• Risks Digest 31.35 (2/2)

    From RISKS List Owner@21:1/5 to All on Tue Aug 6 16:53:31 2019
    [continued from previous message]

    https://www.channelfutures.com/mssp-insider/dark-web-consequences-increase-from-global-rise-of-police-friendly-laws

    ------------------------------

    Date: Sat, 27 Jul 2019 17:49:36 -0400
    From: Dave Farber <farber@gmail.com>
    Subject: The Hidden Costs of Automated Thinking (The New Yorker)

    https://www.newyorker.com/tech/annals-of-technology/the-hidden-costs-of-automated-thinking

    ------------------------------

    Date: Sat, 27 Jul 2019 09:17:40 -0400
    From: Dave Farber <farber@gmail.com>
    Subject: We Tested Europe’s New Digital Lie Detector. It Failed.
    (The Intercept)

    https://theintercept.com/2019/07/26/europe-border-control-ai-lie-detector/

    ------------------------------

    Date: Sun, 28 Jul 2019 10:19:53 PDT
    From: "Peter G. Neumann" <neumann@csl.sri.com>
    Subject: AI Predictive Policing (Daily Mail)

    [From Geoff Goodfellow]

    AI experts from top universities SLAM `predictive policing' tools in new statement and warn technology could 'fuel misconceptions and fears that
    drive mass incarceration'.

    - AI experts say pre-crime algorithms are more magic than reality
    - Algorithms designed to predict violent crime may come with consequences
    - Experts say they may vastly overstate the likelihood of pretrial crime
    - They warn its use could fuel mass incarceration and lead to harsher sentences

    EXCERPT:

    Prominent thinkers in the fields of artificial intelligence say that
    predictive policing tools are not only 'useless,' but may be helping to
    drive mass incarceration.

    In a letter published earlier this month the experts, from MIT, Harvard, Princeton, NYU, UC Berkeley and Columbia spoke out on the topic in an unprecedented showing of skepticism toward the technology. <https://dam-prod.media.mit.edu/x/2019/07/16/TechnicalFlawsOfPretrial_ML>

    'When it comes to predicting violence, risk assessments offer more magical thinking than helpful forecasting,' wrote AI experts Chelsea Barabas,
    Karthik Dinakar and Colin Doyle in a New York Times op-ed. <https://www.nytimes.com/2019/07/17/opinion/pretrial-ai.html?utm_source=The+Appeal>

    Predictive policing tools, or risk assessment tools, are algorithms designed
    to predict the likelihood of someone committing crime in the future.

    With rapid advances in artificial intelligence, the tools have begun to find their way into the everyday processes of judges, who deploy them to
    determine sentencing, and police departments, who use them to allot
    resources and more.

    While the technology has been positioned as a way to combat crime
    preemptively, experts say its capabilities have been vastly overstated.

    Among the arenas most affected by the tools they say, are pretrial
    sentencing, during which people undergoing a trial may be detained based on their risk of committing a crime.

    'Algorithmic risk assessments are touted as being more objective and
    accurate than judges in predicting future violence,' write the
    researchers...

    https://www.dailymail.co.uk/sciencetech/article-7287341/AI-experts-release-statement-slamming-predictive-policing-digitizing-stop-frisk.html

    ------------------------------

    Date: Sun, 4 Aug 2019 16:50:27 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Guardian Firewall iOS App Automatically Blocks the Trackers on Your
    Phone (WiReD)

    The data economy has too often betrayed its customers, whether it's Facebook sharing data you didn't even realize it had, or invisible trackers that
    follow you around the web without your knowledge. But a new app launching in the iOS App Store today wants to help you take back some control—without making your life harder.

    The Guardian Firewall app runs in the background of an iOS device, and
    stymies data and location trackers while compiling a list of all the times
    your apps attempt to deploy them. It does so without breaking functionality
    in your apps or making them unusable. Plus, the blow by blow list gives you much deeper insight than you would normally have into what your phone is
    doing behind the scenes. Guardian Firewall also takes pains to avoid
    becoming another cog in the data machine itself. You don't need to make an account to run the firewall, and the app is architected to box its
    developers out of user data completely.

    https://www.wired.com/story/guardian-firewall-ios-app/

    Was tempting until $100/year cost.

    ------------------------------

    Date: Tue, 30 Jul 2019 13:36:01 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Google researchers disclose vulnerabilities for 'interactionless'
    iOS attacks (ZDNet)

    While it is always a good idea to install security updates as soon as they become available, the availability of proof-of-concept code means users
    should install the iOS 12.4 release with no further delay.

    https://www.zdnet.com/article/google-researchers-disclose-vulnerabilities-for-interactionless-ios-attacks/

    ------------------------------

    Date: Tue, 30 Jul 2019 10:40:55 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Another Breach: What Capital One Could Have Learned from Google's
    "BeyondCorp" (Lauren's Blog)

    https://lauren.vortex.com/2019/07/30/another-breach-what-capital-one-could-have-learned-from-googles-beyondcorp

    Another day, another massive data breach. This time some 100 million people
    in the U.S., and more millions in Canada. Reportedly the criminal hacker
    gained access to data stored on Amazon's AWS systems. The fault was
    apparently not with AWS, but with a misconfigured firewall associated with a Capital One app, the bank whose customers were the victims of this attack.

    Firewalls can be notoriously and fiendishly difficult to configure
    correctly, and often present a target-rich environment for successful
    attacks. The thing is, firewall vulnerabilities are not headline news -- they're an old story, and better solutions to providing network security already exist.

    In particular, Google's "BeyondCorp" approach
    ( https://cloud.google.com/beyondcorp ) is something that every enterprise involved in computing should make itself familiar with. Right now!

    BeyondCorp techniques are how Google protects its own internal networks and systems from attack, with enormous success. In a nutshell, BeyondCorp is a
    set of practices that effectively puts "zero trust" in the networks
    themselves, moving access control and other authentication elements to individual devices and users. This eliminates the need for traditional firewalls (and in most instances, VPNs) because there is no longer a conventional firewall which, once breached, gives an attacker access to all
    the goodies.

    If Capital One had been following BeyondCorp principles, there would be 100+ million fewer of their customers in a panic today.

    ------------------------------

    Date: Wed, 31 Jul 2019 10:30:36 -0700
    From: Gene Wirchenko <gene@shaw.ca>
    Subject: "A data breach forced this family to move home and change their
    names" (ZDNet)

    Charlie Osborne for Zero Day | 26 Jul 2019

    A data breach forced this family to move home and change their names
    Sometimes a free credit report in recompense is nowhere near enough.
    https://www.zdnet.com/article/a-data-breach-forced-this-family-to-move-home-and-change-their-names/

    selected text:

    In the London Borough of Hackney, a recent case emerged when a data breach
    had far more devastating consequences than most of us would ever experience.

    As reported by the Hackney Gazette, a family in the area adopted a child and the details of who they were and where they lived were meant to be withheld from the birth parents.

    However, during the adoption process in 2016, a solicitor appointed by
    Hackney Council mistakenly included an unredacted copy of the application
    form. The publication says that the exposed, sensitive data included the couple's names, addresses, phone numbers, dates of birth, and occupations.

    The scope of the breach was serious enough that the couple spoke to both the council and police, and ultimately decided that moving home and changing
    their names was the safest option for their adopted child.

    ------------------------------

    Date: Thu, 25 Jul 2019 19:51:11 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Brazilian president’s cellphone hacked as Car Wash scandal intrigue
    widens (WashPost)

    Four men have been arrested on suspicion of breaking into cellphones of hundreds of officials.

    https://www.washingtonpost.com/world/the_americas/brazilian-president-bolsonaros-cellphone-hacked-as-carwash-scandal-intrigue-widens/2019/07/25/faab2b86-aee5-11e9-9411-a608f9d0c2d3_story.html

    ------------------------------

    Date: Fri, 26 Jul 2019 10:12:53 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Malicious 'Google' domains used in Magento card skimmer attacks
    (ZDNet)

    https://www.zdnet.com/article/malicious-google-domains-used-in-magento-data-skimmer/

    ------------------------------

    Date: Fri, 26 Jul 2019 10:15:08 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: MyDoom: The 15-year-old malware that's still being used in phishing
    attacks in 2019 (ZDNet)

    https://www.zdnet.com/article/mydoom-the-15-year-old-malware-thats-still-being-used-in-phishing-attacks-in-2019/

    ------------------------------

    From: Monty Solomon <monty@roscom.com>
    Date: Mon, 5 Aug 2019 08:18:19 -0400
    Subject: StockX was hacked, exposing millions of customers' data (TechCrunch)

    https://techcrunch.com/2019/08/03/stockx-hacked-millions-records/

    ------------------------------

    Date: Mon, 5 Aug 2019 10:48:58 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Ikea says sorry for customer data breach (Straits Times)

    https://www.straitstimes.com/singapore/ikea-says-sorry-for-customer-data-breach

    ------------------------------

    Date: Thu, 1 Aug 2019 11:47:57 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Refunds for Global Access Technical Support customers
    (Consumer Information)

    If you paid for technical support services from Global Access Technical
    Support (GATS), you’ll be getting a letter or an email from the Federal
    Trade Commission about a refund. You might have known the company as Global SConnect, Global sMind, Yubdata Tech, or Technolive.

    The FTC sued GATS, alleging that the company lied about partnering with well-known tech companies and tricked people into paying for unnecessary computer repairs. GATS has now paid $860,000 to settle the lawsuit.

    The FTC is sending refunds to people who paid money to GATS. If you get a
    check from us, cash it within 60 days. We will send refunds via PayPal to customers for whom we do not have a mailing address.

    Here’s how the PayPal refunds work: the FTC will send the customer an email from subscribe@subscribe.ftc.gov. Then, within 24 hours, that customer will also get an email directly from PayPal about the refund. If you get those emails, all you have to do is type www.paypal.com into your browser, log in
    to your account (or create one), and review and accept the payment. Or
    accept payment by logging into the PayPal app.

    To avoid scammers who might pretend to be from the FTC or PayPal, follow
    these simple steps:

    * If you get a refund email that claims to be from the FTC or PayPal, don’t
    click on any links in the email. Instead, visit the website by typing the
    right URL into your browser: www.ftc.gov/refunds and www.paypal.com.

    * Check out FTC refunds at ftc.gov/refunds. Each case on that page has a
    phone number you can call to check on refund payments.

    * Know that the FTC never asks people to pay money or give sensitive
    financial information to get a refund. People who say they are with the
    FTC and ask for money are scammers.

    https://www.consumer.ftc.gov/blog/2019/08/refunds-global-access-technical-support-customers

    ------------------------------

    Date: Wed, 31 Jul 2019 02:09:55 +0900
    From: "ISHIKAWA,chiaki" <ishikawa@yk.rim.or.jp>
    Subject: Business Continuity?: Kyoto Anime recovers digital recordings

    I have been a Japanese animation fan since I was a kid growing up in
    Japan.  So this is a very prejudiced post in that direction.

    The arson at the Kyoto Animation company (Kyoto Anime or KyoAni for short), almost a terrorist attack, which has killed 35 people so far, has had Kyoto Anime scrambling to recover what remains in the server computer in the building
    which burned down.

    The arson is now detailed in Wikipedia. https://en.wikipedia.org/wiki/Kyoto_Animation_arson_attack

    Since the night of July 29, it has been reported that Kyoto Anime, with the help of experts, could salvage the digital data from the server(s) that remained intact in the building that burned down. (In Japanese: https://www.asahi.com/articles/ASM7Y6H8ZM7YPTIL03K.html )

    Luckily the server(s) was on the first floor and was housed in a small space surrounded by concrete walls in the four directions (CI's comment: I wonder where the door was...) and withstood the fire and the water sprayed by firefighters.

    cf. Due to the nature of the Japanese language, I am not sure if the
    server referred to is actually a collection of servers (plural).

    An earlier Japan Times article in English mentioned that there *was* a
    server and the management hoped to recover the data *IFF* the server did not get wet during the firefighting effort. https://www.japantimes.co.jp/news/2019/07/29/national/kyoto-animation-hopes-recover-drawing-storyboard-data-server-arson-attack/

    To me it is hard to believe that 70+ people working on a few animation projects could work with only a single server, but that is not the major contention here.

    First of all, I am not sure if all the digital data of anime (animation,
    that is) held by that branch was recovered or not. The article mentioned digital data only, and implied some animation digital drawings were
    recovered. An inquiring mind wants to know the answer to "Were all the
    relevant data transferred from individual PCs to the server each day?". Individual PCs went up in smoke, literally. No hope of recovering data from them.

    One thing is crystal clear: ALL THE PAPER-BASED DRAWINGS IN THE BRANCH ARE GONE. PERIOD. (Except for a piece of paper with a hand-drawn illustration
    on it: it was on the back side of a whiteboard that remained in the
    building. I saw it in a news article.)

    When I read the article and some earlier articles, some computer-related
    risk keywords popped up in my mind: off-site backup, business continuity,
    and human resources.

    Here, human resources *IS* actually the most valuable one in this case, and
    the loss is felt throughout the media industry all over the world. No amount
    of off-site backup or business continuity planning that is created for earthquakes or typhoons (Japan's two biggest natural disasters) will be
    enough to counter the type of human-resource damage sustained by Kyoto Anime this time.

    Nevertheless, some business schools may create a case study of
    disaster-recovery planning for business continuity based on the incident.

    Yes, to my surprise and many others', Kyoto Animation obviously failed to perform off-site backup (and for that matter, distributed backup of
    paper-based illustrations).  That is something to think about for the media company management types in the future.  (So this post *IS* computer risk-related after all.)

    At the same time, I personally feel it is a tough time for the management indeed for recovering the business operation especially when I read the comments from the surviving members of the victims such as the one I quote later in this post.

    The impact of the human toll is really devastating psychologically. Recovering from a crime-initiated disaster is not purely a computer-risk issue, but a wetware (people) issue too, especially so once the hardware, software and
    data are recovered.

    The following news contains comments regarding the color coordinator,
    Ms. Naomi Ishida, who has worked at Kyoto Anime for more than 20 years. A victim of the arson. The article is in Japanese: https://www3.nhk.or.jp/lnews/kyoto/20190725/2010004159.html (Ms. Ishida's background is explained in detail in English in the following URL:) https://www.animenewsnetwork.com/news/2019-07-25/kyoto-animation-colorist-naomi-ishida-passed-away-in-studio-fire/.149318

    Since such Japanese news comments are unlikely to be translated into English any time soon, here is my rough translation of that part of the news
    article. (I searched for an English article that might refer to the comments of
    Ms. Ishida's parents, but only ended up with the animenewsnetwork article above.)

    My rough translation:

    Ms. Naomi Ishida's mother mentioned "The police got in contact with us
    because the DNA identification has been over and they wanted to explain
    the result to us. When I looked at the remains, I noticed that only a
    piece of metal of my daughter's hair accessory remained and all else
    melted away. The fire was so severe. The whole ordeal could have been over
    in a short while. But it is a real pity she must have suffered a lot
    during that time." and she added "I have not known her whereabouts after
    the arson. The only consolation now is that I can bring her back home
    finally..."

    Her father said "I have a tough time sleeping thinking about how she must
    have suffered in pain at the last moment.  But now I am a bit relieved,
    having learned that so many anime fans placed flowers in many places in
    appreciation of works to which my daughter contributed. I am now very
    proud of her. I hope she will be drawing pictures together with her
    colleagues in Heaven."

    Parents of other victims would have similar comments. Surviving victims
    need months or even years to heal from the wounds. The psychological
    damage is definitely large although hard to estimate. How can a company
    restart business operation amid such mental hardship?

    Personal comment: Ms. Ishida worked on animations such as the Suzumiya Haruhi TV series and others, which produced some interesting songs including the
    following one that has been played ALMOST 100 MILLION TIMES on YouTube.

    https://www.youtube.com/watch?v=WWB01IuMvzA

    This particular song is in my favorite list and I play the list from time to time in random order during desk work. Next time the song comes up and I
    watch the animation images on PC screen whose color coordination Ms. Ishida produced, I would recall the words of her parents. What a pity.  Not just an interesting BGM song anymore...

    ------------------------------

    Date: Fri, 26 Jul 2019 10:15:41 -0400
    From: George Mannes <gmannes@gmail.com>
    Subject: Colorado gov't. email account for reporting child abuse goes
    unchecked for 4 years (WashPost)

    From The Washington Post:

    https://www.washingtonpost.com/nation/2019/07/15/colorado-didnt-check-an-email-account-child-abuse-neglect-reports-years-five-cases-were-never-investigated/

    Colorado didn't check an email account for child abuse reports for
    years. Five cases weren't investigated.

    By Hannah Knowles, July 15

    An email account set up by the Colorado government for reports of child
    abuse and neglect went unchecked for four years, leaving more than 100
    messages about mistreatment concerns unanswered and allowing five cases
    that needed follow-up to go without investigation.

    The email account was set up in 2015 to support a phone hotline and then forgotten, allowing reports to slip through at a time when the state worked
    to increase reporting of child abuse and emphasized a speedy response to concerns through a 24/7 hotline. That phone number received a record number
    of calls last year, four years into a public awareness campaign aimed at teaching more Coloradans about the state's resources....

    ...A May 15 internal audit discovered the problem. By the time the
    department looked at the neglected email account, 321 messages had piled
    up, including 104 about concerns that children were being abused or
    neglected, department spokeswoman Madlynn Ruble told The Washington Post.
    Many of those emails were duplicates or had already been addressed through other channels, Ruble said....

    ------------------------------

    Date: Sun, 04 Aug 2019 19:16:33 +0100
    From: Chris Drewe <e767pmk@yahoo.co.uk>
    Subject: Re: "Mortgage Provider Tells Savers of Zero Balances"

    Item about a UK building society (mortgage provider) from this weekend's newspaper -- summary follows with my comments.

    Sally Hamilton, The Mail On Sunday, 3 Aug 2019
    Panic as Nationwide BS emails 1.3m customers to tell them they have no
    money!

    https://www.dailymail.co.uk/money/saving/article-7317645/Panic-Nationwide-BS-emails-1-3m-customers-tell-no-money.html

    Nationwide Building Society has come under fire for emailing 1.3 million
    savers with a 'summary' of their accounts showing they all had balances of zero. ... data security rules meant it was unable to provide balances by
    email 'because it isn't 100 per cent secure'. The new summary simply shows
    the types of accounts savers hold along with the interest rates paid -- and what balance is required to receive it. This showed... ISA accounts pay 1.1
    per cent and 1.2 per cent -- on balances of '0+ pounds'.

    [Looks like another casualty of data-protection laws, but more
    likely a case of a badly-worded message. CD]

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.35
    ************************

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)