Wednesday, October 24, 2018

Why would Russia stop these attacks? There are no serious consequences.
Hack of Saudi Petrochemical Plant Was Coordinated From Russian Institute
… A new study of the malicious computer code used in a botched attack on a Saudi petrochemical plant concludes that much of the effort was coordinated from inside a state-owned Russian scientific institute, one of the most direct links between official Russian hackers and a hostile intrusion on a major piece of infrastructure.
The report, issued by FireEye, a major cybersecurity company, identifies the Central Scientific Research Institute of Chemistry and Mechanics, a technical research institute in Moscow with ties to Russian governments reaching back before the 1917 Bolshevik revolution. But it leaves unanswered the question of why Moscow would target a Middle Eastern plant, even given Russia’s rivalry with Saudi Arabia in the petroleum marketplace.
The New York Times identified the facility in March as a Saudi plant, at a time that there was wide consensus that the attack must have been initiated by Iran, Saudi Arabia’s great rival for regional influence.
It still may have been that Iran was behind the attack — but the new research suggests that, if it was, Iran had a lot of Russian help, and that when the malware needed to be fine-tuned, the Russian institute provided the expertise.




Covering up for two or three years didn’t buy them much.
Yahoo to pay $50M, other costs for massive security breach
Yahoo has agreed to pay $50 million in damages and provide two years of free credit-monitoring services to 200 million people whose email addresses and other personal information were stolen as part of the biggest security breach in history.
The restitution hinges on federal court approval of a settlement filed late Monday in a 2-year-old lawsuit seeking to hold Yahoo accountable for digital burglaries that occurred in 2013 and 2014, but weren’t disclosed until 2016.
… Yahoo revealed the problem after it had already negotiated a $4.83 billion deal to sell its digital services to Verizon Communications. It then had to discount that price by $350 million to reflect its tarnished brand and the specter of other potential costs stemming from the breach.




Security theater? If you don’t expect to find a weapon, why waste time and money on a search?
My Daughter's Middle School Plans to Teach Her Meek Compliance With Indiscriminate Invasions of Privacy
Friday afternoon, I received a notice from the Plano Independent School District, which runs the middle school our youngest daughter attends in Dallas, describing a new policy authorizing "random, suspicion-less metal detector searches" of students in grades 6 through 12.
… Any student "who refuses to comply with the search process will be removed from campus and subject to disciplinary consequences."
… According to the Supreme Court, targeted searches of public school students require "reasonable suspicion" that contraband will be discovered, which is a lighter burden than the usual standard of "probable cause" but still better than nothing. The constitutional rationale for Plano ISD's new policy, which was unanimously approved by the school board in August, is that the searches are "administrative," meaning there is no reason to believe that any particular student forced to undergo them is carrying a weapon. Perversely, this complete lack of evidence is supposed to make the searches compatible with the Fourth Amendment's ban on unreasonable searches and seizures.




Typical New Jersey. Call it: targeted fake news.
Middletown released residents' email addresses to a mystery third party
On July 10, the Middletown government received a public records request seeking all the names and email addresses of people who had voluntarily turned over this contact information to the town in order to receive emergency alerts and updates on local happenings.
Ten days later, Middletown gave "Watch07748@gmail.com" — the requesting party that provided no name or mailing address — all of those email addresses.
That might have been where the story ended, except that on Sept. 29 an email, purporting to be from a grassroots organization that doesn't appear to exist, landed in the inboxes of seemingly everyone who was on the township's email list.
The email attacked a Democratic candidate for township committee…
… When asked about it at Monday night's committee hearing, Perry said he did not write the email. He did not, however, completely distance his campaign from the email blast, stating that the email addresses were obtained legally.
The New Jersey Election Law Enforcement Commission says that political communications, in whatever form, must include language that identifies who paid to create or distribute that message. Failure to do so could be a violation of election law.

