Saturday, July 04, 2020


Another swing of the pendulum?
Maeve Allsup reports:
The government may compel individuals to unlock devices using biometrics during the execution of a search warrant without violating the individual’s Fourth or Fifth Amendment rights, a federal court in Kentucky ruled Thursday.
The federal government sought to obtain a search warrant to seize evidence on cellphones, computers and other electronic devices found on the premises that contain evidence of, or were the instruments of, alleged crime. That warrant also sought authorization to force all individuals present to provide biometrics to unlock devices.
Read more on Bloomberg Law. That last sentence above is what really caught my eye.
The opinion joins other opinions that the government can compel biometric access when executing a search warrant. What the government can’t do — at least not in the Eastern District of Kentucky — is compel biometric access to all devices by all individuals who might just happen to be on the premises or in the area where there is evidence of a crime or other devices that might be involved in an alleged crime. Magistrate Judge Stinnett framed the questions the court grappled with this way:
First, is capturing the physical characteristics of an individual, such as a fingerprint, a search? If so, then second, what standard or burden must the government meet to capture such physical attributes of an individual incident to a search warrant?
The first question was easily answered that yes, capturing biometric characteristics is a search. Then how does the Fourth Amendment apply to searching the devices that may belong to non-targets of a warrant? The court applies the reasonable suspicion standard and concluded that
the United States may only compel individuals present during warrant execution to provide biometric markers to unlock electronic devices where the United States has reasonable suspicion that such an individual has committed a criminal act that is the subject matter of the warrant, and reasonable suspicion that the individual’s biometrics will unlock the device.
The case is In re Search Warrant No. 5165, 2020 BL 246200, E.D. Ky., No. 5:20-MJ-5165, 7/2/20.




Is this a useful ‘bad example?’
National security law: Hong Kong internet firms ‘will have to comply’ with police requests
Under the new national security law Beijing has imposed on Hong Kong, police no longer have to seek court orders before requiring internet users or “relevant service providers” – believed to cover social media platforms and also firms – to remove information or help with an investigation.




Allow me to provoke some thought. Worth reading!
How Cyberinsurance Is Responding to Ransomware: An Interview with Ken Suh, Mark Singer, and Marcello Antonucci




Is our education system falling behind?
Study: Only 18% of data science students are learning about AI ethics
Amid a growing backlash over AI’s racial and gender biases, numerous tech giants are launching their own ethics initiatives — of dubious intent.
The schemes are billed as altruistic efforts to make tech serve humanity. But critics argue their main concern is evading regulation and scrutiny through “ethics washing.”
At least we can rely on universities to teach the next generation of computer scientists to make. Right? Apparently not, according to a new survey of 2,360 data science students, academics, and professionals by software firm Anaconda.
Only 15% of instructors and professors said they’re teaching AI ethics, and just 18% of students indicated they’re learning about the subject.


(Related)
Why China's Race For AI Dominance Depends On Math
Forget about “AI” itself: it’s all about the math, and America is failing to train enough citizens in the right kinds of mathematics to remain dominant.




The joy of anti-social distancing?



Friday, July 03, 2020


Did someone in Marketing screw up? I doubt this passed a legal department review.
With Edge, Microsoft’s forced Windows updates just sank to a new low
If I told you that my entire computer screen just got taken over by a new app that I’d never installed or asked for — it just magically appeared on my desktop, my taskbar, and preempted my next website launch — you’d probably tell me to run a virus scanner and stay away from shady websites, no?
But the insanely intrusive app I’m talking about isn’t a piece of ransomware. It’s Microsoft’s new Chromium Edge browser, which the company is now force-feeding users via an automatic update to Windows.
Seriously, when I restarted my Windows 10 desktop this week, an app I’d never asked for:
  1. Immediately launched itself
  2. Tried to convince me to migrate away from Chrome, giving me no discernible way to click away or say no
  3. Pinned itself to my desktop and taskbar
  4. Ignored my previous browser preference by asking me — the next time I launched a website — whether I was sure I wanted to use Chrome instead of Microsoft’s oh-so-humble recommendation.

Did I mention that, as of this update, you can’t uninstall Edge anymore?
It all immediately made me think: what would the antitrust enforcers of the ‘90s, who punished Microsoft for bundling Internet Explorer with Windows, think about this modern abuse of Microsoft’s platform?




Has someone crossed the line? Is this how a cyber war begins?
Cyberattacks Possibly Involved in Explosions at Iranian Nuclear, Military Facilities
There have been several incidents at major Iranian industrial facilities in recent weeks, including a fire at the Natanz nuclear enrichment site and an explosion at the Parchin military complex near Tehran, which is believed to be involved in the production of missiles.
Iranian officials blamed the Parchin explosion on a gas leak and in the case of Natanz they downplayed the incident claiming that it only impacted a warehouse that was under construction.
However, some believe the damage was more extensive than Tehran admitted and in the case of Natanz there also appears to have been an explosion. Experts told the Associated Press that the Natanz incident apparently impacted a production facility.
Natanz, one of Iran’s primary nuclear facilities, was targeted a decade ago with the Stuxnet malware as part of a campaign supposedly conducted by the United States and Israel.




At some point, “mandatory” has to be enforced.
Committee hits roadblock in probing Commonwealth cybersecurity performance
In an attempt to find the direct lines of accountability within Australian government entities where cybersecurity is concerned, the Joint Committee of Public Accounts and Audit (JCPAA) on Thursday was sent running in circles like a dog chasing its tail.
Australian government entities are required to comply with the Australian Signals Directorate's (ASD) Top Four mitigation strategies for cybersecurity compliance, despite there being an Essential Eight.
Commonwealth entities are responsible for their own assessments against the Top Four, and as the JCPAA previously requested -- a request that was agreed to by the government -- entities are required to report on their performance and compliance annually.
But as Shadow Assistant Minister for Cyber Security Tim Watts has pointed out at length before, there is no mechanism that allows the individual performance of Commonwealth entities to be probed.
"At present, is there no way that the Parliament can hold individual Commonwealth entities accountable for seven years of failing to comply with mandatory ASD cybersecurity requirements?" Watts asked, receiving no further answers from those providing testimony to the JCPAA.




IP in the AI Age…
Artificial Intelligence Systems Will Need to Have Certification, CISA Official Says
Vendors of artificial intelligence technology should not be shielded by intellectual property claims and will have to disclose elements of their designs and be able to explain how their offering works in order to establish accountability, according to a leading official from the Cybersecurity and Infrastructure Security Agency.
“I don’t know how you can have a black-box algorithm that’s proprietary and then be able to deploy it and be able to go off and explain what’s going on,” said Martin Stanley, a senior technical advisor who leads the development of CISA’s artificial intelligence strategy. “I think those things are going to have to be made available through some kind of scrutiny and certification around them so that those integrating them into other systems are going to be able to account for what’s happening.”
Stanley was among the speakers on a recent Nextgov and Defense One panel where government officials, including a member of the National Security Commission on Artificial Intelligence, shared some of the ways they are trying to balance reaping the benefits of artificial intelligence with risks the technology poses.




One of those articles (and podcast) that make me order the book. (From my friendly neighborhood library)
What Poker Can Teach Us about Making the World a Better Place
In her new book, The Biggest Bluff, psychologist and journalist Maria Konnikova writes about her immersion into the world of high-stakes poker. Starting as a novice who knew nothing about the game, she eventually rose to become a world-class professional poker player. Yet, poker was never just about the cards or money for Konnikova, and neither is her book. Instead, she picked up poker as a means to explore human decision-making in an environment where every player has very little control.



Thursday, July 02, 2020


War is an economic event. Can there be “war” against a single company? An article for my Computer Security students.
Did a Chinese Hack Kill Canada’s Greatest Tech Company?
Nortel was once a world leader in wireless technology. Then came a hack and the rise of Huawei.




A guide for my ethical hackers. You don’t do this, do you?
One out of every 142 passwords is '123456'
Last month, Hakçıl, a Turkish student studying at a university in Cyprus, downloaded and analyzed more than one billion leaked credentials.
The main discovery was that the 1,000,000,000+ credentials dataset included only 168,919,919 unique passwords, of which more than 7 million were the "123456" string.
This means that one out of every 142 passwords included in the sample Hakçıl analyzed was the weakest password known today – with the "123456" string being the most commonly reused password online for the past five years in a row, and counting.
The study's full results are available on GitHub, with a short summary below:
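As an added illustration of the kind of analysis the study describes (not Hakçıl's own code), the script below takes a constructed "identifier:password" dump, counts unique passwords, works out the "1 in N" share of the most common one, and then turns the same counts into a breach denylist for screening new passwords, which is the defensive use of such data that NIST SP 800-63B recommends. The sample lines and all function names are invented for the example.

```python
from collections import Counter

# Constructed sample standing in for a leaked-credentials dump; not real data.
SAMPLE_DUMP = """\
a@example.com:123456
b@example.com:123456
c@example.com:password
d@example.com:123456
e@example.com:qwerty
f@example.com:S3cure!Passphrase
g@example.com:123456
h@example.com:password
i@example.com:iloveyou
j@example.com:123456
k@example.com:abc123
l@example.com:123456
m@example.com:qwerty
n@example.com:123456
"""


def parse_dump(text):
    """Extract passwords from 'identifier:password' lines.

    Splits on the first ':' only, because passwords may contain colons;
    lines with no separator or an empty password are skipped.
    """
    passwords = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        _, password = line.split(":", 1)
        if password:
            passwords.append(password)
    return passwords


def password_stats(passwords, top_n=5):
    """Summarise a dump the way the study did: total credentials, unique
    passwords, the top_n most common, and the '1 in N' ratio of the most
    common password over all credentials (the study's 1 in 142)."""
    counts = Counter(passwords)
    total = len(passwords)
    top = counts.most_common(top_n)
    most_common_pw, most_common_count = top[0]
    return {
        "total": total,
        "unique": len(counts),
        "top": top,
        "most_common": most_common_pw,
        "one_in": total / most_common_count,
    }


def build_denylist(passwords, min_occurrences=2):
    """Passwords seen at least min_occurrences times in the dump. A password
    reused by many people is exactly what a credential-stuffing list contains,
    so these are the ones a registration form should refuse."""
    counts = Counter(passwords)
    return {pw for pw, n in counts.items() if n >= min_occurrences}


def is_breached(candidate, denylist):
    """True if a user-chosen password should be rejected as known-breached."""
    return candidate in denylist


if __name__ == "__main__":
    pws = parse_dump(SAMPLE_DUMP)
    stats = password_stats(pws)
    print(f"{stats['total']} credentials, {stats['unique']} unique passwords")
    print(f"most common: {stats['most_common']!r}, 1 in {stats['one_in']:.0f}")
    deny = build_denylist(pws)
    for choice in ("123456", "S3cure!Passphrase"):
        print(f"{choice!r} rejected: {is_breached(choice, deny)}")
```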




Not enough technical detail to understand how they did it. If the encryption was done on the phones, hacking Encrochat would not give them access. Something is missing from this story.
How Police Secretly Took Over a Global Phone Network for Organized Crime
Police monitored a hundred million encrypted messages sent through Encrochat, a network used by career criminals to discuss drug deals, murders, and extortion plots.
Because the messages were encrypted on the devices themselves, police couldn't tap the group's phones or intercept messages as authorities normally would.
French authorities had penetrated the Encrochat network, leveraged that access to install a technical tool in what appears to be a mass hacking operation, and had been quietly reading the users' communications for months. Investigators then shared those messages with agencies around Europe.
In the press release, French authorities wrote "Despite the findings of the criminal use of Encrochat terminals [phones]," that they hope "users claiming to be of good faith and wishing to have their personal data deleted from the legal proceedings can send their request to the investigation department." They also invited administrators or managers of Encrochat itself to contact them if they wanted to discuss the legality of law enforcement deploying the technical tool to read messages.




A major escalation of ransomware?
Hacker ransoms 23k MongoDB databases and threatens to contact GDPR authorities
A hacker has uploaded ransom notes on 22,900 MongoDB databases left exposed online without a password, a number that accounts for roughly 47% of all MongoDB databases accessible online, ZDNet has learned today.
The hacker is using an automated script to scan for misconfigured MongoDB databases, wiping their content, and leaving a ransom note behind asking for a 0.015 bitcoin (~$140) payment.
The attacker is giving companies two days to pay, and threatens to leak their data and then contact the victim's local General Data Protection Regulation (GDPR) enforcement authority to report their data leak.




Inevitable, since NY is now taking the pandemic seriously.
Party Guests Won’t Talk After 9 Test Positive. Now They Face Subpoenas.
The New York Times – Rushing to contain a coronavirus cluster tied to a big party in a New York City suburb, officials turned to an unusual legal strategy. “On June 17, a crowd of up to 100 people, most of them in their early 20s, attended a party at a home in Rockland County, N.Y., just north of New York City. The event violated a state order in effect at the time that capped gatherings at 10 people in an effort to slow the coronavirus’s spread. For local officials, that was just the start of the problem. The party’s host, who was showing signs of being sick at the time, later tested positive for the virus. So did eight guests. County officials, eager to keep the cluster from growing, dispatched disease tracers to try to learn who else might have been exposed to the virus at the party. The tracers hit a wall. “My staff has been told that a person does not wish to, or have to, speak to my disease investigators,” Dr. Patricia Schnabel Ruppert, the county’s health commissioner, said on Wednesday. Of those being contacted about the party, she added: “They hang up. They deny being at the party even though we have their names from another party attendee.” Frustrated by the response, county officials on Wednesday took the unusual step of issuing subpoenas to eight people who they believe were at the June 17 party. Those who do not comply and share what they know by Thursday will face fines of $2,000 a day, officials said…”




"The first thing we do, let's re-boot all the lawyers"
Robot lawyers are thriving during the pandemic
Fortune: “…I spoke with Jason Brennan, the chief executive officer of U.K.-based legal A.I. company Luminance. He told me the company, which now has more than 250 customers across the globe, including a fifth of the world’s largest 100 law firms, has had a 30% increase in customers since the start of 2020… This is important because it turns out that a lot of the “grunt work” of Big Law involves doing exactly what Luminance does: combing through vast troves of documents, trying to find those clauses that might be problematic. Maybe they need to be updated due to a regulatory change. Or maybe they are part of the contracts held by a company that is being acquired and would open up a big liability issue for the buyer. Either way, law firms once deployed small armies of paralegals and junior associates to find them. It used to be that law firms could simply charge for all this labor and pass the cost on to the client. But that hasn’t been true for at least a decade. These days, clients are more likely to demand law firms accept a flat fee for this sort of work, or pay based on some pre-agreed outcome, not on man hours. So firms have had to become much more efficient. Corporate in-house legal departments are also having to do more with less…”


(Related) Dying? There’s an App for that! (Probably something to think about during the pandemic)
Goodbye World – An Innovative Approach to Estate Planning
Goodbye World is an online estate planning tool and mobile application that helps people who want to create an estate plan by educating them and simplifying the process. The app gamifies data entry and rewards clients who complete various sections by unlocking fun bonus features. Using a series of visual tools, the app presents the entered data in different ways to ensure accuracy and completeness. The data provided by clients is used to auto fill estate planning documents that our attorneys then review.
Goodbye World is a technology tool developed for Reid Law LLC.




Another guide for my students. Emphasis on understanding the business!
How to build a machine learning model in 7 steps
All types of organizations are implementing AI projects for numerous applications in a wide range of industries. These applications include predictive analytics, pattern recognition systems, autonomous systems, conversational systems, hyper-personalization activities and goal-driven systems. Each of these projects has something in common: They're all predicated on an understanding of the business problem and that data and machine learning algorithms must be applied to the problem, resulting in a machine learning model that addresses the project's needs.


(Related) Note the need for an ethics specialist.
9 emerging job roles for the future of AI
We reached out to IT leaders, AI experts, and industry analysts to get a sense of the kinds of AI roles they see emerging as AI takes firmer hold of the enterprise. Some leading-edge companies are already filling these positions, lending insight into the mix of skills necessary to succeed in them.




Research tools
Reverse Image Search: Your Complete Guide



Wednesday, July 01, 2020


Just a reminder…
California begins enforcing digital privacy law, despite calls for delay
Measure took effect in January, with a six-month grace period




No big fines YET.
Nick Valentine, Laura Scampion, and Rachel Taylor of DLA Piper write:
After a lengthy process (dating as far back as 1998, depending on how you measure it) the Privacy Bill, which amends the Privacy Act 1993, has finally made its way through Parliament, receiving Royal Assent on 30 June 2020.
The amendments, which come into effect on 1 December 2020, introduce some of the most significant changes to New Zealand’s privacy law since the enactment of the Privacy Act, including:
  • mandatory data breach reporting;
  • restrictions on offshore transfers of personal information; and
  • clarifications on the extraterritorial scope of the Privacy Act.
However, Parliament has deliberately chosen not to align the Privacy Act with international precedent in terms of broader data subject rights or large fines for non-compliance. This means the Privacy Act remains a bit of a ‘toothless tiger’ relative to other global data protection laws.
Read more on Privacy Matters.




There is an easy way to avoid the suspicion that you “have something to hide.”
California Police Are Using Copyright to Hide Surveillance Documents
California police are refusing to release documents about the surveillance technology they use, despite a new law that requires their release.
On January 1, SB 978 went into effect, which requires the Commission on Peace Officer Standards and Training (POST) to "conspicuously" publish all law enforcement agency training materials. The agency has said that it will not comply on copyright grounds.
Any attempt to download training materials concerning facial recognition technology or automated license plate readers (ALPRs), as well as materials relating to courses on the use of force, leads to a Word document that reads "The course presented has claimed copyright for the expanded course online."
On Thursday, the Electronic Frontier Foundation sent a letter to the POST outlining why this copyright claim was unlawful and unacceptable, pointing out that the California Public Records Act (CPRA) allows copyrighted material to be made available to the public.




So what should we trademark? Generic.com? Privacy.org? Not-A-Trademark.com?
Booking.com wins at Supreme Court with law written decades before the internet
The U.S. Supreme Court ruled Tuesday that a company can get a federal trademark by tacking on the dot-com domain name to a common word if enough people think of the result as a distinctive brand name, in a decision applying the 74-year-old law governing trademarks to the Internet age.
The ruling was a victory for the hotel reservation site Booking.com, which had been denied a federal trademark.
The U.S. Patent and Trademark Office said the term was generic, the very opposite of a trademark. The government rejected similar requests to grant protection to Hotels.com and Lawyers.com. But lower federal courts said that was wrong. They found that nearly 75 percent of respondents in a survey considered Booking.com to be a distinctive brand name.
By an 8-1 vote, the Supreme Court said it was distinctive enough. Justice Ruth Bader Ginsburg's majority opinion said a term is generic only if consumers think of it as representing a broad class of services. But if they think it refers to something specific, it can be trademarked.




A great collection of articles.
12 Essential Strategy Insights
For decades, researchers have published findings in MIT Sloan Management Review about developing and executing strategy. This collection offers a dozen of our most popular strategy articles of all time.




Perspective.
An Infrastructure Arms Race Is Fueling the Future of Gaming
As videogame companies increasingly shift to the cloud, data centers have taken on outsized importance.




Jobs my students might want…
What is a Chief Technology Officer? Everything you need to know about the CTO
The chief technology officer (CTO) is the executive responsible for managing technology within an organisation; that can include everything from creating a technology strategy through to cybersecurity and on to product development. They need to understand broad technology trends and be able to align innovation with business goals.
Salary research specialist PayScale says popular skills for CTOs include expertise in software architecture, leadership, IT management, product development, and project management. However, CTOs are increasingly prized for their knowledge of pioneering areas of technology, such as digital products, technical vision and research and development (R&D).




Tips for my students.
Good dashboard design: 8 tips and best practices for BI teams
Dashboards display KPIs and other data for business executives, managers and workers in a visual interface. Good dashboard design starts by thinking about UX, as well as the data needs of users and the overall goals of the business. It's not just about presenting numbers, but also figuring out what to draw attention to and how to do so effectively.
"Analytics is only powerful if it drives action," said Penny Wand, director in the technology practice at IT and business consultancy West Monroe Partners.
Here are eight tips for designing effective dashboards and deploying them as part of business intelligence initiatives to provide views of revenue, product sales, orders and other business metrics.




Why Kim blew up that liaison office…
Kim Jong Un reportedly blew up office over ‘dirty depictions’ of his wife
North Korean President Kim Jong Un was so furious about the “dirty, insulting” depictions of his wife in an anti-Pyongyang leaflet campaign initiated by defectors in South Korea that he blew up a liaison office with Seoul and threatened to take military action, according to a report Monday.
The leaflets, carried over the highly militarized border by balloons, are a propaganda tactic that the two countries have used since the Korean War.



Tuesday, June 30, 2020


Pros and Cons, who’s winning?
What Facial Recognition Technology Can Do for Safety Right Now—And What It Can’t Do Yet
Everyone’s looking for ways to stay safer now, and many are looking to technology for help. Facial recognition is one of the tools that government agencies and businesses are exploring—both to slow the spread of the new coronavirus and to protect data from cybercriminals trying to profit from pandemic-related disruption. However, it’s not always immediately clear what facial recognition can do reliably now, what it can’t do and what it can do when people are wearing masks, sunglasses and other items that obscure the face.


(Related) What was the strategy?
Angelica Mari reports
The company responsible for the operation of São Paulo’s subway system has failed to demonstrate sufficient evidence that it is ensuring the protection of user privacy in the implementation of a new surveillance system that will use facial recognition technology.
This is the conclusion of a group of consumer rights bodies following the conclusion of legal action initiated against Companhia do Metropolitano de São Paulo (METRO) about a project aimed at modernizing the subway’s surveillance system.
Read more on ZDNet.




Better than the GDPR?
From Hunton Andrews Kurth:
Zeyn Bhyat of ENSafrica reports that on June 22, 2020, it was announced that South Africa’s comprehensive privacy law known as the Protection of Personal Information Act, 2013 (the “POPIA”) will become effective on July 1, 2020. POPIA acts as the more detailed framework legislation supporting South Africa’s constitutional right to privacy.
POPIA has been a work-in-progress since it was earmarked for implementation by the South African Law Reform Commission in 2005. The delay in its enactment was attributable, in part, to the publication of the draft EU General Data Protection Regulation (“GDPR”) in 2013, as the POPIA drafting committee paused to consider some of the proposed innovations in the GDPR and also to take steps to ensure that the South African privacy regulator (i.e., the Information Regulator (“SAIR”)) was given an opportunity to develop operational capabilities.




Suggests we may not have a lot of support for a strong federal privacy law.
Why Trump’s administration is going after the GDPR
As the EU touts the “success” of its flagship privacy law, the General Data Protection Regulation (GDPR), Donald Trump’s administration is ramping up attacks on a system it says provides cover to cybercriminals and threatens public health.
Many of those arguments — namely, that the GDPR has rendered a database of domain name owners, WHOIS, far less effective in tracking down suspected cybercriminals — are the same today as they were two years ago.
Yet in the past few weeks, as EU privacy watchdogs wrapped up their first major probes into U.S. companies and Google lost an appeal against a €50 million fine in France, the criticism from Washington has grown more fervent, and a lobbying campaign has gotten underway in the U.S. to push back against the effects of the GDPR at home.




Whatever Mr. Zillman seeks, he finds. Always worth looking for hidden treasures in these lists.
2020 Directory of Directories
Via LLRX 2020 Directory of Directories This new guide by Marcus P. Zillman is a comprehensive listing of directory, subject guide and index resources and sites on the Internet. The guide includes sites in the private, public, corporate, academic and non-profit sectors and spans the following subject matters: Academic/Education; Economics/Business; Government and Statistics; Humanities; Information and Information Science; Law; Medicine; News; Science and Engineering; and Social Sciences.



Monday, June 29, 2020


I lecture about maturity models a lot. I’d like to produce mature IT managers. Government likes to produce its own ‘Catch 22.’
Achieving CMMC Compliance: Navigating Unchartered Waters
Does your organization do business with the Department of Defense (DoD) and process, store, or transmit Controlled Unclassified Information (CUI)? If so, you probably rushed to create documentation to self-attest NIST SP 800-171 compliance when DoD issued the Defense Federal Acquisitions Regulations System (DFARS) 252.204-7012 back in 2017 to protect CUI confidentiality.
Things are different now, with the introduction of the Cybersecurity Maturity Model Certification (CMMC) in January 2020 (cue warning music). This new program just changed the calculus for about 350,000 businesses that deal with the DoD in every aspect—from supply chain to cybersecurity. Although the CMMC security requirements are not that different from 800-171 (in fact, all 110 requirements are included in CMMC Level 3, verbatim), CMMC introduces a few new things, including the need for a pre-award validation of CMMC compliance using an accredited independent auditor. Uh-oh! You are also required to show you are compliant with DFARS clause 252.204-7012, which includes implementing additional requirements related to incident reporting and forensics, commonly referred to as clauses (C)–(G).
That, of course, creates a whole new set of challenges for businesses that will have to comply by October 2020, according to DoD’s current projections.
As of this date, the CMMC Accreditation Board (AB) has not announced accreditation guidelines for how to become one of those auditors—called a C3PAO—so no such auditors exist.




Recourse.
From the Reference Desk: Cyber Operations and International Law
FCIL Special Interest Section of AALL – Jonathan Pratter – “A student had a question: If State A doxes State B for hacking State C, what would be the result under international law? The student was in the law school class, International Law of Cyber Conflict. My immediate response was, “That is a good question. Let me get back to you.” Every reference librarian needs a fall-back response like this. We can’t know everything immediately. The question was substantive, but since the student was asking a librarian, I understood that she wanted to know what resources there are that would help answer the question…”




Gartner talks to CIO’s and other IT leaders. This is interesting!
100 Data and Analytics Predictions Through 2024
The digital business future provides organizations with nearly unlimited possibilities to create business value. Increasingly, data and analytics have become a primary driver of business strategy, and the potential for data-driven business strategies and information products is greater than ever. It is a part of everything that organizations do. Yet, for many, the ability to “think in data” is still difficult.
Gartner’s annual predictions disclose the varied importance of data and analytics across an ever-widening range of business and IT initiatives.
Complete the form to get your free copy.




A tool for “WHEN.” Also some forensic applications?
Microsoft’s New ‘Windows File Recovery’ Tool Restores Deleted Data
How To Recover Deleted Data With The New Microsoft Windows 10 File Recovery Tool: “Anyone who has accidentally deleted a file knows the panic that comes with the mistake. Sometimes you can find the files in the recycle bin and restore them, but other times the files are just plain gone. Anyone familiar with how Windows and other operating systems work might know that files aren’t actually deleted, they’re marked to allow other data to overwrite them in the future. That means with the right recovery software, there is a chance to recover “deleted” files like images or documents. To that end, Microsoft has quietly launched a new tool specifically to help with this task. The new tool is called Windows File Recovery and it’s free…the tool can be found here, and the app is available to download here …”




“Evidence” Washington is infected?