Monthly Archives: October 2016

I wouldn’t hire James Bond, says real-life MI6 British spy chief

MI6 chief gives the thumbs down to hiring 007, the spy film hero of the silver screen

Actor Daniel Craig poses for photographers on the red carpet at the German premiere of the new James Bond 007 film "Spectre" in Berlin, Germany, October 28, 2015. REUTERS/Fabrizio Bensch/Files

Despite his unrivalled record for single-handedly saving the world from disaster while seducing beautiful women along the way, James Bond would not get a job as a British spy, the head of external intelligence agency MI6 has said.

Alex Younger said real spies had to cope with complex moral and physical challenges in the most forbidding environments on Earth, which would rule out the agent known as 007 because he lacked a strong ethical core.

“In contrast to James Bond, MI6 officers are not for taking moral shortcuts,” Younger said in an interview published on Black History Month, a website dedicated to Britain’s annual celebration of its black culture and heritage.


“It’s safe to say that James Bond wouldn’t get through our recruitment process,” said Younger.

He added that while real MI6 spooks shared Bond’s qualities of patriotism, energy and tenacity, they needed additional values not displayed by the hero of “From Russia with Love”, “Goldfinger”, “Dr. No” or more recently “Skyfall” or “Spectre”.

“An intelligence officer in the real MI6 has a high degree of emotional intelligence, values teamwork and always has respect for the law — unlike Mr Bond.”

(Reporting by Estelle Shirbon; editing by Stephen Addison)


Henry Sapiecha


Red Cross data theft: personal info of 550,000 blood donors exposed to the masses

The private lives of half a million Australians – including sexual and medical histories – have been made public in what could be one of the country’s largest data breaches.

Australian Red Cross Blood Service staff are contacting more than 550,000 blood donors whose personal information was contained in a file accidentally placed on an unsecured, public-facing part of their website.

Massive Red Cross breach

A file containing the details of over 550,000 Red Cross blood donors and donor applicants has been leaked. Courtesy ABC News 24.

The information relates to donors from 2010 to 2016 and includes names, addresses and dates of birth as well as sensitive donation eligibility questions concerning sexual activity, drug use, weight and medical conditions.

The Australian Privacy Commissioner will launch an investigation and a human rights lawyer says those affected may be able to make a claim for damages.

The breach of data comes from the Australian Red Cross Blood Service and dates back to 2010. Photo: Dallas Kilponen

A text message sent to people potentially affected by the Red Cross data breach. Photo: Supplied

Red Cross Blood Service chief executive Shelly Park blamed human error by a contractor running the organisation’s website for the breach but said the information was considered to have a low risk of direct misuse in the future.

The data had been available online since early September and is believed to have been accessed on Monday, October 24.

Investigations are continuing and the Australian Federal Police and Australian Cyber Security Centre have been informed of the breach.

“On October 26, we learnt that a file, containing donor information, which was located on a development website, was left unsecured by a contracted third party who develops and maintains our website,” Ms Park said.

“The issue occurred due to human error. Consequently, this file was accessed by a person outside of our organisation.”

Ms Park said the organisation had engaged cyber security experts to investigate how it was “caught out” and was in the process of notifying donors affected.

Donors affected have been warned that there is an increased risk to their online security and that they should be on the lookout for phone and email scams.

“We are extremely sorry. We are deeply disappointed to have put our donors in this position,” Ms Park said.

Security researcher and technology blogger Troy Hunt, who runs the Have I Been Pwned data breach notification service, reported that the person who gained access to the information had contacted him, revealing Mr Hunt’s own personal details from a 1.74GB data file containing the records.

His name, email, gender, date of birth, phone number and date of last donation were disclosed in the file.

This was also the case with his wife, whose file also contained her blood type and their home address.

“The database backup was published to a publicly facing website. This is really the heart of the problem because no way, no how should that ever happen,” he wrote in a blog post.

Mr Hunt said he had deleted his copy of the information and the person who gave it to him had agreed to do the same. The Red Cross said, to their knowledge, “all known copies of the data have been deleted”.
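The root cause here is mundane: a database dump sat inside a directory that a web server was willing to hand out. The check below is an added example (not code from the Red Cross, its contractor or Troy Hunt) of the kind of pre-deployment gate that catches this class of mistake. It walks a document root and refuses files by name (dumps, backups, `.env` files) and by content, so a dump renamed to `.csv` is still caught. The sample web root, its file names and contents are constructed for the example.

```python
"""Pre-deployment check: refuse to publish a web root that contains database
dumps, backups or secrets. Matches on file names and on leading content."""
import tempfile
from pathlib import Path

# Names that should never sit under a public document root, or under a
# development site that is reachable from the internet.
SENSITIVE_SUFFIXES = (".sql", ".sql.gz", ".sql.zip", ".bak", ".dump",
                      ".sqlite", ".sqlite3", ".db", ".env")
# Content markers of MySQL/PostgreSQL dumps, so a renamed dump is still caught.
DUMP_MARKERS = (b"-- MySQL dump", b"CREATE TABLE", b"INSERT INTO", b"PGDMP", b"COPY public.")


def looks_like_dump(path, sniff_bytes=4096):
    """True if the first few KB of the file read like a SQL dump."""
    with open(path, "rb") as fh:
        head = fh.read(sniff_bytes)
    return any(marker in head for marker in DUMP_MARKERS)


def find_exposed_files(webroot):
    """Return sorted (relative path, reason) pairs for files that must not be published."""
    root = Path(webroot)
    findings = []
    for path in root.rglob("*"):          # pathlib globbing also matches dotfiles
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(SENSITIVE_SUFFIXES):
            reason = "backup/dump/secret file name"
        elif looks_like_dump(path):
            reason = "SQL dump content under an innocuous name"
        else:
            continue
        findings.append((path.relative_to(root).as_posix(), reason))
    return sorted(findings)


def build_sample_webroot():
    """Constructed document root for the example; none of this is real data."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.html").write_text("<html><body>ok</body></html>\n")
    (root / "assets").mkdir()
    (root / "assets" / "app.js").write_text("console.log('hello');\n")
    (root / "db_backup.sql").write_text("-- MySQL dump 10.13\nCREATE TABLE donors (id INT, name TEXT);\n")
    (root / "old").mkdir()
    (root / "old" / "export.csv").write_text("INSERT INTO donors VALUES (1, 'sample');\n")  # renamed dump
    (root / ".env").write_text("DB_PASSWORD=not-a-real-secret\n")
    return root


if __name__ == "__main__":
    for rel, reason in find_exposed_files(build_sample_webroot()):
        print(f"BLOCK {rel}: {reason}")
```

Run it as a CI step that fails the deploy when the list is non-empty, and pair it with a web-server rule that refuses to serve those extensions at all, so a file that slips past the check is still not downloadable. Development and staging sites need the same gate as production; the file in this incident was on a development site.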

Some exposed data could contain the highly sensitive eligibility questions, including: “In the last 12 months, have you engaged in any at-risk sexual behaviour?”


Donors are also asked if they have ever injected recreational drugs, are on antibiotics, if they are under or overweight and if they have undergone any surgical procedures.

Australian Privacy Commissioner Timothy Pilgrim announced a probe into the breach on Friday afternoon.

“I will be opening an investigation into this matter and will work with the Red Cross to assist them in addressing the issues arising from this incident.

“The results of that investigation will be made public at its conclusion,” he said in a statement.

“My office encourages voluntary notification of data breaches, particularly where there is a risk to an individual as a result of a breach.”

Human Rights lawyer George Newhouse said the privacy commissioner had the power to order damages and apologies.

Adjunct Professor Newhouse also said his office was considering mounting legal action for those affected.

“We’re looking into a class action on behalf of those who have had their data unlawfully accessed,” he said.

“On the basis that they’ve had their privacy breached.”

Even basic personal information could lead to identity fraud, but it was worse for anyone whose sexual or medical history had been compromised, he said.

“This is highly sensitive personal information that could cause enormous embarrassment to people in their personal and work lives. This incident highlights how vulnerable organisations and individuals are to unauthorised access.”

A Health Department spokeswoman said she was confident the blood service would recover.

“The ARCBS is a long-standing institution who are charged with ensuring a viable donor base, safe collection, processing and distribution of blood and blood products,” she said.

“We are confident that the ARCBS will be able to recover from this incident, build the confidence of the donor base and ensure that the safety and security of their systems are robust and compliant with privacy and confidentiality requirements.”

The AFP and the Australian Cyber Security Centre referred questions about their involvement to the Health Department.

People with privacy concerns about this incident can contact the privacy commissioner’s office for free confidential advice on 1300 363 992, or contact the Red Cross Blood Service through a dedicated hotline.


Henry Sapiecha

How to build defenses against the internet’s doomsday of DDoS attacks

Last week’s assault on Dyn’s global managed DNS service was only the start. Here’s how to fend off attacks both on your own servers and on the internet’s shared infrastructure.

We knew major destructive attacks on the internet were coming. Last week the first of them hit Dyn, a major Domain Name System (DNS) service provider, with a global Distributed Denial of Service (DDoS) attack.

As Dyn went down, popular websites such as Airbnb, GitHub, Reddit, Spotify, and Twitter followed it down. Welcome to the end of the internet as we’ve known it.

Up until now we’ve assumed that the internet was as reliable as our electrical power. Those days are done. Today, we can expect massive swaths of the internet to be brought down by new DDoS attacks at any time.

We still don’t know who was behind these attacks. Some have suggested, since Dyn is an American company and most of the mauled sites were based in the US, that Russia or Iran was behind the attack.

It doesn’t take a nation, though, to wreck the internet. All it takes is the hundreds of millions of unsecured shoddy devices of the Internet of Things (IoT).

In the Dyn onslaught, Kyle York, Dyn’s chief strategy officer, said the DDoS attack used “tens of millions” of devices. Hangzhou Xiongmai Technology, a Chinese technology company, has admitted that its webcam and digital video recorder (DVR) products were used in the assault. Xiongmai is telling its customers to update their device firmware and change usernames and passwords.

Good luck with that. Quick: Do you know how to update your DVR’s firmware?

The attack itself appears to have been made with the Mirai botnet, whose source code was publicly released a few weeks before the attack. Mirai scans the internet for devices that still accept their factory-default usernames and passwords, logs in (typically over Telnet), and enlists them. Anyone can use it, whether China, you, or the kid next door, to generate DDoS attacks. For truly damaging DDoS barrages you need to know something about the internet’s architecture, but that’s not difficult.

Or, as Jeff Jarmoc, a Salesforce security engineer, tweeted, “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.” That’s funny, but it’s no joke.

Fortunately, you can do something about it.


Securing the Internet of Things

First, and this unfortunately is a long-term solution, IoT vendors must make it easy to update and secure their devices. Since you can’t expect users to patch their systems — look at how well they do with Windows — patching must be made mandatory and done automatically.

One easy way to do this is to use an operating system, such as Ubuntu with Snap, to update devices quickly and cleanly. These “atomic” style updating systems make patches both easier to write and deploy.

Another method is to lock down IoT applications and operating systems. Just like any server, the device should have the absolute minimum of network services. Your smart TV may need to use DNS, but your smart baby monitor? Not so much.

That’s all fine and dandy and it needs to be done, but it’s not going to help you anytime soon. And, we can expect more attacks at any moment.

Defending your intranet and websites

First, protect your own sites by practising DDoS prevention 101. Make sure your routers drop malformed and junk packets. Rate-limit or restrict Internet Control Message Protocol (ICMP) at your network’s edge rather than blocking it outright: path MTU discovery depends on ICMP “fragmentation needed” messages, so a blanket block breaks connections in ways that are hard to diagnose. As always, set up good firewall and server rules. In short, block everything you can at your network edge and permit only what you know you need.

Better still, have your upstream ISP block unnecessary and undesired traffic. Your ISP can make your life easier simply by blackholing attack traffic upstream, before it reaches your link. And if you know your network will never need to receive unsolicited UDP traffic for services such as Network Time Protocol (NTP) or DNS, because you run no public NTP or DNS servers, your ISP can drop that traffic for you. Just make sure the filter is specific enough not to discard the legitimate replies your own resolvers and NTP clients are waiting for; reflected attack traffic and genuine answers both arrive from source port 53 or 123.

You should also look to DDoS mitigation companies to protect your web presence. Companies such as Akamai, Cloudflare, and Incapsula offer DDoS mitigation plans for businesses of all sizes.

As DDoS attacks grow to heretofore unseen sizes, even the DDoS prevention companies are being overwhelmed. Akamai, for example, had to stop trying to protect the Krebs on Security blog after it was smacked by a DDoS blast that reached 620 Gbps in size.

That’s fine for protecting your home turf, but what about when your DNS provider gets nailed?

You can mitigate these attacks by using multiple DNS providers. One way to do this is to use Netflix’s open-source program Denominator to manage mirrored DNS records across providers. It currently supports AWS Route53, Rackspace CloudDNS, DynECT, and UltraDNS, but adding your own or other DNS providers is not hard. This way, even when a DDoS knocks out a single DNS provider, your sites stay up, provided your domain’s NS delegation lists name servers at more than one of them; mirrored zone data does no good if every published name server belongs to the provider that is down.

Which ones will work best for you? Namebench, an easy-to-use, open-source DNS benchmark utility, answers one part of that question: it measures the speed and correctness of the recursive resolvers your own machines query. It does not benchmark authoritative providers, so for choosing which hosted DNS services should carry your zones you will need to look at their anycast footprint and outage history instead.

Even with spreading out your risk among DNS providers, DNS attacks are only going to become both stronger and more common. DNS providers like Dyn are very difficult to secure.

As Carl Herberger, vice president for security solutions at Radware, an Israel-based internet security company, told Bloomberg, DNS providers are like hospitals: they must admit anyone who shows up at the emergency room. That makes it all too easy to overwhelm them with massive attacks, in the range of 500 gigabits per second. In short, there is no easy, fast fix here.

One way to make these attacks less damaging is to raise the Time to Live (TTL) on the records in your own zones. The TTL is set by the zone owner, and every caching resolver on the internet honours it: when the TTL expires, the resolver must go back to the authoritative servers, and if those are under attack the lookup fails. Many zones today use a TTL of 600 seconds (ten minutes). If you raise it to, say, 21,600 seconds (six hours), resolvers that already hold your records can keep answering for up to six hours and may outlast the attack. The trade-off is that any change you make to those records takes just as long to propagate, so set the longer TTLs in advance rather than in the middle of an incident.
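Raising TTLs is only useful if it is done before the outage, which makes it a candidate for a routine audit. The following is an added example, not a tool from Dyn or any DNS provider: it parses a BIND-style zone file, reports every record whose effective TTL (explicit, or inherited from `$TTL`) is below a minimum, and emits a rewritten copy with those TTLs raised. The zone file below is constructed for the example; the parser assumes one record per line and no semicolons inside quoted rdata.

```python
"""Audit a BIND-style zone file for records whose effective TTL is below a
minimum and emit a copy with those TTLs raised."""
import re

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TTL_RE = re.compile(r"^(?:\d+[smhdw]?)+$", re.I)
CLASSES = {"IN", "CH", "HS"}
RECORD_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "TXT", "SOA", "SRV", "PTR", "CAA"}


def parse_ttl(token):
    """'600' -> 600, '10m' -> 600, '1h30m' -> 5400 (BIND unit suffixes)."""
    return sum(int(n) * _UNITS[u or "s"]
               for n, u in re.findall(r"(\d+)([smhdw]?)", token.lower()))


def audit_zone(zone_text, min_ttl=21600):
    """Return (findings, rewritten_zone). findings: (line_no, owner, ttl) below min_ttl.
    Assumes one record per line and no ';' inside quoted rdata."""
    default_ttl = None
    last_owner = "@"
    findings, out = [], []
    for no, line in enumerate(zone_text.splitlines(), 1):
        body, _, comment = line.partition(";")
        tokens = body.split()
        if not tokens:
            out.append(line)
            continue
        if tokens[0] == "$TTL":                  # zone-wide default TTL
            default_ttl = parse_ttl(tokens[1])
            if default_ttl < min_ttl:
                findings.append((no, "$TTL", default_ttl))
                default_ttl = min_ttl
                tokens[1] = str(min_ttl)
                line = " ".join(tokens) + (" ;" + comment if comment else "")
            out.append(line)
            continue
        if tokens[0].startswith("$"):            # $ORIGIN, $INCLUDE ...: pass through
            out.append(line)
            continue
        p, indented = 0, body[0].isspace()
        if not indented:                         # owner present only on unindented lines
            last_owner, p = tokens[0], 1
        ttl_idx = None
        if p < len(tokens) and _TTL_RE.match(tokens[p]):
            ttl_idx, p = p, p + 1                # explicit per-record TTL
        if p < len(tokens) and tokens[p].upper() in CLASSES:
            p += 1
        if p >= len(tokens) or tokens[p].upper() not in RECORD_TYPES:
            out.append(line)                     # not a record line this auditor understands
            continue
        effective = parse_ttl(tokens[ttl_idx]) if ttl_idx is not None else default_ttl
        if effective is not None and effective < min_ttl:
            findings.append((no, last_owner, effective))
            if ttl_idx is not None:              # explicit TTL: rewrite it in place
                tokens[ttl_idx] = str(min_ttl)
                line = ("\t" if indented else "") + " ".join(tokens) + (" ;" + comment if comment else "")
        out.append(line)
    return findings, "\n".join(out) + "\n"


# Constructed zone for the example (documentation addresses, invented names).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 600            ; ten minutes: every resolver re-asks this often
@       IN SOA ns1.example.com. hostmaster.example.com. ( 2016102801 7200 900 1209600 300 )
@       IN NS  ns1.example.com.
@       IN NS  ns2.example.net.
@   300 IN A   203.0.113.10
www 1h  IN CNAME example.com.
mail 1d IN MX  10 mx.example.com.
        IN A   203.0.113.25
"""

if __name__ == "__main__":
    found, fixed = audit_zone(SAMPLE_ZONE)
    for line_no, owner, ttl in found:
        print(f"line {line_no}: {owner} has TTL {ttl}s, below minimum")
    print(fixed)
```

Note what the audit deliberately does not change: the SOA timers and the NS records at the parent, which have their own TTLs at the registry. Records you expect to move during an incident (for example a hostname you fail over by changing its address) are the ones to exempt from the higher minimum.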


Protecting the internet

While these techniques might help you, they do little to protect the internet at large. DNS is as close as the internet has to a single point of total failure: when it goes, nothing that depends on names works. That’s bad enough, but as F5 Networks, the application-delivery vendor, notes, DNS has historically been under-provisioned. We must build a stronger DNS system.

ISPs and router and switch vendors should also get off their duffs and finally implement Network Ingress Filtering, better known as Best Current Practice (BCP)-38.

BCP-38 works by filtering packets with forged source addresses at the edge of the internet. Thus, when your compromised webcam starts emitting packets that claim to come from somebody else’s address, BCP-38 drops them at your router or at your ISP’s router or switch, because the source address does not belong to the network the packet arrived from.
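The rule is simple enough to show in a few lines. This is an added example, not vendor code or a reference implementation of BCP-38: a customer-facing interface accepts a packet only if its source address lies within the prefixes assigned to that customer, and never if it comes from address space that should not appear on the public internet. Vendors implement the same idea as an ingress ACL or as strict unicast reverse-path forwarding (uRPF). The interface assignments, packets and the short bogon list are constructed for the example.

```python
"""Toy BCP-38 (network ingress) filter: a packet entering a customer-facing
interface is accepted only if its source address belongs to the prefixes
assigned to that customer, and never if it comes from bogon space."""
import ipaddress

# Source space that must never appear on the public internet. This is a short
# illustrative list, not a complete bogon feed. The documentation ranges are
# deliberately left out because they stand in for real allocations below.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


class IngressFilter:
    def __init__(self, interfaces):
        # interfaces: {interface name: [prefixes routed to that customer]} (assumed edge config)
        self.interfaces = {
            name: [ipaddress.ip_network(p) for p in prefixes]
            for name, prefixes in interfaces.items()
        }

    def verdict(self, iface, src_ip):
        """'accept', 'drop:bogon' or 'drop:spoofed' for a packet arriving on iface."""
        src = ipaddress.ip_address(src_ip)
        if any(src in net for net in BOGONS):
            return "drop:bogon"
        if not any(src in net for net in self.interfaces[iface]):
            return "drop:spoofed"     # source not assigned to the ingress interface
        return "accept"


# Constructed edge-router configuration: two customers, each with one /24.
EDGE = IngressFilter({
    "cust-a": ["203.0.113.0/24"],
    "cust-b": ["198.51.100.0/24"],
})

# Constructed packets: (ingress interface, source, destination). The spoofed
# ones are what a reflection bot or a random-source flood would emit.
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.25", "198.51.100.53"),   # customer A's own address
    ("cust-a", "198.51.100.7", "203.0.113.1"),     # customer A spoofing customer B
    ("cust-a", "192.0.2.77", "203.0.113.1"),       # customer A spoofing a remote address
    ("cust-a", "10.1.2.3", "203.0.113.1"),         # RFC 1918 source: bogon
    ("cust-b", "198.51.100.7", "203.0.113.9"),     # customer B's own address
]


def filter_packets(flt, packets):
    return [(iface, src, flt.verdict(iface, src)) for iface, src, _dst in packets]


if __name__ == "__main__":
    for iface, src, verdict in filter_packets(EDGE, SAMPLE_PACKETS):
        print(f"{iface:7} {src:15} {verdict}")
```

The filter belongs at the point closest to the customer, where the set of legitimate source prefixes is smallest and known exactly; the further upstream you push it, the more prefixes are legitimate on an interface and the less it can reject. Note what it does not do: a bot that floods a target using its own real address passes this check, because the address is genuine.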

It’s possible, but unfortunately not likely, that your ISP has already implemented BCP-38. You can find out by running Spoofer, CAIDA’s open-source client, which sends packets with forged source addresses to its test servers and reports which of them got through your ISP’s filters.

So why wasn’t it implemented years ago? Andrew McConachie, an ICANN technical and policy specialist, explained in an article that ISPs are too cheap to pay the small costs required to implement BCP-38.

BCP-38 isn’t a cure-all, but it sure would help.

Another fundamental fix is response rate limiting (RRL). This is a DNS server feature that is credited with shrinking reflected attacks by around 60 percent.

RRL works by recognizing that when hundreds of packets per second arrive with very similar source addresses asking for similar or identical information, chances are they’re an attack. When RRL spots malicious traffic, it slows down the rate the DNS replies to the bogus requests. Simple and effective.
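To make the mechanism concrete, here is an added example (not the RRL code in BIND, NSD or Knot, which is more elaborate) of the core idea: count identical responses per client netblock per second; once a limit is exceeded, drop most of the excess and “slip” every Nth response as a truncated (TC=1) reply, so a genuine client whose address was forged can still retry over TCP, where the source cannot be spoofed. The flood and the legitimate query are constructed for the example, and the per-second table is never aged out, which a real server would do.

```python
"""Toy DNS Response Rate Limiting (RRL): identical responses to the same
client netblock are counted per second; past the limit most are dropped and
every Nth is 'slipped' as a truncated reply so a real client retries over TCP."""
from collections import defaultdict
import ipaddress


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, ipv4_prefix_len=24):
        self.limit = responses_per_second
        self.slip = slip                      # 0 disables slipping (pure drop)
        self.prefix_len = ipv4_prefix_len     # clients bucketed by /24 (assumed; real RRL: /24 v4, /56 v6)
        self.sent = defaultdict(int)          # (second, netblock, response key) -> responses sent
        self.excess = defaultdict(int)        # same key -> responses withheld so far

    def _netblock(self, client_ip):
        return str(ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False))

    def decide(self, client_ip, qname, qtype, now):
        """Return 'send', 'slip' (TC=1 reply) or 'drop' for one would-be response."""
        key = (int(now), self._netblock(client_ip), (qname.lower().rstrip("."), qtype.upper()))
        if self.sent[key] < self.limit:
            self.sent[key] += 1
            return "send"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "slip"                     # small, unamplified TC=1 answer
        return "drop"                         # nothing leaves the server


def simulate_reflection_flood():
    """Constructed flood: 20 queries in one second for the same amplifying ANY
    query, with spoofed sources scattered across the victim's /24, plus one
    ordinary query from a client elsewhere in the same second."""
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    verdicts = defaultdict(int)
    for i in range(20):
        verdicts[rrl.decide(f"203.0.113.{10 + i}", "example.com.", "ANY", 100.0 + i * 0.01)] += 1
    legit = rrl.decide("198.51.100.5", "example.com.", "A", 100.5)
    return dict(verdicts), legit


if __name__ == "__main__":
    flood, legit = simulate_reflection_flood()
    print("flood verdicts:", flood)          # most of the amplified answers never leave
    print("unrelated client:", legit)
```

Two design points carry over to real deployments. Bucketing by netblock rather than by single address is what defeats an attacker who spreads forged sources across the victim’s /24, and slipping rather than dropping everything is what keeps a legitimate resolver inside that /24 working, because a TC=1 reply makes it retry over TCP.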

Those are some basic ideas on how to fix the internet. It’s now up to you to use them. Don’t delay. Bigger attacks are on their way and there’s no time to waste.


Henry Sapiecha

Middle Eastern hackers employ this phishing technique to infect political targets with Trojan malware

‘Moonlight’ group is likely to be involved in cyber espionage, warns Vectra Networks.

The hacking group has been dubbed Moonlight due to references in code

A hacking group is conducting cyber espionage against targets in the Middle East by duping politicians, activists and staff at NGOs into clicking links to authentic-looking but fake versions of high-profile websites in the region, and then infecting them with malware.

The operation — dubbed ‘Moonlight’ by cyber security researchers, after the name the attackers chose for one of their command-and-control domains — has generated over two hundred samples of malware over the past two years and targets individuals via their private email accounts instead of their corporate ones, to increase the chances of a successful attack.

The attacks, which are themed around Middle Eastern political issues such as the war in Syria or the conflict in Palestine, have been unearthed by cybersecurity researchers at Vectra Networks, who say the tools and targets are reminiscent of the Gaza Hacker Team, a group of hacktivists said to be aligned with Hamas, the Palestinian militant Islamic group. The attacks are purely centered on Middle Eastern targets, with the text crafted in Arabic.

Moonlight typically delivers an obfuscated version of the widely available H-Worm, a malicious Visual Basic Script-based remote access Trojan. It isn’t sophisticated, but the effort the attackers put into their phishing attacks means that it’s effective.

“They put effort into lovingly crafting the emails, the websites, the documents they’ve created, putting a fair amount of effort and energy into it. But beyond that the underlying tech is off the shelf,” says Oliver Tavakoli, CTO at Vectra Networks, emphasizing how the attackers don’t need sophisticated hacking skills.

“It teaches you about the low degree of skill required to actually pull something like this off,” he adds.

As with other phishing schemes, those behind Moonlight are attempting to entice their target to click on malicious documents, which claim to contain information about issues and events in the Middle East, such as Hamas, Gaza, Syria, Egypt and other topics relevant to audiences in the Arab world.

A decoy report on people trafficking.

Image: Vectra Networks

The lure is deployed as an EXE file, but rather than doing nothing but install malware when clicked on, Moonlight presents the victim with a relevant decoy, therefore avoiding suspicion that the document may be malicious.
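An executable that opens a decoy document relies on the recipient trusting the file name, and Windows hides known extensions by default, so “report.pdf.exe” displays as “report.pdf”. The triage routine below is an added example, not Vectra’s detection logic or anything from the Moonlight toolset: it classifies attachments by their leading bytes rather than their names, flagging PE executables under document extensions, double extensions, and text that begins like a VBScript dropper (H-Worm is VBScript-based). The attachment names and bytes are constructed for the example.

```python
"""Triage mail attachments for the 'executable disguised as a document' lure:
check the file's leading bytes instead of trusting its name."""

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf",
                 "txt", "jpg", "jpeg", "png"}

# Leading-byte signatures for a few common container types.
MAGIC = (
    (b"MZ", "pe-executable"),               # Windows EXE/DLL/SCR: DOS 'MZ' stub
    (b"%PDF", "pdf"),
    (b"\x89PNG", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip-container"),       # docx/xlsx/pptx, or a zipped payload
    (b"\xd0\xcf\x11\xe0", "ole-compound"),  # legacy .doc/.xls
)
VBS_HINTS = (b"on error resume next", b"createobject(", b"wscript.", b"execute(")


def sniff(data):
    """Best-effort type from content; 'unknown' when no signature matches."""
    head = data[:512]
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    if any(h in head.lower() for h in VBS_HINTS):
        return "vbscript"                   # heuristic: text that starts like a VBScript dropper
    return "unknown"


def classify_attachment(filename, data):
    exts = filename.lower().split(".")[1:]
    ext = exts[-1] if exts else ""
    kind = sniff(data)
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append("double extension: document name hiding an executable")
    if kind == "pe-executable" and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header but non-executable extension")
    if kind == "vbscript" and ext not in EXECUTABLE_EXTS:
        reasons.append("VBScript content under a non-script extension")
    return {"filename": filename, "sniffed": kind, "block": bool(reasons), "reasons": reasons}


# Constructed attachments (names and bytes invented for the example).
SAMPLE_ATTACHMENTS = [
    ("report.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    ("human_rights_report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("news.docx", b"MZ\x90\x00" + b"\x00" * 60),
    ("update.txt", b"On Error Resume Next\r\nSet ws = CreateObject(\"WScript.Shell\")\r\n"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
]


def triage(attachments=SAMPLE_ATTACHMENTS):
    return [classify_attachment(name, data) for name, data in attachments]


if __name__ == "__main__":
    for result in triage():
        print(("BLOCK " if result["block"] else "allow ") + result["filename"], result["reasons"])
```

The signature table is intentionally short; a production gateway would use a full file-type library and would also open zip containers, since a macro document or a script inside an archive passes a magic-byte check on the outer file.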

Another method the attackers use to deploy malware is via malicious links that lead to fake but convincing versions of authentic Middle Eastern media organizations’ websites. Typically deploying the link via a shortened URL, the user is invited to click through to a news article based on current events in the Middle East. While it looks like the real deal, users will find themselves infected with malware.

The end result in each of these two attacks is that the victim, of which there have been hundreds, becomes infected with a Trojan that is most likely used to conduct espionage. But rather than infecting corporate environments, it is the personal email addresses, and therefore the home networks, of victims that have been targeted, because they represent more vulnerable targets, and that is reflected in the unsophisticated nature of the malware itself.

“The obscuring that they did wasn’t of network communications, but of the actual exploit and malware they delivered. That leads me to believe that it’s not really targeted at employees of companies, but more at end users — politicians using their private emails or private machines, activists in the Middle East and NGOs,” says Tavakoli.

While the endgame of Moonlight and who is ultimately pulling the strings remains unknown, the group behind it is still active and still targeting individuals interested in political issues in the Middle East.

While those outside the Middle East aren’t likely to be targeted by Moonlight, it serves as a reminder that a well-crafted phishing attack can be almost indistinguishable from a real email. Nonetheless, there are still ways that targeted users and organizations can fight back.


Henry Sapiecha

The Dyn report: What we know so far about the planet’s biggest DDoS attack yet

The Internet of Things has proven to be just as dangerous as we feared, with an assault from tens of millions of internet addresses clogging up the works

We don’t know all the answers about the Distributed Denial of Service (DDoS) attack that blew away Dyn and its clients, but here’s what we do know.

That innocent webcam on your desk may have attacked the internet.

First, there was nothing — nothing — surprising about this attack. As Paul Mockapetris, creator of the Domain Name System (DNS), said, “The successful DDoS attack on DYN is merely a new twist on age-old warfare. … Classic warfare can be anticipated and defended against. But warfare on the internet, just like in history, has changed. So let’s take a look at the asymmetrical battle in terms of the good guys (DYN) and the bad guys (Mirai botnets), and realize and plan for more of these sorts of attacks.”

This new twist came from the Internet of Things (IoT). Surprised? Please. We knew all along that not only could the IoT be used to attack networks, it would be used to target the internet.

IoT vendors must improve their security. Or, as Lyndon Nerenberg, an internet engineer, said on the North American Network Operators Group (NANOG), the professional association for internet engineering, architecture, and operations, mailing list, “The way this will get solved is for a couple of large ISPs and DDoS targets to sue a few of these IoT device manufacturers into oblivion.”

IoT vendors know this. Hangzhou Xiongmai Technology, the Chinese technology company that admitted its webcam and digital video recorder (DVR) products were used in the assault and recalled its webcams, is also threatening legal action against those that try to attach blame for the attack to its gear.

Of course, the ISPs and DNS providers deserve much of the blame as well. Their failure to implement Network Ingress Filtering, Best Current Practice (BCP)-38, and response rate limiting (RRL) played a large role in making the attacks possible. Note the limit of that defence, though: BCP-38 stops packets with forged source addresses, and an infected device that floods a target from its own real address passes straight through it.

The attacks themselves were in large part, as expected, driven by a Mirai botnet. Kyle York, Dyn’s chief strategy officer, reported, “The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

Let that sink in for a minute. Tens of millions of IP addresses. DDoS attacks of this size were unheard of even six months ago.


The attack itself came in three waves. York stated, “At 7:00 am ET, Dyn began experiencing a DDoS attack. While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different. Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers. After restoring service, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to our East Coast [Points of Presence] POPs), but was mitigated in just over an hour; service was restored at approximately 1:00 pm ET. Again, at no time was there a network-wide outage, though some customers would have seen extended latency delays during that time.”

This understates the problem. Globally users reported problems for hours afterward and many Dyn-supported sites were unavailable until the late afternoon.

Finally, “there was a third attack attempted, we were able to successfully mitigate it without customer impact.”

That ended the largest DDoS attack of all time… so far. More will be coming.

As York concluded, “It is said that eternal vigilance is the price of liberty. As a company and individuals, we’re committed to a free and open internet, which has been the source of so much innovation. We must continue to work together to make the internet a more resilient place to work, play and communicate.”

If we don’t, the internet will fail.


Henry Sapiecha

FBI Tells Law Enforcement Police To Hide Phone Tracking of People

Your local police may use a controversial piece of technology—ominously dubbed a stingray—to track your phone. But, the FBI is taking pains to make sure you never find out. The agency encourages police to find additional evidence so that stingray technology never comes up in court, according to a new memo.

It’s no secret that law enforcement agencies scattered around the country use such devices, known as IMSI catchers or colloquially “stingrays”, which mimic cellphone towers and collect data, such as phone numbers and location, from every phone in their vicinity. But that’s not for lack of trying by the FBI. The agency is so keen on keeping the devices from the public that it asks local police departments to sign nondisclosure agreements about their stingrays, which has led some police departments to withdraw cases that rely on stingrays for evidence.

But thanks to an open records request from the investigative journalism nonprofit Oklahoma Watch, there is finally documentary evidence of the FBI’s specific instructions. In a 2014 memo from FBI Special Agent in Charge James Finch to Oklahoma City Police Department Chief William Citty, the bureau issued very specific guidelines.

“Information obtained through use of this equipment is for LEAD PURPOSES ONLY, and may not be used as primary evidence in any affidavits, hearings or trials. This equipment provides general location information about a cellular device, and your agency understands it is required to use additional and independent investigative means and methods, such as historical cellular analysis, that would be admissible at trial to corroborate information concerning the location of the target obtained through use of this equipment.”

The memo reflects the controversial practice known as parallel construction, in which a law enforcement agency collects evidence on a suspect without first bothering with a warrant, as that evidence likely wouldn’t be admissible as evidence in court. Armed with that information, agents or officers build a strong enough case with legally admissible evidence that they don’t need to ever tell the court about that earlier information.

A 2013 Reuters report on the practice, for example, found that the U.S. Drug Enforcement Administration routinely receives intelligence from various intelligence services, including the NSA, about where to find a suspected criminal, and that the DEA would then be expected to work backward from there. “You’d be told only, ‘Be at a certain truck stop at a certain time and look for a certain vehicle.’ And so we’d alert the state police to find an excuse to stop that vehicle, and then have a drug dog search it,” one DEA agent said.

“This is the first time I have seen language this explicitly calling for parallel construction to conceal evidence derived from Stingray use,” Nate Wessler, a staff attorney at the ACLU who specializes in stingray use, told Vocativ.

“[T]his goes the outrageous extra step of ordering police to actually engage in evidence laundering,” he said. “As a result, defendants are denied their right to challenge potentially unconstitutional surveillance and courts are deprived of an opportunity to curb law enforcement abuses.”

Though stingray use in the U.S. has largely existed without much public knowledge, that scenario is quickly changing. In March, an appellate court ruled for the first time that it’s illegal for police to use stingrays without first getting a warrant.

The FBI didn’t respond to request for comment.


Henry Sapiecha

This Algorithm Decides Court Cases Almost As Well As A Judge

A computer program could help relieve the massive backlogs facing some of the world’s busiest courts

A computer algorithm took on the work of real human judges and did a pretty good job, predicting the decisions of one of Europe’s highest courts with 79 percent accuracy. The finding suggests artificial intelligence could help the world’s busiest courts work through their massive backlog of cases, even if an algorithm isn’t about to take up a digital gown and gavel and start actually deciding cases.

The AI analyzed cases tried before the European Court of Human Rights, which hears cases from people and groups who claim their civil or political rights have been violated in their home countries. An international team of computer scientists worked with a legal scholar to determine just how well AI could predict the court’s ultimate judgement based on how the written decision described the factual background of the case and the arguments of the parties involved. They found it agreed with the judges’ decision four of five times — and that the underlying facts of the case were by far the best predictor of the outcome of a case, rather than any of the more abstract legal arguments.

“The fact that we can get this accuracy, it means that there are some consistent patterns of violations that lead to overturning the [previous court’s] decision,” University of Pennsylvania computer scientist Daniel Preoţiuc-Pietro told Vocativ.

That suggests the court is typically less concerned with parsing philosophical questions of whether a specific instance is a human rights violation than it is determining how that situation fits into their already defined categories of violations. Preoţiuc-Pietro pointed to the example of people who allege mistreatment in prison as a situation that typically led to decisions in those people’s favor. “That’s definitely more likely for the court to actually accept that the state made a mistake and the people involved were actually justified,” he said.

The AI used what’s known as natural language processing to analyze the cases. This particular method involved looking at the text of a decision as a big bag of words, not worrying about any particular word order or grammar. Instead, the AI looked at what individual words and combinations of two, three, or four words appeared most frequently in the text, regardless of order. The AI then looked at all these combinations, known as N-grams, and clustered them into different overall topics.

The court’s decisions include lengthy sections recapping not only the factual background of the cases but also the original arguments made by the parties in the case. This gave the AI a broad sense of what each text was talking about and gave it the context necessary to predict the outcome of the case, which it did correctly in nearly four out of every five cases.
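As an added illustration of the bag-of-n-grams representation described above (this is not the researchers’ code, and their full pipeline is not reproduced here), the Python below counts every one- to four-word sequence in a text and uses those counts in a simple nearest-centroid classifier by cosine similarity, a stand-in for whatever learner the study used. The training and test sentences are constructed for the example and are not text from the court’s decisions.

```python
"""Bag-of-n-grams text features plus a nearest-centroid classifier over them."""
import math
import re
from collections import Counter


def tokenize(text):
    return re.findall(r"[a-z0-9']+", text.lower())


def ngram_counts(text, n_max=4):
    """Count every contiguous 1..n_max word sequence. Order inside an n-gram is
    kept; order between n-grams is discarded (that is the 'bag')."""
    tokens = tokenize(text)
    counts = Counter()
    for n in range(1, n_max + 1):
        for i in range(len(tokens) - n + 1):
            counts[" ".join(tokens[i:i + n])] += 1
    return counts


def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def train_centroids(labelled_texts, n_max=4):
    """One summed n-gram vector per label."""
    centroids = {}
    for label, text in labelled_texts:
        centroids.setdefault(label, Counter()).update(ngram_counts(text, n_max))
    return centroids


def predict(centroids, text, n_max=4):
    """Label whose centroid is most similar to the text, plus all scores."""
    vec = ngram_counts(text, n_max)
    scores = {label: cosine(vec, c) for label, c in centroids.items()}
    return max(scores, key=scores.get), scores


# Constructed training data: invented one-sentence 'fact' summaries, not court text.
TRAINING = [
    ("violation", "The applicant alleged that he was beaten by prison officers and denied medical treatment in detention."),
    ("violation", "The applicant complained of inhuman conditions of detention in an overcrowded prison cell."),
    ("no violation", "The applicant complained that the domestic courts had assessed the evidence in his civil dispute incorrectly."),
    ("no violation", "The applicant alleged that the length of the civil proceedings before the domestic courts was excessive but the delay was attributable to him."),
]
CENTROIDS = train_centroids(TRAINING)


def classify(text):
    return predict(CENTROIDS, text)[0]


if __name__ == "__main__":
    for sample in ("The applicant was held in an overcrowded prison cell without medical treatment.",
                   "The applicant complained about the length of civil proceedings before the domestic courts."):
        print(classify(sample), "<-", sample)
```

With four training sentences this only shows the mechanics. The study’s 79 percent figure came from a corpus of real judgments, and the caveat the paragraph hints at applies to any such model: it learns the court’s past correlations between facts and outcomes, not the law, so it would also reproduce any bias in those decisions.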

But that doesn’t mean the researchers are hoping to see AI judges anytime soon.

“We’re not advocating for automating any decisions,” said Preoţiuc-Pietro. “Decisions should still be made by the judges.” Where the AI can make a difference is in helping determining which cases make it to the judges in the first place.

In 2015, the researchers found that nearly 85,000 petitions were submitted to the court, of which just 891 were actually decided upon. All the rest were thrown out as inadmissible, meaning the court couldn’t take them on and the previous decision by a lower court would have to stand. The European Court of Human Rights relies both on individual judges and committees to work through all these cases and figure out which are worth bringing to the actual court’s attention. Last year, that meant the entire court apparatus had to process more than 230 cases every single day, making it a huge challenge just to give each petition the human attention it deserves.

Artificial intelligence, by contrast, could zip through 85,000 petitions and decide which were most likely to be worth the court’s time, based on how similar each petition is to the court’s previous cases. Preoţiuc-Pietro suggested the algorithm could separate the cases into three groups based on the court’s prior history: those the court would likely rule on, those it likely would rule inadmissible, and those in a gray area. Committees could then devote more time to examining the cases already identified as being of uncertain status, rather than having them take valuable time doing all their own categorization.

“These committees are time-limited and beyond that very costly, so they can actually look at just the flagged cases which are more likely to be disputed and analyze them more thoroughly,” said Preoţiuc-Pietro, “while the others they can be sent for just individuals and they don’t need to be scrutinized by more people.”

The goal then wouldn’t be to take the human element out of the law, but the complete opposite: the European Court of Human Rights and other bodies like it would have more time to focus on their most difficult cases, while the AI would separate out the cases that would likely just get thrown out anyway.



Henry Sapiecha


Report: 1 in 2 American Adults are Already In Facial Recognition Network System

DMV records, plus a so-so approach to mugshot databases, puts half of the US in the country’s surveillance system

facial-recognition-network image

Half of all American adults are already in some sort of facial recognition network accessible to law enforcement, according to a comprehensive new study.

Conducted over a year and relying in part on Freedom of Information and public record requests to 106 law enforcement agencies, the study by Georgetown Law’s Center on Privacy and Technology found that American police use of facial recognition technology is governed by a scattered, hodgepodge network of laws and regulations.


“Looking at the sum total of what we found, there have been no laws that comprehensively regulate face recognition technology, and there’s really no case law either,” Clare Garvie, an associate at the CPT, told Vocativ. “So we find ourselves having to rely on the agencies that are using that technology to rein it in. But what we found is that not every system — by a long shot — has a use policy.”

That so many American adults are in at least one facial recognition database is largely due to the fact that at least 26 states, and likely more, share their Department of Motor Vehicles databases with the FBI, state police, or other law enforcement agencies, the study found. Compounding that, police often have access to mugshot databases. Garvie’s study found that most law enforcement agencies don’t purge such records, even if the arrested suspect is found not guilty, unless a court orders it. The sole known exception is the Michigan State Police, which does expunge photos after a set amount of time.

facial-recognition-chart image

The report also found that more than one in four law enforcement agencies have access to some sort of facial recognition capability, meaning either that the agency possesses such software or it has some sort of partnership with a police intelligence agency that does. The West Virginia Fusion Center, for example, a Charleston-based coalition of federal and local law enforcement, possesses software that matches individuals in video footage with a database of still photographs. Not only does it share information with the FBI, West Virginia State Police, and city and county departments, it may grant access to 77 other fusion centers across the country.


“These systems are used on law-abiding Americans without their knowledge or consent in most cases,” Garvie said.


Henry Sapiecha


Microsoft’s great achievement: AI that’s better than humans at listening… on phone devices

Microsoft’s latest speech-recognition record means professional human transcribers may be the first to lose their jobs to artificial intelligence.

microsoftcortana770x449 image

Microsoft’s speech-recognition AI could eventually be used to enhance Cortana’s accessibility features, say, for deaf people. Image: Microsoft

Microsoft researchers have developed a system that recognizes speech as accurately as a professional human transcriptionist.

Researchers and engineers from Microsoft’s Artificial Intelligence and Research group have set a new record in speech recognition, achieving a word error rate of 5.9 percent, down from the 6.3 percent reported a month ago.

The word error rate is the percentage of words in a conversation that a system, in this case a combination of neural networks, gets wrong. Microsoft’s system performed as well as humans who were asked to listen to the same conversations.

Microsoft sized its machines up against professional transcribers who were tasked with listening to the same evaluation data over the phone, which included a set of two-way telephone conversations and a separate set in which friends and family have open-ended conversations.

On the two test sets, humans and Microsoft’s automated system scored error rates of 5.9 percent and 11.3 percent respectively.

The scores are an umbrella figure for the results of three tests, comparing how many times Microsoft’s system and the human transcribers wrongly substituted one word for another, dropped a word from a sentence, or inserted a word that wasn’t said.

As Microsoft notes in the paper, humans and the automated system mostly fumbled over the same sounds in the tests, with the exception of “uh-huh” and “uh”.

Microsoft’s system was confused by the sounds “uh-huh”, which can be a verbal nod for someone to go ahead speaking, and “uh”, used as a hesitation in speech. The utterances sound the same but have opposite meanings, which humans had far fewer problems telling apart than Microsoft’s system.
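How the word error rate in the paragraphs above is actually computed, as an added Python example that is not from the article or from Microsoft’s toolkit. The reference and hypothesis transcripts are constructed samples, and the function names are assumptions for illustration. The block aligns each hypothesis to its reference with a minimum-edit-distance alignment, backtraces it to count substitutions, deletions and insertions separately, and then pools those counts over several conversations into the single umbrella figure the article refers to, so the “uh-huh” versus “uh” confusion shows up as a substitution and a dropped “I” as a deletion.

```python
def wer_breakdown(reference, hypothesis):
    """Align hypothesis to reference words and count S, D and I errors.

    WER = (S + D + I) / N, where N is the number of reference words.
    Uses the standard Levenshtein dynamic program with a backtrace.
    """
    ref = reference.split()
    hyp = hypothesis.split()
    n, m = len(ref), len(hyp)

    # dp[i][j] = minimum edits turning ref[:i] into hyp[:j]
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        dp[i][0] = i              # delete every reference word
    for j in range(1, m + 1):
        dp[0][j] = j              # insert every hypothesis word
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = dp[i - 1][j - 1] + (ref[i - 1] != hyp[j - 1])
            dele = dp[i - 1][j] + 1
            ins = dp[i][j - 1] + 1
            dp[i][j] = min(sub, dele, ins)

    # Backtrace from the corner, preferring a diagonal (match/substitution) step.
    i, j = n, m
    subs = dels = inss = 0
    while i > 0 or j > 0:
        if i > 0 and j > 0 and dp[i][j] == dp[i - 1][j - 1] + (ref[i - 1] != hyp[j - 1]):
            if ref[i - 1] != hyp[j - 1]:
                subs += 1
            i, j = i - 1, j - 1
        elif i > 0 and dp[i][j] == dp[i - 1][j] + 1:
            dels += 1
            i -= 1
        else:
            inss += 1
            j -= 1

    return {
        "S": subs,
        "D": dels,
        "I": inss,
        "N": n,
        "WER": (subs + dels + inss) / n if n else 0.0,
    }


def corpus_wer(pairs):
    """Pool S, D, I and N over many (reference, hypothesis) pairs.

    This is the umbrella figure: errors are summed over all conversations
    before dividing, rather than averaging per-conversation rates.
    """
    total = {"S": 0, "D": 0, "I": 0, "N": 0}
    for reference, hypothesis in pairs:
        part = wer_breakdown(reference, hypothesis)
        for key in total:
            total[key] += part[key]
    total["WER"] = (total["S"] + total["D"] + total["I"]) / total["N"] if total["N"] else 0.0
    return total


# Constructed transcripts: (what was said, what the transcriber/system produced).
SAMPLE_PAIRS = [
    ("uh huh go ahead", "uh go ahead"),      # dropped the back-channel "huh": deletion
    ("uh huh i see", "uh uh i see"),         # "uh-huh" heard as "uh": substitution
    ("i think i know", "think i know"),      # a dropped "i": deletion
    ("the line is bad", "the line is bad now"),  # an extra word: insertion
]

if __name__ == "__main__":
    for ref, hyp in SAMPLE_PAIRS:
        print(ref, "|", hyp, "->", wer_breakdown(ref, hyp))
    print("pooled:", corpus_wer(SAMPLE_PAIRS))
```

The backtrace is what lets the article’s deletion-versus-substitution comparison be made at all: a bare edit distance would give the same total for a dropped word and a misheard one.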


The transcriptionists, for some reason, frequently dropped the word ‘I’ from two-way conversations, and did so far more often than Microsoft’s AI.

Overall, Microsoft notes, humans had a lower substitution rate and a higher deletion rate, while both humans and machine produced a low number of insertions.

“The relatively higher deletion rate might reflect a human bias to avoid outputting uncertain information, or the productivity demands on a professional transcriber,” Microsoft speculates.

Still, to achieve parity with a human in this test was an “historic achievement”, said Xuedong Huang, Microsoft’s chief speech scientist.

Improved automated speech-recognition systems could be used in speech-to-text transcription services and enhance Cortana’s accessibility features, say, for deaf people. However, that prospect still appears to be some way off.

Microsoft used 2,000 hours of training data to equip its neural networks for the task. It claims that by parallelizing training with its Computational Network Toolkit on a Linux-based multi-GPU server farm, it was able to cut training times from months to under three weeks.

Despite the milestone, Microsoft admits it’s still a long way from achieving speech recognition that works well in real-life settings with lots of background noise.

For example, as a live transcription service it’s not yet possible to identify and assign names to multiple speakers who may have different accents, ages, and backgrounds. However, the company says it’s working on the technology, which could open up a whole set of possibilities.



Henry Sapiecha