Wednesday, November 22, 2017

Probably not the best way to handle a breach. Would you trust hackers to delete the data and never use it? Pinky promise?
Uber Paid Hackers to Delete Stolen Data on 57 Million People
Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.
At the time of the incident, Uber was negotiating with U.S. regulators investigating separate claims of privacy violations. Uber now says it had a legal obligation to report the hack to regulators and to drivers whose license numbers were taken. Instead, the company paid hackers to delete the data and keep the breach quiet. Uber said it believes the information was never used but declined to disclose the identities of the attackers.

(Related) As inevitable as night follows the day.
New York attorney general launches investigation of Uber’s $100,000 hack cover-up

The sage (unfortunately) continues.
House Committees Get Serious in New Letter to Equifax
The chairpersons of the House Science, Space, and Technology Committee and the House Oversight and Government Reform Committee on Monday sent a new letter (PDF) to Paulino Barros, the interim CEO of Equifax.
The former committee's jurisdiction includes the standards of use for securing personally identifiable information (PII), while the latter committee's jurisdiction covers how data breaches impact the federal workforce and national security. Both are investigating the loss of PII on 145 million Americans announced by Equifax on September 7, 2017.
This is not the first letter to Equifax by chairpersons Lamar Smith (R-Texas) and Trey Gowdy (R-S.C.). They also wrote (PDF) on September 14, 2017 requesting 'all documents' relevant to five specific areas; such as "to and from members of Equifax's corporate leadership", and "relating to the NIST Framework or other cybersecurity standards used by Equifax." That first letter specified no later than September 28, 2017.
It would seem that Equifax has not yet, or at least not yet satisfactorily, fulfilled this first request almost eight weeks after the deadline. "We look forward to Equifax providing all documents in response to the five categories of requested materials in the September 14 request, as well as the requests that were made at subsequent Committee briefings." It adds that the Committees expect to make additional requests in the future.
In the meantime, however, it is clear the committees are beginning to get to grips with the details of both Equifax and the breach. While the first letter requested 'areas' of documents, the second letter is far more specific. For example, it asks for documentation that would allow the identification "of any and all individuals in an executive leadership role", and those who received the DHS email alert "regarding Apache Struts 2".

Actually, he has a few ideas, but it might be amusing to ask my students to prioritize what Congress should hear.
I'm Testifying in Front of Congress in Washington DC about Data Breaches - What Should I Say?
There's a title I never expected to write! But it's exactly what it sounds like and on Thursday next week, I'll be up in front of US congress on the other side of the world testifying about the impact of data breaches. It's an amazing opportunity to influence decision makers at the highest levels of government and frankly, I don't want to stuff it up which is why I'm asking the question - what should I say?

For my Computer Security students.
Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources
CRS Reports & Analysis – Cybersecurity: Cybercrime and National Security Authoritative Reports and Resources. November 14, 2017 (R44408): “As online attacks grow in volume and sophistication, the United States is expanding its cybersecurity efforts. Cybercriminals continue to develop new ways to ensnare victims, whereas nation-state hackers compromise companies, government agencies, and businesses to create espionage networks and steal information. Threats come from both criminals and hostile countries, especially China, Russia, Iran, and North Korea. Much is written on this topic, and this CRS report directs the reader to authoritative sources that address many of the most prominent issues. The annotated descriptions of these sources are listed in reverse chronological order, with an emphasis on material published in the past several years. This report includes resources and studies from government agencies (federal, state, local, and international), think tanks, academic institutions, news organizations, and other sources…”

Google wants to do what Russia did, but Russia denies it ever did what Google says it did, so Google should have just done it and denied it did.
The ominous cloud of doom surrounding the ongoing U.S. investigations into alleged Russian interference in the 2016 federal elections got a little darker on Tuesday, with Russian state communications agency Roskomnadzor allegedly threatening retaliation against Google for suggesting it could lower government-funded outlets RT and Sputnik in search rankings.

Imagine if someone on that list walked into a church in Texas and started shooting people…
Colorado VA Kept Secret List Of Patients Who Wanted Mental-Health Care
A new federal investigation revealed Thursday that VA officials in Colorado broke agency rules by using an off-the-books system to track patients who wanted mental-health therapy — a violation that caused veterans to wait for care and one that recalls past abuses by the U.S. Department of Veterans Affairs.
Investigators with the VA’s internal watchdog found that in three separate facilities — Denver, Golden and Colorado Springs — agency officials did not follow proper protocol when keeping tabs on patients who sought referrals for treatment of conditions such as post-traumatic stress disorder.
The practice hindered proper oversight and made it possible for Colorado veterans to fall through the cracks, wrote officials with the VA Office of Inspector General, which examined care at the facilities between October 2015 and September 2016.

Perspective. “They may look fake to you, but they look Okay to me.”
New York attorney general says the FCC won’t help investigate fake net neutrality comments
New York Attorney General Eric Schneiderman revealed today that his office has been investigating a flood of spam FCC comments that impersonated real people, and criticized the FCC for withholding useful information. In an open letter addressing FCC chairman Ajit Pai, Schneiderman writes that his office has spent six months investigating who submitted hundreds of thousands of identical anti-net neutrality comments under the names and addresses of unwitting Americans. But he says that the FCC has ignored multiple requests for logs and records, offering “no substantive response.”

How Amazon, Apple, Facebook and Google manipulate our emotions

For my students and the Boards of Directors of Uber, Equifax, Wells Fargo, etc.
More than 50 tech ethics courses, with links to syllabi
There has never been a more urgent moment to merge ethics and technology: this shared spreadsheet of 57 (and counting) university courses on ethics and tech includes links to syllabi, moderated by Colorado University information science assistant prof Casey Fiesler, who runs The Internet Rules Lab (hey, grad students, she's hiring!)

Tuesday, November 21, 2017

Harvard seems to agree with me, my Computer Security students will be amazed or amused.
… In analyzing the top breaches over the past few years, it is clear that executives make a set of common mistakes, which is surprising given that so many companies, often led by otherwise effective leaders, fail to learn from the botched responses and mishandled situations of the companies that were breached before them.
Here are the missteps executives make time and again, and advice for avoiding these pitfalls:
Foot dragging
Poor customer service
Not being transparent
Failing to accept accountability

Suggests to me that it is possible to secure data and processes in the cloud.
Amazon launches new cloud storage service for U.S. spy agencies
Amazon’s cloud storage unit announced Monday that it is releasing a new service called the Amazon Web Services Secret Region, a cloud storage service designed to handle classified information for U.S. spy agencies.
The service will be provided to the intelligence community through an existing $600 million contract with U.S. intelligence agencies, which has made Amazon a dominant player in federal IT contracting.
… The announcement comes at a time when Amazon’s business and government customers are under intense scrutiny over whether they are storing data securely in the cloud. Amazon’s cloud-based folders – referred to as “buckets” – have been at the center of several high-profile security incidents in recent months, in which customers inadvertently left sensitive information on an Amazon server in an unprotected format.

Looking forward.
Trends in Technology and Digital Security
“Foreword – On September 14, 2017, the George Washington University Center for Cyber & Homeland Security (CCHS) convened a Symposium on Trends in Technology and Digital Security. Four panels addressed emerging threats and their implications for security policy, with a focus on digital infrastructure protection and anticipatory analysis. In addition, a featured speaker from abroad presented a country-specific case study. In a series of Issue Briefs, compiled herein, CCHS shares the findings and recommendations that emerged from the Symposium, primarily on a not-for-attribution basis. The subject and title of each Brief is as follows:
  • Methods of Analysis and the Utility of New Tools for Threat Forecasting
  • Artificial Intelligence for Cybersecurity: Technological and Ethical Implications
  • Space, Satellites, and Critical Infrastructure
  • Cybersecurity in the Financial Services Sector
  • Israel: The Making of a Cyber Power (Case Study)
This volume is produced in and reflective of the spirit of CCHS’s work, which is to address advanced technologies and emerging (“next generation”) cyber threats, from the standpoint of U.S. policy. CCHS functions as a network of networks, acting as a hub for upcoming companies, emerging technologists, and cutting-edge public policy.”

Note: this is no help in securing the election. Voting machines and the counting process are a whole other thing.
Belfer Center Cybersecurity Campaign Playbook
This Cybersecurity Campaign Playbook was written by a bipartisan team of experts in cybersecurity, politics, and law to provide simple, actionable ways of countering the growing cyber threat. Cyber adversaries don’t discriminate. Campaigns at all levels – not just presidential campaigns – have been hacked. You should assume you are a target. While the recommendations in this playbook apply universally, it is primarily intended for campaigns that don’t have the resources to hire professional cybersecurity staff. We offer basic building blocks to a cybersecurity risk mitigation strategy that people without technical training can implement (although we include some things which will require the help of an IT professional). These are baseline recommendations, not a comprehensive reference to achieve the highest level of security possible. We encourage all campaigns to enlist professional input from credentialed IT and cybersecurity professionals whenever possible…”

So you can’t be someone different (have a public persona) online? Ask yourself: How can they do this? What tools will they use?
Tyler Durden writes:
In perhaps the most intrusive move of social media platforms’ efforts signal as much virtue as possible and appease their potentially-regulating government overlords, Twitter has announced that it is cracking down on what it defines at hate-speech and not just by looking at its own site.
In what amounts to a major shift in Twitter policy, Mashable’s Kerry Flynn reports that the company announced on Friday that it will be monitoring user’s behavior “on and off the platform” and will suspend a user’s account if they affiliate with violent organizations, according to an update to Twitter’s Help Center on Friday.
Read more on ZeroHedge.

Basic economics, right?
Mexican heroin is flooding the US, and the Sinaloa cartel is steering the flow
… Mexican cartels' shift to producing heroin — as well as synthetic drugs like fentanyl — has been driven in part by loosening marijuana laws in the US, and the Sinaloa cartel appears to be the main player in a lucrative market.
… the value of marijuana had fallen considerably — from about $74 a kilo seven years ago to a little over $26 now — due to marijuana legalization in the US. Falling prices led many marijuana growers to shift to opium.

Better emails? Why not!
Have you made email work for you? Do you spend the time and effort to make emails look perfect and professional? There’s an art to it, but it’s not that difficult. Your reward will the response from the person you want an answer from.
...Email templates are freely available on the web. Borrow them and tweak them to your situation.
ProEmailwriter gives you a neat interface to select the right kind of email template and use them in your email. The dropdown menu gives you choices for Topic, Sub-Topic, and Tone. Copy the one you need and customize it to your situation.

For my students who read…
This Chrome Extension Helps You Find Books to Borrow
Library Extension is a free Chrome extension that will show you local library listings for the books that you viewing on Amazon, Google Books, Barnes & Noble, and other popular book retailer websites.
Library Extension currently shows listings from more than 4,000 public library databases in the United States, Canada, UK, New Zealand and Australia.
… One drawback to the extension is that you can only view results from one local library at a time.

Monday, November 20, 2017

Why wait two weeks? The phones are likely not important to the investigation?
Authorities serve Apple a warrant for Texas shooter’s iPhone
Two weeks ago today, 26 people were killed by a gunman at First Baptist Church in Sutherland Springs, Texas. Two phones were discovered at the scene: older push-button LG and what local news described as a “blood spattered” Apple iPhone SE. Now local law enforcement has served Apple with a search warrant in order to retrieve information from the smartphone.
… The Tuesday following the murders, the FBI held a press conference noting the existence of one of two phones, without revealing the make, as it didn’t want to “tell every bad guy out there what phone to buy.”
As reported by The Washington Post, the mystery handset was indeed an iPhone. Apple reached out to law enforcement after the press conference, offering technical assistance in getting onto the device. The company, it seems, could have provided help early on, without much legal wrangling or more software controversial backdoors.

I think this is a really bad idea unless you are highly trained and have some good lawyers on staff. On the other hand, it would open things up for my Ethical Hackers…
For years now, there has been a discussion surrounding the feasibility of active cyber defense, and allowing private entities or individuals to “hack back” against hostile cyber activity, but there has not been a major push in Congress to explicitly authorize such activity, or to propose changes or exceptions under the current legal and statutory framework that would enable it. But a proposal by Representatives Tom Graves (R-GA), Kyrsten Sinema (D-AZ), titled the Active Cyber Defense Certainty Act (ACDC) (H.R. 4036), is starting to change the conversation. The new draft legislation provides an exception to liability under the Computer Fraud and Abuse Act (CFAA) and, in essence, would authorize individuals or organizations to go into networks outside of their own to gather intelligence on hackers for attributional purposes. To date, the proposal has undergone at least three rounds of public scrutiny, after which, to the great credit of Graves’ office, the draft language has been updated, and it now takes into account some legitimate concerns and criticisms. Some of these critiques should be examined carefully, from both a policy and legal perspective, as the bill makes its way through committee.

It’s about time! (Welcome to the 1980s?)
Rising to the risk: Cybersecurity top concern of corporate counsel
“Risk management is not just a compliance exercise but an opportunity to gain a competitive advantage. More than ever, legal departments are playing a significant role in managing risk and monitoring its effectiveness, especially in the critical area of cybersecurity. Grant Thornton and Corporate Counsel magazine recently surveyed over 190 corporate general counsel to assess their views on the keys to business growth. The topics ranged from regulatory risk management and risk assessments to cybersecurity and data analytics. Below are a sampling of insights from Grant Thornton’s 2017 Corporate General Counsel Survey:
  • 58% of legal departments are highly involved in responding to data security risks; nearly a quarter have primary responsibility for the issue
  • Less than a quarter of counsel are very satisfied with their organizaton’s risk assessment
  • Nearly three-quarters of legal departments cite cyber issues as a top risk.
  • Of those very concerned about data security, only about a third feel adequately prepared
As a result of increasing risk concerns, the role of the corporate general counsel continues to evolve to include new, important areas of focus and responsibilities. While maintaining a firm handle on the traditional functions of the legal department, the survey reveals that their role is increasingly concerned with regulation and compliance, as well as data privacy and related cybersecurity issues.”

Apparently, Congress needs a lot more “education” than we thought?
Tech beefs up lobbying amid Russia scrutiny
... Executives from Facebook, Google and Twitter testified before lawmakers this month about Russian actors using their platforms to influence the vote and tried to reassure them they were taking steps to address the issue.
But lawmakers left the hearings frustrated and say they want more details from the companies and concrete steps to prevent interference in the future. Congress is also considering legislation to toughen disclosure rules for online advertisements.
That threat of tougher regulation has tech firms scrambling.

A business model for those who are first to automate what they do well? (As long as we have to do it, can we sell it?)
The newspaper created a platform to tackle its own challenges. Then, with Amazon-like spirit, it realized there was a business in helping other publishers do the same.
… Since 2014, a new Post operation now called Arc Publishing has offered the publishing system the company originally used for as a service. That allows other news organizations to use the Post’s tools for writers and editors. Arc also shoulders the responsibility of ensuring that readers get a snappy, reliable experience when they visit a site on a PC or mobile device. It’s like a high-end version of Squarespace or, tailored to solve the content problems of a particular industry.

How can I stay anti-social?
New on LLRX – The Use and Abuse of Social Media in the Post-Truth Era
Via LLRXThe Use and Abuse of Social Media in the Post-Truth Era – Law librarian and adjunct professor Paul Gatz provides important guidance on social media discourse and information literacy that is especially timely and instructive as we are experiencing an escalating wave of highly questionable news and data through sites such as Facebook.

Sunday, November 19, 2017

I just taught my Computer Security class how to generate RSA public/private keys and encrypt messages. They each generated a unique encryption key and can keep generating unique encryption keys until they run out of random numbers. Would the FBI try to compel me to break that encryption?
Is the Government Waging an Out-of-Sight Fight With Apple on Encryption?
The Justice Department and Apple have been locked in a bitter fight for years over the company’s encryption system, which allows consumers to prevent anyone —including law enforcement—from opening their devices without permission. That’s why a security story this week should be getting more attention than it has.
Titled “Yup: The Government Is Secretly Hiding Its Crypto Battles In The Secret FISA Court,” the story appeared on the well-regarded security blog EmptyWheel, and suggests the Justice Department is using a legal backdoor to force open software backdoors at companies like Apple.
The details are complex and require some familiarity with the FISC, a closed court that oversees top secret intelligence operations, and with Section 702, an amendment to the Patriot Act that permits certain forms of warrantless surveillance. But the gist of the story is this: The Justice Department may be relying on an annual approval process at the FISC to compel “technical assistance” from Apple and others, and this assistance may include the breaking of encryption.
… The over-arching issue raised by EmptyWheel is not whether citizens should have the right to deploy unbreakable encryption (there are good arguments on each side), but instead that the government may be settling the debate in secret. The issue of encryption is too important to be stuffed into secret court proceedings. Let’s hope the Justice Department finds a way to debate this in the open.

“Oh he looks just like you!” Time for plastic surgery?
A 10-Year-Old Used Face ID To Unlock His Mom's iPhone X: Will All Families Have The Same Problem?
… Attaullah Malik uploaded a video that demonstrated how his 10-year-old son, Ammar Malik, was able to unlock the iPhone X of his wife, Sana Sherwani, through the Face ID feature.
According to Apple, there is a roughly one in 1 million chance that a random person will be able to unlock somebody else's iPhone X using their face. However, things are different in the cases of twins, siblings, and children under the age of 13 years old.

Saturday, November 18, 2017

I’m telling my Computer Security students that keeping the default settings is never a good idea.
Pentagon Accidentally Exposes Web-Monitoring Operation
The Department of Defense accidentally exposed an intelligence-gathering operation, thanks to an online storage misconfiguration.
DOD was reportedly collecting billions of public internet posts from social media, news sites, and web forums and storing them on Amazon S3 repositories. But it neglected to make those storage servers private. So anyone with a free Amazon AWS account could browse and download the data, according to Chris Vickery, a security researcher at UpGuard.
Vickery noticed the problem in September. "The data exposed in one of the three buckets is estimated to contain at least 1.8 billion posts of scraped internet content over the past 8 years," UpGuard said in a Friday report.
Much of the data was scraped from news sites, web forums, and social media services such as Facebook and Twitter. The information includes content relating to Iraqi and Pakistani politics and ISIS, but also social media posts made by Americans.
… The Defense Department isn't the only one to commit the security slip-up with AWS cloud storage. Earlier this year, UpGuard found that Verizon and Dow Jones made the same mistake, effectively exposing their private customer data to the public.

How to victimize victims. (And another federal agency that’s clueless when it comes to security breaches.)
Rachel Polansky reports:
Dozens of Southwest Floridians are sick and tired of waiting for answers from FEMA after being hit by Hurricane Irma and then, identity thieves.
A month after the NBC2 Investigators exposed a major scheme involving criminals stealing local identities to defraud the federal government, the NBC2 Investigators are finally getting answers from FEMA.
Read more on NBC-2.
[From the article:
… the agency couldn't confirm this earlier because they wanted to protect the integrity of the investigation.

This probably happens here and goes unreported. (undetected?)
Reuters reports:
Italian police are investigating a hack into the email accounts of government employees by activist group Anonymous, which then published documents it had extracted.
On its Italian blog Anonymous uploaded a screenshot of an email purportedly sent from a government email address to an employee of the prime minister’s office containing the names of a security detail that would accompany an official inspection at a site Prime Minister Paolo Gentiloni is due to visit this week.
Read more on Reuters. See also is not linking to Anonymous’s blog post so as not to facilitate leaking of the allegedly hacked data.

Oh they’re getting serious. They wrote a letter!
House panel hits Equifax with long list of investigation demands
The House Energy and Commerce Committee has sent Equifax a long list of questions related to the breach that compromised more than 100 million people's personal information.
The letter, dated Friday, contains seven pages of document requests and questions as part of the panel's investigation, nearly a full page of which is devoted to documents.
Click here to read the full letter.

Good intent? Bad outcome. Of course it could never happen here…
Germany: Please Destroy Your Child's Smartwatch
A German regulator is banning the sale of certain smartwatches designed for children because they can be used for spying. Parents who own such products should destroy them, the country's Federal Network Agency said in a Friday notice.
These watches include a listening function that lets parents monitor their child over a mobile app on a smartphone. However, that same feature can let them secretly eavesdrop on any surrounding conversation close to the watch—like listening to a teacher in a classroom. German law prohibits this kind of function, the Federal Network Agency said.

For my Computer Security students.
Why the Entire C-Suite Needs to Use the Same Metrics for Cyber Risk
When it comes to cybersecurity, the chains of communication that exist within an organization, if they exist at all, are often a mess. Multiple conversations about cyber risks are happening across a multitude of divisions in isolation. At the same time, members of the C-suite are measuring their potential impact using different metrics — financial, regulatory, technical, operational — leading to conflicting assessments. CEOs must address these disconnects by creating a culture that promotes open communication and transparency about vulnerabilities and collaboration to address the exposures.

Tips for your business plan?
Surviving in an Increasingly Digital Ecosystem
Every large and ambitious company today should be trying to figure out how to become a destination for its customers.

Worth getting my students thinking about their searches.

Something for the Movie club?
MoviePass Launches Annual Subscription Plan For Under $8 A Month: That’s Lower Than The Average Movie Ticket Price
For a limited time, MoviePass is offering a one-year subscription plan for a flat fee of $89.95, which translates to $7.50 a month (that price already includes a $6.55 processing fee). That price is under this year’s 3Q average movie ticket, which the National Association of Theater Owners pegged at $8.93.

Friday, November 17, 2017

No surprise. They do, we do, everybody do.
China May Delay Vulnerability Disclosures For Use in Attacks
The NSA and CIA exploit leaks have thrown the spotlight on US government stockpiles of 0-day exploits -- and possibly led to this week's government declassification of the Vulnerabilities Equities Policy (VEP) process used to decide whether to disclose or retain the exploits it discovers.
There is no doubt that other nations also hold stockpiles of exploits; but there has been little public information on this. While not being a stockpile per se, Recorded Future has today published research suggesting that China delays disclosure of known critical vulnerabilities, sometimes to enable their immediate use by APT groups with probable Chinese government affiliation.
[Yesterday’s Whitehouse announcement:

I think it’s much as you would expect. You don’t need to be a security expert, you can hire all the expertise you need.
The Board’s Role in Managing Cybersecurity Risks
… Corporate boards of directors are expected to ensure cybersecurity, despite the fact that most boards are unprepared for this role. A 2017-2018 survey by the National Association of Corporate Directors (NACD) found that 58% of corporate board member respondents at public companies believe that cyber-related risk is the most challenging risk they are expected to oversee. The ability of companies to manage this risk has far-reaching implications for stock prices, company reputations, and the professional reputations of directors themselves.

Privacy ain’t easy? About time you figured that out.
Beyond GDPR: The Challenge of Global Privacy Compliance
TechPrivacy – Daniel Solove: “For multinational organizations in an increasingly global economy, privacy law compliance can be bewildering these days. There is a tangle of international privacy laws of all shapes and sizes, with strict new laws popping up at a staggering speed. Federal US law continues to fade in its influence, with laws and regulators from abroad taking the lead role in guiding the practices of multinational organizations. These days, it is the new General Data Protection Regulation (GDPR) from the EU that has been the focus of privacy professionals’ days and nights …and even dreams. As formidable as the GDPR is, only aiming to comply with the GDPR will be insufficient for a worldwide privacy compliance strategy. True, the GDPR is one of the strictest privacy laws in the world, but countries around the world have other very strict laws. The bottom line is that international privacy compliance is incredibly hard. This is what Lothar Determann focuses on. For nearly 20 years, Determann has combined scholarship and legal practice. In addition to being a partner at Baker & McKenzie, Lothar has taught data privacy law at many schools including Freie Universit├Ąt Berlin, UC Berkeley School of Law, Hastings College of the Law, Stanford Law School, and University of San Francisco School of Law. He has written more than 100 articles and 5 books, including a treatise about California Privacy Law. Hot off the press is the new third edition of Lothar Determann’s terrific guide, Determann’s Field Guide to Data Privacy Law: International Corporate Compliance. Determann has produced an incredibly useful synthesis of privacy law from around the globe. Covering so many divergent international privacy laws could take thousands of pages, but Determann’s guide is remarkably concise and practical. With great command of the laws and decades of seasoned experience, Determann finds the common ground and the wisest approaches to compliance. This is definitely an essential reference for anyone who must navigate privacy challenges in the global economy…”

Where President Trump goes the other way and creates a more outrageous tweet for journalists to spend their time commenting on…
China is perfecting a new method for suppressing dissent on the internet
The art of suppressing dissent has been perfected over the years by authoritarian governments. For most of human history, the solution was simple: force. Punish people severely enough when they step out of line and you deter potential protesters.
But in the age of the internet and “fake news,” there are easier ways to tame dissent.
A new study by Gary King of Harvard University, Jennifer Pan of Stanford University, and Margaret Roberts of the University of California San Diego suggests that China is the leading innovator on this front. Their paper, titled “How the Chinese Government Fabricates Social Media Posts for Strategic Distraction, Not Engaged Argument,” shows how Beijing, with the help of a massive army of government-backed internet commentators, floods the web in China with pro-regime propaganda.
What’s different about China’s approach is the content of the propaganda. The government doesn’t refute critics or defend policies; instead, it overwhelms the population with positive news (what the researchers call “cheerleading” content) in order to eclipse bad news and divert attention away from actual problems.

Better artificial than none at all?
How Artificial Intelligence Will Affect the Practice of Law
Alarie, Benjamin and Niblett, Anthony and Yoon, Albert, How Artificial Intelligence Will Affect the Practice of Law (November 7, 2017). Available at SSRN:
“Artificial intelligence is exerting an influence on all professions and industries. We have autonomous vehicles, instantaneous translation among the world’s leading languages, and search engines that rapidly locate information anywhere on the web in a way that is tailored to a user’s interests and past search history. Law is not immune from disruption by new technology. Software tools are beginning to affect various aspects of lawyers’ work, including those tasks that historically relied upon expert human judgment, such as predicting court outcomes. These new software tools present new challenges and new opportunities. In the short run, we can expect greater legal transparency, more efficient dispute resolution, improved access to justice, and new challenges to the traditional organization of private law firms delivering legal services on a billable hour basis through a leveraged partner-associate model. With new technology, lawyers will be empowered to work more efficiently, deepen and broaden their areas of expertise, and provide more value to clients. These developments will predictably transform both how lawyers do legal work and resolve disputes on behalf of their clients. In the longer term, it is difficult to predict the impact of artificially intelligent tools will be, as lawyers incorporate them into their practice and expand their range of services on behalf of clients”

Looking for a complete toolkit?

Thursday, November 16, 2017

It’s not lying, it’s not volunteering the truth. (I don’t see this on
Trump administration releases rules on disclosing cyber flaws
The Trump administration publicly released on Wednesday its rules for deciding whether to disclose cyber security flaws or keep them secret, in an effort to bring more transparency to a process that has long been cloaked in mystery.

(Related). Possibly?
Microsoft Patches 17 Year-Old Vulnerability in Office
Microsoft on Tuesday released its November 2017 security updates to resolve 53 vulnerabilities across products, including a security bug that has impacted all versions of its Microsoft Office suite over the past 17 years.
Tracked as CVE-2017-11882, the vulnerability resides in the Microsoft Equation Editor (EQNEDT32.EXE), a tool that provides users with the ability to insert and edit mathematical equations inside Office documents.
The bug was discovered by Embedi security researchers as part of very old code in Microsoft Office. The vulnerable version of EQNEDT32.EXE was compiled on November 9, 2000, “without essential protective measures,” the researchers say.
Although the component was replaced in Office 2007 with new methods of displaying and editing equations, Microsoft kept the vulnerable file up and running in the suite, most likely to ensure compatibility with older documents.
The component is an OutPorc COM server executed in a separate address space. This means that security mechanisms and policies of the Office processes do not affect exploitation of the vulnerability in any way, which provides an attacker with a wide array of possibilities,” Embedi notes in a research paper (PDF).

Perhaps a war game rather than a Final exam?
Companies Turn to War Games to Spot Scarce Cybersecurity Talent
A major shipping company is under attack. With help from a corrupt executive, an international hacking syndicate called Scorpius, has penetrated the computer networks of Fast Freight Ltd. The hackers have taken control of servers and compromised the systems that control Fast Freight’s vessels and its portside machinery. The company’s cybersecurity consultants have 48 hours to uncover the breach and repulse the attackers before they cripple Fast Freight’s business and cause serious economic damage.
It sounds like the plot to a blockbuster thriller. But this was the fictional scenario 42 budding computer security experts faced at the annual U.K. Cyber Security Challenge competition earlier this week in London. With demand for cybersecurity expertise exploding, but qualified people in short supply, war-gaming competitions like this have become key recruiting grounds for companies and government security agencies.
… There are about 1 million unfilled cybersecurity jobs globally, according to an estimate from Cisco.
… It’s this gap that Cyber Security Challenge U.K., a non-profit organization set up by the British government with support from corporations and universities, is supposed to help fill.

Includes some tips for defense attorneys…
EFF’s Street-Level Surveillance Project Dissects Police Technology
“Step onto any city street and you may find yourself subject to numerous forms of police surveillance—many imperceptible to the human eye. A cruiser equipped with automated license plate readers (also known as ALPRs) may have just logged where you parked your car. A cell-site simulator may be capturing your cell-phone data incidentally while detectives track a suspect nearby. That speck in the sky may be a drone capturing video of your commute. Police might use face recognition technology to identify you in security camera footage.
EFF first launched its Street-Level Surveillance project in 2015 to help inform the public about the advanced technologies that law enforcement are deploying in our communities, often without any transparency or public process. We’ve scored key victories in state legislatures and city councils, limiting the adoption of these technologies and how they can be used, but the surveillance continues to spread, agency by agency. To combat the threat, EFF is proud to release the latest update to our work: a new mini-site that shines light on a wide range of surveillance technologies, including ALPRs, cell-site simulators, drones, face recognition, and body-worn cameras….”

This headline is distressing…
Google Docs went down for ‘a significant’ number of users for over an hour
Google Docs went down for a little over an hour today for what Google says was a “significant subset of users.” For a product with a user base that reaches into the hundreds of millions at a minimum, that’s certain to mean a huge number of people who experienced a disruption.
Oddly, the outage was limited only to Google Docs — other portions of Drive and G Suite were still working for everyone. And for the people who were still able to access Docs, there didn’t seem to be any problems at all.

(Related) This headline causes real panic!
Google Docs just ate your homework

What causes people to ignore procedure?
Body searches of 900 Georgia students by sheriff’s office leads to $3 million settlement
In April, law enforcement from Georgia’s Worth County descended on a high school and, without a warrant, conducted body searches on an estimated 900 students, touching some students’ genitals and breasts. They said they were searching for drugs. They found none.
A class-action federal lawsuit soon followed, and the sheriff and two deputies were indicted in October in the raid on Worth High School in Sylvester, which is about 170 miles south of Atlanta. On Tuesday, a legal advocacy group, the Southern Center for Human Rights, said a proposed $3 million settlement had been reached in the lawsuit, pending a judge’s approval.
Earlier this week, Gov. Nathan Deal suspended Sheriff Jeff Hobby by executive order pending the outcome of his legal case or until the expiration of his term of office, whichever comes first. Hobby faces charges of sexual battery, false imprisonment and violation of oath of office, the Atlanta Journal-Constitution reported.

I think this covers all the bases and will certainly work, if we can get anyone to take the time to find and read all the information. See the examples!
The Trust Project brings news orgs and tech giants together to tag and surface high-quality news
Thursday marks the launch of The Trust Project, an initiative three years in the making (but feeling oh-so-relevant right about now) that brings together news outlets such as The Washington Post, The Economist, and the Globe and Mail, as well as Facebook, Google, Twitter, and Bing, in a commitment to “provide clarity on the [news organizations’] ethics and other standards, the journalists’ backgrounds, and how they do their work.”
… A team of representatives from dozens of media companies worldwide came up with eight “core indicators”:
Best Practices: What Are Your Standards? Who funds the news outlet? What is the outlet’s mission? Plus commitments to ethics, diverse voices, accuracy, making corrections and other standards.
Author Expertise: Who Reported This? Details about the journalist who wrote the story, including expertise and other stories they have worked on.
Type of Work: What Is This? Labels to distinguish opinion, analysis and advertiser (or sponsored) content from news reports.
Citations and References: For investigative or in-depth stories, greater access to the sources behind the facts and assertions.
Methods: Also for in-depth stories, information about why reporters chose to pursue a
story and how they went about the process.
Locally Sourced? Lets people know when the story has local origin or expertise.
Diverse Voices: A newsroom’s efforts to bring in diverse perspectives.
Actionable Feedback: A newsroom’s efforts to engage the public’s help in setting coverage priorities, contributing to the reporting process, ensuring accuracy and other areas.
… You can check out this Trello board for links to how the Indicators are being incorporated onto various parts of participating publishers’ sites, from “About” pages to author bios to citations and references. And here’s a mockup of an article that contains all of the Indicators.

Excellent collection. I probably would not drop all of this on my website students at one time.
U.S. Web Design Standards + DigitalGov “We’re excited to announce that the U.S. Web Design Standards has moved over to the Office of Products and Platforms (OPP) and joined the new DigitalGov team, effective October 1, 2017. Over the last 10 years, has become an authoritative destination to learn about the methods, practices, policies, and tools needed to create effective digital services in government. It’s where government goes to learn from experience: building, working, communicating, and adapting to the evolving needs of our digital nation. Our mission has been to help people deliver smart, effective digital services in the government. Going forward, we aim to set an example for how government learns, builds, delivers, and measures digital services in the 21st century. The Standards provides an increasingly important service to government modernization. By moving the Standards to OPP under DigitalGov, we are providing the Standards with the financial, organizational, and communications support needed to focus on delivering a high-quality design system and supporting framework for government sites… ”

Perspective. In short, you better get some digital skills. My spreadsheet students should take note!
Report – Digitalization and the American workforce
New analysis by the Brookings Metropolitan Policy Program of more than 500 occupations reveals the rapid pace of their “digitalization” since 2001, suggesting the acquisition of digital skills is now a prerequisite for economic success for American workers, industries, and metropolitan areas.
The report, “Digitalization and the American workforce,” provides a detailed analysis of changes in the digital content of 545 occupations representing 90 percent of the workforce in all industries since 2001, rating each occupation on a digital content scale of 0-100. While the digital content of virtually all jobs has been increasing (the average digital score across all occupations rose 57 percent from 2002 to 2016) occupations in the middle and lower end of the digital skill spectrum have increased digital scores most dramatically. Workers, industries,and metropolitan areas benefit from increased digital skills via enhanced wage growth, higher productivity and pay, and a reduced risk of automation, but adaptive policies are still needed. The report offers recommendations for improving digital education and training while mitigating its potentially harmful effects, such as worker pay disparities and the divergence of metropolitan area economic outcomes. Mark Muro, a senior fellow at Brookings and the report’s author, said, “We definitely need more coders and high-end IT professionals, but it’s just as important that many more people learn the basic tech skills that are needed in virtually every job. That’s the kind of digital inclusion we need. In that respect, not everybody needs to go to a coding bootcamp but they probably do need to know Excel and basic office productivity software and enterprise platforms.”

Perspective. Are my students binge watching in class?
People watch Netflix unabashedly at work (and in public toilets, too)
… About 67% of people now watch movies and TV shows in public, according to an online survey it commissioned of 37,000 adults around the world. It was conducted between late August and early September.
The most popular public places to stream are on planes, buses, or commuting, the survey found. But 26% of respondents also said they’ve binged shows and movies at work.
… Another 17% were so engrossed in a show or movie that they missed their stop on their commute (hopefully not while driving). And 45% said they’d caught someone spying on their screens; 11% said they had a show spoiled after looking on another person’s screen. Only 18% said they felt embarrassed about watching in public.

Think there might be a big market for these?
Profane anti-Trump sticker sparks free-speech debate in Texas
A Texas sheriff reportedly threatened to bring disorderly conduct charges against a truck driver for displaying a profane anti-Trump sticker on the rear window of the vehicle.
Sheriff Troy Nehls in Ford Bend County told the Houston Chronicle that he had received many complaints about the sticker, which read: “F--- TRUMP AND F--- YOU FOR VOTING FOR HIM.”
Nehls posted a photo of the truck and the offending sticker on his Facebook page
… Meanwhile, Nehls’ message on Facebook drew criticism from the ACLU of Texas, which posted on its Facebook page: “Memo to @SheriffTNehls: You can’t prosecute speech just because it contains the word “----” The owner of this truck should contact @ACLUTx”

I’d just like my students to read!
Article – Why doesn’t everyone love reading e-books?
Myrberg, C., (2017). Why doesn’t everyone love reading e-books?. Insights. 30(3), pp.115–125. DOI:
“Why do many students still prefer paper books to e-books? This article summarizes a number of problems with e-books mentioned in different studies by students of higher education, but it also discusses some of the unexploited possibilities with e-books. Problems that students experience with e-books include eye strain, distractions, a lack of overview, inadequate navigation features and insufficient annotation and highlighting functionality. They also find it unnecessarily complicated to download DRM-protected e-books. Some of these problems can be solved by using a more suitable device. For example, a mobile device that can be held in a book-like position reduces eye strain, while a device with a bigger screen provides a better overview of the text. Other problems can be avoided by choosing a more usable reading application. Unfortunately, that is not always possible, since DRM protection entails a restriction of what devices and applications you can choose. Until there is a solution to these problems, I think libraries will need to purchase both print and electronic books, and should always opt for the DRM-free alternative. We should also offer students training on how to find, download and read e-books as well as how to use different devices.”


...and I’m still trying to convince my students to get to class on time. I miss Japan.
Apology after Japanese train departs 20 seconds early
A rail company in Japan has apologised after one of its trains departed 20 seconds early.
Management on the Tsukuba Express line between Tokyo and the city of Tsukuba say they "sincerely apologise for the inconvenience" caused.