Shaun Nichols reports on a lawsuit filed by Seagate
employees whose W-2 information was given to criminals who successfully tricked
an employee via business email compromise.
The suit [PDF], originally filed in July through the Northern California
District Court, accuses the hard drive maker of negligence and unfair business practices stemming from the
March 1, 2016 incident when a phishing attack led to the W‑2 information on
all Seagate employees, as well as family members and beneficiaries named in
employee W‑2 forms.
The suit claims that the
attackers have already begun using the information lifted in the breach.
Read more on The Register.
Another “tip of the iceberg” suit?
Nicholas Iovino reports:
Yelp cannot escape claims that it
invaded Apple device users’ privacy by uploading their personal data without
consent, a federal judge ruled Friday.
Yelp is one of 14 app developers accused of using a “find
friends” feature to mine users’ contacts without their permission.
The consolidated class action
stretches back to 2012 when lead plaintiff Marc Opperman sued Apple, Yelp and
others for claims of privacy invasion.
Read more on Courthouse News.
Incident response: How NOT to sound innocent.
As I commented to someone recently, a security
incident involving Appalachian
Regional Hospital facilities in Beckley and Summers County struck me as a
really serious one because it was impacting patient care. While ARH responded promptly and initiated its
emergency operations plan after detecting that its system was infected, it
seemed clear that shifting to an older manual system would introduce delays in
processing and in care, despite employees’ best efforts.
Since the cyberattack was first announced, some patients
have complained that ARH has been less than forthright about the situation and
about whether their protected health information or identity information has
been acquired by bad actors. A statement by
ARH on August 30 indicated that they had no indication that patient
data was stolen, but I guess people want that confirmed and want updates. ARH has issued two updates since August 30,
but the updates do not address whether there was any ransom demand, and do not
provide any update on whether there is any evidence that PHI or PII was
accessed or exfiltrated.
As I noted even before the August 30th press
release was issued, my initial impression was that this was likely to be a case
where the data or systems were locked up for ransom but no data had been
exfiltrated. I continue to
hypothesize that that’s the case, but in this day and age, it’s
understandable that patients want answers quickly so that they can take steps
to protect themselves.
And while I appreciate the great stress that everyone at
ARH must be under during this difficult time, threatening the press who
have been reporting on what is, indeed, a matter of public concern, does not
strike me as an appropriate response.
The Register-Herald has been all over this story
since the beginning, and it appears they’ve been threatened over their
coverage. Daniel Tyson reports
today how operations are still impacted. He then reports all the entities and
offices the paper has contacted trying to get information about the breach and
current status, and how the paper could get no response from any of the many
individuals and offices they reached out to. Then… wait for it …
However, an email from ARH Chief
Legal Officer Rick King Friday afternoon stated if The Register-Herald
continues to “deliberately publish statements which defame ARH, or cast it in a
false light, we will have no other recourse but to consult with our attorneys
in WV, to determine appropriate legal action.”
BOOM.
Threatening the press for reporting that some people are
complaining or that the hospital has not yet answered questions the public
wants answered should not be part of incident response. Maybe ARH would like to see more coverage from
patients who are understanding and supportive or from patients who experienced
no delay in care, but the solution is to issue a statement saying what
delays patients should still expect at this point and what operations are fully
restored already. And while they’re at
it, perhaps they should explain why they were unable to just fully restore
operations from backup.
One way to restore trust and confidence is by being more
transparent. Threatening the media to
attempt to chill some speech is counterproductive and inappropriate.
Of course they are. “Here self-driving taxi, deliver this bomb
package to that crowd over there.”
DOJ studying if self-driving cars pose ‘terrorist threat’
The U.S. Justice Department has formed a threat analysis
team to study potential national security challenges posed by self-driving
cars, medical devices and other Internet-connected tools, a senior official
said.
The new group’s goal is to secure the so-called “internet
of things” from exploitation by “terrorist threats” and by others who might try
to hack devices to cause loss of life or achieve political or economic gain,
according to Assistant Attorney General John Carlin, head of the Justice
Department’s national security division.
Onward to Big Brotherlyness!
Thomas Heath reports:
Do you hog office conversations? Or not talk enough? Does your voice squeal?
Do you sit very still at your desk all day? Or do you fidget under stress?
Where do you go in the office? How much time do you spend there? To whom do you talk?
An employee badge can now measure
all this and more, all with the goal of giving employers better information to
evaluate performance. Think of it
as biometrics meets the boss.
A Boston company has taken
technology developed at MIT and turned it into special badges that hang around
your neck on a lanyard. Each has two
microphones doing real-time voice analysis, and each comes with sensors that
follow where you are in the office, with motion detectors to record how much
you move. The beacons tracking your movements [The voice analysis continues? Bob] are omitted from bathroom
locations, to give you some privacy.
Read more on the Washington Post.
Privacy in Canada.
David T.S. Fraser writes:
The Ontario Small Claims Court, in Halley v McCann, 2016 CanLII 58945 (ON SCSM),
has recently awarded a plaintiff $9,000 in damages for breach of privacy.
The case arose because the defendant disclosed
the fact that the plaintiff had admitted herself to a mental health facility. The
defendant is also the half-sister of the plaintiff. It was alleged that the defendant had told
three people outside the facility about the plaintiff’s stay there. No other information was disclosed.
What may
not be totally clear from that first paragraph is that the defendant was an
employee of the mental health facility, which is how she learned of
the plaintiff’s stay there. So this
wasn’t just a case of a family member finding out something and sharing it with
others. This was a case of an employee
disclosing confidential information about a patient. Maybe her motivation to disclose had to do
with the familial relationship and some animosity towards the plaintiff and
maybe the familial issues made the impact on the plaintiff greater, but the
main thing I would focus on is that the defendant only knew of the stay
because of her work at the facility.
Read more about the case and opinion on Canadian Privacy Law Blog.
If I record your voice to train the machine, would everyone
believe it was you?
Face of a Robot, Voice of an Angel?
The last time you heard a computer convert a line of text
to speech, it probably jarred. Google’s
machine-learning division, DeepMind, has developed a new voice synthesis system
using artificial intelligence that it thinks will improve the situation.
… The results do
sound compelling—you
can listen to them yourself here. Compared
with the concatenative and parametric approaches, it’s noticeably more
humanlike.
Fool these, fool everyone?
Greenhouse (Chrome, Safari): Who Is Funding That Politician?
Change Politics (Web): Run a Mock Ballot, Talk to Candidates
Vote411 (Web): Learn About Your Community’s Candidates
Ballotpedia (Web): Everything You Need to Know About U.S. Politics
ChartsMe (Web): Are You a Democrat or a Republican?
We’ve got to get our programmers into this competition.
U.S. developers have the numbers, but China and Russia have the skills
While the United States and India may have lots of
programmers, China and Russia have the most talented developers according to a
study by HackerRank, which administers coding tests to developers worldwide.
… The United
States and India provide the majority of competitors on HackerRank but only
manage to rank 28th and 31st, respectively. "If we held a hacking Olympics today, our
data suggests that China would win the gold, Russia would take home a silver,
and Poland would nab the bronze," Trikha said.
… Poland was tops
in Java testing, France led in C++, Hong Kong in Python, Japan in artificial
intelligence, and Switzerland in databases. Ukrainian programmers led in security, while
Finland was top in Ruby coding challenges.
For my next Statistics class.
Is A 50-State Poll As Good As 50 State Polls?
Doing e-Business?
Why You Shouldn't Give Up on Social Commerce (Infographic)
Anything you do, someone somewhere is going to be amused
or offended.
iPhone 7 Slogan Translates to 'Penis' in Hong Kong - Report
… in Cantonese,
the Chinese dialect spoken in Hong Kong, the word for "seven" is
pronounced "tsat," and is also slang for "penis."
Because, humor!
Strategic Humor: Cartoons from the October 2016 Issue
It’s Saturday, again.
Hack Education Weekly News
… Via The Guardian: “US library to enforce jail sentences for overdue books.” That’s the Athens-Limestone public library in Alabama (and that’s completely fucked up).
… Via Buzzfeed: “Online K–12 School Fights Attempt To Check If Students Really Show Up.” The school in question: the Electronic Classroom of Tomorrow.
… Via Politico: “There’s no firm deadline for the Education Department to weigh in on whether a group of investors, which includes some with deep ties to the Obama administration, are effectively allowed to buy the University of Phoenix’s parent company. But the company, Apollo Education Group, has previously said in SEC filings that it expects to get the necessary regulatory approvals to complete the sale by the end of this calendar year.”
… Via The Washington Post: “Inside Bill Clinton’s nearly $18 million job as ‘honorary chancellor’ of a for-profit college.” The for-profit: Laureate Education (which once began as the tutoring chain Sylvan Learning and is now an investor in Coursera, I always like to point out).
… Via T.H.E. Journal: “The biggest predictor of student achievement (based on their use of a learning management system) is not the amount of time they spend working with course content; nor is it how long they spend taking assessments or participating in discussion forums. It’s how frequently they check their grades online.” The claims are based on Blackboard data, published on the LMS company’s blog.
… Via the Bureau of Labor Statistics (as reported by Infodocket): “The Cost of College Textbooks Has Increased 88% Since Jan. 2006, Tuition and Fees Up 63%.”
… Mark Guzdial writes about a thesis from Yogendra Pal: “Learning CS while Learning English: Scaffolding ESL CS Learners.”