Saturday, September 10, 2016

Will all those other companies face similar suits?
Shaun Nichols reports on a lawsuit filed by Seagate employees whose W-2 information was given to criminals who successfully tricked an employee via business email compromise.
The suit [PDF], originally filed in July through the Northern California District Court, accuses the hard drive maker of negligence and unfair business practices stemming from the March 1, 2016 incident when a phishing attack lead to the W‑2 information on all Seagate employees, as well as family members and beneficiaries named in employee W‑2 forms.
The suit claims that the attackers have already begun using the information lifted in the breach.
Read more on The Register.


Another “tip of the iceberg” suit?
Nicholas Iovino reports:
Yelp cannot escape claims that it invaded Apple device users’ privacy by uploading their personal data without consent, a federal judge ruled Friday.
Yelp is one of 14 app developers accused of using a “find friends” feature to mine users’ contacts without their permission.
The consolidated class action stretches back to 2012 when lead plaintiff Marc Opperman sued Apple, Yelp and others for claims of privacy invasion.
Read more on Courthouse News.


Incident response: How NOT to sound innocent.
As I commented to someone recently, a security incident involving Appalachian Regional Hospital facilities in Beckley and Summers County struck me as a really serious one because it was impacting patient care.  While ARH responded promptly and initiated its emergency operations plan after detecting that its system was infected, it seemed clear that shifting to an older manual system would introduce delays in processing and in care, despite employees’ best efforts.
Since the cyberattack was first announced, some patients have complained that ARH has been less than forthright about the situation and about whether their protected health information or identity information has been acquired by bad actors.  A statement by ARH on August 30 indicated that they had no indication that patient data was stolen, but I guess people want that confirmed and want updates.  ARH has issued two updates since August 30, but the updates do not address whether there was any ransom demand, and do not provide any update on whether there is any evidence that PHI or PII was accessed or exfiltrated.
As I noted even before the August 30th press release was issued, my initial impression was that this was likely to be a case where the data or systems were locked up for ransom but no data had been exfiltrated.  I continue to hypothesize that that’s the case, but in this day and age, it’s understandable that patients want answers quickly so that they can take steps to protect themselves.
And while I appreciate the great stress that everyone at ARH must be under during this difficult time,  threatening the press who have been reporting on what is, indeed, a matter of public concern, does not strike me as an appropriate response.
The Register-Herald has been all over this story since the beginning, and it appears they’ve been threatened over their coverage.  Daniel Tyson reports today how operations are still impacted.  He then reports  all the entities and offices the paper has contacted trying to get information about the breach and current status, and how the paper could get no response from any of the many individuals and offices they reached out to.  Then… wait for it …
However, an email from ARH Chief Legal Officer Rick King Friday afternoon stated if The Register-Herald continues to “deliberately publish statements which defame ARH, or cast it in a false light, we will have no other recourse but to consult with our attorneys in WV, to determine appropriate legal action.”
BOOM.
Threatening the press for reporting that some people are complaining or that the hospital has not yet answered questions the public wants answered should not be part of incident response.  Maybe ARH would like to see more coverage from patients who are understanding and supportive or from patients who experienced no delay in care, but the solution is to issue a statement saying what delays patients should still expect at this point and what operations are fully restored already.  And while they’re at it, perhaps they should explain why they were unable to just fully restore operations from backup.
One way to restore trust and confidence is by being more transparent.  Threatening the media to attempt to chill some speech is counterproductive and inappropriate.


Of course they are.  “Here self-driving taxi, deliver this bomb package to that crowd over there.” 
DOJ studying if self-driving cars pose ‘terrorist threat’
The U.S. Justice Department has formed a threat analysis team to study potential national security challenges posed by self-driving cars, medical devices and other Internet-connected tools, a senior official said.
The new group’s goal is to secure the so-called “internet of things” from exploitation by “terrorist threats” and by others who might try to hack devices to cause loss of life or achieve political or economic gain, according to Assistant Attorney General John Carlin, head of the Justice Department’s national security division.


Onward to Big Brotherlyness! 
Thomas Heath reports:
Do you hog office conversations?  Or not talk enough?  Does your voice squeal?
Do you sit very still at your desk all day?  Or do you fidget under stress?  Where do you go in the office?  How much time do you spend there?  To whom do you talk?
An employee badge can now measure all this and more, all with the goal of giving employers better information to evaluate performance.  Think of it as biometrics meets the boss.
A Boston company has taken technology developed at MIT and turned it into special badges that hang around your neck on a lanyard.  Each has two microphones doing real-time voice analysis, and each comes with sensors that follow where you are in the office, with motion detectors to record how much you move.  The beacons tracking your movements [The voice analysis continues?  Bob] are omitted from bathroom locations, to give you some privacy.
Read more on the Washington Post.


Privacy in Canada.
David T.S. Fraser writes:
The Ontario Small Claims Court, in Halley v McCann, 2016 CanLII 58945 (ON SCSM), has recently awarded a plaintiff $9,000 in damages for breach of privacy.  The case arose because the defendant disclosed the fact that the plaintiff had admitted herself to a mental health facility.  The defendant is also the half-sister of the plaintiff.  It was alleged that the defendant had told three people outside the facility about the plaintiff’s stay there.  No other information was disclosed.
What may not be totally clear from that first paragraph is that the defendant was an employee of the mental health facility, which is how she learned of the plaintiff’s stay there.  So this wasn’t just a case of a family member finding out something and sharing it with others.  This was a case of an employee disclosing confidential information about a patient.  Maybe her motivation to disclose had to do with the familial relationship and some animosity towards the plaintiff and maybe the familial issues made the impact on the plaintiff greater, but the main thing I would focus on is that the defendant only knew of the stay because of her work at the facility.
Read more about the case and opinion on Canadian Privacy Law Blog.


If I record your voice to train the machine, would everyone believe it was you?  
Face of a Robot, Voice of an Angel?
The last time you heard a computer convert a line of text to speech, it probably jarred.  Google’s machine-learning division, DeepMind, has developed a new voice synthesis system using artificial intelligence that it thinks will improve the situation.
   The results do sound compelling—you can listen to them yourself here.  Compared with the concatenative and parametric approaches, it’s noticeably more humanlike.


Fool these, fool everyone?
Greenhouse (Chrome, Safari): Who Is Funding That Politician?
Change Politics (Web): Run a Mock Ballot, Talk to Candidates
Vote411 (Web): Learn About Your Community’s Candidates
Ballotpedia (Web): Everything You Need to Know About U.S. Politics
ChartsMe (Web): Are You a Democrat or a Republican?


We’ve got to get our programmers into this competition.
U.S. developers have the numbers, but China and Russia have the skills
While the United States and India may have lots of programmers, China and Russia have the most talented developers according to a study by HackerRank, which administers coding tests to developers worldwide.
   The United States and India provide the majority of competitors on HackerRank but only manage to rank 28th and 31st, respectively.  "If we held a hacking Olympics today, our data suggests that China would win the gold, Russia would take home a silver, and Poland would nab the bronze," Trikha said.
   Poland was tops in Java testing, France led in C++, Hong Kong in Python, Japan in artificial intelligence, and Switzerland in databases.  Ukrainian programmers led in security, while Finland was top in Ruby coding challenges.


For my next Statistics class.
Is A 50-State Poll As Good As 50 State Polls?


Doing e-Business?
Why You Shouldn't Give Up on Social Commerce (Infographic)


Anything you do, someone somewhere is going to be amused or offended.
iPhone 7 Slogan Translates to 'Penis' in Hong Kong - Report
   in Cantonese, the Chinese dialect spoken in Hong Kong, the word for "seven" is pronounced "tsat," and is also slang for "penis."


Because, humor!
Strategic Humor: Cartoons from the October 2016 Issue


It’s Saturday, again.
Hack Education Weekly News
   Via The Guardian: “US library to enforce jail sentences for overdue books.” That’s the Athens-Limestone public library in Alabama (and that’s completely fucked up).
   Via Buzzfeed: “ Online K–12 School Fights Attempt To Check If Students Really Show Up.” The school in question: the Electronic Classroom of Tomorrow.
   Via Politico: “There’s no firm deadline for the Education Department to weigh in on whether a group of investors, which includes some with deep ties to the Obama administration, are effectively allowed to buy the University of Phoenix’s parent company.  But the company, Apollo Education Group, has previously said in SEC filings that it expects to get the necessary regulatory approvals to complete the sale by the end of this calendar year.”
   Via The Washington Post: “Inside Bill Clinton’s nearly $18 million job as ‘honorary chancellor’ of a for-profit college.”  The for-profit: Laureate Education (which once began as the tutoring chain Sylvan Learning and is now an investor in Coursera, I always like to point out).
   Via T.H.E. Journal: “The biggest predictor of student achievement (based on their use of a learning management system) is not the amount of time they spend working with course content; nor is it how long they spend taking assessments or participating in discussion forums.  It’s how frequently they check their grades online.”  The claims are based on Blackboard data, published on the LMS company’s blog.
   Via the Bureau of Labor Statistics (as reported by Infodocket): “The Cost of College Textbooks Has Increased 88% Since Jan. 2006, Tuition and Fees Up 63%.”
   Mark Guzdial writes about a thesis from Yogendra Pal: “Learning CS while Learning English: Scaffolding ESL CS Learners.”

No comments: