 US citizens from a broad mix of age, race, gender and regional backgrounds.




How do I regulate thee
Let me count the ways

New Zealand establishes algorithm charter for government agencies

A standards guide on how to use algorithms across government.

Dubbed as the "first in the world", the Algorithm Charter for Aotearoa New Zealand, according to Minister for Statistics James Shaw, will improve data transparency and accountability, especially when algorithms are being used to process and interpret large amounts of data.

"Using algorithms to analyse data and inform decisions does not come without its risks," he said. "It is important, therefore, that people have confidence that these algorithms are being used in a fair, ethical, and transparent way. And that's what this Charter is all about."




Tools & Techniques. (Image or video)

This AI turns your home videos into cute cartoons

If you’ve ever wondered what you’d look like in animated form, you can now find out. Developers Tejas Mahajan and Niraj Pandkar have created an AI tool that can turn your photos and videos into cartoons.

Cartoonizer is based on a research paper by University of Tokyo researchers Xinrui Wang and Jinze Yu. The tool leverages their open-source implementation to create a publicly-available demo of the method, using GPU (Graphics Processing Unit) servers for the video inference and CPUs (central processing units) for the images.

Mahajan and Pandkar plan to open source the code and write an article on the architecture within the next few days. In the meantime, you can try the tool out yourself at the Cartoonizer website.




For my students…

Phidgets - A Fun, Free, Hands-on Way to Learn Python, Java, and More

As the new school year approaches Phidgets is one new thing that I’m excited to use with my students. Phidgets provide a fun, hands-on way for students to learn to program in Python, Java, C#, and Swift. If you’re not a computer science teacher, don’t skip over this post thinking that Phidgets is just a product for computer science classes. There’s no cost to try it out because Phidgets will send you a free kit to get started. And Phidgets has super easy-to-follow instructions that make perfect sense even if you have never written a single line of code in your life.

What are Phidgets?

Phidgets are sensors and microcontrollers that you can program in your choice of four programming languages. You can program Phidgets to do things like turn LED lights on and off, record data, and automate processes. Combine all three of those things together and you’ll start to build some really interesting things, like lights that turn on based on a light sensor, or a simple alert system with motion and proximity sensors. Probably the quickest way to see what’s possible with Phidgets is to watch this 90 second video.

The Phidgets starter kit for schools comes in a 6”x3”x4” box that serves as the storage container for the kit’s contents and also serves to hold the LEDs and switches included in the kit. The kit also includes a humidity sensor, a hub (where wired connections are made), and all necessary wires and cables.