"[W]hat Logan's findings show us is that vulnerabilities were not just hypothetical as the state had been claiming. Now we know that it was a very real risk, but what we don't know is just how bad did it get. And the public deserves to know," she said. Georgia used the server to distribute critical election and voter registration files to counties throughout the state. However, the state has insisted that it never distributed files to program voting machines through the server. Instead, it delivered these files to counties physically. But if the server was compromised, it could have been a vehicle to distribute malware to any county election worker who connected to it. Georgia's secretary of state, Brad Raffensperger, did not respond immediately to a request for comment. Kemp served as secretary of state at the time of the 2016 election, before being elected governor in 2018. The Center for Election Systems at Kennesaw State University, which was responsible for programming all of the voting machines in Georgia before every election, owned and operated the server in question. That server was already known to have security issues. As POLITICO first reported, months before the 2016 election, Lamb discovered that the KSU server was improperly secured so that anyone could access sensitive election data stored on it, and it also had an unpatched vulnerability in so-called Drupal software the server used, which would have allowed attackers to take control of the server and alter or delete data on it, or to post malware that could have infected the computers of election officials accessing the server. Logan made the discovery by chance when he visited the Center for Election Services website to learn more about their role in programming voting machines for Georgia. 
After the POLITICO story published in June 2017, the plaintiffs filed their lawsuit and sought to obtain the server for evidence supporting their contention that Georgia's election systems are not secure and could have been tampered with in the 2016 election. But officials at Kennesaw wiped the server clean shortly after the plaintiffs filed their suit. The FBI had a mirror image of the server, which had been made in March 2017, but state officials fought to prevent the plaintiffs from obtaining it to examine. They lost that fight last year. Only recently was Lamb able to examine the server for evidence of tampering. In his affidavit, Lamb said the server appears to have been compromised in December 2014, using an unpatched vulnerability called *Shellshock* that had been publicly revealed and widely reported three months earlier. The Shellshock vulnerability is different from the Drupal one Lamb discovered when he visited the Center's website in 2016. Both the Shellshock and Drupal vulnerabilities had been publicly exposed around the same time, but despite both receiving extensive media coverage and even a Department of Homeland Security alert in the case of Shellshock, officials at the Center for Election Systems failed to apply a patch to close either of them when the patches were released.
WASHINGTON (Reuters) - The National Highway Traffic Safety Administration (NHTSA) said Friday it will review a petition asking the agency to formally investigate and recall 500,000 Tesla Inc vehicles over sudden unintended acceleration reports. https://www.reuters.com/article/us-tesla-probe-idUSKBN1ZG1IL
https://www.comparitech.com/blog/information-security/microsoft-customer-service-data-leak/ "Over the New Year, Microsoft exposed nearly 250 million Customer Service and Support (CSS) records on the web. The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019. All of the data was left accessible to anyone with a web browser, with no password or other authentication needed."
EXCERPT: Internet Explorer is dead, but not the mess it left behind. Microsoft earlier today issued an emergency security advisory warning millions of Windows users of a new zero-day vulnerability in Internet Explorer (IE) browser that attackers are actively exploiting in the wild -- and there is no patch yet available for it. The vulnerability, tracked as CVE-2020-0674 and rated moderate, is a remote code execution issue that exists in the way the scripting engine handles objects in memory of Internet Explorer and triggers through JScript.dll library. <https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001> A remote attacker can execute arbitrary code on targeted computers and take full control over them just by convincing victims into opening a maliciously crafted web page on the vulnerable Microsoft browser. "The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," the advisory says. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." Microsoft is aware of `limited targeted attacks' in the wild and working on a fix, but until a patch is released, affected users have been provided with workarounds and mitigation to prevent their vulnerable systems from cyberattacks. The affected web browsing software includes Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11 running on all versions of Windows 10, Windows 8.1, and the recently-discontinued Windows 7. Workarounds: Defend Against Attacks Until A Patch Arrives. [...] 
https://thehackernews.com/2020/01/internet-explorer-zero-day-attack.html https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001
Author writes: IoT and Our Low-Powered Sensor Future There are, by some measures, more than 30 billion Internet of Things (IoT) devices in use around the world. Virtually all of them live on Wi-Fi and cellular networks, but a small number, mostly tracking devices, are communicating in essentially a third way, on a LongFi network powered by Helium's small, consumer hot spots. And if Helium has its way, the LongFi network will change the way millions of low-powered devices communicate and how widely-distributed networks are built. Even though Helium has been around for 6 years, I'd never heard of it and hesitated to accept a CES meeting with CEO and Co-Founder Amir Haleem. The concept, though—a peer-to-peer wide-area wireless network with a crypto-currency angle—was intriguing. Plus, the company was co-founded by Napster founder Shawn Fanning. [...] Building such a network, even without the infrastructure overhead of LTE or 5G is not easy, but Helium cooked up an unusual solution. The company encourages consumers to put a Helium Hotspot in their home by making them a participant in the economics of the network, which is where Blockchain comes in. In addition to helping create the LongFi network, the Helium Hotspots are cryptocurrency mining systems and, depending on how third parties use the encrypted network, their hotspots may mine cryptocurrency in the form of Helium Tokens. The cryptocurrency collection is tracked in the Helium app. Granted, a Helium Token currently has no value, but someday, possibly depending on the scale of the Helium LongFi network, it may. That pitch was, somewhat surprisingly, enough to attract a couple hundred crypto enthusiasts in Austin, Texas (the network went live last summer). Haleem told me they also had no trouble finding takers enmeshed in the IoT world. https://www.lifewire.com/is-longfi-the-next-wireless-revolution-4782141 Risk? IoT + blockchain?
A fictitious industrial company with phony employee personas, website, and PLCs sitting on a simulated factory network fooled malicious hackers—and raised alarms for at least one white-hat researcher who stumbled upon it. EXCERPT: For seven months, researchers at Trend Micro ran a legitimate-looking phony industrial prototyping company with an advanced interactive honeypot network to attract would-be attackers. The goal was to create a convincing-looking network that attackers wouldn't recognize as a honeypot so the researchers could track and study attacks against the phony factory in order to gather intel on the real threats to the industrial control system (ICS) sector today. The faux company's factory network, which they purposely configured with some ports exposed to the Internet from May through December of last year, was mostly hit with the same types of threats that IT networks face: ransomware, remote access Trojans (RATs), malicious cryptojacking, and online fraud, as well as botnet-style beaconing malware that infected its robotics workstation for possible lateral movement. But there also were a few more alarming incidents with shades of more targeted intent. In one attack on 25 Aug 2019, for instance, an attacker worked its way around the robotics system, closed the HMI application, and then powered down the system. Later that month, an attacker was able to start up the factory network, stop the phony conveyor belt - and then shut down the factory network. Attackers via the HMI shut down the factory and locked the screen, while another opened the log view of the robot's optical eye. [...] https://www.darkreading.com/threat-intelligence/elaborate-honeypot-factory-network-hit-with-ransomware-rat-and-cryptojacking/d/d-id/1336842
/This story has been updated on Friday, Jan. 17 at 9:30 a.m. to indicate that some NFC employees have received larger paychecks than usual./ https://federalnewsnetwork.com/pay/2020/01/recent-paychecks-are-smaller-for-some-feds-due-to-national-finance-center-error/ ...well, then it's OK, that balances things.
A little-known start-up helps law enforcement match photos of unknown people to their online images—and "might lead to a dystopian future or something," a backer says. This application scrapes social media for its database of images, approximately 3 billion photographs. It claims it can recognize individuals wearing hats and glasses, also faces in profile. Its efficacy and accuracy have not been independently tested, yet it is in increasing use by police departments nationally. https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html
Police in the British capital are set to deploy automated facial recognition technology across the city, it was announced today. "The use of live facial recognition technology will be intelligence-led and deployed to specific locations in London," the Metropolitan Police Service said in a statement, arguing that this "will help tackle serious crime, including serious violence, gun and knife crime, child sexual exploitation and help protect the vulnerable." <http://news.met.police.uk/news/met-begins-operational-use-of-live-facial-recognition-lfr-technology-392451> Democratic governments in the West are increasingly following the example of authoritarian regimes in deploying the technology, which allows them to scan faces in crowds, compare the results with stored data and identify individuals in real time. Civil rights advocates have warned that such *live* or *automated* facial recognition systems pave the way for mass surveillance on an unprecedented scale, but in a landmark case earlier this year, a U.K. court ruled that South Wales Police had used similar technology lawfully. <https://www.politico.eu/article/uk-court-backs-police-in-facial-recognition-lawsuit/> Earlier today, German news wire DPA reported that the German interior ministry dropped plans to roll out similar technology at over a hundred train stations across the country, following warnings by legal experts that the use would likely infringe the country's constitution.
- The world's 2,153 billionaires have more wealth than 4.6 billion people combined, Oxfam's latest report on inequality found. - The richest 1% are more than twice as wealthy as 6.9 billion people, or nearly 90% of the human population, the report estimated. - A key driver of the wealth gap is that women and girls put in 12.5 billion hours of unpaid care work every day, the Oxfam researchers argued. - Their recommendations include investing in national care, passing laws to protect and pay care workers, and ending extreme wealth. EXCERPT: The world's 2,153 billionaires are richer than 4.6 billion people—60% of the global population—combined, according to "Time to Care <https://oxfamilibrary.openrepository.com/bitstream/handle/10546/620928/bp-time-to-care-inequality-200120-en.pdf>," Oxfam's latest report on inequality. "Our broken economies are lining the pockets of billionaires and big business at the expense of ordinary men and women," Oxfam India CEO Amitabh Behar said in a press release <https://www.oxfam.org/en/press-releases/worlds-billionaires-have-more-wealth-46-billion-people> ahead of this week's World Economic Forum in Davos, an annual gathering of business, academic, and political leaders. "No wonder people are starting to question whether billionaires should even exist," Behar added. The richest 1% are more than twice as wealthy as 6.9 billion people, or nearly 90% of the human population, the report's authors found. The 22 wealthiest men in the world, led by Amazon CEO Jeff Bezos and Microsoft cofounder Bill Gates, possess more wealth than all the women in Africa put together, they added. The Oxfam researchers highlighted a key driver of the issue: women and girls put in 12.5 billion hours of unpaid care work every day, contributing $10.8 trillion to the global economy each year—more than triple the size of the global tech industry, by their estimates. 
"This great divide is based on a flawed and sexist economic system that values the wealth of the privileged few, mostly men, more than the billions of hours of the most essential work—the unpaid and underpaid care work done primarily by women and girls around the world," they said. The authors made several recommendations to narrow the gap: Invest in national care to lessen the burden of care work shouldered by women and girls, pass laws to protect carers' rights and pay care workers a living wage, give carers a say in relevant decisions, challenge regressive and sexist norms, and ensure businesses value care work... [...] https://markets.businessinsider.com/news/stocks/2153-billionaires-richer-than-4-6-billion-people-combined-oxfam-2020-1-1028829249
Deals with Microsoft, IBM and Google reveal the power medical providers have in deciding how patients' sensitive health data is shared Melanie Evans, *WSJ*, 20 Jan 2020 https://www.wsj.com/articles/hospitals-give-tech-giants-access-to-detailed-medical-records-11579516200
[PGNed Via Geoff Goodfellow] - The Navy says it has material about UFOs that, if released, "would cause exceptionally grave damage to the National Security of the United States." - The Navy said it "discovered certain briefing slides that are classified TOP SECRET" in response to a freedom-of-information request, which asked about a series of videos that showed pilots baffled by mysterious, fast objects in the sky. - The Navy previously confirmed it was treating these objects as UFOs -- which means they are being treated as unexplained but not necessarily extraterrestrial. - One of the videos was published by The New York Times in 2017, and pilots told *The Times* they saw the objects accelerate, stop, and turn in ways that went beyond known aerospace technology. <https://www.nytimes.com/2019/05/26/us/politics/ufo-sightings-navy-pilots.html>, EXCERPT: The Navy has said it has top-secret information about unidentified flying objects that could cause "exceptionally grave damage to the National Security of the United States" if released. A Navy representative responded to a Freedom of Information Act request sent by a researcher named Christian Lambright by saying the Navy had "discovered certain briefing slides that are classified TOP SECRET," Vice reported last week. <https://www.vice.com/en_us/article/wxe54z/the-navy-has-secret-classified-video-of-an-infamous-ufo-incident> But the representative from the Navy's Office of Naval Intelligence said "the Original Classification Authority has determined that the release of these materials would cause exceptionally grave damage to the National Security of the United States." The person also said the Navy had at least one related video classified as "SECRET." Vice said it independently verified the response to Lambright's request with the Navy. 
<https://www.vice.com/en_us/article/wxe54z/the-navy-has-secret-classified-video-of-an-infamous-ufo-incident> Lambright's request for information was related to a series of videos showing Navy pilots baffled by mysterious, fast objects in the sky. <https://ufos-documenting-the-evidence.blogspot.com/2020/01/office-of-naval-intelligence-oni-admits.html> The Navy previously confirmed it was treating these objects as UFOs... https://www.businessinsider.com/navy-says-release-files-into-ufo-sightings-would-damage-security-2020-1
*The New York Times*, 17 Jan 2020 SAN FRANCISCO - It has become common wisdom that too much time spent on smartphones and social media is responsible for a recent spike in anxiety, depression and other mental health problems, especially among teenagers. But a growing number of academic researchers have produced studies that suggest the common wisdom is wrong. The latest research, published on Friday by two psychology professors, combs through about 40 studies that have examined the link between social media use and both depression and anxiety among adolescents. That link, according to the professors, is small and inconsistent. "There doesn't seem to be an evidence base that would explain the level of panic and consternation around these issues," said Candice L. Odgers, a professor at the University of California, Irvine, and the lead author of the paper, which was published in the Journal of Child Psychology and Psychiatry. https://www.nytimes.com/2020/01/17/technology/kids-smartphones-depression.html
https://www.straitstimes.com/world/spore-updates-ai-governance-model-with-real-world-cases The voluntary framework can be found here: https://www.imda.gov.sg/AI. It establishes fundamentally aspirational guidelines for organizations that adopt AI-based technology into their operations and/or products. The framework emphasizes these two key values: 1) "Decisions made by AI should be EXPLAINABLE, TRANSPARENT & FAIR" 2) "AI systems should be HUMAN-CENTRIC" That the framework conditionally expresses these progressive values reveals their portentous consequence were they applied as law and regulation. AI capabilities subject to demonstrate "EXPLAINABLE, TRANSPARENT & FAIR" operation and outcome, without exemption, would likely impose undue commercial liability and risk burden. Imagine if the AI capability was investigated, and shown (via logfile, transaction stream, sequence structures, judicial review proceedings, etc.) to render biased data processing results that a business uses for human capital management and hiring decisions, or performs loan approval, or authorizes medical expense payment? The consequences would likely be costly to both brand and valuation—a result that strongly resonates with for-profit organizations. Some forms of bias are benign—product material choice affects color-blind individuals, but might be unavoidable. If the product label clearly discloses this fact (not fit for use if color-blind, in black-and-white), the manufacturer is likely free from liability. Employment bias attributed to age, gender, ethnicity, etc. is not benign. AI-hiring bots need to transparently disclose their justification for candidate employment approval or rejection. Automatic trust is not merited in this case. Human review and oversight of AI conclusions are required to double-check machine outcome. 
Malcolm Gladwell's "Talking to Strangers: What We Should Know about the People We Don't Know," teaches that human trust between humans hinges on the "Truth Default" concept. By default, humans believe their peers. He explores and discusses conditions that contribute to trust determination. He explains the elusive nature of human deception, and the challenges that burden experienced interrogators (judges, detectives, counter-intelligence agents, etc.) attempting to identify it. AI algorithm decisions might one day be automatically judged for bias if an international reference standard existed for this context. This "bias reference standard" would be analogous to the kilogram, meter, or second, but it would apply to AI algorithm bias detection and context. It is doubtful that a software stack, especially one using conditional Boolean logic, can serve in this reference capacity. It is unlikely that a human can engineer it directly. Perhaps an artificial generalized intelligence can evolve to serve humans in this magnanimous capacity. Until a universal bias reference standard emerges, a bias-free AI algorithm, or equivalent computation structure hosted via quantum, neuromorphic, and/or analog computers, appears unlikely to materialize. Unless governments tighten regulations and toughen enforcement, criminals and scurrilous interests will exploit AI at the public's expense. Scam surveillance programs, enhanced malware detection platforms, may comprise the next technological disruption that entrepreneurs and startups pursue. How will their unbiased trust be earned and shown to serve the public interest? Will they yield explainable, transparent, and fair outcomes that can withstand legal scrutiny?
EXCERPT: What if a stranger could snap your picture on the sidewalk then use an app to quickly discover your name, address and other details? A startup called Clearview AI <https://clearview.ai/> has made that possible, and its app is currently being used by hundreds of law enforcement agencies in the US, including the FBI, says a Saturday report in The New York Times. <https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html> The app, says *The Times*, works by comparing a photo to a database of more than 3 billion pictures that Clearview says it's scraped off Facebook, Venmo, YouTube and other sites. It then serves up matches, along with links to the sites where those database photos originally appeared. A name might easily be unearthed, and from there other info could be dug up online. The size of the Clearview database dwarfs others in use by law enforcement. The FBI's own database, which taps passport and driver's license photos, is one of the largest, with over 641 million images of US citizens. The Clearview app isn't currently available to the public, but the Times says police officers and Clearview investors think it will be in the future. [...] https://www.cnet.com/news/clearview-app-lets-strangers-find-your-name-info-with-snap-of-a-photo-report-says/
It seems that hiring companies use AI systems to analyze not just CVs, but also video job interviews. Full story: https://edition.cnn.com/2020/01/15/tech/ai-job-interview/?utm_source=join1440&utm_medium=email&utm_placement=etcetera
[via Dave Farber] Bruce Schneier, 20 Jan 2020 The whole point of modern surveillance is to treat people differently, and facial recognition technologies are only a small part of that. https://www.nytimes.com/2020/01/20/opinion/facial-recognition-ban-privacy.html Communities across the United States are starting to ban facial recognition technologies. In May of last year, San Francisco banned facial recognition; the neighboring city of Oakland soon followed, as did Somerville and Brookline in Massachusetts (a statewide ban may follow). In December, San Diego suspended a facial recognition program in advance of a new statewide law, which declared it illegal, coming into effect. Forty major music festivals pledged not to use the technology, and activists are calling for a nationwide ban. Many Democratic presidential candidates support at least a partial ban on the technology. These efforts are well intentioned, but facial recognition bans are the wrong way to fight against modern surveillance. Focusing on one particular identification method misconstrues the nature of the surveillance society we're in the process of building. Ubiquitous mass surveillance is increasingly the norm. In countries like China, a surveillance infrastructure is being built by the government for social control. In countries like the United States, it's being built by corporations in order to influence our buying behavior, and is incidentally used by the government. In all cases, modern mass surveillance has three broad components: identification, correlation and discrimination. Let's take them in turn. Facial recognition is a technology that can be used to identify people without their knowledge or consent. It relies on the prevalence of cameras, which are becoming both more powerful and smaller, and machine learning technologies that can match the output of these cameras with images from a database of existing photos. But that's just one identification technology among many. 
People can be identified at a distance by their heart beat or by their gait, using a laser-based system. Cameras are so good that they can read fingerprints and iris patterns from meters away. And even without any of these technologies, we can always be identified because our smartphones broadcast unique numbers called MAC addresses. Other things identify us as well: our phone numbers, our credit card numbers, the license plates on our cars. China, for example, uses multiple identification technologies to support its surveillance state. Once we are identified, the data about who we are and what we are doing can be correlated with other data collected at other times. This might be movement data, which can be used to *follow* us as we move throughout our day. It can be purchasing data, internet browsing data, or data about who we talk to via email or text. It might be data about our income, ethnicity, lifestyle, profession and interests. There is an entire industry of data brokers who make a living analyzing and augmenting data about who we are -- using surveillance data collected by all sorts of companies and then sold without our knowledge or consent. There is a huge—and almost entirely unregulated—data broker industry in the United States that trades on our information. This is how large internet companies like Google and Facebook make their money. It's not just that they know who we are, it's that they correlate what they know about us to create profiles about who we are and what our interests are. This is why many companies buy license plate data from states. It's also why companies like Google are buying health records, and part of the reason Google bought the company Fitbit, along with all of its data. The whole purpose of this process is for companies—and governments—to treat individuals differently. We are shown different ads on the internet and receive different offers for credit cards. Smart billboards display different advertisements based on who we are. 
In the future, we might be treated differently when we walk into a store, just as we currently are when we visit websites. The point is that it doesn't matter which technology is used to identify people. That there currently is no comprehensive database of heart beats or gaits doesn't make the technologies that gather them any less effective. And most of the time, it doesn't matter if identification isn't tied to a real name. What's important is that we can be consistently identified over time. We might be completely anonymous in a system that uses unique cookies to track us as we browse the internet, but the same process of correlation and discrimination still occurs. It's the same with faces; we can be tracked as we move around a store or shopping mall, even if that tracking isn't tied to a specific name. And that anonymity is fragile: If we ever order something online with a credit card, or purchase something with a credit card in a store, then suddenly our real names are attached to what was anonymous tracking information.
Stock traders are accused of siphoning $60 billion from state coffers, in a scheme that one called `the devil's machine'. Germany is the first country to try to get its money back. https://www.nytimes.com/2020/01/23/business/cum-ex.html
Wonderful and scary story about Y2038. It's here, now. https://twitter.com/jxxf/status/1219009308438024200 Summary: a batch script that does financial projections 20 years out, dies on January 19, 2018. No one knew what was wrong at first. This batch job had never, ever crashed before, as far as anyone remembered or had logs for. The person who originally wrote it had been dead for at least 15 years, and in any case hadn't been employed by the firm for decades. [Unix Redux. 2034 seemed fairly far ahead when Ken Thompson chose that end date. Unix systems will still be around, and we will hear more beforehand, and then after the fixes don't last, just like Y2K. PLAN AHEAD means different things to different folks. PGN]
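The arithmetic behind that crash, as an added example (not code from the thread or the firm in question): a signed 32-bit time_t tops out at 2038-01-19T03:14:07Z, which is exactly twenty years after 2018-01-19T03:14:07Z, so a "project 20 years out" step first crosses the limit on the day the story names. The date conversion is the standard era-based civil-to-days computation; the run dates are constructed inputs.

```c
/* Added example: why a 20-year projection run on 19 Jan 2018 overflows a
 * 32-bit signed time_t. Written here to illustrate the failure mode; the
 * firm's actual batch job is not shown in the story. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Days since 1970-01-01 for a proleptic Gregorian civil date
 * (standard era-based algorithm; valid well outside 1970..2038). */
static int64_t days_from_civil(int64_t y, unsigned m, unsigned d)
{
    y -= (m <= 2);                                   /* year runs Mar..Feb */
    const int64_t era = (y >= 0 ? y : y - 399) / 400;
    const unsigned yoe = (unsigned)(y - era * 400);  /* year of era, 0..399 */
    const unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    const unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (int64_t)doe - 719468;     /* 719468: 0000-03-01..1970-01-01 */
}

/* Seconds since the Unix epoch (UTC), computed in 64 bits so nothing wraps here. */
int64_t civil_to_unix(int64_t y, unsigned m, unsigned d,
                      unsigned hh, unsigned mm, unsigned ss)
{
    return days_from_civil(y, m, d) * 86400 + hh * 3600 + mm * 60 + ss;
}

/* A signed 32-bit time_t holds at most 2^31-1 = 2038-01-19T03:14:07Z. */
bool fits_time32(int64_t t)
{
    return t >= INT32_MIN && t <= INT32_MAX;
}

static bool is_leap(int64_t y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Calendar-add `years` to a timestamp (clamping 29 Feb to 28 Feb when the
 * target year is not leap) and report whether the result no longer fits a
 * 32-bit time_t. This is the check a "project N years out" step needs. */
bool projection_overflows(int64_t y, unsigned m, unsigned d,
                          unsigned hh, unsigned mm, unsigned ss, int years)
{
    int64_t ty = y + years;
    unsigned td = (m == 2 && d == 29 && !is_leap(ty)) ? 28 : d;
    return !fits_time32(civil_to_unix(ty, m, td, hh, mm, ss));
}

int main(void)
{
    /* Constructed inputs: the run date from the story and a 20-year horizon. */
    int64_t cutoff = civil_to_unix(2038, 1, 19, 3, 14, 7);
    printf("2038-01-19T03:14:07Z = %lld seconds (fits 32-bit: %s)\n",
           (long long)cutoff, fits_time32(cutoff) ? "yes" : "no");
    printf("run 2018-01-18 noon, +20y overflows: %s\n",
           projection_overflows(2018, 1, 18, 12, 0, 0, 20) ? "yes" : "no");
    printf("run 2018-01-19 noon, +20y overflows: %s\n",
           projection_overflows(2018, 1, 19, 12, 0, 0, 20) ? "yes" : "no");
    return 0;
}
```

The same check applied to any horizon (or to a 64-bit build's inputs) tells you the first run date on which a given job will cross the boundary, which is the inventory question a Y2038 remediation effort starts with.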
... sending messages within LinkedIn with dodgy links. No reason LinkedIn accounts would be immune, so be alert. Plenty of previous reports: https://www.google.com/search?client=firefox-b-1-d&q=linkedin+account+hacked
Your Recent Service Experience TMNA_GEO_NAME_ENUM and BP_EXTERNAL_NAME_TXT would like to thank you for choosing a new TMNA_MODEL_NAME_AUTO. We appreciate your business and value you as a customer. About two weeks ago, we sent an email requesting your feedback. The information you provide will help TMNA_GEO_NAME_ENUM, its distributors, its affiliates, and BP_EXTERNAL_NAME_TXT continuously improve customer experiences. If you have already shared your feedback, please disregard this email. This survey will be active through TMNA_SURVEY_EXPIRATION_DATE_TEXT_EMAILS= Please begin by responding to the question below. [...] Please do not reply to this e-mail as we are not able to respond to messages sent to this address.
I spotted this in a newspaper—summary follows https://www.telegraph.co.uk/technology/2020/01/20/dont-expect-return-browser-wars/ *The Telegraph*, 20 January 2020 Don't expect a return to the browser wars. It has been two decades since Microsoft and the US government went to war over the former's efforts to crush challengers to its Internet Explorer web browser. Explorer's market share peaked at around 95pc in 2004 before heading rapidly down with the rise of superior rivals such as Mozilla's Firefox, Opera and then Google's Chrome. Whether Microsoft lost because of intervention or because free market innovation did its job is still a matter of debate. But the firm was relegated to an afterthought in the browser wars. Explorer remains the butt of many jokes. [Edge] runs on Chromium, the engine built by Google for the search company's own Chrome browser. Most net users are unconcerned about which web engines they use but they have been a key part of the battle between major software companies. Microsoft's [IE] browser—once so dominant it triggered monopoly investigations on two continents—managed to become so irrelevant it was not worth working to support. Quite a fall. I had to feel a twinge of sympathy for Microsoft as the EU court case dragged on for years, and when they paid the fine, hardly anybody was still using Internet Explorer anyway...