Friday, June 08, 2018

No doubt I’ll have more recruiters interrupting my Computer Security class. Backups people, backups!
Atlanta officials reveal worsening effects of cyber attack
… Atlanta’s administration has disclosed little about the financial impact or scope of the March 22 ransomware hack, but information released at the budget briefings confirms concerns that it may be the worst cyber assault on any U.S. city.
More than a third of the 424 software programs used by the city have been thrown offline or partially disabled in the incident, Atlanta Information Management head Daphne Rackley said. Nearly 30 percent of the affected applications are considered “mission critical,” affecting core city services, including police and courts.
Initially, officials believed the reaches of the cyber assault on city software was close to 20 percent and that no critical applications were compromised, Rackley said.
… Rackley anticipated an additional $9.5 million would be needed by her department in the coming year due to the hacking. That would be a sharp increase from the $35 million Mayor Keisha Lance Bottoms suggested for the technology department in her budget pitch, which was delayed in the cyber incident.
… Departments citywide, including municipal courts, told the council on Wednesday about their struggles to regain workplace normalcy since the attack. Interim City Attorney Nina Hickson said her office lost 71 of 77 computers as well as a decade of legal documents.
The discussions came two days after Atlanta Police Chief Erika Shields told local television news station WSB-TV 2 that the hack wiped out police dash-cam recordings. “That is lost and will not be recovered,” she said in a brief televised interview.

Something my Computer Security students should be asking their organization’s lawyers. WWTJS: What Would Thomas Jefferson Say (T-shirts sold separately.)
Alison Frankel writes about what she calls the less obvious takeaway from the 11th Circuit’s LabMD opinion:
FTC enforcement actions for unfair practices cannot be based just on consumer injury, even “substantial” injury.
This is going to get wonky, but, trust me, it’s what cybersecurity defense lawyers are already buzzing about.
Read more on Reuters. And yes, that aspect of the ruling did not go unnoticed or uncommented upon on Twitter when the opinion was released. Consider, for example, this footnote from the opinion:
24 Section 5(n) now states, with regard to public policy, “In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.” We do not take this ambiguous statement to mean that the Commission may bring suit purely on the basis of substantial consumer injury. The act or practice alleged to have caused the injury must still be unfair under a well-established legal standard, whether grounded in statute, the common law, or the Constitution.
So there’s a lot to discuss about this opinion, and I think this point is going to pose a major hurdle for the FTC going forward in data security cases. Where are they going to find statutory, common law, or constitutional bases for declaring specific acts or practices “unfair?” Will they start engaging in rule- or regulation-writing? I am guessing, based on their history of enforcement, that they will turn to common law, but I look forward to reading what scholars and litigators think.

New laws to consider. Will anyone summarize what we learn?
New Data Privacy Regulations
… If consumers don't even know where these data brokers are getting their data from and what they're doing with it, they can't make intelligent buying choices.
This is starting to change, thanks to a new law in Vermont and another in Europe. And more legislation is coming.
Vermont first. At the moment, we don't know how many data brokers collect data on Americans. Credible estimates range from 2,500 to 4,000 different companies. Last week, Vermont passed a law that will change that.
The law does several things to improve the security of Vermonters' data, but several provisions matter to all of us. First, the law requires data brokers that trade in Vermonters' data to register annually.
… A 2018 California ballot initiative could help. Among its provisions, it gives consumers the right to demand exactly what information a data broker has about them. If it passes in November, once it takes effect, lots of Californians will take the list of data brokers from Vermont's registration law and demand this information based on their own law.
… We will also benefit from another, much more comprehensive, data privacy and security law from the European Union. The General Data Protection Regulation (GDPR) was passed in 2016 and took effect on 25 May. The details of the law are far too complex to explain here, but among other things, it mandates that personal data can only be collected and saved for specific purposes and only with the explicit consent of the user. We'll learn who is collecting what and why, because companies that collect data are going to have to ask European users and customers for permission.
… In the coming weeks and months, you're going to see other companies disclose what they're doing with your data. One early example is PayPal: in preparation for GDPR, it published a list of the over 600 companies it shares your personal data with. Expect a lot more like this.

"Amateurs talk strategy. Professionals talk logistics." Gen. Omar Bradley (probably)
Google Renounces AI Weapons; Will Still Work With Military
Google pledged not to use its powerful artificial intelligence for weapons, illegal surveillance and technologies that cause "overall harm." But the company said it will keep working with the military in other areas, giving its cloud business the chance to pursue future lucrative government deals.

All of this had to be shipped to a rather small geographic area, right? Amazon didn’t notice that?
How this young Indiana couple stole $1.2 million from Amazon
On Monday, a U.S. District Court judge sentenced a Muncie, Indiana married couple to nearly six years in prison apiece for stealing more than $1.2 million in consumer electronics from e-commerce giant Amazon.
… Between 2014 and 2016, the Finans created hundreds of fake online identities and Amazon accounts. They then used them to order more than 2,700 electronics products — GoPro digital cameras, Microsoft Xboxes, Apple Macbooks, Microsoft Surface tablets and more, federal authorities said in a press release announcing their sentencing.
After ordering the products, the Finans would tell the company that the products had arrived damaged or that they did not work.
Amazon's famously friendly customer service policy allows customers to "receive a replacement before they return a broken item," in some cases, according to a release from the U.S. Attorney's Office, Southern District of Indiana.
Amazon keeps a close eye on customers' accounts to track any potential fraud. But the government said the Finans were able to get away with receiving the replacement products before returning the supposedly damaged goods by using their long list of false identities to simply abandon each fake account before their fraud was discovered.
So the Finans would ask Amazon to send replacement products at no charge. Once Amazon would comply, the Finans then sold the stolen merchandise to an accomplice, Danijel Glumac, 29, who sold the items to an entity in New York that would sell the products to the public.
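The scheme above worked because each fake account was abandoned before per-account fraud monitoring caught up with it, while the replacements kept shipping to the same few places. As an added illustration (not code from the article, Amazon, or the court filings), the following Python sketch groups replacement-before-return claims by normalized ship-to address rather than by account, so a handful of addresses receiving unreturned replacements from many distinct accounts stands out. The record shape, the sample claims and the thresholds are all constructed for the example.

```python
import string
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ReplacementClaim:
    """One 'item arrived damaged, please send a replacement' request.
    Constructed record shape for this example; not a real retailer schema."""
    account_id: str
    ship_to: str            # free-text shipping address as entered by the customer
    item_value: float       # value of the replacement that was shipped
    original_returned: bool # did the supposedly damaged original ever come back?


_PUNCT = str.maketrans("", "", string.punctuation)


def normalize_address(addr: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so that trivially
    re-spelled addresses ('123 ELM ST.' vs '123 Elm St') land in one bucket."""
    return " ".join(addr.lower().translate(_PUNCT).split())


def group_by_address(claims):
    """Bucket claims by normalized ship-to address, ignoring which account filed them."""
    groups = defaultdict(list)
    for claim in claims:
        groups[normalize_address(claim.ship_to)].append(claim)
    return groups


def flag_addresses(claims, min_accounts=3, min_unreturned_value=500.0):
    """Return addresses where many distinct accounts received replacements and the
    originals were never returned. Thresholds are illustrative assumptions."""
    flagged = []
    for addr, group in group_by_address(claims).items():
        accounts = {c.account_id for c in group}
        unreturned = sum(c.item_value for c in group if not c.original_returned)
        if len(accounts) >= min_accounts and unreturned >= min_unreturned_value:
            flagged.append({
                "ship_to": addr,
                "accounts": len(accounts),
                "unreturned_value": round(unreturned, 2),
            })
    return sorted(flagged, key=lambda f: f["unreturned_value"], reverse=True)


# Constructed sample claims. One address collects replacements from four throwaway
# accounts with almost nothing returned; the others look like ordinary customers.
SAMPLE_CLAIMS = [
    ReplacementClaim("u1", "123 Elm St, Muncie, IN", 399.99, False),
    ReplacementClaim("u2", "123 ELM ST., Muncie, IN", 499.00, False),
    ReplacementClaim("u3", "123 elm st  muncie in", 1299.00, False),
    ReplacementClaim("u4", "123 Elm St, Muncie, IN", 899.00, True),
    ReplacementClaim("b1", "9 Harbor View, Portland, ME", 59.99, True),
    ReplacementClaim("c1", "40 Oak Ave, Denver, CO", 299.00, True),
    ReplacementClaim("c2", "40 Oak Ave, Denver, CO", 299.00, False),
]


if __name__ == "__main__":
    for hit in flag_addresses(SAMPLE_CLAIMS):
        print(hit)
```

The point of the design is the pivot: per-account velocity checks see four accounts with one claim each, which is unremarkable, while the address-level view sees one location absorbing four unreturned replacements. A real deployment would add more join keys (payment instrument, device fingerprint, carrier pickup point) and tune the thresholds against historical claim data.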




Who’d a thunk it?
Paper – Scholarly Twitter metrics
Scholarly Twitter metrics, Stefanie Haustein (Submitted on 6 Jun 2018) – to be published in W. Glänzel, H.F. Moed, U. Schmoch, & M. Thelwall (Eds.), Handbook of Quantitative Science and Technology Research, Springer. 40 pages, 5 figures, 7 tables. Cite as: arXiv:1806.02201 [cs.SI] (or arXiv:1806.02201v1 [cs.SI] for this version)
“Twitter has arguably been the most popular among the data sources that form the basis of so-called altmetrics. Tweets to scholarly documents have been heralded as both early indicators of citations as well as measures of societal impact. This chapter provides an overview of Twitter activity as the basis for scholarly metrics from a critical point of view and equally describes the potential and limitations of scholarly Twitter metrics. By reviewing the literature on Twitter in scholarly communication and analyzing 24 million tweets linking to scholarly documents, it aims to provide a basic understanding of what tweets can and cannot measure in the context of research evaluation. Going beyond the limited explanatory power of low correlations between tweets and citations, this chapter considers what types of scholarly documents are popular on Twitter, and how, when and by whom they are diffused in order to understand what tweets to scholarly documents measure. Although this chapter is not able to solve the problems associated with the creation of meaningful metrics from social media, it highlights particular issues and aims to provide the basis for advanced scholarly Twitter metrics.”

(Related) Scholarly Facebook data.
From Bach to Rock: How Music Preferences Predict Behavior
If the aggressive rap of Eminem is an auditory assault that sends you searching for smooth jazz, you’re probably a person with a high level of openness. That’s one interpretation from a study that looks at the link between music and personality. The study, by Wharton marketing professor Gideon Nave, has wide-ranging implications in our data-driven world. Companies that collect data to tailor product offerings, for example, can gain more insight by looking at their customers’ online playlists. Nave joined Knowledge@Wharton to discuss the paper, “Musical Preferences Predict Personality: Evidence from Active Listening and Facebook Likes.”