Tuesday, October 21, 2014
This seems to be another “look how I'm protecting you” campaign when in reality it's Congress chasing their tails. Would they make it illegal for anyone to automatically encrypt communications? Then Apple (et al.) would make the software open source while building in a simple “encrypt your own messages” option. If encryption is banned, try working with “code” instead. Could you force me to decrypt, “This message is not encrypted!” (Which would actually mean, “Congress is a bunch of idiots!”)
FBI Director James Comey has launched a new “crypto war” by asking Congress to update a two-decade-old law to make sure officials can access information from people’s cellphones and other communication devices.
The call is expected to trigger a major Capitol Hill fight about whether or not tech companies need to give the government access to their users' data.
… Comey claimed the FBI was not looking for a “backdoor” into people’s devices.
“We want to use the front door with clarity and transparency,” he said.
But for critics, that’s a distinction without a difference.
“The notion that it’s not a backdoor; it’s a front door — that’s just wordplay,” said Bruce Schneier, a computer security expert and fellow at the Berkman Center for Internet & Society at Harvard University. “It just makes no sense.”
(Related) Statements like this make me wonder if the FBI would rather hold a press conference than solve a crime.
FBI: ‘No indication’ JPMorgan was hacked because of sanctions against Russia
FBI officials on Monday said there was no evidence that the hack of JPMorgan Chase and other U.S. banks’ networks was payback for western sanctions against Russia. [Aside from a letter from Putin, what would be evidence of motive? Bob]
… Officials also said that they still have not determined whether it was a foreign government — such as Russia — or criminals who were behind the network intrusions at JPMorgan and other banks. [Typical ass-covering Bob]
(Related) “We need a bigger budget!” (Does the FBI know of any time when someone has “robbed” multiple banks from their basement?)
Erin Kelly reports:
Federal officials warned companies Monday that hackers have stolen more than 500 million financial records over the past 12 months, essentially breaking into banks without ever entering a building.
“We’re in a day when a person can commit about 15,000 bank robberies sitting in their basement,” said Robert Anderson, Jr., executive assistant director of the FBI’s Criminal Cyber Response and Services Branch.
Nearly 439 million records were stolen in the last six months, said Supervisory Special Agent Jason Truppi of the FBI. Nearly 519 million records were stolen in the last 12 months, he said.
About 35 percent of the thefts were from website breaches, 22 percent were from cyber espionage, 14 percent occurred at the point of sale when someone bought something at a retail store, and 9 percent came when someone swiped a credit or debit card, the FBI said.
Read more on USA Today.
[From the article:
"You're going to be hacked," Joseph Demarest, assistant director of the FBI's cyberdivision, told the business leaders. "Have a plan." [Good message, no hype. Bob]
… Congress could help by passing cybersecurity legislation to update surveillance laws and give federal agents greater authority to go after cybercriminals, Pawlenty said. [The party line? Bob]
I wonder how common this has been. Do judges shop at TJMaxx or Target? Apparently not.
David Allison reports:
Some of the lawsuits hitting The Home Depot Inc. over its recent data breach are apparently hitting too close to home for some federal judges in Atlanta.
Home Depot (NYSE: HD) is facing at least 21 lawsuits stemming from the data breach, which reportedly may affect 60 million customers.
More than a dozen of the lawsuits have been filed in U.S. District Court for the Northern District of Georgia, located in Atlanta. Others have been filed in federal courts across the country.
Three judges serving in the Atlanta court have recused themselves or otherwise declined hearing lawsuits related to the data breach.
Read more on Atlanta Business Chronicle.
Dimly lit restaurant, my old eyes, small print menu: “This looks like a job for Flashlight App!”
Robert McMillan reports:
When I downloaded the Flashlight app to my iPhone, I was in a jam. I was camping, I think. Or maybe a pen had rolled under my couch. I remember that smug sense of self-congratulation after I downloaded the software, which converted the iPhone’s LED flash into a steady and bright beam of light.
But I shouldn’t have been so pleased with myself. Though I didn’t realize it at the time, I was potentially handing over a boatload of data to advertisers as well. Even a flashlight app, it turns out, can ask for a shocking amount of user data when you download it, tapping everything from my calendar to my phone’s location engine to my camera. Yes, my camera. This is something you can keep in check, thanks to the privacy controls on today’s iPhone, but the truth is that most people don’t.
Read more on Wired.
Let me state this another way. If my neighbor's house is suddenly surrounded by vehicles with flashing red lights and 'crime scene' tape and everyone inside the perimeter is wearing biohazard suits, it's not going to be difficult to determine who was in contact with an Ebola patient.
Via HIPAA Blog, here are two resources related to the issue of how much PHI covered entities can disclose without patient consent in situations like ebola concerns.
The first is from HHS:
Does the HIPAA Privacy Rule permit covered entities to disclose protected health information, without individuals’ authorization, to public officials responding to a bioterrorism threat or other public health emergency?
Yes. The Rule recognizes that various agencies and public officials will need protected health information to deal effectively with a bioterrorism threat or emergency. To facilitate the communications that are essential to a quick and effective response to such events, the Privacy Rule permits covered entities to disclose needed information to public officials in a variety of ways.
Covered entities may disclose protected health information, without the individual’s authorization, to a public health authority acting as authorized by law in response to a bioterrorism threat or public health emergency.
[Many more examples Bob]
Note that the above does not necessarily mean that the covered entity can disclose the patient’s name to the media or public without the patient’s consent. But my understanding is that public officials can release such information as part of responding to a public health emergency, e.g., if they need to contact and isolate people who may have been in contact with infected patients. If I’m wrong on that, hopefully some lawyer will let me know.
The second resource, also from HHS, is a decision tool to help covered entities with emergency preparedness disclosures.
Update: Later in the day, I was asked who actually disclosed the first Texas patient’s name. Digging into it, I found that the patient was first identified/named by the Liberian government, and it was reported in the New York Times. In terms of the two Texas nurses later affected, their identities were revealed by their families. The hospital was not the source of their names.
This focuses on employees. I checked to be certain. Why wouldn't policies that protect customers also protect employees? Yes, the data may be different, but the ethics should be the same.
William Hamilton reports:
Jason R. Baron used his keynote address at the LawTech Euro Conference 2014 in Prague today to call for greater data use transparency from U.S. businesses. Addressing 500+ attendees, Baron asserted that the compelling business need to deploy powerful predictive analytics to effectively accomplish information governance requires a corresponding informed consent from employees.
Baron, of counsel to Drinker Biddle and co-chair of the Information Governance Initiative, argued that European countries are ahead of the U.S. in protecting personally identifying information, but now the inflection point reached with Big Data requires U.S.-based companies to address ethical issues associated with their increasing use of data about employees.
Read more on Law Technology News.
I may not know how to explain copyright, but I know when an article becomes “a teaching moment.” Would that I could have explained that to these “victims.”
Jennifer Lawrence's Hacked Nude Pictures Not Coming Down From The Web Yet Because Of One Legal Loophole
… Even though the pics were stolen from her, she might not be able to get the pics removed because she might not actually have ownership of them!
When her attorney sent off a letter demanding a porn site take down the pics because she owns the copyright, the site fired back that since some of the pics are not selfies, the person who actually took them would most likely own the copyright.
So now, the site has demanded that they're provided with proof that J.Law owns the copyright or be given the name of the person who took the pics.
In case this legal loophole sounds familiar, you might remember that the famous Oscars selfie was put together by Ellen DeGeneres and posted on her Twitter, but it ended up being Bradley Cooper who owned the pic as he snapped it.
Interesting. Reads like they want the government to take on most of the work and give them maximum flexibility. I'll probably have my Computer Security students build a wiki with links to guidelines like this. (as well as laws, regulations, “Best Practices,” etc.)
Financial Industry Group Publishes Recommendations to Guide Development of Cybersecurity Regulations
The Securities Industry and Financial Markets Association [SIFMA] is proposing the formation of a working group of government agencies to review cybersecurity guidance and regulations related to the financial industry.
The proposal was mentioned in a new document entitled 'Principles for Effective Cybersecurity Regulatory Guidance' published today by SIFMA. In the paper, SIFMA lays out ten foundational principles to serve as a framework for regulators to develop plans to review, update and "harmonize" cybersecurity policies, regulations and guidance.
The paper can be read here.
EFF Launches Updated Know Your Rights Guide
“If the police come knocking at your door, the constitution offers you some protection. But the constitution is just a piece of paper—if you don’t know how to assert your rights. And even if you do assert your rights…what happens next? That answer may seem complicated, but protecting yourself is simple if you know your rights. That’s why EFF has launched an updated Know Your Rights Guide that explains your legal rights when law enforcement try to search the data stored on your computer, cell phone or other electronic device. The guide clarifies when the police can search devices, describes what to do if police do (or don’t) have a warrant, and explains what happens if the police can’t get into a device because of encryption or other security measures.”
Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws
CRS – Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws. Charles Doyle, Senior Specialist in American Public Law. October 15, 2014.
“The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, outlaws conduct that victimizes computer systems. It is a cyber security law. It protects federal computers, bank computers, and computers connected to the Internet. It shields them from trespassing, threats, damage, espionage, and from being corruptly used as instruments of fraud. It is not a comprehensive provision, but instead it fills cracks and gaps in the protection afforded by other federal criminal laws. This is a brief sketch of CFAA and some of its federal statutory companions, including the amendments found in the Identity Theft Enforcement and Restitution Act, P.L. 110-326, 122 Stat. 3560 (2008).”
Some data for my Statistics students to play with.
Explore UNDP Development Data With This Interactive Map
The UN Stat Planet Map allows you to create useful mapped displays of UN development indicators data. There are ten data categories from which you can choose. Within each category there are further refinements possible. You can customize the map to present sharper contrasts between the data indicators, change the indicator symbols, and alter the map legend. To visualize the change in data over time, use the time slider at the bottom of the map. Your maps and the data that they represent can be downloaded as PNG and JPEG files for printing.
Simply looking at data spreadsheets or graphs reveals some good development data to students. But for better visual comparisons tied to locations, the UN Stat Planet Map is useful.
For my niece, the guitar plucker.
Free Ebook - Music Theory for Musicians and Normal People
Music Theory for Musicians and Normal People is a free ebook created by Toby Rush at the University of Dayton. The ebook covers everything from the basics of reading key signatures to advanced topics in composition.
Music Theory for Musicians and Normal People can be downloaded in parts or in whole. It is released under a Creative Commons license that allows you to use it for instruction.