Saturday, July 29, 2017

Perfect timing?  Remember, it’s the hacks that aren’t shared that you have to worry about.
Tesla Model X Hacked by Chinese Experts
Security researchers from China-based tech company Tencent have once again demonstrated that they can remotely hack a Tesla.  The vulnerabilities they leveraged were quickly patched by the carmaker.
Tencent’s Keen Security Lab published a video last year showing how they could hack a Tesla Model S, both while it was parked and on the move.  They took control of the sunroof, turn signals, displays, door locks, windshield wipers, mirrors, the trunk and even the brakes.
At the time, Tesla patched the vulnerabilities within 10 days, but claimed that the vulnerabilities were not as easy to exploit as it appeared from the video published by Keen Security Lab researchers.
In a new video and blog post published this week, the researchers claim they’ve once again managed to hack a Tesla, this time a Model X, via a Controller Area Network (CAN bus) and Electronic Control Unit (ECU) attack.
   In its video, Keen Security Lab showed that it managed to remotely unlock the doors and trunk in parking mode, control the brake in driving mode, and put on a light show using the car’s headlights and taillights by taking control of multiple ECUs.


Roomba attempts a foot-ectomy after sticking its foot firmly in its mouth.
iRobot, the maker of Roomba, made big news this week when an interview with its CEO mentioned plans to sell the map data of customers’ homes to third parties.  Today, the company launched damage control measures and the CEO is spreading assurances that this is all just a big misunderstanding.
   We reached out to a spokesperson for iRobot, who tells Gizmodo that Reuters’ original article about iRobot contained “an unintentional misinterpretation of Colin’s statements.”  In fact, Reuters issued a correction today.  The paragraph that set off a firestorm has now replaced the words “sell maps” with “share maps for free with customer consent.”
   So we know that Reuters admits to the misunderstanding, but iRobot is still saying that it’s considering sharing all that map data, just that they won’t sell it for cash.  And a great way to guarantee “iRobot will never sell your data” would be to include those exact words in Roomba’s privacy policy. But iRobot wouldn’t commit to that.
   We’ve attempted to get more information about exactly what data is being stored by iRobot but company reps have avoided specificity.


For the next time I teach Computer Security.
Brad D. Williams reports:
Critical infrastructure operators have long faced the formidable security challenges of zero-day vulnerabilities and advanced persistent threats (APTs), both of which were employed in some of the most prominent cyberattacks in the sectors to date.  But one researcher is warning leaders in government and industry of an old threat that, fueled by recent legislation and commercial practices, is quickly surpassing zero days and APTs as perhaps the greatest risk to critical infrastructure security.
The threat is what might be called “weaponized metadata,” and the risks are detailed extensively in a new report, Metadata: The Most Potent Weapon in this Cyberwar, recently published by the Institute for Critical Infrastructure Technology (ICIT), a Washington, D.C.-based cybersecurity think tank.
Read more on Federal Times.


The second-best way works too.  (If you can’t out-talk them, bomb them.)
The US-Led Coalition Is Steadily Decimating ISIS’s Propaganda Operation
U.S.-executed decapitation strikes are eliminating key ISIS propaganda leaders and hacking away at the terror group’s ability to broadcast its jihadist message across the world from its dwindling holdfasts in Syria and Iraq, Operation Inherent Resolve announced on July 27.

Friday, July 28, 2017

Is nothing sacred?  A very understandable illustration.  Now think about the same types of hacks in other environments.
Researchers Demo Physical Attack via Car Wash Hack
LAS VEGAS - BLACK HAT USA - Researchers have created proof-of-concept (PoC) exploits to demonstrate how hackers can cause physical damage to vehicles and injure their occupants by remotely hijacking a connected car wash.
The attack was detailed in a presentation at the Black Hat security conference this week by WhiteScope founder Billy Rios, a researcher best known for finding vulnerabilities in medical devices and industrial control systems (ICS), and Dr. Jonathan Butts, founder of QED Secure Solutions and committee chair for the IFIP Working Group on Critical Infrastructure Protection.
The experts pointed out that automated car wash systems are essentially ICS and, just like industrial systems, they can be hacked and manipulated.
   Rios and Butts discovered that the web-based administration panel for the product, which is in many cases accessible directly from the Internet, has many features, including for sending email alerts and a widget for social media.
However, the more problematic issue is that both the owner and engineer accounts for the web interface are protected by weak default passwords.  They also discovered that the authentication mechanism can be bypassed by a hacker.

(Related).  What’s next?
Joshua Philipp reports:
Cyber mercenaries are breaching the systems of governments, financial institutions, critical infrastructure, and businesses, then selling access to them on a marketplace on the darknet, a hidden internet accessible only via specialized software.
All of this is happening on a darknet black marketplace known as the CMarket or “Criminal Market,” formerly known as “Babylon APT.”  The marketplace contains a public market, invite-only submarkets, and hacker-for-hire services ready to breach any network in any country.
The Epoch Times was provided with analysis, screenshots, and chat logs from the marketplace by darknet intelligence company BlackOps Cyber.  An undercover operative for the company gained access to the marketplace’s invite-only sections and grew close to several of its top members.
Read more on The Epoch Times.


Another one?!?!  Apparently, their strategy does not allow for anything that may go wrong. 
Wells Fargo Broadsided Anew With an Auto Insurance Sales Scandal
Wells Fargo & Co.’s campaign to rebuild customer and shareholder trust just hit another bump, as the bank said it may have pushed thousands of car buyers into loan defaults and repossessions by charging them for unwanted insurance.
An internal review of the bank’s auto lending found more than 500,000 clients may have unwittingly paid for protection against vehicle loss or damage while making monthly loan payments, even though many drivers already had their own policies,  Wells Fargo said in a statement late Thursday.  The firm said it may pay as much as $80 million to affected clients -- with extra money for as many as 20,000 who lost cars, “as an expression of our regret.”


Very timely.  My Architecture class will be discussing metrics this week!
Report Depicts Shameful State of Cybersecurity Metrics
For years, Security has sought the ear of the Board and claimed it was not offered.  Today the Board is listening; but all too often Security talks in a language that Business does not understand.  There is a solution, but it is not yet maximized.  That solution is Metrics, a language spoken and understood by both Business and Security; but not widely or effectively used.
The size of the task can be seen in just two statistics from Thycotic's 2017 State of Cybersecurity Metrics Annual Report (PDF).  Firstly, 1 in 3 companies invest in cybersecurity technologies without any way to measure their value or effectiveness.
   The second statistic is that four out of every five companies fail to include business stakeholders in cybersecurity investment decisions.  The result, in combination, is that through no direct fault of its own, Business doesn't understand what Security is doing, and has no way of knowing whether it is effective.
   Using metrics to demonstrate the overall efficiency or lack of efficiency in a company's cybersecurity posture is difficult but not impossible.  At the moment, however, companies are not making use of, or even collecting, the statistics that are readily available.  For example, four out of five companies never measure the success of security training investments. 
Two out of three companies don't fully measure whether their disaster recovery will work as planned.  And while 80% of breaches involve stolen or weak credentials (from Verizon's DBIR), 60% of companies still do not adequately protect privileged accounts.


An all-too-common failure, given low priority.  Watch what happens when North Korea crashes their systems.
SEC must improve how it protects its networks against cyberattacks, says watchdog
Wall Street’s top U.S. regulator needs to improve the way it protects its own computer networks from cyber attacks, according to a new report by a congressional watchdog office.
The 27-page report by the Government Accountability Office found the Securities and Exchange Commission did not always fully encrypt sensitive information, used unsupported software, failed to fully implement an intrusion detection system and made missteps in how it configured its firewalls, among other things.
“Information security control deficiencies in the SEC computing environment may jeopardize the confidentiality, integrity, and availability of information residing in and processed by its systems,” the GAO said.


Just in case you Mac users were starting to feel all safe and secure…
WikiLeaks Details Mac OS X Hacking Tools Used by CIA
The latest round of documents published by WikiLeaks as part of a leak dubbed by the organization “Vault 7” describes several tools allegedly used by the U.S. Central Intelligence Agency (CIA) to target Mac OS X and other POSIX systems.
The tools, said to be part of a CIA project named “Imperial,” are called Achilles, Aeris and SeaPea.


Large collections of data are valuable.  No surprise that people will want to use a database that contains information on everyone in the country!
Ola employee accused of data theft from Aadhaar website
The Unique Identification Authority of India (UIDAI) has registered a case with the Bengaluru Police against Abhinav Srivastava and Qarth Technologies Pvt Ltd for misusing Aadhaar data obtained from its website without any authentication.
Chennai-based Qarth Technologies was acquired by India's largest taxi aggregator Ola in March last year, to help grow its in-house payments service.
   While the report does not divulge any further details on the nature of the violation, a cyber expert who did not want to be named speculated that Qarth could have been using someone else's license to access Aadhaar data for eKYC, which is not allowed as per the regulations set by the Aadhaar Act.


If the courts do it this way, following their example might be wise.
Ebook – Best Practices for Court Privacy Policy Formulation
“A State Justice Institute supported report, “Best Practices for Court Privacy Policy Formulation” authored by three of our NCSC colleagues, Tom Clarke, Jannet Lewis and Di Graski has just been released.
The report begins: “As state and local courts progressively convert their business processes from paper to electronic formats, policies around remote electronic access to court case information by the public become ever more important.  COSCA last addressed this issue comprehensively in 2002 with a report authored by Martha Steketee and Alan Carlson that proposed a model policy for public access.  At that time, few courts had implemented electronic filing, so the model policy addressed both manual and electronic access.  In the fifteen years since then, courts have learned a lot about living in an electronic world and providing remote access to their case data and documents.  Consequently, there is a need to update what we know about this topic and revise the model policy.” 


Can we expect the same for President Trump as he deletes tweets and blocks people?
Court Rules Against Politician Who Banned Access to Her Facebook Page
A federal court in Virginia ruled that a local politician violated the free-speech rights of a constituent she banned from her Facebook page, in a case the judge said raises “important questions” about the constitutional restrictions that apply to social media accounts of elected officials.


Perhaps Rolls Royce is showing us what will be possible with self-driving cars.  (This one is not self-driving.)
Phantom VIII Heralds Arrival Of The House Of Rolls-Royce
   The 8-speed ZF gearbox retains satellite-linked intelligence, which reads GPS data about the road ahead then preloads shift sequences for upcoming corners.

Wednesday, July 26, 2017

Big Data, big breaches, huge numbers of records stolen…  The market for my Computer Security students should also be huge. 
2,227 Breaches Exposed 6 Billion Records in First Half of 2017: Report
The number of publicly disclosed data compromise events through June 30 remained in line with the number of breaches disclosed mid-way through 2015 and 2016, but the total number of records exposed surpassed 2016’s year-end high mark.
The top 10 data breaches exposed 5.6 billion of the 6 billion records compromised, and had an average severity score of 9.82 out of 10.0, Risk Based Security’s report (PDF) reveals.

(Related).  Sounds small compared to the cost of all security breaches, but smaller victims are hit hard.
Russell Brandom reports:
Ransomware victims have paid more than $25 million in ransoms over the last two years, according to a study presented today by researchers at Google, Chainalysis, UC San Diego, and the NYU Tandon School of Engineering.  By following those payments through the blockchain and comparing them against known samples, researchers were able to build a comprehensive picture of the ransomware ecosystem.
Read more on The Verge.


Addressing claims of underreporting? 
HHS Unveils Improved Web Tool to Highlight Recent Breaches of Health Information
“The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) today launched a revised web tool that puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and to learn how all breaches of health information are investigated and successfully resolved.  The HIPAA Breach Reporting Tool (HBRT) features improved navigation for both those looking for information on breaches and ease-of-use for organizations reporting incidents.
   The HBRT may be found at:  https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.  For additional information on HIPAA breach notification, visit:  https://www.hhs.gov/hipaa/for-professionals/breach-notification


For my Computer Forensic students.


Searching for Privacy violations is probably not high on their priority list. 
Newly declassified memos detail extent of improper Obama-era NSA spying
The National Security Agency and Federal Bureau of Investigation violated specific civil liberty protections during the Obama years by improperly searching and disseminating raw intelligence on Americans or failing to promptly delete unauthorized intercepts, according to newly declassified memos that provide some of the richest detail to date on the spy agencies’ ability to obey their own rules.
The memos reviewed by The Hill were publicly released on July 11 through Freedom of Information Act litigation by the American Civil Liberties Union.
They detail specific violations that the NSA or FBI disclosed to the Foreign Intelligence Surveillance Court or the Justice Department's national security division during President Obama’s tenure between 2009 and 2016.
   The NSA says that the missteps amount to a small number — less than 1 percent — when compared to the hundreds of thousands of specific phone numbers and email addresses the agencies intercepted through the so-called Section 702 warrantless spying program created by Congress in late 2008.


I wonder how our intelligence services are using this.  Could we be supplying a bit of propaganda?  Trolling for potential defectors?  Attempting to recruit regime changers?
North Korea's Elite More Connected Than Previously Thought
Telecommunications capability in North Korea is three-tiered.  The vast majority of people have neither internet nor North Korean intranet connectivity -- they simply have mobile telephony voice, text and picture/video messaging within the domestic provider, Koryolink.
A small group of others, including university students, scientists and some government officials, can access the state-run North Korean intranet, Kwangmyong, that links libraries, universities and government departments and comprises a limited number of domestic websites.
A much smaller group from the ruling elite does, however, have full access to the internet.  From April 1 through July 6, 2017, Recorded Future analyzed internet traffic from this small group of officials, and concluded that the standard view of North Korea is not entirely accurate: its leadership at least is not isolated from the rest of the world.
In a report and analysis conducted in partnership with Team Cymru and published today, Recorded Future notes that North Korean leadership's internet activity is little different to the rest of the world's internet activity: "North Koreans spend much of their time online checking social media accounts, searching the web, and browsing Amazon and Alibaba," notes the report.  "Facebook is the most widely used social networking site for North Koreans, despite reports that it, Twitter, YouTube, and a number of others were blocked by North Korean censors in April 2016."


Global company, global law?
Google Fights Against Canada's Order to Change Global Search Results
In June, Canada's Supreme Court came down on Google—hard.  It ruled that the tech giant must take down certain Google search results for pirated products.  And not just in Canada, but globally.  Now, Google is going south of the Canadian border to push back on this landmark court ruling.  The tech giant filed an injunction Monday with the US District Court for Northern California, arguing that globally removing the search results violates US law, and thus Google should not be forced to comply with the Canadian ruling.
Because the case had already made its way to the highest court in Canada, Google should have not been able to fight the ruling.  But Google is hoping to find a loophole on American soil by arguing this violates the First Amendment.
“We’re taking this court action to defend the legal principle that one country shouldn’t be able to decide what information people in other countries can access online,” says David Price, senior product counsel at Google.  “Undermining this core principle inevitably leads to a world where internet users are subject to the most restrictive content limitations from every country.”


Disrupting advertising?  Probably won’t win Facebook many friends.  Could Russia (or an agent) promote the “news” it prefers?
Paying To Promote News Stories On Facebook Is The Ad World’s Favorite New Tactic
When the workplace gossip app Blind expanded its product’s availability earlier this summer, it got the word out via an age-old tactic: advertising.  But instead of running a traditional ad campaign, the company took a route gaining favor among advertisers big and small: It paid Facebook to promote a favorable review of its service.
Blind spent thousands of dollars promoting a Mashable article headlined “Silicon Valley's secret app Blind opens the floodgates.”  The post drove more than 11,000 visits to its app download page, according to publicly available analytics.  The campaign worked out nicely for Blind — and for Facebook, a master at making money off of other people’s content.  But Mashable, which sells advertising to companies like Blind, didn’t see a dime.  Neither did any other traditional publisher.


Is “big” always “bad?”
In the 1980s and 1990s, Blockbuster modernized the movie rental business.  It offered far more movies than its smaller rivals, used computers to better manage that inventory, and designed its stores to be bright and family friendly.  By 1993, just eight years after its founding, Blockbuster was the global leader in movie rentals, with more than 3,400 stores worldwide.
Then Netflix happened.  Blockbuster went bankrupt in 2010.
Economist Luigi Zingales mentions the Blockbuster story in a recent paper as an example of how the economy ought to work.  A company has an innovative idea, which for a while provides competitive advantage.  Later on, a new innovator comes along and pushes it aside.
But Zingales fears that this isn’t happening as often as it should.  Instead, he argues, the U.S. economy may be succumbing to what he calls “the Medici cycle,” named for the powerful family of medieval Florence.  Their motto — or at least the motto often attributed to them — was “Money to get power. Power to protect money.”  And Zingales fears that a version of this motto aptly describes the true strategy of at least some of corporate America.
Zingales’s paper is the latest in a flurry of research and commentary on the rising concentration of corporate power in the U.S.


A slight exaggeration but I wonder why President Trump hasn’t claimed victory?
Now hiring every available human: Amazon posts 50,000 warehouse jobs in U.S.
   Of those postings, 10,000 are for part-time gigs, while the rest are for full-time positions. The roles span the duties required to “pick, pack, and ship customer orders” across its various warehouses, the company said.
Back in January, Amazon said it would increase its U.S. headcount over the next 18 months to 280,000 employees, an increase of around 55 percent.
   The company is hosting job fairs at 10 of its fulfillment centers on August 2 to give candidates a look inside, and it plans to make job offers to some candidates on the spot.


For my students, because I want recent articles, nothing more than two years back.  (200 Internet years)


Just in case you are wondering…
Check online for contaminants in your city's drinking water
You can learn what’s in your drinking water with a new database that allows you to type in your ZIP code and find out which contaminants are going along for the ride when you turn on the faucet.

Tuesday, July 25, 2017

I didn’t realize how big this was.
One in Ten U.S. Organizations Hit by WannaCry: Study
WannaCry stormed the world in mid-May by leveraging a previously patched exploit called EternalBlue, which hacker group Shadow Brokers allegedly stole from the NSA-linked Equation Group.  The ransomware mostly infected Windows 7 computers that hadn’t been patched in due time, and also revealed the destructive impact of a global outbreak.  NotPetya confirmed the risk in late June.
According to a survey (PDF) from software lifecycle automation solutions provider 1E, 86% of the organizations in the U.S. had to “divert significant resources” to safeguard themselves during the WannaCry attack.  Only 14% of the respondents revealed their organization was prepared for such an attack.
The study also shows that 86% of organizations don’t apply patches immediately after they are released, thus leaving endpoints and entire networks exposed to such attacks.  While 14% of respondents said they apply patches immediately, 36% apply them within one week after release, and 27% need up to a month for that, while 23% don’t apply patches within a month after release.


It’s the same with vampires.  You are only at risk when you invite them in. 
iRobot wants to sell Roomba-generated maps of your home
iRobot, creator of the Roomba, plans to sell the data the house-cleaning robot collects when it maps your house.  Potential buyers include smart home device manufacturers, such as Amazon, Apple and Google.
iRobot's business strategy hinges on regular updates [Because furniture moves, not walls.  Bob] and understanding the floor plan of your home, according to Reuters.
   Roombas have been mapping homes since 2015 using a camera and sensors or visual localisation and cloud-connected app control.  The Roomba uses these maps to avoid toppling over lamps and ramming into your furniture.  It was made compatible with Amazon's Alexa voice assistant in March.


Ubiquitous surveillance.  Is it possible to go unnoticed and unrecorded? 
Google snaps every search your phone makes – yes, even that one
Google’s latest update keeps a screenshot for later.  Much like how Google Maps remembers everywhere you’ve ever been so you can find your car, Google (the search engine app) keeps a snapshot history of what you’ve searched for in Google Search.  This search history does not make a significant impact on your smartphone’s data storage space as it’s all stored with Google on Google’s servers.


Did anyone check?  Were there any managers involved? 
Is this why United, TSA clashed on Twitter over comic books on planes?
Passengers flying with United Airlines UAL, out of San Diego — site of the popular Comic-Con event this weekend — were greeted by a message telling them to remove books from their checked luggage.  United then responded on Twitter to a post with a picture of the message saying the requirement was set by the Transportation Security Administration.
Subsequently, the TSA sent out its own tweet noting that there are no restrictions on checking books, which a spokesperson confirmed to MarketWatch.


Fodder for conspiracy theories.
National Archives Begins Online Release of JFK Assassination Records
[At 8am on July 24, 2017] the National Archives released a group of documents (the first of several expected releases), along with 17 audio files, previously withheld in accordance with the JFK Assassination Records Collection Act of 1992.  The materials released today are available online only.  Access to the original paper records will occur at a future date.  Download the files online: https://www.archives.gov/research/jfk/2017-release.  Highlights of this release include 17 audio files of interviews of Yuri Nosenko, a KGB officer who defected to the United States in January 1964.  Nosenko claimed to have been the officer in charge of the KGB file on Lee Harvey Oswald during Oswald’s time in the Soviet Union.  The interviews were conducted in January, February, and July of 1964.  This set of 3,810 documents is the first to be processed for release, and includes FBI and CIA records—441 documents previously withheld in full and 3,369 documents previously released with portions redacted.  In some cases, only the previously redacted pages of documents will be released.  The previously released portions of the file can be requested and viewed in person at the National Archives at College Park (these records are not online).  The re-review of these documents was undertaken in accordance with the John F. Kennedy Assassination Records Collection Act of 1992, which states: “Each assassination record shall be publicly disclosed in full, and available in the Collection no later than the date that is 25 years after the date of enactment of this Act, unless the President certifies, as required by this Act, that continued postponement is made necessary” by specific identifiable harm.  The act mandated that all assassination-related material be housed in a single collection in the National Archives and defined five categories of information that could be withheld from release.  
The act also established the Assassination Records Review Board to weigh agency decisions to postpone the release of records.  The National Archives established the John F. Kennedy Assassination Records Collection in November 1992, and it consists of approximately five million pages of records.  The vast majority of the collection (88 percent) has been open in full and released to the public since the late 1990s.  The records at issue are documents previously identified as assassination records but withheld in part or in full.  Federal agencies have been re-reviewing their previously withheld records for release, and will appeal to the President if they determine that records require further postponement.  Online resources:


For the toolkit.

Monday, July 24, 2017

An example of mismanagement.  Arrest someone trying to help, but fail to correct the security breach he discovered?
45,000 Facebook Users Leave One-Star Ratings After Hacker's Unjust Arrest
Over 45,000 users have left one-star reviews on a company's Facebook page after the business reported a security researcher to police and had him arrested in the middle of the night instead of fixing a reported bug.
   The young man discovered that he could access BKK's website, press F12 to enter the browser's developer tools mode, and modify the page's source code to alter a ticket's price.
Because there was no client or server-side validation put in place, the BKK system accepted the operation and issued a ticket at a smaller price.
   The teenager — who didn't want his name revealed — reported the issue to BKK, but the organization chose to contact the police and file a complaint, accusing the young man of hacking their systems.
   BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure."  Since then, other security flaws in BKK's system have surfaced on Twitter.  [This flags their system as ‘hackable’ and challenges hackers at the same time.  Probably not a wise decision.  Bob] 
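The bug described above is a server that accepts whatever price the browser submits. As an added example (not BKK's code; the ticket types, prices and form fields are constructed assumptions), here is the trusting handler beside a hardened one that prices the ticket server-side and surfaces tampered requests for logging:

```python
"""Server-side price validation for a ticket purchase endpoint.

Added example, not BKK's code. It models the class of bug in the article:
a form field edited in the browser's developer tools is charged as-is
because the server never recomputes the price itself.
"""
from dataclasses import dataclass

# Constructed server-side tariff (assumption, not BKK's real price list).
TICKET_PRICES = {
    "single": 350,
    "monthly": 9500,
}


class PurchaseRejected(Exception):
    """Raised when a purchase request fails server-side validation."""


@dataclass(frozen=True)
class Ticket:
    ticket_type: str
    price: int  # amount actually charged


def issue_ticket_vulnerable(form: dict) -> Ticket:
    """'Before' behaviour: the price is whatever the client submitted.

    Only the presence of the fields is checked, so a value edited in the
    browser (e.g. price=50) is charged exactly as sent.
    """
    ticket_type = form["ticket_type"]
    price = int(form["price"])
    return Ticket(ticket_type, price)


def issue_ticket_hardened(form: dict) -> Ticket:
    """'After' behaviour: the price comes from the server-side tariff.

    A client-supplied price is never charged; if the legacy form still
    carries one, a mismatch is treated as tampering and rejected so it can
    be logged instead of silently accepted.
    """
    ticket_type = form.get("ticket_type")
    if ticket_type not in TICKET_PRICES:
        raise PurchaseRejected(f"unknown ticket type: {ticket_type!r}")
    server_price = TICKET_PRICES[ticket_type]
    try:
        client_price = int(form.get("price", server_price))
    except (TypeError, ValueError):
        raise PurchaseRejected("price is not an integer") from None
    if client_price != server_price:
        raise PurchaseRejected(
            f"price mismatch for {ticket_type}: client sent {client_price}, "
            f"server price is {server_price}"
        )
    return Ticket(ticket_type, server_price)


def tamper_attempts(requests: list) -> list:
    """Detection helper: return (request, reason) for every request the
    hardened handler rejects, i.e. what a SOC would want in the audit log."""
    rejected = []
    for form in requests:
        try:
            issue_ticket_hardened(form)
        except PurchaseRejected as exc:
            rejected.append((form, str(exc)))
    return rejected


if __name__ == "__main__":
    # Constructed sample requests: one honest, one with the price field edited.
    honest = {"ticket_type": "monthly", "price": "9500"}
    tampered = {"ticket_type": "monthly", "price": "50"}
    print(issue_ticket_vulnerable(tampered))  # charged 50
    print(issue_ticket_hardened(honest))      # charged 9500
    print(tamper_attempts([honest, tampered]))
```

The lesson generalizes: any value the server can derive itself (price, quantity limits, discount eligibility) should be recomputed server-side, and a disagreement with what the client sent is a detection signal, not an input.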


Not very subtle.  A clear message from Big Brother, “I don’t trust you.”  Will hackers find a way to spoof this App? 
China forces its Muslim minority to install spyware on their phones
China has ramped up surveillance measures in Xinjiang, home to much of its Muslim minority population, according to reports from Radio Free Asia.
Authorities sent out a notice over a week ago instructing citizens to install a "surveillance app" on their phones, and are conducting spot checks in the region to ensure that residents have it.
   Android users were instructed to scan the QR code in order to install the Jingwang app that would, as authorities claimed, "automatically detect terrorist and illegal religious videos, images, e-books and electronic documents" stored in the phone.  If illegal content was detected, users would be ordered to delete them.
Users who deleted, or did not install the app, would be detained for up to 10 days, according to social media users.


How do we block/detect/mitigate these attacks?
RAND Report: The Russian “Firehose of Falsehood” Propaganda Model
“Since its 2008 incursion into Georgia (if not before), there has been a remarkable evolution in Russia’s approach to propaganda.  The country has effectively employed new dissemination channels and messages in support of its 2014 annexation of the Crimean peninsula, its ongoing involvement in the conflicts in Ukraine and Syria, and its antagonism of NATO allies.  The Russian propaganda model is high-volume and multichannel, and it disseminates messages without regard for the truth.  It is also rapid, continuous, and repetitive, and it lacks commitment to consistency.  Although these techniques would seem to run counter to the received wisdom for successful information campaigns, research in psychology supports many of the most successful aspects of the model.  Furthermore, the very factors that make the firehose of falsehood effective also make it difficult to counter.  Traditional counterpropaganda approaches will likely be inadequate in this context.  More effective solutions can be found in the same psychology literature that explains the surprising success of the Russian propaganda model and its messages.”


Bashing companies with no underlying theory as justification seems to be a trend.  If a company competes globally, are they automatically too big because they are bigger than companies that do not go after global markets? 
Should America’s Tech Giants Be Broken Up?
As a former tour manager for Bob Dylan and The Band, Jonathan Taplin isn’t your typical academic.  Lately, though, he’s been busy writing somber tomes about market shares, monopolies, and online platforms.  His conclusion: Amazon.com, Facebook, and Google have become too big and too powerful and, if not stopped, may need to be broken up.


Very interesting.  References a University of Colorado Law Library study that suggests that even the best legal search engines are inadequate if used alone. 
New on LLRX – The Real “Black Box” Dilemma of Legacy Legal Research Tools
Via LLRX: The Real “Black Box” Dilemma of Legacy Legal Research Tools.  Andrew Arruda, CEO/Co-founder of ROSS Intelligence, talks about how new artificial intelligence methods currently under development to leverage deep learning and neural nets will be game changers in the area of legal research.


Another “This is good for you” study.  Since I drink coffee in the morning, have a glass of wine in the evening, and read constantly, I might live forever!
Science concurs with librarians about value of reading actual books
Mic.com – “It’s no secret that reading is good for you.  Just six minutes of reading is enough to reduce stress by 68%, and numerous studies have shown that reading keeps your brain functioning effectively as you age.  One study even found that elderly individuals who read regularly are 2.5 times less likely to develop Alzheimer’s than their peers.  But not all forms of reading are created equal.  The debate between paper books and e-readers has been vicious since the first Kindle came out in 2007.  Most arguments have been about the sentimental versus the practical, between people who prefer how paper pages feel in their hands and people who argue for the practicality of e-readers.  But now science has weighed in, and the studies are on the side of paper books.  Reading in print helps with comprehension.  A 2014 study found that readers of a short mystery story on a Kindle were significantly worse at remembering the order of events than those who read the same story in paperback.  Lead researcher Anne Mangen of Norway’s Stavanger University concluded that ‘the haptic and tactile feedback of a Kindle does not provide the same support for mental reconstruction of a story as a print pocket book does.’”

Sunday, July 23, 2017

Where were the thoughtful managers? 
Catalin Cimpanu reports:
The Swedish government has exposed sensitive details on millions of citizens in one of the biggest government screw-ups ever, and the official responsible for the whole fiasco was fined only half of her monthly salary, which is 70,000 Swedish krona — or around $8,500.
The leak happened in September 2015, when the Swedish Transport Agency (STA) decided to outsource the management of its database and other IT services to companies such as IBM in the Czech Republic, and NCR in Serbia.
Read more on BleepingComputer.
[From the article: 
It was only in March 2016 that the Swedish Secret Service realized what had happened and started an investigation, warning other government agencies that unauthorized foreigners were now in control of their IT systems after the STA had bypassed necessary security checks just to expedite the transition to the new IT system, as it wanted to fire local IT staff.
According to several Swedish newspapers, the leaked data included:
- Data from all drivers licenses in Sweden
- Personal details of all persons in Sweden's witness relocation program
- Personal details of Sweden's elite military units
- Personal details of Sweden's fighter pilots
- Personal details of all of Sweden's pilots and air controllers
- Personal details of all Swedish citizens in a police register
- Details of all Swedish government and military vehicles
- Details about Sweden's road and transportation infrastructure


How do errors like this even happen?  Normal procedure would be to look at the entire dataset and copy selected records to a new file.  This looks like, “Give them a copy of the file.  The data they want is probably in there somewhere.” 
Wells Fargo Accidentally Releases Trove of Data on Wealthy Clients
When a lawyer for Gary Sinderbrand, a former Wells Fargo employee, subpoenaed the bank as part of a defamation lawsuit against a bank employee, he and Mr. Sinderbrand expected to receive a selection of emails and documents related to the case.
But what landed in Mr. Sinderbrand’s hands on July 8 went far beyond what his lawyer had asked for: Wells Fargo had turned over — by accident, according to the bank’s lawyer — a vast trove of confidential information about tens of thousands of the bank’s wealthiest clients.
The 1.4 gigabytes of files that Wells Fargo’s lawyer sent included copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them.
   By Mr. Sinderbrand’s estimate, he has financial information for at least 50,000 individual customers. 
   The files were handed over to Mr. Sinderbrand with no protective orders and no written confidentiality agreement in place between his lawyers and Wells Fargo’s.
   The disclosure is a data breach that potentially violates a bevy of state and federal consumer data privacy laws that limit the release of personally identifiable customer information to outside parties.
State and federal regulations also require companies to notify customers when their information has been improperly released, as Wells Fargo may now do.
   Based on the fairly narrow subpoena that his lawyer submitted — it sought communications about Mr. Sinderbrand’s employment and compensation — there was no reason for the bank to turn over such information, especially without any redactions, Mr. Sinderbrand said.


Sounds like a “we gotta do something” law.
UK to bring in drone registration
It will affect anyone who owns a drone which weighs more than 250 grams (8oz).
   There is no time frame or firm plans as to how the new rules will be enforced and the Department of Transport admitted that "the nuts and bolts still have to be ironed out".
   "There will be people who will simply not be on the system, that's inevitable."
Similar registration rules in the US were successfully challenged in court in March 2017 and as a result are currently not applicable to non-commercial flyers.
Dr McKenna said there were also issues around how a drone's owner could be identified by police and whether personal liability insurance should also be a legal requirement in the event of an accident.