Saturday, March 07, 2020


When my ethical hackers show up in new cars…
Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys
Over the past few years, owners of cars with keyless start systems have learned to worry about so-called relay attacks, in which hackers exploit radio-enabled keys to steal vehicles without leaving a trace. Now it turns out that many millions of other cars that use chip-enabled mechanical keys are also vulnerable to high-tech theft. A few cryptographic flaws combined with a little old-fashioned hot-wiring—or even a well-placed screwdriver—lets hackers clone those keys and drive away in seconds.




Quis custodiet ipsos custodes? Don’t you feel safer knowing DHS is on the job?
Former DHS Acting Inspector General Indicted for Stealing Database with Personnel Information
The 16-count indictment includes charges of theft of proprietary software and intent to defraud the U.S. government.




Another one for the Disaster Recovery lecture. Imagine all evils.
India’s Yes Bank breakdown disrupts Walmart’s PhonePe among a dozen other services
Tens of millions of merchants and users in India are struggling to make online transactions and use several popular services after the nation’s central bank seized control of Yes Bank, the fourth largest lender in the country.
The emergency takeover of the private sector bank has taken offline several financial startups that rely on it to facilitate services such as processing QR codes, point-of-sale terminals as well as transactions through popular UPI infrastructure.
Leading payments app PhonePe, owned by e-commerce giant Walmart, has been inaccessible to tens of millions of its users since Thursday evening (local time). The startup said in a statement that it was working to restore its services and has solved some of the issues for its merchant partners.
In a tweet, Nigam said the startup had multiple redundancies in place, but “never imagined [that] the bank itself would go totally dark like this. Lesson learnt in the hardest possible way.”




Easy encryption. (Sorry FBI)
How to Encrypt and Decrypt Text Strings with JavaScript
A simple method for encrypting and decrypting text strings and passwords in JavaScript and Google Apps Script




There must be a reason… Oh, wait… Apparently there does not need to be a reason.
Trump Administration Orders Shiji to Sell Hotel Tech Firm StayNTouch
The Trump Administration on Friday demanded that Beijing Shiji Information Technology, whose international arm is known as Shiji Group, unwind its acquisition of StayNTouch, a maker of hotel operational software.
President Donald Trump said the acquisition of the U.S.-based startup might “threaten to impair the national security of the United States.” The order didn’t explain details of the threat.




Faster than the Coronavirus?
Live Facial Recognition Is Spreading Around the World
Today in the United States, this isn’t the norm. While it’s become common for law enforcement, from local police to the federal government, to use facial recognition, it’s often used retrospectively. That means instead of scanning the face of everyone who appears in a live video, they analyze an image of a suspect’s face from a crime scene and compare it against a mugshot database, or some other database of face images, to find out who it is.
But that reluctance to embrace live facial recognition is changing — it already has changed around the world. We’ve seen that in Surat, India, and in Buenos Aires, Argentina, where live facial recognition is already here.
Privacy advocates oppose live facial recognition, especially in body cameras worn by police. “Body cameras were promised to communities as a tool for officer accountability. They should not be twisted into surveillance systems to be used against communities,” the ACLU wrote on Twitter in response to OneZero’s story.


(Related)
India authorizes roll out of automated biometric facial recognition in police investigations
India’s National Crime Records Bureau (NCRB) is now allowed to use a biometric automated facial recognition system (AFRS) to identify suspects, bodies and missing people, writes the Times of India, after India’s Home Ministry officially informed the Rajya Sabha (India’s upper legislative house) about the decision.
The AFRS will only use police records and can only be accessed by police officers, the institution said insisting on the importance of ensuring citizens’ privacy. Implementation approval was confirmed in writing by Union Minister of State for Home Affairs G Kishan Reddy. The NCRB sought in November to assure privacy advocates that the system will not violate the principle of consent, and will be subject to strict operational safeguards.




I’ll tell my niece and nephew, if they ever take those earbuds out.
Stream Music for Free With These 5 Little-Known Apps



Friday, March 06, 2020


Sounds like the FBI had a mole in Intel’s chip design shop.
Security researchers with Positive Technologies sounded the alarm about the vulnerability in a blog post Thursday, describing it as a doomsday-level threat in no uncertain terms.
Essentially, this flaw allows bad actors to hack your computer’s encryption process, which opens the door to all kinds of industrial espionage and sensitive information leaks. If that weren’t bad enough, the process is completely undetectable since it works at the hardware level, which allows any malicious code to fly under the radar of most traditional security measures. Worse still, virtually all Intel chipsets from the last five years carry this vulnerability, Positive Technologies reported.




Something for my Architecture students to debate? How long should support last?
Over one billion Android devices at risk as they no longer receive security updates
More than one billion Android devices are at risk of being hacked or infected by malware, because they are no longer supported by security updates and built-in protection.
That’s the conclusion of an investigation by Which?, which found that at-risk smartphones are still being sold by third-parties via sites like Amazon, despite the range of malware and other threats to which they are vulnerable.
The report cites data that Google collected itself in May 2019, which discovered that 42.1% of active Android users worldwide were running version 6.0 (known as Marshmallow) of the operating system or earlier.




To recognize or not to recognize, that’s a good question…
Dave Gershgorn reports:
Wolfcom, a company that makes technology for police, is pitching body cameras with live facial recognition to law enforcement groups across the United States, OneZero has learned. It’s a move that pushes against industry norms: Axon, the largest manufacturer of body cameras in the United States, declared last year that it would not put the invasive technology in its hardware, citing “serious ethical concerns.” NEC, which sells live facial recognition elsewhere in the world, has also not sold it to U.S. law enforcement.
Read more on Medium.




The data is there. Expect someone will use it.
Through apps, not warrants, ‘Locate X’ allows federal law enforcement to track phones
Protocol: “U.S. law enforcement agencies signed millions of dollars worth of contracts with a Virginia company after it rolled out a powerful tool that uses data from popular mobile apps to track the movement of people’s cell phones, according to federal contracting records and six people familiar with the software. The product, called Locate X and sold by Babel Street, allows investigators to draw a digital fence around an address or area, pinpoint mobile devices that were within that area, and see where else those devices have traveled, going back months, the sources told Protocol. They said the tool tracks the location of devices anonymously, using data that popular cell phone apps collect to enable features like mapping or targeted ads, or simply to sell it on to data brokers…”




What should you do with this information? (See next article?)
Privacy-focused DuckDuckGo launches new effort to block online tracking
DuckDuckGo, the maker of search engine and browser technology that doesn't track you online, is sharing data it's collected about online trackers with other companies so they can also protect your privacy.
The company said Thursday it's started sharing a data set called Tracker Radar that details 5,326 internet domains used by 1,727 companies and organizations that track you online. The data is available to anyone, and browser maker Vivaldi said on Tuesday it has begun using it.




Some applications of technology are inevitable.
Robo lawyer will sue organizations that will not delete your personal info
Fortune: “In January, a new law gave consumers the power to stop companies collecting their personal information. The law, known as the California Consumer Privacy Act (or the CCPA), can be a powerful tool for privacy, but it comes with a catch: Consumers who want to exercise their CCPA rights must contact every data broker individually, and there are more than a hundred of them. But now they have an easier option. On Thursday March 5, 2020, a startup called DoNotPay unveiled a service it calls Digital Health that automates the data-deletion process. Priced at $3 a month, the service will contact more than 100 data brokers on your behalf and demand they delete your and your family’s personal information. It will also show you the types of data the brokers have collected—such as phone number or location info—and even initiate legal proceedings if the firms fail to comply. The monthly fee also gives subscribers access to DoNotPay’s other automated avenging services, like appealing parking tickets in any city, claiming compensation for poor in-flight Wi-Fi, and Robo Revenge, which sues robocallers...”
Note – please be sure to read the Terms of Service and Privacy Policy




...because I’m cheap.
Book price comparison search engine
booksprice.com: “BooksPrice is a free-of-charge website that enables users to search for the best deals as related to prices of books, CDs, DVDs and other products offered by thousands of stores across the Web. BooksPrice specializes in conducting comparisons of multiple books, CDs and DVDs as part of one single search. BooksPrice is an independent website that is not owned or controlled to any extent by any other business entities. Therefore, all search results are completely objective…”




An interesting tool?
A Flashy New AI Tool Could Be a Producer’s Dream and a Copyright Nightmare
Imagine being able to hear exactly what’s under the hood of any piece of recorded music. You upload a file and a few minutes later, a song like “Born to Run” splits apart to reveal its secrets. Each player’s mastery is laid bare: There’s Bruce Springsteen’s isolated vocal take, every murmur and cry heard clearly; Garry Tallent’s propulsive bassline; Clarence Clemons’ fired-up saxophone solo; and that memorable sprinkling of glockenspiel, courtesy of Danny Federici.
Such is the promise of Spleeter, a free, open-source AI tool that was developed and released by the streaming service Deezer late last year. Using a process called source separation, Spleeter splits the audio file of any given song into four new audio “stems,” which isolate particular instruments or groups of instruments: vocals, bass, drums, and so on. Some songs and instruments yield better results than others. Bass and drum stems tend to sound muddy or distorted on their own, but vocals fare better, especially if the surrounding music is relatively sparse.
(It requires some coding knowledge to operate, but its open-source nature means third parties are free to create their own, more user-friendly versions.)
But it may also be an intellectual property minefield, giving mashup DJs and producers the power to repurpose bits of copyrighted material with far more precision and flexibility than old-fashioned sampling offers, and in ways that elude easy identification. (Would you be able to recognize the “Born to Run” bassline if it were ripped from its context, chopped up, and placed in a country song?)




Dilbert’s social media warning: The evil that men do lives after them; the good is oft interred with their bones.



Thursday, March 05, 2020


I didn’t know that slot machines used the network. IoT?
Casinos in Las Vegas Hit by Suspected Ransomware Attack
Slot machines in two Las Vegas casinos were out of action for almost a week in an incident that bears all the hallmarks of a ransomware attack.
Investigations are currently underway by the Nevada State Game Control Board, which told us it is “actively monitoring the situation”.
Four Queens Hotel and Casino and Binion’s Casino in downtown Las Vegas are open for business but for several days were only able to trade in cash, while startling videos of rows of crippled slot machines on empty casino floors swept across Twitter.
The two casinos’ websites also remained down on Tuesday, after the incident, first reported six days earlier, on February 27.




Take a peek without giving up your personal information.
How to Find and Grab Free Logins for Websites
Login2.me is a database of free logins for different websites. People can ask the website for an account, and Login2 will give them one.
These accounts are not for you to “keep.” They’re community accounts that anyone can use at any time. They’re handy if you want to log into a website only to do one thing, and you don’t want to sign up just for that one thing.




Making my students think.
Winning in the New Era of Digital Regulation
Look for more and expanded privacy laws down the line. Already in the U.S., at least 29 states have passed laws related to data privacy, the Internet Association says.
Meanwhile, other regulations continue to amass. By 2021, financial services firms alone will face 374 “legislative initiatives,” and the number will continue to grow beyond that time horizon, regulatory change management expert JWG says.
For businesses, the challenges are not just that new regulations are being put into place. It’s also that new activities, processes and functions are being audited, up to and including the very act of decision making itself. Indeed, it’s no longer just the “what” that is being regulated. It is also the “how” as regulatory policy shifts from a narrow focus on data points to a more holistic, system-wide view, JWG asserts.




Is law enforcement an “easy sell?”
Banjo AI surveillance is already monitoring traffic cams across Utah
A small company called Banjo is bringing pervasive AI surveillance to law enforcement throughout Utah, Motherboard reports. In July, Banjo signed a five-year, $20.7 million contract with Utah. The agreement gives the company real-time access to state traffic cameras, CCTV and public safety cameras, 911 emergency systems, location data for state-owned vehicles and more. In exchange, Banjo promises to alert law enforcement to "anomalies," aka crimes, but the arrangement raises all kinds of red flags.
Banjo relies on info scraped from social media, satellite imaging data and the real-time info from law enforcement. Banjo claims its "Live Time Intelligence" AI can identify crimes -- everything from kidnappings to shootings and "opioid events" -- as they happen.
… According to Motherboard, Banjo says it removes all personal data from its system, but how and how well it does this remain unclear.




Perspective. How would Ford view this?
Moving Away From ‘Peak Car’
Overview: How a changing relationship with cars may shape the future of transportation – “Automobiles make up 70% of the emissions from all forms of transportation. There are an estimated 1 billion cars on the planet, with around 80 million new cars sold each year. Despite continually strong sales, experts suggest we have reached ‘Peak Car’ – meaning the average distance traveled per person in cars has peaked, and will continue to fall over time. There are many different factors contributing to this trend, such as a global shift towards urban living, new forms of mobility, new government policies for reducing traffic, and a slowing expansion of road networks…”




Modern communication?
Emoji etiquette in the workplace
Human Resources – The good, the bad and the downright inappropriate – “Emojis are everywhere nowadays. When words fail us or we want to lighten the mood, very often we turn to emojis. In fact even in a professional work setting, 71% of respondents in Perkbox’s latest survey feel emojis should be encouraged. Polling 1000 UK workers, the research found that the ‘thumbs up’ emoji came top as the best way to convey a ‘well done’ (51%), followed by the ‘OK’ (16%), ‘starry eyes’ (13%), ‘smiley face’ (11%) and ‘raised hands’ emoji (10%). When it came to what emoji was the biggest compliment – in first place was the ‘party popper’ emoji, followed by ‘raised hands’, ‘bicep’, ‘thumbs up’, ‘clap’ and somewhat surprisingly the ‘star’ in final place. However, more than one in four employee says they still prefer to receive praise the ‘old school way’ through a written email. Of those who said they prefer an informal chat using emoji (49%), 27% believe it should only apply if the recipient is a Millennial or younger, with one in five of the respondents saying this group believes emojis are more heartfelt…”



Wednesday, March 04, 2020


This was not unexpected. Getting caught was… Why were these tools in a file labeled “CIA” rather than a “country unknown” file?
CIA Hackers Targeted China in Decade-Long Campaign: Chinese Security Firm
A report published on Monday by Chinese cybersecurity firm Qihoo 360 claims that the U.S. Central Intelligence Agency (CIA) conducted an 11-year-long cyberespionage operation aimed at China’s critical industries.
Qihoo’s research revolves around the Vault 7 files published in 2017 by WikiLeaks. The Vault 7 files include exploits and tools used by the CIA to target computers, routers, mobile devices, and IoT systems.




First: Secure thyself.
https://www.bespacific.com/how-to-dox-yourself-on-the-internet/
How to Dox Yourself on the Internet
The NYT Open Team – A step-by-step guide to finding and removing your personal information from the internet. “No one wants their home address on the internet. That is personal information we typically only give out to friends, family and maybe our favorite online stores. Yet, for many of us, that information is available and accessible to anyone with an internet connection. And increasingly for journalists, public figures and activists, this kind of information is dug up and posted to online forums as a form of harassment, or doxxing. Doxxing (also sometimes called “doxing”) is a low-level tactic with a high-impact outcome: it often does not require much time or many resources, but it can cause significant damage to the person targeted. Once sensitive information — such as home address, phone number, names of family members or email addresses — about a targeted individual is posted to public forums, it can be used by others for further targeting… When our team begins looking into the personal information that is available online for a colleague, we think like doxxers and use some of the same readily available online resources that doxxers may use to surface personal information…”




Politics 2.0?
The Man Behind Trump’s Facebook Juggernaut
“We have turned the R.N.C. into one of the largest data-gathering operations in United States history,” he said. He was referring to the Republican National Committee, which has raised two hundred and sixty-three million dollars for the 2020 elections. (The Democratic National Committee has raised just over a hundred million.) As Parscale explained, the Trump campaign has been operating more or less full time since 2016, continually improving its “technology and data operations.” During this period, the campaign and the R.N.C. have essentially merged, sharing staff, voter data, and other resources. The Democrats do not yet have a nominee for President, and some of their systems for acquiring and sharing data are considered outdated by comparison. “You cannot just build an app, or build out data, in the few months you have from the Convention,” Parscale said. “The Democrats will have that problem this time. As they all interfight, we are building for our future.”





How tech handles Corona.
Amazon employee in Seattle tests positive for coronavirus


(Related)
Apple Restricts Employee Travel to Italy, Korea on Coronavirus


(Related)
Google cancels I/O 2020 due to coronavirus concerns - 9to5Google


(Related)
Twitter tells employees to work from home as tech firms react to coronavirus





Some extra for my students.
https://www.makeuseof.com/tag/3-websites-started-learning-programming-language/
How to Learn C++ Programming: 6 Sites to Get Started




Tuesday, March 03, 2020


Is “fight back” a targeted concept in this surveillance?
EFF Launches Surveillance Self-Defense Guide for Students
San Francisco – Schools across the country are increasingly using technology to spy on students at home, at school, and on social media.
Today, the Electronic Frontier Foundation (EFF) launched a new Surveillance Self-Defense guide for students [1] and their parents, so they can learn more about how schools are watching them, and how they can fight back.
The surveillance technology currently in use includes software to scan students’ social media posts [2], cameras with facial recognition and other scanning capabilities [3], and microphones to “detect aggression [4].” Schools can even track you on devices that they don’t control: if you have to download a certain kind of security certificate to use the school Internet [5], they may be monitoring your browser history and messages you send.
“Some administrators argue that they need to use this technology to keep schools safe, yet there is little evidence that it works,” said EFF.
In the new guide, EFF shows students and concerned parents what kind of technologies to watch for, how they can track you, and what it means for privacy. For example, some schools are tracking students’ locations, ostensibly to automate attendance or track school bus ridership. This monitoring can be conducted through tools ranging from students’ cell phones to ID cards with tracking chips, and it can easily continue when you are off campus. Location information is extraordinarily sensitive – it can reveal who your friends are and what you do when you see them, as well as what kind of medical appointments you might have or what sort of meetings or groups you attend regularly. In some cases, student data is reported to school resource officers or the police, and it can be kept over time, creating a granular history of a student’s actions.
For Privacy for Students: https://ssd.eff.org/en/module/privacy-students [1]




Clearly, “It’s for your own good!”
Katie Jickling reports:
On March 1, thousands of Vermonters’ medical records became available to doctors, even for patients who have not given consent for their records to be shared.
The new sharing policy went into place Sunday for records on the statewide health information exchange, a database run by Vermont Information Technology Leaders.
Previously, Vermonters had to give consent for doctors to access their lab tests or medical history on the exchange, which stores the health records of all patients in the state.
Read more on VTDigger.




Jobs for my students?
The New Pace of Privacy: More Changes Ahead Require Adaptable CPOs
2020 is shaping up to be another eventful and demanding year for CPOs. In fact, the job of the CPO will continue to grow in significance and evolve in complexity as more privacy laws are enacted, organizations focus on compliance with new requirements and media attention on privacy issues continues to increase public awareness.
Looking back, it seems like GDPR, effective as of 2018, was the starting gun for a race in the evolving privacy landscape. In 2019, CCPA kept privacy professionals working at a rapid pace, interpreting new privacy requirements along with how to apply rules from various jurisdictions to business operations. Now, with several recently announced federal privacy bills, numerous state legislatures debating various forms of privacy laws, and a collection of new privacy laws taking shape around the world, the responsibilities of CPOs will continue to expand in the years ahead. This may be a privacy marathon.
California and Nevada passed privacy laws in 2019, but numerous other states are introducing a variety of legislative proposals this year. For example, Virginia introduced the Virginia Privacy Act in January, which would require a broader use of privacy risk assessments than current laws. Illinois also introduced the Data Transparency and Privacy Act, which includes opt-out rights for consumers. In addition, Washington recently reintroduced privacy legislation from 2019, the Washington Privacy Act, with the strong backing of Microsoft, which now includes standards for the use of facial recognition tools.




I think I understand this – treat AI like an employee.
Algorithms and Contract Law
Scholz, Lauren, Algorithms and Contract Law (August 1, 2019). Cambridge Handbook of the Law of Algorithms, 2019. Available at SSRN: https://ssrn.com/abstract=3525503 – “Generalist confusion about the technology behind complex algorithms has led to inconsistent case law for algorithmic contracts. Case law explicitly grounded in the principle that algorithms are constructive agents for the companies they serve would provide a clear basis for enforceability of algorithmic contracts that is both principled from a technological perspective and is readily intelligible and able to be applied by generalists.”


(Related) Should all algorithms be open source?
ICE’s New York Office Uses a Rigged Algorithm to Keep Virtually All Arrestees in Detention. The ACLU Says It’s Unconstitutional.
In 2013, U.S. Immigration and Customs Enforcement quietly began using a software tool to recommend whether people arrested over immigration violations should be let go after 48 hours or detained. The software’s algorithm supposedly pored over a variety of risk factors before outputting a decision.
A new lawsuit, however, filed by the New York Civil Liberties Union and Bronx Defenders, alleges that the algorithm doesn’t really make a decision, at least not one that can result in a detainee being released. Instead, the groups said, it’s an unconstitutional cudgel that’s been rigged to detain virtually everyone ICE’s New York Field Office brings in, even when the government itself believes they present a minimal threat to public safety.




Leave it to the lawyers to invent a new sin.
Retrievable Images on Social Media Platforms: A Call for a New Privacy Tort
The recognition of a right of privacy in Warren and Brandeis’s famous article has long been celebrated and lamented. It is celebrated because privacy is a central feature of individual well-being that deserves legal protection. It is lamented because the protection they contemplated, and that is actually provided by the law, is quite modest. Modern technology, especially social media platforms, has only raised the stakes. Anytime one goes out in public, one risks having one’s image captured and shared worldwide, leaving us with little or no control over how we are perceived by others.
This Article argues for the recognition of a new privacy tort: the tort of unwanted broadcasting. It would allow a person whose image is, without permission, shared widely on one or more social media platforms that has an enduring retrievable character, to recover damages from a person who posts it. While in some respects novel and far-reaching, the unwanted broadcasting tort has a solid grounding in privacy theory and doctrinal roots in English case law. This Article also shows that this tort can be fashioned in a manner that renders it consistent with First Amendment principles.




What the industry thinks?
Key Takeaways From The Gartner Magic Quadrant For AI Developer Services
Within weeks of publishing the Magic Quadrant (MQ) report on Data Science and Machine Learning, Gartner has come out with another MQ report related to ML and AI.
According to Gartner, machine learning is a subset of data science while artificial intelligence is the business outcome of machine learning.
It’s not a surprise to see AWS, Google, IBM, and Microsoft securing the slots in the leadership quadrant.
AWS, which was excluded in the DSML MQ report, is ranked as the top AI developer services vendor. With its unique advantage of addressing both the enterprise and consumer market needs through AWS and Alexa respectively, Amazon has a vantage point into the use cases and scenarios.
Google is one of the first to offer AI and AutoML services to developers and businesses. Like AWS, Google also has access to large datasets from the enterprise and consumer markets which is helping the company in building innovative AI services.
IBM has also found a place in the leadership quadrant. Thanks to the investments in Watson and Augmented AI, IBM enjoys top-of-mind brand recall in the AI market. The efforts around positioning cognitive computing and AutoAI through Watson have started to pay off.




Free is good. (registration required)
Free PDF download: Cybersecurity: Let's get tactical
Cyberattacks compromise data, damage reputations, put customers and users at risk -- and show no signs of slowing down. This special report from ZDNet and TechRepublic offers advice on cybersecurity strategies, prevention tips, and how to implement new tactics like artificial intelligence (AI) and machine learning (ML) for protection.
To read all the content in this special feature plus additional analysis, download the free PDF ebook Cybersecurity: Let's get tactical.