For my Computer Security students. Some privacy can be risky.
Wildly Popular App Kik Offers Teenagers, and Predators, Anonymity
… law enforcement officials say Kik — used by 40 percent of American teenagers, by the company’s own estimate — goes further than most widely used apps in shielding its users from view, often making it hard for investigators to know who is using it, or how. (Yik Yak is another popular app under fire for its use of anonymous messages.)
“Kik is the problem app of the moment,” said David Frattare, commander of the Ohio Internet Crimes Against Children Task Force, which includes hundreds of law enforcement agencies. “We tell parents about Kik, and to them it’s some earth-shattering news, and then it turns out it’s been on their kid’s phone for months and months. And as a law enforcement agency, the information that we can get from Kik is extremely limited.”
Kik’s appeal to young people goes far beyond anonymity. Teenagers like its special emoji and other features. It offers free and unlimited texting. And like AOL Instant Messenger and MySpace before it, Kik is a space that parents are unlikely to know about. But it is also a place where inappropriate sexual content and behavior can flourish.
… Founded in 2009 and based in Canada, Kik aspires to become the Western version of WeChat, the hugely successful messaging service in China that offers free texting, e-commerce and content delivery. Its main appeal is privacy and anonymity: The app is free, and allows people to find strangers and communicate with them anonymously, through a user name.
… The company is taking a variety of steps, including sponsoring an annual conference on crimes against children and posting a law enforcement guide on its website, to “assist in preventing child exploitation,” said Lisa van Heugten, who was hired two years ago and helped form a special Kik division devoted to fielding law enforcement requests.
… Unlike some competing apps, Kik says it does not have the ability to view written messages between users, or to show them to the police. It can view pictures and videos, but retains them only until the recipient’s device has received the message. Those practices are legal.
Does anyone explain the technology before we open the can of worms? Did the FBI look at what was 'eventually' returned to him? (His IP address)
Joshua Kopstein writes:
The judge who authorized the FBI to hack 1,300 dark web users under a single warrant seems to be pretty confused about how the anonymity software Tor works. Newly unsealed documents suggest that the confusion stems from the US Department of Justice’s own arguments.
In the documents, the DOJ argues that Tor users have no reasonable expectation of privacy when it comes to their IP address. This is the same argument that the judge used to justify the FBI implanting malware onto a dark web site in order to grab user IP addresses. It’s also a counterintuitive point to make given that masking a computer’s IP address is the whole point of using Tor.
Read more on Motherboard.
[From the 'confused' article:
To prove this, the judge bizarrely argued that Tor doesn't give its users complete anonymity because a user has to give their IP address to their Internet Service Provider to connect to the Tor network. Therefore, he concluded, Michaud's IP address was “public information, like an unlisted telephone number” that “eventually could have been discovered.”
This makes no sense to anyone with a basic understanding of how Tor works. Just like with any website or service, Tor users do reveal their IP address to an ISP when initially connecting to the Tor network, through an entry point called a guard node. But since Tor bounces data between random nodes located around the world, neither the ISP nor anyone intercepting traffic can correlate which IPs are accessing which sites.
Nevertheless, the judge ruled that Michaud had “no reasonable expectation of privacy” in his IP address because it was technically revealed at some point before entering the Tor network—even though there was no way for the FBI to discover that IP by looking at those connecting to the hidden site.]
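To make the dispute above concrete for students, here is an added example (mine, not code from the original post, from Motherboard, or from the Tor Project) that models the hop-by-hop view the excerpt describes: the ISP sees the client connect to a guard, each relay sees only its neighbours, and the site sees only the exit. It is a toy, not Tor's protocol: the cipher is a throwaway HMAC-SHA256 keystream, each relay's key is pre-shared with the client rather than negotiated, and the relay names, client IP and site name are made-up sample values.

```python
"""
Toy model of onion routing, added to illustrate the excerpt above.
NOT Tor's real protocol: the cipher is a throwaway HMAC-SHA256 keystream and
each relay's key is pre-shared with the client instead of being negotiated.
Relay names, the client IP and the site name are made-up sample values.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field

NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stream cipher, not for real use."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def toy_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


@dataclass
class Relay:
    """One hop. `seen` records every (previous_hop, next_hop) pair it observes."""
    addr: str
    key: bytes = field(default_factory=lambda: os.urandom(32))
    seen: list = field(default_factory=list)

    def handle(self, prev_hop: str, onion: bytes):
        """Peel one layer: learn only where the cell came from and where it goes."""
        layer = json.loads(toy_decrypt(self.key, onion))
        self.seen.append((prev_hop, layer["next"]))
        return layer["next"], bytes.fromhex(layer["payload"])


def build_onion(circuit: list, destination: str, message: bytes) -> bytes:
    """Wrap `message` in one layer per relay; the exit's layer is innermost."""
    payload, next_hop = message, destination
    for relay in reversed(circuit):
        cell = {"next": next_hop, "payload": payload.hex()}
        payload = toy_encrypt(relay.key, json.dumps(cell).encode())
        next_hop = relay.addr
    return payload


def run_circuit(client_ip: str, circuit: list, destination: str, message: bytes) -> dict:
    """Push one cell through the circuit and report what each vantage point saw."""
    prev_hop, data = client_ip, build_onion(circuit, destination, message)
    for relay in circuit:
        next_hop, data = relay.handle(prev_hop, data)
        prev_hop = relay.addr
    return {
        # The client's ISP sees only the first connection: client -> guard.
        "isp_view": (client_ip, circuit[0].addr),
        # The site sees the exit relay as its peer, never the client IP.
        "destination_view": (prev_hop, destination),
        "delivered": data,
        "relay_views": {r.addr: list(r.seen) for r in circuit},
    }


def any_single_vantage_links(result: dict, client_ip: str, destination: str) -> bool:
    """True if any ONE observer's (from, to) pair contains both endpoints."""
    views = [result["isp_view"], result["destination_view"]]
    for pairs in result["relay_views"].values():
        views.extend(pairs)
    return any(client_ip in v and destination in v for v in views)


if __name__ == "__main__":
    # Sample values (constructed for this example).
    client, site = "203.0.113.7", "hiddensite.example"
    circuit = [Relay("guard.example"), Relay("middle.example"), Relay("exit.example")]
    result = run_circuit(client, circuit, site, b"GET / HTTP/1.1")
    for name, view in result.items():
        print(f"{name}: {view}")
    print("single vantage point links client to site:",
          any_single_vantage_links(result, client, site))
```

Running it shows the ISP's pair (client, guard) and the site's pair (exit, site) with no single observer holding both endpoints, which is the point the article makes against the judge's reasoning. The caveat a practitioner should add: this model only covers one observer at one point in the path; an adversary who can watch traffic on both the client's side and the destination's side can still correlate timing and volume, which is why the guard-node design and the FBI's server-side malware (which bypasses the network entirely) matter.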
Have they made improvements in their internal security?
OPM to issue new requirements for personnel background investigations by contractors
by Sabrina I. Pacifici on Feb 6, 2016
Via Nextgov: “Contractors that conduct background investigations for the federal government will have to report information security incidents to the Office of Personnel Management within half an hour, are required to use smartcards as a second layer of security when logging on to agency networks and must agree to let OPM inspect their systems at any time. Those are new requirements OPM has written into draft contracting documents released last month that govern how the personal, often sensitive, information gleaned during background investigations should be stored on contractors’ computer systems…”
Because we've been kind of following this one.
I’ve been relatively quiet on this blog recently about FTC v. LabMD, but having read the latter’s answering brief to FTC’s appeal of Judge Chappell’s initial decision, I would encourage everyone to read LabMD’s brief, uploaded to this site. It really hits all the points/issues that have concerned me since the FTC first announced enforcement action against LabMD:
- The absence of any guides or standards for HIPAA-covered entities in 2007-2008 that would have informed us what, besides HIPAA, we needed to do to be compliant.
- The absence of any evidence that there was even a single victim or injured consumer by the accidental exposure of the “1718 File” during the period of months the file was exposed and for the seven years thereafter.
- FTC’s argument that LabMD should have notified patients of the accidental exposure when they were not required to notify anyone under HIPAA as it was in 2008.
- FTC’s argument that a “significant risk of concrete harm” itself causes substantial consumer injury within the meaning of Section 5(n) – not “could cause,” but “causes.”
- FTC’s total failure to ask even a single expert to actually evaluate LabMD’s infosecurity program and compare it to what was within the range of customary and usual for an entity of its size and purpose in 2007-2008. Not only did FTC fail to ask for an actual expert assessment of LabMD’s infosecurity by 2007-2008 standards, it actually instructed its expert witnesses to assume that the security was inadequate.
- FTC’s failure to introduce any evidence as to the risk of harm from a file-sharing incident in 2007-2008. While I agree that they didn’t need mathematical precision, bringing in witnesses who talked about rates and statistics in 2013-2014 was absurd, at best.
- FTC’s total failure to locate even one victim of the “daily sheets” incident or to even attempt to link the paper records to LabMD’s computer network.
- FTC’s egregious claim that by denying LabMD’s initial motion to dismiss, that became the law of the case.
When all is said and done, this case boiled down to an employee violating policy and (stupidly) using P2P software and thereby exposing LabMD files. It was, as LabMD counsel argues, a case about what might have happened, but didn’t happen. While I think Judge Chappell erred in some respects, I think that his overall decision to dismiss the case was a correct one. Unless FTC is going to go after every entity where an employee screws up and violates policy, enforcement action and offering a 20-year monitoring plan is an extreme over-reaction.
There has just been so much wrong with FTC’s case that I cannot understand why they ever pursued this, why they ignored one of their own commissioner’s warnings about pursuing the case and/or relying on Tiversa’s testimony, why they didn’t drop the friggin’ case when it became clear via Rick Wallace’s testimony that the entire basis for this case was unreliable, and why they don’t just admit that they have become bullies and are wielding their authority in ways Congress did not envision – against SMB’s who are the lifeblood of our economy and who can be wiped out financially if they have to defend against overzealous federal regulators.
C’mon, FTC, I’m a fan, and if you’ve failed to convince me that there’s any justification for your conduct, you’ve lost good will. How about surprising us and dropping your appeal with a statement that you don’t agree with some of Judge Chappell’s reasoning and interpretation of Section 5, but you’ll fight that another time in another case and are dropping this one in the interests of basic fairness?
CORRECTION: This post was edited post-publication to indicate that the LabMD employee used the P2P software. The previous version had incorrectly stated that the employee had downloaded it and used it.
Still crazy after all these years…
North Korea rocket launch: Why did Kim fire missile now?
… These sources also suggest that the range of this new missile may be as much as 13,000km (8,000 miles) compared with the roughly 10,000 km range of the Unha 3. Further analysis is required to confirm these estimates.
But if these numbers are true, this new missile is a major advance for North Korea. A missile fired from North Korea with a 13,000km range can reach any location in the continental United States.
… It apparently takes days to prepare such a missile, time during which it could be destroyed if North Korea threatened hostile use. Destroying such a missile on a large launch pad should be relatively easy once conflict begins.
… But the bigger question is why now?
Because of North Korean secrecy, we do not know for sure. But it seems likely that Kim Jong-un is seeking clear successes before his important Seventh Party Congress in May when he wants to appear to be the all-powerful leader of North Korea.
But he has been experiencing major appearances of weakness. For example, in the last three years China has had six summit meetings with South Korea, suggesting that South Korea is an important country and its president, Park Geun-hye, is a great leader.
But China has had no summit meetings with North Korea, suggesting that, for Beijing, North Korea is not a significant country and that Kim Jong-un is a weak leader.
North Korea may also be experiencing political instability resulting from the many purges of Kim Jong-un and various regime failures.
For my Data Miners, Forensics and Computer Security students.
GCHQ’s data-mining techniques revealed in new Snowden leak
A "Data Mining Research Problem Book" marked "top secret strap 1" has been leaked that details some of the key techniques used by GCHQ to sift through the huge volumes of data it pulls continuously from the Internet.
Originally obtained by Edward Snowden, the 96-page e-book has been published by Boing Boing, along with a second short document entitled "What's the worst that can happen?" Boing Boing describes this as "a kind of checklist for spies who are seeking permission to infect their adversaries' computers or networks with malicious software."
The data mining handbook was written by researchers from the Heilbronn Institute for Mathematical Research in Bristol, a partnership between GCHQ and the University of Bristol.
[What's the worst that can happen? https://www.documentcloud.org/documents/2699620-What-Is-the-Worst-That-Can-Happen-March-2010.html]
For those of us interested in military history.
SCAMPI database – search guide to military operations and history data
by Sabrina I. Pacifici on Feb 6, 2016
“The Joint Forces Staff College Ike Skelton Library is a specialized military library, focusing on research in joint and multinational operations, military history and naval science, operational warfare, and operations other than war. Library staff members regularly scan the weekly news magazines, monthly and bimonthly journals such as Military Review, Armed Forces Journal, and quarterly publications, including NATO’s Nations and Partners for Peace, RUSI Journal, and the Naval War College Review. Miscellaneous reports from RAND and the General Accounting Office are also indexed for SCAMPI. The resulting database serves as a guide to articles on military and naval art and science, operational warfare, joint planning, national and international politics, and other areas researched by JFSC faculty, staff, and students. The SCAMPI database covers the period from 1985 thru the present. The Defense Technical Information Center (DTIC) hosts this web-based version of the SCAMPI. Several of the journals indexed in SCAMPI have independent Internet web sites. Please feel free to visit the individual journal home pages to see exactly what each publication makes available since many do provide.”
Perhaps the change has started in Academia.
Women Made Incremental Progress in Tech the Past Few Years (Infographic)