Yeah, expensive breaches. Yeah, people are a
problem. Now, how do you fix it?
Adam Levin reports:
For the first time, according to a recent study, criminal and state-sponsored hacks have surpassed human error as the leading cause of health care data breaches, and it could be costing the industry as much as $6 billion. With an average organization cost of $2.1 million per breach, the results of the study give rise to a question: How do you define human error?
[…] Wetware is a term of art used by hackers to describe a non-firmware, hardware or software approach to getting the information they want to pilfer. In other words, people. (The human body is more than 60% water.) Wetware intrusions happen when a hacker exploits employee trust, predictable behavior or the failure to follow security protocols. It can be a spearphishing email, a crooked employee on the take or a file found while Dumpster diving—and, of course, all stripes of things in between. Whatever it is, there’s a human being involved.
Read more on Forbes.
We missed the live stream, but Fordham was nice
enough to record the sessions so we can watch them via LiveStream.
Fordham Law Center on Law and Information Policy (CLIP) Ninth Law and Information Society Symposium. Trends in the global processing of data, developments in new technologies, privacy enforcement actions and government surveillance put international privacy at the center of the global law and policy agenda. Government regulators, policymakers, legal experts, and industry players need to find solutions to cross-border conflicts and to the issues presented by innovative technologies. This conference seeks to create a robust, but informal dialog that will explore possible solutions to current questions arising from the international legal framework, infrastructure architecture and commercial practices. The conference will use a unique format. Each panel will start with a short presentation on the technological and business context to set the stage. The panel will be an informal, moderated roundtable discussion with a select group of experts followed by a question and answer session from the audience.
Government in action: Told that a national drone
program was ineffective and inefficient, they now want to create 50
independent programs!
Joe Cadillic writes:
The Illinois State Police announced that the FAA has authorized what it calls its ‘Unmanned Aircraft System Program’.
It’s a F***ING surveillance drone program! My god, DHS/Police are trying to mask what it really is by calling it an ‘Unmanned Aircraft System Program’.
There’s even a UAS news website where you can follow all the latest surveillance drone news.
Read more on MassPrivateI.
It doesn't bother the kids. How do we change
that?
This quote from an article in the Chicago
Tribune seems to say it all:
“It’s a new crisis,” O’Shea said. “Girls all are sending nude photographs of themselves all over the place.”
So what should parents and schools do when
attempts to educate kids about privacy do not appear to be
sufficient? Enacting state laws on sexting and child pornography is
likely ineffective in really preventing impulsive acts or helping a
child resist any peer pressure to do what others are doing.
So here’s a novel thought: you wouldn’t give
the keys to your car to a 9-year-old, would you? Of course not,
because they don’t have the skills or judgement to drive safely.
The safety risks (apart from the legal jeopardy) are obvious.
So if your child doesn’t have the judgment to
use a cellphone safely, why are you giving them one? Are you
deluding yourself that your child – whose brain won’t be fully
developed for a few more decades – has the maturity to resist
impulses or peer pressure?
Are you even preventing them from downloading apps
that facilitate impulsive and poor decisions?
Yes, kids need privacy and we
don’t want our kids to be social outcasts because they don’t have
all the cool toys their friends do. [Teach
them to be leaders, not followers. Bob] But our first
job as parents is to keep them safe. If you’re not prepared to do
that, just hand them a phone, kid yourself that they’ll make good
choices all the time, and while you’re at it, go ahead and hand
them the keys to the car.
(Related) Not sure what prompted this, but it is
a reminder to the schools, not the students. (Presumably, not in the
nude)
(13 May 2015) In response to the concern about the
alleged unconsented uploading of video clips of secondary school
students online, the Office of the Privacy Commissioner for Personal
Data (“PCPD”) reminds the public of the privacy and legal issues
associated with the collection and use of personal data, and calls
for data users to respect the privacy rights of individuals.
We are particularly concerned about the incident
as it involves youngsters and their rights to privacy in the cyber
world. Any complaints made to the PCPD would be handled in
accordance with established procedures. If there is a prima facie case
of any contravention of the data protection principles or other
provisions under the Personal Data (Privacy) Ordinance, the PCPD may
initiate a formal investigation into the matters.
Based on the information in the media and other
information gathered by the PCPD so far, the following data
protection principles may be relevant to the incident:
Data Protection Principle 1 (Data
Collection Principle)
This Data Collection Principle requires the data
user to collect personal data in a lawful and fair way, and for a
purpose directly related to its function or activity. All
practicable steps shall be taken on or before collecting the data to
notify the data subjects of the purpose of data collection and the
classes of persons to whom the data may be transferred.
An organisation may collect personal data directly
related to its functions or activities. However, the collection
should be in accordance with the above requirements.
Data Protection Principle 3 (Data Use
Principle)
This Data Use Principle requires personal data to
be used for the purpose for which the data is collected or a directly
related purpose, unless voluntary and explicit consent is obtained
from the data subject.
Hence, an organization, before using or publishing
any personal data collected, needs to ascertain if such use or
publication is for the purpose for which the data is collected or a
directly related purpose, unless voluntary and explicit consent is
obtained from the data subject.
Cyber-bullying
Any improper use or sharing of personal data,
online or otherwise, could be far reaching and long lasting,
especially when the data is related to youngsters who are vulnerable
to harassment and disparaging comments. Schools and parents need to
educate youngsters about their privacy rights and responsibilities,
when the latter deal with threatening and harassing messages on the
Internet. If youngsters suspect that their privacy rights relating
to personal data are being abused, they should seek help from their
parents or legal guardian, and make a complaint to the PCPD.
Cyber-bullying inflicts harm on the victims that
can have devastating effects. People’s lives offline may also be
adversely affected as a result. In October 2014, the PCPD published
a leaflet entitled “Cyber-bullying – What you need to know”
to remind the public of the privacy and legal issues associated with
cyber-bullying, and called for internet users to respect the right to
privacy in the cyber world.
The PCPD will continue to closely monitor the
situation, and take follow up action as appropriate in light of
further developments.
Doesn't the “without paying” bit have
something to do with the firing?
Jamie Williams writes:
We’ve said it before and we’ll say it again: violating a computer use restriction is not a crime. That’s why today EFF filed an amicus brief urging the Oregon Supreme Court to review a troubling opinion by the Oregon Court of Appeals in State v. Nascimento, finding an employee committed a computer crime for violating her employer’s computer use restrictions.
Caryn Nascimento worked as a cashier at the deli counter of a convenience store. As part of her job, she was authorized to access a lottery terminal in the store to sell and validate lottery tickets for paying customers. Store policy prohibited employees from purchasing lottery tickets for themselves or validating their own lottery tickets while on duty. After a store manager noticed a discrepancy in the receipts from the lottery terminal, it was discovered that Nascimento had printed lottery tickets for herself without paying for them. She was ultimately convicted not only of first-degree theft, but also of computer crime on the ground that she accessed the lottery terminal “without authorization.”
Read more on EFF.
(Related) When is authorization not
authorization? Are we authorizing access or actions?
Orin Kerr writes:
The Second Circuit held oral argument Tuesday in United States v. Valle, widely known as the “Cannibal Cop” case. There was a ton of media attention about this case at trial, including the trial judge’s decision to overturn the jury verdict for conspiracy to commit kidnapping on the ground that it was all a fantasy. HBO has already made a documentary about the case.
Amidst all this attention, the part of Valle that I care about — and that worries me — has flown under the radar. I’m referring to the defendant’s appeal from the one count on which Valle was convicted: A violation of the computer hacking statute, the Computer Fraud and Abuse Act.
Read more on The Volokh Conspiracy.
[From the article:
The fact that Valle had to enter in an identifying
number and a PIN to access the government database doesn’t change
the analysis, for reasons I explain in
this draft on page 36-37. Valle was fully authorized to access
his account, and violating the written restrictions on access doesn’t
render his authorized access unauthorized any more than federal
employees or people with the middle name “Ralph” are
violating the CFAA when they visit the Volokh Conspiracy. His CFAA
conviction should be overturned.
I confuse too easily to be a lawyer. So it's
legal to collect metadata and it's not legal to collect metadata.
In the excitement over the Second Circuit’s
ruling on the NSA’s bulk collection program, another very
significant appellate decision that was issued last week has been
largely overlooked: the Eleventh Circuit’s en banc
decision in United
States v. Davis. A
majority of the eleven judge panel held that the government did not
need a warrant to collect 67 days’ worth of cell site
location information on Quartavious Davis, who was suspected of
involvement in several armed robberies.
On first glance, the panel’s holding appears to
answer in the negative the question that the Second Circuit punted:
whether telephony metadata receives protection under the Fourth
Amendment. On closer examination, however, the fractured ruling, with
its many separate opinions, highlights a fundamental lack of
consensus over the reach of the third party doctrine.
Writing for the court, Judge Hull concludes that
the case is controlled by United
States v. Miller (1976) and Smith
v. Maryland (1979), which together stand for the proposition
that a person has no reasonable expectation of privacy in information
that he or she voluntarily conveys to a third party.
An indication that the world is coming together?
Or does WalMart view Amazon as more of a competitor than Alibaba?
(How do you say “merger” in Chinese?)
Wal-Mart to accept Alipay in a bid for growth in China
Wal-Mart Stores is teaming up with Alibaba to roll
out the Alipay mobile payment service in China — its latest move to
increase sales in a tough, but potentially lucrative international
market.
Ant Financial, a financial affiliate of Alibaba,
said on Wednesday that the partnership with the world’s biggest
retailer would start with 25 stores in Shenzhen, including one of its
Sam’s Club locations, and be accepted at all 410 Wal-Mart stores in
China by the end of the year.
So is that really the Loch Ness Monster? (Digest
Item #4)
Wolfram Website Identifies Images
Stephen Wolfram, the genius behind Wolfram Alpha
and other amazing technologies, has launched ImageIdentify,
a new website which can automagically
identify objects from images. You simply add an image of
something you need to identify, and the Wolfram Language does the
hard work.
Millions of images were used to train
ImageIdentify, and while it still doesn’t get it right 100 percent
of the time, it learns every time you use it. So, right now it’s
more fun than useful, but in time it could become an essential tool
for anyone seeking to identify
anything or anyone in an image.
Might amuse my students while I enter their
assignments... (Digest Item #5)
Type Drummer Turns Words Into Music
Type Drummer turns your words into music, quite literally. In this
simple writing tool, each letter of the alphabet has been assigned a
percussion sound. So, whatever you write creates a unique drum beat
that repeats once you reach the end of your sentence.
It’s definitely fun
for five minutes, but it could also be used to beat
writer’s block by giving you a reason to write. You can also
share beats with friends, so if you stumble across a particularly
funky groove, you can save it for posterity.
Something my researching students might use?
To more than one
pundit,
last week’s election
in the United Kingdom looked like it would be the closest in a
generation. But at SurveyMonkey’s Palo Alto, California,
headquarters, thousands of miles away, things looked very different:
Respondents to an online poll conducted by the Internet survey
company from April 30 to May 6 showed the Conservatives, led by Prime
Minister David Cameron, as poised for an unexpectedly comprehensive
electoral triumph.
… Cohen had intended the most recent survey to
serve as an internal experiment, not be released to the public.
… It was a potential coming-of-age moment at a
time when many traditional pollsters think it’s inevitable that
online polls will become the industry norm. SurveyMonkey’s
decision to enter the fray of a heavily polled, high-profile election
created a big test for its methods, unusual even by online pollsters’
standards. In this instance, those methods worked well. But what
does that mean? That its kind of online polling is ready to compete
with, and beat, more traditional methods? Or that this poll was just
a fluke?
Interesting from many perspectives, not just for
my Ethical Hacking students.
A group of conservative techies released an “app
store” on Wednesday to help campaigns adopt tech tools.
Lincoln Labs, which launched in 2013, has
published a list of tools that campaigns can use. The site covers
areas like internal communication, email marketing, technical
infrastructure, databases, analytics, fundraising and contact
management.
All of the tools are publicly available and
range from those used by the average user — like Gmail — to more
campaign-specific tools like advertising platform provider Targeted
Victory.