Yeah, expensive breaches. Yeah, people are a
problem. Now, how do you fix it?
Adam Levin reports:
For the first time, according to a recent
study, criminal and state-sponsored hacks have surpassed human error
as the leading cause of health care data breaches, and it could be
costing the industry as much as $6 billion. With an
average organization cost of $2.1 million per breach, the
results of the study give rise to a question: How do you define
human error?
[…] Wetware is a term of art used by
hackers to describe a non-firmware, hardware or software approach to
getting the information they want to pilfer. In other words, people.
(The human body is more than 60% water.) Wetware
intrusions happen when a hacker exploits employee trust, predictable
behavior or the failure to follow security protocols. It
can be a spearphishing email, a crooked employee on the take or a
file found while Dumpster diving—and, of course, all stripes of
things in between. Whatever it is, there’s a human being involved.
We missed the live stream, but Fordham was nice
enough to record the sessions so we can watch them via LiveStream.
Fordham Law Center on Law and Information
Policy (CLIP) Ninth Law and Information Society Symposium. Trends in
the global processing of data, developments in new technologies,
privacy enforcement actions and government surveillance put
international privacy at the center of the global law and policy
agenda. Government regulators, policymakers, legal experts, and
industry players need to find solutions to cross-border conflicts and
to the issues presented by innovative technologies. This conference
seeks to create a robust, but informal dialog that will explore
possible solutions to current questions arising from the
international legal framework, infrastructure architecture and
commercial practices. The conference will use a unique format. Each
panel will start with a short presentation on the technological and
business context to set the stage. The panel will be an informal,
moderated roundtable discussion with a select group of experts
followed by a question and answer session from the audience.
Government in action: Told that a national drone
program was ineffective and inefficient, they now want to create 50
independent programs!
Joe Cadillic writes:
The Illinois State Police announced that
the FAA has authorized what it calls its ‘Unmanned Aircraft System
Program’.
It’s a F***ING surveillance drone
program! My god, DHS/Police are trying to mask what it really is by
calling it an ‘Unmanned Aircraft System Program’.
There’s even a UAS
news website where you can follow all the latest surveillance
drone news.
It doesn't bother the kids. How do we change
that?
“It’s a new crisis,” O’Shea said.
“Girls all are sending nude photographs of themselves all over the
place.”
So what should parents and schools do when
attempts to educate kids about privacy do not appear to be
sufficient? Enacting state laws on sexting and child pornography are
likely ineffective in really preventing impulsive acts or helping a
child resist any peer pressure to do what others are doing.
So here’s a novel thought: you wouldn’t give
the keys to your car to a 9-year-old, would you? Of course not,
because they don’t have the skills or judgement to drive safely.
The safety risks (apart from the legal jeopardy) are obvious.
So if your child doesn’t have the judgment to
use a cellphone safely, why are you giving them one? Are you
deluding yourself that your child – whose brain won’t be fully
developed for a few more decades – has the maturity to resist
impulses or peer pressure?
Are you even preventing them from downloading apps
that facilitate impulsive and poor decisions?
Yes, kids need privacy and we
don’t want our kids to be social outcasts because they don’t have
all the cool toys their friends do. [Teach
them to be leaders, not followers. Bob] But our first
job as parents is to keep them safe. If you’re not prepared to do
that, just hand them a phone, kid yourself that they’ll make good
choices all the time, and while you’re at it, go ahead and hand
them the keys to the car.
(Related) Not sure what prompted this, but it is
a reminder to the schools, not the students. (Presumably, not in the
nude)
(13 May 2015) In response to the concern about the
alleged unconsented uploading of video clips of secondary school
students online, the Office of the Privacy Commissioner for Personal
Data (“PCPD”) reminds the public of the privacy and legal issues
associated with the collection and use of personal data, and calls
for data users to respect the privacy rights of individuals.
We are particularly concerned about the incident
as it involves youngsters and their rights to privacy in the cyber
world. Any complaints made to the PCPD would be handled in
accordance with established procedures. If there is a prima facie case
of any contravention of the data protection principles or other
provisions under the Personal Data (Privacy) Ordinance, the PCPD may
initiate a formal investigation into the matters.
Based on the information in the media and other
information gathered by the PCPD so far, the following data
protection principles may be relevant to the incident:
Data Protection Principle 1 (Data
Collection Principle)
This Data Collection Principle requires the data
user to collect personal data in a lawful and fair way, and for a
purpose directly related to its function or activity. All
practicable steps shall be taken on or before collecting the data to
notify the data subjects of the purpose of data collection and the
classes of persons to whom the data may be transferred.
An organisation may collect personal data directly
related to its functions or activities. However, the collection
should be in accordance with the above requirements.
Data Protection Principle 3 (Data Use
Principle)
This Data Use Principle requires personal data to
be used for the purpose for which the data is collected or a directly
related purpose, unless voluntary and explicit consent is obtained
from the data subject.
Hence, an organization, before using or publishing
any personal data collected, needs to ascertain if such use or
publication is for the purpose for which the data is collected or a
directly related purpose, unless voluntary and explicit consent is
obtained from the data subject.
Cyber-bullying
Any improper use or sharing of personal data,
online or otherwise, could be far reaching and long lasting,
especially when the data is related to youngsters who are vulnerable
to harassment and disparaging comments. Schools and parents need to
educate youngsters about their privacy rights and responsibilities,
when the latter deal with threatening and harassing messages on the
Internet. If youngsters suspect that their privacy rights relating
to personal data are being abused, they should seek help from their
parents or legal guardian, and make a complaint to the PCPD.
Cyber-bullying inflicts harm on the victims that
can have devastating effects. People’s lives offline may also be
adversely affected as a result. In October 2014, the PCPD published
a leaflet entitled “Cyber-bullying – What you need to know” [1]
to remind the public of the privacy and legal issues associated with
cyber-bullying, and called for internet users to respect the right to
privacy in the cyber world.
The PCPD will continue to closely monitor the
situation, and take follow up action as appropriate in light of
further developments.
[1] “Cyber-bullying – What you need to know”
Doesn't the “without paying” bit have
something to do with the firing?
Jamie Williams writes:
We’ve said it before
and we’ll say it again:
violating a computer use restriction is not a crime. That’s why
today EFF filed an amicus
brief urging the Oregon Supreme Court to review a troubling
opinion by the Oregon Court of Appeals in State
v. Nascimento, finding an employee committed a computer
crime for violating her employer’s computer use restrictions.
Caryn Nascimento worked as a cashier at
the deli counter of a convenience store. As part of her job, she was
authorized to access a lottery terminal in the store to sell and
validate lottery tickets for paying customers. Store policy
prohibited employees from purchasing lottery tickets for themselves
or validating their own lottery tickets while on duty. After a store
manager noticed a discrepancy in the receipts from the lottery
terminal, it was discovered that Nascimento
had printed lottery tickets for herself without paying for them.
She was ultimately convicted not only of first-degree theft, but
also of computer crime on
the ground that she accessed the lottery terminal “without
authorization.”
Read more on EFF.
(Related) When is authorization not
authorization? Are we authorizing access or actions?
Orin Kerr writes:
The Second Circuit held
oral argument Tuesday in United
States v. Valle, widely known as the “Cannibal Cop”
case. There was a ton of media attention about this case at trial,
including the trial judge’s decision
to overturn the jury verdict for conspiracy to commit kidnapping
on the ground that it was all a fantasy. HBO has already
made a documentary about the case.
Amidst all this attention, the part of
Valle that I care about — and that worries me — has
flown under the radar. I’m referring to the defendant’s appeal
from the one count on which Valle was convicted: A violation of the
computer hacking statute, the Computer Fraud and Abuse Act.
[From the article:
The fact that Valle had to enter in an identifying
number and a PIN to access the government database doesn’t change
the analysis, for reasons I explain in this draft on pages 36-37.
Valle was fully authorized to access his account, and violating the
written restrictions on access doesn’t render his authorized access
unauthorized any more than federal employees or people with the
middle name “Ralph” are violating the CFAA when they visit the Volokh
Conspiracy. His CFAA conviction should be overturned.]
I confuse too easily to be a lawyer. So it's
legal to collect metadata and it's not legal to collect metadata.
In the excitement over the Second Circuit’s
ruling on the NSA’s bulk collection program, another very
significant appellate decision that was issued last week has been
largely overlooked: the Eleventh Circuit’s
en banc decision in United States v. Davis.
A majority of the eleven-judge panel held that the government did not
need a warrant to collect 67 days’ worth of cell site
location information on Quartavious Davis, who was suspected of
involvement in several armed robberies.
On first glance, the panel’s holding appears to
answer in the negative the question that the Second Circuit punted:
whether telephony metadata receives protection under the Fourth
Amendment. On closer examination, however, the fractured ruling, with
its many separate opinions, highlights a fundamental lack of
consensus over the reach of the third party doctrine.
Writing for the court, Judge Hull concludes that
the case is controlled by
United
States v. Miller (1976) and
Smith
v. Maryland (1979), which together stand for the proposition
that a person has no reasonable expectation of privacy in information
that he or she voluntarily conveys to a third party.
An indication that the world is coming together?
Or does WalMart view Amazon as more of a competitor than Alibaba?
(How do you say “merger” in Chinese?)
Wal-Mart to
accept Alipay in a bid for growth in China
Wal-Mart Stores is teaming up with Alibaba to roll
out the Alipay mobile payment service in China — its latest move to
increase sales in a tough, but potentially lucrative international
market.
Ant Financial, a financial affiliate of Alibaba,
said on Wednesday that the partnership with the world’s biggest
retailer would start with 25 stores in Shenzhen, including one of its
Sam’s Club locations, and be accepted at all 410 Wal-Mart stores in
China by the end of the year.
So is that really the Loch Ness Monster? (Digest
Item #4)
Wolfram Website Identifies Images
Stephen Wolfram, the genius behind Wolfram Alpha
and other amazing technologies, has launched
ImageIdentify, a new website which can automagically
identify objects from images. You simply add an image of
something you need to identify, and the Wolfram Language does the
hard work.
Millions of images were used to train
ImageIdentify, and while it still doesn’t get it right 100 percent
of the time, it learns every time you use it. So, right now it’s
more fun than useful, but in time it could become an essential tool
for anyone seeking to identify anything or anyone in an image.
Might amuse my students while I enter their
assignments... (Digest Item #5)
Type Drummer Turns Words Into Music
Type Drummer turns your words into music, quite literally. In this
simple writing tool, each letter of the alphabet has been assigned a
percussion sound. So, whatever you write creates a unique drum beat
that repeats once you reach the end of your sentence.
It’s definitely fun for five minutes, but it could also be used to
beat writer’s block by giving you a reason to write. You can also
share beats with friends, so if you stumble across a particularly
funky groove, you can save it for posterity.
Something my researching students might use?
To more than one pundit, last week’s election
in the United Kingdom looked like it would be the closest in a
generation. But at SurveyMonkey’s Palo Alto, California,
headquarters, thousands of miles away, things looked very different:
Respondents to an online poll conducted by the Internet survey
company from April 30 to May 6 showed the Conservatives, led by Prime
Minister David Cameron, as poised for an unexpectedly comprehensive
electoral triumph.
… Cohen had intended the most recent survey to
serve as an internal experiment, not be released to the public.
… It was a potential coming-of-age moment at a
time when many traditional pollsters think it’s inevitable that
online polls will become the industry norm. SurveyMonkey’s
decision to enter the fray of a heavily polled, high-profile election
created a big test for its methods, unusual even by online pollsters’
standards. In this instance, those methods worked well. But what
does that mean? That its kind of online polling is ready to compete
with, and beat, more traditional methods? Or that this poll was just
a fluke?
Interesting from many perspectives, not just for
my Ethical Hacking students.
Conservative techies launch 'app store' for campaigns
A group of conservative techies released an “app
store” on Wednesday to help campaigns adopt tech tools.
Lincoln Labs, which launched in 2013, has
published a list of tools that campaigns can use. The site covers
areas like internal communication, email marketing, technical
infrastructure, databases, analytics, fundraising and contact
management.
All of the tools are publicly available and
range from those used by the average user — like Gmail — to more
campaign-specific tools like advertising platform provider Targeted
Victory.