Thursday, March 23, 2017

This is a really bad idea.  You do not want to get into a contest of skills with the world of hackers.
Proposed Legislation Would Give Legal Right to Hack Back
Hacking back is a perennial and contentious issue.  Its latest instance comes in the form of a 'Discussion Draft' bill proposed by Representative Tom Graves (R-GA): The Active Cyber Defense Certainty Act.  Graves claims it is gaining bipartisan support, and he expects to present it to the House of Representatives for vote within the next few months.
The Draft Bill (PDF) is an amendment to the Computer Fraud and Abuse Act (CFAA).
   It is discussed in detail and expanded in the study titled Into the Grey Zone: The Private Sector and Active Defense against Cyber Threats published by the George Washington University in October 2016.
   So, two immediate problems with allowing hacking back are that a lack of expertise could either compromise forensic evidence, or accidentally cause actual harm to the attackers' supposed computers.  Without adequate expertise, the supposed servers might not even be the attackers' servers.  "Because of (compromised) proxies," comments F-Secure's security advisor Sean Sullivan, "hacking back/active defense is complicated and it's quite unlikely that the US Congress would be able to properly define what should be allowed or not."


This would be interesting.  “Cut off our hard currency with sanctions and we’ll just rob your banks?”   
North Korea Said to Be Target of Inquiry Over $81 Million Cyberheist
Federal prosecutors are investigating North Korea’s possible role in the theft of $81 million from the central bank of Bangladesh in what security officials fear could be a new front in cyberwarfare.
The United States attorney’s office in Los Angeles has been examining the extent to which the North Korea government aided and abetted the bold heist in February 2016, according to a person briefed on the investigation who was not authorized to speak publicly.
   News of the criminal investigation into North Korea’s role in the Bangladesh bank attack was reported earlier on Wednesday by The Wall Street Journal.  It was not clear whether any charges from the investigation were imminent.

(Related).
JOHN MCCAIN: There's a 'crazy fat kid' running North Korea


I’ll have to find an article with more details, but the idea of government-mandated minimum standards is interesting.
Dror Halavy reports:
The Knesset Law and Constitutional Committee has approved measures that will require companies and groups that collect data on Israelis to protect the information from hackers.  The new rules, which supply specific criteria to organizations on the types of security needed, will apply equally to government and private sector organizations.
The measures are based on research done by the Justice Ministry, and recently completed at the behest of Justice Minister Ayelet Shaked.  Under the measures, organizations will determine whether the data they hold is of low, medium, or high sensitivity for privacy; for example, medical information will be considered as part of the latter category, while membership in a store club might be listed in the former categories.
Each level of sensitivity will require more severe cyber-security strictures and standards.  Organizations will have to apply specific approved solutions that meet standards described in the measures.  Failure to do so could leave them subject to civil or criminal actions in the event of a security breach.
Read more on Hamodia.


Mission creep? 
Joe Cadillic writes:
Imagine driving down the road and being stopped by a Border Patrol agent for speeding.  Imagine Border Patrol agents responding to domestic abuse calls at people’s homes.  Imagine the Border Patrol responding to trespassing calls and detaining motorists with K-9’s.  
You can stop imagining, because it’s happening in New York, Vermont, Maine and now New Hampshire.  House Bill 1298 gives DHS’s Border Patrol agents police powers in NH.
Read more on MassPrivateI.
[From the article:]
Americans can forget about DHS's 100 mile border zone inside the U.S., because now the Border Police Patrol has arrest powers throughout entire states!


A border search going the other direction?
Mar. 20 – Cause of Action Institute (“CoA Institute”) today filed an amicus curiae brief in support of Defendant Hamza Kolsuz who in February, 2016 was arrested at a Virginia airport attempting to board a plane bound for Istanbul, Turkey.
   The brief states:
At the time of the search, neither Mr. Kolsuz nor his smartphone were in the process of crossing any border.  The Government was not furthering any interest in prohibiting the entry or exit of contraband, enforcing currency control, levying duties or tariffs, or excluding travelers without the proper documentation to enter the country…
The full brief is available here.


A different take.  Why would this be illegal?  Isn’t it similar to using a dashboard camera?  They are looking at cars on a public road and using technology available at any high school (for measuring the speed of baseballs).  The letter reads as if they were trespassing on state controlled land (the highway). 
The state of Virginia is not happy that the Insurance Institute for Highway Safety (IIHS) set up speed cameras on Virginia highways without any authority to do so.  State officials sent a warning letter to the industry lobbying group in October.
“We recently received a concern claiming your organization set up equipment on property controlled by the Virginia Department of Transportation (VDOT),” Northern Virginia District Administrator Helen Cuervo wrote.  “In reviewing our records, it does not appear that your organization had a legal permit to do so.”
Read more on TheNewspaper.com.  So they get to keep the data they illegally obtained and then used to lobby for changes that would benefit their industry?  They should be made to destroy the data.


If venture capital were easy to find, everyone would be an entrepreneur!
US Tech Startups’ China money spooks Pentagon
A new white paper commissioned by the US defense department says Beijing isn’t just investing in critical technologies at home, they are doing it in the US as well.  The New York Times reports that some tech startups working on projects with military applications have received money from state-run Chinese firms.  Lawmakers calling for stricter oversight of Chinese investments note that the scope of the interagency Committee on Foreign Investment in the US (Cfius) does not include smaller investments, such as those into tech startups.  Despite the increased scrutiny, many firms say the Chinese investors are their only option.


Clearly, Tillerson does not like people looking over his shoulder.  Apparently, they failed to inform the Records Retention people that he was using an alias.  (But just for one year near the end of that period?) 
Exxon admits it lost up to a year's worth of Rex Tillerson's 'Wayne Tracker' emails
Exxon Mobil lost up to a year's worth of emails sent by former CEO and current Secretary of State Rex Tillerson under the pseudonym "Wayne Tracker," court documents show.
Exxon is under investigation by New York State Attorney General Eric T. Schneiderman for allegedly misleading shareholders and investors about risk-management issues related to climate change.
Tillerson used the Wayne Tracker alias to communicate with Exxon officials about "risk-management issues related to climate change." Tillerson — whose middle name is Wayne — allegedly used the alias for a period of seven years, between 2008 and 2015, according to Schneiderman's office.
