Synthetic Audio Scams a Growing Concern for Businesses

August 17, 2020

With evolving technology come evolving scams. In their White Papers section, managed-intelligence firm Nisos examines a growing trend in, “The Rise of Synthetic Audio Deepfakes.” During a recent investigation, the company analyzed the synthetic audio used in a fraud attempt. The bad actors had mimicked the voice of their client’s CEO, asking an employee to dial a number and “finalize an urgent business deal.” See the write-up for some technical details of that analysis. Fortunately, the worker did not fall for the trick and alerted their legal department instead. Some companies, however, are not so lucky. The article tells us:

“The most famous use of deep fake synthetic audio technology in criminal fraud was a September 2019 incident involving a British energy company. The criminals reportedly used voice-mimicking software to imitate the British executive’s speech and trick his subordinate into sending hundreds of thousands of dollars to a secret account. The managing director of this company, believing his boss was on the phone, followed orders to wire more than $240,000 to an account in Hungary.

“Symantec security researchers reported in February on three cases of audio deepfakes used against private companies by impersonating the voice of the business’s CEO. The criminals reportedly trained machine learning engines from audio obtained on conference calls, YouTube, social media updates and even TED talks, to copy the voice patterns of company bosses. They created audio deepfakes replicating the CEO’s voice and called senior members of the finance department to ask for funds to be sent urgently. There was no additional reporting on which companies these were, whether the techniques were successful, or whether Symantec was able to obtain recordings of the deepfakes themselves.”

As synthetic manipulation gets more sophisticated, these schemes will only get more difficult to recognize. However, they have a distinct weakness—they must manage to trick a subject into taking action. Businesses can protect themselves by adopting certain best practices. If a request seems suspicious, an employee should call the supposed source on a known number to confirm it was them; the technology is not (yet) able to mimic an entire phone call. Predetermined challenge questions, using information not known to the public, are also a good idea. A word to managers and executives—employees may hesitate to “challenge” what sounds like their boss. We advise you assure them you will not get irritated when they do so. (And follow through.)

Cynthia Murrell, August 17, 2020

Predictive Analytics: A Time and a Place, Not Just in LE?

August 17, 2020

The concept seems sound: analyze data from past crimes to predict future crimes and stop them before they happen. However, in practice the reality is not so simple. That is, as Popular Mechanics explains, “Why Hundreds of Mathematicians Are Boycotting Predictive Policing.” Academic mathematicians are in a unique position—many were brought into the development of predictive policing algorithms in 2016 by The Institute for Computational and Experimental Research in Mathematics (ICERM). One of the partners, PredPol, makes and sells predictive policing tools. Reporter Courtney Linder informs us:

“Several prominent academic mathematicians want to sever ties with police departments across the U.S., according to a letter submitted to Notices of the American Mathematical Society on June 15. The letter arrived weeks after widespread protests against police brutality, and has inspired over 1,500 other researchers to join the boycott. These mathematicians are urging fellow researchers to stop all work related to predictive policing software, which broadly includes any data analytics tools that use historical data to help forecast future crime, potential offenders, and victims. … Some of the mathematicians include Cathy O’Neil, author of the popular book Weapons of Math Destruction, which outlines the very algorithmic bias that the letter rallies against. There’s also Federico Ardila, a Colombian mathematician currently teaching at San Francisco State University, who is known for his work to diversify the field of mathematics.”

Linder helpfully explains what predictive policing is and how it came about. The embedded four-minute video is a good place to start (interestingly, it is produced from a pro-predictive policing point of view). The article also details why many object to the use of this technology. Chicago’s Office of the Inspector General has issued an advisory with a list of best practices to avoid bias, while Santa Cruz has banned the software altogether. We’re told:

“The researchers take particular issue with PredPol, the high-profile company that helped put on the ICERM workshop, claiming in the letter that its technology creates racist feedback loops. In other words, they believe that the software doesn’t help to predict future crime, but instead reinforces the biases of the officers.”

Structural bias also comes into play, as well as the consideration that some crimes go underreported, skewing data. The piece wraps up by describing how widespread this technology is, an account that can be summarized by quoting PredPol’s own claim that one in 33 Americans are “protected” by its software.

With physics and other disciplines like Google online advertising based on probabilities and predictive analytics, what’s the scientific limit on real world applications? Subjective perceptions?

Cynthia Murrell, August 17, 2020

The Old and Not-So-Bold Diebold?

August 16, 2020

Robbing ATMs with specialized hardware is not new. What is new is using the manufacturer’s own software to facilitate the attacks. Ars Technica reports, “Crooks Have Acquired Proprietary Diebold Software to ‘Jackpot’ ATMs.” Say, doesn’t Diebold also make voting machines? Perhaps there are some things that should not be automated.

Jackpotting is a technique in which thieves convince an ATM to spit out cash, sometimes as quickly as 1.7 bills per second. One way to achieve this is to attach a hacking device, or “black box,” to the machine, either by physically breaking into the machine’s face or connecting to its network cables. Not surprisingly, these attacks usually occur on outdoor ATMs. (Another way is by breaking in and swapping out the machine’s hard drive. Then there is the email route: malware is unwittingly installed by a network admin after a successful phishing attempt.) Black boxes mimic the machine’s internal software with a laptop or using Raspberry Pi or Arduino hardware. Now, some thieves are leveraging Diebold’s own proprietary code against it. An advisory from the manufacturer states:

“Some of the successful attacks show a new adapted Modus Operandi on how the attack is performed. Although the fraudster is still connecting an external device, at this stage of our investigations it appears that this device also contains parts of the software stack of the attacked ATM. … The investigation into how these parts were obtained by the fraudster is ongoing. One possibility could be via an offline attack against an unencrypted hard disc.”

For now, most of these attacks appear to be occurring in Europe, particularly on the ProCash 2050xs USB model. It could be worse. Reporter Dan Goodin observes:

“The new attack variation described by Diebold is both good and bad news for consumers. On the one hand, there’s no indication thieves are using their recently acquired software stack to steal card data. The bad news is that attackers appear to have their hands on proprietary software that makes attacks more effective. The recent increase in successful jackpotting ultimately results in higher fees, as financial institutions pass on the costs caused by the losses.”

The write-up concludes with Diebold’s advice to avoid falling victim to a hacked ATM—stick to ATMs at major banks, shield the keypad while entering your PIN, and review each bank statement for suspicious activity. And Diebold “security”? Well.

Cynthia Murrell, August 16, 2020

Thinking about Risk: No Clip On Bow Tie

August 15, 2020

I read “Risk Bow Tie Method.” I worked through the write up, which reminded me of a reading in one of those professor-assembled Kinko’s books students HAD to purchase. The focus is a management procedure for thinking about risk. Today, there are some interesting topics which MBA study groups can consider on a thrilling Zoom call. As I examined the increasingly detailed diagrams, the procedure seemed familiar. I ratted through my files and, yes, I had a paper (maybe I snagged it at a non-Zoom conference in England in the 1990s) called “Lessons Learned from Real World Application of Bow Tie Method.” There’s a version of this document available at this link.

The idea is that something happens like Covid, serial financial crashes, social unrest, private enterprise controlling information flows, etc. None of these is too serious. The idea is to make a diagram that looks like this one from the 1990s Risktec person’s write up:

[Image: Bow Tie Method diagram from the Risktec write up]

If you want to be a consultant, you need a diagram without explanations. The idea is to bring discipline to a group of people who would rather check out TikTok videos, browse Facebook, or fiddle with their Robinhood account. But a job is a job, whether in person or on a Zoom call.

The advisor systematically works through the “logic” of figuring out the issues related to the minor risk an organization faces; for example, an enterprise search vendor failing to meet its financial goal for the quarter as cash burns and employees “work” from home. Yep, fill in that logical diagram.

Exercises like this are a gold mine to a consulting firm. Blue chip outfits focus on these “big picture” methods. Mid tier consulting firms and sole practitioners with a Wix Web site and Instaprint plastic stick on sign for their automobile may have trouble landing enough work to pay for working through the Bow Tie Method.

So blue chip consulting firms embrace these types of fill-in-the-blank exercises. The consultant gets to “know” the participants and can set the stage for recruiting an insider to function as a cheerleader absent pom poms. The “report” allows the consulting team to identify which options are better for the company with the data presented created by the … wait for it … the employees who participated in the Bow Tie Method process. To be fair, the consulting team has to create a PowerPoint or similar presentation. Some consulting firms just write an “Executive Memo” and move to selling follow on work.

I must admit I thought of the popular song by Stevie Wonder with these lyrics. Note: I modified the last line to match my reaction to the attempted rejuvenation of the Bow Tie Method:

His father works some days for fourteen hours
And you can bet he barely makes a dollar
His mother goes to scrub the floor for many
And you’d best believe she hardly gets a penny
Living just enough, just enough for the consulting.

Several observations:

  1. Is the Bow Tie Method the correct one for our interesting times? Plug in Covid, fill in the boxes, discuss options, and what do you end up with?
  2. Are the Bow Tie Method and other thought frameworks matched to today’s management climate? Twitter, Facebook, Google, Amazon, and other FAANG outfits create risks, and I am not convinced that objective consideration of the risks to these organizations is top of mind for the top managers at this time. It seems as if the consulting frameworks have to be designed for thumbtypers and consumers of Instagram and Snap apps, not old-school frameworks from who knows where.
  3. The time and cost to work through a full Bow Tie Method may increase risk for the company. Here’s how that works. The leadership of a company or country changes direction. Mixer from Microsoft. Hey, kill that dog. A Google API? No reason to provide that any more. A tweet from the White House changes the social media influencer landscape. As these here-and-now events blaze on digital devices, the time for the Bow Tie and the time for dealing with here-and-now is out of joint.

Net net: Traditional consulting methods, regardless of the fancy graphics and with-it explanations, seem to be like exhibits in the British Museum. Who knew the Elgin marbles were sitting in a dark room?

Stephen E Arnold, August 15, 2020

Modern Technology Reporting: The New York Times Is Now a Pundit Platform

August 14, 2020

I was not sure if I would document my reaction to the article that appeared on August 13, 2020, on page B5, as “Instagram Reels? No. Just No” and online under the title “We Tested Instagram Reels, the TikTok Clone. What a Dud.”

I reflected on an email exchange I had with another “real” journalist earlier this week. With plenty of time on my hands in rural Kentucky during the Rona Resurgence, I thought, “Yeah, share your thoughts, you Brontosaurian Boomer.” “Real” journalists working for big name outfits need to have a social agenda, insights, wisdom, and expertise no other human possesses. Absolutely.

In my 50 year work career, I worked for three outfits with publishing interests. The first was CRM, the outfit which owned Psychology Today (edited by the interesting T. George Harris), Intellectual Digest, and a number of other properties. I did some project work for a marketing whiz who coined the phrase “Fotomat Where your photo matters” and John Suhler (yeah, the Suhler of Veronis Suhler).  At meetings in Del Mar, Calif., a select group would talk and often drag in a so-called expert to hold forth on various topics. However, the articles which were commissioned or staff-written would not quote those at these meetings. Why? I have no idea. It was not a work practice. For me, it was how a reasonably successful magazine company operated.

Then I worked for Barry Bingham, Jr., who with his family owned most of the Courier-Journal & Louisville Times Company. There were other interests as well; for example, successful radio and TV stations, a direct mail operation, one of the first computer stores in Kentucky, a mail order business, and — believe it or not, the printing plant which cranked out the delightful New York Times Sunday Magazine. Plus, the NYT was then a family-owned operation. In my interactions with the NYT, my recollection is that the New York Times shared many of the old-fashioned work processes in use at the Courier-Journal. Was that the reason the Bingham papers won awards? One example is that the editorial writers wrote editorials. These were opinion pieces, personally vetted each day by Barry Bingham, Jr. The news people covered their beats. The reporters listened, gathered, analyzed, and wrote. No one quoted the man or woman across the desk in the alternately crazy and vacant newsroom. Also, the computer people (some of whom were decades ahead of systems people at other companies) did computery things. The printing people printed. Sure, there were polymaths and renaissance men and women, but people stayed in their lane.

My last publishing experience was in the Big Apple. I am not sure how I ended up on Bill Ziff’s radar, but I knew about him. He was variously described to me as a “publishing genius” and “Satan’s first cousin.” Dorothy Brown, the human resources vice president, eased my transition into the company from the Courier-Journal, telling me, “Just present facts. If Mr. Ziff wants your opinion, he will ask for it.” Good advice, Ms. Brown, good advice. (I heard the same thing when I did some consulting work for K. Wayne Smith, General, US Army.) The point is that management did management, which at Ziff included sponsoring a company race car. Advertising people collected money from advertisers who wanted to appear in PC Magazine, Computer Shopper, and properties like PC Week and who dumped money in front of the building on Park Avenue South. Once again, like the Ziff racing team, everyone stayed in their lanes. That meant that top flight reporters would report; executives dealt facts like Blackjack dealers in Las Vegas.

In these three experiences, I cannot recall an occasion on which the news people at these organizations interviewed one another.

The New York Times’ Brian X. Chen interviewed the New York Times’ Taylor Lorenz. Now that’s interesting. Instead of picking up the phone and calling one of the wizards of punditry at a consulting firm, a firm developing short form video content, or an attorney monitoring Facebook’s interaction with regulators — the two ace reporters of “real” news interviewed themselves. Wow, that’s “real” work! Imagine. Scheduling a Zoom meeting.

It is one thing for a blog writer to take shortcuts. It is another thing for a newspaper which once generally tried to create objective news related to an event or issue to repeat office opinions. Was I annoyed? Nah, I think it is another indication that objectivity, grunting through the process of gathering information, sifting it, and trying to present a word picture that engages, illuminates, and explains is over.

In 2020, the New York Times runs inserts which are like propaganda posters stuck to the walls in my second grade classroom in Oxon Hill, Maryland, in 1950. The failure to present an objective assessment of the new Facebook knock off of TikTok was pure opinion. The reason? The New York Times’ “real” journalists see themselves as experts. Even the arrogant masters of the universe at an investment bank or a blue chip consulting firm try like the devil (maybe Bill Ziff) to get outsiders to provide “input.” A journalist may be a reporter, but the conversion of a reporter into an expert takes more than someone saying, “Wow, you guys know more about short form video than any other person within reach of a Zoom call.” That is misguided and a variant of what I call the high school science club management method. Yes, you definitely know more about Facebook’s short form video than anyone else within reach of a mobile phone or a Zoom connection.

I want to float a radical idea. Do some digging, some work. I think I can with reasonable confidence assert that John Suhler (my boss for my work at Veronis Suhler), Barry Bingham Jr. (the Courier-Journal owner), or Bill Ziff (the kin of Satan, remember?) would have the same viewpoint.

Just a suggestion, gentle reader: If a person wants me to respect their newspaper work as objective, informed, and professional, don’t replicate the filter-bubble, feedback loop of co-worker lunch room yip-yap: Research, sift, analyze, synthesize, and report.

Just my opinion, of course, but even Brontosauri can snort, but that snort takes more effort than the energy expended presenting oneself as a wizard. Sorry, you pros are not in Merlin’s league.

Stephen E Arnold, August 14, 2020

Amazon: A Burr under a Presidential Saddle?

August 14, 2020

This may just be an example of how a national scheme plays out on the local level. The Portland Press Herald reports, “Amazon Gets Priority While Mail Gets Delayed, Say Letter Carriers.” Mark Seitz, a Portland postal service veteran and president of the Maine State Association of Letter Carriers and the National Association of Letter Carriers Local 92, filed a complaint on July 13 with the U.S. Postal Service Office of Inspector General. Corroborated by two colleagues, Seitz alleges Portland’s Postmaster James Thornton deliberately delayed first-, second-, and third-class mail by ordering Amazon’s fourth-class packages be sorted first. Willfully delaying mail, it turns out, is a federal offense. Interesting.

Reporter Reuben Schafir informs us:

“Seitz’s complaint says that Thornton had done so on June 29, July 6 and July 13, all Mondays when the volume of mail is especially challenging. Two other carriers say it happens even more frequently. … According to three letter carriers working out of the Portland office, enough mail to fill four to five ‘shark cages’ – 4-by-5-foot bins containing mail – have been left in each of the office’s five units overnight multiple days per week. Carriers estimated that 1,500 to 2,000 first-class and priority packages were delivered late each time this happened. Typically, letter carriers sort a small amount of mail in the morning before they begin their routes. If mail isn’t sorted by the time carriers leave, they return midday to collect it or an assistant carrier would step in and ensure that all the mail is delivered on time. Now, according to letter carriers inside the Portland post office, clerks are told to stop sorting by 8:30 a.m., an hour and a half before most carriers leave for their routes, and are then sent home to cut costs, leaving first-class parcels unsorted in the office overnight.”

See the article for more details. Could this be part of a national effort to slow down the mail for political gain? Some believe so. The agency is already struggling with staff shortages accompanied by delayed route reviews, meaning fewer workers are expected to deliver more and more mail. Another factor is Amazon’s 2013 lopsided contract with the USPS. Through rain, sleet, and bureaucracy, the Amazon packages get through. Will Thornton be held accountable? Will anyone? Will the burr be barred?

Cynthia Murrell, August 14, 2020

China: Getting Serious about Chips?

August 14, 2020

DarkCyber spotted a write up that suggests greater intention in chip design and fabrication. “China Hires over 100 TSMC Engineers in Push for Chip Leadership” reports:

The hirings are aimed at helping Beijing achieve its goal of fostering a domestic chip industry in order to cut China’s reliance on foreign suppliers, the sources said. Quanxin Integrated Circuit Manufacturing (Jinan), better known as QXIC, and Wuhan Hongxin Semiconductor Manufacturing Co., or HSMC, along with their various associate and affiliate companies, are little-known outside the industry. But in addition to employing more than 50 former TSMC employees each, both are also led by ex-TSMC executives with established reputations in the chip world. The two projects are aiming to develop 14-nanometer and 12-nanometer chip process technologies, which are two to three generations behind TSMC but still the most cutting-edge in China.

Two observations:

China’s industrialized training of electrical engineers, material scientists, and physicists is humming along. However, more is needed, and China wants that more to be supplied by hiring professionals from TSMC.

Second, the write up makes clear that China appears to be hiring those who are okay Chinese. Does that mean that employees who say one thing and do another may not realize that when a good opportunity arises, those individuals will seize upon it?

Interesting and significant action underway it seems by China’s big picture thinkers.

Stephen E Arnold, August 14, 2020

Snap: Has the Company Provided a Glimpse of the Future of Software?

August 14, 2020

A brief write-up at MakeUseOf alerts us to a novel approach to applications: “Snap Minis Are Bite-Sized Apps You Use in Snapchat.” Writer Dave Parrack tells us:

“These are miniature apps created by third-party developers that you can use in Snapchat without ever leaving the [Snapchat] app. Which could make Snapchat a solid choice for more than just teenagers. … The apps are all built directly into Snapchat using HTML5. This means you don’t have to leave the comfort of Snapchat to use them, they’re guaranteed to work for all users on all devices, and they don’t even need installing.”

Navigate to the post for details on how to use this feature in Snapchat, what Snap Minis are currently available, and which are in the works. Personally, we are more interested in the tactic itself. Parrack notes:

“This is part of a major effort by Snapchat to encourage developers to give users more to do inside Snapchat. Which should boost levels of engagement. The developers also gain access to millions of users who may then be tempted to install their full-featured apps. Making it a win-win for both parties. Snap clearly wants to make Snapchat a ubiquitous app you cannot afford not to have installed on your phone. Even if you aren’t interested in seeing what you would look like as a pug.”

Will Snapchat succeed in achieving ubiquity? Perhaps. Either way, the app-within-an-app concept offers new angles for platforms and developers alike.

Cynthia Murrell, August 14, 2020

Google and Global Surveillance

August 14, 2020

DarkCyber noted “Android Users Could Detect Earthquakes Soon As Google Is Planning to Turn Them into Seismometers.” The write up describes a global system to note perturbations in the earth’s crust. Yep, earthquake warning on a global scale. The write up states:

the internet giant plans on using the built-in accelerators of Android devices to turn them into a network of makeshift seismometers, and while they won’t be able to predict these quakes, the long-term goal is that Android users affected by a tremor will receive push notifications as soon as it happens. Based on the report, Android users would have to opt-into the new system for it to work. Additionally, the phone would have to be plugged in and motionless to detect a nearby quake and send an alert to the user.

Useful data for the Google? That’s a good question. If one assumes the data are valid, what can these seismic data reveal? Ads for products needed in the aftermath of a natural disaster? Hints about investment opportunities? Fine grained surveillance of mobile phone users’ behavior when disaster strikes?

What use cases are possible? What about the location of a mobile device in an area in which looting is occurring? Any others come to mind?

Stephen E Arnold, August 14, 2020

Object Detection AI Offers Deal

August 13, 2020

Object detection AI systems are currently big projects in the technology community. AI developers are teaching computers using large datasets how to learn and reason like a human infant. It is hard to imagine that AI object detection software is available for consumers, but Product Hunt recently ranked Priceless AI as a number one product of the day.

Priceless AI describes itself as an, “‘all-you-can-eat’ image object detection at a fixed monthly price.” What is astonishing is how cheap Priceless AI is compared to its counterparts AWS Rekognition and Google Cloud Vision. AWS Rekognition starts at $5/month for 10,000 monthly predictions heading all the way to $8,200 for 10,000,000 image predictions. Google Cloud Vision, on the other hand, starts at $20 then goes up to $18,700. These prices are outrageous when Priceless AI stays at a simple $99 for any amount of image predictions a month.

How can they do this?

“How do you offer such a cheaper alternative to AWS Rekognition and Google Cloud Vision?

We do clever low-level optimization allowing us to make a more efficient use of the hardware.”

Priceless AI allows its customers to have more than one concurrent request, and these can be used on as many clients/devices as wanted. The devices/clients need to be synchronized, because only the purchased number of concurrent requests is allowed.

Priceless AI wants to be as transparent as possible with customers, but they do keep some things secret:

“What model are you using to run object detection?

We can’t disclose the exact model, but we can tell you it’s a state-of-the-art deep convolutional neural network.”

Companies do need to try to keep their secrets.

Whitney Grace, August 13, 2020
