Friday, July 29, 2022

Imagine a hacker who thinks he is untouchable…

https://www.politico.com/news/2022/07/28/justice-department-data-breach-federal-court-system-00048485

Justice Department investigating data breach of federal court system

House Judiciary Committee Chair Jerrold Nadler (D-N.Y.) told fellow lawmakers that “three hostile foreign actors” attacked the U.S. Courts’ document filing system as part of a breach in early 2020 causing a “system security failure.” The comments — at a committee hearing on oversight of the Justice Department’s National Security Division — were the first public disclosure of the hack.

Nadler said the committee learned in March about the “startling breadth and scope” of the breach, which was separate from the SolarWinds hack revealed in late 2020. SolarWinds involved Russian government-backed hackers infiltrating the networks of over a dozen U.S. federal agencies for much of 2020, including the federal courts systems.



(Related)

https://www.theregister.com/2022/07/29/us_judiciary_attack/

US court system suffered 'incredibly significant attack' – sealed files at risk

That incident may have exploited vulnerabilities in CM/ECF and "greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings."

Such documents are filed by the US government in cases that touch on national security, and therefore represent valuable intelligence.





A sign that organizations are taking ransomware seriously?

https://www.databreaches.net/ransom-payments-fall-as-fewer-victims-choose-to-pay-hackers/

Ransom payments fall as fewer victims choose to pay hackers

Bill Toulas reports:

Ransomware statistics from the second quarter of the year show that the ransoms paid to extortionists have dropped in value, a trend that continues since the last quarter of 2021.
Ransomware remediation firm Coveware has published a report today with ransomware data from the second quarter of 2022 showing that although the average payment increased, the median value recorded a significant drop.

Read more at BleepingComputer.



Thursday, July 28, 2022

I’m willing to have investment cash poured on me. Just saying.

https://www.ft.com/content/b6f0796e-0265-40c6-ad4c-a900cd788c39

Why are investors pouring money into legal technology?

Backers eye potential for digital tools to speed up pace and effectiveness of legal work. Plus: seven case studies, and four questions to ask before you buy





I see a revision to my Ethical Hacking syllabus is indicated.

https://thehackernews.com/2022/07/us-offers-10-million-reward-for.html

U.S. Offers $10 Million Reward for Information on North Korean Hackers

The U.S. State Department has announced rewards of up to $10 million for any information that could help disrupt North Korea's cryptocurrency theft, cyber-espionage, and other illicit state-backed activities.





Where have you been? How often? Why drive so fast?

https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car

Who Is Collecting Data from Your Car?

A firehose of sensitive data from your vehicle is flowing to a group of companies you’ve probably never heard of

Today’s cars are akin to smartphones, with apps connected to the internet that collect huge amounts of data, some of which is highly personal.

Most drivers have no idea what data is being transmitted from their vehicles, let alone who exactly is collecting, analyzing, and sharing that data, and with whom. A recent survey of drivers by the Automotive Industries Association of Canada found that only 28 percent of respondents had a clear understanding of the types of data their vehicle produced, and the same percentage said they had a clear understanding of who had access to that data.

Welcome to the world of connected vehicle data, an ecosystem of dozens of businesses you never knew existed.

The Markup has identified 37 companies that are part of the rapidly growing connected vehicle data industry that seeks to monetize such data in an environment with few regulations governing its sale or use.





Some perspective.

https://techcrunch.com/2022/07/27/an-ai-for-art-copyright-considerations-for-artificial-intelligence/

An AI for art: Copyright considerations for artificial intelligence

We briefly set out the differences between AI inventorship in the context of patents, and AI authorship in copyright law. We then consider how the U.K. Court might approach the issue of AI authorship and joint authorship and conclude with some useful considerations for AI programmers and authors to have in mind.



(Related) Same debate, different angle?

https://www.engadget.com/dall-e-generative-ai-tracking-data-privacy-160034656.html

Is DALL-E's art borrowed or stolen?

Creative AIs can't be creative without our art.





A new sheriff in town. What if I approach Meta?

https://www.nytimes.com/2022/07/27/technology/meta-facebook-vr-ftc.html

F.T.C. Sues to Block Meta’s Virtual Reality Deal as It Confronts Big Tech

The move is a potential blow to Meta’s metaverse efforts and signals a shift in how the Federal Trade Commission is approaching tech deals.

The antitrust lawsuit is the first under Lina Khan, the commission’s chair and a leading progressive critic of corporate concentration, against one of the tech giants. Ms. Khan has argued that regulators must stop competition and consumer protection violations when it comes to the bleeding edge of technology, including virtual and augmented reality, and not just in areas where the companies have already become behemoths.

The F.T.C.’s request for an injunction puts Ms. Khan on a collision course with Mark Zuckerberg, Meta’s chief executive, who is also named as a defendant in the request. He has poured billions of dollars into building products for virtual and augmented reality, betting that the immersive world of the metaverse is the next technology frontier. The lawsuit could crimp those ambitions.

“Meta could have chosen to try to compete with Within on the merits,” the F.T.C. said in its lawsuit, which was filed in the U.S. District Court for the Northern District of California. “Instead, it chose to buy” a top company in what the government called a “vitally important” category.



Wednesday, July 27, 2022

It’s only money! Are there any institutions that hackers would avoid because an attack would start a war? What defines a digital Pearl Harbor?

https://www.theregister.com/2022/07/27/weak_data_protection_helped_chinese/

Weak data protection helped China attack US Federal Reserve, report says

China's cyber espionage activities are extensive and sophisticated but when the Middle Kingdom tried to steal sensitive economic data from the US Fed, poor security meant its operatives didn't have to dip too far into their bags of tricks.

Or at least that’s according to the findings of an investigation by the Senate’s Committee on Homeland Security and Governmental Affairs, led by Republican Senator Rob Portman and released [PDF] on Tuesday.





Think about it. Nothing really new, but seldom mentioned.

https://www.csoonline.com/article/3667442/5-trends-making-cybersecurity-threats-riskier-and-more-expensive.html#tk.rss_all

5 trends making cybersecurity threats riskier and more expensive

Since the pandemic the cyber world has become a far riskier place. According to the Hiscox Cyber Readiness Report 2022, almost half (48%) of organizations across the U.S. and Europe experienced a cyberattack in the past 12 months. Even more alarming is that these attacks are happening despite businesses doubling down on their cybersecurity spend.

Cybersecurity is at a critical inflection point where five megatrends are making the threat landscape riskier, more complicated, and costlier to manage than previously reported. To better understand the evolution of this threat landscape, let’s examine these trends in more detail.





Perspective.

https://siliconangle.com/2022/07/27/ibm-security-report-finds-data-breaches-costlier-ever/

IBM Security report finds data breaches are costlier than ever before

A new report from IBM Security today reveals that data breaches are costlier and more impactful than ever before.

IBM Security’s 2022 Cost of a Data Breach Report, based on analysis of real-world data breaches experienced by 550 organizations globally between March 2021 and March 2022, found that the average cost of a data breach has hit an all-time high of $4.35 million.

Figures relating to large companies and the cost involved in dealing with data breaches may seem academic to many, but interestingly the report suggests that the increasing cost of these incidents — up 13% over the last two years — is contributing to rising costs of goods and services. Sixty percent of studied organizations raised their product or service prices after experiencing a data breach. Those increases come at a time the cost of goods is already increasing from inflation and supply chain issues.





Of course it’s surveillance software, but it’s packaged as part of the security software that will be in self-driving vehicles, even though these aren’t self-driving. Either way, this data is recorded and kept forever.

https://techcrunch.com/2022/07/27/drover-ai-is-using-computer-vision-to-keep-scooter-riders-off-sidewalks/

Drover AI is using computer vision to keep scooter riders off sidewalks

Shared micromobility companies have been adopting startlingly advanced new tech to correct for the thing that cities hate most — sidewalk riding. Some companies, like Bird, Neuron and Superpedestrian, have relied on hyper-accurate GPS systems to determine if a rider is riding inappropriately. Others, like Lime, have started integrating camera-based computer vision systems that rely on AI and machine learning to accurately detect where a rider is.

The latter camp has largely leaned on the innovations of Drover AI, a Los Angeles-based startup that has tested and sold its attachable IoT module to the likes of Spin, Voi, Helbiz, Beam and Fenix to help operators improve scooter safety and, most importantly, win city permits.

… “Our system can tell you, for example, the rider was on the bike lane for 20% of the time, 30% of the time on the sidewalk and the rest in the street,” said Nesic. “That can inform a lot of policy decisions on where to put bike lanes or whether the bike lanes you’ve invested in are working.”

Drover has been receiving interest from transportation agencies like Transport for London, as well as insurance companies that want this kind of granular data to understand how new mobility modes are being used in the infrastructure.





We think your great uncle Willie was a criminal so we want to test your DNA. (This will make more sense when you are old enough to understand.)

https://www.pogowasright.org/police-are-using-newborn-genetic-screening-to-search-for-suspects-threatening-privacy-and-public-health/

Police Are Using Newborn Genetic Screening to Search for Suspects, Threatening Privacy and Public Health

Crystal Grant writes:

Nearly every baby born in the U.S. has blood drawn in the immediate hours after their birth, allowing the baby to be tested for a panel of potentially life-threatening inherited disorders. This is a vital public health program, enabling early treatment of newborns with genetic disorders; for them, it can be the difference between a healthy life and an early death. But recent news suggests that police are seeking access to these newborn blood samples in criminal investigations. Such use of this trove of genetic material — to hunt for evidence that could implicate a child’s relative in a crime — endangers public trust in this vital health program and threatens all Americans’ right to genetic privacy.
A public records lawsuit filed in New Jersey this month details how police subpoenaed a newborn blood sample to investigate a 1996 cold case. While law enforcement’s desire to use these blood samples in criminal investigations was always a possibility — and one the ACLU has opposed — the increasing use of Investigative Genetic Genealogy (IGG) has only increased the government’s interest in easy access to people’s DNA.

Read more at ACLU.



Tuesday, July 26, 2022

I worry about absolute bans absolutely. Not sure how banning our government from purchasing the software would keep any other government from using it…

https://www.cyberscoop.com/house-intelligence-bill-combating-spyware/

Congress goes after spyware purveyors. Will it make a difference?

The Intelligence Authorization Act, which passed the House Intelligence Committee last week with bipartisan support, includes several spyware provisions. In addition to authorizing the Office of the Director of National Intelligence to ban contracts with foreign firms making surveillance tech and allowing the president to impose sanctions on firms targeting the intelligence community (IC) with spyware, the bill also augments funding for investigations into the use of foreign commercial surveillance software.

… “Foreign governments that previously had limited electronic spying capabilities can now purchase a package of tools that may allow them to access, undetected, any information stored on or transiting through a cell phone, tablet or computer connected to the internet,” the spokesperson said. “Nobody is safe from the reach of spyware, and that includes US government officials and Americans.”

Other experts said that the problem will be challenging to fix, especially since private companies have now overtaken nation-states as manufacturers of the technology.





A model solution for all anti-trust issues? What rules should apply?

https://www.bloomberg.com/news/articles/2022-07-26/uk-love-affair-with-music-streaming-delivers-for-britons-cma

UK ‘Love Affair’ With Music Streaming Delivers for Britons: CMA

The music streaming market dominated by a handful of major players is giving consumers a fair shake, the UK’s antitrust watchdog said in a much anticipated report, as it pulled back from a deeper investigation into the likes of Spotify Technology SA and Apple Inc.

The “concentrated” nature of the market dominated by just a handful of players is not “currently causing consumers harm,” and “labels nor streaming services appear to be making sustained excess profits,” the Competition and Markets Authority said in a statement on Tuesday.





A long article worth reading.

https://www.pogowasright.org/hey-siri-virtual-assistants-are-listening-to-children-and-then-using-the-data/

‘Hey Siri’: Virtual assistants are listening to children and then using the data

The VAPAs are continuously listening, recording and processing acoustic happenings in a process that has been dubbed “eavesmining,” a portmanteau of eavesdropping and datamining. This raises significant concerns pertaining to issues of privacy and surveillance, as well as discrimination, as the sonic traces of peoples’ lives become datafied and scrutinized by algorithms.

There is more being gathered than just uttered statements, as VAPAs and other eavesmining systems overhear personal features of voices that involuntarily reveal biometric and behavioural attributes such as age, gender, health, intoxication and personality.

Information about acoustic environments (like a noisy apartment) or particular sonic events (like breaking glass) can also be gleaned through “auditory scene analysis” to make judgments about what is happening in that environment.

Eavesmining systems already have a recent track record for collaborating with law enforcement agencies and being subpoenaed for data in criminal investigations. This raises concerns of other forms of surveillance creep and profiling of children and families.

This article is republished from The Conversation under a Creative Commons license. Read the original article.





Perspective.

https://www.bespacific.com/the-future-of-remote-work-according-to-6-experts/

The future of remote work, according to 6 experts

Vox – Make the case for working remotely — but not so much that your job gets outsourced. “Whether you’re a remote work booster or a skeptic, there are lots of unanswered questions about what happens next for remote work, especially as Covid-19 restrictions continue to fade and as fears of a recession loom. How many people are going to work remotely in the future, and will that change in an economic downturn? Will remote work affect their chances of promotion? What does it mean for where people live and the offices they used to work in? Does this have any effect on the majority of people who don’t get to work remotely? If employees don’t have to work in person to be effective, couldn’t their jobs be outsourced? It turns out there’s a dangerous line between arguing for remote work and arguing yourself out of a job. And since remote work makes employees less visible, they will have to find other ways to let higher-ups know they exist or risk being passed over for pay raises. Remote work will also have long-lasting effects on the built environment, requiring office owners to renovate and allowing employees the potential for a higher quality of living. Finally, what happens during a recession largely depends on whether your company decides to save money by reducing real estate or laying off the employees they never met. One thing that’s clear is that remote work is not going away. There are, however, a number of ways to make it better and more commonplace, and to ensure that it doesn’t harm you more than it helps. To get a better idea of what could be coming, we asked some of the most informed remote work thinkers — people who study economics, human resources, and real estate — to make sense of what to expect in the future of remote work. Their answers, edited for length and clarity, are below…”



(Related) Staffing your criminal enterprise...

https://www.theregister.com/2022/07/25/aig-unique-cybercrime-business/

Cyber-mercenaries for hire represent shifting criminal business model





Interesting but I have to ask if there is something we could do to “fix” digital devices to make them more like paper books? What is Kindle doing wrong?

https://www.bespacific.com/paper-books-linked-to-stronger-readers-in-an-international-study/

Paper books linked to stronger readers in an international study

The Hechinger Report: “An Organization for Economic Cooperation and Development (OECD) study across approximately 30 countries found that teens who said they most often read paper books scored considerably higher on a 2018 reading test taken by 15-year-olds compared to teens who said they rarely or never read books. Even among students of similar socioeconomic backgrounds, those who read books in a paper format scored a whopping 49 points higher on the Program for International Student Assessment, known as PISA. That’s equal to almost 2.5 years of learning. By comparison, students who tended to read books more often on digital devices scored only 15 points higher than students who rarely read – a difference of less than a year’s worth of learning. In other words, all reading is good, but reading on paper is linked to vastly superior achievement outcomes…”





Birds of a feather find each other on social media.

https://dilbert.com/strip/2022-07-26



Monday, July 25, 2022

I always classify these types of attacks as ‘Proof of Concept’ attacks. No matter who actually did it, or why they did it, it points out what is possible. And everyone makes note.

https://www.wired.com/story/france-paris-internet-cable-cuts-attack/

The Unsolved Mystery Attack on Internet Cables in Paris

Buried deep beneath your feet lie the cables that keep the internet online. Crossing cities, countrysides, and seas, the internet backbone carries all the data needed to keep economies running and your Instagram feed scrolling. Unless, of course, someone chops the wires in half.

On April 27, an unknown individual or group deliberately cut crucial long-distance internet cables across multiple sites near Paris, plunging thousands of people into a connectivity blackout. The vandalism was one of the most significant internet infrastructure attacks in France’s history and highlights the vulnerability of key communications technologies.

Now, months after the attacks took place, French internet companies and telecom experts familiar with the incidents say the damage was more wide-ranging than initially reported and extra security measures are needed to prevent future attacks. In total, around 10 internet and infrastructure companies—from ISPs to cable owners—were impacted by the attacks, telecom insiders say.





Is this force? Hold the iPhone up to a suspect’s face or mug shot or Facebook image?

https://www.pogowasright.org/the-fbi-forced-a-suspect-to-unlock-amazons-encrypted-app-wickr-with-their-face/

The FBI Forced A Suspect To Unlock Amazon’s Encrypted App Wickr With Their Face

Thomas Brewster reports:

In November last year, an undercover agent with the FBI was inside a group on Amazon-owned messaging app Wickr, with a name referencing young girls. The group was devoted to sharing child sexual abuse material (CSAM) within the protection of the encrypted app, which is also used by the U.S. government, journalists and activists for private communications. Encryption makes it almost impossible for law enforcement to intercept messages sent over Wickr, but this agent had found a way to infiltrate the chat, where they could start piecing together who was sharing the material.
As part of the investigation into the members of this Wickr group, the FBI used a previously unreported search warrant method to force one member to unlock the encrypted messaging app using his face.

Read more at Forbes.





Perspective.

https://teachprivacy.com/a-faustian-bargain-is-preemption-too-high-a-price-for-a-federal-privacy-law/

A Faustian Bargain: Is Preemption Too High a Price for a Federal Privacy Law?

I see hope breaking out all over the Twitterverse. The American Data Privacy and Protection Act (ADPPA) advanced out of Committee. This is still an early round in the Squid Game of making a law in this country, but this law might have what it takes. It could go all the way.



(Related)

https://www.cpomagazine.com/data-privacy/the-american-data-privacy-protection-acts-potential-flaws-and-implications/

The American Data Privacy Protection Act’s Potential Flaws and Implications

Serious discussion of a federal privacy law has been going on since 2018. It’s now four years later and the US is the only major country in the world that doesn’t have federal data protection. For example, the UK has the General Data Protection Regulation (GDPR). Russia, Japan, and Egypt all have their own versions of federal data protection in place. In the US we have always relied on state-level and local laws as opposed to the government putting something together for the entire nation. It’s significant that Congress is finally acting and is putting a law in motion that will protect US citizens and our information and precious data. It’s a little late as we have been privy to multitudes of data and information being stolen, but as the saying goes, better late than never.





Before you spend all that money on cameras and software, shouldn’t you run this idea by your Chief Downside Officer?

https://www.theguardian.com/technology/2022/jul/25/bunnings-and-kmart-halt-use-of-facial-recognition-in-stores-as-australian-privacy-watchdog-investigates

Bunnings and Kmart halt use of facial recognition technology in stores as privacy watchdog investigates

Kmart and Bunnings have paused the use of facial recognition technology in their stores, amid an investigation from Australia’s privacy regulator.

Consumer group Choice last month revealed Bunnings and Kmart were using the technology – which captures images of people’s faces from video cameras as a unique faceprint that is then stored and can be compared with other faceprints – in what the companies say is a move to protect customers and staff and reduce theft in select stores.

The two companies are now being investigated by the Office of the Australian Information Commissioner (OAIC) over their use of the technology and whether it is consistent with privacy laws.

… Schneider accused Choice of “mischaracterising” the issue, stating that the technology was used only to detect when a person who has been banned from Bunnings stores enters a store.

… Schneider said regular customers did not have their images retained in the system. The technology, however, needs to scan the face of every customer entering the store to check against the database of banned customers.

The technology was already temporarily switched off in Bunnings stores as the company moves to a new system. [First system didn’t work? Bob]

… Kmart believes the use of the technology for “preventing criminal activity such as refund fraud” is appropriate and subject to strict controls, the spokesperson said.





Tools & Techniques. Surveillance starts in the family.

https://www.makeuseof.com/best-apps-tracking-your-new-teen-driver/

The 5 Best Apps for Tracking Your New Teen Driver



Sunday, July 24, 2022

It sounds morally correct. There are a few obvious concerns.

https://www.databreaches.net/florida-follows-north-carolina-in-prohibiting-state-agencies-from-paying-ransoms/

Florida Follows North Carolina in Prohibiting State Agencies from Paying Ransoms

Elise Elam and Benjamin Wanger of BakerHostetler write:

We recently wrote about North Carolina’s new law prohibiting state agencies – including public schools and universities – from paying a ransom or even communicating with a threat actor following a ransomware incident. On June 24, Florida followed suit when its governor signed HB 7055 into law, amending portions of the State Cybersecurity Act (the Act), which became effective on July 1.
Among other things, the Act now requires that if a Florida state agency, county or municipality experiences a ransomware incident, it must provide notice to Florida’s Cybersecurity Operations Center [1] and the Cybercrime Office of the Department of Law Enforcement [2] (and in the case of a local government, to the sheriff with jurisdiction over that local government) within 12 hours of discovery.

Read more at Data Counsel.





Now Meta will be opening an even larger can of worms.

https://link.springer.com/book/10.1007/978-3-031-06596-5?noAccess=true

Facebook and the (EU) Law

Focuses entirely on Facebook’s ambiguous relationship with the law

Provides a complete reference to all legal issues arising from the emergence of Facebook

Presents a new approach of EU Internet law with emphasis on specific cases and problematics





Perspective.

https://link.springer.com/article/10.1007/s43681-022-00196-y

Ethically contentious aspects of artificial intelligence surveillance: a social science perspective

Artificial intelligence and its societal and ethical implications are complicated and conflictingly interpreted. Surveillance is one of the most ethically challenging concepts in AI. Within the domain of artificial intelligence, this study conducts a topic modeling analysis of scientific research on the concept of surveillance. Seven significant scholarly topics that receive significant attention from the scientific community were discovered throughout our research. These topics demonstrate how ambiguous the lines between dichotomous forms of surveillance are: public health surveillance versus state surveillance; transportation surveillance versus national security surveillance; peace surveillance versus military surveillance; disease surveillance versus surveillance capitalism; urban surveillance versus citizen ubiquitous surveillance; computational surveillance versus fakeness surveillance; and data surveillance versus invasive surveillance. This study adds to the body of knowledge on AI ethics by focusing on controversial aspects of AI surveillance. In practice, it will serve as a guideline for policymakers and technology companies to focus more on the intended and unintended consequences of various forms of AI surveillance in society.





Could be worth reading.

https://insidebigdata.com/white-paper/the-future-of-unstructured-data-processing/

The Future of Unstructured Data Processing

In this 2022 industry report sponsored by Veritone, we take a look at the future of unstructured data processing (UDP). With the emergence of AI-enabled UDP technology, organizations of all types and sizes can now transform this “dark” data into powerful strategic assets.

Using a wide variety of machine learning techniques such as Natural Language Processing (NLP), video analytics, computer vision, speech and voice recognition technology, UDP solutions acquire, analyze, and act on unstructured data much like a human would. This not only allows organizations to automate content ingestion, but also access a treasure trove of decision intelligence.