Friday, September 22, 2017

The police will probably not toss out those stingray devices just yet.
Appellate court rules tracking cellphones without a warrant unconstitutional
by Sabrina I. Pacifici on Sep 21, 2017
Washington Examiner: “The D.C. Court of Appeals ruled on Thursday [September 21, 2017] that it is unconstitutional for law enforcement to use certain technologies that allow the tracking of a suspect’s cellular phone without a warrant. The ruling reversed a decision of the Superior Court of the District of Columbia that allowed police to use a particular tracking tool, the cell-site simulator, calling it a violation of Fourth Amendment privacy protections as they relate to policing tactics. Investigators have used cell-site simulators to act as fake cell towers to connect to devices they are searching instead of the device’s regular network.”




It might be useful to know how thinly the algorithm slices the data. I’d wager that there were hundreds of thousands (perhaps millions) of ad categories identified by analyzing all the data available to Facebook.
Facebook can't hide behind algorithms
If Facebook’s algorithms were executives, the public would be demanding their heads on a stick, such was the ugly incompetence on display this week.
First, the company admitted a “fail” when its advertising algorithm allowed for the targeting of anti-Semitic users.
Then on Thursday, Mark Zuckerberg said he was handing over details of more than 3,000 advertisements bought by groups with links to the Kremlin, a move made possible by the advertising algorithms that have made Mr Zuckerberg a multi-billionaire.
Gross misconduct, you might say – but of course you can’t sack the algorithm. And besides, it was only doing what it was told.
“The algorithms are working exactly as they were designed to work,” says Siva Vaidhyanathan, professor of media studies at the University of Virginia.
… Facebook didn’t create a huge advertising service by getting contracts with big corporations.
No, its success lies in the little people. The florist who wants to spend a few pounds targeting local teens when the school prom is coming up, or a plumber who has just moved to a new area and needs to drum up work.
Facebook’s wild profits - $3.9bn (£2.9bn) between April and June this year - are due to that automated process. It finds out what users like, it finds advertisers that want to hit those interests, and it marries the two and takes the money. No humans necessary.
… That system will be slightly less human-free in future. In his nine-minute address, a visibly uncomfortable Mark Zuckerberg said his company would be bringing on human beings to help prevent political abuses. The day before, its chief operating officer said more humans would help solve the anti-Semitism issue as well.
“But Facebook can’t hire enough people to sell ads to other people at that scale,” Prof Vaidhyanathan argues.


(Related). One verb is as good as another to an algorithm. Apparently, nothing triggers alarms.
Instagram uses 'I will rape you' post as Facebook ad in latest algorithm mishap
Instagram used a user’s image which included the text “I will rape you before I kill you, you filthy whore!” to advertise its service on Facebook, the latest example of social media algorithms boosting offensive content.
Guardian reporter Olivia Solon recently discovered that Instagram, which is owned by Facebook, made an advertisement out of a photo she had posted of a violent threat she received in an email, which said “Olivia, you fucking bitch!!!!!!!” and “I Will Rape You”.
Instagram selected the screenshot, which she posted nearly a year ago, to advertise the photo-sharing platform to Solon’s sister this week, with the message, “See Olivia Solon’s photo and posts from friends on Instagram”.




Change is hard. People (and companies) resist change way beyond all logic. They prefer to keep doing the same thing, even if the science proves them wrong.
European Commission Accused Of Burying Controversial Piracy Report
The European Commission has been called out for failing to publish data indicating that piracy has little effect on legitimate content sales.
Back in 2014, it paid Dutch consultancy Ecorys more than $400,000 to research how unauthorised access of music, video, books and video games displaced legitimate sales, both online and offline.
The report was completed in May 2015, but was never published - and Pirate Party MEP Julia Reda thinks this is fishy.
"Why did the Commission, after having spent a significant amount of money on it, choose not to publish this study for almost two years?" she asks.
The report concludes that, in most cases, piracy has little impact on legitimate sales.
… Indeed, it found that games piracy actually increased legitimate sales.
There is an exception to this, in the form of blockbuster movies.
"The results show a displacement rate of 40 per cent which means that for every ten recent top films watched illegally, four fewer films are consumed legally," reads the report.
Even so, the researchers conclude that the reason for this is almost entirely down to cost, and that cutting fees for TV and movies would make a big difference.




For my Computer Security students.


Thursday, September 21, 2017

Is North Korea trading US stocks?
Hackers May Have Profited From SEC Corporate Filing System Attack
The vulnerability of governments and businesses to cyberattacks was exposed again Wednesday when a top U.S. financial regulator said hackers had breached its electronic database of market-moving corporate announcements, and may have profited from the information they stole.
The hack of an aspect of the U.S. Securities and Exchange Commission’s Edgar filing system occurred last year, the regulator said in a statement. While the SEC has been aware of the breach since 2016, it wasn’t until last month that the agency concluded that the cybercriminals involved may have used their bounty to make illicit trades. The regulator disclosed the intrusion for the first time Wednesday.
… The SEC didn’t say which companies may have been impacted by the 2016 intrusion. Chris Carofine, a spokesman for Clayton, declined to comment when asked what type of information was improperly accessed.




This is just poor training. Why would you have anyone type a URL when you could copy and paste?
Equifax tweets fake phishing site to concerned customers

It keeps getting more complicated for Equifax.

The credit agency's Twitter account tweeted links on Wednesday to a fake site pretending to be Equifax, further bungling the company's response to a massive hack that affected 143 million customers.
Equifax, like many companies, handles customer service and complaints through its Twitter account. But in tweets replying to people asking for help and more information, it occasionally directed them to "securityequifax2017.com."
The domain, designed to look like a phishing site, was set up to criticize how the company handled the situation.
The official account tweeted links to the same site multiple times since September 9, two days after the breach was first announced. The links have been deleted, but screenshots show it was not a one-time flub.
It's easy to mistake the fake site for the real one: equifaxsecurity2017.com. The company created it earlier this month to share information on the major data breach.
Security experts criticized Equifax's decision to use this domain and website because it looks a lot like a scam site. Soon after it launched, some browsers flagged it as a phishing site. Experts warned hackers could create similar websites and trick people into giving up personal information.
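The mix-up above is a word-order swap: the official domain and the critic's domain contain exactly the same words in a different order, which is why a support rep typing from memory got it wrong. A team that publishes a breach-response site can catch this class of confusable before it goes out the door by checking every domain it is about to tweet against the official one. The script below is an added example written for this page, not code from Equifax or from the article; the two real domains are the ones named in the story, the brand word list and the other candidate domains are constructed for the demonstration.

```python
"""Flag domains that look like a brand's official one (constructed example).

Three checks a defender cares about before a link goes into customer comms:
  1. same brand words in a different order   (securityequifax vs equifaxsecurity)
  2. same label under a different TLD         (equifaxsecurity2017.net)
  3. a label within a small edit distance     (one typo or swapped letter)
The word list passed to these functions is an assumption for the example.
"""
import re


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def tokenize(label: str, words) -> list:
    """Split a domain label into brand words, digit runs and leftover text.

    Longer words are tried first so 'security' is not shadowed by a shorter
    word that happens to be its prefix.
    """
    pattern = "|".join(sorted(map(re.escape, words), key=len, reverse=True))
    return [t for t in re.split(rf"({pattern}|\d+)", label.lower()) if t]


def split_domain(domain: str) -> tuple:
    """Return (label, tld). Assumption: two-label names only, no public-suffix list."""
    label, _, tld = domain.lower().strip().rpartition(".")
    return label, tld


def lookalike_reasons(candidate: str, legit: str, words) -> list:
    """Reasons `candidate` resembles `legit`; an empty list means nothing to flag."""
    c_label, c_tld = split_domain(candidate)
    l_label, l_tld = split_domain(legit)
    if (c_label, c_tld) == (l_label, l_tld):
        return []                       # identical to the official domain
    reasons = []
    if c_label != l_label and sorted(tokenize(c_label, words)) == sorted(tokenize(l_label, words)):
        reasons.append("same words in a different order")
    if c_label == l_label and c_tld != l_tld:
        reasons.append("same label under a different TLD")
    distance = levenshtein(c_label, l_label)
    if 0 < distance <= 2:
        reasons.append(f"edit distance {distance} from the official label")
    return reasons


def scan(candidates, legit: str, words) -> dict:
    """Map each flagged candidate to its reasons; unflagged domains are omitted."""
    return {c: r for c in candidates if (r := lookalike_reasons(c, legit, words))}


if __name__ == "__main__":
    # The first two domains are the real ones from the story; the rest are constructed.
    OFFICIAL = "equifaxsecurity2017.com"
    WORDS = {"equifax", "security"}          # assumption: brand vocabulary
    to_check = [
        "securityequifax2017.com",           # the domain the support account actually tweeted
        "equifaxsecurity2017.net",           # constructed
        "equifaxsecurlty2017.com",           # constructed: i -> l
        "equifaxsecurity2017.com",           # the official domain itself
        "example.com",                       # constructed: unrelated
    ]
    for domain, why in scan(to_check, OFFICIAL, WORDS).items():
        print(f"{domain}: {'; '.join(why)}")
```

Run it and only the first three candidates are printed; the official domain and the unrelated one produce no reasons. The word-order check is deliberately separate from edit distance, because a swap of two whole words is far beyond any edit-distance threshold you would tolerate, yet it is exactly the mistake a human makes.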


(Related). In humor, truth? A video for my Computer Security class.
Equifax F.A.Q.




An interesting follow-up! If you want to avoid detection, piggyback on software the target already uses and trusts. Very slick.
Attack on Software Firm Was Sophisticated, Highly Targeted
While initially shouting out loud that the compromise was addressed before any harm was done to users, Avast on Wednesday confirmed that this was in fact a highly targeted attack and that a secondary payload was executed on some of the impacted systems.
Analysis of the logs found on the C&C server revealed that 20 machines in a total of 8 organizations received the second-stage payload. However, the logs only covered just over three days, and the actual number of machines that received the payload could be in the hundreds, Avast says.
The security firm wouldn’t reveal the names of targeted organizations, but says that these were “select large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US.” This clearly means that most of the CCleaner users weren’t of interest to the attackers.




Another follow-up.
NotPetya cyber attack on TNT Express cost FedEx $300m
Falling victim to the Petya cyber attack cost FedEx around $300m during the last quarter of the financial year, the company has revealed in its latest earnings report.
Operations of FedEx's TNT Express unit in Europe were disrupted by the attack and the company previously warned that the financial cost of the incident was likely to be significant. But now, with the publication of its first quarter earnings FedEx has revealed the cost of falling victim to Petya to be an estimated $300 million in lost earnings.
… While no data breach or data loss occurred as a result of Petya, the company previously warned that it may not be able to recover all of the systems affected by the cyber attack.




Technology restrained?
Court upholds Illinois biometrics law on use of facial scans
by Sabrina I. Pacifici on Sep 20, 2017
Fortune – “A federal judge this week delivered a key victory for customers who claim the digital scrapbook company Shutterfly violated their privacy by collecting scans of their faces without permission. In a 19-page opinion, U.S. District Judge Joan Gottschall rejected Shutterfly’s argument that an Illinois state law, which restricts how companies can use biometric data, should not apply.”




What could possibly go wrong?
Apparently Joe Cadillic and I aren’t the only ones who thought that a Ravens promo raised a lot of warning flags, although our concern wasn’t as regulatory as much as privacy-oriented. Joe sent along this update:
Jeff Barker reports:
Massachusetts biotech firm still intends to give away DNA test kits to fans at a Ravens game this season, according to the team, but the promotion first must undergo scrutiny from a federal agency and the state.
The “DNA Day” event, scheduled for last Sunday’s Ravens-Cleveland Browns game at M&T Bank Stadium, was postponed after the federal Centers for Medicare & Medicaid Services raised questions with the state about approvals, state and federal officials said.
Read more on Baltimore Sun.
[From the article:
Fans attending the game were to receive test kits and, if they chose to participate, swab the inside of their cheek, drop the sample into a bin at the stadium and register with the company online to receive a free analysis.




Another example of, “Gee, maybe that algorithm isn’t perfect?” No doubt the FBI will be asking for a list of Amazon’s customers who purchased the suggested items...
Amazon ‘Reviewing’ Its Website After It Suggested Bomb-Making Items
Amazon said on Wednesday that it was reviewing its website after a British television report said the online retail giant’s algorithms were automatically suggesting bomb-making ingredients that were “Frequently bought together.”
The news is particularly timely in Britain, where the authorities are investigating a terrorist attack last week on London’s Underground subway system. The attack involved a crude explosive in a bucket inside a plastic bag, and detonated on a train during the morning rush.
The news report is the latest example of a technology company drawing criticism for an apparently faulty algorithm. Google and Facebook have come under fire for allowing advertisers to direct ads to users who searched for, or expressed interest in, racist sentiments and hate speech. Growing awareness of these automated systems has been accompanied by calls for tech firms to take more responsibility for the contents on their sites.




Interesting.
Kade N. Olsen and Craig A. Newman report on a court opinion in the D-Link case – a case that addresses some of the issues also raised in LabMD vs. FTC:
Yesterday, a District Court in Northern California weighed in on the U.S. Federal Trade Commission’s (FTC) authority to protect consumers from “unfair” and “deceptive” data security practices. The decision, which granted in part and denied in part the defendant’s motion to dismiss, is a mixed bag for the Commission.
As we previewed earlier this year, the FTC filed suit against D-Link Systems, Inc. (“D-Link”), a company that manufactures and sells home networking devices. According to the FTC, D-Link failed to protect its products from “widely known risks of unauthorized access” by not providing “easily preventable” measures against “‘hard-coded’ user credentials and other backdoors,” not maintaining the confidentiality of the private key D-Link used with consumers to validate software updates, and not deploying “free software, available since at least 2008, to secure users’ mobile app login credentials.” These practices, the FTC maintained, were both (1) “deceptive” and (2)“unfair” under Section 5 of the FTC Act, 15 U.S.C. § 45.
Read more on Patterson Belknap Data Security Law Blog. Here’s the part that may give LabMD a smile or a “That’s what we think, too” nod:
But, the court ultimately found “merit” in D-Link’s argument that the FTC had failed to plead sufficiently that consumers had been injured. As followers of our LabMD coverage will recall, Section 5(n) of the FTC Act provides that the Commission cannot declare an act “unfair” unless, inter alia, that act “causes or is likely to cause substantial injury to consumers.”
The district court explained that the FTC did “not allege any actual consumer injury in the form of a monetary loss or an actual incident where sensitive data was accessed or exposed.” It was not enough, Judge Donato held, that the FTC claimed that D-Link “put consumers at ‘risk.’” Without “concrete facts” of a “single incident where a consumer’s financial, medical or sensitive data has been accessed, exposed or misused in any way,” the unfairness claim depended on “wholly conclusory allegations” of “potential injury.”




I’m not sure I would go that far…
America needs Amazon more than Amazon needs America
… There may be blood in the water in Silicon Valley, but it isn’t coming from Amazon. The company’s stock is up roughly 30% this year, unperturbed by tepid financial results and the angry tweets of US president Donald Trump. Its business practices remain unfettered by federal regulators and seem unlikely to be criticized at the local and state level so long as HQ2 is on the auction block.
… As for the American public, why would they turn against Amazon? By one estimate, 85 million people, or roughly two-thirds of US households, are subscribers to Prime, Amazon’s $99-a-year membership program. They rely on it for everything from toilet paper to blenders to Bluetooth speakers, spending an annual average of $1,300. Bezos wants Prime to be such a good deal “you’d be irresponsible not to be a member.” Put another way, that you’d be irresponsible not to like Amazon.




Perspective. Does the need to access technology now override security concerns?
Saudi Arabia to lift ban on internet calls
Saudi Arabia will lift a ban on internet phone calls, a government spokesman said, part of efforts to attract more business to the country.
All online voice and video call services such as Microsoft’s Skype and Facebook’s WhatsApp that satisfy regulatory requirements will become accessible at midnight (2100 GMT), Adel Abu Hameed, spokesman for the telecoms regulator CITC said on Twitter on Wednesday.
The policy reversal represents part of the Saudi government’s broad reforms to diversify the economy partly in response to low oil prices, which have hit the country’s finances.




Perspective. Think about this one. Your camera ‘knows’ when you are taking a picture of a cake or a bird. Perhaps it will rat you out to Mom & Dad when you start Sexting?
Facebook's New 'AI Camera' Team Wants to Add a Layer to the World
Take a video of a birthday cake’s candles sparkling in an Instagram story, then tap the sticker button. Near the top of the list you’ll see a slice of birthday cake.
It’s a little thing. This simple trick is not breathtaking nor magical. But it is the beginning of something transformative. Smartphones already changed how most people take pictures. The latest Silicon Valley quest is to reimagine what a camera is, applying the recent progress in artificial intelligence to allow your phone to read the physical world as easily as Google read the web.
… The AI Camera team is responsible for giving the cameras inside these apps an understanding of what you’re pointing them at. In the near future, your camera will understand its location, recognize the people in the frame, and be able to seamlessly augment the reality you see.


(Related).
Researchers at the University of Nottingham and Kingston University have created an algorithm that can translate any front-facing 2D photo into a bizarrely realistic 3D image.
… You can play around with the tool for yourself online. The researchers kindly provide a few photos for you to test out, and you can also upload a photo of yourself to try.




For my Computer Security students.
Preventing and Responding to Identity Theft
by Sabrina I. Pacifici on Sep 20, 2017
You can be a victim of identity theft even if you never use a computer. Malicious people may be able to obtain personal information (such as credit card numbers, phone numbers, account numbers, and addresses) by stealing your wallet, overhearing a phone conversation, rummaging through your trash (a practice known as dumpster diving), or picking up a receipt at a restaurant that has your account number on it. If a thief has enough information, he or she may be able to impersonate you to purchase items, open new accounts, or apply for loans. The Internet has made it easier for thieves to obtain personal and financial data. Most companies and other institutions store information about their clients in databases; if a thief can access that database, he or she can obtain information about many people at once rather than focus on one person at a time. The Internet has also made it easier for thieves to sell or trade the information, making it more difficult for law enforcement to identify and apprehend the criminals…”




For all my students.




For my cable cutting students.




Interesting App. What could similar Apps do for my students? Read their textbooks, for example?
LC – An App to Answer Your Questions about the Constitution
by Sabrina I. Pacifici on Sep 20, 2017
Margaret M. Wood, legal reference librarian in the Law Library. “Two years ago, in honor of Constitution Day—celebrated annually on September 17—I wrote a post about the publication “Constitution of the United States: Analysis and Interpretation,” also referred to as the “Constitution Annotated.” Along with the U.S. Code, it is one of my favorite work resources. Unfortunately, it is a behemoth of a work—it takes two hands to hold the volume, which weighs a good 10 pounds. Fortunately, the text is also available online through Congress.gov and through the U.S. Government Publishing Office, whose digital system includes both the most recent edition (2016) as well as historic editions back to 1992. But given my penchant for bringing work topics into social situations, even the online version is not very practical. I cannot, very easily, fire up the computer during a conversation at a dinner or cocktail party. However, fortunately for me, there is an app for the “Constitution Annotated.” It debuted in 2013, when Congress.gov was still in beta, and has since been updated…”
[From the App description:
This app:
- Delivers the full text of “Constitution of the United States of America: Analysis and Interpretation”
- Contains a clause-by-clause discussion of the entire Constitution
- Discusses all Supreme Court cases and selected historical documents relevant to interpreting the Constitution
- Lists all federal, state, and local laws struck down by the Supreme Court, and all cases where the Court overturned its prior precedent
- Contains a table of contents, table of cases, and an index


Wednesday, September 20, 2017

This could be very difficult. Some messages are obvious, others not so much.
Web firms told to remove terror content within two hours
Tech giants like Google, Facebook and Twitter must find ways to remove terror propaganda within two hours of being posted online - or face fines, Theresa May will demand.
The prime minister will help lead an international call for the internet firms to be set a deadline of a month to show they can develop the necessary technology fixes.
The move comes as YouTube faced criticism for failing to take down extremist content that included videos praising Hitler and the Taliban.
And days after a report found more jihadist propaganda is viewed online in the UK than any other country in Europe.
… The so-called Islamic State generated 27,000 extremist postings on platforms like Twitter in a five-month period between January and May this year.
The links ranged from bomb-making instructions to calls to commit atrocities with cars and knives, with the majority of shares taking place in the first two hours. [So even a two hour window will miss ‘the majority’ of shares? Bob]


(Related).
Twitter says its controls are weeding out users advocating violence
Twitter said it had removed 299,649 accounts in the first half of this year for the “promotion of terrorism”, a 20 percent decline from the previous six months, although it gave no reason for the drop. Three-quarters of those accounts were suspended before posting their first tweet.


(Related). A drop in the bucket or a way to identify potential solutions?
Google.org launches $5 million innovation fund to counter ‘hate and extremism’
With controversy continuing to mount over the role the internet has played in fueling extremist groups, Google.org today announced a new initiative it hopes will put a dent in the problem.
The organization said it will pump $5 million into an innovation fund that will give grants to researchers and organizations that are building products and services to combat the problem.




We need some new thinking.
The Hill reports:
A District of Columbia court has dismissed two lawsuits over the Office of Personnel Management (OPM) data breach disclosed in 2015.
The American Federation of Government Employees, the largest federal workers union, filed the class action lawsuit against the OPM in June 2015, alleging that the breaches stemmed from gross negligence on the part of federal officials.
The lawsuit was one of two consolidated complaints related to the OPM breach that the U.S. District Court for D.C. dismissed on Tuesday, ruling that both sets of plaintiffs lacked the standing to bring their cases.
Read more on The Hill.
Okay, since these lawsuits weren’t under the same laws we generally see in consumer lawsuits over breaches, we’ll have to dig into this one a bit more to see why the court did not find that the plaintiffs had standing. In the meantime, I’ll keep an eye out to see if any law firms provide an analysis of the opinion on their sites that I can link to here.
Keep in mind that I consider the OPM breach one of the worst breaches ever because of the amount of personal and sensitive information involved. If these plaintiffs have trouble demonstrating why they have standing, well….. maybe it’s time to revisit what it should take to demonstrate standing when your background checks, biometric data, and other personal and sensitive information wind up in the hands of unknown threat actors due to an entity’s failure to adequately safeguard your information.




Not all algorithms are perfect. (But some are amusing.)
Amazon sends accidental gift email to shoppers due to glitch
A technical glitch caused Amazon.com Inc to email some of its customers erroneously that they had received a gift, the company said on Tuesday.
The email displayed an image of a crawling infant and told shoppers they had received a present from their baby registry. A number of recipients, however, reported on social media that they were not expecting a child.
“Amazon just informed me that someone has purchased a gift from my baby registry. My baby is 21, and hopes it’s a keg,” Washington Post reporter Karen Tumulty said on Twitter.




I bet they would! Big money, but is it enough to get the attention of other Boards of Directors?
Equifax May Be Happy to Spend $1 Per Customer for Their Trouble
… While the 118-year-old credit-reporting firm has been hit with more than 100 consumer lawsuits over its massive security breach, legal experts say there’s room for a deal because neither side has a slam-dunk case.
A global settlement of about $200 million is plausible, said Nathan Taylor, a cybersecurity lawyer with Morrison Foerster LLP in Washington. That’s a projection based on the $115 million Anthem Inc. agreed to pay in June -- setting a U.S. record -- to resolve claims that it didn’t protect a smaller number of people from a 2015 criminal hack that stole similarly sensitive information, Taylor said.
With lawyers collecting as much as a third of any payout, the company may end up spending an average of less than $1 per person for credit monitoring and out-of-pocket expenses for 143 million Equifax consumers whose data was compromised.
That’s a good deal for the embattled credit reporting company as its exposure theoretically could amount to $143 billion under a federal law that carries damages of as much as $1,000 per violation, plus punitive damages.


(Related). Look before you leap. Caveat emptor. There’s a sucker born every minute.
LifeLock offers to protect you from the Equifax breach — by selling you services provided by Equifax




A link for my Computer Security students.




I may use this in my next Statistics class.
A visual introduction to machine learning
by Sabrina I. Pacifici on Sep 19, 2017
R2D3 is an experiment in expressing statistical thinking with interactive design: “In machine learning, computers apply statistical learning techniques to automatically identify patterns in data. These techniques can be used to make highly accurate predictions… Using a data set about homes, we will create a machine learning model to distinguish homes in New York from homes in San Francisco…”




Hard to show you’re a serious worker if you can’t even complete the application…
What’s keeping teenagers unemployed? Online personality tests
… Where once teenagers or early 20-somethings may have wandered into their local supermarket and applied for their first job, now a substantial share of employers are using online personality assessments to gauge the skill and character of potential dishwashers, burger-flippers and other entry-level jobs.
That’s putting young job seekers at a disadvantage, according to a report released Wednesday by JobsFirstNYC, a New York City-based nonprofit that advocates for out-of-school and out-of-work young adults. The report is based on an experiment, which asked 18 to 22-year-olds to submit applications to 42 major employers in the New York City area in 2012 and 2014.
The authors found that tests were so extensive — in some cases 200 questions — that they discouraged young people from applying or made it difficult for them to complete the applications, a problem that was particularly acute for low-income young people who may not have regular access to the internet. Young adults may struggle more than older applicants to answer some of the questions because their brain and personality development isn’t complete, they added.


(Related).
Why American teenagers are not interested in adult activities like sex, drinking — or working
Kids today are in no hurry to grow up.
Teenagers are increasingly less likely to engage in adult activities like drinking alcohol, working jobs, driving or having sex according to research from San Diego State University and Bryn Mawr College published in the peer-reviewed journal Child Development Tuesday.




This could be an interesting addition to student research papers.


Tuesday, September 19, 2017

This just got nasty.
You may have never heard of Flathead Valley in Montana. I’ll admit that I had never heard of it until tonight when I received a tip to go look at a post on their sheriff’s Facebook page. And that’s when I learned that Flathead County schools had not only been hacked and threatened if they didn’t pay the hackers, but parents had received messages threatening to kill their children. The threats were taken seriously enough that 30 schools were closed for days while the county and federal law enforcement investigated the threats.
We are now in the realm of TheDarkOverlord v2.0, it seems.
For those who, like this blogger, have followed the criminal activities of TheDarkOverlord, reading a report of them thoroughly hacking an entity and then writing a lengthy demand letter threatening to expose confidential files or personal information – well, that’s nothing new. But contacting parents of school children and threatening their children’s physical safety?
It is TheDarkOverlord on steroids, at the very least. But is it a real threat?
As The Flathead Beacon reported after the situation escalated:
The individual apparently gained access to the Columbia Falls School District’s electronically stored directory and began contacting and threatening families individually.
How do you terrorize an entire community? You raise the spectre of Sandy Hook. And you show that you know details about the children and the school.


TheDarkOverlord are masters at doing their research, and were aiming to create significant terror in their targets. I think it’s pretty clear that they accomplished that – at least in the short-term. But is this approach likely to result in more payments from victims, or has TheDarkOverlord misunderstood the psychology of its intended victims? There is certainly no indication that Flathead Valley will be paying them any money.
What the people of Flathead County may not know, but what law enforcement should certainly know, is that this is not the first time TheDarkOverlord has threatened physical violence against a victim. DataBreaches.net is not reproducing an earlier threat missive, but it, too, was designed to terrorize its target by threatening physical violence against the victim’s family. And the Flathead case is not the first case where TheDarkOverlord has contacted its victims by phone or SMS to threaten them or deliver obscenity-laden messages.
And maybe that’s the first thing law enforcement could have done to reassure the community: to recognize from the style and writing that this was/is the work of TheDarkOverlord and they’ve threatened physical violence before but never followed up on it – at least, not to date.
Of course, if TheDarkOverlord is really outside of the U.S., as the sheriff apparently told the community, then actual physical violence seems less likely. But should the county be telling the public that TheDarkOverlord is outside of the U.S.? It’s a reasonable hypothesis, but do they actually have any hard proof of that? If they don’t have actual proof, wouldn’t it be more honest to say, “We believe that they’re outside of the U.S.” than to assert that they are?
… In the meantime, the Flathead Beacon has done a truly admirable job of reporting on the situation as it has evolved, and you can get caught up on the details by reading their reports (in reverse chronological order, below:)




Management did not take the earlier breach as an indication that security was not up to snuff?
Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed
Equifax Inc. learned about a major breach of its computer systems in March -- almost five months before the date it has publicly disclosed, according to three people familiar with the situation.
In a statement, the company said the March breach was not related to the hack that exposed the personal and financial data on 143 million U.S. consumers, but one of the people said the breaches involve the same intruders.
… Equifax hired the security firm Mandiant on both occasions and may have believed it had the initial breach under control, only to have to bring the investigators back when it detected suspicious activity again on July 29, two of the people said.
… The revelation of a March breach will complicate the company’s efforts to explain a series of unusual stock sales by Equifax executives. If it’s shown that those executives did so with the knowledge that either or both breaches could damage the company, they could be vulnerable to charges of insider trading. The U.S. Justice Department has opened a criminal investigation into the stock sales, according to people familiar with the probe.
Equifax has said the executives had no knowledge that an intrusion had occurred when the transactions were made.
… There’s no evidence that the publicly disclosed chronology is inaccurate, but it leaves out a set of key events that began earlier this spring, the people familiar with the probe said.
In early March, they said, Equifax began notifying a small number of outsiders and banking customers that it had suffered a breach and was bringing in a security firm to help investigate. The company’s outside counsel, Atlanta-based law firm King & Spalding, first engaged Mandiant at about that time. [Hired not by Equifax, but by their lawyers. Bob] While it’s not clear how long the Mandiant and Equifax security teams conducted that probe, one person said there are indications it began to wrap up in May. Equifax has yet to disclose that March breach to the public.
One possible explanation, according to several veteran security experts consulted by Bloomberg, is that the investigation didn’t uncover evidence that data was accessed. Most data breach disclosure laws kick in only once there’s evidence that sensitive personal identifying information like social security numbers and birth dates have been taken. The Equifax spokesperson said the company complied fully with all consumer notification requirements related to the March incident.




Apparently, a large percentage of people prefer conspiracy over truth.
Is There Any Hope for Facebook's Fact-Checking Efforts?
Facebook’s fact-checking efforts are on the rocks. Five months after the social-media giant debuted a third-party tool to stop the spread of dubious news stories on its platform, some of its fact-checker partners have begun expressing frustration that the company won’t share data on whether or not the program has been effective.
In the absence of that official data, a study by Yale researchers made waves last week by suggesting that flagging a post as “disputed” makes readers just a slim 3.7 percent less likely to believe its claim. Among Trump supporters and young people, the fact-checking program seems to backfire entirely: Those respondents were more likely to believe flagged posts than unflagged ones.
… Facebook users who cluster around conspiracy-related content tend to interact only with material that affirms their preexisting worldview, but in the rare cases when they do come into contact with dissenting information that attempts to debunk conspiracy theories—in the form of public posts by science-related pages—the conspiracy theorists become more, rather than less, likely to interact with conspiracy-related content in the future. In fact, conspiracy theorists who never interact with dissenting viewpoints are almost twice as likely as those who do to eventually drift away from conspiracy-themed content.
In other words, attempting to correct wrongheaded beliefs on Facebook appears to accomplish the precise opposite.




For my students who read.
Google adds local library ebook options to search results
… The user will need to first apply their location, though, so Google knows which library to search. The results, as shown in the tweeted image above, list the library under a ‘Borrow ebook’ section which itself appears to be found under the ‘Get Book’ tab. You’ll need to search the book’s title to see this, at which point there’s only a bit of scrolling and a tap to get to the item.
If you do tap the link to borrow the ebook, you’ll be taken to a page where you can then sign in with your library credentials. From there you can proceed as usual, reading a sample or outright borrowing the book if you already know you want it. The feature is rolling out now and can be found on mobile and desktop (at the bottom of the right-hand panel in the latter case).


Monday, September 18, 2017

I’m updating as I type this blog entry.
Hackers Hid Backdoor In CCleaner Security App With 2 Billion Downloads -- 2.3 Million Infected
Users of Avast-owned security application CCleaner for Windows have been advised to update their software immediately, after researchers discovered criminal hackers had installed a backdoor in the tool. The tainted application allows for download of further malware, be it ransomware or keyloggers, with fears millions are affected. According to Avast's own figures, 2.27 million ran the affected software, though the company said users should not panic.
… The malware would send encrypted information about the infected computer - the name of the computer, installed software and running processes - back to the hackers' server. The hackers also used what's known as a domain generation algorithm (DGA); whenever the crooks' server went down, the DGA could create new domains to receive and send stolen data. Use of DGAs shows some sophistication on the part of the attackers.
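The DGA behaviour described in that excerpt is what a resolver-log screen should catch: once the fixed server is gone, the implant starts querying names that no human registered. What follows is an added example, not Forbes' text and not Avast's or any vendor's analysis: a small Python screen that scores each queried name's second-level label on four cheap signals (character entropy, vowel ratio, digit ratio, label length) and flags names that trip two or more. The log lines, domains and thresholds are constructed for illustration; none of them are indicators from the CCleaner incident.

```python
"""Heuristic screening of DNS query logs for DGA-style names, as an added
example (not Forbes', Avast's or any vendor's analysis). Each queried name's
second-level label is scored on four cheap signals; two or more hits flag it.
The log lines, thresholds and domains are constructed for illustration and are
not indicators from the CCleaner incident."""
import math
import re
from collections import Counter
from typing import List

# Constructed sample resolver log: timestamp, client, queried name.
SAMPLE_DNS_LOG = """\
2017-09-18T10:01:02Z 10.0.0.15 www.example.com
2017-09-18T10:01:05Z 10.0.0.15 assets.contoso-updates.com
2017-09-18T10:01:09Z 10.0.0.15 q7x2m9k4p1z8.com
2017-09-18T10:01:12Z 10.0.0.15 ab12cd34ef56gh78.net
2017-09-18T10:01:20Z 10.0.0.22 mail.example.org
2017-09-18T10:01:25Z 10.0.0.22 xkqzvmrtplwq.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def second_level_label(domain: str) -> str:
    """Label just left of the TLD (naive: no public-suffix list)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking strings score higher."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s: str) -> float:
    letters = [ch for ch in s if ch.isalpha()]
    return sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0


def digit_ratio(s: str) -> float:
    return sum(ch.isdigit() for ch in s) / len(s) if s else 0.0


def score_domain(domain: str) -> int:
    """Count of DGA-like signals on the second-level label (0..4).
    Thresholds are constructed starting points; tune them on your own traffic."""
    label = second_level_label(domain)
    return sum([
        shannon_entropy(label) >= 3.5,   # near-uniform character use
        vowel_ratio(label) < 0.2,        # unpronounceable (catches letter-only DGAs)
        digit_ratio(label) > 0.3,        # hex/alphanumeric DGAs dodge the vowel test
        len(label) >= 12,                # long label with no dictionary structure
    ])


def screen_dns_log(text: str, min_score: int = 2) -> List[str]:
    """Return queried names whose label scores min_score or more, in log order,
    de-duplicated. In practice pair this with per-client NXDOMAIN-rate counting."""
    flagged, seen = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name = m.group(3).lower()
        if name not in seen and score_domain(name) >= min_score:
            seen.add(name)
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in screen_dns_log(SAMPLE_DNS_LOG):
        print(f"suspect DGA domain: {name} (score {score_domain(name)})")
```

The digit-ratio signal is there because a hex-style generator produces labels with a perfectly ordinary vowel count; the long benign label in the sample trips only the length test and stays below the flag threshold. Treat the output as a triage queue, not a verdict: a burst of flagged names from one client, most of them returning NXDOMAIN, is the pattern worth an analyst's time.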




A good summary, but nothing new.




Social media has to respond to government “requests” to keep operating in that country. There is no higher court to appeal to.
Snapchat blocks Al Jazeera in Saudi Arabia at government’s request
Social media app Snapchat has blocked access to Al Jazeera articles and videos on the platform in Saudi Arabia, following a request from Saudi authorities.
Snapchat said it blocked access to AJ’s Discover Publisher Channel at the request of authorities because it allegedly violated Saudi laws.
Al Jazeera, a Qatari-backed broadcaster, was one of the points of contention in the ongoing dispute between Qatar on one side and Saudi Arabia, Bahrain, Egypt and the UAE on the other. All cut ties with Qatar for allegedly supporting terrorism. Doha denies the accusation.
The complete shutdown of Al Jazeera was included in the list of 13 conditions which Saudi Arabia gave to Qatar in return for the removal of sanctions.


(Related). The law is whatever we say it is.
Facebook Navigates an Internet Fractured by Governmental Controls
… Mr. Tuan’s arrest came just weeks after Facebook offered a major olive branch to Vietnam’s government. Facebook’s head of global policy management, Monika Bickert, met with a top Vietnamese official in April and pledged to remove information from the social network that violated the country’s laws.
While Facebook said its policies in Vietnam have not changed, and it has a consistent process for governments to report illegal content, the Vietnamese government was specific. The social network, they have said, had agreed to help create a new communications channel with the government to prioritize Hanoi’s requests and remove what the regime considered inaccurate posts about senior leaders.
Populous, developing countries like Vietnam are where the company is looking to add its next billion customers — and to bolster its ad business. Facebook’s promise to Vietnam helped the social media giant placate a government that had called on local companies not to advertise on foreign sites like Facebook, and it remains a major marketing channel for businesses there.
The diplomatic game that unfolded in Vietnam has become increasingly common for Facebook. The internet is Balkanizing, and the world’s largest tech companies have had to dispatch envoys to, in effect, contain the damage such divisions pose to their ambitions.
… As nations try to grab back power online, a clash is brewing between governments and companies. Some of the biggest companies in the world — Google, Apple, Facebook, Amazon and Alibaba among them — are finding they need to play by an entirely new set of rules on the once-anarchic internet.
And it’s not just one new set of rules. According to a review by The New York Times, more than 50 countries have passed laws over the last five years to gain greater control over how their people use the web.




At least they don’t have to record their choices in cursive. Perhaps we will soon need a new acronym: TO;CG (too old, call grandpa)?
LOL Democracy! Young Voters Are Baffled by Mail-In Ballots
Both sides in Australia’s referendum on same-sex marriage wonder if millennials, more accustomed to texting and social media, actually know how to send a letter.
The future of democracy faces an unexpected challenge from within.
Can young voters learn to use a mailbox?
The outcome of a national mail-in vote in Australia this fall on sanctioning same-sex marriage may teeter on the answer. “I don’t really know what the go is with post boxes, stamps, that kind of thing,” says 23-year-old Anna Dennis. Ms. Dennis, a sociology student at the elite Australian National University, says the last time she had to mail a parcel “I took my dad to help.”
… Tiernan Brady was recruited to run the Equality Campaign after heading Ireland’s same-sex marriage referendum in 2015. He says he starts campaign events by asking, “How many people have posted a letter in the past year?”
Typically, “only a handful of hands go up,” Mr. Brady says.
“Australians don’t do postal votes,” he says. “The last one was in 1917, so we can safely say no one alive remembers it.”
Like elsewhere, instant-message apps and email have taken their toll. Mail volume has plummeted, according to Australia Post, the national mail service: Australians sent a billion fewer letters last year than a decade ago. Business and government mail account for 95% of all letters.
Postal service appears to have joined the list of habits abandoned by millennials, including paying by check and answering the doorbell, a device that a majority in a recent Twitter poll agreed was “scary weird.”
… Sending a letter is like recalling the times table from grade-school arithmetic, says Yan Zhuang, a 21-year-old politics major at the University of Melbourne. “You sort of remember,” she says, “but not really.”
Australia Post says it doesn’t know how many young people send mail. A 2015 study for the Royal Mail in the U.K. found a third of them believe “writing letters is a thing of the past.” Half said they wrote friends on social media every day; most said they mailed about one letter a year.




Just out of curiosity, I’d like to see the cost projections they based this advertising scheme on.
Verizon disconnecting 8,500 people for being unprofitable
Verizon said it sent notices of disconnection to the affected customers this month and those customers will have until October 17th to find new mobile service. Verizon says that’s plenty of time for people to find new networks as the customers generate more in roaming charges than they generate income for Verizon.
“These customers live outside of areas where Verizon operates our own network. Many of the affected consumer lines use a substantial amount of data while roaming on other providers’ networks and the roaming costs generated by these lines exceed what these consumers pay us each month.”
The interesting part of this story is that Verizon’s letter to customers doesn’t provide any way for them to stick with Verizon by reducing their data use. The letter simply states the October 17 cut-off period. One affected customer contacted Ars Technica and said her family only used 50GB across 4 lines, which is well below the 22GB cut-off.
Verizon maintains that these customers are getting the boot because of their roaming charges, but also fails to mention that it advertised its own unlimited plans directly to these rural customers in order to entice them to get plans. Now that the cost has become more than Verizon can bear, they’re giving those customers the boot.




Would lawyers use/trust/admit to a free resource?
New on LLRX – The Fight to Bring Legal Research to the Front
by Sabrina I. Pacifici on Sep 17, 2017
Via LLRX – The Fight to Bring Legal Research to the Front – Law librarian and professor Brandon Adler identifies core issues to support educating third year law students in a wide range of reliable free and low cost legal resources. Many law librarians acknowledge that there is a lack of awareness and use of alternative legal resources, within the law student community as well as across a large swath of attorneys in firms both large and small.




Perhaps not the most comprehensive review, but at least it’s a start.
New on LLRX – AI And The Rule Of Law
by Sabrina I. Pacifici on Sep 17, 2017
Via LLRX – AI And The Rule Of Law – Our exposure to and reliance upon an increasingly ubiquitous range of technology is intertwined with issues related to intellectual property law. With smartphone cameras used to capture and share what their respective creators otherwise claim as intellectual property, to the devices, services and applications that comprise the Internet of Things (IoT), Ken Grady raises significant and as yet unresolved concerns about how the rule of law will be applied in response to the use, and misuse, of AI and digital personal assistants.




Why lies work? Why it is hard to change the first thing you learn? The importance of a reliable first source?
Debunking Study Suggests Ways to Counter Misinformation and Correct ‘Fake News’
by Sabrina I. Pacifici on Sep 17, 2017
News release: “It’s no use simply telling people they have their facts wrong. To be more effective at correcting misinformation in news accounts and intentionally misleading “fake news,” you need to provide a detailed counter-message with new information – and get your audience to help develop a new narrative. Those are some takeaways from an extensive new meta-analysis [fee req’d] of laboratory debunking studies published in the journal Psychological Science. The analysis, the first conducted with this collection of debunking data, finds that a detailed counter-message is better at persuading people to change their minds than merely labeling misinformation as wrong. But even after a detailed debunking, misinformation still can be hard to eliminate, the study finds. “The effect of misinformation is very strong,” said co-author Dolores Albarracín, professor of psychology at the University of Illinois at Urbana-Champaign. “When you present it, people buy it. But we also asked whether we are able to correct for misinformation. Generally, some degree of correction is possible but it’s very difficult to completely correct…”
“Debunking: A Meta-Analysis of the Psychological Efficacy of Messages Countering Misinformation” was conducted by researchers at the Social Action Lab at the University of Illinois at Urbana-Champaign and at the Annenberg Public Policy Center of the University of Pennsylvania. The teams sought “to understand the factors underlying effective messages to counter attitudes and beliefs based on misinformation.” To do that, they examined 20 experiments in eight research reports involving 6,878 participants and 52 independent samples. The analyzed studies, published from 1994 to 2015, focused on false social and political news accounts, including misinformation in reports of robberies; investigations of a warehouse fire and traffic accident; the supposed existence of “death panels” in the 2010 Affordable Care Act; positions of political candidates on Medicaid; and a report on whether a candidate had received donations from a convicted felon. The researchers coded and analyzed the results of the experiments across the different studies and measured the effect of presenting misinformation, the effect of debunking, and the persistence of misinformation.”


(Related). Think this will help?
Bing now shows fact checks in search results
Following Google’s lead earlier this year, Bing has added fact checking tags to search results.




Perspective. You’d think I would have run into any Social Media tool this big, but strangely I have not.
Slack valued at $5.1 billion after new funding led by SoftBank
Software startup Slack Technologies Inc said it raised $250 million from SoftBank Group Corp (9984.T) and other investors in its latest funding round, boosting the company’s valuation to $5.1 billion.
… Slack’s sizeable funding round reflects the trend of a growing number of $100 million-plus checks pouring into technology startups. In the second quarter this year, there were 34 venture capital deals of $100 million or more, nearly triple the 12 such transactions in the first quarter, according to data firm PitchBook Inc.


Perspective. Maybe Apple is not crazy.
How Apple’s Pricey New iPhone X Tests Economic Theory
Thorstein Veblen was a cranky economist of Norwegian descent who coined the phrase “conspicuous consumption” and theorized that certain products could defy the economic laws of gravity by stoking more demand with superhigh prices.
His 1899 book, “Theory of the Leisure Class,” made him famous in his time and more than a century later his ideas are embodied in products like Hermès handbags, Bugatti cars and Patek Philippe watches.




For my students? Probably not…
Borrow, Read, and Listen - The Open Library
The Open Library is a part of the Internet Archive. The Open Library is a collection of more than one million free ebook titles. The collection is cataloged by a community of volunteer online librarians. The ebooks in the Open Library can be read online, downloaded to your computer, read on Kindle and other ereader devices, and embedded into other sites. Some of the ebooks, like Treasure Island, can also be listened to through the Open Library.
Much like Google Books, the Open Library can be a great place to find free copies of classic literature that you want to use in your classroom. The Open Library could also be a good place for students to find books that they want to read on their own. The audio option, while very electronic sounding, could be helpful if you cannot locate any other audio copies of the book you desire.


(Related). But, just in case…
eBooks and Texts
The Internet Archive offers over 12,000,000 freely downloadable books and texts. There is also a collection of 550,000 modern eBooks that may be borrowed by anyone with a free archive.org account.


Sunday, September 17, 2017

I mentioned yesterday that this ‘problem’ could be true for most social media. Looks like I got one right for a change. Add Snapchat, Bing, Yahoo, and LinkedIn to the list.
All of the anti-Semitic, racist, and xenophobic ad-targeting options offered by Big Tech




Troy gives us a good (as in thoughtful) security summary.
Face ID, Touch ID, No ID, PINs and Pragmatic Security
I was wondering recently after poring through yet another data breach how many people actually use multi-step verification. I mean here we have a construct where even if the attacker has the victim's credentials, they're rendered useless once challenged for the authenticator code or SMS which is subsequently sent. I went out looking for figures and found the following on Dropbox:
"less than 1% of the Dropbox user base is taking advantage of the company’s two-factor authentication feature": http://krebsonsecurity.com/2016/06/dropbox-smeared-in-week-of-megabreaches/




Looks like I’ll need to brush up on my AI and Robotics skills to teach this class. Suppose they will pay me $200,000 to teach? (Me neither.)
Pittsburgh's self-driving car boom means $200,000 pay packages for robotics grads
There's a war for talent in Pittsburgh's booming autonomous car market.
It started with Uber and now includes Argo AI, which is majority owned by Ford, and a start-up called Aurora Innovation. With so much hiring, it's a good time to be at the city's prized academic institution, Carnegie Mellon University.
Andrew Moore, the dean of Carnegie Mellon's computer science school, said that computer vision graduates right out of college are commanding pay packages of $200,000, which he described as "unheard of for any role until recently."
In addition to Uber, Argo and Aurora, Moore said there's a fourth self-driving car company in Pittsburgh that's not yet talking publicly.


Saturday, September 16, 2017

“Release the scapegoats!”
Top Equifax Executives Announce Immediate Retirement After Massive Data Breach
Equifax says its chief information officer and chief security officer are leaving the company, following the enormous breach of 143 million Americans' personal information.
The credit data company said Friday that Susan Mauldin, who had been the top security officer, and David Webb, the chief technology officer, are retiring from Equifax immediately. Mauldin, a college music major, had come under media scrutiny for her qualifications in security. Equifax did not say in its statement what retirement packages the executives would receive.


(Related). Is it enough?
Two Equifax executives will retire following massive data breach
… At least two congressional hearings on the Equifax breach have been announced. The first scheduled panel will take place on Oct. 3, when Smith is expected to testify. A bipartisan group of 36 senators have asked the Justice Department and the U.S. Securities and Exchange Commission to investigate reports Equifax executives sold stock after learning about the breach but before it was made public. The Federal Trade Commission took the unusual step of announcing it is conducting a probe into the Equifax breach.
… Senate Minority Leader Charles E. Schumer (D-N.Y.) said on Thursday the company's chief executive and board of directors should step down unless they take five steps to correct their mishandling:
notify affected consumers;
provide free credit monitoring to them for at least 10 years;
offer to freeze their credit for up to 10 years;
remove forced arbitration clauses from their terms of use;
and comply with fines or new standards that come out of investigations.

“It’s only right that the CEO and board step down if they can’t reach this modicum of corporate decency by next week,” he said.


(Related). Scary, if true. I bet Equifax hopes this is “Fake News.”
Wow. Just wow.
Read this. Those suing Equifax are going to find a lot in that report that will undoubtedly be referenced in any complaint alleging negligence.
Update: I should have added to the above that I have no way of knowing if any of it is true or if it is all fabricated. But I can see where people are going to be citing this – unless it’s disproved.
[From the article:
I asked the hackers one last request before disconnecting. I asked, "How did you manage to get the passwords to some of the databases?" Surely the panels had really bad security but what about the other sections to them? Surely there was encrypted data stored within these large archives no? Yes. There was. But guess where they decided to keep the private keys? Embedded within the panels themselves. The picture above shows exactly that, all the keys stored nicely, alongside any sub companies to Equifax. All pwned.
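Whether or not that account holds up, the failure it describes is an ordinary and checkable one: private keys and database credentials sitting in the same deployable files as the code that uses them. As an added example, not from the article and not Equifax's tooling, here is a small Python scanner that walks a directory tree and reports PEM private-key blocks and quoted credential assignments, alongside the hardened pattern of naming a secret in config and injecting its value at runtime. The files it scans are constructed in a temporary directory; the placeholder key and passwords are obviously fake.

```python
"""Added example (not from the article and not Equifax's tooling): scan a
source/config tree for embedded private keys and hard-coded credentials, and
show the alternative of referencing secrets by name. Sample files are
constructed in a temp directory; nothing here is real key material."""
import os
import re
import tempfile
from typing import List, Tuple

# Signatures of material that should never sit in a deployable file.
PATTERNS = {
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)\b(?:private_key|secret_key|api_key|db_password|password)\b"
        r"\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}
SKIP_DIRS = {".git", "node_modules", "vendor"}
TEXT_EXT = {".php", ".py", ".yaml", ".yml", ".json", ".ini", ".cfg", ".md", ".pem"}

Finding = Tuple[str, int, str]  # (relative path, 1-based line, pattern name)

# Constructed sample tree: two leaky files, one hardened file, one clean file.
SAMPLE_FILES = {
    "panels/admin/config.php": (
        '<?php\n'
        '$db_host = "db.internal";\n'
        '$db_password = "Constructed-Example-Pa55word";  // credential in code\n'
        '$signing_key = <<<KEY\n'
        '-----BEGIN RSA PRIVATE KEY-----\n'
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n'
        '-----END RSA PRIVATE KEY-----\n'
        'KEY;\n'
    ),
    "panels/reporting/settings.yaml": (
        "database:\n"
        "  host: db.internal\n"
        '  password: "constructed-example-secret"\n'
    ),
    "panels/hardened/settings.yaml": (
        "database:\n"
        "  host: db.internal\n"
        "  password_env: DB_PASSWORD   # name only; value injected at runtime\n"
    ),
    "README.md": "Admin panels for the constructed example.\n",
}


def scan_text(rel_path: str, text: str) -> List[Finding]:
    """Apply every pattern to every line of one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((rel_path, line_no, name))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk root, skipping dependency/VCS dirs and non-text extensions."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            if os.path.splitext(fn)[1] not in TEXT_EXT:
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(rel, fh.read()))
    return sorted(findings)


def build_sample_tree() -> str:
    """Write SAMPLE_FILES under a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="keyscan-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def load_secret(env_name: str) -> str:
    """Hardened pattern: config names the secret, the value arrives from the
    environment (populated by a vault agent, KMS or orchestrator) and is never
    written beside the code. Fail closed if it is missing."""
    value = os.environ.get(env_name)
    if not value:
        raise RuntimeError(f"secret {env_name} was not provided to this process")
    return value


if __name__ == "__main__":
    for path, line_no, kind in scan_tree(build_sample_tree()):
        print(f"{path}:{line_no}: {kind}")
```

Run as a pre-commit or CI gate it catches the two leaky files and passes the hardened one, whose only occurrence of "password" is the name of an environment variable. The regexes are deliberately narrow so the output is reviewable; broaden them for your own stack, and remember a scanner finds the keys that are present today, not the ones already copied out by whoever read the panels first.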




Like the HBO breach? When you just can’t wait to find out what happens next?
Todd Spangler reports:
A notorious hacker group broke into the servers of music-streaming service Vevo, releasing more than 3 terabytes of internal documents and video content online — before removing them later Friday morning at Vevo’s request.
The purloined cache, posted by hacking and security collective OurMine, included videos, a batch of documents labeled “premieres,” as well as marketing info, international social-media documents, and other internal files, as first reported by tech site Gizmodo.
Read more on Variety.




Apple probably wouldn’t like it if I started calling this a “mugshot feature.”
Apple X’s Face ID Feature Places Spotlight on Facial Recognition Technology, Raising Numerous Mobile Privacy and Data Usage Issues
… One issue that I thought was particularly interesting, however, relates to the ability of apps residing on a phone to interact with facial captures. Unless disabled, Face ID could potentially be “always on,” ready to capture facial images to authenticate the unlocking of the phone, and possibly capturing facial images as the user interacts with the unlocked phone. So, clients have asked: Will the apps on the phone be able to access and use those facial captures?
Fascinating question! Imagine the applications. An app would be able to discern all kinds of new demographic information about users, and possibly gauge information about a person’s mood, location, age, and health. Moreover, could an app evaluate on a real-time basis a user’s emotional response to interactions with a particular app or web page?




Should we know who sells those white hoods to the KKK?
Google Appears to Allow Racist Ad Targeting Like Facebook, Says BuzzFeed
Google's advertising platform can be used to create ads targeting racist or bigoted people, according to a report from BuzzFeed News on Friday.
BuzzFeed put in its own keywords which were supplemented by keywords suggested by the Google platform, to create a targeted ad. The news comes a day after ProPublica reported that Facebook algorithms allowed ads targeting anti-semitic audiences.
Such test cases show that the same technology used to sell legitimate products and services can be turned to more nefarious purposes.


(Related). Gee. Maybe all Social Media does this.
Twitter Says It Fixed ‘Bug’ That Let Marketers Target People Who Use the N-Word
… The Daily Beast reported Friday that Twitter Ads returned 26.3 million users who may respond to the term “wetback,” 18.6 million to “Nazi,” and 14.5 million to “n**ger.”




Perspective. Could you tell from looking at the tweet or reading the story that it was machine generated?
It’s been a year since The Washington Post started using its homegrown artificial intelligence technology, Heliograf, to spit out around 300 short reports and alerts on the Rio Olympics. Since then, it’s used Heliograf to cover congressional and gubernatorial races on Election Day and D.C.-area high school football games, producing stories like this one and tweets like this:

… Media outlets using AI say it’s meant to enable journalists to do more high-value work, not take their jobs. The AP estimated that it’s freed up 20 percent of reporters’ time spent covering corporate earnings and that AI is also moving the needle on accuracy. “In the case of automated financial news coverage by AP, the error rate in the copy decreased even as the volume of the output increased more than tenfold,” said Francesco Marconi, AP’s strategy manager and AI co-lead.
… All this goes back to the ad-supported — and stressed — pageview model of journalism. Publishers need to get readers or other groups to pay to support their business models. “Right now, automated journalism is about producing volume. Ultimately, media companies will have to figure out how to go beyond the pageview,” said Seth Lewis, a journalism professor at the University of Oregon whose focuses include the rise of AI in media.
… Right now, the Post can count the stories and pageviews that Heliograf generated. Quantifying its impact on how much time it gives reporters to do other work and the value of that work is harder. It’s also hard to quantify how much engagement, ad revenue and subscriptions can be attributed to those robo-reported stories.




Backstory? A long tale of the FBI’s interest in messaging Apps. Interesting read…
The Crypto- Keepers




“Rudolph the Red Nosed Drone!”
All of the other aircraft
Used to laugh and call them names
They never let poor Rudolph
Join in any aircraft games
Then one day after Irma,
The FAA, the Air National Guard, Customs and Border Protection, insurance companies, and Florida Power and Light came to say,
Rudolph with your nose so bright,
Won't you guide my relief effort tonight

Drones playing critical role in hurricane relief efforts
Drones have been playing an “invaluable” role in Hurricane Irma relief efforts, the Federal Aviation Administration (FAA) said Friday.
After Florida and the Caribbean suffered widespread destruction from Irma’s winds and floodwaters, the FAA issued 132 airspace authorizations for drones to help with recovery and response efforts.
The Air National Guard, for example, is deploying drones that are normally used for combat operations to help perform aerial surveys, assess disaster-stricken areas quickly and decide which need the most assistance.
Customs and Border Protection is using unmanned aircraft systems to help map areas in Key West, Miami and Jacksonville and using radar to survey key geographic points on infrastructure.
In the private sector, commercial drone companies are helping provide clearer images of damaged homes to insurance companies so that they can more quickly act on claims.
And Florida Power and Light is using dozens of drone teams to help restore electricity and air conditioning in the area by sending out drones to survey parts of the state that are still not accessible by vehicles.