From Behind the X-Ray Specs, the IT Privacy and Security Weekly Update for October 19th 2021



Daml’ers,

From new and innovative ways to introduce facial recognition, to looking through walls, we have you covered, (or perhaps uncovered)!

We start our journey in subterranean Moscow, move on to a sweetie factory in Chicago, and then into your dentist’s office. From there, AI leaves us spinning before we discover the top 3 locations for mining Bitcoin and a new competitor in the Texan insurance market. We end… outside looking in.

Without another moment’s hesitation, let’s unpack that old Ghostbusters gear, put on the X-Ray specs, and have our best adventure yet!


RU: Privacy fears as Moscow metro rolls out facial recognition pay system

The Moscow metro has rolled out what authorities have lauded as the world’s first mass-scale facial recognition payment system, amid privacy concerns over the new technology.

The cashless, cardless, and phoneless system, named Face Pay, launched at more than 240 stations across the Russian capital on Friday.

“Now all the passengers will be able to pay for travel without taking out their phone, metro, or bank card,” the Moscow mayor, Sergey Sobyanin, tweeted on Thursday evening.

To activate Face Pay, Sobyanin said, passengers will need to connect their photo, bank card, and metro card to the service through the metro’s mobile app. “It will be enough just to look at the camera to pass through the turnstiles,” Sobyanin said.

The Moscow authorities, who expect up to 15% of metro passengers will use Face Pay regularly in the next three years, said the system would quicken the flow of people, particularly at busy times.

Moscow recently expanded its facial recognition technology across the capital, with a network of more than 175,000 surveillance cameras.

Human rights activists said the cameras were used to identify protesters who attended rallies in support of the jailed opposition politician Alexei Navalny. Facial recognition was also used to enforce Covid-19 quarantines during Russia’s two-month lockdown in spring 2020.

So what’s the upshot for you? The Russian metro with more than 6 million daily passengers is certainly a substantial addition to the surveillance already in place.


Global: LightBasin: A Roaming Threat to Telecommunications Companies

CrowdStrike Services has investigated multiple intrusions within the telecommunications sector from a sophisticated actor tracked as the LightBasin activity cluster, also publicly known as UNC1945. Active since at least 2016, LightBasin employs significant operational security measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems. CrowdStrike identified evidence of at least 13 telecommunication companies across the world compromised by LightBasin dating back to at least 2019.

Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control, and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata. The nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations.

This research emerges amid escalating competition between the Chinese and U.S. governments in all manner of geopolitics: military power, cyberspace, trade, and science. The CIA recently announced that it was reorganizing to focus more on understanding Chinese activities around the world, as the country continues to exert itself technologically and the US government grapples with major questions about what it truly knows about Chinese capabilities, and whether the U.S. efforts are keeping pace.

So what’s the upshot for you? Mobile phones are not magic. They need hard infrastructure to run on and that is the point of compromise in this case. Perhaps your calls are not as private as you thought.


Global: NFT Use Cases That Could Go Mainstream

NFTs are here. They’re no longer fringe.

Specifically, art and collectible NFTs have gone mainstream with breathtaking speed – faster than even the most starry-eyed, to-the-moon crypto bull could have dreamed. We now have a better idea of why. NFTs (especially art and collectibles) are fun, visualizable, culturally relevant and they’re easy to understand in a way that many blockchain concepts are not.

  • Gaming. Every day, there are 2 million people who play with the little blobs of Axie Infinity, which now has a valuation of $3 billion. “Gaming is really exciting, as you already have billions of people who are buying digital goods inside of games,”

  • Fashion and wearables. “Luxury brands are coming to the NFT space.” A new brand called Auroboros, which describes itself as “the first fashion house to merge science and technology with physical couture,” unveiled a line of digital apparel that you “wear” using augmented reality (AR). For perspective, this was not at a crypto conference. This happened at London Fashion Week.

  • DeFi NFTs. Let’s say you blew your last $5 million on a CryptoPunk NFT, but now – oops! – you forgot that you need to pay your rent. No problem. You can use that CryptoPunk as collateral for a loan at NFTfi. When you hand over the CryptoPunk as collateral, you automatically get it back when you pay off your debt. And if you default? Thanks to the wizardry of smart contracts, the NFT gets transferred to the lender, eliminating the need for debt collection and bounty hunters.

  • Events and ticketing. Another hypothetical: Your favorite band has an upcoming concert, and you want to go. Tickets are $100. Now imagine the ticket you buy is actually an NFT, and your NFT does the following things:

    • It’s emblazoned with some artwork from a designer you like.
    • It serves as concert memorabilia. So it might even be worth something someday, like old ticket stubs to Beatles concerts.
    • Inside the venue, you can use the NFT as a means of getting snacks or beers.
    • Thanks once again to the magic of smart contracts, the revenue from your NFT automatically pays the performer 40%, the DJ 10%, the lighting crew 2%, the janitors 1%, and on and on. No middle-person is needed to orchestrate the payments, which means you pay almost nothing in fees.
    • If you bought the VIP ticket, the NFT unlocks your access to visit the performer backstage.
  • The metaverse… a place to store and appreciate NFT art, a hub for gaming, or a place to buy virtual land. The sky is the limit.

  And finally:

  • Everything. Digitalization of everything physical. “We’re already spending most of our waking hours online, we’re going to have a lot of digital goods.” In the future, if someone buys a cool pair of Air Jordans (physical ones that go on your feet), they’ll want its NFT companion. They’ll want the NFT so they can flaunt it, flex it, and perhaps use it in a metaverse.

So what’s the upshot for you? It seems like the natural evolution: digital and physical equivalents. Maybe that sounds far-fetched. But only a year ago, so did the idea of mainstream NFTs for art and collectibles.


US: OK this Ransomware Gig has gone Far Enough. Don’t mess with Halloween.

Ferrara, which makes Brach’s Candy Corn, as well as brands like Nerds, Laffy Taffy, Keebler, and Famous Amos, said it discovered a hack, which encrypted some of its systems, on Oct. 9. The company is working with law enforcement and outside specialists to restore those systems and get back to operating at full capacity.
“We have resumed production in select manufacturing facilities, and we are shipping from all of our distribution centers across the country, near to capacity. We are also now working to process all orders in our queue,” Ferrara said.

So what’s the upshot for you? Several of its brands are Halloween staples, but Ferrara said consumers shouldn’t worry about shortages. Those products are shipped to retailers in early August and should already be on shelves, the company said.


US: Data Breach Hits US Dental Patients

A cyber-criminal used a phishing attack to gain access to the computer systems of North American Dental Management between March 31 and April 1, 2021.

Following the security breach, PDA notified patients that an unauthorized individual may have accessed some of their protected health information (PHI).

The information that may have been exposed was stored in email accounts that the attacker was able to breach. “The full extent of the potentially affected personal information is not yet known and will vary between persons, but it may include the following: name, address, email address, phone number, dental information, insurance information, Social Security Number, and/or financial account numbers.”

The breach was reported to the DHS’s Office for Civil Rights as impacting 125,760 patients in Connecticut, Florida, Georgia, Illinois, Indiana, Massachusetts, Michigan, New York, Texas, and Tennessee.

So what’s the upshot for you? Not a good day for those big, bright, smiles!


US: The Pentagon Wants AI to Predict Events Before They Occur

During the 1980s, the KGB wanted to predict the start of nuclear war as much as six months to a full year in advance from a wide variety of indicators—e.g., physical locations of U.S. nuclear warheads and monitored activities at American embassies and NATO, unplanned movement of senior officials, FEMA preparations, military exercises and alerts, scheduled weapons maintenance, leave policies for soldiers, visa approvals and travel information, and U.S. foreign intelligence activities. They even considered the removal of documents related to the American Revolution from public display as a potential indicator of war.

Massive amounts of data were fed into a computer model to “calculate and monitor the correlation of forces, including military, economy, and psychological factors, to assign numbers and relative weights.” The findings from RYaN contributed to Soviet paranoia about a pending U.S. nuclear attack in 1983 and nearly led their leaders to start a nuclear war.

Though such an idea came long before its time, today’s machine learning technologies are now capable of detecting subtle patterns in seemingly random data and could start making accurate predictions about adversaries in the near term. Amidst the wellspring of enthusiasm for AI-enabled decision tools, U.S. defense leaders are hoping to deflect any concerns by insisting that their adoption will be responsible, humans will remain in the loop, and any systems that produce unintended consequences will be taken offline.

In July 2021, the North American Aerospace Defense Command (NORAD) and U.S. Northern Command (NORTHCOM) conducted the third series of tests called the Global Information Dominance Experiments (GIDE), in collaboration with leaders from 11 combatant commands. The first and second series of tests took place in December 2020 and March 2021, respectively. The tests were designed to occur in phases, each demonstrating the current capabilities of three interlinked AI-enabled tools called Cosmos, Lattice, and Gaia. Together, these decision tools are supposed to anticipate what adversaries will do ahead of time, allowing U.S. military leaders to preempt the actions of adversaries before kinetic conflict arises and deny them any perceived benefits from taking any predicted actions. Such tools are particularly attractive to U.S. defense leaders as they prepare for compressed decision times in the future due to greater use of AI.

These AI-enabled platforms are expected to go beyond merely providing enhanced situational awareness and better early warning to offer U.S. military leaders what is considered the holy grail of operational planning—producing strategic warning of adversarial actions in the gray zone (i.e., the competition phase), prior to any irreversible moves having been made. Such an advancement would allow decision-makers to formulate proactive options (rather than the reactive ones of the past) and enable much faster decisions.

It is unclear whether any proactive actions taken in response to predicted adversarial behavior might be perceived by the other side as aggressive and end up catalyzing the war we sought to avoid in the first place.

So what’s the upshot for you? Assembling a truly unbiased dataset designed to predict specific outcomes remains a major challenge, especially for life and death situations and in areas of sparse data availability such as a nuclear conflict. What could possibly go wrong?


Global: Facebook Uses AI Math to Hide Its Hate Speech Problem

In public, Facebook seems to claim that it removes more than 90 percent of hate speech on its platform, but in private internal communications, the company says the figure is only 3 to 5 percent. Facebook wants us to believe that almost all hate speech is taken down when in reality almost all of it remains on the platform.

“We removed about 12 million pieces of content in Groups for violating our policies on hate speech, 87 percent of which we found proactively.” In nearly every quarterly transparency report, Facebook proclaims hate speech moderation percentages in the 80s and 90s like these. Yet a leaked document from March 2021 says, “We may action as little as 3-5% of hate … on Facebook.”

So where is the truth? Let’s look at the numbers.

The 94 percent figure that Facebook has publicly touted is the “proactive rate”: the number of hate speech items taken down that Facebook’s AI detected, divided by the total number of hate speech items taken down.

What matters is the amount of hate speech that is not removed from the platform.

The best way to capture this is the number of hate-speech takedowns divided by the total number of hate speech instances. This “takedown rate” measures how much hate speech on Facebook is actually taken down—and it’s the number that Facebook tried to keep secret. According to internal documents, more than 95 percent of hate speech shared on Facebook remained in place.

Zuckerberg boasted to Congress that Facebook took down 12 million pieces of hate speech in Groups, but based on the leaked estimate, we now know that around 250 million pieces of hate speech were likely left up.
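To make the difference between the two metrics concrete, here is a small Python model, added as an illustration and not taken from the article or from Facebook. The counts are constructed to match the figures quoted above (12 million takedowns, 87 percent found proactively, a 3 to 5 percent takedown rate) and are not Facebook’s actual internal data. The point it shows is that the proactive rate depends only on what was removed, so it stays at 87 percent no matter how much hate speech was never removed at all.

```python
"""Proactive rate vs. takedown rate for content moderation.

All counts here are constructed inputs chosen to match the figures quoted
in the article; they are illustrative, not Facebook's real internal data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ModerationCounts:
    takedowns: int              # items removed as hate speech
    ai_detected_takedowns: int  # subset of takedowns first flagged by AI, not by users
    total_instances: int        # estimated hate-speech items on the platform, removed or not


def proactive_rate(c: ModerationCounts) -> float:
    """Share of removals that AI flagged before a user reported them.

    The denominator is removals only, so this number is blind to how much
    hate speech was never removed at all.
    """
    return c.ai_detected_takedowns / c.takedowns


def takedown_rate(c: ModerationCounts) -> float:
    """Share of all hate-speech items that were actually removed."""
    return c.takedowns / c.total_instances


def items_left_up(c: ModerationCounts) -> int:
    """Hate-speech items that remain on the platform."""
    return c.total_instances - c.takedowns


def instances_implied_by(takedowns: int, rate: float) -> int:
    """Back out total prevalence from a takedown count and a takedown rate."""
    if not 0.0 < rate <= 1.0:
        raise ValueError("takedown rate must be in (0, 1]")
    return round(takedowns / rate)


def scenario(takedowns: int, proactive_share: float, rate: float) -> ModerationCounts:
    """Build constructed counts for a given takedown count, AI share and takedown rate."""
    return ModerationCounts(
        takedowns=takedowns,
        ai_detected_takedowns=round(proactive_share * takedowns),
        total_instances=instances_implied_by(takedowns, rate),
    )


if __name__ == "__main__":
    # Constructed: 12M takedowns, 87% AI-found, takedown rate of 3% or 5%.
    for rate in (0.03, 0.05):
        c = scenario(12_000_000, 0.87, rate)
        print(
            f"takedown rate {rate:.0%}: proactive rate {proactive_rate(c):.0%}, "
            f"takedown rate {takedown_rate(c):.1%}, left up {items_left_up(c):,}"
        )
```

Running the script shows the proactive rate fixed at 87 percent in both scenarios while the number of items left up ranges from roughly 228 million to 388 million, which is why the two headline numbers answer different questions.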

Content moderation is an incredibly challenging problem, and we need to admit that AI is very far from the solution some suggest it as being. Quoting numbers from the relatively small quantity that AI effectively recognized is like putting a lightbulb in a closet and saying it lights 97% of the room when the rest of the home is in the dark.

So what’s the upshot for you? Facebook did not technically lie or “misstate” the truth, as the recent Haugen complaint alleges; it just gave an answer to a different question.


Global: Mining Where? The new Bitcoin Top 3 and the Accompanying Concerns.

The CBECI, which is produced by the Cambridge Centre for Alternative Finance, tracks the geographic distribution of computing power used for mining Bitcoin - receiving data from a number of commercial Bitcoin mining pools.

The latest data, which covers the four months to the end of August, suggests that most Bitcoin mining (35.4%) is now US based, with Kazakhstan (18.1%) second and Russia (11%) third.

The decline of China as a crypto mining powerhouse has been unexpected and rapid after the government put its ban in place.

So what’s the upshot for you? More of a worry are the CO2 emissions and the electronic waste, because the computers used rapidly become obsolete. The first worry could be improved over time with alterations in power sources, but the second could still be an issue, especially in places like Kazakhstan where there is no national legislation on e-waste.


US: Tesla officially launches its insurance using ‘real-time driving behavior,’ starting in Texas

“Tesla offers insurance using real-time driving behavior. This is currently available to all Model S, Model 3, Model X and Model Y owners in Texas.”

The automaker wrote about the policy’s differentiating factor: “Unlike other telematics or usage-based insurance products, Tesla does not require an additional device to be installed in your vehicle. Tesla uses specific features within the vehicle to evaluate your premium based on your actual driving. You will make monthly payments based on your driving behavior instead of traditional factors like credit, age, gender, claim history, and driving records used by other insurance providers.”

In the fine print, Tesla insists that it will not use age or gender to calculate your insurance premium or whether or not you have had any car accidents.

The automaker says that the “safety score,” which was first introduced for Full Self-Driving Beta testers last month, will be the main factor. And it’s made up of these:

  • Forward Collision Warnings per 1,000 Miles
  • Hard Braking
  • Aggressive Turning
  • Unsafe following distance
  • Forced Autopilot disengagement

The automaker says that it expects those deemed “average” drivers by the safety score should save 20% to 40% on their premium compared to competitors, and those with the safest scores could save between 30% to 60%.

So what’s the upshot for you? Everyone starts with a score of 90 and the premium fluctuates with the number of scoring events picked up (or not). Sounds great, right? The only issue is that apparently the insurance still costs more than the competition on a good day.


Global: Heavyweights Lead New Supply Chain Security Initiative

The Trusted Computing Group (TCG) is a non-profit organization that develops, defines, and promotes open and vendor-neutral industry specifications and standards for trusted computing platforms, including the widely used Trusted Platform Module.

The organization this week announced a new workgroup focusing on supply chain security. Representatives of Microsoft, Intel, and Goldman Sachs will lead the new group, which will work on developing guidance for supply chain security standards.

The new group has two main objectives: provisioning (ensuring that devices are genuine) and recovery (helping organizations recover after a cyberattack).

So what’s the upshot for you? It’s early days yet, but this sounds like a sensible initiative and something that even government initiatives can dovetail into.


IL: Israel Develops Tech to look through Walls

Israeli technology firm Camero-Tech has developed a military device that can detect live objects hiding behind walls from over 50 meters (164 feet) away.

Dubbed the Xaver™ LR40, the portable system can accurately identify the presence and number of objects moving behind walls in real time, thereby helping soldiers in standoff situations or covert operations where a safe distance from targets must be maintained.

According to company official Ilan Abramovich, the long range of the new equipment makes it unique and different from other “see through walls” devices developed by other firms. He explained that the Xaver LR40 is based on ultra-wideband radio signals, allowing it to send continuous pulses and penetrate walls made of multiple materials. However, he pointed out that the technology cannot see through walls made of solid metal, where radio signals are blocked.

So what’s the upshot for you? Abramovich did want to make the point that rebar and wire mesh will still let the signals through.


That’s it for this week. Let’s put those x-ray specs away for now and get back to the clearly visible.

Thanks for joining us. Stay kind, be safe, stay secure and we will see you in a see-through se7en.
