Monday, April 03, 2017
How timely! My Computer Security class starts this week.
Leaked records up 566 percent to 4 billion in 2016: IBM Security
In 2016, more than 4 billion records were leaked worldwide, exceeding the combined total from the two previous years, according to a report from IBM Security.
In its IBM X-Force Threat Intelligence Index 2017, Big Blue explained the leaked documents comprised the usual credit cards, passwords, and personal health information, but also noted a shift in cybercriminal strategies, finding a number of significant breaches were related to unstructured data such as email archives, business documents, intellectual property, and source code.
… "While the volume of records compromised last year reached historic highs, we see this shift to unstructured data as a seminal moment. The value of structured data to cybercriminals is beginning to wane as the supply outstrips the demand. Unstructured data is big-game hunting for hackers and we expect to see them monetise it this year in new ways."
Turn off ‘surveillance by default.’
… Right-click on the Start Button and open Device Manager.
In the Device Manager window, expand the Audio inputs and outputs section and you will see your Microphone listed there as one of the interfaces. Right-click on Microphone and select Disable.
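The same device-level disable can be done from an elevated PowerShell prompt, which is easier to repeat across several machines and to verify afterwards. The script below is an added example, not part of the quoted article; it uses the built-in PnpDevice cmdlets (Get-PnpDevice, Disable-PnpDevice, Enable-PnpDevice) and assumes, as the article's Device Manager path does, that the microphone appears under the "Audio inputs and outputs" class (AudioEndpoint) with "Microphone" in its friendly name.

```powershell
# Added example (not from the quoted article): disable the microphone endpoint(s)
# from PowerShell instead of clicking through Device Manager.
# Assumption: the microphone is listed under the AudioEndpoint class
# ("Audio inputs and outputs" in Device Manager) with "Microphone" in its name.
#Requires -RunAsAdministrator

# 1. Show every audio endpoint so you can see what is currently enabled.
Get-PnpDevice -Class AudioEndpoint |
    Select-Object Status, FriendlyName, InstanceId

# 2. Disable every present, currently working endpoint whose name contains "Microphone".
$mics = Get-PnpDevice -Class AudioEndpoint -PresentOnly |
    Where-Object { $_.FriendlyName -like '*Microphone*' -and $_.Status -eq 'OK' }

foreach ($mic in $mics) {
    Disable-PnpDevice -InstanceId $mic.InstanceId -Confirm:$false
    Write-Host "Disabled: $($mic.FriendlyName)"
}

# 3. Verify: a disabled device no longer reports Status 'OK'.
Get-PnpDevice -Class AudioEndpoint |
    Where-Object { $_.FriendlyName -like '*Microphone*' } |
    Select-Object Status, FriendlyName

# To undo later, re-enable the same endpoints:
# Get-PnpDevice -Class AudioEndpoint |
#     Where-Object { $_.FriendlyName -like '*Microphone*' } |
#     Enable-PnpDevice -Confirm:$false
```

Run step 1 first on an unfamiliar machine: some systems list a second capture device (for example a headset or a "Stereo Mix" loopback) that does not contain the word "Microphone", and such a device would be left enabled by the filter above. Re-run step 3 after driver or feature updates to confirm the device is still disabled.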
Paper – Encryption Workarounds
Kerr, Orin S. and Schneier, Bruce, Encryption Workarounds (March 20, 2017). Available at SSRN: https://ssrn.com/abstract=2938033 or http://dx.doi.org/10.2139/ssrn.2938033
“The widespread use of encryption has triggered a new step in many criminal investigations: the encryption workaround. We define an encryption workaround as any lawful government effort to reveal an unencrypted version of a target’s data that has been concealed by encryption. This essay provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use. The remainder of the essay develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. Whether encryption will be a game-changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered.”
Now we need to consider how to make hacking defensible.
New Report Aims to Help Criminal Defense Attorneys Challenge Secretive Government Hacking
“Lawyers at EFF, the ACLU, and the National Association of Criminal Defense Lawyers released a report today outlining strategies for challenging law enforcement hacking, a technique of secretly and remotely spying on computer users to gather evidence. Federal agents are increasingly using this surveillance technique, and the report will help those targeted by government malware—and importantly their attorneys—fight to keep illegally-obtained evidence out of court. A recent change in little-known federal criminal court procedures, which was quietly pushed by the Justice Department, has enabled federal agents to use a single warrant to remotely search hundreds or thousands of computers without having to specify whose information is being captured or where they are. We expect these changes to result in much greater use of the technique, and the guide will arm attorneys with information necessary to defend their clients and ensure that law enforcement hacking complies with the Constitution and other laws…”
Basing an insurance rate on the manufacturer’s programming skills?
Self-Driving Cars Raise Questions About Who Carries Insurance
… Billionaire investor Warren Buffett, whose company, Berkshire Hathaway, owns the insurance giant Geico, told CNBC in a February interview: "If the day comes when a significant portion of the cars on the road are autonomous, it will hurt Geico's business very significantly."
That would seem to make sense. If humans aren't driving the cars, who needs a car insurance policy?
… Right now, insurance rates are calculated mostly based on attributes of drivers — their claims histories, driving records and such. Increasingly, some insurers also use apps or devices that allow them to track speeding and other behaviors. Insurers can then offer discounts as rewards for safe driving.
A driverless car changes that model, shifting the insurance toward automakers, and away from drivers or car owners.
… Right now, Smith says, one of the biggest obstacles for insurers is a lack of data.
"Insurance is a data-based effort to really predict the future based on the past, and when you have dramatically different technologies and new applications for automated driving, it makes predicting the future much harder because you don't have those reliable data about the past and present," he says.
Juliet: "What's in a name? That which we call a rose by any other name would smell as sweet." Romeo and Juliet (II, ii, 1-2)
“If we don’t talk about it, it will go away.” DOE
“No, it won’t!” Al Gore
Energy Department climate office bans use of phrase ‘climate change’
Politico, Eric Wolff – “The Office of International Climate and Clean Energy is the only office at DOE with the words ‘climate’ in its name, and it may be endangered as Trump looks to reorganize government agencies. A supervisor at the Energy Department’s international climate office told staff this week not to use the phrases “climate change,” “emissions reduction” or “Paris Agreement” in written memos, briefings or other written communication, sources have told POLITICO. Employees of DOE’s Office of International Climate and Clean Energy learned of the ban at a meeting Tuesday [March 28, 2017], the same day President Donald Trump signed an executive order [Presidential Executive Order on Promoting Energy Independence] at EPA headquarters to reverse most of former President Barack Obama’s climate regulatory initiatives. Officials at the State Department and in other DOE offices said they had not been given a banned words list, but they had started avoiding climate-related terms in their memos and briefings given the new administration’s direction on climate change…”