The San Francisco Chronicle has coverage of an issue that has been circulating on faculty email networks at UC Berkeley for a few days. The piece, “Cal professors fear UC bosses will snoop on them,” is behind a paywall. The first sentence reads, “UC Berkeley faculty members are buzzing over news that University of California President Janet Napolitano ordered the installation of computer hardware capable of monitoring all e-mails going in and out of the UC system.” UC’s Chief Operating Officer says that UC policy “forbids the university from using such data for nonsecurity purposes.” UC Berkeley’s Senate chair replies, “What has upset a lot of the faculty was that the surveillance was put in place without consulting the faculty. In fact, the people installing the system were under strict instructions not to reveal it was taking place.” On the blog’s Facebook page, we’ve had some debate about how new this capability is, with some faculty from various universities saying they’ve always assumed their university email could be monitored at any time, and others saying this is a new level of intrusion.
Monday, February 01, 2016
I always feel smarter when Harvard agrees with me.
For more than two years the F.B.I. and intelligence agencies have warned that encrypted communications are creating a “going dark” crisis that will keep them from tracking terrorists and kidnappers.
Now, a study in which current and former intelligence officials participated concludes that the warning is wildly overblown, and that a raft of new technologies — like television sets with microphones and web-connected cars — are creating ample opportunities for the government to track suspects, many of them worrying.
… The study, titled, “Don’t Panic: Making Progress on the ‘Going Dark’ Debate,” is among the sharpest counterpoints yet to the contentions of James B. Comey, the F.B.I. director, and other Justice Department officials, mostly by arguing that they have defined the issue too narrowly.
[One example from the report:
Metadata is not encrypted, and the vast majority is likely to remain so. This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that was unavailable before these systems became widespread.
It's so simple only simple-minded folks would use it. Imagine a default password that you cannot change.
Hardcoded Keys Put Westermo Industrial Switches at Risk
Westermo is a Sweden-based company that designs and manufactures industrial-grade communications products for mission-critical systems. The firm’s solutions are used across the world in sectors such as transport, water, energy supplies, mining and petrochemical.
According to ICS-CERT, researcher Neil Smith discovered that the SSL keys used by Westermo industrial switches to secure communications are hardcoded and shared across devices.
Since it cannot be changed, a malicious actor who obtains the key can intercept and decrypt communications via a man-in-the-middle (MitM) attack. An attacker could intercept login credentials and leverage the information to gain access to a vulnerable device.
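Operators can check their own fleet for this condition by comparing the certificates their devices present. The following is an added example, not code from the article, ICS-CERT or the vendor; the `audit` function, the device names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import ssl
from collections import defaultdict


def fetch_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate a device presents, without validating it
    (device certificates are usually self-signed). Needs network access."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def audit(inventory: dict, firmware_fps: set = frozenset()) -> dict:
    """inventory maps device name -> DER certificate bytes.
    Returns fingerprint -> finding for every certificate that is presented
    by more than one device or that matches one shipped in a firmware image."""
    by_fp = defaultdict(list)
    for device, der in inventory.items():
        by_fp[fingerprint(der)].append(device)
    findings = {}
    for fp, devices in by_fp.items():
        shared = len(devices) > 1
        factory = fp in firmware_fps
        if shared or factory:
            findings[fp] = {"devices": sorted(devices),
                            "shared": shared,
                            "factory_default": factory}
    return findings


# Constructed stand-ins for DER certificates; real input would come from
# fetch_cert_der() run against each managed device.
FACTORY_CERT = b"constructed-factory-certificate"
SAMPLE_INVENTORY = {
    "switch-a": FACTORY_CERT,
    "switch-b": FACTORY_CERT,
    "switch-c": b"constructed-unique-certificate",
}

if __name__ == "__main__":
    known = {fingerprint(FACTORY_CERT)}
    for fp, finding in audit(SAMPLE_INVENTORY, known).items():
        print(fp[:16], finding)
```

Identical certificates imply an identical key pair, but the reverse does not hold: devices that wrap the same key in different certificates need a comparison of the public key itself rather than the whole certificate.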
Suggesting Security was a bit understaffed? Also, some job hunting information for my Computer Security students.
Help Wanted: 1,000 Cybersecurity Jobs At OPM, Post-Hack Hiring Approved By DHS
… The Office of Personnel Management (OPM) suffered the largest cyber attack over the past year, resulting in the theft of contact records on more than twenty million people including those who applied for government security clearances and went through background checks, and nearly two million spouses and domestic partners of those applicants. As the OPM hack news unraveled, it got worse — revealing that hackers stole the digital fingerprints of more than five million people employed by the U.S. federal government… the same fingerprints that are sometimes used for access to so-called locked down buildings and computers.
OPM recently announced it is hiring 1,000 new cybersecurity professionals, which have been approved by the U.S. Department of Homeland Security (DHS). Federal News Radio recently listed the duties the new cyber hires will carry out
… For a bird’s-eye view of cybersecurity jobs throughout the U.S. federal government, you can visit the National Initiative for Cybersecurity Careers and Studies (NICCS) website.
Only California would spy on you to protect your privacy?
Read more on UtotheRescue.
[From the article:
The UCOP had this hardware installed last summer.
They did so over the objections of our campus IT and security experts.
The intrusive hardware is not under the control of local IT staff--it sends data on network activity to UCOP and to the vendor. Of what these data consist we do not know.
Might be handy for some of those recurring tasks, like backups.
Create Awesome Life Automations with Multi-Step Zaps
… in the world of online app automation, a typical workflow involves creating a single action from one service, and using it to trigger something in another service. An example — using an incoming email with a specific subject line, to trigger a Google Spreadsheet which loads the subject line and the sender into two fields.
With this fresh update, Zapier has just raised the bar by allowing you to use a single app trigger to kick off a whole laundry-list of actions.
… As your list of actions grows, every new action can draw upon either the original trigger, or the subsequent actions you’ve created.