Thursday, October 06, 2016

Very timely since the Privacy Foundation’s topic on October 28 is Encryption and Privacy!  (See the details at: http://www.law.du.edu/index.php/privacy-foundation )  
CRS – Encryption: Frequently Asked Questions
by Sabrina I. Pacifici on Oct 5, 2016
Encryption: Frequently Asked Questions, Chris Jaikaran, Analyst in Cybersecurity Policy. September 28, 2016.
“Encryption is a process to secure information from unwanted access or use.  Encryption uses the art of cryptography to change information which can be read (plaintext) and make it so that it cannot be read (ciphertext).  Decryption uses the same art of cryptography to change that ciphertext back to plaintext.  Encryption takes five elements to work: plaintexts, keys, encryption methods, decryption methods, and ciphertexts.  Data that are in a state of being stored or in a state of being sent are eligible for encryption.  However, data that are in a state of being processed—that is being generated, altered, or otherwise used—are unable to be encrypted and remain in plaintext and vulnerable to unauthorized access.”


As someone who has made “configuration errors” I can sympathize.  There are ways [Best Practices] which significantly reduce the probability of introducing those errors into your network. 
Level 3 blames huge network outage on unspecified configuration error
   Here's the statement issued by the Broomfield, Colo., service provider:

On October 4, our voice network experienced a service disruption affecting some of our customers in North America due to a configuration error.  We know how important these services are to our customers.  As an organization, we’re putting processes in place to prevent issues like this from recurring in the future.  We were able to restore all services by 9:31 a.m. Mountain time.
Social media sites such as Reddit and Twitter erupted on Tuesday morning with inquiries and complaints about the outage from Level 3 customers, as well as customers of other big carriers like AT&T and Verizon that were affected by the outage.


If you are going to do this, stream it from someone else’s account!  (Like a law school professor’s, for example.)
AP reports on this story out of Indonesia:
Indonesian police say a man they arrested for broadcasting pornography on an electronic billboard in the country’s capital gained access to the system after it displayed its log-on credentials. [Not very secure, that.  Bob]
Jakarta Police Chief Muhammad Iriawan said Wednesday that the suspect, 24-year-old Samudera Al Hakam Ralial, admits he hacked the IT system of the billboard operator but claims that the broadcast of the porn movie was accidental.
Read more on CBS.


Something for my IT Governance students to discuss.
A “safe” Galaxy Note 7 caught fire on an airplane
   Earlier today, a Southwest Airlines flight that was due to depart for Baltimore was evacuated.  The reason: a passenger’s Galaxy Note 7 became incredibly hot and started belching out greenish-gray smoke.  Brian Green, who owned the Note 7 that grounded the plane, confirmed that it was most definitely a replacement device.
Green also offered up photographic proof: a picture of the box that his new Note 7 came in when he made the exchange at an AT&T store.  Right there on the label next to the model number SM-N930A is a small black box.  That box was one of the ways Samsung told us we could reassure ourselves that we weren’t in possession of a pocket-sized incendiary device.
   So what’s going on here?  Does Samsung not actually know which Galaxy Note 7s are safe?  Are there really any that are safe?  They just had a report of one catching fire in China — after previously announcing that all Note 7s sold in China were fine because they were a different production run.
Now that a replacement Note 7 has gone up in smoke, you really have to wonder.  Maybe the investigation will reveal a different cause for the failure in Green’s phone, but it’s hard to give Samsung the benefit of the doubt at this point.


Another Governance consideration.
In a recent white paper I co-authored with Protenus, Inc., we noted the significant risks of a breach involving a vendor or business associate.  In following up in a subsequent post, I also included a “pop quiz” for readers to use to test their understanding about the terms of any contract they have in terms of responsibilities following a breach.
Now Scott Nonaka and Kevin Rubino have written a more lawyerly analysis about contractual clauses that may be very important in determining who pays for what in the event of a breach involving a cloud service.  Here’s part of their article:
Although much is at stake, the answer to the question is not always clear because allocating costs will usually depend on the terms of the cloud services contract, which in most cases will contain a limitation of liability clause that is commonplace in contracts for the sale of goods and services.  Standard clauses usually state that, in the event of a breach, neither party will be responsible for the other party’s “consequential damages,” thereby limiting their potential liability to “direct damages.”  While the clause may seem clearly worded, the meaning of the term “consequential damages” is by no means clear, let alone in the context of a cloud services contract.  Below, we identify some issues to consider when negotiating and drafting a limitation of liability clause so as to provide greater clarity and predictability in allocating risk and costs.
[…]
At this time, and for the foreseeable future, it will be difficult to predict with great certainty how courts will decide whether any particular harm arising from a data breach is direct or consequential damages.  Given this uncertainty, as well as the potentially massive costs associated with a data breach, both consumers and providers of cloud services would be well-advised not to rely on standard, boilerplate language in limitation of liability clauses that simply waives consequential damages to allocate their potential liability.  They should instead address the issue of potential future costs associated with a data breach in detail at the outset of their relationship by bargaining for and expressly assigning or excluding those costs in their agreement.
Read more on Bloomberg BNA.


IoT hacking for fun (and profit?)
   With a little work, Dash Buttons can actually be modified to perform a variety of tasks without ever contacting Amazon.  If you’ve got some new Dash Buttons sitting around or want to spend just $5 to dip your toe into the Internet of Things, here are some of the coolest hacks we’ve found.
Note that beyond the initial setup, setting up these hacks requires a bit of programming knowledge.  As a matter of scope, we won’t be going in-depth into any code.  Instead, we’ll be linking to the best setups — their developers have provided instructions for replicating them on your own devices, so it shouldn’t be too hard to get going.


Alternatives are good.
   Slack’s success is built upon a simple understanding — life is all about communication.  And email is no longer appropriate for fast-paced working environments.
That isn’t to say there is no place for email.  But email conversation threads often become disjointed, tangled messes with multiple respondents.  Why waste time when there is simply a better option available?


More free stuff.  I use a couple of these myself.


For my researching students.
SSRN launches beta of new features and full text search
by Sabrina I. Pacifici on Oct 5, 2016
Follow up to previous posting – SSRN Acquired by Elsevier – “At the beginning of Summer, we promised to share our evolving technology roadmap.  With new resources for design and development, we are reimagining SSRN’s possibilities.  First, we implemented our long-awaited full-text search.  Now we’re sending a portion of our users to a Beta version of the new site.  Go to the Home page and you may be lucky enough to get a sneak peak (visitors are being randomly sent to the new site) so do try your luck.  Here’s a little more information on what we’re planning.  We’re excited to share a cleaner, simpler site with easier navigation.  The new Home page design is the first of a series of new pages we’ll be rolling out over the next few months.  We hope you like the new look and, more importantly, that it makes it easier for you to find what you need on SSRN…”


Me: Look at all this wonderful free stuff I find for you!
My students: We don’t need no stinking notes!
My students, after the Midterm Exam: Ah. What were those note taking Apps again? 
7 Best Note Taking Apps


For any of my students so inclined. 
Internships, Fellowships, and Other Work Experience Opportunities in the Federal Government
by Sabrina I. Pacifici on Oct 5, 2016
CRS report via FAS – Internships, Fellowships, and Other Work Experience Opportunities in the Federal Government. Christina Miracle Bailey, Senior Research Librarian; Jennifer E. Manning; Senior Research Librarian. September 30, 2016.
“While there are many opportunities in the federal government for internships, fellowships, and other work experience, there is no comprehensive source to assist in locating these opportunities.  This report describes Internet resources for prominent and popular opportunities for internship, fellowship, and work experience programs within the federal government.  The report is intended as a selective guide for students of all levels: high school, undergraduate, graduate, and postgraduate.  It provides information on legislative, executive, and judicial branch opportunities and links to several aggregators of jobs data.  The introduction provides a number of insights to assist applicants on understanding terminology, timing applications, and expectations for types of work involved.”

No comments: