Saturday, November 07, 2020

Just to demonstrate that we are not battling amateurs.

https://www.databreaches.net/ransomware-crims-read-our-bank-balance-and-demanded-the-lot-reveals-scotlands-dundee-and-angus-college/

Ransomware crims read our bank balance and demanded the lot, reveals Scotland’s Dundee and Angus College

Ransomware operators often do their research on their victim to know what assets to go after. Here’s an example where threat actors did their research, but were perhaps too greedy in their demands. Gareth Corfield reports:

The criminals who took out Scotland’s Dundee and Angus College made a ransom demand that precisely added up to the contents of its bank account – and that was no accident, its principal has said… “The cyber attackers had managed to get access to our bank account and knew how much money we had in it, which was the budget for the whole year. They demanded a ransom of exactly that amount, which we were never going to be able to pay,” Hewitt told Jisc.

Read more on The Register.





Seems biased to me. No taxation without representation! (By AI legislators?)

https://searchenterpriseai.techtarget.com/feature/AI-might-not-have-rights-but-it-could-pay-taxes

AI might not have rights, but it could pay taxes

Artificial intelligence systems shouldn't have rights, but they might have to pay taxes.

That's according to Ryan Abbott, professor of law and health sciences at the University of Surrey in Guildford, England.

During a virtual panel discussion on AI rights at Washburn University School of Law's symposium on the topic, Abbott said that while AI systems now "do the sorts of things people used to do," they don't have consciousness or morals, and thus don't deserve rights.

If AGI were created, it could deserve humanlike rights, noted David Opderbeck, professor of law and co-director of the Gibbons Institute of Law, Science & Technology at Seton Hall University School of Law in Newark, N.J.

That's not to say governments shouldn't subject current AI systems to laws, however.

Tax laws, for example, don't currently take automated workers into account. While human employees contribute payroll and income taxes, an automated "employee" doesn't, Abbott noted.

Governments could lose out on quite a bit of income tax as AI becomes more prevalent and possibly displaces more human workers. Granted, that argument only works if displaced employees don't find other jobs. Abbott predicted that that may happen as AI becomes smarter at a rate that outpaces people's ability to learn new skills or find job training.

"Automation threatens our tax revenue," Abbott said, noting that the biggest sources of federal tax revenue in the U.S. are income and payroll taxes.





Medical-grade coffee may have a future in politics.

https://dilbert.com/strip/2020-11-07



Friday, November 06, 2020

What if they went after the Supreme Court while it was considering election issues…

https://www.theregister.com/2020/11/06/brazil_court_ransomware/

Ransomware attack shutters Brazilian courts. But did attackers breach the virtual machine divide?

Brazil’s Superior Tribunal de Justiça has temporarily shut down after a suspected ransomware attack.

The Tribunal (STJ) is second-highest of Brazil’s courts and is the highest court that decides on federal matters other than constitutional law. At the time of writing, the court’s website consists of nothing but a series of updates on the attack. Those notifications state that a virus attack was detected on November 3, when court networks were shut down as a precaution.

The most recent update says the attack encrypted data related to legal proceedings, email, and administrative contracts. The statement says the data has been backed up and that work to restore systems is under way, with court business to resume on Monday November 9. Which will be more than welcome because hundreds of cases have been suspended due to the incident.





You probably won’t get all of your employees to read this paper, but you need to.

https://dl.acm.org/doi/10.1145/3415231

How Experts Detect Phishing Scam Emails

Phishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduce the number of phishing emails received, they are not perfect and phishing remains one of the largest sources of security risk in technology and communication systems. To better understand the cognitive process that end users can use to identify phishing messages, I interviewed 21 IT experts about instances where they successfully identified emails as phishing in their own inboxes. IT experts naturally follow a three-stage process for identifying phishing emails. In the first stage, the email recipient tries to make sense of the email, and understand how it relates to other things in their life. As they do this, they notice discrepancies: little things that are "off" about the email. As the recipient notices more discrepancies, they feel a need for an alternative explanation for the email. At some point, some feature of the email --- usually, the presence of a link requesting an action --- triggers them to recognize that phishing is a possible alternative explanation. At this point, they become suspicious (stage two) and investigate the email by looking for technical details that can conclusively identify the email as phishing. Once they find such information, then they move to stage three and deal with the email by deleting it or reporting it. I discuss ways this process can fail, and implications for improving training of end users about phishing.





Perspective. (Will the US follow their lead?)

https://www.theregister.com/2020/11/06/surveillance_camera_commissioner_80000_half_uk_councils/

Snap-crappy: 183 Brit local authorities operate 80,000 CCTV cams between them, says surveillance watchdog

"There are over 6,000 systems and 80,000 cameras in operation across 183 LAs!" So exclaimed the UK's outgoing Surveillance Camera Commissioner as he detailed just how many council CCTV cameras there are across the nation.

In a public plea asking councils to take compliance with surveillance laws seriously, Tony Porter lifted the lid on the scale and depth of CCTV camera deployment across Great Britain.

The figure of 80,000 cameras across 183 councils covers just under half of Britain's 343 local authorities (LAs), meaning district and county councils, unitary authorities, metropolitan districts and London boroughs.

Local authorities have access to "recent innovations such as dash cams and body-worn video" deployed across the length and breadth of boroughs and counties, as Porter explained in a recent blog post asking councils to ensure they comply with the Protection of Freedoms Act 2012.





It’s for your own good!

UK: Woman threatened with police visit after refusing to download NHS corona tracking app

Cindy Harper reports:

A British woman has been threatened with a visit from police for refusing to download the NHS coronavirus tracking app on her smartphone and allowing herself to be tracked. This is the latest story in how the coronavirus is leading to an erosion of civil liberties in many countries.
The woman recently tested positive for COVID and is in self-isolation at home.

Read more on Reclaim the Net.





Correlation is not causation, except when it is.

https://www.bespacific.com/counties-with-worst-virus-surges-overwhelmingly-voted-for-trump/

Counties with worst virus surges overwhelmingly voted for Trump

AP – “U.S. voters went to the polls starkly divided on how they see President Donald Trump’s response to the coronavirus pandemic, with a surprising twist: In places where the virus is most rampant now, Trump enjoyed enormous support. An Associated Press analysis reveals that in 376 counties with the highest number of new cases per capita, the overwhelming majority — 93% of those counties — went for Trump, a rate above other less severely hit areas. Most were rural areas in Montana, the Dakotas, Nebraska, Kansas, Iowa and Wisconsin. Taking note of the contrast, state health officials are pausing for a moment of introspection. Even as they worry about rising numbers of hospitalizations and deaths, they hope to reframe their messages and aim for a reset on public sentiment now that the election is over. “Public health officials need to step back, listen to and understand the people who aren’t taking the same stance” on mask-wearing and other control measures, said Dr. Marcus Plescia of the Association of State and Territorial Health Officials. “I think there’s the potential for things to get less charged and divisive,” he said, adding that there’s a chance a retooled public health message might unify Americans around lowering case counts so hospitals won’t get swamped during the winter months. The AP’s analysis was limited to counties in which at least 95% of precincts had reported results, and grouped counties into six categories based on the rates of COVID-19 cases they’d experienced per 100,000 residents…”





Might be useful for ‘normal people’ too.

https://www.makeuseof.com/tag/sites-law-students/

The 10 Best Websites for Law Students





I’ll ask my niece to explain some of these.

https://www.makeuseof.com/tag/20-awesome-music-extensions-for-chrome/

The 20 Best Music Extensions for Google Chrome

… since the selection of music extensions available for Chrome is changing all the time, it can be easy to miss the best ones coming onto the scene. You may not even realize how much you needed a certain one until you try it.



Thursday, November 05, 2020

If you have an interest in Privacy, you will want to listen to this!

https://www.law.du.edu/privacy-foundation

The Privacy Foundation at the University of Denver Sturm College of Law

Friday, October 30, 2020 12:00 - 1:00 pm Via Zoom

Facial Recognition & Privacy Session Recording

(This session recording is password protected. Please contact Vincent Gonzales vgonzales@law.du.edu for the password)





I’m shocked! Shocked I tell you!

https://www.databreaches.net/don-t-pay-ransom-on-the-promise-your-data-will-be-deleted-because-it-wont-be-coveware/

Don’t pay ransom on the promise your data will be deleted, because it won’t be — Coveware

    In Coveware’s Q3 2020 report, there’s a section on criminals not keeping their word about deleting data if you’ll just pay them their extortion demands (imagine criminals not keeping their word — oh, the shock):

    PAYING A RANSOM MAY NOT STOP RANSOMWARE GROUPS FROM LEAKING THE EXFILTRATED DATA
    Coveware feels that we have reached a tipping point with the data exfiltration tactic. Despite some companies opting to pay threat actors to not release exfiltrated data, Coveware has seen a fraying of promises of the cybercriminals (if that is a thing) to delete the data. The below list includes ransomware groups whom we have observed publicly DOX victims after payment, or have demanded a second extortion payment from a company that had previously paid to have the data deleted / not leaked:
    • Sodinokibi: Victims that paid were re-extorted weeks later with threats to post the same data set.

    • Maze / Sekhmet / Egregor (related groups): Data posted on a leak site accidentally or willfully before the client understood there was data taken.

    • Netwalker: Data posted of companies that had paid for it not to be leaked

    • Mespinoza: Data posted of companies that had paid for it not to be leaked

    • Conti: Fake files are shown as proof of deletion

    Although victims may decide there are valid reasons to pay to prevent the public sharing of stolen data, Coveware’s policy is to advise victims of data exfiltration extortion to expect the following if they opt to pay:
    • The data will not be credibly deleted. Victims should assume it will be traded to other threat actors, sold, or held for a second/future extortion attempt
    • Stolen data custody was held by multiple parties and not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies so that they can extort the victim in the future
    • The data may get posted anyway by mistake or on purpose before a victim can even respond to an extortion attempt
    They present a powerful case for not paying that second extortion. But can victims get the decryption key without paying the second part of the ransom? Won’t threat actors just increase the ransom for the decryption key if they learn that their victims will NOT pay them to delete data or promise not to publish it?
    In a way, I think it’s a shame that Coveware and other experts haven’t publicly and immediately pointed out when criminals have broken their word. Maybe if they had/did, other victims wouldn’t have paid the ransom when criminals assured them that their word was good because if they lied, no one would ever believe them again.

Read Coveware’s full report on their site.





New law.

https://fpf.org/2020/11/04/californias-prop-24-the-california-privacy-rights-act-passed-whats-next/

California’s Prop 24, the “California Privacy Rights Act,” Passed. What’s Next?

California voters approved Proposition 24 (the California Privacy Rights Act) (CPRA) (full text here). Garnering 56.1% of the vote so far, the initiative will almost certainly meet the majority threshold to become the new law of the land in California.



(Related)

Portland, Maine Votes to Add Teeth to Ban on Facial Recognition

From EPIC.org:

Voters in Portland, Maine passed a ballot initiative that strengthens the city’s ban on the use of facial recognition by law enforcement and city agencies. The City Council previously passed an order banning face surveillance, but the initiative strengthens the ban with a private right of action and penalties for violations of the law. A growing list of cities have banned facial recognition technology, including Boston, Oakland, San Francisco, and Portland, Oregon. EPIC has launched a campaign to Ban Face Surveillance and through the Public Voice coalition gathered the support of over 100 organizations and many leading experts across 30 plus countries. Earlier this year, an EPIC-led coalition called on the Privacy and Civil Liberties Oversight Board to recommend the suspension of face surveillance systems across the federal government.



(Related)

Michigan Passes Warrant Requirement for Electronic Data Searches

Alex Ebert reports:

Michigan voters approved a state constitutional amendment that will require state and local law enforcement officers to get a warrant before searching through suspects’ electronic data.

Read more on Bloomberg Law.





Getting closer to eliminating lawyers?

https://thenextweb.com/offers/2020/11/05/with-docpro-you-can-create-all-your-own-legal-documents-for-your-business-in-minutes/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheNextWeb+%28The+Next+Web+All+Stories%29

With DocPro, you can create all your own legal documents for your business in minutes

TLDR: With DocPro, you get access to over 1,500 templates for legal documents of every kind, all fully customizable for all your business and personal needs.





At least they are thinking about it. Let’s hope corporate Boards are doing the same.

Military AI Is Bigger Than Just The Kill Chain: JAIC Chief

The military must not get so fixated on using artificial intelligence to find targets that it neglects its wider applications from deployment planning to escalation control, warns the new director of the Pentagon’s Joint AI Center.

In recent field tests, an experimental Army AI was able to find targets in satellite imagery and relay target coordinates to artillery in under 20 seconds. Accelerating the “kill chain” from detection to destruction this way is a powerful but narrow application of artificial intelligence, said Lt. Gen. Michael Groen, a Marine Corps intelligence officer who took over JAIC on Oct. 1st.

Misapplication of AI raises the potential for “rapid escalation and strategic instability,” Groen told an NDIA conference last week. “That’s really where we have to…go back to ethical principles.

The principles for military AI promulgated in February, Groen noted, require artificial intelligence to be “governable.” To quote that policy (the emphasis is ours): “The Department will design and engineer AI capabilities to fulfill their intended functions while possessing the ability to detect and avoid unintended consequences, and the ability to disengage or deactivate deployed systems that demonstrate unintended behavior.”





Learning is never done.

https://www.cnbc.com/2020/11/04/valuable-skills-to-learn-before-2021-and-where-to-find-free-online-courses-according-to-futurist.html

These are the top 5 skills to learn right now, says futurist—and where to find free online courses

As a futurist who has helped more than 1,000 companies adapt to change and uncertainty, I’ve found that, while hard skills remain important, there are five forward-thinking — and often ignored — soft skills you need in order to remain valuable and relevant in a rapidly-changing workforce.

Here are the skills to master before 2021, along with the best free online courses to help you build upon them:

1. Futuristic thinking skills

2. Courageous leadership skills

3. Emotional intelligence skills

4. Interpersonal communication skills

5. Cognitive flexibility



Wednesday, November 04, 2020

Might I suggest: Secure first, smoke later?

https://www.zdnet.com/article/configuration-snafu-exposes-passwords-for-two-million-marijuana-growers/#ftag=RSSbaffb68

Configuration snafu exposes passwords for two million marijuana growers

GrowDiaries, an online community where marijuana growers can blog about their plants and interact with other farmers, has suffered a security breach in September this year.

The breach occurred after the company left two Kibana apps exposed on the internet without administrative passwords.





Learn to hate your neighbor?

https://threatpost.com/police-livestream-ring-camera-mississippi/160936/

Police to Livestream Ring Camera Footage of Mississippi Residents

Police in Mississippi are testing a program in which they can livestream video from Ring cameras installed at private homes and businesses. The move is sounding an alarm bell with the American Civil Liberties Union (ACLU) and other privacy advocates who have long disapproved of the Amazon-owned company’s alliance with law enforcement.

The program in Jackson, Miss., to use the Ring door cameras as part of surveillance efforts, is being touted as a new way to help police fight rising crime, according to a report in the Jackson Free Press.

Police have partnered with two technology companies – Jackson-based tech consulting company PILEUM and Georgia-based cloud services provider Fusus – to allow law enforcement to access private Ring camera surveillance of residents or businesses who agreed to participate in the 45-day program. If private participants allow, the city now has permission to access those cameras through the platform, and could use the data collected to track criminal activity.

The ACLU, however, called the launch of the program its “worst fears” being “confirmed,” in a Tuesday blog post by ACLU policy analyst Matthew Guariglia.





Will this get their attention?

https://www.computerweekly.com/news/252491537/GDPR-lawsuit-against-Oracle-and-Salesforce-moves-forward

GDPR lawsuit against Oracle and Salesforce moves forward

The data processing policies and practices of two of the world’s largest software companies, Salesforce and Oracle, will come under scrutiny in the High Court of England and Wales in the biggest digital privacy class action lawsuit ever filed.

The suit, filed by privacy campaigner and data protection specialist Rebecca Rumbul, is seeking damages that have been estimated in excess of £10bn, which could conceivably lead to awards of £500 for every internet user in the UK. A parallel suit in the Netherlands backed by a Dutch group called The Privacy Collective Foundation could take the total damages to more than €15bn.





Another perspective.

https://www.statnews.com/2020/11/03/artificial-intelligence-health-care-ten-steps-to-ethics-based-governance/

Ten steps to ethics-based governance of AI in health care

Artificial intelligence has the potential to transform health care. It can enable health care professionals to analyze health data quickly and precisely, and lead to better detection, treatment, and prevention of a multitude of physical and mental health issues.

Artificial intelligence integrated with virtual care — telemedicine and digital health — interventions are playing a vital role in responding to Covid-19. Penn Medicine, for example, has designed a Covid-19 chatbot to stratify patients and facilitate triage. Penn is also using machine learning to identify patients at risk for sepsis.

The University of California, San Diego, health system is applying AI by using machine learning to augment lung imaging analyses for detecting pneumonia in chest X-rays to identify patients likely to have Covid-19 complications. The U.S. Veterans Health Administration is piloting an AI tool to predict Covid-19 outcomes such as length of hospitalization and death. Mass General Brigham developed a Covid-19 screener chatbot to rapidly stratify sick patients, facilitate triage of patients to appropriate care settings, and alleviate the workload on contact centers.

… A data governance framework based on the following 10 steps can help health care systems embrace artificial intelligence applications in ways that reduce ethical risks to patients, providers, and payers.





Worth studying.

https://fpf.org/2020/11/04/understanding-blockchain-a-review-of-fpfs-oct-29th-digital-data-flows-masterclass/

Understanding Blockchain: A Review of FPF’s Oct. 29th Digital Data Flows Masterclass

On 29 October 2020, Vrije Universiteit Brussel (VUB) and Future of Privacy Forum (FPF) hosted the eighth Digital Data Flows Masterclass. The masterclass on blockchain technology completes the VUB-FPF Digital Data Flows Masterclass series.

The most recent masterclass explored the basics of how blockchain technologies work, including established and proposed use cases, which were then evaluated through the lens of privacy and data protection.

The slides of the presenters can be accessed here and here.

The recording of the class can be accessed here.



Tuesday, November 03, 2020

Deep pockets are huge targets.

https://www.techradar.com/news/this-could-be-the-most-expensive-data-breach-ever

This could be the most expensive data breach ever

JM Bullion, which sells gold, silver, copper, platinum and palladium, became the victim of a cyberattack back in February that was not discovered until July. It remains unclear why the hack is only just being disclosed publicly.

This type of attack is known as MageCart and works by placing lines of malicious JavaScript code into a website. Then, when an individual enters payment information, the code diverts it to an external server operated by the hacker.

    … “Through an investigation, it was determined that malicious code was present on the website from February 18, 2020 to July 17, 2020, which had the ability to capture customer information entered into the website in limited scenarios while making a purchase.”





Again, for my Ethical Hackers.

https://www.bespacific.com/cyberlaw-clinic-and-eff-publish-guide-to-legal-risks-of-security-research/

Cyberlaw Clinic and EFF publish Guide to Legal Risks of Security Research

Cyberlaw Clinic: “We are excited to announce the release of A Researcher’s Guide to Some Legal Risks of Security Research (pdf), a report authored by Sunoo Park and Kendra Albert, and co-published by the Cyberlaw Clinic and the Electronic Frontier Foundation (EFF). Just last month, over 75 prominent security researchers signed a letter urging the Supreme Court not to interpret the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking / computer crime statute, in a way that would criminalize swaths of valuable security research. The case in question, Van Buren v. United States, is still pending. Meanwhile, security researchers routinely face legal risks and receive legal threats, with documented chilling effects on their work. This harms security research, which in turn harms the security of the technologies on which we all increasingly rely. Such risk extends beyond anti-hacking laws, implicating copyright law and anti-circumvention provisions (DMCA §1201), electronic privacy law (ECPA), and cryptography export controls, as well as broader legal areas such as contract and trade secret law. Our Guide gives the most comprehensive presentation to date of this landscape of legal risks, with an eye to both legal and technical nuance. Aimed at researchers, the public, and technology lawyers alike, it aims both to provide pragmatic guidance to those navigating today’s uncertain legal landscape, and to provoke public debate towards future reform…”





Your face on a body camera or other video is like leaving fingerprints behind, but not in this case. Police found a face on Twitter and “identified” it before running it through the system. (Or is the article wrong?)

https://www.washingtonpost.com/local/legal-issues/facial-recognition-protests-lafayette-square/2020/11/02/64b03286-ec86-11ea-b4bc-3a2098fc73d4_story.html

Facial recognition used to identify Lafayette Square protester accused of assault

A line of U.S. Park Police officers pushed protesters back from Lafayette Square on June 1, firing pepper balls and rolling canisters spewing irritant gas into the retreating crowds on H Street NW, video shows.

Amid screams and smoke, a man in a tie-dye T-shirt pulled an officer to the ground and punched him in the face, before disappearing into the chaos, according to charging documents.

The man grabbed another officer, before police caught up with him and attempted to make an arrest, authorities said. But the man wrestled free and vanished once again.

The protester might never have been identified, but an officer found an image of the man on Twitter and investigators fed it into a facial recognition system, court documents state. They found a match and made an arrest.

The court documents are believed to be the first public acknowledgment that authorities used the controversial technology in connection with the widely criticized sweep of largely peaceful protesters ahead of a photo op by President Trump.





Executive orders are not magic wands…

https://www.makeuseof.com/tiktok-dodges-us-ban-again/

TikTok Dodges a US Ban Once Again

TikTok was supposed to be officially removed from US app stores on September 20th, however, a federal judge delayed the ban. Even still, that judge's ruling didn't block the other portion of Trump's executive order that would stop all use of TikTok starting November 12th.

In response to the potential November 12th ban, three TikTok influencers filed a lawsuit against the Trump administration. The influencers cited that a TikTok ban would hurt their ability to earn a living. The influencers who filed the suit, Cosette Rinab, Douglas Marland, and Alec Chambers each have millions of followers on TikTok.





Best election forecasting site. (If you can’t stand the suspense.)

https://projects.fivethirtyeight.com/2020-election-forecast/





Freebie.

https://www.infoq.com/articles/book-review-accelerating-software-quality/

Q&A on the Book Accelerating Software Quality

The book Accelerating Software Quality by Eran Kinsbruner explores how we can combine techniques from artificial intelligence and machine learning with a DevOps approach to increase testing effectiveness and deliver higher quality. It provides examples and recommendations for using AI/ML-based solutions in software development and operations.

InfoQ readers can download a sample of Advancing Software Quality.