Saturday, November 21, 2015

In short, it will probably happen again. ...and hackers can read.
OMB – Federal Information Security Modernization Act Audit FY 2015
by Sabrina I. Pacifici on Nov 20, 2015
“In FY 2015 OPM was the victim of a massive data breach that involved the theft of sensitive personal information of millions of individuals. For many years we have reported critical weaknesses in OPM’s ability to manage its information technology (IT) environment, and warned that the agency was at an increased risk of a data breach. In the wake of this data breach, OPM is finally focusing its efforts on improving its IT security posture. Unfortunately, as indicated by the variety of findings in this audit report, OPM continues to struggle to meet many FISMA requirements. During this audit we did close a long-standing recommendation related to OPM’s information security management structure – [Report Number 4A-CI-00-15-011, November 10, 2015] However, this audit also determined that there has been a regression in OPM’s management of its system Authorization program, which we classified as a material weakness in the FY 2014 FISMA audit report. In April 2015, the Chief Information Officer issued a memorandum that granted an extension of the previous Authorizations for all systems whose Authorization had already expired, and for those scheduled to expire through September 2016. Should this moratorium on Authorizations continue, the agency will have up to 23 systems that have not been subject to a thorough security controls assessment. We continue to believe that OPM’s management of system Authorizations represents a material weakness in the internal control structure of the agency’s IT security program. The moratorium on Authorizations will result in the IT security controls of OPM’s systems being neglected. Combined with the inadequacy and non-compliance of OPM’s continuous monitoring program, we are very concerned that the agency’s systems will not be protected against another attack.”


(Related) And it could happen almost anywhere.
Feds lack method to grade critical infrastructure cybersecurity
Most federal agencies overseeing the security of America’s critical infrastructure still lack formal methods for determining whether those essential networks are protected from hackers, according to a new government report.
Of the 15 critical infrastructure industries examined in the Government Accountability Office (GAO) report — including banking, finance, energy and telecommunications — 12 were overseen by agencies that didn’t have proper cybersecurity metrics.




My after-turkey reading.
Stacey Gray writes:
Each year, FPF invites privacy scholars and authors to submit articles and papers to be considered by members of our Advisory Board, with an aim toward showcasing those articles that should inform any conversation about privacy among policymakers in Congress, as well as at the Federal Trade Commission and in other government agencies.
[…]
Our top privacy papers for 2015 are, in alphabetical order:
A Design Space for Effective Privacy Notices
Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor
Anonymization and Risk
Ira S. Rubinstein and Woodrow Hartzog
A Precautionary Approach to Big Data Privacy
Arvind Narayanan, Joanna Huey, and Edward W. Felten
Privacy and Markets: A Love Story
Ryan Calo
Taking Trust Seriously in Privacy Law
Neil Richards and Woodrow Hartzog
Our two papers selected for Notable Mention are:
Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy
Peter Swire (Testimony, Senate Judiciary Committee Hearing, July 8, 2015)
The Transparent Citizen
Joel R. Reidenberg
Congratulations to all those whose work has been recognized!




Start from the premise, “They're all terrorists!”
Because of the difficulties civil litigants have encountered in challenging section 702 of the Foreign Intelligence Surveillance Act (as created by the FISA Amendments Act of 2008), the most realistic forum for judicial review of the constitutionality of section 702 has been through a motion to suppress evidence derived from section 702 in a criminal case (especially once the government actually began disclosing that it was relying upon such evidence). Yesterday, Judge Kane (D. Colo.) issued perhaps the most significant ruling to date on a motion to suppress 702 evidence. In a nutshell, Judge Kane denied the motion, holding that, both on its face and as applied to the defendant, Jamshid Muhtorov, section 702 violates neither the Fourth Amendment nor Article III. In the post that follows, I briefly summarize Judge Kane’s reasoning, and then explain why each conclusion is deeply incomplete — and should raise serious grounds for a post-conviction appeal to the Tenth Circuit. In a nutshell, though, yesterday’s decision may well have raised more questions than it answered.




This could kill the drone stocking stuffer.
Even Some Toy Drones Would Need Registration in U.S. Proposal
Owners of all but the smallest toy drones will have to register them with the U.S. government before the end of the year if the Obama administration adopts proposals being issued by a task force it appointed.
Registration -- designed to make it easier for authorities to track down the growing numbers of illegal flights -- should be free, easy to complete online and permit multiple devices on an owner’s filing, the task force is proposing, according to three people familiar with its recommendations who weren’t authorized to speak about it.
… The task force members, some of whom are still uneasy about elements of the compromise, agreed to include anything weighing more than 250 grams (9 ounces) in the registration program, according to the people who asked not to be named.
The FAA believes that the law requires the agency to charge $5 to register an aircraft and there may be no way to exempt drone owners from the fee, according to one of the people familiar with the task force’s debate.




My industry is funny.
Hack Education Weekly News
… “Texas rejects letting academics vet public school textbooks,” the AP reports.
Via The San Jose Mercury News: “A 17-year-old Lincoln High School student has been criminally cited after he hosted an Instagram account that featured nude photos of underage girls, authorities say, including some from Lincoln.”
… “It Won’t Be Long Now Until Every School Has Internet Access,” Wired trumpets. According to EducationSuperHighway, the schools which meet the FCC’s minimum requirements for Internet speed has jumped from 30% to 77% since 2013. (Mark Zuckerberg also announced this week he’s giving EducationSuperHighway $20 million. While headlines read that the money will help schools get faster Internet, it will actually go towards more staff and consultants for EducationSuperHighway.) Education Week has a good series of stories on how schools are charged outrageous fees for lousy Internet service.
Via NPR: “U.S. Colleges See A Big Bump In International Students.”
Meanwhile… “Northern Virginia Community College’s Extended Learning Institute (ELI) and open courseware provider Lumen Learning announced a collaboration to publish 24 online college courses for two complete degree programs. All courses were developed for zero student cost using open educational resources (OER) (i.e., no textbooks, just public access Internet).” [The future? Bob]
Via Politico: “The Education Department is doing a poor job on everything from responding to cyber attacks to updating its software and hardware, but it’s especially bad at monitoring its computer networks for threats, according to an annual inspector general audit.”
A report from Australia’s National Assessment Programme says that tablets are “eroding” children’s digital skills.

