Wednesday, May 23, 2018
“Go ahead and lie. Who will they believe, us or a bunch of techies?”
FBI inflated encrypted device figures, misleading public
Contrary to what the FBI told the public, we now know that instead of 7,775 encrypted smartphones proving stumbling blocks to FBI criminal investigations, there are no more than 2,000.
… Wray called this a "major public safety issue", and used it to push a "responsible encryption" mantra – in other words, encryption backdoors.
The FBI denied ZDNet's request for information on these phones. The bureau said the information was exempt from disclosure, as the records "could reasonably be expected to interfere with enforcement proceedings."
Internally, though, the FBI knew it had miscounted the devices as of a month ago. The bureau still doesn't have an accurate count of how many encrypted phones it has from last year.
I guess we don’t want to “fall behind” China.
Amazon is selling police departments a real-time facial recognition system
The Verge: “Documents obtained by the ACLU of Northern California have shed new light on Rekognition, Amazon’s little-known facial recognition project. Rekognition is currently used by police in Orlando and Oregon’s Washington County, often using nondisclosure agreements to avoid public disclosure. The result is a powerful real-time facial recognition system that can tap into police body cameras and municipal surveillance systems. According to further reporting by The Washington Post, the Washington County Sheriff pays between $6 and $12 a month for access to Rekognition, which allows the department to scan mug shot photos against real-time footage. The most significant concerns are raised by the Orlando project, which is capable of running real-time facial recognition on a network of cameras throughout the city. The project was described by Rekognition project director Ranju Das at a recent AWS conference in Seoul…”
There are probably many, many “special circumstances.” No doubt some future AI will deal with them.
Google Under Fire For Revealing Rape Victims' Names
The company's been accused of displaying the names of rape victims through its Autocomplete and Related Search functions – even when the victims have been granted anonymity by the courts.
The problem is that both features use data gathered from previous searches to predict what information the user is looking for and make suggestions. If enough people know a victim's name and use it as one of their search terms, Google's algorithm will provide a helpful prompt to those that don't.
In the US, there's no legal prohibition on publishing the names of rape victims, although the media tend to avoid doing so. In many countries, however, it's against the law. And the UK's Times newspaper has uncovered several cases in which Autocomplete and Related Search have revealed the names of rape victims and others who have official anonymity.
(Related) Somehow, “send us your private porn so we can block your private porn” does not seem to be entirely satisfactory. Imagine the lawsuits if this database leaks!
People shouldn’t be able to share intimate images to hurt others
By Antigone Davis, Global Head of Safety
It’s demeaning and devastating when someone’s intimate images are shared without their permission, and we want to do everything we can to help victims of this abuse. We’re now partnering with safety organizations on a way for people to securely submit photos they fear will be shared without their consent, so we can block them from being uploaded to Facebook, Instagram and Messenger. This pilot program, starting in Australia, Canada, the UK and US, expands on existing tools for people to report this content to us if it’s already been shared.
Tuesday, May 22, 2018
No real chance that customers would win a lawsuit, so why spend money ensuring security?
Comcast website bug leaks Xfinity customer data
… The website, used by customers to set up their home internet and cable service, can be tricked into displaying the home address where the router is located, as well as the Wi-Fi name and password.
… The site returned the Wi-Fi name and password – in plaintext – used to connect to the network for one of the customers who uses an Xfinity router. The other customer was using his own router – and the site didn't return the Wi-Fi network name or password.
Retaliation is a step to all-out cyberwar.
Inside 'Project Indigo,' the quiet info-sharing program between banks and U.S. Cyber Command
A confidential information-sharing agreement between the Financial Services Information Sharing and Analysis Center (FS-ISAC) and U.S. Cyber Command reveals the blurring line between the country’s public and private sectors as the U.S. government becomes increasingly receptive to launching offensive hacking operations.
… The broad purpose of Project Indigo is to help inform U.S. Cyber Command about nation-state hacking aimed at banks. In practice, this intelligence is independently evaluated and, if appropriate, Cyber Command responds under its own unique authorities.
It’s possible that a bank could tip off the military about a cyberattack against the financial industry, prompting Cyber Command to react and take action. That could include providing unique insight back to FSARC or even taking offensive measures to disrupt the attacker — such as retaliatory hacking — if it’s appropriate and the Pentagon approves it, according to current and former U.S. officials.
Isn’t this what Hillary Clinton said about email servers? Good thing the President doesn’t email…
‘Too inconvenient’: Trump goes rogue on phone security
President Donald Trump uses a White House cellphone that isn’t equipped with sophisticated security features designed to shield his communications, according to two senior administration officials — a departure from the practice of his predecessors that potentially exposes him to hacking or surveillance.
The president, who relies on cellphones to reach his friends and millions of Twitter followers, has rebuffed staff efforts to strengthen security around his phone use, according to the administration officials.
… While aides have urged the president to swap out the Twitter phone on a monthly basis, Trump has resisted their entreaties, telling them it was “too inconvenient,” the same administration official said.
The president has gone as long as five months without having the phone checked by security experts. It is unclear how often Trump’s call-capable phones, which are essentially used as burner phones, are swapped out.
Told ya so!
Explaining Efail and Why It Isn’t the End of Email Privacy
Last week the PGPocalipse was all over the news… Except that, well, it wasn’t an apocalypse.
A team of researchers published a paper (PDF) where they describe how to decrypt a PGP encrypted email via a targeted attack. The research itself is pretty well documented and, from a security researcher perspective, it’s a good paper to read, especially the cryptography parts.
But we here at Hackaday were skeptical about media claims that Efail had broken PGP. Some media reports went as far as recommending everyone turn off PGP encryption on all email clients, but they weren’t able to back this recommendation up with firm reasoning. In fact, Efail isn’t an immediate threat for the vast majority of people simply because an attacker must already have access to an encrypted email to use the exploit. Advising everyone to disable encryption altogether just makes no sense.
Aside from the massive false alarm, Efail is a very interesting exploit to wrap your head around. Join me after the break as I walk through how it works, and what you can do to avoid it.
More than TSA on steroids, this is Big Brothering at its best. Any country could do this, including the US.
China's social credit system has blocked people from taking 11 million flights and 4 million train trips
China's social credit system has blocked people from taking 11.14 million flights and 4.25 million high-speed train trips.
The numbers, from the end of April, were included in a report by China's state-run news outlet Global Times, but it is unclear what offenses those targeted in the travel ban have committed.
The social credit system is actually a collection of blacklists, of which there are more than a dozen at the national level. Each list is based on similar offenses — such as misbehavior on planes and trains, or failing to abide by a court judgment — and determines the punishments people face, from throttling internet speeds to blocking loans.
Keeping up with the players in the intelligence game.
… the Directorate for Signals Intelligence, Japan’s version of the National Security Agency.
The directorate has a history that dates back to the 1950s; its role is to eavesdrop on communications. But its operations remain so highly classified that the Japanese government has disclosed little about its work – even the location of its headquarters. Most Japanese officials, except for a select few of the prime minister’s inner circle, are kept in the dark about the directorate’s activities, which are regulated by a limited legal framework and not subject to any independent oversight.
Now, a new investigation by the Japanese broadcaster NHK — produced in collaboration with The Intercept — reveals, for the first time, details about the inner workings of Japan’s opaque spy community. Based on classified documents and interviews with current and former officials familiar with the agency’s intelligence work, the investigation shines light on a previously undisclosed internet surveillance program and a spy hub in the south of Japan that is used to monitor phone calls and emails passing across communications satellites.
… while digital marketers are aware of the strict new regulatory regime, seemingly few have taken active steps to address how it will impact their day-to-day operations.
GDPR will force marketers to relinquish much of their dependence on behavioral data collection. Most critically, it will directly implicate several business practices that are core to current digital ad targeting. The stipulation that will perhaps cause most angst is the new formulation for collecting an individual’s consent to data gathering and processing; GDPR requires that consent be active (as opposed to passive) and represent a genuine and meaningful choice. Digital marketers know that users of internet-based services like Snapchat, Facebook, and Google technically provide consent by agreeing to these companies’ terms of service when they sign up. But does this constitute an active and genuine choice? Does it indicate that the user is willing to have her personal data harvested across the digital and physical worlds, on- and off-platform, and have that data used to create a behavioral profile for digital marketing purposes? Almost certifiably not.
Most GDPR emails unnecessary and some illegal, say experts
… Many companies, acting based on poor legal advice, a fear of fines of up to €20m (£17.5m) and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing.
… “Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR,” Vitale said. “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.
How Human-Computer ‘Superminds’ Are Redefining the Future of Work
The ongoing, and sometimes loud, debate about how many and what kinds of jobs smart machines will leave for humans to do in the future is missing a salient point: Just as the automation of human work in the past allowed people and machines to do many things that couldn’t be done before, groups of people and computers working together will be able to do many things in the future that neither can do alone now.
No doubt this is their strategy to entice kids to write rather than Tweet.
U.S. Postal Service announces first-ever scratch and sniff stamp with popsicle scent
… The U.S. Postal Service said Monday that it will issue its first-ever scratch-and-sniff stamps that will aim to evoke the sweet scent of summer. The 10 different stamp designs each feature a watercolor illustration of two different ice pops on a stick.
There will be one scent for all of the stamps and the secret smell will be unveiled when the Postal Service issues the stamps on June 20, according to U.S. Postal Service public relations representative Mark Saunders.
Monday, May 21, 2018
Are there devices that are not being used by the police?
Potential Spy Devices Which Track Cellphones, Intercept Calls Found All Over DC MD VA
NBC News4 I-Team – Washington, DC – “The technology can be as small as a suitcase, placed anywhere at any time, and it’s used to track cell phones and intercept calls. The News4 I-Team found dozens of potential spy devices while driving around Washington, D.C., Maryland and Northern Virginia. “While you might not be a target yourself, you may live next to someone who is. You could still get caught up,” said Aaron Turner, a leading mobile security expert. The device, sometimes referred to by the brand name StingRay, is designed to mimic a cell tower and can trick your phone into connecting to it instead. The News4 I-Team asked Turner to ride around the capital region with special software loaded onto three cell phones, with three different carriers, to detect the devices operating in various locations. “So when you see these red bars, those are very high-suspicion events,” said Turner. If you live in or near the District, your phone has probably been tracked at some point, he said. A recent report by the Department of Homeland Security called the spy devices a real and growing risk. And the I-Team found them in high-profile areas like outside the Trump International Hotel on Pennsylvania Avenue and while driving across the 14th Street bridge into Crystal City. The I-Team got picked up twice while driving along K Street — the corridor popular with lobbyists. “It looks like they don’t consider us to be interesting, so they’ve dropped us,” Turner remarked looking down at one of his phones. Every cellphone has a unique identifying number. The phone catcher technology can harness thousands of them at a time. DHS has warned rogue devices could prevent connected phones from making 911 calls, saying, “If this type of attack occurs during an emergency, it could prevent victims from receiving assistance.” “Absolutely. That’s a worry,” said D.C. Councilwoman Mary Cheh, adding that the spy technology should be a concern for all who live and work in the District. 
The I-Team’s test phones detected 40 potential locations where the spy devices could be operating, while driving around for just a few hours…”
I had not considered the benefits to this ‘industry.’
WaPo – Technology has made the repo man ruthlessly efficient
Washington Post – “Technology has made the repo man ruthlessly efficient, allowing this familiar angel of financial calamity to capitalize on a dark corner of the United States’ strong economy: the soaring number of people falling behind on their car payments.”
“…Derek Lewis works for Relentless Recovery, the largest repo company in Ohio and its busiest collector of license plate scans. Last year, the company repossessed more than 25,500 vehicles — including tractor trailers and riding lawn mowers. Business has more than doubled since 2014, the company said. Even with the rising deployment of remote engine cutoffs and GPS locators in cars, repo agencies remain dominant. Relentless scanned 28 million license plates last year, a demonstration of its recent, heavy push into technology. It now has more than 40 camera-equipped vehicles, mostly spotter cars. Agents are finding repos they never would have a few years ago. The company’s goal is to capture every plate in Ohio and use that information to reveal patterns… “It’s kind of scary, but it’s amazing,” said Alana Ferrante, chief executive of Relentless… Repo agents are responsible for the majority of the billions of license plate scans produced nationwide. But they don’t control the information. Most of that data is owned by Digital Recognition Network (DRN), a Fort Worth company that is the largest provider of license-plate-recognition systems. And DRN sells the information to insurance companies, private investigators — even other repo agents. DRN is a sister company to Vigilant Solutions, which provides the plate scans to law enforcement, including police and U.S. Immigration and Customs Enforcement. Both companies declined to respond to questions about their operations… For repo companies, one worry is whether they are producing information that others are monetizing…”
I wonder if I could integrate Fakey into my Computer Security class. (Probably, yes.)
3 new tools to study and counter online disinformation
Indiana University Bloomington: “Researchers at CNetS, IUNI, and the Indiana University Observatory on Social Media have launched upgrades to two tools playing a major role in countering the spread of misinformation online: Hoaxy and Botometer. A third tool Fakey — an educational game designed to make people smarter news consumers — also launches with the upgrades. Hoaxy is a search engine that shows users how stories from low-credibility sources spread on Twitter. Botometer is an app that assigns a score to Twitter users based on the likelihood that the account is automated. The two tools are now integrated so that one can easily detect when information is spreading virally, and who is responsible for its spread. Hoaxy and Botometer currently process hundreds of thousands of daily online queries. The technology has enabled researchers, including a team at IU, to study how information flows online in the presence of bots. Examples are a study on the cover of the March issue of Science that analyzed the spread of false news on Twitter and an analysis from the Pew Research Center in April that found that nearly two-thirds of the links to popular websites on Twitter are shared by automated accounts. Fakey is a web and mobile news literacy game that mixes news stories with false reports, clickbait headlines, conspiracy theories and “junk science.” Players earn points by “fact-checking” false information and liking or sharing accurate stories. The project, led by IU graduate student Mihai Avram, was created to help people develop responsible social media consumption habits. An Android app is available, and an iOS version will launch shortly…”
Soon, all chatbot speech will be indistinguishable from human speech.
Microsoft acquires conversational AI startup Semantic Machines to help bots sound more lifelike
Microsoft announced today that it has acquired Semantic Machines, a Berkeley-based startup that wants to solve one of the biggest challenges in conversational AI: making chatbots sound more human and less like, well, bots.
Perspective. What is a good number? How much do we spend to predict/prevent school shootings?
The Unknown Cost of America’s Counterterrorism Efforts
A Stimson Center working group released a study last week on the costs of America’s counterterrorism efforts, and it found about what you’d expect: nearly 17 years after 9/11, we still don’t know exactly how much we have spent, but it’s a ton. Over $2.8 trillion, at least. The staggering numbers grabbed headlines on Wednesday, as they should. With this struggle closing in on the two-decade mark, we need to have a frank accounting of the threats we face and how much spending is enough to keep Americans safe. But beyond the matter of raw dollars spent, the report raises deeper questions about what counts as counterterrorism and whether our funding matches our strategy.
… What at first glance might appear to be a bean counting exercise is anything but. At a deeper level, this is about our strategy and priorities in what we once aptly called the long war. For example, my working group colleague John Mueller sees the terrorist threat as dramatically less severe than I do, but he nonetheless makes strong points, grounded in economic analysis, to argue that we are overspending compared to the threat. In Mueller’s estimation, our counterterrorism efforts would need to have saved at least 250,000 lives to justify the expenditures we have made. These are direct costs only. Mueller goes further in arguing that the indirect economic costs of, for example, longer lines at airports and border crossings and increased security at high profile venues have cost us many billions more dollars.
Perspective. The latest infographic.
How Much Data Do We Create Every Day? The Mind-Blowing Stats Everyone Should Read
The amount of data we produce every day is truly mind boggling. There are 2.5 quintillion bytes of data created each day at our current pace, but that pace is only accelerating with the growth of the Internet of Things (IoT). Over the last two years alone 90 percent of the data in the world was generated.
(Related) and this is just the UK.
Public can now search UK government’s entire digital archive
BusinessCloud: “The British government’s entire online presence comprising billions of web pages has been indexed and digitally archived to the cloud for the first time. Manchester tech firm MirrorWeb has devised an all-new indexing to create an accessible, searchable and user-friendly resource for the public. The National Archives’ gigantic 120TB web archive encompasses billions of web pages – from every government department website and social media account – from 1996 to the present. It took MirrorWeb – named among our 101 Rising Stars of the UK Start-up Scene last year – just two weeks to transfer the data from 72 hard drives at The National Archives to internal hard drives before transferring and digitally archiving more than two decades of government internet history to the cloud. As part of a four-year contract, MirrorWeb was tasked with both moving the data to the cloud using Amazon Web Services as well as indexing it. Indexing the data meant that MirrorWeb had to write a complete replacement for the UK Government Web Archives’ previous search functionality. As a result, 1.4bn documents were indexed and are now accessible and searchable to researchers, students and the members of the public who need to use them, enabling them to view websites and social media content in their original form as well as search for content on specific topics. John Sheridan, digital director of The National Archives, said: “We are preserving 1,000 years of British history and a big part of that is preserving the digital record of government today…”
One must choose nicknames carefully…
Sunday, May 20, 2018
Hackers will read this looking for tips & tricks.
The Reconnaissance General Bureau, North Korea’s equivalent to the CIA, has trained up the world’s greatest bank-robbing crews. In just the past few years, RGB hackers have struck more than 100 banks and cryptocurrency exchanges around the world, pilfering more than $650 million. That we know of.
… These thieves also have one distinct advantage over other syndicates: They are absolutely confident that they’ll never be charged. So it goes when your own country sponsors your criminal mischief.
Interesting but inconclusive.
Germany Acts to Tame Facebook, Learning From Its Own History of Hate
… Spread over five floors, hundreds of men and women sit in rows of six scanning their computer screens. All have signed nondisclosure agreements. Four trauma specialists are at their disposal seven days a week.
They are the agents of Facebook. And they have the power to decide what is free speech and what is hate speech.
This is a deletion center, one of Facebook’s largest, with more than 1,200 content moderators. They are cleaning up content — from terrorist propaganda to Nazi symbols to child abuse — that violates the law or the company’s community standards.
This could be useful.
‘My Data Request’ lists guides to get data about you
GDPR is right around the corner, so it’s time to prepare your personal data requests. If you live in the European Union, tech companies have to comply with personal data requests after May 25th. And there’s a handy website that helps you do just that.
Some companies, such as Facebook, LinkedIn, Twitter, Google, Tinder and Snapchat have made that easy as they have created a page on their website to download a zip archive with all your personal data.
… For most companies (including Amazon), you’ll have to email them yourself. My Data Request has created handy email templates. You just have to copy the message, put your name and contact information and send the email. The email addresses are listed on My Data Request’s site too.
Perspective. Will Chatbots need to be customized for each industry/company? Possibly. Will I have to remember dozens of different names to get anything done? (Or will there be an App for that?)
Bank of America debuts its AI-powered assistant, Erica
Bank of America on Friday officially introduced Erica, an AI-powered virtual assistant for its 25 million mobile customers.
Erica, which Bank of America began rolling out to customers in March, can help people conduct banking via voice commands, text or with gestures from within the Bank of America app. She can currently help customers with a variety of tasks:
Searching for past transactions, such as checks written or shopping activity
Accessing key information, such as routing numbers or the closest ATM
Scheduling face-to-face meetings at a Bank of America financial center
Viewing bills and scheduling payments
Locking and unlocking debit cards
Transferring money between accounts or sending money to friends with Zelle
Saturday, May 19, 2018
Let this be a lesson to my Computer Security students.
Mark Satter reports:
The nation relies on teachers to educate our children and help them when they make mistakes. But when it comes to protecting students’ data, it is often the teachers and school staff who mistakenly let bad actors in to school computer systems, officials say.
In a hearing Thursday before the House Committee on Education and the Workforce, a panel of educators, privacy experts and U.S. Department of Education officials pointed to accidental online errors by school staff as the main threat to protecting school data.
In the state of Kentucky, which experienced more than 4 billion attempted attacks on the computer systems of K-12 services last year, the greatest number of data breaches were the result of staff who fell for email phishing scams, according to David Couch, CIO for the Kentucky Education Technology System (KETS) at the Kentucky Department of Education.
“By far the greatest vulnerability to our systems is internal staff who fall victim to phishing attempts,” Couch said during the hearing.
Read more on EdScoop.
(Related) Perhaps a class or two on Ethics?
Violet Ikonomova reports:
Leave it to kids in one of Michigan’s best school districts to have figured out how to hack the district’s grading system and (presumably) give themselves A’s.
A message posted to the Bloomfield Hills Schools website alerts parents that “a couple” students made “some poor choices lately,” hacking into the district’s student information system and manipulating their personal grades, attendance, and lunch balance information. The database houses all of the district’s student and family data, the notice says.
The students are in high school and modified the information of their own accounts and other high schoolers’, Bloomfield Hills Schools Superintendent Robert Glass says in a video message elsewhere on the website. A total of 20 students saw changes made in the form of improved grades, improved attendance, and reduced lunch balances.
Read more on Detroit Metro Times.
Aggregating data for resale.
200 Million Sets of Japanese PII Emerge on Underground Forums
A dataset allegedly containing 200 million unique sets of personally identifiable information (PII) exfiltrated from several popular Japanese website databases emerged on underground forums, FireEye reports.
Advertised by a Chinese threat actor at around $150, the dataset contained names, credentials, email addresses, dates of birth, phone numbers, and home addresses, and was initially spotted in December 2017.
The data appears sourced from a variety of Japanese websites, including those in the retail, food and beverage, financial, entertainment, and transportation sectors, and FireEye believes that the cybercriminals obtained it via opportunistic compromises.
“It’s cheaper (for the state) if you have no rights!”
Gavin Reinke of Alston & Bird writes:
The Georgia Court of Appeals recently reaffirmed its prior conclusion that there is no duty to safeguard personal information under Georgia law. In McConnell v. Ga. Dep’t of Labor, — S.E.2d —-, 2018 WL 2173252 (Ga. App. May 11, 2018), the Court of Appeals addressed whether a plaintiff whose social security number and other personal identifying information (“PII”) had allegedly been negligently disclosed by an employee of the Georgia Department of Labor stated a negligence claim in connection with the unauthorized disclosure.
In urging that the Court of Appeals should recognize such a duty, the plaintiff in McConnell relied on the Georgia Personal Identity Protection Act (the “GPIPA”). The plaintiff argued that the GPIPA supported recognizing a duty to safeguard PII because the statute reflects the General Assembly’s “intent to protect citizens from the adverse effects of disclosure of personal information and created a general duty to preserve and protect personal information.” McConnell, 2018 WL 2173252.
Read more on Privacy & Data Security Blog.
You have no ‘right to be forgotten.’
All of Mugshots.com’s alleged co-owners arrested on extortion charges
Two alleged owners of Mugshots.com—Sahar Sarid and Thomas Keesee—have been arrested in south Florida on a recently issued California warrant. The notorious website publishes mugshots and then demands payment for their removal.
… "This pay-for-removal scheme attempts to profit off of someone else's humiliation," said Attorney General Becerra in a statement. "Those who can't afford to pay into this scheme to have their information removed pay the price when they look for a job, housing, or try to build relationships with others. This is exploitation, plain and simple."
… The 29-page affidavit provides a lengthy explanation of what prosecutors call a "business permeated with fraud."
(Related) For all my students!
I sometimes think people don’t realize the amount of time and passion Joe Cadillic dedicates to informing you all of surveillance issues and online threats to our privacy. We’ll get back to that later in this post, but for now:
This week, one of the links he sent me to share with you all is a treasure.
Michael Bazzell writes:
Posted on May 15th, 2018
I received an email today from a reader of the latest edition of my privacy book Hiding from the Internet. In the book, I include an entire chapter of opt-out links for removing personal information from people-search, data-mining, marketing, and data broker websites. The reader asked if I maintained a digital version of the workbook with active hyperlinks for easy navigation. While I try to maintain a page for hyperlinks from the book, it did not quite replicate the workbook model that is in the official publication. Today, I am releasing the entire workbook in PDF format for free. I hope it helps the process of cleaning up unwanted online details. The direct link is below.
Computers and the Constitution.
EPIC has filed a “friend of the court” brief, joined by forty-four technical experts and legal scholars (members of the EPIC Advisory Board), in the OPM Data Breach case. The case concerns the data breach at the US Office of Personnel and Management in 2015 that affected 22 million federal employees, their friends, and family members. In the brief to the federal appeals court, EPIC said that “when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained.” In a 2011 case, NASA v. Nelson, EPIC urged the Supreme Court to limit data collection by federal agencies, citing the growing risk of data breach in the federal government.
Adding ‘touch’ to Tech. Hand holding for people not comfortable with e-commerce?
Walmart has quietly launched Jetblack, a ‘members-only’ personal shopping service for affluent city moms
Code Eight, a stealthy personal-shopping startup incubated inside of Walmart, has rebranded itself as Jetblack, Recode has learned.
In job listings, the service is described as a “members-only personal shopping and concierge service that combines the convenience of e-commerce with the customized attention of a personal assistant.”
Visitors to Jetblack.com are greeted by a landing page that says, “Nice work, you found us!”
“Jetblack is currently in beta in Manhattan,” the site says. It gives visitors an option to request early access.
A new Walmart subsidiary, called Code Eight, has recently started testing a personal shopping service for “busy NYC moms,” according to multiple sources, with the goal of letting them get product recommendations and make purchases simply through text messaging.
The target customer of Code Eight is described in an online job listing as a “high net worth urban consumer” — translation: A rich city dweller — certainly not the historical sweet spot for Walmart’s main business.
Household items are delivered for free within 24 hours; other purchases are delivered within two business days. Returns are picked up for free at a customer’s apartment building or house.
Friday, May 18, 2018
Here is how the pros do it. I wonder if anyone has recommended an App to President Trump?
North Korea-tied hackers used Google Play and Facebook to infect defectors
Researchers said a team of hackers tied to North Korea recently managed to get the Google Play market to host at least three Android apps designed to surreptitiously steal personal information from defectors of the isolated nation.
The three apps first appeared in the official Android marketplace in January and weren’t removed until March when Google was privately notified. That’s according to a blog post published Thursday by researchers from security company McAfee. Two apps masqueraded as security apps, and a third purported to provide information about food ingredients. Hidden functions caused them to steal device information and allow them to receive additional executable code that stole personal photos, contact lists, and text messages.
The apps were spread to selected individuals, in many cases by contacting them over Facebook. The apps had about 100 downloads when Google removed them. Nation-operated espionage campaigns frequently infect a small number of carefully selected targets and keep the number small in an attempt to remain undetected. Thursday’s report is the latest to document malicious apps that bypassed Google filters designed to keep bad wares out of the Play market.
… In January, McAfee reported finding malicious apps targeting North Korean journalists and defectors. Some of the Korean words found in the control servers weren’t used in South Korea but were used in North Korea. The researchers also found a North Korean IP address in a test log file of some Android devices that were connected to accounts used to spread the malware. McAfee said the developers didn’t appear to be connected to any previously known hacking groups. The researchers named the group Sun Team after finding a deleted folder called “sun Team Folder.”
Just one of the millions of tiny errors that hackers exploit.
Cell phone tracking firm exposed millions of Americans' real-time locations
… The company, LocationSmart, is a data aggregator and claims to have "direct connections" to cell carriers to obtain locations from nearby cell towers. The site had its own "try-before-you-buy" page that let you test the accuracy of its data. The page required explicit consent from the user before their location data could be used, obtained by sending a one-time text message to the user. When we tried with a colleague, we tracked his phone to a city block of his actual location.
But that website had a bug that allowed anyone to track someone's location silently without their permission.
"Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call.
"The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here."
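The failure mode Xiao describes, a consent step that sits in front of the lookup but is not enforced by the lookup itself, is a general one. The following is an added example, not LocationSmart's code and not a reconstruction of the actual bug: a toy location API whose consent check only exists as a flag the client sends (so the consent screen can be bypassed by calling the API directly), beside a version that records confirmed consent server-side and checks it at the point the location is returned. All phone numbers, locations, function names and the consent-expiry value are constructed for the demo.

```python
"""Added example (not LocationSmart's code): a location-lookup API whose
consent check lives only in the client-facing flow, beside a version that
enforces consent server-side. Sample data below is constructed."""
import hmac
import secrets
import time

# Constructed sample data: subscriber number -> coarse (city-block) location.
_CARRIER_DB = {
    "+15555550100": ("Pittsburgh, PA", 40.4443, -79.9436),
}

_CONSENT_TTL = 600   # seconds a confirmed consent stays valid (assumed value)
_pending = {}        # phone -> one-time code "texted" to the subscriber
_confirmed = {}      # phone -> expiry time of a confirmed consent


def send_consent_sms(phone):
    """Step 1: issue a one-time code and (in a real system) text it to the
    subscriber. It is returned here only so a caller can play that role."""
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[phone] = code
    return code


def confirm_consent(phone, code):
    """Step 2: the subscriber replies with the code. Consent is recorded on
    the server, and the code is single-use."""
    if not hmac.compare_digest(_pending.get(phone, ""), code):
        return False
    del _pending[phone]
    _confirmed[phone] = time.time() + _CONSENT_TTL
    return True


def lookup_vulnerable(phone, consented):
    """Vulnerable pattern: the API trusts a 'consented' value supplied by the
    client, so anyone who calls the endpoint directly can skip the consent
    screen and go straight to the location."""
    if not consented:
        return None
    return _CARRIER_DB.get(phone)


def lookup_hardened(phone):
    """Hardened pattern: the lookup consults the server-side consent record
    itself, so there is no code path that returns a location without a
    confirmed, unexpired consent."""
    expiry = _confirmed.get(phone)
    if expiry is None or expiry < time.time():
        return None
    return _CARRIER_DB.get(phone)


if __name__ == "__main__":
    number = "+15555550100"
    print("vulnerable, no consent ever given:", lookup_vulnerable(number, True))
    print("hardened, no consent:", lookup_hardened(number))
    code = send_consent_sms(number)
    confirm_consent(number, code)
    print("hardened, after consent:", lookup_hardened(number))
```

The point of the hardened version is where the check lives: consent state is something only the server writes, and the function that releases the location reads it directly, so there is nothing for a client to skip.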
It’s a start...
DHS Publishes New Cybersecurity Strategy
The U.S. Department of Homeland Security (DHS) this week published its long-delayed Cybersecurity Strategy. It had been mandated by Congress to deliver a strategy by March 2017, and did so on May 15, 2018.
The strategy is defined in a high-level document (PDF) of 35 pages. Its scope is to provide "the Department with a framework to execute our cybersecurity responsibilities during the next five years to keep pace with the evolving cyber risk landscape by reducing vulnerabilities and building resilience; countering malicious actors in cyberspace; responding to incidents; and making the cyber ecosystem more secure and resilient."
… Of necessity, however, the five pillars and seven goals are defined in very basic terms. They define objectives, sub-objectives and outcomes – but with little on methods. For example, goal #1 (the risk identification pillar) is to assess evolving cybersecurity risks. This will be achieved by working with "stakeholders, including sector-specific agencies, nonfederal cybersecurity firms, and other federal and nonfederal entities, to gain an adequate understanding of the national cybersecurity risk posture, analyze evolving interdependencies and systemic risk, and assess changing techniques of malicious actors."
However, nobody was able to predict, detect or prevent Russian meddling in the 2016 presidential election, nor the WannaCry and NotPetya outbreaks. The implication is that something new and beyond just increased interagency cooperation needs to be done to achieve genuine risk identification.
Another failed IT project?
US federal immigration officials have abandoned pursuit of a controversial machine-learning technology to help with "extreme vetting" of foreign visitors
Sort of a multi-generational Big Brother to guide the entire human race. You can’t say they don’t think big.
Google's Hypothetical 'Selfish Ledger' Imagines Collecting All Your Data to Push You to Change Society
A couple of years ago, Alphabet’s X “moonshot factory” conjured up a concept that describes how total and absolute data collection could be used to shape the decisions you make. And now a video about that concept has leaked online.
The video was obtained and published on Thursday by The Verge. It describes a so-called “Selfish Ledger” that would collect all of your data, including actions you make on your phone, preference settings, and decisions you make, and not just keep it there for future evaluation. Instead, the ledger, which would be designed and managed by Google, would interpret that information and guide you down a path towards reaching a goal, or on a broader scale, doing your part to help solve poverty or other societal problems.
20 years of the Laws of Cyberspace
20 years of the Laws of Cyberspace – Harvard’s Berkman Klein event celebrates how Lawrence Lessig’s groundbreaking paper provided structure to the Center’s field of study.
What if an architecture emerges that permits constant monitoring; an architecture that facilitates the constant tracking of behavior and movement. What if an architecture emerged that would costlessly collect data about individuals, about their behavior, about who they wanted to become. And what if the architecture could do that invisibly, without interfering with an individual’s daily life at all? … This architecture is the world that the net is becoming. This is the picture of control it is growing into. As in real space, we will have passports in cyberspace. As in real space, these passports can be used to track our behavior. But in cyberspace, unlike real space, this monitoring, this tracking, this control of behavior, will all be much less expensive. This control will occur in the background, effectively and invisibly. -Lawrence Lessig, “The Laws of Cyberspace,” 1998
My cousin, the crook?
DNA Data From 100 Crime Scenes Has Been Uploaded To A Genealogy Website — Just Like The Golden State Killer
The remarkable sleuthing method that tracked down the Golden State Killer was not a one-off. A company in Virginia is now working with several law enforcement agencies to solve cases using the same “genetic genealogy” approach that led investigators in California to arrest Joseph James DeAngelo.
The company, Parabon NanoLabs, has already loaded DNA data from about 100 crime scenes into a public genealogy database called GEDmatch. And in about 20 of these cases, the company says, it has found matches with people estimated to be the suspect’s third cousins or even closer relatives.
“We were actually pretty surprised,” Ellen Greytak, Parabon’s director of bioinformatics, told BuzzFeed News. With those known genetic connections, she said, investigators have a good chance of using genealogical research to draw family trees and identify possible suspects. Some arrests could come quickly, she suggested. “I think there is going to be press around this very soon.”
… At Microsoft, Horvitz helped establish an internal ethics board in 2016 to help the company navigate potentially tricky spots with its own AI technology. The group is cosponsored by Microsoft’s president and most senior lawyer, Brad Smith. It has prompted the company to refuse business from corporate customers, and to attach conditions to some deals limiting the use of its technology.
Horvitz declined to provide details of those incidents, saying only that they typically involved companies asking Microsoft to build custom AI projects. The group has also trained Microsoft sales teams on applications of AI the company is wary of.
Google … promised that it would require a new, hyperrealistic form of its voice assistant to identify itself as a bot when speaking with humans on the phone. The pledge came two days after CEO Sundar Pichai played impressive—and to some troubling—audio clips in which the experimental software made restaurant reservations with unsuspecting staff.
What Google isn't telling us about its AI demo
… Axios asked Google for the name of the hair salon or restaurant, in order to verify both that the businesses exist and that the calls were not pre-planned. We also said that we'd guarantee, in writing, not to publicly identify either establishment (so as to prevent them from receiving unwanted attention).
A longtime Google spokeswoman declined to provide either name.
We also asked if either call was edited, even perhaps just cutting the second or two when the business identifies itself. And, if so, were there other edits? The spokeswoman declined comment, but said she'd check and get back to us. She didn't.
Perspective. But all the political journalists do.
Very Few Voters Actually Read Trump’s Tweets
… since politicians are known for boring, repetitive, long-winded speeches, what could be a better political platform than one that literally forbids using more than 280 characters at a time? Twitter seems good for Trump, too: As his allies often say, it gives the president a way to speak directly to the American electorate, getting around the media’s filter. Trump’s Twitter account is followed by 52 million people, not that far off from the nearly 63 million who voted for him in 2016.
But some data released this week should give Trump and his supporters pause about the power of his Twitter account in directly reaching American voters — and push the media to think carefully about its coverage of Trump’s tweets. Only 8 percent of U.S. adults say they follow Trump’s Twitter account (@realDonaldTrump), and only 4 percent say they follow his account and regularly read the president’s tweets, according to a new Gallup poll.
Zillman makes large and useful collections. Always worth a careful read!
New on LLRX – 2018 New Economy Resources and Tools
Via LLRX.com – 2018 New Economy Resources and Tools – This guide by Marcus Zillman provides researchers in multiple disciplines – law, economics, academia, government, corporate, and journalism – the latest, most reliable web resources for discovering sources to meet the multifaceted needs of time sensitive, specific, actionable work product. The global economic landscape is rapidly changing as transparency, big data and the ability to access data from new and now accessible databases are increasingly available through portals and sites around the world. Understanding how to locate and leverage new economy analytics, resources and alerts will provide you with key tools and techniques to expand access to requisite knowledge that you can apply daily in your work place.
Could be handy for my researchers…
Thursday, May 17, 2018
If a hacker hacks another hacker, is that like “the enemy of my enemy is my friend?”
Joseph Cox reports:
Last week, Motherboard reported that a vigilante hacker had stolen data from a hacking group that researchers say is a government-linked cyberespionage unit. The data included GPS locations, text messages, and phone calls that the group had taken from their own victims. Now, that hacker has seemingly published the stolen data online for anyone to download.
Read more on Motherboard.
Could make for an interesting discussion in my Software Architecture class.
A global interpretation of US v Microsoft? “If you want access to our data, we want access to your data.” Whose laws must I obey?
Digital Free for All Part Deux: European Commission Proposal on E-Evidence
The European Commission has released a proposal to enable EU-member states’ law enforcement authorities to access digital information regardless of where that data is stored. It shares several of the practical and human rights problems as the similar piece of U.S. legislation known as the CLOUD Act, as well raising fresh concerns of its own.
The proposal, labelled “E-evidence – cross-border access to electronic evidence” is now heading to the European Parliament and Council for debate. The EU institutions should review this measure closely before amplifying the errors of the CLOUD Act and raising new problems for cross-border access to electronic evidence. Left unchanged, the Commission proposal will make a difficult situation worse.
What Does the Proposal Mean for Digital Rights?
There will be a lot to debate in the Commission’s proposal as it winds through the EU legislative process. However, two initial areas of concern should be addressed swiftly by EU institutions. First is the fact that this proposal could usher in a paradigm shift in the system of cross-border access to data in criminal investigations, risking a digital free for all and eliminating critical junctures for judicial review of law enforcement requests for data. The second concern centers around the proposal’s failure to adequately safeguard human rights. We at EPIC pointed to precisely these risks in our amicus brief in the now mooted United States v. Microsoft case concerning U.S. law enforcement access to data stored in Ireland.
Not quite tossing the baby with the bathwater, but then this is only one example.
Deleted WHOIS Data: An Unintended Consequence of GDPR
… As security professionals, next week we can expect to see another example of an unintended consequence when the General Data Protection Regulation (GDPR) goes into effect. There are actually a few unintended consequences from these new regulations, but one of the most concerning is the upcoming response that domain registrars are discussing through the global body the Internet Corporation for Assigned Names and Numbers (ICANN). As the name suggests, ICANN is responsible for maintaining the rules for WHOIS data – essentially, a telephone directory-like structure that contains detailed information on who signed up for a specific Internet domain, including their name, address, email address and telephone number. Such data is subject to the GDPR’s privacy requirements for protection. As a result, under current proposals, many of the businesses that register domains will remove key elements of information from the system. In effect, on May 25 the system will “go dark” until alternative preparations are made, which ICANN representatives expect won’t start being implemented until December 2018.
… Without access to this critical resource, combatting criminal behavior on the Internet becomes much more difficult. To make matters worse, during the intervening months before an alternative solution for GDPR-compliant access is available, attackers will be able to exploit this new-found anonymity to their advantage. We may see an uptick in spam and, more generally, in criminal activity. As we alter our methods for data handling, we could be exposing the very individuals we are striving to protect, to additional risk.
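For anyone whose tooling keys on WHOIS registrant fields, the practical question after May 25 is which of those fields still carry data. Below is an added example, not from the article and not any registrar's code: a small parser for the "Key: value" layout of a WHOIS response, plus a check that reports which registrant contact fields remain usable. Both sample records are constructed, and the redaction placeholder strings and the `REDACTION_MARKERS` list are assumptions about how masked fields may look, not quotes of any registrar's actual output.

```python
"""Added example (not from the article): parse a WHOIS response and report
which registrant contact fields still hold usable data. Sample records are
constructed; redaction wording is an assumption, not a registrar's output."""
import re

CONTACT_FIELDS = ("Registrant Name", "Registrant Organization",
                  "Registrant Email", "Registrant Phone")

# Assumed marker strings; extend as real registrar output is observed.
REDACTION_MARKERS = ("REDACTED", "DATA PROTECTED", "NOT DISCLOSED",
                     "QUERY THE RDDS")

# Constructed record as WHOIS looked before redaction.
FULL_RECORD = """\
Domain Name: EXAMPLE-SHOP.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2018-05-01T00:00:00Z
Registrant Name: Jane Doe
Registrant Organization: Example Shop LLC
Registrant Email: jane@example-shop.test
Registrant Phone: +1.5555550123
"""

# Constructed record with registrant contact fields masked.
REDACTED_RECORD = """\
Domain Name: EXAMPLE-SHOP.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2018-05-01T00:00:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Registrant Phone: REDACTED FOR PRIVACY
"""

# Key is letters, spaces and slashes up to the first colon; the value may
# itself contain colons (timestamps), so the key match is non-greedy.
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict. WHOIS output often repeats keys
    (e.g. several Name Server lines); the first occurrence is kept."""
    record = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) not in record:
            record[m.group(1)] = m.group(2)
    return record


def is_redacted(value):
    """A field counts as redacted when it is empty or carries one of the
    assumed marker strings (case-insensitive)."""
    if not value:
        return True
    upper = value.upper()
    return any(marker in upper for marker in REDACTION_MARKERS)


def usable_contacts(text):
    """Return only the registrant contact fields that still hold real data."""
    record = parse_whois(text)
    return {field: record[field] for field in CONTACT_FIELDS
            if field in record and not is_redacted(record[field])}


if __name__ == "__main__":
    print("before:", usable_contacts(FULL_RECORD))
    print("after: ", usable_contacts(REDACTED_RECORD))
```

The marker list is deliberately a heuristic: treat a non-empty result as "probably usable" and an empty one as "fall back to the registrar's abuse contact or a different pivot", rather than as a definitive answer.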
I wonder what information Google gathers from this?
Google Offers Free DDoS Protection for U.S. Political Organizations
Jigsaw, an incubator run by Google parent Alphabet, this week announced the availability of Project Shield – which offers free distributed denial of service (DDoS) protections – for the U.S. political community.
Opened in February 2016 to independent, under-resourced news sites, Project Shield helps protect free speech by fending off crippling DDoS assaults.
… In March last year, Google and Jigsaw announced a partnership to offer Protect Your Election, tools that would help news organizations, human rights groups, and election monitoring sites fend off not only DDoS assaults, but also phishing and account takeover attempts.
This week, Jigsaw revealed that Project Shield is now available for free to “U.S. political organizations registered with the appropriate electoral authorities, including candidates, campaigns, section 527 organizations, and political action committees.”
Is the system smart enough to recognize that the plate does not match the car?
Law enforcement can identify your vehicle by make, model, year, color, features via new software
News release: “Leonardo’s ELSAG ALPR solutions are used by nearly 4,000 customers in over 25 countries by local, state, and federal law enforcement agencies. Leonardo will introduce two new Automatic License Plate Recognition (ALPR) solutions at the 2018 IACP Technology Conference on May 21-23 in Providence, Rhode Island. The ELSAG MTC and ECSS will be on display during the conference… After years of research and development, Leonardo is proud to introduce Make, Type and Color Recognition feature called ELSAG MTC to their ELSAG Enterprise Operation Center (EOC). Using advanced computer vision software, ELSAG ALPR data can now be processed to include the vehicle’s make, type – sedan, SUV, hatchback, pickup, minivan, van, box truck – and general colour – red, blue, green, white and yellow. The solution actively recognizes the 34 most common vehicle brands on U.S. roads.” [emphasis added]
Virtual digital assistants to overtake world population by 2021
Ovum: “Globally, the native digital assistant installed base is set to exceed 7.5 billion active devices by 2021, which is more than the world population according to the US Census Bureau on May 1, 2017. But fear not – Skynet, from the popular Terminator movies, does not feature among the leading digital assistants. Instead, Google Assistant will dominate the voice AI–capable device market with 23.3% market share, followed by Samsung’s Bixby (14.5%), Apple’s Siri (13.1%), Amazon’s Alexa (3.9%), and Microsoft’s Cortana (2.3%). Ovum’s Digital Assistant and Voice AI–Capable Device Forecast: 2016–21 found that smartphones and tablets clearly lead the voice AI–capable device market, with 3.5 billion active devices in 2016, most of which use Google Now and Apple Siri. However, the use of AI in conjunction with other devices greatly increases consumer engagement and is set to unlock new opportunities, particularly in the home. Ovum expects an exponential uptake of voice AI capabilities among new devices, including wearable, smart home, and TV devices, with a combined installed base of 1.63 billion active devices in 2021, a tenfold increase on 2016. Despite all the hype that surrounds AI-capable connected speakers, TV devices (i.e. smart TVs, set-top boxes, and media streamers) offer a larger opportunity, accounting for 57% of that installed base in 2021…”
(Related). If Alexa starts talking to itself in eight voices, can it order itself to ‘kill the humans?’
Alexa developers get 8 free voices to use in skills, courtesy of Amazon Polly
Now Alexa’s voice apps don’t have to sound like Alexa. Amazon today is offering a way for developers to give their voice apps a unique character with the launch of eight free voices to use in skills, courtesy of the Amazon Polly service. The voices are only available in U.S. English, and include a mix of both male and female, according to Amazon Polly’s website.
… To use an Amazon Polly voice instead, developers would use Speech Synthesis Markup Language (SSML) and then specify which voice they want with the name attribute of the “voice” tag. This makes it easier to adjust what is said, as developers could just change the text instead of having to re-record an mp3.
Different cultures. Contrast with the NY subway system.
Japanese train firm apologises for leaving 25 seconds early
A Japanese rail company has apologised for one of its trains leaving a station 25 seconds early, calling the incident a great inconvenience to customers that was truly inexcusable. What is more concerning to the Japanese is that this is not the first time this has happened with West Japan Railways, also known as JR West, in recent months: in November, a train left 20 seconds early. The train pulled away from the Notogawa Station platform at the 35th second of 7:11 a.m. instead of the scheduled 7:12 a.m. after the conductor allegedly saw nobody on the platform and figured that nobody would be affected by the 25-second difference. However, one of the stranded passengers escalated their complaint to headquarters.
My students seem eager to get rid of their textbooks…
BookScouter helps you sell textbooks and used books for the most money by comparing offers from over 35 book buyback vendors with a single search.