Thursday, May 14, 2015

Yeah, expensive breaches. Yeah, people are a problem. Now, how do you fix it?
Adam Levin reports:
For the first time, according to a recent study, criminal and state-sponsored hacks have surpassed human error as the leading cause of health care data breaches, and it could be costing the industry as much as $6 billion. With an average organization cost of $2.1 million per breach, the results of the study give rise to a question: How do you define human error?
[…] Wetware is a term of art used by hackers to describe a non-firmware, hardware or software approach to getting the information they want to pilfer. In other words, people. (The human body is more than 60% water.) Wetware intrusions happen when a hacker exploits employee trust, predictable behavior or the failure to follow security protocols. It can be a spearphishing email, a crooked employee on the take or a file found while Dumpster diving—and, of course, all stripes of things in between. Whatever it is, there’s a human being involved.
Read more on Forbes.

We missed the live stream, but Fordham was nice enough to record the sessions so we can watch them via LiveStream.
Fordham Law Center on Law and Information Policy (CLIP) Ninth Law and Information Society Symposium. Trends in the global processing of data, developments in new technologies, privacy enforcement actions and government surveillance put international privacy at the center of the global law and policy agenda. Government regulators, policymakers, legal experts, and industry players need to find solutions to cross-border conflicts and to the issues presented by innovative technologies. This conference seeks to create a robust, but informal dialog that will explore possible solutions to current questions arising from the international legal framework, infrastructure architecture and commercial practices. The conference will use a unique format. Each panel will start with a short presentation on the technological and business context to set the stage. The panel will be an informal, moderated roundtable discussion with a select group of experts followed by a question and answer session from the audience.

Government in action: Told that a national drone program was ineffective and inefficient, they now want to create 50 independent programs!
Joe Cadillic writes:
The Illinois State Police announced that the FAA has authorized what it calls its ‘Unmanned Aircraft System Program’.
It’s a F***ING surveillance drone program! My god, DHS/Police are trying to mask what it really is by calling it an ‘Unmanned Aircraft System Program’.
There’s even a UAS news website where you can follow all the latest surveillance drone news.
Read more on MassPrivateI.

It doesn't bother the kids. How do we change that?
This quote from an article in the Chicago Tribune seems to say it all:
“It’s a new crisis,” O’Shea said. “Girls all are sending nude photographs of themselves all over the place.”
So what should parents and schools do when attempts to educate kids about privacy do not appear to be sufficient? Enacting state laws on sexting and child pornography is likely ineffective in really preventing impulsive acts or helping a child resist any peer pressure to do what others are doing.
So here’s a novel thought: you wouldn’t give the keys to your car to a 9-year-old, would you? Of course not, because they don’t have the skills or judgment to drive safely. The safety risks (apart from the legal jeopardy) are obvious.
So if your child doesn’t have the judgment to use a cellphone safely, why are you giving them one? Are you deluding yourself that your child – whose brain won’t be fully developed for a few more decades – has the maturity to resist impulses or peer pressure?
Are you even preventing them from downloading apps that facilitate impulsive and poor decisions?
Yes, kids need privacy and we don’t want our kids to be social outcasts because they don’t have all the cool toys their friends do. [Teach them to be leaders, not followers. Bob] But our first job as parents is to keep them safe. If you’re not prepared to do that, just hand them a phone, kid yourself that they’ll make good choices all the time, and while you’re at it, go ahead and hand them the keys to the car.

(Related) Not sure what prompted this, but it is a reminder to the schools, not the students. (Presumably, not in the nude)
(13 May 2015) In response to the concern about the alleged unconsented uploading of video clips of secondary school students online, the Office of the Privacy Commissioner for Personal Data (“PCPD”) reminds the public of the privacy and legal issues associated with the collection and use of personal data, and calls for data users to respect the privacy rights of individuals.
We are particularly concerned about the incident as it involves youngsters and their rights to privacy in the cyber world. Any complaints made to the PCPD would be handled in accordance with established procedures. If there is a prima facie case of any contravention of the data protection principles or other provisions under the Personal Data (Privacy) Ordinance, the PCPD may initiate a formal investigation into the matters.
Based on the information in the media and other information gathered by the PCPD so far, the following data protection principles may be relevant to the incident:
Data Protection Principle 1 (Data Collection Principle)
This Data Collection Principle requires the data user to collect personal data in a lawful and fair way, and for a purpose directly related to its function or activity. All practicable steps shall be taken on or before collecting the data to notify the data subjects of the purpose of data collection and the classes of persons to whom the data may be transferred.
An organisation may collect personal data directly related to its functions or activities. However, the collection should be in accordance with the above requirements.
Data Protection Principle 3 (Data Use Principle)
This Data Use Principle requires personal data to be used for the purpose for which the data is collected or a directly related purpose, unless voluntary and explicit consent is obtained from the data subject.
Hence, an organization, before using or publishing any personal data collected, needs to ascertain if such use or publication is for the purpose for which the data is collected or a directly related purpose, unless voluntary and explicit consent is obtained from the data subject.
Any improper use or sharing of personal data, online or otherwise, could be far reaching and long lasting, especially when the data is related to youngsters who are vulnerable to harassment and disparaging comments. Schools and parents need to educate youngsters about their privacy rights and responsibilities, and about how to deal with threatening and harassing messages on the Internet. If youngsters suspect that their privacy rights relating to personal data are being abused, they should seek help from their parents or legal guardian, and make a complaint to the PCPD.
Cyber-bullying inflicts harm on the victims that can have devastating effects. People’s lives offline may also be adversely affected as a result. In October 2014, the PCPD published a leaflet entitled “Cyber-bullying – What you need to know”1 to remind the public of the privacy and legal issues associated with cyber-bullying, and called for internet users to respect the right to privacy in the cyber world.
The PCPD will continue to closely monitor the situation, and take follow up action as appropriate in light of further developments.
1 “Cyber-bullying – What you need to know”

Doesn't the “without paying” bit have something to do with the firing?
Jamie Williams writes:
We’ve said it before and we’ll say it again: violating a computer use restriction is not a crime. That’s why today EFF filed an amicus brief urging the Oregon Supreme Court to review a troubling opinion by the Oregon Court of Appeals in State v. Nascimento, finding an employee committed a computer crime for violating her employer’s computer use restrictions.
Caryn Nascimento worked as a cashier at the deli counter of a convenience store. As part of her job, she was authorized to access a lottery terminal in the store to sell and validate lottery tickets for paying customers. Store policy prohibited employees from purchasing lottery tickets for themselves or validating their own lottery tickets while on duty. After a store manager noticed a discrepancy in the receipts from the lottery terminal, it was discovered that Nascimento had printed lottery tickets for herself without paying for them. She was ultimately convicted not only of first-degree theft, but also of computer crime on the ground that she accessed the lottery terminal “without authorization.”
Read more on EFF.

(Related) When is authorization not authorization? Are we authorizing access or actions?
Orin Kerr writes:
The Second Circuit held oral argument Tuesday in United States v. Valle, widely known as the “Cannibal Cop” case. There was a ton of media attention about this case at trial, including the trial judge’s decision to overturn the jury verdict for conspiracy to commit kidnapping on the ground that it was all a fantasy. HBO has already made a documentary about the case.
Amidst all this attention, the part of Valle that I care about — and that worries me — has flown under the radar. I’m referring to the defendant’s appeal from the one count on which Valle was convicted: A violation of the computer hacking statute, the Computer Fraud and Abuse Act.
Read more on The Volokh Conspiracy.
[From the article:
The fact that Valle had to enter in an identifying number and a PIN to access the government database doesn’t change the analysis, for reasons I explain in this draft on pages 36-37. Valle was fully authorized to access his account, and violating the written restrictions on access doesn’t render his authorized access unauthorized any more than federal employees or people with the middle name “Ralph” are violating the CFAA when they visit the Volokh Conspiracy. His CFAA conviction should be overturned.

I confuse too easily to be a lawyer. So it's legal to collect metadata and it's not legal to collect metadata.
In the excitement over the Second Circuit’s ruling on the NSA’s bulk collection program, another very significant appellate decision that was issued last week has been largely overlooked: the Eleventh Circuit’s en banc decision in United States v. Davis. A majority of the eleven judge panel held that the government did not need a warrant to collect 67 days’ worth of cell site location information on Quartavious Davis, who was suspected of involvement in several armed robberies.
On first glance, the panel’s holding appears to answer in the negative the question that the Second Circuit punted: whether telephony metadata receives protection under the Fourth Amendment. On closer examination, however, the fractured ruling, with its many separate opinions, highlights a fundamental lack of consensus over the reach of the third party doctrine.
Writing for the court, Judge Hull concludes that the case is controlled by United States v. Miller (1976) and Smith v. Maryland (1979), which together stand for the proposition that a person has no reasonable expectation of privacy in information that he or she voluntarily conveys to a third party.

An indication that the world is coming together? Or does WalMart view Amazon as more of a competitor than Alibaba? (How do you say “merger” in Chinese?)
Wal-Mart to accept Alipay in a bid for growth in China
Wal-Mart Stores is teaming up with Alibaba to roll out the Alipay mobile payment service in China — its latest move to increase sales in a tough, but potentially lucrative international market.
Ant Financial, a financial affiliate of Alibaba, said on Wednesday that the partnership with the world’s biggest retailer would start with 25 stores in Shenzhen, including one of its Sam’s Club locations, and be accepted at all 410 Wal-Mart stores in China by the end of the year.

So is that really the Loch Ness Monster? (Digest Item #4)
Wolfram Website Identifies Images
Stephen Wolfram, the genius behind Wolfram Alpha and other amazing technologies, has launched ImageIdentify, a new website which can automagically identify objects from images. You simply add an image of something you need to identify, and the Wolfram Language does the hard work.
Millions of images were used to train ImageIdentify, and while it still doesn’t get it right 100 percent of the time, it learns every time you use it. So, right now it’s more fun than useful, but in time it could become an essential tool for anyone seeking to identify anything or anyone in an image.

Might amuse my students while I enter their assignments... (Digest Item #5)
Type Drummer Turns Words Into Music
Type Drummer turns your words into music, quite literally. In this simple writing tool, each letter of the alphabet has been assigned a percussion sound. So, whatever you write creates a unique drum beat that repeats once you reach the end of your sentence.
It’s definitely fun for five minutes, but it could also be used to beat writer’s block by giving you a reason to write. You can also share beats with friends, so if you stumble across a particularly funky groove, you can save it for posterity.

Something my researching students might use?
To more than one pundit, last week’s election in the United Kingdom looked like it would be the closest in a generation. But at SurveyMonkey’s Palo Alto, California, headquarters, thousands of miles away, things looked very different: Respondents to an online poll conducted by the Internet survey company from April 30 to May 6 showed the Conservatives, led by Prime Minister David Cameron, as poised for an unexpectedly comprehensive electoral triumph.
… Cohen had intended the most recent survey to serve as an internal experiment, not be released to the public.
… It was a potential coming-of-age moment at a time when many traditional pollsters think it’s inevitable that online polls will become the industry norm. SurveyMonkey’s decision to enter the fray of a heavily polled, high-profile election created a big test for its methods, unusual even by online pollsters’ standards. In this instance, those methods worked well. But what does that mean? That its kind of online polling is ready to compete with, and beat, more traditional methods? Or that this poll was just a fluke?

Interesting from many perspectives, not just for my Ethical Hacking students.
Conservative techies launch 'app store' for campaigns
A group of conservative techies released an “app store” on Wednesday to help campaigns adopt tech tools.
Lincoln Labs, which launched in 2013, has published a list of tools that campaigns can use. The site covers areas like internal communication, email marketing, technical infrastructure, databases, analytics, fundraising and contact management.
All of the tools are publicly available and range from those used by the average user — like Gmail — to more campaign-specific tools like advertising platform provider Targeted Victory.