Sunday, February 07, 2016

For my Computer Security students. Some Privacy can be risky.
Wildly Popular App Kik Offers Teenagers, and Predators, Anonymity
… law enforcement officials say Kik — used by 40 percent of American teenagers, by the company’s own estimate — goes further than most widely used apps in shielding its users from view, often making it hard for investigators to know who is using it, or how. (Yik Yak is another popular app under fire for its use of anonymous messages.)
“Kik is the problem app of the moment,” said David Frattare, commander of the Ohio Internet Crimes Against Children Task Force, which includes hundreds of law enforcement agencies. “We tell parents about Kik, and to them it’s some earth-shattering news, and then it turns out it’s been on their kid’s phone for months and months. And as a law enforcement agency, the information that we can get from Kik is extremely limited.”
Kik’s appeal to young people goes far beyond anonymity. Teenagers like its special emoji and other features. It offers free and unlimited texting. And like AOL Instant Messenger and MySpace before it, Kik is a space that parents are unlikely to know about. But it is also a place where inappropriate sexual content and behavior can flourish.
… Founded in 2009 and based in Canada, Kik aspires to become the Western version of WeChat, the hugely successful messaging service in China that offers free texting, e-commerce and content delivery. Its main appeal is privacy and anonymity: The app is free, and allows people to find strangers and communicate with them anonymously, through a user name.
… The company is taking a variety of steps, including sponsoring an annual conference on crimes against children and posting a law enforcement guide on its website, to “assist in preventing child exploitation,” said Lisa van Heugten, who was hired two years ago and helped form a special Kik division devoted to fielding law enforcement requests.
… Unlike some competing apps, Kik says it does not have the ability to view written messages between users, or to show them to the police. It can view pictures and videos, but retains them only until the recipient’s device has received the message. Those practices are legal.

Does anyone explain the technology before we open the can of worms? Did the FBI look at what was 'eventually' returned to him? (His IP address)
Joshua Kopstein writes:
The judge who authorized the FBI to hack 1,300 dark web users under a single warrant seems to be pretty confused about how the anonymity software Tor works. Newly unsealed documents suggest that the confusion stems from the US Department of Justice’s own arguments.
In the documents, the DOJ argues that Tor users have no reasonable expectation of privacy when it comes to their IP address. This is the same argument that the judge used to justify the FBI implanting malware onto a dark web site in order to grab user IP addresses. It’s also a counterintuitive point to make given that masking a computer’s IP address is the whole point of using Tor.
Read more on Motherboard.
[From the 'confused' article:
To prove this, the judge bizarrely argued that Tor doesn't give its users complete anonymity because a user has to give their IP address to their Internet Service Provider to connect to the Tor network. Therefore, he concluded, Michaud's IP address was “public information, like an unlisted telephone number” that “eventually could have been discovered.”
This makes no sense to anyone with a basic understanding of how Tor works. Just like with any website or service, Tor users do reveal their IP address to an ISP when initially connecting to the Tor network, through an entry point called a guard node. But since Tor bounces data between random nodes located around the world, neither the ISP nor anyone intercepting traffic can correlate which IPs are accessing which sites.
Nevertheless, the judge ruled that Michaud had “no reasonable expectation of privacy” in his IP address because it was technically revealed at some point before entering the Tor network—even though there was no way for the FBI to discover that IP by looking at those connecting to the hidden site.]
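The separation the excerpt describes (the ISP and guard see the user's IP but not the site; the site sees only the last relay) is easiest to see in code. The model below is an added example, not part of the original post and not Tor's own code: a toy three-relay onion circuit in which the client wraps one encryption layer per relay and each relay can strip only its own layer. The addresses (RFC 5737 documentation ranges), keys and site name are constructed; the SHA-256 keystream is a stand-in for Tor's real per-hop circuit cryptography, and the model leaves out Tor's directory, handshake and onion-service rendezvous machinery.

```python
"""Toy onion-routing model (added example; not Tor's protocol or code).

Shows which vantage point learns which address when one cell crosses a
three-relay circuit: the ISP and guard see the client's IP but only the
next hop, the exit sees the site but only the middle relay, and the site
sees the exit.  The cipher is a toy SHA-256 keystream XOR, standing in
for Tor's negotiated per-hop keys; it is not secure and not Tor.
"""
import hashlib
import json

# Constructed values: RFC 5737 documentation addresses and toy keys.
CLIENT_IP = "203.0.113.7"
RELAYS = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]  # guard, middle, exit
RELAY_KEYS = [b"toy-guard-key", b"toy-middle-key", b"toy-exit-key"]
SITE = "hidden-site.example"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block offset) blocks.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def build_onion(relays, keys, site, payload):
    """Client builds the layered cell, innermost (exit) layer first.
    Each layer names only the next hop, so a relay learns nothing beyond it."""
    cell = keystream_xor(keys[-1], json.dumps({"next": site, "payload": payload}).encode())
    for i in range(len(relays) - 2, -1, -1):
        wrapper = {"next": relays[i + 1], "inner": cell.hex()}
        cell = keystream_xor(keys[i], json.dumps(wrapper).encode())
    return cell


def peel(key, cell):
    """A relay strips its own layer and returns the parsed inner object."""
    return json.loads(keystream_xor(key, cell))


def can_read_layer(key, cell):
    """True if `key` opens `cell` to a well-formed layer.  Used to show that
    the guard cannot open the middle relay's layer with its own key."""
    try:
        layer = peel(key, cell)
    except ValueError:  # garbage bytes: decode or JSON error
        return False
    return isinstance(layer, dict) and "next" in layer


def run_circuit(client_ip, relays, keys, site, payload):
    """Forward one cell along the circuit and record what each observer sees.
    Returns {observer: {...}} keyed by 'isp', each relay address and the site."""
    seen = {}
    # The ISP sees a connection from the client to the guard carrying an
    # opaque encrypted cell; the site name is inside the encryption.
    seen["isp"] = {"src": client_ip, "dst": relays[0]}
    prev, cell = client_ip, build_onion(relays, keys, site, payload)
    for relay, key in zip(relays, keys):
        layer = peel(key, cell)
        seen[relay] = {"from": prev, "to": layer["next"]}
        prev = relay
        if "inner" in layer:
            cell = bytes.fromhex(layer["inner"])
        else:
            # The last relay hands the plaintext to the site, which sees that
            # relay's address rather than the client's.
            seen[site] = {"from": relay, "payload": layer["payload"]}
    return seen


if __name__ == "__main__":
    for observer, view in run_circuit(CLIENT_IP, RELAYS, RELAY_KEYS, SITE, "GET /").items():
        print(f"{observer:>20}: {view}")
```

Running it prints one line per vantage point: the ISP and guard records carry 203.0.113.7 but point only at the next relay, and the site's record carries the exit's address and the request, never the client's IP. That is the sense in which the excerpt says the IP is revealed "at some point before entering the Tor network" yet cannot be recovered by watching who connects to the hidden site, and why the FBI in the story had to run code on users' machines rather than read the site's logs.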

Have they made improvements in their internal security?
OPM to issue new requirements for personnel background investigations by contractors
by Sabrina I. Pacifici on Feb 6, 2016
Via Nextgov: “Contractors that conduct background investigations for the federal government will have to report information security incidents to the Office of Personnel Management within half an hour, are required to use smartcards as a second layer of security when logging on to agency networks and must agree to let OPM inspect their systems at any time. Those are new requirements OPM has written into draft contracting documents released last month that govern how the personal, often sensitive, information gleaned during background investigations should be stored on contractors’ computer systems…”

Because we've been kind of following this one.
I’ve been relatively quiet on this blog recently about FTC v. LabMD, but having read the latter’s answering brief to FTC’s appeal of Judge Chappell’s initial decision, I would encourage everyone to read LabMD’s brief, uploaded to this site. It really hits all the points/issues that have concerned me since the FTC first announced enforcement action against LabMD:
  1. The absence of any guides or standards for HIPAA-covered entities in 2007-2008 that would have informed us what, besides HIPAA, we needed to do to be compliant.
  2. The absence of any evidence that there was even a single victim or injured consumer by the accidental exposure of the “1718 File” during the period of months the file was exposed and for the seven years thereafter.
  3. FTC’s argument that LabMD should have notified patients of the accidental exposure when they were not required to notify anyone under HIPAA as it was in 2008.
  4. FTC’s argument that a “significant risk of concrete harm” itself causes substantial consumer injury within the meaning of Section 5(n) – not “could cause,” but “causes.”
  5. FTC’s total failure to ask even a single expert to actually evaluate LabMD’s infosecurity program and compare it to what was within the range of customary and usual for an entity of its size and purpose in 2007-2008. Not only did FTC fail to ask for an actual expert assessment of LabMD’s infosecurity by 2007-2008 standards, it actually instructed its expert witnesses to assume that the security was inadequate.
  6. FTC’s failure to introduce any evidence as to the risk of harm from a file-sharing incident in 2007-2008. While I agree that they didn’t need mathematical precision, bringing in witnesses who talked about rates and statistics in 2013-2014 was absurd, at best.
  7. FTC’s total failure to locate even one victim of the “daily sheets” incident or to even attempt to link the paper records to LabMD’s computer network.
  8. FTC’s egregious claim that by denying LabMD’s initial motion to dismiss, that became the law of the case.
When all is said and done, this case boiled down to an employee violating policy and (stupidly) using P2P software and thereby exposing LabMD files. It was, as LabMD counsel argues, a case about what might have happened, but didn’t happen. While I think Judge Chappell erred in some respects, I think that his overall decision to dismiss the case was a correct one. Unless FTC is going to go after every entity where an employee screws up and violates policy, enforcement action and offering a 20-year monitoring plan is an extreme over-reaction.
There has just been so much wrong with FTC’s case that I cannot understand why they ever pursued this, why they ignored one of their own commissioner’s warnings about pursuing the case and/or relying on Tiversa’s testimony, why they didn’t drop the friggin’ case when it became clear via Rick Wallace’s testimony that the entire basis for this case was unreliable, and why they don’t just admit that they have become bullies and are wielding their authority in ways Congress did not envision – against SMB’s who are the lifeblood of our economy and who can be wiped out financially if they have to defend against overzealous federal regulators.
C’mon, FTC, I’m a fan, and if you’ve failed to convince me that there’s any justification for your conduct, you’ve lost good will. How about surprising us and dropping your appeal with a statement that you don’t agree with some of Judge Chappell’s reasoning and interpretation of Section 5, but you’ll fight that another time in another case and are dropping this one in the interests of basic fairness?
CORRECTION: This post was edited post-publication to indicate that the LabMD employee used the P2P software. The previous version had incorrectly stated that the employee had downloaded it and used it.

Still crazy after all these years…
North Korea rocket launch: Why did Kim fire missile now?
… These sources also suggest that the range of this new missile may be as much as 13,000km (8,000 miles) compared with the roughly 10,000 km range of the Unha 3. Further analysis is required to confirm these estimates.
But if these numbers are true, this new missile is a major advance for North Korea. A missile fired from North Korea with a 13,000km range can reach any location in the continental United States.
… It apparently takes days to prepare such a missile, time during which it could be destroyed if North Korea threatened hostile use. Destroying such a missile on a large launch pad should be relatively easy once conflict begins.
… But the bigger question is why now?
Because of North Korean secrecy, we do not know for sure. But it seems likely that Kim Jong-un is seeking clear successes before his important Seventh Party Congress in May when he wants to appear to be the all-powerful leader of North Korea.
But he has been experiencing major appearances of weakness. For example, in the last three years China has had six summit meetings with South Korea, suggesting that South Korea is an important country and its president, Park Geun-hye, is a great leader.
But China has had no summit meetings with North Korea, suggesting that, for Beijing, North Korea is not a significant country and that Kim Jong-un is a weak leader.
North Korea may also be experiencing political instability resulting from the many purges of Kim Jong-un and various regime failures.

For my Data Miners, Forensics and Computer Security students.
GCHQ’s data-mining techniques revealed in new Snowden leak
A "Data Mining Research Problem Book" marked "top secret strap 1" has been leaked that details some of the key techniques used by GCHQ to sift through the huge volumes of data it pulls continuously from the Internet.
Originally obtained by Edward Snowden, the 96-page e-book has been published by Boing Boing, along with a second short document entitled "What's the worst that can happen?" Boing Boing describes this as "a kind of checklist for spies who are seeking permission to infect their adversaries' computers or networks with malicious software."
The data mining handbook was written by researchers from the Heilbronn Institute for Mathematical Research in Bristol, a partnership between GCHQ and the University of Bristol.

For those of us interested in military history.
SCAMPI database – search guide to military operations and history data
by Sabrina I. Pacifici on Feb 6, 2016
“The Joint Forces Staff College Ike Skelton Library is a specialized military library, focusing on research in joint and multinational operations, military history and naval science, operational warfare, and operations other than war. Library staff members regularly scan the weekly news magazines, monthly and bimonthly journals such as Military Review, Armed Forces Journal, and quarterly publications, including NATO’s Nations and Partners for Peace, RUSI Journal, and the Naval War College Review. Miscellaneous reports from RAND and the General Accounting Office are also indexed for SCAMPI. The resulting database serves as a guide to articles on military and naval art and science, operational warfare, joint planning, national and international politics, and other areas researched by JFSC faculty, staff, and students. The SCAMPI database covers the period from 1985 through the present. The Defense Technical Information Center (DTIC) hosts this web-based version of the SCAMPI. Several of the journals indexed in SCAMPI have independent Internet web sites. Please feel free to visit the individual journal home pages to see exactly what each publication makes available since many do provide.”

Perhaps the change has started in Academia.
Women Made Incremental Progress in Tech the Past Few Years (Infographic)
