Saturday, November 17, 2018

It doesn’t have to be a hack; poor management is enough.
Nordstrom shares slide over credit card screw-up
During its third quarter earnings call Thursday, Nordstrom said it had to refund $72 million to some credit card users because it accidentally charged them a higher interest rate. The admission sparked a sell-off Friday, sending the stock down more than 12%.
… Nordstrom's quarterly profit fell 42% because of the credit card refunds. The company said if it wasn't for the screw-up, its earnings would have been "slightly ahead" of its expectations. Sales grew 3%.
The Seattle-based company's recent shift into digital is still paying off. Digital sales grew 20% year-to-date and its website now makes up 30% of its overall business.




Another example of the use of GDPR to force companies into compliance, short of a 4%-of-revenue fine. “You did it wrong, now do it over!”
Kristof Van Quathem and Anna Oberschelp de Meneses of Covington & Burling write:
On November 9, 2018, the French Supervisory Authority for Data Protection (known as the “CNIL”) announced that it issued a formal warning (available here) ordering the company Vectaury to change its consent experience for customers and purge all data collected on the basis of invalid consent previously obtained.
Vectaury is an advertising network that buys online advertising space on behalf of its customers (advertisers). The company also offers a software tool that advertisers can integrate into their apps to collect geolocation data and information on the device and browser of users.
Read more on Inside Privacy.




For our discussion of “(in)security by design.”
Many ATMs Can be Hacked in Minutes: Report
According to the study, 85% of the ATMs that were analyzed are vulnerable to network-level attacks as means to fraudulently dispense the cash inside. With access to the network to which the machine is connected, an attacker would only need about 15 minutes to compromise the machine, the security researchers say.
The report also shows that 27% of the tested ATMs were vulnerable to the spoofing of processing center, an attack scenario where the connection to the processing center is not properly secured, allowing the attacker to manipulate


(Related) There have been many unsecured databases on AWS recently. This may help, if users take advantage.
AWS rolls out new security feature to prevent accidental S3 data leaks
… Starting today, AWS account owners will have access to four new options inside their S3 dashboards under the "Public access settings for this account" section.
These four new options allow the account owner to set a default access setting for all of an account's S3 buckets. These new account-level settings will override any existing or newly created bucket-level ACLs (access control lists) and policies.
… The new settings are meant to work as a master switch that prevents account owners or their employees/developers from accidentally opening S3 buckets and their data to the public by coding or misconfiguration errors at the app/bucket level.
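To make the override concrete, here is an added example (not AWS code, not from the ZDNet piece) that models how the four account-level settings interact with a bucket's existing ACL and policy. The setting names are AWS's documented ones; the ACL and policy shapes follow what boto3's get_bucket_acl / get_bucket_policy return; the two buckets are constructed for the example. The one simplification is in policy_is_public, which flags only unconditioned wildcard-principal statements, whereas S3's own evaluation also counts some conditioned statements as public.

```python
"""How S3's account-level "Block Public Access" settings interact with
bucket-level ACLs and policies. Added example, not AWS code: the setting
names are the documented ones, the ACL/policy shapes follow what
get_bucket_acl / get_bucket_policy return, and the buckets are constructed."""
import json

# Grantee URIs that make an ACL grant public (anyone, or any AWS account).
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four account-level settings; all True is the "master switch".
BLOCK_ALL = {
    "BlockPublicAcls": True,        # reject PUTs that would add a public ACL
    "IgnorePublicAcls": True,       # ignore public ACLs that already exist
    "BlockPublicPolicy": True,      # reject PUTs of a public bucket policy
    "RestrictPublicBuckets": True,  # confine an existing public policy to the account
}
NO_BLOCK = {}                       # the old default: nothing overridden


def acl_is_public(acl):
    """True if any grant goes to the AllUsers or AuthenticatedUsers group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            return True
    return False


def _aws_principals(principal):
    """Normalise the Principal element to a list of AWS principal strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws if isinstance(aws, list) else [aws]
    return []


def policy_is_public(policy):
    """True if an Allow statement names the wildcard principal and has no
    Condition. Simplification: S3's own evaluation also treats statements
    with weak conditions as public; this flags only the unconditioned case."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _aws_principals(stmt.get("Principal")) and not stmt.get("Condition"):
            return True
    return False


def effectively_public(acl, policy, settings):
    """Is the bucket reachable by anonymous callers once the account-level
    settings apply? IgnorePublicAcls and RestrictPublicBuckets act on state
    that already exists; the two Block* settings only stop future writes."""
    acl_exposes = acl_is_public(acl) and not settings.get("IgnorePublicAcls", False)
    policy_exposes = (policy is not None and policy_is_public(policy)
                      and not settings.get("RestrictPublicBuckets", False))
    return acl_exposes or policy_exposes


def write_allowed(settings, acl=None, policy=None):
    """Would a PutBucketAcl / PutBucketPolicy with this content be accepted?"""
    if acl is not None and settings.get("BlockPublicAcls") and acl_is_public(acl):
        return False
    if policy is not None and settings.get("BlockPublicPolicy") and policy_is_public(policy):
        return False
    return True


# Constructed sample state for two imaginary buckets (not real buckets).
OWNER_ONLY_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                              "Permission": "FULL_CONTROL"}]}
PUBLIC_READ_ACL = {"Grants": OWNER_ONLY_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PUBLIC_GET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for label, acl, policy in [("acl-public", PUBLIC_READ_ACL, None),
                               ("policy-public", OWNER_ONLY_ACL, PUBLIC_GET_POLICY)]:
        print(label, "before:", effectively_public(acl, policy, NO_BLOCK),
              "after:", effectively_public(acl, policy, BLOCK_ALL))
```

Applying the real switch is one call, boto3's s3control client put_public_access_block with AccountId and PublicAccessBlockConfiguration set to the BLOCK_ALL dictionary above; the point of the model is that the two Ignore/Restrict settings are what close holes that already exist, while the two Block settings only stop new ones being opened.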




This is not a new type of crime. You give the “kidnappers” all the information they need on social media.
Olympic swimmer Rowdy Gaines said scammers pretended to hold his daughter hostage
Olympic swimmer Rowdy Gaines is issuing a warning after his family almost became victims of a virtual kidnapping scam when they received a disturbing phone call from a stranger saying his daughter was being held hostage.
… Virtual kidnapping scams have been around for almost two decades. FBI Los Angeles Special Agent Erik Arbuthnot said in a 2017 report that it started happening more in the United States in 2015 and scammers typically choose various cities and will then cold-call "hundreds of numbers until innocent people fell for the scheme."




Perspective.
Why Ford Is Getting Into The Scooter Business
… Ford is buying electric scooter company Spin.
Ford and Spin won't confirm the price tag, but reports put the purchase price at $100 million and an overall investment from Ford of $200 million.
… Automakers are trying to broaden their business — to become "mobility" companies rather than just selling cars.
… This wasn't Ford's first foray into scooters and bikes. The automaker funded a project at Purdue University that brought 40 scooters to the West Lafayette, Ind., campus. Ford sponsors GoBike, which offers rentals of regular and electric bikes in the San Francisco Bay Area. Ford also sells its own licensed brand electric scooter through a company called Ojo. The scooters go for about $2,200.
… Another reason fueling Ford's purchase of Spin goes back to the way tech companies make money: collecting personal information, Drury says.
"This is a deal that makes sense because [Ford] will acquire data," he says. "Acquiring and knowing how people are utilizing other modes of transportation in addition to the ones that they already have."




Perspective. #2 is eBay, #5 is Home Depot.
Walmart passes Apple to become No. 3 online retailer in U.S.
Walmart has overtaken Apple to become the No. 3 online retailer in the U.S., according to a report this week from eMarketer. While Amazon still leads by a wide margin, accounting for 48 percent of e-commerce sales in 2018, Walmart – including also Sam’s Club and Jet.com – is poised to capture 4 percent of all online retail spending in the U.S. by year-end, totaling $20.91 billion.




Apropos of nothing, I think this is an interesting idea.
Pirate Studios raises $20M from Talis Capital for its ‘self-service’ tech-enabled music studios
Pirate Studios, the music technology company that operates fully automated and self-service 24 hour music studios, has secured $20 million. The investment was led by Talis Capital, the London-based VC family office.
… what really sets Pirate Studios apart from a lot of existing rehearsal rooms and music production and recording studios, is that the startup is employing a lot of tech to power the logistics around its service and, in theory, make it a lot more scalable. This includes online booking, 24 hour keycode access, and other IoT controls for managing facilities.
… in just three years, Pirate has grown to 350 studios in 21 locations, including London, New York, and Berlin.




Sounds like my students.


Friday, November 16, 2018

This is changing. The GDPR is only the first of many laws and regulations that will make breaches much more expensive. (Even “material” in the accounting sense.)
Erik Sherman reports:
If you live in the United States, there’s almost a 50 percent chance your personal data was lost in the giant Equifax data breach a year ago of 143 million records. Google had its own data breach in October this year that exposed data on as many as 500,000 accounts. Or the most recent Facebook breach of data from 29 million users. Or, over the last five years alone, major breaches at Anthem, eBay, JPMorgan Chase, Home Depot, Yahoo, Target, Adobe … but you get the point. If it’s a day that ends in “day,” there must have been another major data breach that keeps criminal hackers gainfully employed by selling your information.
Bad guys keep getting smarter, experts say. Why not corporations? The short answer is, because it’s not worth their trouble.
Read more on Motherboard.


(Related) For my students.
List of free GDPR resources and templates
  1. Webinars: Supporting you in your GDPR compliance project
  2. Green paper: EU General Data Protection Regulation – A compliance guide
  3. Video: What does the GDPR mean for your business in the UK
  4. Infographic: What the GDPR means in 1 minute
  5. GDPR templates: Documenting your compliance




There is a way, but no one has used it yet (to my knowledge). It requires voting machines to produce a paper voting summary with a random number. All the summaries are then published, in number order for voters to confirm. Any problem matching the voter’s copy with the “official” version is automatically documented. (There are a few more procedural steps, but nothing impossible to implement.)
Was Your Voting Machine Hacked? Without More User-Friendly Devices, We May Not Know
… In their preliminary review of Election Day, officials from the Department of Homeland Security reported vote-casting problems in Alabama, Georgia, Illinois, Indiana, Maine, North Carolina, Texas, and Virginia. But they said they did not detect “an outright hack of voting systems.” Good news, of course. Yet, our antiquated election infrastructure remains, on the whole, so unusable that even if voting machines were more secure, voters would still be acutely vulnerable to misinformation. This failure of “usability” means voters aren’t in a position to properly detect irregularities on the frontlines, a role that security specialists depend on from their end-users.
… When discussing the future of voting in the United States, it is absolutely right to call for verifiable, accurate, secure, and transparent voting systems. But in a world where “hacked,” “tampered,” and “rigged” is on the lips of many voters, we must provide the most important election stakeholders — the voters — with an easy, convenient, and intuitive voting experience.




Consider possible downsides. Could the watch tell your insurer that you are a bad risk? Could you “void” your insurance coverage?
UnitedHealthcare will pay for your Apple Watch if you meet your fitness goals
Back in 2016 UnitedHealthcare and Qualcomm teamed up on a fitness program called Motion. It's an incentive program that can earn you up to $1,460 a year by meeting fitness goals. While it started with a custom wearable, it soon added support for devices from Fitbit and then Samsung and Garmin.




Facebook: It’s where the data is!
Facebook reports a massive spike in government demands for data, including secret orders
Facebook has published the details of 13 historical national security letters it’s received for user data.
… These demands for data are effectively subpoenas, issued by the FBI without any judicial oversight, compelling companies to turn over limited amounts of data on an individual who is named in a national security investigation. They’re controversial — not least because they come with a gag order that prevents companies from informing the subject of the letter, let alone disclosing its very existence.
… (You can read all of the disclosed national security letters here.)
… Facebook’s latest transparency report shows that the number of government demands for data rocketed by 26 percent year-over-year, from 82,341 to 103,815 requests.
The U.S. government’s demands for customer data went up by 30 percent, to 42,466 total requests, Facebook said, affecting 70,528 accounts. The company said that more than half included a non-disclosure clause that prevented the company from informing the user.


(Related) Targeting better ads is very similar to finding high-level terrorists. I suspect Facebook hires people from certain government agencies to apply their skills.
Facebook Filed A Patent To Predict Your Household's Demographics Based On Family Photos
Facebook has submitted a patent application for technology that would predict who your family and other household members are, based on images and captions posted to Facebook, as well as your device information, like shared IP addresses. The application, titled “Predicting household demographics based on image data,” was originally filed May 10, 2017, and made public today. Facebook did not immediately respond to a request for comment, but the patent suggests that the company is interested in exploring the technology, which is intended to help Facebook target advertising more effectively.
… The system Facebook proposes in its patent application would use facial recognition and learning models trained to understand text to help Facebook better understand whom you live with and interact with most. The technology described in the patent looks for clues in your profile pictures on Facebook and Instagram, as well as photos of you that you or your friends post.
It would note the people identified in a photo, and how frequently the people are included in your pictures. Then, it would assess information from comments on the photos, captions, or tags (#family, #mom, #kids) — anything that indicates whether someone is a husband, daughter, cousin, etc. — to predict what your family/household actually looks like.




Lawyers do make mistakes, but this might work as well if it was deliberate. Will Ecuador change its mind about asylum?
Filing indicates indictment was prepared for Julian Assange
A court document filed by mistake has revealed that the Justice Department is preparing to criminally charge WikiLeaks founder Julian Assange.
In a slip unearthed by a former U.S. intelligence official and posted on Twitter, Assange’s name appears twice in an August court filing by a federal prosecutor in Virginia — an argument to keep sealed an unrelated case involving an accused child sex criminal.
The prosecutor wrote that the charges and arrest warrant “would need to remain sealed until Assange is arrested in connection with the charges in the criminal complaint and can therefore no longer evade or avoid arrest and extradition in this matter.”
At another point in the document, the prosecutor wrote that “due to the sophistication of the defendant and the publicity surrounding the case, no other procedure is likely to keep confidential the fact that Assange has been charged.”
… Assange came to prominence after WikiLeaks published secret military and diplomatic documents leaked in 2010 by Pvt. Chelsea Manning.
Manning served 7 years in prison, but WikiLeaks was not prosecuted. Justice Department lawyers concluded at the time that they could not charge Assange and WikiLeaks even as American newspapers, protected by the First Amendment, were publishing the leaked material.
But in recent years, U.S. officials have sought to distinguish WikiLeaks from journalists, as when then-CIA Director Mike Pompeo referred to it as a “hostile non-state intelligence organization.”




Who knew that space could get crowded?
FCC tells SpaceX it can deploy up to 11,943 broadband satellites
The Federal Communications Commission voted to let SpaceX launch 4,425 low-Earth orbit satellites in March of this year. SpaceX separately sought approval for 7,518 satellites operating even closer to the ground, saying that these will boost capacity and reduce latency in heavily populated areas. That amounts to 11,943 satellites in total for SpaceX's Starlink broadband service.




Where my academic world is headed.
Germany pledges €3bn investment in artificial intelligence
Germany will spend €3 billion to boost its artificial intelligence capabilities over the next six years, as part of a belated effort by Berlin to catch up with leading AI nations such as China and the United States.
… The strategy paper also promises the creation of 100 university chairs with a focus on AI, along with additional research centres to complement facilities such as the German Research Centre for Artificial Intelligence (DFKI), which was founded in 1988. In total, Germany is aiming for a network of 12 centres for research, development and application of AI technologies offering “internationally attractive working conditions and pay”.


Thursday, November 15, 2018

Legacy systems get a break: show that you are working to comply and they go easy. My problem is trying to teach students to build systems that are fully compliant from the start.
Ezra Steinhardt of Covington & Burling writes:
Earlier this year, in the run-up to the General Data Protection Regulation’s (“GDPR”) May 25, 2018 date of application, a major question for stakeholders was how zealously the GDPR would be enforced. Now, as the GDPR approaches its six-month birthday, an answer to that question is rapidly emerging. Enforcement appears to be ramping up significantly. In this post, we set out some of the most prominent regulatory enforcement developments so far — but bear in mind other investigations are also proceeding.
Read more on InsidePrivacy.




Interesting idea, but depends on timely notification. By the time anyone who reuses passwords gets notified, hackers have probably already used your password everywhere they can think of. Still, for those of us who follow breaches, it might flag one we missed.
Natasha Lomas reports:
Mozilla is adding a new security feature to its Firefox Quantum web browser that will alert users when they visit a website that has recently reported a data breach.
When a Firefox user lands on a website with a breach in its recent past they’ll see a pop up notification informing them of the barebones details of the breach and suggesting they check to see if their information was compromised.
“We’re bringing this functionality to Firefox users in recognition of the growing interest in these types of privacy- and security-centric features,” Mozilla said today. “This new functionality will gradually roll out to Firefox users over the coming weeks.”
Read more on TechCrunch.






Great new locks installed on the wrong door?
Chip Cards Fail to Reduce Credit Card Fraud in the US
A new study finds that credit card fraud has not declined since the introduction of chip cards in the US. The majority of stolen card information comes from hacked point-of-sale terminals.
The reasons seem to be twofold. One, the US uses chip-and-signature instead of chip-and-PIN, obviating the most critical security benefit of the chip. And two, US merchants still accept magnetic stripe cards, meaning that thieves can steal credentials from a chip card and create a working cloned mag stripe card.
Boing Boing post.




For Users: Makes signing into a new site very simple. For Hackers: Makes hacking the logon process very desirable.
Hmm. This one could result in big numbers.
A notification from Title Nine about Annex Cloud. Annex Cloud is a service provider that you may never have heard of but may have used many times. The notification explains:
Annex Cloud provides a service that enables individuals to use their user name and password from social media and other websites, like Facebook and Google, to log in to merchants’ websites, including www.titlenine.com. Annex Cloud recently informed Title Nine that they had detected and removed unauthorized code that had been inserted into Annex Cloud’s systems that operate its login application. In its report, Annex Cloud identified four periods of time when the unauthorized code was present and could have captured information entered during the checkout process on our website. We removed Annex Cloud’s code from our website and mailed letters to those customers to let them know what occurred.
Despite its first report that only identified four time periods, Annex Cloud informed Title Nine that they had identified additional time periods between December 28, 2017 and July 9, 2018 when the unauthorized code was or could have been present. If present, the unauthorized code could have captured information entered during the checkout process on our website. Through October 25, 2018, Title Nine sought additional information from Annex Cloud to determine the transactions that might be involved, and Annex Cloud supplied additional information about their analysis regarding these periods, including their belief that there are certain times inside these additional periods when it cannot be determined if the unauthorized code was present. Thus, we are notifying you because you entered information during the checkout process during a time period when it is possible the unauthorized code may have been present.
What Information Was Involved
The information entered during the checkout process that the code may have accessed includes name, address, payment card number, expiration date, and card security code (CVV).
So then today, I saw this notification from Stein Mart.
I wonder how many more notifications we will see linked to Annex Cloud.




As an old guy, I can remember working with many senior managers who had never touched a computer. That will never be true for anyone starting out today. You have to ask: Did they hire him to program or manage?
Japan's cyber-security minister has 'never used a computer'
Japan's new cyber-security minister has dumbfounded his country by saying he has never used a computer.
Yoshitaka Sakurada made the admission to a committee of lawmakers.
"Since I was 25 years old and independent I have instructed my staff and secretaries. I have never used a computer in my life," he said, according to a translation by the Kyodo news agency.
The 68-year-old was appointed to his post last month.
… But Mr Sakurada responded that other officials had the necessary experience and he was confident there would not be a problem.
However, his struggle to answer a follow-up question about whether USB drives were in use at the country's nuclear power stations caused further concern.
The disclosure has been much discussed on social media where the reaction has been a mix of astonishment and hilarity, with some noting that at least it should mean Mr Sakurada would be hard to hack.




I wonder if this asks all the required questions? Still, it’s a start.
Mozilla ranks dozens of popular ‘smart’ gift ideas on creepiness and security
If you’re planning on picking up some cool new smart device for a loved one this holiday season, it might be worth your while to check whether it’s one of the good ones or not. Not just in the quality of the camera or step tracking, but the security and privacy practices of the companies that will collect (and sell) the data it produces. Mozilla has produced a handy resource ranking 70 of the latest items, from Amazon Echos to smart teddy bears.




I’m going to look at this carefully before I comment. I had a brief vision of TSA Agents standing next to every computer controlled device in the country. Shudder!
Congress Passes Bill Creating Cybersecurity Agency at DHS
The U.S. House of Representatives this week passed a bill that creates a new cybersecurity agency at the Department of Homeland Security (DHS).
The Cybersecurity and Infrastructure Security Agency (CISA) Act, which passed the Senate in October, is headed to the president to be signed into law. Congress passed the legislation unanimously.
The bill reorganizes the National Protection and Programs Directorate (NPPD) into the Cybersecurity and Infrastructure Security Agency (CISA), and puts it in charge of cyber and physical infrastructure security.




Finding a balance must be hard. Facebook is missing some content they should take down and taking down some they should not.
70 of the world's leading human rights groups ask Mark Zuckerberg to create due process for censored content
Pam Cowburn from Article 19 sez, "Over 70 civil society groups have written to Mark Zuckerberg asking for Facebook to review its content removal processes and give all users the opportunity to appeal against content takedowns that they think have been made in error."




It’s a people problem.
Billions spent on armored school doors, bulletproof whiteboards and secret snipers
Washington Post: “Although school security has grown into a $2.7 billion market — an estimate that does not account for the billions more spent on armed campus police officers — little research has been done on which safety measures do and do not protect students from gun violence. Earlier this fall, The Washington Post sent surveys to every school in its database that had endured a shooting of some kind since the 2012 killings of 20 first-graders in Newtown, Conn., which prompted a surge of security spending by districts across the country. Of the 79 schools contacted, 34 provided answers, including Sandy Hook Elementary. Their responses to questions about what they learned — some brief but many rich in detail — provide valuable insight from administrators in urban, suburban and rural districts who, as a group, have faced the full spectrum of campus gun violence: targeted, indiscriminate, accidental and self-inflicted.
When asked what, if anything, could have prevented the shootings at their schools, nearly half replied that there was nothing they could have done. Several, however, emphasized the critical importance of their staffs developing deep, trusting relationships with students, who often hear about threats before teachers do. Only one school suggested that any kind of safety technology might have made a difference. Many had robust security plans already in place but still couldn’t stop the incidents…”




My students were adamant that no one could compete with Amazon.
Amazon Go competitor Standard Cognition raises $40 million to expand its cashierless store solution
Cashierless shopping feels a little bit like magic. There’s something indescribably awesome about being able to grab something from a shelf, stuff it in a coat pocket, and waltz away without having to contend with long lines or busted self-checkout machines. That “coolness” factor — along with the significant cost savings cashierless experiences promise — have given rise to a cottage industry of solutions led by standard-bearer Amazon and its Amazon Go chain.
The space’s startups have been mostly retailer-agnostic so far, and it’s no wonder why — brick-and-mortar space is expensive. San Francisco-based Standard Cognition this summer announced a partnership with Paltac in Japan that will see its autonomous checkout solution deployed in 3,000 stores, along with unnamed retailers in North America and Europe — and it’s impressed investors with its progress.




Perspective. My students have been looking at the wider economic impacts.
How Autonomous Vehicles Will Upend Transportation
Knowledge@Wharton: How will it change the trucking industry?
Burns: When you look at an over-the-road tractor, ask yourself: What parts are on that tractor because there’s a driver in it? The windshield, the doors, the seats, the steering controls, the brakes — you begin to get the picture. In fact, the parts you can take off of that tractor will likely cost more than the parts you’re going to add to make it autonomous.
… After this DARPA Urban Challenge, the only company that really stepped up for public road use application of this was Google. Larry Page and Sergey Brin challenged a small team of the participants in that DARPA challenge to come up with a vehicle that could go on public roads and prove the concept out.
The auto industry was in denial for five or six years. We re-create that in Autonomy. We tell the story of how Google got started into this area, and then how some of the engineers on Google’s team reached out to the auto industry and had the door slammed in their face.




The squeaky wheel. (My students would agree.)


Wednesday, November 14, 2018

The best hacks always try to look like an innocent mistake. Sometimes mistakes look like they aren’t so innocent.
Google Internet Traffic Wasn't Hijacked, But It Was Out of Control
For two hours Monday, internet traffic that was supposed to route through Google's Cloud Platform instead found itself in quite unexpected places, including Russia and China. But while the haphazard routing invoked claims of traffic hijacking—a real threat, given that nation states could use the technique to spy on web users or censor services—the incident turned out to be a simple mistake with outsized impacts.
Google noted that almost all traffic to its services is encrypted, and wasn't exposed during the incident no matter what. As traffic pinballed across ISPs, though, some observers, including the monitoring firm ThousandEyes, saw signs of malicious BGP hijacking—a technique that manipulates the web's Border Gateway Protocol, which helps ISPs automatically collaborate to route traffic seamlessly across the web.
ThousandEyes saw Google traffic rerouting over the Russian ISP TransTelecom, to China Telecom, toward the Nigerian ISP Main One. "Russia, China, and Nigeria ISPs and 150-plus [IP address] prefixes—this is obviously very suspicious," says Alex Henthorne-Iwane, vice-president of product marketing at ThousandEyes. "It doesn’t look like a mistake."
… In this case, it appears that the Russian and Chinese ISPs, and perhaps others as well, offered a path to the Google traffic because they hadn't implemented protective configurations. [Think of it as keeping a door open for anything you can grab. Bob]
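One of the “protective configurations” a transit network can run is route-origin validation (RFC 6811): an announcement is checked against published Route Origin Authorizations before it is accepted, so a prefix that shows up from the wrong origin AS, or as a more specific than its ROA allows, is dropped instead of propagated. The example below is added here and is not Google’s, ThousandEyes’ or any ISP’s code; the prefixes and AS numbers are the documentation values from RFC 5737 and RFC 5398, constructed for the example, and the drop-invalid policy is a common but not universal choice.

```python
"""Route-origin validation (RFC 6811) against a set of ROAs, followed by a
drop-invalid import policy. Added example; prefixes and ASNs are the RFC
documentation values, constructed for this illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: `asn` may originate `prefix` and any
    more-specific prefix no longer than `max_length` bits."""
    prefix: str
    max_length: int
    asn: int


VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


def validate_origin(prefix, origin_asn, roas):
    """Return the RFC 6811 validation state of one announcement."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return NOT_FOUND      # nobody has published a ROA for this space
    for roa in covering:
        # An AS 0 ROA exists only to say the space must never be announced.
        if roa.asn == origin_asn and roa.asn != 0 and net.prefixlen <= roa.max_length:
            return VALID
    return INVALID            # wrong origin, or more specific than allowed


def filter_updates(updates, roas, accept_not_found=True):
    """Apply a drop-invalid policy to (prefix, origin_asn) updates.
    Returns [(prefix, origin_asn, state, accepted), ...]."""
    out = []
    for prefix, origin_asn in updates:
        state = validate_origin(prefix, origin_asn, roas)
        accepted = state == VALID or (state == NOT_FOUND and accept_not_found)
        out.append((prefix, origin_asn, state, accepted))
    return out


# Constructed ROAs (documentation prefixes and ASNs, not real operators).
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/22", 24, 64497),
    Roa("203.0.113.0/24", 24, 0),    # reserved: no AS may originate it
]

# Constructed updates: the legitimate route, a hijack from a foreign AS,
# a /25 leak more specific than the ROA allows, an allowed /23, an
# announcement of AS-0 space, and IPv6 space with no ROA at all.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/25", 64497),
    ("198.51.100.0/23", 64497),
    ("203.0.113.0/24", 64498),
    ("2001:db8::/32", 64496),
]

if __name__ == "__main__":
    for prefix, asn, state, accepted in filter_updates(SAMPLE_UPDATES, SAMPLE_ROAS):
        print("%-18s AS%-6d %-9s %s" % (prefix, asn, state, "accept" if accepted else "drop"))
```

The caveat a practitioner would add: origin validation catches a wrong origin AS and over-specific announcements, but a leak that re-advertises someone else’s routes with the legitimate origin still in the AS path passes it, so the upstream also needs explicit prefix-list or peer-type filters on what a customer or peer is allowed to hand it.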




Think of this as a guide to social engineering of senior management.
Heads rolled in this one, when executives did not spot or prevent business email compromise. As reported by DutchNews.nl:
The Dutch operation of the Pathé cinema group was ripped off by internet con men to the tune of over €19m, court documents published on Friday show.
The con cost both the chief executive and financial director of the Dutch operation their jobs, and it is unclear if any of the money has been recovered.
The court documents, which cover the unfair dismissal case brought by sacked finance chief Edwin Slutter, show in detail how the thieves went about scamming Pathé Nederland earlier this year.
Read more at DutchNews.nl.




One person ignoring one procedure and no one checked?
20,667 Drunken-Driving Convictions Tainted by Bad Breathalyzer Test in New Jersey
More than 20,000 drunken-driving convictions in New Jersey could be in jeopardy after the state’s highest court ruled on Tuesday that breathalyzer tests used to win those judgments were inadmissible.
The unanimous ruling by the Supreme Court stems from criminal charges brought more than two years ago against a State Police sergeant who was accused of falsifying calibration records on breath test devices that were used in five of New Jersey’s 21 counties.
It is unclear how state courts and law enforcement officials will now proceed. The Supreme Court ruling does not automatically expunge all the drunken-driving convictions, but the justices did note that defendants tested by the affected breath machines could now seek to challenge their convictions.




This looks like the “Big is always bad” argument mixed with a bit of the “we are powerless to stop them” rant.
Google, Facebook, and Amazon benefit from an outdated definition of “monopoly”
Quartz: “…big tech companies have amassed so much power that even Apple CEO Tim Cook has called for stricter regulations to be placed on them. Google owns 92% market share of internet searches, Facebook an almost 70% share of social networks. Both have a duopoly in advertising with no credible competition or regulation. [Incredible! Bob] Amazon, meanwhile, is crushing retailers and faces conflicts of interest as both the dominant e-commerce seller and the leading online platform for third-party sellers. Apple’s iPhone and Google’s Android completely control the mobile app market, and they determine whether businesses can reach their customers and on what terms. So why hasn’t the Federal Trade Commission (FTC) taken action to break up these companies?
I believe that an outdated interpretation of antitrust law is partly to blame. For decades the standard for evaluating whether to break up monopolies, or block the mergers that create them, has been “consumer welfare.” And this consumer welfare standard has predominantly been interpreted as low prices. If companies can show that a merger or acquisition would not impact prices, for the most part, they win approval. But in the context of technology companies—which often offer “free” platforms and instead sell user attention as their product—this low-prices-focused paradigm makes no sense…”


(Related) ...and Facebook has replaced governments?
Digital Journalism and the New Public Square – Or’ Emet Lecture
A few months ago, the Guardian published a remarkable story revealing that a Cambridge University researcher had harvested as many as 50 million Facebook profiles for Cambridge Analytica, a data analytics firm headed at the time by Steve Bannon, one of Donald Trump’s key advisors.
… Most of you probably remember the Guardian’s story. You may not be familiar, though, with what happened the day before it was published. As the Guardian’s editors were readying their story for print, their lawyers received a letter from Facebook. The letter threatened a lawsuit if the Guardian went ahead with the story. Facebook knew the story would provoke disbelief and outrage and perhaps even a regulatory response, so it tried to quash it with the threat of a lawsuit.
… What are the mechanisms of this influence? In a new article, the legal scholar Kate Klonick argues that the social media platforms should be thought of as “systems of governance,” because they’re now the principal regulators of speech that takes place online. Through their control of the new public square, the platforms are exercising power we ordinarily associate with state actors.




Perspective.
Google Data Collection Is More Extensive and Intrusive Than You Ever Imagined
A new 55-page report from Digital Content Next and Vanderbilt University on Google data collection practices has raised new questions about the extent to which the top tech companies in the world collect and collate user data without their permission or knowledge. The report, authored by Douglas Schmidt, a professor of Computer Science at Vanderbilt, is a detailed look at “a day in the life” of a typical Internet user, offering a never-before-seen look at just how much data Google collects on the average user.


Tuesday, November 13, 2018

The question is: can my Ethical Hackers do the same? (Can we try it on your VW?)
Volkswagen owners can use Siri Shortcuts to unlock their car




Obviously it’s a variation of the old “these are not the droids you are looking for” Jedi mind trick. No evidence of attack means no budget for defense. Remember, it’s the President they’re worried about.
Russian Hackers Largely Skipped the Midterms, and No One Really Knows Why
After unleashing widespread cyberattacks and disinformation warfare on the U.S. during the 2016 presidential election, Russia’s trolls and hackers mostly appeared to have sat on the sidelines during the campaign ahead of last week’s midterm elections.
No one is sure why.




Another concern for developers.
New IoT Security Regulations
… It falls upon lawmakers to create laws that protect consumers. While the US government is largely absent in this area of consumer protection, the state of California has recently stepped in and started regulating the Internet of Things, or "IoT" devices sold in the state and the effects will soon be felt worldwide.
California's new SB 327 law, which will take effect in January 2020, requires all "connected devices" to have a "reasonable security feature." The good news is that the term "connected devices" is broadly defined to include just about everything connected to the internet. The not-so-good news is that "reasonable security" remains defined such that companies trying to avoid compliance can argue that the law is unenforceable.




Sound familiar?
WhatsApp overwhelmed by volume of fake news spread in India...
A lack of trust in the mainstream media has led to dissemination of a large amount of false digital information on social networks, but in India it appears things have taken a turn for the worse, according to BBC researchers.
… WhatsApp is having a hard time ending or controlling disinformation, found the BBC World Service. The practice is linked to growing Hindu nationalism and the dropping price of mobile phone data, as well as strong encryption behind WhatsApp communication. It’s not uncommon for Indians to put more faith in what an acquaintance says, than in the traditional media.
… Research leader Dr Santanu Chakrabarti says the current Indian prime minister, known for validating Hindu nationalism, has created the belief that it is their duty to spread the information through the group-messaging app, as they assume it has already been checked and confirmed.
“They are effectively looking for validation of their belief systems,” he said. “On these platforms, then, validation of identity trumps verification of the fact.”




The revision of the auto industry or a whole new ballgame?
Waymo to Start First Driverless Car Service Next Month
… Waymo, the secretive subsidiary of Google’s parent company, Alphabet Inc., is planning to launch the world’s first commercial driverless car service in early December, according to a person familiar with the plans. It will operate under a new brand and compete directly with Uber and Lyft.
Waymo is keeping the new name a closely guarded secret until the formal announcement, said the person, who asked not to be identified because the plans haven’t been made public.
… When Waymo starts its commercial program, there will be backup drivers in some cars to help ease customers into the service and to take over if necessary, according to the person familiar with the plans. The fleet of heavily modified Chrysler Pacifica minivans will drive themselves more than 99.9 percent of the time, based on data from Waymo’s test program submitted to California regulators.




An interesting (if somewhat comic book formatted) article to encourage my Architecture students to consider the difficulties of playing catch-up.
Walmart has apparently been worried about Amazon for more than 15 years — here are all of the changes it has made to keep up in the online-shopping battle




Confusion by over-thinking? Trying to control every uncontrollable thing?
… Take the global music hit “Despacito”. This video contains multiple copyrights, ranging from sound recording to publishing rights. Although YouTube has agreements with multiple entities to license and pay for the video, some of the rights holders remain unknown. That uncertainty means we might have to block videos like this to avoid liability under article 13. Multiply that risk with the scale of YouTube, where more than 400 hours of video are uploaded every minute, and the potential liabilities could be so large that no company could take on such a financial risk.




No longer approximate.
Say Au Revoir To That Hunk Of Metal In France That Has Defined The Kilogram
… Now, after researchers spent years creating an elaborate new kind of weighing machine called a Kibble balance, it's finally the kilogram's turn.




I wonder how many of my students already have this App.
Cloudflare’s 1.1.1.1 App Makes Your Phone’s Internet Faster and Private
… With 1.1.1.1, Cloudflare is letting your phone use their 1.1.1.1 DNS resolver to connect to the internet. That’s where the faster and privacy parts come in. Cloudflare expects you to get a faster connection to 1.1.1.1, which should lead to faster connections to websites or apps or whatever your internet connection is trying to do.
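What a resolver such as 1.1.1.1 actually receives is a small binary packet carrying the hostname you asked about. The following is an added example, not code from the article or from Cloudflare: it builds a classic (plain UDP) DNS query in wire format, parses a constructed reply, and shows that the queried name sits in the packet in readable form. The hostname `example.test` and the answer address `192.0.2.10` are constructed values. Cloudflare's 1.1.1.1 also offers encrypted transports (DNS over HTTPS and DNS over TLS); only the unencrypted format is shown here, to make the privacy point concrete: switching resolvers changes who sees your queries, and only an encrypted transport hides them from the network path.

```python
import struct

RESOLVER = "1.1.1.1"  # the resolver named on the page; not contacted by this example


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: each label length-prefixed, ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS label length must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a DNS query for an A record: header (RD bit set, one question) plus the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def read_name(data: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name at offset; return (name, offset after the name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data: bytes) -> dict:
    """Parse a DNS response: transaction id, rcode, question name and A-record answers."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    qname, offset = read_name(data, offset)
    offset += 4  # skip QTYPE and QCLASS of the echoed question
    answers = []
    for _ in range(an):
        _, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append({"ip": ".".join(str(b) for b in rdata), "ttl": ttl})
    return {"txid": txid, "rcode": flags & 0x000F, "name": qname, "answers": answers}


def visible_hostname(packet: bytes) -> str:
    """What an on-path observer can read from an unencrypted query: the name being looked up."""
    name, _ = read_name(packet, 12)
    return name


def constructed_response(query: bytes) -> bytes:
    """Constructed reply a resolver might send for the query: one A record, TTL 300, 192.0.2.10."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # response, RD+RA, NOERROR
    question = query[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.test")
    print("query bytes:", q.hex())
    print("name visible on the wire:", visible_hostname(q))
    print("parsed reply:", parse_response(constructed_response(q)))
```

Sending `build_query(...)` over UDP port 53 to `RESOLVER` and feeding the reply to `parse_response` would complete a real lookup; the example keeps the reply constructed so it runs offline.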




I’ve never heard of such a thing, but I want to look it over.
The Voice of the ‘Intellectual Dark Web’
Claire Lehmann’s online magazine, Quillette, prides itself on publishing ‘dangerous’ ideas other outlets won’t touch. How far is it willing to go?


Monday, November 12, 2018

An article worth reading. Social engineering at the wholesale level? Let’s define “good.”
Top US Intelligence Official Sue Gordon Wants Silicon Valley on Her Side
… On a recent trip to Silicon Valley, Gordon sat down with WIRED to talk about how much government needs Silicon Valley to join the fight to keep the US safe. She was in town to speak at a conference at Stanford, but also to convince tech industry leaders that despite increasing employee concerns, the government and tech have a lot of shared goals.
“I had a meeting with Google where my opening bid was: ‘We're in the same business’. And they're like ‘What?’ And I said: ‘Using information for good,’” Gordon says.
That’s a hard sell in Silicon Valley, especially in the post-Snowden years. After Snowden’s leaks, tech companies and tech workers didn’t want to be seen as complicit with a government that spied on its own people—a fact Gordon disputes, saying that any collection of citizens’ information was incidental and purged by their systems. This led to a much-publicized disconnect between the two power centers, one that has only grown more entrenched and public in 2018, as Silicon Valley has undergone something of an ethical awakening.
… Artificial intelligence, she says, presents a huge opportunity for the government and the private sector, but the risks of its being abused, biased, or deployed by foreign adversaries are so real that the government and tech companies should collaborate to secure it.




Perspective.
Alibaba sets new Singles Day record with more than $30.8 billion in sales in 24 hours
… Gross merchandise value (GMV), a figure that shows sales across the Chinese e-commerce giant's various shopping platforms, surpassed last year's $25.3 billion record at around 5:34 p.m. SIN/HK (4:34 a.m. ET) on Sunday, and kept marching higher through the rest of the day.




Perspective. Younger than most of my Grad students.
MIT CSAIL
25 years ago today the first major web browser was released: Mosaic 1.0.




An extremely accurate inertial navigation system, for when the hackers take down the GPS system.
Brit boffins build quantum compass, say goodbye to GPS
… The compass is a quantum accelerometer that is capable of measuring tiny shifts in supercooled atoms and so calculate how far and how fast the device has moved. Stuck on a boat, it would mean that the captain knows exactly where his ship was without having to rely on orbiting satellites.
… The system could be of particular benefit to the UK's military after Europe made it clear that following Brexit, the UK would no longer gain secure access to Europe's new Galileo GPS system despite years of assisting in the system's development and deployment.
But this is not something you're going to find in your smartphone: the prototype system shown off this week in London is about three feet wide and high and it is incredibly expensive.
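Why does the accelerometer have to be this accurate for the captain to know where the ship is? An inertial system integrates acceleration once to get speed and again to get position, so any constant error in the accelerometer grows as the square of elapsed time. The following added example (not code from the article or from the researchers) shows that in one dimension with plain Euler integration: a constructed 620-second motion profile, and the position error that a constant sensor bias produces over it. The bias values and the profile are constructed for illustration, not measurements of any real device.

```python
def dead_reckon(accels, dt, v0=0.0, x0=0.0):
    """Integrate 1-D acceleration samples (m/s^2) at interval dt (s) to velocity and position."""
    v, x = v0, x0
    for a in accels:
        v += a * dt       # first integration: acceleration -> velocity
        x += v * dt       # second integration: velocity -> position
    return v, x


def position_error_from_bias(bias, seconds, dt):
    """Drift a constant accelerometer bias produces while the device is actually stationary."""
    n = int(round(seconds / dt))
    _, x = dead_reckon([bias] * n, dt)
    return x


def constructed_profile(dt):
    """Constructed motion: 10 s at +1 m/s^2, 600 s cruise, 10 s at -1 m/s^2 (ends at rest)."""
    n = lambda s: int(round(s / dt))
    return [1.0] * n(10) + [0.0] * n(600) + [-1.0] * n(10)


def estimate_with_bias(true_accels, bias, dt):
    """Compare true position with what an INS reports when every sample carries a constant bias."""
    _, x_true = dead_reckon(true_accels, dt)
    _, x_est = dead_reckon([a + bias for a in true_accels], dt)
    return x_true, x_est, x_est - x_true


if __name__ == "__main__":
    dt = 0.1
    profile = constructed_profile(dt)
    # Constructed biases: 1e-3 m/s^2 for an ordinary consumer sensor, 1e-9 m/s^2 for a far better one.
    for bias in (1e-3, 1e-9):
        x_true, x_est, err = estimate_with_bias(profile, bias, dt)
        print(f"bias {bias:g} m/s^2: true {x_true:.1f} m, reported {x_est:.3f} m, error {err:.3f} m")
    # Over a full hour at rest the same biases drift by these amounts (grows with time squared):
    for bias in (1e-3, 1e-9):
        print(f"bias {bias:g} m/s^2, 1 h stationary: {position_error_from_bias(bias, 3600, 1.0):.3f} m")
```

The two bias values are six orders of magnitude apart, and so are the resulting position errors; that squared growth with time is the reason a navigation-grade accelerometer has to be so much better than the one in a phone before a ship could rely on it without satellite fixes.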




Because: Kulture!
52,438 High-Definition Images of Artworks Into the Public Domain
Kottke: “The Art Institute of Chicago has placed high-definition images of 52,438 public-domain artworks onto its website (with magnification tools) under a CC0 license (no rights reserved), including The Great Wave, A Sunday on La Grande Jatte (unfortunately not magnifiable to this extent), Nighthawks, Van Gogh’s Self-Portrait, Warhol’s Mao, and Two Sisters on the Terrace…”




A guide to useful tools.


Sunday, November 11, 2018

...and why not? A good cyberattack gives all the satisfaction of a missile attack but with no risk of it spreading to conventional weapons. Yet.
US banks prepare for Iranian cyberattacks as retaliation for sanctions
New York (CNN) As the United States reinstated economic sanctions on Iran on Monday, American banks were gearing up for retaliatory Iranian cyberattacks.
Bank executives believe Iranian hackers could attempt to disrupt financial services, perhaps as they did between 2011 and 2013 – with denial-of-service attacks that interrupted bank websites and other internet financial services.
… "Iran, while more limited (than some other countries) in the sophistication of their cyber capabilities, (has) demonstrated a greater willingness to conduct destructive cyberattacks that are well beyond the norms of state behavior in peacetime," Lt. Col. Audricia Harris told CNN in an email.




Because we’d be upset if the CIA or NSA did it?
Greg Nichols reports:
When a national fingerprinting company joins forces with a startup that authenticates identity using AI-based facial recognition and behavioral prediction in natural settings, the future of human identification tech starts to look an awful lot like sci fi. That’s the new reality as SureID, a biometrics and fingerprinting firm, partners with Robbie.AI, a Boston-based startup, on R&D that could result in the United States’ first nationwide biometrics gathering system.
Read more on ZDNet.




Well, maybe it could’a…
Mark Osborne reports:
Authorities in New Hampshire are hopeful a smart speaker will be smart enough to convict a double murderer.
Amazon was ordered by a judge on Friday to hand over recordings taken by an Echo device in the Farmington, New Hampshire, home where Christine Sullivan lived with her boyfriend. Sullivan was found murdered in the backyard of the home on Jan. 29, 2017, along with Jenna Pellegrini, who was staying at the home.
The bodies were left in the backyard, under a tarp, and a knife was buried nearby, police said.
Read more on ABC.
[From the article:
It's unclear whether there is any audio evidence on the device, but the court found probable cause that the speaker could have recorded "evidence of crimes committed against Ms. Sullivan, including the attack and possible removal of the body from the kitchen."
An Amazon spokesperson told The Associated Press it would not release the recordings "without a valid and binding legal demand properly served on us."