Monday, March 19, 2018

The opposite of Artificial Intelligence is Normal Stupidity, but why design it into a device? Something for my Software Architecture class.
People are accidentally setting off Apple’s Emergency SOS alert
If you sleep on your Apple Watch the wrong way, you might get a wake-up call from the police. That’s what happened to Jason Rowley, who tweeted about the incident earlier this week. Using his watch as a sleep tracker, he ended up holding down the crown button to trigger an emergency call to the police, who showed up in his bedroom at 1AM. Rowley told us the police were friendly and helpful, and accustomed to WatchOS misdials like this one.
If you scan through Twitter, you’ll find a surprising number of stories like Rowley’s. It’s a problem for iPhones too, since the same alert can be triggered through the side button. (One Verge staffer triggered an alert after mistaking the power button for the volume controls.) In each case, you’ll get a blaring countdown and have three to five seconds to turn it off before your device calls 911 and texts any emergency contacts you’ve set up.
… The exact sequence of buttons varies from device to device. A Watch will slip into an alert just from holding down the crown button long enough, which seems to be a particular danger if you wear it to sleep. If you’re running the latest iOS on an iPhone 7 or older, you trigger an SOS by tapping the side button five times (apparently a common practice for fidgeters), and more recent iPhones will start the countdown just from holding the button.
Of course, you can fix some of this by turning off Autocall in Settings > Emergency SOS, which will add an extra slider step. But it’s easy to see why you might not want to. Maybe a few accidental 911 calls isn’t so bad compared to the risk of an actual emergency?

It may be out there, so we have to search?
Sidney Fussell reports:
Google was served at least four sweeping search warrants by Raleigh, North Carolina police last year, requesting anonymized location data on all users within areas surrounding crime scenes. In one case, Raleigh police requested information on all Google accounts within 17 acres [??? Bob] of a murder, overlapping residences, and businesses. Google did not confirm or deny whether it handed over the requested data to police.
WRAL reporter Tyler Dukes found four investigations in 2017 where police issued these uniquely extensive warrants: two murder cases, one sexual battery case, and an arson case that destroyed two apartment complexes and displaced 41 people.
Read more on Gizmodo.
[From Gizmodo:
Instead of finding a suspect, and then searching that person’s data, police are searching enormous amounts of data to pinpoint a potential suspect.
… Police in each case were requesting account identifiers, an anonymized string of numbers unique to each device, and time-stamped location coordinates for every device. Police wanted to review this information, narrow down their list, [How? Bob] and then request user names, birth dates, and other identifying information regarding the phones’ owners. This information doesn’t reveal actual text messages or phone call logs. For that information, police would have to go through a separate warrant process.
Disturbingly, if Google has handed over data, it could be under court order not to notify individual users.

I don’t own a phone. Probably makes me a suspect.
Eva Fedderly reports:
A divided 11th Circuit on Thursday upheld the conviction of a Florida man stemming from a warrantless search of his cellphone, holding that such searches do not violate the Fourth Amendment.
The appellant in the case, Hernando Javier Vergara, was returning home to Tampa, Florida following a cruise to Cozumel, Mexico, when he was subjected to a search of luggage by a Customs and Border Protection officer.
Read more on Courthouse News.

Could this happen here?
Reuters reports:
China said it will begin applying its so-called social credit system to flights and trains and stop people who have committed misdeeds from taking such transport for up to a year.
Read more on Reuters.
And now do you wonder whether too many people are too quick to say they have nothing to hide?

For my Computer Security class.
Preventing Business Email Compromise Requires a Human Touch
Human-powered Intelligence Plays a Critical Role in Defending Against Socially Engineered Attacks
The FBI’s Internet Crime Complaint Center (IC3) declared Business Email Compromise (BEC) the “3.1 billion dollar scam” in 2016, an amount which then grew in the span of one year into a “5 billion dollar scam.” Trend Micro now projects those losses in excess of 9 billion dollars.
It’s an understatement to say BEC scams and the resulting damages are on the rise. But with cybersecurity spending across all sectors at an all-time high, how is such an unsophisticated threat still costing otherwise well-secured organizations billions of dollars?
Unlike the numerous types of attacks that incorporate malware, most BEC scams rely solely on social engineering. In fact, its use of trickery, deception, and psychological manipulation rather than malware is largely why BEC continually inflicts such substantial damages. Since most network defense solutions are designed to detect emails containing malware and malicious links, BEC emails often land directly in users’ inboxes. And when this happens, the fate of an attempted BEC scam is in the hands of its recipient.
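Because a BEC lure carries no malware, the signal has to come from the headers and the wording rather than from a payload scan. The following is an added example (not code from the article or from Trend Micro or IC3) of the kind of header checks a mail gateway or SOC script can run before the message reaches an inbox; the executive directory, the internal domain list, and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of people a BEC lure would impersonate, and the domains we own.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}
URGENCY_WORDS = ("urgent", "wire", "immediately", "confidential")


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 between domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_headers(raw_message):
    """Return the list of BEC indicators found in the headers (empty list = nothing seen)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # 1. Display name of a known executive on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display_name_impersonation")
    # 2. Sender domain one edit away from a domain we own (examp1e.com vs example.com).
    if from_dom not in INTERNAL_DOMAINS and any(
        edit_distance(from_dom, d) <= 1 for d in INTERNAL_DOMAINS
    ):
        findings.append("lookalike_domain")
    # 3. Replies silently diverted to a domain other than the visible sender's.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply_to_mismatch")
    # 4. Pressure language typical of payment-diversion lures.
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        findings.append("urgency_language")
    return findings


# Constructed sample lure: spoofed display name, lookalike domain, diverted replies.
SAMPLE_LURE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <jd.office@mail.example.net>
To: accounts@example.com
Subject: Urgent wire transfer before close of business

Are you at your desk? I need a payment sent today; details to follow.
"""

# Constructed sample of ordinary internal mail for contrast.
SAMPLE_NORMAL = """\
From: "Bob Smith" <bob.smith@example.com>
To: accounts@example.com
Subject: March invoice batch

Attached is the monthly batch for review.
"""

if __name__ == "__main__":
    print("lure:", assess_headers(SAMPLE_LURE))
    print("normal:", assess_headers(SAMPLE_NORMAL))
```

None of these four checks proves fraud on its own; the practical use is to route messages that trip two or more of them to a human reviewer or to tag them visibly for the recipient, which is the "human touch" the article's title refers to.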

If it can be done, should my Ethical hackers give it a try? The article gives some tips on how it works…
GrayKey iPhone unlocker poses serious security concerns
… In late 2017, word of a new iPhone unlocker device started to circulate: a device called GrayKey, made by a company named Grayshift. Based in Atlanta, Georgia, Grayshift was founded in 2016, and is a privately-held company with fewer than 50 employees. Little was known publicly about this device—or even whether it was a device or a service—until recently, as the GrayKey website is protected by a portal that screens for law enforcement affiliation.
According to Forbes, the GrayKey iPhone unlocker device is marketed for in-house use at law enforcement offices or labs. This is drastically different from Cellebrite’s overall business model, in that it puts complete control of the process in the hands of law enforcement.
Thanks to an anonymous source, we now know what this mysterious device looks like, and how it works. And while the technology is a good thing for law enforcement, it presents some significant security risks.

Social Media as a targeting tool.
US spy lab hopes to geotag every outdoor photo on social media
Imagine if someone could scan every image on Facebook, Twitter, and Instagram, then instantly determine where each was taken. The ability to combine this location data with information about who appears in those photos—and any social media contacts tied to them—would make it possible for government agencies to quickly track terrorist groups posting propaganda photos. (And, really, just about anyone else.)
That's precisely the goal of Finder, a research program of the Intelligence Advanced Research Projects Agency (IARPA), the Office of the Director of National Intelligence's dedicated research organization.
For many photos taken with smartphones (and with some consumer cameras), geolocation information is saved with the image by default. The location is stored in the Exif (Exchangeable Image File Format) data of the photo itself unless geolocation services are turned off. If you have used Apple's iCloud photo store or Google Photos, you've probably created a rich map of your pattern of life through geotagged metadata. However, this location data is pruned off for privacy reasons when images are uploaded to some social media services, and privacy-conscious photographers (particularly those concerned about potential drone strikes) will purposely disable geotagging on their devices and social media accounts.
… The Finder program seeks to fill in the gaps in photo and video geolocation by developing technologies that build on analysts' own geolocation skills, taking in images from diverse, publicly available sources to identify elements of terrain or the visible skyline. In addition to photos, the system will pull its imagery from sources such as commercial satellite and orthogonal imagery. The goal of the program's contractors—Applied Research Associates, BAE Systems, Leidos (the company formerly known as Science Applications Incorporated), and Object Video—is a system that can identify the location of photos or video "in any outdoor terrestrial location."
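To make concrete where the geotag the article talks about actually lives, here is an added example (not code from the article, IARPA, or any Finder contractor) that walks a JPEG's marker segments, reads latitude and longitude from the Exif GPS sub-IFD, and writes a copy with the Exif segment removed, which is the "pruning" some services perform on upload. The JPEG it operates on is constructed in the block itself with a single GPS-bearing Exif segment and no image data, so it runs offline; the coordinates in it are made up.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825  # IFD0 tag that holds the offset of the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment after SOI. SOS (0xDA) and
    EOI (0xD9) swallow the rest of the file: entropy-coded data has no length field."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):
            yield marker, pos, len(data)
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(marker, data, start):
    return marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER


def _read_ifd(tiff, bo, offset):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at offset."""
    (n,) = struct.unpack(bo + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _rationals(tiff, bo, entry):
    """Decode a RATIONAL entry: `count` uint32 numerator/denominator pairs at an offset."""
    _typ, count, raw = entry
    (off,) = struct.unpack(bo + "I", raw)
    vals = struct.unpack(bo + "%dI" % (2 * count), tiff[off:off + 8 * count])
    return [vals[i] / vals[i + 1] for i in range(0, 2 * count, 2)]


def _dms_to_decimal(dms, ref):
    deg, minutes, seconds = dms
    dec = deg + minutes / 60 + seconds / 3600
    return -dec if ref in ("S", "W") else dec


def read_gps(data):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, start, end in iter_segments(data):
        if not _is_exif(marker, data, start):
            continue
        tiff = data[start + 10:end]
        bo = {b"II": "<", b"MM": ">"}[tiff[:2]]  # byte order of the TIFF structure
        (ifd0_off,) = struct.unpack(bo + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, bo, ifd0_off)
        if GPS_IFD_POINTER not in ifd0:
            return None
        (gps_off,) = struct.unpack(bo + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _read_ifd(tiff, bo, gps_off)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat = _dms_to_decimal(_rationals(tiff, bo, gps[GPS_LAT]), gps[GPS_LAT_REF][2][:1].decode())
        lon = _dms_to_decimal(_rationals(tiff, bo, gps[GPS_LON]), gps[GPS_LON_REF][2][:1].decode())
        return lat, lon
    return None


def strip_exif(data):
    """Copy the JPEG without its Exif APP1 segment; every other segment is kept verbatim."""
    out = bytearray(data[:2])
    for marker, start, end in iter_segments(data):
        if not _is_exif(marker, data, start):
            out += data[start:end]
    return bytes(out)


def build_sample_jpeg():
    """Constructed sample: SOI, Exif APP1 (little-endian TIFF with a GPS sub-IFD), COM, EOI."""
    tiff = b"II" + struct.pack("<HI", 42, 8)                 # TIFF header, IFD0 at offset 8
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)                               # GPS IFD at offset 26
    tiff += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + b"N\x00\x00\x00"
    tiff += struct.pack("<HHII", GPS_LAT, 5, 3, 80)
    tiff += struct.pack("<HHI", GPS_LON_REF, 2, 2) + b"W\x00\x00\x00"
    tiff += struct.pack("<HHII", GPS_LON, 5, 3, 104) + struct.pack("<I", 0)
    tiff += struct.pack("<6I", 40, 1, 26, 1, 4600, 100)        # 40 deg 26' 46.00" N (made up)
    tiff += struct.pack("<6I", 79, 1, 58, 1, 5600, 100)        # 79 deg 58' 56.00" W (made up)
    app1_payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    com = b"\xff\xfe" + struct.pack(">H", 20) + b"constructed sample"
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


if __name__ == "__main__":
    jpg = build_sample_jpeg()
    print("before:", read_gps(jpg))
    print("after: ", read_gps(strip_exif(jpg)))
```

The stripper drops the whole Exif segment rather than editing the GPS entries in place, because offsets inside a TIFF structure are absolute and rewriting one IFD means recomputing all of them; dropping the segment is also what removes the other identifying fields (device model, serial number, timestamps) that share it.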

What Do Saudi Arabia, Iraq, UAE, Egypt, Kazakhstan, Turkmenistan, Nigeria, Burma And Bangladesh Have In Common?
They’ve all bought military UAVs from China. I didn’t realize China had advanced so far in military exports.

Looks like a dogpile on Facebook.
Facebook may have violated FTC privacy deal, say former federal officials, triggering risk of massive fines

Probably all social media will have to have a generalized version of this soon. Easy to see how that capability could be misused.
France’s new cyberhate law will require Facebook and Twitter to remove racist content within 24 hours
As part of an ongoing effort to fight rising racism and anti-Semitism, the French government announced today that it will introduce new legislation requiring digital platforms to more swiftly remove offensive content.
In announcing details of the proposed law after months of review, French prime minister Edouard Philippe said France will move to adopt the cyberhate law immediately while also pressing the European Union to adopt a version of the same measures for all members. While only some of the details were revealed, the French proposal mirrors a German law that went into effect this year and threatens fines of up to €50 million ($62 million) if a social network does not take down content identified as hate speech within 24 hours.

Voice Chat App Zello Turned a Blind Eye to Jihadis for Years
Despite warnings and flagged accounts, Zello left accounts with ISIS flag avatars and jihadist descriptions live on its service.

One Way Facebook Can Stop the Next Cambridge Analytica
In a 2013 paper, psychologist Michal Kosinski and collaborators from University of Cambridge in the United Kingdom warned that “the predictability of individual attributes from digital records of behavior may have considerable negative implications,” posing a threat to “well-being, freedom, or even life.” This warning followed their striking findings about how accurately the personal attributes of a person (from political leanings to intelligence to sexual orientation) could be inferred from nothing but their Facebook likes. Kosinski and his colleagues had access to this information through the voluntary participation of the Facebook users by offering them the results of a personality quiz, a method that can drive viral engagement. Of course, one person’s warning may be another’s inspiration.
Kosinski’s original research really was an important scientific finding. The paper has been cited more than 1,000 times and the dataset has spawned many other studies. But the potential uses for it go far beyond academic research. In the past few days, the Guardian and the New York Times have published a number of new stories about Cambridge Analytica, the data mining and analytics firm best known for aiding President Trump’s campaign and the pro-Brexit campaign. This trove of reporting shows how Cambridge Analytica allegedly relied on the psychologist Aleksandr Kogan (who also goes by Aleksandr Spectre), a colleague of the original researchers at Cambridge, to gain access to profiles of around 50 million Facebook users.

Suppose Amazon wants to buy in…
Google plans to boost Amazon competitors in search
Google may be assembling a supergroup of big retail brands to go to war with Amazon over the future of online shopping. Reuters is reporting that the search engine is teaming up with Target, Walmart, Home Depot, Costco and Ulta for the new project. These companies, and any other willing participants, can index their catalogs on Google, which will show up when someone starts searching for stuff to buy. Naturally, rather than receiving an ad fee, Google simply gets a cut of the sales that are subsequently generated.
The report claims that Google is selling its new anti-Amazon tools on the basis that it is utterly dominant in the search world.

Paper – Law, Metaphor, and the Encrypted Machine
Gill, Lex, Law, Metaphor, and the Encrypted Machine (March 12, 2018). Osgoode Legal Studies Research Paper No. 72, Volume 13, Issue 16, 2018. Available at SSRN:
“The metaphors we use to imagine, describe and regulate new technologies have profound legal implications. This paper offers a critical examination of the metaphors we choose to describe encryption technology in particular, and aims to uncover some of the normative and legal implications of those choices. Part I provides a basic description of encryption as a mathematical and technical process. At the heart of this paper is a question about what encryption is to the law. It is therefore fundamental that readers have a shared understanding of the basic scientific concepts at stake. This technical description will then serve to illustrate the host of legal and political problems arising from encryption technology, the most important of which are addressed in Part II. That section also provides a brief history of various legislative and judicial responses to the encryption “problem,” mapping out some of the major challenges still faced by jurists, policymakers and activists. While this paper draws largely upon common law sources from the United States and Canada, metaphor provides a core form of cognitive scaffolding across legal traditions. Part III explores the relationship between metaphor and the law, demonstrating the ways in which it may shape, distort or transform the structure of legal reasoning. Part IV demonstrates that the function served by legal metaphor is particularly determinative wherever the law seeks to integrate novel technologies into old legal frameworks. Strong, ubiquitous commercial encryption has created a range of legal problems for which the appropriate metaphors remain unfixed. Part V establishes a loose framework for thinking about how encryption has been described by courts and lawmakers — and how it could be. What does it mean to describe the encrypted machine as a locked container or building? As a combination safe? As a form of speech? As an untranslatable library or an unsolvable puzzle? 
What is captured by each of these cognitive models, and what is lost? This section explores both the technological accuracy and the legal implications of each choice. Finally, the paper offers a few concluding thoughts about the utility and risk of metaphor in the law, reaffirming the need for a critical, transparent and lucid appreciation of language and the power it wields.”

For the toolkit.
Twitter for Business: Everything You Need to Know

Another tool for the toolkit. Knowing it can be done is half the battle.
Easy Screen OCR is a solid program for grabbing the text from any image on your PC. Head to its homepage and download it, opting for the portable version if you like.

Just in time for my Software Architecture class!
Ongoing series of nonverbal algorithm assembly instructions based on IKEA methodology
“IDEA is a series of nonverbal algorithm assembly instructions by Sándor P. Fekete, Sebastian Morr, and Sebastian Stiller. They were originally created for Sándor’s algorithms and data structures lecture at TU Braunschweig, but we hope they will be useful in all sorts of contexts. We publish them here so that they can be used by teachers, students, and curious people alike. Visit the about page to learn more.”

Something to mention to my students. (Yes, that includes textbooks!)
Preaching to the choir – Why Reading Books Should be Your Priority, According to Science
Inc., Christina DesMarais: “More than a quarter–26 percent–of American adults admit to not having read even part of a book within the last year. That’s according to statistics coming out of the Pew Research Center. If you’re part of this group, know that science supports the idea that reading is good for you on several levels.
  • Reading fiction can help you be more open-minded and creative.
  • People who read books live longer. [Good to know!!]
  • Reading 50 books a year is something you can actually accomplish.
  • Successful people are readers….”

Dilbert on the future technology of crime fighting?

Sunday, March 18, 2018

I wonder. Is this “Oh look, we’re victims too!” or is this a few countries letting Russia know they could tamper with their elections, if Russia actually had elections?
Russia claims foreign hackers are trying to interfere with its election
Russia, a country which has been accused numerous times of attempting to interfere with elections overseas, has claimed that its own presidential contest is under attack from foreign hackers.
Officials in Moscow said that the Russian Central Election Commission's website was hit by a coordinated attack by IP addresses from 15 different countries on election day.
It said that a distributed denial of service (DDoS) attack, which bombards a website with data requests in an attempt to overwhelm it, hit between 2 a.m. and 5 a.m. on polling day.

Maybe all that ‘fake news’ didn’t come from Russia…
Facebook and its executives are getting destroyed after botching the handling of a massive data 'breach'
Facebook and its executives faced a torrent of backlash on Saturday following news reports that the data firm Cambridge Analytica, which worked on the Trump campaign in 2016, improperly harvested private information from 50 million Facebook users.
The company quickly faced calls for increased regulation and oversight, and Massachusetts' Attorney General, Maura Healey, even announced an investigation.
… Sen. Amy Klobuchar of Minnesota also excoriated the company, demanding that Facebook CEO Mark Zuckerberg face the Senate Judiciary Committee for questioning.
… But much of the online outrage came after multiple Facebook executives took to Twitter to respond to the news reports, insisting the incident was not a "data breach."
… In a series of tweets that have since been deleted, Facebook's chief security officer, Alex Stamos, insisted that although users' personal information may have been misused, it wasn't retroactively a "breach."

Cambridge Analytica and Facebook accused of misleading MPs over data breach
The head of the parliamentary committee investigating fake news has accused Cambridge Analytica and Facebook of misleading MPs in testimony, after the Observer revealed details of a vast data breach affecting tens of millions of people.
After a whistleblower detailed the harvesting of more than 50 million Facebook profiles for Cambridge Analytica, Damian Collins, the chair of the House of Commons culture, media and sport select committee, said he would be calling on the Facebook boss, Mark Zuckerberg, to testify before the committee.
He said the company appeared to have previously sent executives able to avoid difficult questions who had “claimed not to know the answers”.
Collins also said he would be recalling the Cambridge Analytica CEO, Alexander Nix, to give further testimony.

Here’s how Facebook allowed Cambridge Analytica to get data for 50 million users
Facebook says it isn’t at fault.

I’ll skip the long list. I’m sure they each feel justified, if not just.
Compiled by the Daily Record, where you can read more, the following is what they report as the full list of organizations and agencies that can ask ISPs for any UK citizen's browsing history for the prior 12 months:

More fuel for the ongoing AI debate my students are having.
When an AI finally kills someone, who will be responsible?
Here’s a curious question: Imagine it is the year 2023 and self-driving cars are finally navigating our city streets. For the first time one of them has hit and killed a pedestrian, with huge media coverage. A high-profile lawsuit is likely, but what laws should apply?
… At the heart of this debate is whether an AI system could be held criminally liable for its actions. Kingston says that Gabriel Hallevy at Ono Academic College in Israel has explored this issue in detail.
Criminal liability usually requires an action and a mental intent (in legalese an actus reus and mens rea). Kingston says Hallevy explores three scenarios that could apply to AI systems.
The first, known as perpetrator via another, applies when an offense has been committed by a mentally deficient person or animal, who is therefore deemed to be innocent. But anybody who has instructed the mentally deficient person or animal can be held criminally liable. For example, a dog owner who instructed the animal to attack another individual.
… The second scenario, known as natural probable consequence, occurs when the ordinary actions of an AI system might be used inappropriately to perform a criminal act. Kingston gives the example of an artificially intelligent robot in a Japanese motorcycle factory that killed a human worker. “The robot erroneously identified the employee as a threat to its mission, and calculated that the most efficient way to eliminate this threat was by pushing him into an adjacent operating machine,” says Kingston. “Using its very powerful hydraulic arm, the robot smashed the surprised worker into the machine, killing him instantly, and then resumed its duties.”
The key question here is whether the programmer of the machine knew that this outcome was a probable consequence of its use.
The third scenario is direct liability, and this requires both an action and an intent. An action is straightforward to prove if the AI system takes an action that results in a criminal act or fails to take an action when there is a duty to act.
The intent is much harder to determine but is still relevant, says Kingston. “Speeding is a strict liability offense,” he says. “So according to Hallevy, if a self-driving car was found to be breaking the speed limit for the road it is on, the law may well assign criminal liability to the AI program that was driving the car at that time.”

Who said our legal system always makes sense?
A $1.6 billion Spotify lawsuit is based on a law made for player pianos
Spotify is finally gearing up to go public, and the company’s February 28th filing with the SEC offers a detailed look at its finances. More than a decade after Spotify’s launch in 2006, the world’s leading music streaming service is still struggling to turn a profit, reporting a net loss of nearly $1.5 billion last year. Meanwhile, the company has some weird lawsuits hanging over its head, the most eye-popping being the $1.6 billion lawsuit filed by Wixen Publishing, a music publishing company that includes the likes of Tom Petty, The Doors, and Rage Against the Machine.
… Spotify is being sued by Wixen because of mechanical licenses — a legal regime that was created in reaction to the dire threat to the music industry posed by player pianos. Yes, the automated pianos with the rolls of paper with punch holes in them.
But that’s not actually the weird part. The weird part is that Spotify is fundamentally being sued for literal paperwork: Wixen says Spotify is legally required to notify songwriters in writing that they’re in the Spotify catalog — a fact that escapes probably zero songwriters today. A paper notice requirement made sense in the age of player pianos when songwriters could hardly be expected to keep track of every player piano roll in the country. It makes no sense in the age of Spotify, Pandora, and Apple Music.

Dilbert again is not talking about the White House. Honest!

Saturday, March 17, 2018

This sounds juvenile but I’m surprised North Korea isn’t trying to rig a lottery somewhere.
Sean Poulter reports:
The National Lottery is advising all 10.5million people with online accounts to change their passwords following a security breach ahead of tonight’s £14 million Euromillions draw.
The move follows an attempt by hackers to access accounts using a technique known as ‘credential stuffing’.
Read more on Daily Mail.
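Credential stuffing replays username/password pairs leaked from other sites, so from the lottery's side it looks like one source trying many different accounts, each once, and mostly failing. What follows is an added example (not code from the Daily Mail article or from the National Lottery) of the detection a login service can run over its own authentication log; the log format and the three traffic patterns in it are constructed for illustration, with IPs from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, source IP, attempted username, outcome.
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_log(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not match the expected format are skipped
        events.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                       "user": m["user"], "result": m["result"]})
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=20,
                    min_distinct_users=15, min_failure_ratio=0.8):
    """Flag source IPs that, inside `window`, try many *different* accounts and mostly fail.
    The distinct-user requirement separates credential stuffing (one guess per account,
    across many accounts) from brute force (many guesses against one account)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):            # sliding time window over this IP's attempts
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            distinct = {e["user"] for e in win}
            failures = sum(e["result"] == "fail" for e in win)
            if len(distinct) >= min_distinct_users and failures / len(win) >= min_failure_ratio:
                # Every success from a flagged source is a probable account takeover:
                # those are the accounts to lock and force a password reset on.
                flagged[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({e["user"] for e in evs}),
                    "failures": sum(e["result"] == "fail" for e in evs),
                    "compromised": sorted({e["user"] for e in evs if e["result"] == "ok"}),
                }
                break
    return flagged


def build_sample_log():
    """Constructed sample: one stuffing source, one single-account brute force, one normal user."""
    base = datetime(2018, 3, 17, 22, 0, 0)
    lines = []
    for i in range(30):  # 30 different accounts in two minutes; two reused passwords succeed
        result = "ok" if i in (7, 19) else "fail"
        lines.append("%s ip=203.0.113.7 user=user%03d result=%s"
                     % ((base + timedelta(seconds=4 * i)).isoformat(), i, result))
    for i in range(6):   # repeated failures against a single account: not stuffing
        lines.append("%s ip=198.51.100.4 user=alice result=fail"
                     % (base + timedelta(seconds=10 * i)).isoformat())
    for i in range(3):   # ordinary successful logins
        lines.append("%s ip=192.0.2.9 user=bob result=ok"
                     % (base + timedelta(minutes=i)).isoformat())
    return lines


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(build_sample_log())).items():
        print(ip, info)
```

The thresholds are assumptions to be tuned against real traffic; a stuffing source that spreads attempts across many IPs will stay under a per-IP window, which is why production deployments also key the same statistic on user agent, ASN, or a device fingerprint.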

Is it time to start investigating the Board of Directors? Do they know what their responsibilities are?
Report: Wells Fargo investigation broadens to wealth division
… The Justice Department is now investigating whether Wells Fargo made inappropriate recommendations or referrals, or failed to inform customers about potential conflicts of interest, the Journal reported, citing unnamed people familiar with the matter.

No doubt it was just the AI having a joke.
Facebook apologises for search suggestions of child abuse videos
… The social network’s search suggestions, which are supposed to automatically offer the most popular search terms to users, apparently broke around 4am in the UK, and started to suggest unpleasant results for those who typed in “video of”.
Multiple users posted examples on Twitter, with the site proposing searches including “video of girl sucking dick under water”, “videos of sexuals” and “video of little girl giving oral”. Others reported similar results in other languages.
Even after the offensive search terms stopped being displayed, users still reported odd algorithmic suggestions, seemingly far from what Facebook would normally offer, such as “zodwa wabantu videos and pics” (a South African celebrity) and “cristiano ronaldo hala madrid king video call”.

Have they forgotten that monopoly thing they faced a few years ago?
Microsoft wants to force Windows 10 Mail users to use Edge for email links
Microsoft is testing a new change to its future version of Windows 10 which will probably annoy anyone using the operating system. The software giant revealed today that “we will begin testing a change where links clicked on within the Windows Mail app will open in Microsoft Edge.” The change means if you have Chrome or Firefox set as your default browser in Windows 10, Microsoft will simply ignore that and force you into Edge when you click a link within the Mail app.

Worth a listen?
Why Regulation Is a Tricky Business in the Sharing Economy
New research from Sarah Light, Wharton professor of legal studies and business ethics, examines what role the federal government should play in regulating these organizations. Her paper is titled, “The Role of the Federal Government in Regulating the Sharing Economy,” and it will appear in the forthcoming book, Cambridge Handbook on the Law of the Sharing Economy. Light recently joined Knowledge@Wharton to discuss what she’s uncovered.
An edited transcript of the conversation follows.

Friday, March 16, 2018

So is this the Cyberwar equivalent of moving troops to the border or something more sinister?
Cyberattacks Put Russian Fingers on the Switch at Power Plants, U.S. Says
The Trump administration accused Russia on Thursday of engineering a series of cyberattacks that targeted American and European nuclear power plants and water and electric systems, and could have sabotaged or shut power plants off at will.
United States officials and private security firms saw the attacks as a signal by Moscow that it could disrupt the West’s critical facilities in the event of a conflict.
… according to a Department of Homeland Security report issued on Thursday, Russian hackers made their way to machines with access to critical control systems at power plants that were not identified. The hackers never went so far as to sabotage or shut down the computer systems that guide the operations of the plants.
Still, new computer screenshots released by the Department of Homeland Security on Thursday made clear that Russian state hackers had the foothold they would have needed to manipulate or shut down power plants.

(Related) Why not name names? Because they don’t know who did it?
Hackers Tried to Cause Saudi Petrochemical Plant Blast: NYT
Cyber-attackers tried to trigger a deadly explosion at a petrochemical plant in Saudi Arabia in August and failed only because of a code glitch, The New York Times reported.
Investigators declined to identify the suspected attackers, but people interviewed by the newspaper unanimously said that it most likely aimed to cause a blast that would have guaranteed casualties. A bug in the attackers' code accidentally shut down the system instead, according to the report.
The cyber-attack -- which could signal plans for other attacks around the world – was likely the work of hackers supported by a government, according to multiple insiders interviewed by the newspaper.
All sources declined to name the company operating the plant as well as the countries suspected to have backed the hackers, The New York Times said.

Did everyone involved understand that this was a Beta test or was there an assumption that this was foolproof?
New Orleans ends its Palantir predictive policing program
Two weeks ago, The Verge reported the existence of a six-year predictive policing collaboration between the New Orleans Police Department and Palantir Technologies, a data mining giant co-founded by Peter Thiel. The nature of the partnership, which used Palantir’s network-analysis software to identify potential aggressors and victims of violence, was unknown to the public and key members of the city council prior to publication of The Verge’s findings.
Yesterday, outgoing New Orleans Mayor Mitch Landrieu’s press office told the Times-Picayune that his office would not renew its pro bono contract with Palantir, which has been extended three times since 2012. The remarks were the first from Landrieu’s office concerning Palantir’s work with the NOPD. The mayor did not respond to repeated requests for comment from The Verge for the February 28th article, done in partnership with Investigative Fund, or from local media since news of the partnership broke.
There is also potential legal fallout from the revelation of New Orleans’ partnership with Palantir. Several defense attorneys interviewed by The Verge, including lawyers who represented people accused of membership in gangs that, according to documents and interviews, were identified at least in part through the use of Palantir software, said they had never heard of the partnership nor seen any discovery evidence referencing Palantir’s use by the NOPD.

(Related) If it was good policing, they would be bragging about it.
C.J. Ciaramella reports:
In 2004, Ascension Alverez-Tejeda and his girlfriend were stopped at a traffic light in Oregon when their car was rear-ended by a drunk driver. The police arrived and arrested the drunk, but while Alverez-Tejeda was outside dealing with the situation, a thief jumped in his car and tore off down the road.
Police recovered the car and, after obtaining a search warrant from a judge, found in it cocaine and methamphetamine that Alverez-Tejeda was trafficking from California to Washington.
It looked like a case of very bad luck for Alverez-Tejeda. The truth didn’t come out until the trial: The whole thing had been staged. The only ones who weren’t in on the plot were Alverez-Tejeda, his girlfriend, and the judge who signed the warrant.
Read more on Reason.
[From the article:
The cops then constructed an elaborate ruse to gain probable cause to search his car.

Is a ‘feature,’ but not without risk.
You can store the following information in your Medical ID, which is viewable by anyone who knows how to access it:
  • Your name, Apple ID picture, and date of birth.
  • Known medical conditions (for example, asthma).
  • Relevant medical notes relating to conditions (for example, any metal pins from past surgery).
  • Known allergies and reactions.
  • Any medication you are currently taking.
  • Your blood type and organ donor status.
  • Your weight and height.
  • An emergency contact of your choosing.
Keep in mind that there’s no way of limiting this information to strictly emergency personnel. Anyone with physical access to your iPhone can find your Medical ID if they’re looking for it. This does raise some potential privacy concerns, but it’s a trade you’ll have to make if you want to use the feature.

For my Ethical hacking students’ toolkit.

Why the answers are obvious! Wrong, but obvious!
Orin Kerr writes:
I recently posted a draft of a new article, Cross-Enforcement of the Fourth Amendment, forthcoming in the Harvard Law Review. Here’s the opening:
Imagine you are a state police officer in a state that has decriminalized marijuana possession. You pull over a car for speeding, and you smell marijuana coming from inside the car. Marijuana possession is legal under state law but remains a federal offense. Can you search the car for evidence of the federal crime even though you are a state officer?
Next imagine you are a federal immigration agent driving on a state highway. You spot a van that you have a hunch contains undocumented immigrants. You lack sufficient cause to stop the van to investigate an immigration offense, but you notice that the van is speeding in violation of state traffic law. Can you pull over the van for speeding even though you are a federal agent?
Read more on The Volokh Conspiracy.

An end to confusion? If your accountants understand it, the Board of Directors can relax, maybe.
PricewaterhouseCoopers LLP plans to unveil a new offering to audit companies’ use of the blockchain—making sure companies are implementing and using it properly, and allowing people within a company to continuously monitor its blockchain transactions.

Perspective. This is why we are so easily slotted into categories.
Americans Are Partisan About Everything — Even Sex Scandals
Poll of the week
Views about President Trump’s relationship (or lack thereof) with adult film actress Stormy Daniels are split along partisan lines, according to a Huffington Post/YouGov survey released this week. Seventy percent of Democrats found credible Daniels’ account of an extramarital affair with Trump in 2006, while just 11 percent of Republicans said the same. And if Trump did have an affair with Daniels, 82 percent of Democrats said it would have been immoral, compared with 54 percent of Republicans.
Perhaps because Daniels is in the news, along with other alleged affairs by Trump, just 26 percent of Democrats (vs. 67 percent of Republicans) agreed that “an elected official who has committed an immoral act in their personal life can still behave ethically and fulfill their duties in their public and professional life.”

In a landmark 2016 study Johns Hopkins researchers estimated that more than 250,000 Americans die each year from treatment-related mistakes, making medical error the third-leading cause of death in the United States.
… Due to the progressive digitization of the cockpit and pilot decision support, flying by and trusting instruments is now essential for avoiding accidents. The U.S. Department of Defense’s new F-35 aircraft is so advanced that the pilot interacts continuously through a “heads-up” digital display projected on the helmet, providing total situational awareness. Pilots who aren’t adept at working with computer interfaces and don’t trust algorithms to help fly the aircraft will not just perform poorly, they’ll crash on takeoff.
… to realize the full potential of AI and other digital technologies we will need to overhaul medical education for future physicians and nurses and rethink professional development for current caregivers.

Handy notes for website builders.

Thursday, March 15, 2018

My students easily identified this as insider trading, why did the CIO think no one would notice?
Equifax CIO Put ‘2 and 2 Together’ Then Sold Stock, SEC Says
The text from the Equifax Inc. executive sounded ominous: “We may be the one breached.”
Yet before the wider world learned of the credit bureau’s massive hack – in which sensitive information for more than 140 million U.S. consumers had been compromised – the executive, Jun Ying, was selling Equifax stock, federal authorities now say.
Six months after the cyberattack shook Equifax and raised questions about suspicious trading by several executives there, the Department of Justice on Wednesday charged Ying with insider trading. Prosecutors say he searched on the internet for what might happen to Equifax stock when the news of the attack broke, then exercised all of his stock options. The move netted him more than $480,000. Ying’s lawyers, Douglas I. Koff and Craig S. Warkol of Schulte Roth & Zabel, declined to comment on Ying’s behalf.
… Ying, who was next in line to become the company’s global CIO, avoided more than $117,000 of losses by selling his shares, the SEC said.

My students are aware that new technologies are often introduced before security is considered. Not everyone has got the “design for security” word yet.
Why do the Vast Majority of Applications Still Not Undergo Security Testing?
Did you know that 84% of all cyber attacks target applications, not networks? What’s even more curious is that 80% of Internet of Things (IoT) applications aren’t even tested for security vulnerabilities.
It is 2018, and despite all the evidence around us, we haven’t fully accepted the problem at hand when it comes to software security. Because we haven’t accepted the problem, we are not making progress in addressing the associated vulnerabilities, which is why, after an active 2017, we are already seeing numerous new attacks before we leave the first quarter of the year.

Always interesting.
Microsoft Publishes Bi-annual Security Intelligence Report (SIR)
Microsoft's 23rd bi-annual Security Intelligence Report (SIR) focuses on three topics: the disruption of the Gamarue (aka Andromeda) botnet, evolving hacker methodologies, and ransomware. It draws on the data analysis of Microsoft's global estate since February 2017, including 400 billion email messages scanned, 450 billion authentications, and 18+ billion Bing webpage scans every month; together with the telemetry collected from the 1.2 billion Windows devices that opt in to sharing threat data with Microsoft.
The report has five primary recommendations to counter the threat of ransomware: backup data; employ multi-layered security defenses; upgrade to the latest software and enforce judicious patching; isolate or retire computers that cannot be patched; and manage and control privileged credentials. A new survey from Thycotic demonstrates just how poor many organizations are at managing privileged accounts.
There is no mention of a sixth potential recommendation -- if infected with ransomware, immediately visit the NoMoreRansom project website. This project aggregates known ransomware decryptors, and it is possible that victims might be able to recover encrypted files without recourse to the risky option of paying the ransom. For now, Microsoft does not appear to be a partner in this project.

Cool! I could ping your phone to get the same information. If I were a stalker, I’d be giggling! On the other hand, I don’t own a smartphone. Will I still be able to drive?
Joe Cadillic sent me an email with a subject line comment all in capital letters. That’s usually a clue that I’m about to read a very disturbing news development.
Jerry Smith reports:
Delaware could be among the first states to use mobile driver’s licenses.
Features of the mDL that will be tested include:
• Enhanced privacy for age verification: No need to show a person’s address, license number and birthdate. The mobile driver’s license will verify if the person is over 18 or 21 and display a photo.
• Law enforcement use during a traffic stop: The mobile driver’s license will allow law enforcement officers to ping a driver’s smartphone to request their driver’s license information before walking to the vehicle.
Read more on Delaware Online. I’m guessing it was that second bullet that really made Joe apoplectic.

Guidelines for anyone wishing to influence an election? Grab them fast, because they will likely get wiped too.
Facebook Quietly Hid Webpages Bragging of Ability to Influence Elections
The Intercept: “When Mark Zuckerberg was asked if Facebook had influenced the outcome of the 2016 presidential election, the founder and CEO dismissed the notion that the site even had such power as “crazy.” It was a disingenuous remark. Facebook’s website had an entire section devoted to touting the “success stories” of political campaigns that used the social network to influence electoral outcomes. That page, however, is now gone, even as the 2018 congressional primaries get underway… The case studies that Facebook used to list from political campaigns, however, included more interesting claims. Facebook’s work with Florida’s Republican Gov. Rick Scott “used link ads and video ads to boost Hispanic voter turnout in their candidate’s successful bid for a second term, resulting in a 22% increase in Hispanic support and the majority of the Cuban vote.” Facebook’s work with the Scottish National Party, a political party in the U.K., was described as “triggering a landslide.” The “success stories” drop-down menu that once included an entire section for “Government and Politics” is now gone. Pages for the individual case studies, like the Scott campaign and SNP, are still accessible through their URLs, but otherwise seem to have been delisted…”

(Related) It’s a start, but they better not screw it up!
YouTube announces plan to provide users with info cues to combat conspiracy theory videos
Wired: “After the mass shooting in Parkland, Florida, in February, the top trending video on YouTube wasn’t a news clip about the tragedy, but a conspiracy theory video suggesting survivor David Hogg was an actor. The video garnered 200,000 views before YouTube removed it from its platform. Until now, the company hasn’t said much about how it plans to handle the spread of that sort of misinformation moving forward. On Tuesday, however, YouTube CEO Susan Wojcicki detailed a potential solution. YouTube will now begin displaying links to fact-based content alongside conspiracy theory videos. Wojcicki announced the new feature, which she called “information cues,” during a talk with WIRED editor-in-chief Nicholas Thompson at the South by Southwest conference in Austin, Texas. Here’s how it will work: If you search and click on a conspiracy theory video about, say, chemtrails, YouTube will now link to a Wikipedia page that debunks the hoax alongside the video. A video calling into question whether humans have ever landed on the moon might be accompanied by the official Wikipedia page about the Apollo Moon landing in 1969. Wojcicki says the feature will only include conspiracy theories right now that have “significant debate” on the platform…”

(Related) I wonder if they checked to see if a high volume of referrals could harm Wikipedia?
YouTube didn’t tell Wikipedia about its plans for Wikipedia
YouTube doesn’t need to officially partner with Wikimedia to use information from Wikipedia, but it’s still a bemusing tactic to make such an announcement without any official word passed between the two.

This will never be anonymous. (Anonymous entity #4567 arrested for 17 counts of murder in Parkland, Florida)
Florida Could Start a Criminal-Justice Data Revolution
There’s no such thing as the US criminal justice system. There are, instead, thousands of counties across the country, each with their own systems, made up of a diffuse network of sheriffs, court clerks, prosecutors, public defenders, and jail officials who all enforce the rules around who does and doesn’t end up behind bars. It’s hard enough to ensure that key details about a case pass from one node of this convoluted web to the other within a single county; forget about at the state or national level.
That's what makes a new criminal justice reform bill now making its way to Florida governor Rick Scott’s desk especially noteworthy. On Friday, the Florida Legislature approved a bill, introduced by Republican state representative Chris Sprowls, that requires every entity within the state’s criminal justice system to collect an unprecedented amount of data and publish it in one publicly accessible database. That database will store anonymized data about individual defendants—including, among other things, previously unrecorded details about their ethnicities and the precise terms of their plea deals. It will also include county-level data about the daily number of people being held in a given jail pre-trial, for instance, or a court’s annual misdemeanor caseload. All in, the bill requires counties to turn over about 25 percent more data than they currently do.

The law, she keeps a-changing!
German Court's Privacy Ruling Against Facebook Will Have Far-Reaching Effects
Facebook has millions of users in the European Union, and a German court recently ruled against the company in a case involving its Privacy Policy. Few ever read privacy policies except judges, who must examine them when challenges arise.
The new EU General Data Protection Regulations, which go into effect on May 25, will make things even more complicated.
If you have any customers who are EU residents, the new GDPR will impact you.
… A German court earlier this year ruled that Facebook's terms of use did not comply with informed consent.
Informed consent is specific under EU rules. Article 4(11) of the GDPR defines consent as
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
Five criteria must be met to constitute consent:
  • freely given
  • specific
  • informed
  • unambiguous
  • affirmative

… Facebook and many U.S. websites use default privacy settings. The German court found several of those settings were difficult for the user to find and change. By implementing default settings, Facebook had failed to get informed consent.
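The five Article 4(11) criteria listed above, and the court’s point about default settings, can be turned into a concrete check. The following is an added example (not from the article, the court ruling, or any Facebook code); the record layout, the action vocabulary and the sample records are assumptions constructed for the illustration.

```python
"""Check a stored consent record against the five GDPR Article 4(11) criteria:
freely given, specific, informed, unambiguous, affirmative.
Added example; the record format and action names are constructed, not any
regulator's or platform's schema."""
from dataclasses import dataclass

# Actions that are a clear affirmative act by the user (constructed vocabulary).
AFFIRMATIVE_ACTIONS = {"ticked_box", "clicked_agree"}
# Actions that are only the absence of an objection: a setting that was on by
# default, or a box that was pre-ticked and never touched. This is the pattern
# the German court faulted in Facebook's defaults.
DEFAULT_ACTIONS = {"default_setting", "pre_ticked_box"}
# Anything else (scrolling past a banner, continuing to browse, unknown) is
# treated as ambiguous.


@dataclass(frozen=True)
class ConsentRecord:
    purpose: str                        # one processing purpose, e.g. "ad profiling"
    user_action: str                    # how the consent was supposedly expressed
    notice_version: str = ""            # id of the notice shown; "" means none shown
    bundled_purposes: tuple = ()        # other purposes covered by the same decision
    condition_of_service: bool = False  # service refused unless the user consents


def failed_criteria(rec: ConsentRecord) -> list:
    """Return the Article 4(11) criteria this record fails, in the Article's order."""
    failures = []
    # "freely given": consent demanded as the price of using the service is not free.
    if rec.condition_of_service:
        failures.append("freely given")
    # "specific": one decision must cover one purpose, not a bundle of them.
    if not rec.purpose or rec.bundled_purposes:
        failures.append("specific")
    # "informed": the user must have been shown a notice before deciding.
    if not rec.notice_version:
        failures.append("informed")
    # "unambiguous": scrolling, browsing on, or an unknown action says nothing clear.
    if rec.user_action not in AFFIRMATIVE_ACTIONS | DEFAULT_ACTIONS:
        failures.append("unambiguous")
    # "affirmative": a default left in place is no statement or action by the user.
    if rec.user_action not in AFFIRMATIVE_ACTIONS:
        failures.append("affirmative")
    return failures


def is_valid_consent(rec: ConsentRecord) -> bool:
    return not failed_criteria(rec)


# Constructed sample records for the four situations the text contrasts.
OPT_OUT_DEFAULT = ConsentRecord(
    purpose="profiling for targeted advertising",
    user_action="default_setting",
    notice_version="privacy-policy-2018-01")
BUNDLED_BANNER = ConsentRecord(
    purpose="analytics",
    user_action="scrolled_past_banner",
    notice_version="banner-v2",
    bundled_purposes=("advertising", "sharing with partners"))
EXPLICIT_OPT_IN = ConsentRecord(
    purpose="newsletter",
    user_action="ticked_box",
    notice_version="newsletter-notice-3")
TAKE_IT_OR_LEAVE_IT = ConsentRecord(
    purpose="location tracking",
    user_action="clicked_agree",
    notice_version="tos-2018",
    condition_of_service=True)

if __name__ == "__main__":
    for name, rec in [("opt-out default", OPT_OUT_DEFAULT),
                      ("bundled banner", BUNDLED_BANNER),
                      ("explicit opt-in", EXPLICIT_OPT_IN),
                      ("take it or leave it", TAKE_IT_OR_LEAVE_IT)]:
        verdict = "valid" if is_valid_consent(rec) else "fails: " + ", ".join(failed_criteria(rec))
        print(f"{name}: {verdict}")
```

Only the explicit opt-in passes; the default setting fails solely on the affirmative-action criterion, which is the narrow point the court made.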

At what point do you need to talk to a real lawyer? Perhaps an AI app could help answer that.
Legal tech is opening the system to those who need legal representation the most
TechCrunch: “…Emerging startups like and legal tech products like LegalZoom and DocuSign have lowered the barrier to entry for legal protection that was previously confined to law offices. Now anyone can write their will or incorporate a company without having to seek legal counsel. The dissolution of the traditional legal business model is good news for public interest law. Access to justice is a fundamental human right, but most can’t afford to hire legal representation when the need arises. Public defenders, pro bono lawyers, and immigration attorneys provide a great service to citizens, yet the demand for legal support far outweighs the supply of legal aid services. There simply aren’t enough public interest lawyers to go around. Financial hardship shouldn’t be a barrier to justice. Fortunately, simple applications of technology can streamline legal representation, and with wider adoption, may reduce a key contributor to the economic inequality equation. While law firms have been slow to embrace new disruptive technologies, public interest law is different. Tech allows them to serve more clients. It’s a disruption for good, and nonprofit tech companies are spearheading this movement….”

Making my students more productive?
If you’re a programmer who doesn’t use Chrome, you’re in the minority.

Might be useful for students describing their projects to potential employers.
A Great List of Tools for Making Cool Infographics
Cool Infographics is a book and a blog written by Randy Krum. I read his book a few years ago and came away with some great design ideas that I now use in my slides and in some social media posts. On his blog Randy critiques the design quality and information accuracy of infographics found around the Internet. His blog also contains a section in which he lists dozens of tools for creating all kinds of data visualizations.
The Cool Infographics tools page lists dozens of tools for building all kinds of data visualizations from simple word clouds to complex interactive designs. The Cool Infographics tools page also lists resources for free images, resources on picking the right design for your project, and places to find data to use in your projects.
Some of the tools on the Cool Infographics tools page will be familiar to readers of this blog. Canva and Timeline JS, for example, have been featured many times on this blog. Some tools, like Zanifesto, were completely new to me.

This could be useful for many of my students.

(Related) This one, not so much. Apparently, they think there is a market.
Duolingo targets Trekkies with new Klingon language course

Wednesday, March 14, 2018

Are we secretly at war? How do we tell random criminal breaches from organized state sponsored attacks? (Have we drawn a line in the sand?)
This sounds serious. Zack Hale reports:
The Port of Longview was recently victimized by a cyber attack that may have affected hundreds of past and current employees and dozens of vendors.
The FBI notified the port of the attack on Feb. 1, according to an internal memo obtained Monday by The Daily News.
However, the FBI told the port additional details about the attack are “classified,” according to the memo.
Investigators traced the attack to internet service provider addresses in Russia, Liberia and Kazakhstan, according to the memo.
Read more on TDN.
As a matter of opinion, I am tired of seeing entities engage law firms so that they can decline to reveal details and shield them as “privileged.” There needs to be an exception for matters of significant public concern, and a foreign attack on a port should qualify for needing public disclosure. Or at least a Congressional investigation and inquiry – if we had a Congress that could actually investigate anything without turning things into a partisan circus.

Not the kind of “First” you want to be remembered for…
J. Robert MacAneney of Carlton Fields writes:
On March 5, Yahoo, Inc. (“Yahoo”) announced a proposed settlement in In re Yahoo Inc. Securities Litigation, which was filed in U.S. District Court in San Francisco. The $80 million proposed settlement relates to a securities class litigation stemming from Yahoo’s 2013 and 2014 data breaches. While many elements of the Yahoo securities class action may be factually unique, the settlement is a milestone because it is the first significant securities fraud settlement from a cybersecurity breach.
Read more on JDSupra.

A problem with archives.
The Quest for a Universal Translator for Old, Obsolete Computer Files
“…The digital world continues to expand and mutate in all sorts of ways that will orphan and otherwise impair file formats and programs—from ones long forgotten to ones that work just fine today but carry no guarantees against obsolescence. Instead of a patchwork of one-off solutions, perhaps there’s a better way to keep old software running smoothly—a simpler process for summoning the past on demand. A team at the Yale University Library is trying to build one. Digital archivists deal with at least two broad categories of artifacts. There are analog objects or documents scanned into a second, digital life—digitized maps, for instance, or scanned photos. The other objects are natives of the digital world. These files can include everything from a simple compressed image to a game on a CD-ROM to a CAD design for a skyscraper. The relentless march of new versions and new platforms makes obsolescence a constant presence, from as soon as digital objects are conceived…”

This may help me explain ‘harm’ to my students.
In lawsuits about data breaches, the issue of harm has confounded courts. Harm is central to whether plaintiffs have standing to sue in federal court and whether their legal claims are viable. Plaintiffs have argued that data breaches create a risk of future injury, such as identity theft, fraud, or damaged reputations, and that breaches cause them to experience anxiety about this risk. Courts have been reaching wildly inconsistent conclusions on the issue of harm, with most courts dismissing data-breach lawsuits for failure to allege harm. A sound and principled approach to harm has yet to emerge.
In the past five years, the U.S. Supreme Court has contributed to the confusion. In 2013, the Court, in Clapper v. Amnesty International, concluded that fear and anxiety about surveillance—and the cost of taking measures to protect against it—were too speculative to satisfy the “injury in fact” requirement to warrant standing. This past term, the U.S. Supreme Court stated in Spokeo v. Robins that “intangible” injury, including the “risk” of injury, could be sufficient to establish harm. When does an increased risk of future injury and anxiety constitute harm? The answer remains unclear. Little progress has been made to harmonize this troubled body of law, and there is no coherent theory or approach.
In this Article, we examine why courts have struggled to conceptualize harms caused by data breaches. The difficulty largely stems from the fact that data-breach harms are intangible, risk-oriented, and diffuse. Harms with these characteristics need not confound courts; the judicial system has been recognizing intangible, risk-oriented, and diffuse injuries in other areas of law. We argue that courts are far too dismissive of certain forms of data-breach harm and can and should find cognizable harms. We demonstrate how courts can assess risk and anxiety in a concrete and coherent way, drawing upon existing legal precedent.
Solove, D.J. and Citron, D.K. Risk and Anxiety: A Theory of Data-Breach Harms. Texas Law Review. March, 2018, 96:737. Download here.

I kinda thought they were already doing this. Do you think they actually expected customers to walk into their stores?
Why Luxury Brands Are Racing to Embrace E-commerce
Farfetch is on the cusp of accomplishing something rare in the world of luxury retail: It potentially could become one of the few luxury tech “unicorns” with an upcoming $5 billion IPO. The lofty valuation marks a remarkable turn for an industry that had long been resistant to selling online, fearful that the internet’s mass access would damage luxury brands’ exclusivity. But now luxury fashion houses from Louis Vuitton to Chanel and Gucci have been racing to embrace digital, whether it is partnering with multi-brand sites like Farfetch, developing their own platforms or both.
The pivot to digital makes sense: Online sales are expected to drive future growth in the luxury goods market, making up 25% of the market by 2025 up from an estimated 9% last year, according to a 2017 report from Bain & Co. That means sales from offline stores will shrink to 75% of the total from 91%. Such projections serve as a wake-up call to luxury brands that have long relied on partners such as department stores — and their own boutiques — to sell products. But traditional retailers are struggling and more customers are becoming comfortable buying luxury goods online.

Apparently this is how you ‘campaign’ in Russia. “Vote for me or else?”
Putin enemy found dead in London eight days after Skripal poisoning, as counter-terror police launch investigation
Counter-terrorism police have opened an investigation into the “unexplained” death on British soil of an arch enemy of Vladimir Putin, just eight days after the nerve gas assassination attempt on a Russian double agent.
Nikolai Glushkov, 68, the right-hand man of the deceased oligarch Boris Berezovsky, Mr Putin’s one-time fiercest rival, was found dead at his London home on Monday.
A Russian media source said Glushkov, the former boss of the state airline Aeroflot, who said he feared he was on a Kremlin hit-list, was found with “strangulation marks” on his neck.

Resources for my undergrads…
Look for scholarships with Free Graduate School Scholarship Search
Sallie Mae- “Learn why scholarships—free money that you don’t have to pay back—are important and how to search for them to help you pay for graduate school…. Getting started is easy; students register free of charge, fill out a profile that can be updated at any time, and start searching. The tool responds with matches that identify relevant scholarships and their award amounts, application requirements, and deadlines. In addition, Graduate School Scholarship Search automatically will send updates when it identifies new matches.”

For our Python students.

None of the social media giants have offered guidance, as far as I know.