Friday, February 09, 2018

I wonder if the FBI grabbed a copy?
Key iPhone Source Code Gets Posted Online in 'Biggest Leak in History'
Update, February 8, 08:27 a.m.: Apple filed a copyright takedown request with GitHub and forced the company to remove the code.
Someone just posted what experts say is the source code for a core component of the iPhone’s operating system on GitHub, which could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve.
The GitHub code is labeled “iBoot,” which is the part of iOS that is responsible for ensuring a trusted boot of the operating system. In other words, it’s the program that loads iOS, the very first process that runs when you turn on your iPhone.

Poor management! Still no ‘requirement,’ but we’ll fine you anyway?
Sean Tassi reports:
Until recently, colleges and universities that experienced a data breach had no unique reporting obligations to the U.S. Department of Education. Institutions were expected to analyze security incidents under applicable federal and state laws and, when appropriate, notify affected individuals and appropriate federal and state agencies. Because the Family Educational Rights and Privacy Act (FERPA) does not contain a breach reporting obligation, ED had taken the position that a report directly to ED was optional.
ED, however, has now changed its stance and has started levying Cleryesque fines — up to $56,789 per violation — against institutions that fail to report a data breach directly to ED. The importance of data security and the prevention of cybercrimes are unquestioned, but ED’s new stance on breach reporting raises practical problems.
Read more on Campus Technology.
[From the Article:
ED has taken an informal approach to notifying institutions about its new breach reporting expectations. Instead of publishing official guidance, ED is notifying institutions about the new obligations at Federal Student Aid conferences and via webinars (such as the Nov. 14, 2017 webinar available here). Attendees are taking the mandate back to their campuses, but the change is being met with resistance from administrators and practitioners — in large part, because the new expectations contradict ED's previous written guidance in documents like the Data Breach Response Checklist published by ED's Privacy Technical Assistance Center in 2012 (which was still available on the PTAC's website as of the date that this article was written). ED's informal approach to notification means that some institutions likely do not know that ED's reporting expectations have changed and, more importantly, institutions will continue to be confused in 2018.]

A long and detailed post. I’ve pulled some bits and pieces...
Camille Fischer writes:
This week, Senators Hatch, Graham, Coons, and Whitehouse introduced a bill that diminishes the data privacy of people around the world.
The Clarifying Overseas Use of Data (CLOUD) Act expands American and foreign law enforcement’s ability to target and access people’s data across international borders in two ways. First, the bill creates an explicit provision for U.S. law enforcement (from a local police department to federal agents in Immigration and Customs Enforcement) to access “the contents of a wire or electronic communication and any record or other information” about a person regardless of where they live or where that information is located on the globe. In other words, U.S. police could compel a service provider—like Google, Facebook, or Snapchat—to hand over a user’s content and metadata, even if it is stored in a foreign country, without following that foreign country’s privacy laws.
… This bill would also moot legal proceedings now before the U.S. Supreme Court. In the spring, the Court will decide whether or not current U.S. data privacy laws allow U.S. law enforcement to serve warrants for information stored outside the United States. The case, United States v. Microsoft (often called “Microsoft Ireland”), also calls into question principles of international law, such as respect for other countries’ territorial boundaries and their rule of law.
… The CLOUD Act would give unlimited jurisdiction to U.S. law enforcement over any data controlled by a service provider, regardless of where the data is stored and who created it. This applies to content, metadata, and subscriber information – meaning private messages and account details could be up for grabs
