Friday, December 16, 2016

Interesting.  Can you insure against a breach that happened three years ago?  Don’t be silly.
Yahoo and Other Breaches Drive Surge in Corporate Hacking Insurance
Cyberinsurance is the fastest-growing insurance product in America, fueled by a slate of recent corporate and government hackings.


A very clever illustration of growing breaches.
How data breaches grew to massive proportions in 11 years


It signals the era in which journalists caught up with security experts.  We have been hacking into individual voting machines for many election cycles.  It is still difficult to “hack an election” because there is still no voting machine standard and a large percentage of the vote is still on paper ballots.  If you want to hack the whole thing, wait until Internet voting is the rule.
Does Russia’s Election Hacking Signal a New Era in Espionage?
This weekend, Michael Morell, the former acting director of the CIA, was asked about the intelligence community’s findings that Russia interfered in the presidential election.  His answer was unequivocal: The country isn’t grasping the magnitude of the story, he told The Cipher Brief.  “To me, and this is to me not an overstatement, this is the political equivalent of 9/11.”
In spite of the distinctive 21st-century flavor of the digital intrusions, the data breaches that affected Democrats are just a modern example of routine country-on-country spying.  What sets them apart, though, is the high profile of their mark—an American presidential election—and the hackers’ willingness to leak stolen information to influence voters’ opinions.  Altogether, it’s perhaps one of the greatest examples of a successful espionage operation in history.

(Related).  Perhaps this was intended to be an ‘equal opportunity hack’ but the hackers concentrated on their first success?  I find it hard to believe that Republican security was significantly better than Democratic security. 
Republican National Committee Security Foiled Russian Hackers
Russian hackers tried to penetrate the computer networks of the Republican National Committee, using the same techniques that allowed them to infiltrate its Democratic counterpart, according to U.S. officials who have been briefed on the attempted intrusion.
But the intruders failed to get past security defenses on the RNC’s computer networks, the officials said.  And people close to the investigation said it indicated a less aggressive and much less persistent effort by Russian intelligence to hack the Republican group than the Democratic National Committee.  Only a single email account linked to a long-departed RNC staffer was targeted.  


Was no one thinking like a customer?  More likely, they never asked for that type of review. 
Evernote Ditches Privacy Policy Allowing Note Access, Says Sorry To Furious Customers
After many of its customers promised to quit Evernote over an update to its privacy policy that allowed its employees to access user notes, the cloud software provider has decided to backtrack.
FORBES was the first to report the updates to the policy, one described by some customers as "disgusting" and "hard to believe."  Evernote justified the update saying it wanted to test new machine learning features and only vetted staff would be able to see unspecified portions of those notes.  The updated policy was due to go into force in late January, but it'll no longer be implemented.


A casual “we can ignore our policy for the time being?” 
Twitter Cuts Off Fusion Spy Centers’ Access to Social Media Surveillance Tool
After the ACLU of California discovered the domestic spy centers had access to this tool, provided by Dataminr (a company partly owned by Twitter), Dataminr was forced to comply with Twitter’s clear rule prohibiting use of data for surveillance.
Twitter sent a letter to the ACLU of California this week confirming that Dataminr has terminated access for all fusion center accounts.  The letter also makes clear that Dataminr will no longer provide social media surveillance tools to any local, state, or federal government customer.
This Twitter and Dataminr announcement applies to all seventy-seven fusion centers (six in California alone) that are currently operating in states across the country.
Through a public records request, the ACLU of California discovered that the Los Angeles area fusion center, JRIC, was using Dataminr and had access to the company’s powerful Geospatial Analysis Application that enables keyword searches and location-based tracking.


We will won’t will!
Verizon changes its mind and will kill Samsung’s Galaxy Note 7 on January 5th
Verizon has just announced that it plans to roll out Samsung’s upcoming Note 7 update, which permanently stops the recalled smartphone from charging and disables its wireless radios, on January 5th.  Only last week, the leading US carrier took a controversial stance when it said it would “not be taking part in this update because of the added risk this could pose to Galaxy Note 7 users that do not have another device to switch to.”


Always an interesting topic.
Risk and Anxiety: A Theory of Data Breach Harms
by Sabrina I. Pacifici on Dec 15, 2016
Solove, Daniel J. and Citron, Danielle Keats, Risk and Anxiety: A Theory of Data Breach Harms (December 14, 2016). Available for download at SSRN: https://ssrn.com/abstract=2885638
“In lawsuits about data breaches, the issue of harm has confounded courts.  Harm is central to whether plaintiffs have standing to sue in federal court and whether their claims are viable.  Plaintiffs have argued that data breaches create a risk of future injury from identity theft or fraud and that breaches cause them to experience anxiety about this risk.  Courts have been reaching wildly inconsistent conclusions on the issue of harm, with most courts dismissing data breach lawsuits for failure to allege harm.  A sound and principled approach to harm has yet to emerge, resulting in a lack of consensus among courts and an incoherent jurisprudence.  In the past five years, the U.S. Supreme Court has contributed to this confounding state of affairs.  In 2013, the Court in Clapper v. Amnesty International concluded that fear and anxiety about surveillance – and the cost of taking measures to protect against it – were too speculative to constitute “injury in fact” for standing.  The Court emphasized that injury must be “certainly impending” to warrant recognition.  This past term, the U.S. Supreme Court in Spokeo v. Robins issued an opinion aimed at clarifying the harm required for standing in a case involving personal data.  But far from providing guidance, the opinion fostered greater confusion.  What the Court made clear, however, was that “intangible” injury, including the “risk” of injury, could be sufficient to establish harm.  In cases involving informational injuries, when is intangible injury like increased risk and anxiety “certainly impending” or “substantially likely to occur” to warrant standing?  The answer is unclear.  Little progress has been made to harmonize this troubled body of law, and there is no coherent theory or approach.  In this essay, we examine why courts have struggled when dealing with harms caused by data breaches.  The difficulty largely stems from the fact that data breach harms are intangible, risk-oriented, and diffuse.  
Harms with these characteristics need not confound courts; the judicial system has been recognizing intangible, risk-oriented, and diffuse injuries in other areas of law.  We argue that courts are far too dismissive of certain forms of data breach harm.  In many instances, courts should find that data breaches cause cognizable harm.  We explore how existing legal foundations support the recognition of such harm.  We demonstrate how courts can assess risk and anxiety in a concrete and coherent way.”


Twit-in-Chief?
Poll: Most say Trump’s Twitter use ‘reckless and distracting’
Sixty-six percent of registered voters say they find President-elect Donald Trump’s handling of his Twitter account “reckless and distracting,” according to a poll released Thursday.
Twenty-one percent in the McClatchy/Marist survey consider it “effective and informative,” while 13 percent remain uncertain.


I haven’t seen a good summary of this meeting.  Still haven’t.
Who said what inside the Trump tech meeting: Immigration, paid maternity leave and becoming the ‘software president’
The leaders of tech were closemouthed about their meeting with President-elect Donald Trump yesterday in New York, saying little about it — before and after, in public and online.  Amazon CEO Jeff Bezos called the confab “very productive” — the verbal equivalent of dead air — but execs including Facebook COO Sheryl Sandberg, Alphabet CEO Larry Page, Apple CEO Tim Cook and SpaceX and Tesla CEO Elon Musk did not comment about what was said in the room, and most of the press reports afterward were very vague.  
Trump’s three eldest kids were present, which most sources close to the execs (no, I am not saying which ones) thought was inappropriate on a number of levels.
Microsoft CEO Satya Nadella brought up perhaps the most thorny issue: Immigration and how the government can help tech with things like H-1B visas to keep and bring in more talent.  Nadella pointed out that much of the company’s spending on research and development was in the U.S., even if 50 percent of the sales were elsewhere, so that immigration would benefit those here.
Surprisingly to the group, Trump apparently responded favorably, “Let’s fix that,” he said, without a specific promise, and then asked, “What can I do to make it better?”
Apple CEO Cook brought up a related issue, that of science, technology engineering and math education, which has been a big initiative of President Barack Obama, and also was pushed by Trump’s campaign rival Hillary Clinton.  
One of the most interesting exchanges was with Alphabet executive chairman Eric Schmidt, who briefly noted that he pondered what he would do if he were president, and then made the point that governmental information-technology programs were antiquated and unsafe, and needed to be upgraded.
Amazon CEO Jeff Bezos was apparently very voluble, and aimed many of his points at how U.S. companies had a hard time succeeding in China, and what the government could do about it.  Oracle CEO Safra Catz talked about the cloud, which she characterized as a little hyped (not a surprise from a database company).  IBM CEO Ginni Rometty talked about job creation, having earlier penned an op-ed promising that the company would bring 25,000 more jobs to the U.S.
Also brought up — but no one would say by whom — was the tax treatment of the repatriation of tech company profits from abroad, which would be a windfall for them.  (And which is why they were all there, IMHO.)
