Saturday, December 09, 2017

For my Computer Security students.
NIST Publishes Second Draft of Cybersecurity Framework
Introduced in 2014, the framework is designed to help organizations, particularly ones in the critical infrastructure sector, manage cybersecurity risks. Some security firms and experts advise businesses to use the NIST Cybersecurity Framework as a best practice guide. Others, however, believe such static guidelines cannot keep up with the constantly evolving threat landscape, and malicious actors may even use it to devise their attack strategy.
According to NIST, the second draft for version 1.1 of the Cybersecurity Framework “focuses on clarifying, refining, and enhancing the Framework – amplifying its value and making it easier to use.”
The second draft also comes with an updated roadmap that details plans for advancing the framework’s development process.




A nice survey of the field.
How to Encrypt All of the Things
Cryptography was once the realm of academics, intelligence services, and a few cypherpunk hobbyists who sought to break the monopoly on that science of secrecy. Today, the cypherpunks have won: Encryption is everywhere. It’s easier to use than ever before. And no amount of handwringing over its surveillance-flouting powers from an FBI director or attorney general has been able to change that.
Thanks in part to drop-dead simple, increasingly widespread encryption apps like Signal, anyone with a vested interest in keeping their communications away from prying eyes has no shortage of options.




Better locks, not attack tools.
Fighting Back Against the Cyber Mafia
Four distinct groups of cybercriminals have emerged, serving as the new syndicates of cybercrime: traditional gangs, state-sponsored attackers, ideological hackers and hackers-for-hire. This is the central thesis of a new report titled 'The New Mafia: Gangs and Vigilantes'. In this report, the gangs are the criminals and the vigilantes are consumers and businesses -- and the vigilantes are urged to 'fight back'.
The report (PDF) is compiled by endpoint protection firm Malwarebytes. It is designed to explain the evolution of cybercrime from its earliest, almost innocuous, beginnings to the currently dangerous 'endemic global phenomenon'; and to suggest to consumers and businesses they don't need to simply accept the current state. They can fight back.
Fighting back, however, is not hacking back -- or in the more politically acceptable euphemism, active defense.




We should be so lucky!
Howard Solomon reports:
Canadians don’t give up their right to privacy after sending a text message to another person, the country’s top court has ruled. It’s a decision that one privacy lawyer said still means if you want to ensure privacy, encrypt your text messages.
The case involved an Ottawa area man who had his conviction for firearms offences dismissed after the Supreme Court of Canada ruled today that evidence of text messages he sent and found on an alleged accomplice were wrongly admitted as evidence at his trial. Essentially, the court ruled that without a search warrant the accused's right to privacy under the Charter of Rights had been violated.
Police in fact had a warrant to search the house of a man the court calls M and the alleged accomplice and seized their cellphones. However, the trial judge ruled that warrant was invalid for technical reasons and the text messages on M’s phone couldn’t be entered as evidence.
Read more on IT World. This is actually quite huge and a slap on the side of the head to the U.S., where third party doctrine would suggest that there is no expectation of privacy. As Solomon reports, in Marakah, the court held:
“An individual does not lose control over information for the purposes of s. 8 of the Charter [the right to privacy] simply because another individual possesses it or can access it,” the court ruled. “Nor does the risk that a recipient could disclose an electronic conversation negate a reasonable expectation of privacy in an electronic conversation. Therefore, even where an individual does not have exclusive control over his or her personal information, only shared control, he or she may yet reasonably expect that information to remain safe from state scrutiny.”




Good arguments make good laws.
Why Microsoft Challenged the Right Law: A Response to Orin Kerr
This coming spring, the Supreme Court will hear arguments in the United States v. Microsoft – a case that will determine the authority of U.S. law enforcement to compel, via a warrant, US-based companies to turn over data held outside the United States. Over at Lawfare, Orin Kerr posits that Microsoft and the government—as well as the numerous lower court judges that have weighed in—have missed the core issue in the case. According to Kerr, the key is the All Writs Act; the parties and lower court judges have, in contrast, all focused on the Stored Communications Act. According to Kerr, only the All Writs Act gives the Supreme Court the necessary latitude to craft the kind of nuanced response that is needed.
This is a more detailed reprise of a claim that Kerr made some two years ago. I disagreed then (see our back and forth here). And I disagree now.




Zig in public, Zag in private? All things are possible?
Trump says fines against Wells Fargo could be increased
… “Fines and penalties against Wells Fargo Bank for their bad acts against their customers and others will not be dropped, as has incorrectly been reported, but will be pursued and, if anything, substantially increased. I will cut Regs but make penalties severe when caught cheating!” Trump wrote.
… The financial industry is hoping regulatory agencies will adopt a less aggressive approach to fines under the Trump administration.
Those hopes were raised when Mulvaney, Trump’s pick to lead the CFPB on a temporary basis, told reporters this week that he was reviewing more than 100 enforcement actions currently in the works, including litigation, cases that are being settled and investigations. Mulvaney said he would delay at least two enforcement actions, without naming them.
“The notion that this administration is or will be tough on Wall Street doesn’t pass the laugh test, and that fact is evident in deeds, not tweets,” said Lisa Donner, the executive director of Americans for Financial Reform, a coalition of groups advocating for tougher oversight of the financial system.




Why the University has really great anti-virus security?


Friday, December 08, 2017

I might like this kind of law, assuming a company can “create, maintain, and comply with a written cybersecurity program.” Who gets to say they are in compliance?
William Berglund, Robert J. Hanna and Victoria L. Vance of Tucker Ellis write:
Maintaining robust cybersecurity measures that meet government- and industry-recognized standards will provide businesses operating in Ohio with a legal defense to data breach lawsuits, if a bill recently introduced in the Ohio Senate becomes law.
Ohio Senate Bill No. 220 (S.B. 220), known as the Data Protection Act, was introduced to provide businesses with an incentive to achieve a “higher level of cybersecurity” by maintaining a cybersecurity program that substantially complies with one of eight industry-recommended frameworks. See S.B. 220, Section 1, proposed Ohio Rev. Code §§ 1354.01 to 1354.05.
Compliance Standards To Be Met
Businesses that are in substantial compliance with one of the eight frameworks outlined in S.B. 220 would be entitled to a “legal safe harbor” to be pled as an affirmative defense to tort claims related to a data breach stemming from alleged failures to adopt reasonable cybersecurity measures. S.B. 220, Section 1, proposed Ohio Rev. Code §§ 1354.02(A) and (C), 1354.03; S.B. 220, Section 2(A).
Read more on Tucker Ellis.




This is the kind of article I advise my Computer Security students to share with their employers.
Phishers Are Upping Their Game. So Should You.
Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.
According to stats released this week by anti-phishing firm Phishlabs, nearly 25 percent of all phishing sites in the third quarter of this year were hosted on HTTPS domains — almost double the percentage seen in the previous quarter.
Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers — most notably Gmail — make this especially easy.


(Related).
Oof. I read something like this notification below from Boise Cascade Company in Utah, and I wonder if the employees had been regularly trained in avoiding phishing attacks, or if it was just the case that the phishing was done so damned well that the employees fell for it despite their training. In this case, the intrusion was part of a scheme to alter or redirect employees’ payroll direct deposit accounts.
The Company’s investigation determined that a phishing scheme got into its email system on or about October 31, 2017. Our information technology team caught the scheme within minutes of the first phishing email, blocked the email, and notified employees not to click on the link in it or similar emails. Unfortunately, approximately 300 employees clicked on the link anyway. The investigation further revealed that company-wide, 23 employees’ direct deposit instructions were changed.
I’d love to see what that phishing email looked like if 300 people fell for it.




One of the better Security Week articles.
The Cumulative Effect of Major Breaches: The Collective Risk of Yahoo & Equifax
Until quite recently, people believed that a dizzying one billion accounts were compromised in the 2013 Yahoo! breach… and then it was revealed that the real number is about three billion accounts.
That raises the question: so what? Isn’t all the damage from a four-year-old breach already done?
The answer: not at all. For those who have taken control of the compromised accounts, or who possess confidential information about a billion or more individuals, the Yahoo! breach is the gift that will keep on giving.
First of all, the consequences of the breach are not yet fully realized. Criminals have only recently started using compromised email accounts to spread ransomware and spam. As email service providers increasingly use the age of the sending account as an indicator of risk, the value to criminals of long-established but compromised accounts has started to increase. These accounts become a circumvention strategy for criminals wishing to reliably deliver malicious emails. As the value of an established account goes up, the damage that can be done by using the compromised accounts does, too.
Second, criminals have only recently started to mine the contents of compromised accounts to identify promising opportunities – but that is increasingly happening now, and is becoming another source of value to the Yahoo! attackers (and anybody who has already purchased compromised accounts from them.) To a large extent, we are still in the “manual effort” phase of this type of attack, wherein attackers have not yet understood exactly what they are looking for, and therefore, have not yet written scripts to automate the task. Once their understanding matures and they automate the process, the vast volumes of compromised accounts will turn into new criminal opportunities.
And the automated extraction of meaningful content will dramatically increase the yield of the attacks that the criminals will be able to mount. Think of it like this: if your account was compromised, and a good friend or colleague gets an email from you … or rather, your email account … with a malicious attachment, will they open it? If the email is obvious spam, they probably won’t, but if the message makes sense, they will; and if the attacker knows what you and your contact normally talk about, that isn’t difficult to do.
There is also a multiplier effect as the number of major breaches of consumer data rises.
In the recent Equifax breach, criminals made off with information for more than 145 million Americans, including names, mother’s maiden names, social security numbers, addresses, birthdays, and more. But not email addresses, and not banking affiliations and account numbers. A crafty attacker can easily match the names and birthdays of the Equifax breach to the names and birthdays of the Yahoo! breach, automatically generating very powerful combinations. With this combined intelligence, the attacker can contact banks, posing as banking customers, and gain access to accounts.




“Once we figured out how to get paid all other thoughts stopped!”
Thomas Fox-Brewster reports:
Despite the catastrophic 2015 hack that hit the dating site for adulterous folk, people still use Ashley Madison to hook up with others looking for some extramarital action. For those who’ve stuck around, or joined after the breach, decent cybersecurity is a must. Except, according to security researchers, the site has left photos of a very private nature belonging to a large portion of customers exposed.
The issues arose from the way in which Ashley Madison handled photos designed to be hidden from public view. Whilst users’ public pictures are viewable by anyone who’s signed up, private photos are secured by a “key.” But Ashley Madison automatically shares a user’s key with another person if the latter shares their key first. By doing that, even if a user declines to share their private key, and by extension their pics, it’s still possible to get them without authorization.
Read more on Forbes. And no, that wasn’t Forbes’ headline for the story.
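The key-sharing logic described above, modelled as an added example (not Ashley Madison's code): a toy photo service that reproduces the automatic reciprocal key grant, beside a version in which a key moves only on the owner's explicit decision. The class names, user names and the pending-request step are assumptions of this example.

```python
"""Toy model of the private-photo key flaw described in the article, beside a
hardened version. Added example, not Ashley Madison's code; names are assumed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    private_photos: list[str] = field(default_factory=list)
    # Names of users to whom this user's key has been granted.
    granted_to: set[str] = field(default_factory=set)


class PhotoService:
    """A viewer may see an owner's private photos only if the owner's key
    has been granted to that viewer."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def add_user(self, name: str, photos: list[str]) -> User:
        user = User(name, list(photos))
        self.users[name] = user
        return user

    def share_key(self, sharer: str, recipient: str) -> None:
        raise NotImplementedError

    def can_view(self, viewer: str, owner: str) -> bool:
        return viewer == owner or viewer in self.users[owner].granted_to

    def private_photos(self, viewer: str, owner: str) -> list[str]:
        if not self.can_view(viewer, owner):
            raise PermissionError(f"{viewer} holds no key for {owner}")
        return list(self.users[owner].private_photos)


class FlawedPhotoService(PhotoService):
    """Reproduces the reported behaviour: when `sharer` sends their key to
    `recipient`, the service hands the recipient's key back automatically."""

    def share_key(self, sharer: str, recipient: str) -> None:
        self.users[sharer].granted_to.add(recipient)
        # Automatic reciprocity: the recipient never decided anything, yet
        # the sharer now holds the recipient's key.
        self.users[recipient].granted_to.add(sharer)


class HardenedPhotoService(PhotoService):
    """A key moves only on an explicit decision by its owner. Receiving a key
    creates a pending request the owner may accept or ignore (the request
    step is an assumption of this example, not a described feature)."""

    def __init__(self) -> None:
        super().__init__()
        self.pending: dict[str, set[str]] = {}  # owner -> users asking for a key

    def share_key(self, sharer: str, recipient: str) -> None:
        self.users[sharer].granted_to.add(recipient)
        # Record that `sharer` would like access in return; grant nothing.
        self.pending.setdefault(recipient, set()).add(sharer)

    def accept_request(self, owner: str, requester: str) -> None:
        if requester not in self.pending.get(owner, set()):
            raise LookupError(f"no pending request from {requester}")
        self.pending[owner].discard(requester)
        self.users[owner].granted_to.add(requester)


def unsolicited_share_grants_access(service_cls: type[PhotoService]) -> bool:
    """Scenario from the article: 'requester' volunteers their own key to
    'owner' without ever being granted anything. Returns True if the service
    then lets the requester view the owner's private photos."""
    svc = service_cls()
    svc.add_user("owner", ["private-1.jpg", "private-2.jpg"])
    svc.add_user("requester", [])
    svc.share_key("requester", "owner")
    return svc.can_view("requester", "owner")


if __name__ == "__main__":
    print("flawed  :", unsolicited_share_grants_access(FlawedPhotoService))    # True
    print("hardened:", unsolicited_share_grants_access(HardenedPhotoService))  # False
```

The point of the hardened class is that receiving someone else's key is never treated as consent to hand out your own.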


Thursday, December 07, 2017

Jobs my students should look at?
Corporate IoT Implementation Struggling, Survey Finds
Remaining competitive is the primary motivation for implementing a corporate 'internet of things' (IoT) strategy; but 90% of those doing so admit the implementation is struggling. Security is the primary concern, holding back 59% of organizations with a current IoT project.
Security is followed by the cost of implementation (46%); competing priorities (37%); an intimidatingly complex IT infrastructure (35%); and funding (32%). The figures come from a survey (PDF) published this week by Vanson Bourne, commissioned by the Wi-SUN Alliance, which questioned 350 IT decision makers from firms in the U.S., UK, Sweden and Denmark that are already investing in at least one IoT project.




Banned technology is not like banned books, is it?
Most U.S. airlines set to limit use of 'smart bags'
"Smart bags, also known as smart luggage, have become more popular over the last few months, and they are expected to be a popular gift this holiday season," said American Airlines. "However, smart bags contain lithium battery power banks, which pose a risk when they are placed in the cargo hold of an aircraft."
The bags generally have USB ports where customers can recharge their phones and other devices. They might also have GPS to track the bag's location in case it gets lost, electronic locks and a weight scale to prevent overpacking. Some even have a motor to propel the bags so that they can double as a scooter or just follow their owner around the airport.
Airlines are worried that the batteries could cause a fire in the cargo hold that would go undetected. [Nonsense. The fire would be detected immediately, but suppression is not always possible. Bob]




Perhaps those VW executives should not plan on a vacation in the US?
VW exec gets maximum sentence, fine for Dieselgate role
… Oliver Schmidt, 48, was sentenced to 7 years in prison and fined $400,000 in federal court here for his role in the automaker’s diesel emissions cheating scandal. The German national had pleaded guilty in August to two charges in Volkswagen’s scheme to rig nearly 600,000 diesel cars to evade U.S. pollution standards.
“This crime ... attacks and destroys the very foundation of our economic system: That is trust,” U.S. District Judge Sean Cox said Wednesday in sentencing Schmidt. “Senior management at Volkswagen has not been held accountable.”




I wonder if anyone can keep all this law, regulation, conflicting legal precedent, and political nonsense organized enough to predict an outcome. I gave up long ago. Was Pai betting on this, ignorant of it, or aware but indifferent?
The FCC’s net neutrality plan may have even bigger ramifications in light of this obscure court case
The plan by the Federal Communications Commission to eliminate its net neutrality rules next week is expected to hand a major victory to Internet service providers. But any day now, a federal court is expected to weigh in on a case that could dramatically expand the scope of that deregulation — potentially giving the industry an even bigger win and leaving the government less prepared to handle net neutrality complaints in the future, consumer groups say.
The case involves AT&T and one of the nation's top consumer protection agencies, the Federal Trade Commission. At stake is the FTC's ability to prosecute companies that act in unfair or deceptive ways.
The litigation is significant as the FCC prepares to transfer more responsibility to the FTC for handling net neutrality complaints.
… The FTC has the power to sue misbehaving companies that mislead or lie to the public. But that power comes with an exception: It doesn't extend to a special class of businesses that are known as “common carriers.”
… Thus far, the common carrier exemption has applied to a specific slice of the economy. But the case before the U.S. Court of Appeals for the 9th Circuit, FTC v. AT&T Mobility, could vastly expand the number of companies that qualify for the exemption. In an earlier decision in the lawsuit, a federal judge effectively said that any company that runs a telecom subsidiary is considered a common carrier.
… A company that provides Internet access, such as AT&T, could seek an exemption from FTC net neutrality enforcement by pointing to its voice business and claiming common carrier status under the ruling. At the same time, the ruling could limit AT&T's net neutrality liability under the FCC, because the repeal of the net neutrality rules would mean the FCC would no longer recognize AT&T's broadband business as one that can be regulated like a telecommunications carrier.
In that scenario, neither the FCC nor the FTC would offer consumers robust protections from potential net neutrality abuses, consumer groups say.




One problem with statements like this is that some people will believe them. If public statements reflected the actual policy of North Korea, we would have no choice but to attack.
North Korea Says Nuclear War on the Peninsula Is Inevitable and an 'Established Fact'




A cautionary tale, worth reading.
How Rodrigo Duterte Turned Facebook Into a Weapon—With a Little Help From Facebook


Wednesday, December 06, 2017

What next? Perhaps a 220-volt feedback to inattentive students?
Paige Rogers reports:
“Turning massive amounts of personal data about public school students to a private corporation without any public input is profoundly disturbing and irresponsible.”
~Donna Lieberman, New York Civil Liberties Union Executive Director
Read more on NOQ Report.
[From the Report:
One company among modernity’s forty-niners is BrainCo, Inc. which has created a headband to measure and collect students’ brain waves, or EEGs. Data collected will then be sent to a teacher dashboard as part of the company’s FocusEDU program. The company purports the technology measures students’ level of attention, and claims that the EEG data collected will help teachers and administrators determine when each student is paying attention during a lesson and/or activity.]




Have I mentioned that I love lists?
BeSpacific – ABA Best 100 Law Blogs 2017 and Expert Witness Best Legal Tech Blog 2017
I am starting this post with a deeply appreciative and respectful Thank You to Robert Ambrogi who has logged 15 years and counting of blogging at his legendary Law Sites. Bob’s unflagging support has been a touchstone for me as I too completed 15 years of blogging here at my site, BeSpacific. In a welcome follow-up to 2016, BeSpacific is again included in the American Bar Association (ABA) Web 100: Best law blogs for 2017. In addition, BeSpacific received more than 600 votes to place a very respectable Third in the 2017 Best Legal Tech Blog category via The Expert Institute’s Best Legal Blog contest – the “annual competition that showcases the very best that the legal blogging world has to offer.” Thank you to all who voted. Reminder, please vote again in 2018!




I’ll take this as confirmation that MoviePass is real.
Cinemark announces $8.99-a-month subscription service to fill more seats — and take on MoviePass
... The Plano, Texas-based company on Tuesday said customers who pay a monthly fee of $8.99 will receive a credit for one movie ticket a month. Subscribers can also buy additional tickets for $8.99 each and get a 20% discount on food and drinks.
Cinemark's offer, dubbed Movie Club, marks the latest move by theater chains to draw customers at a time when cinemas are contending with increased competition from other forms of entertainment, especially streaming services in the home such as Netflix. It's also the cinema industry's first direct answer to MoviePass, a New York start-up that offers unlimited movies in theaters for $9.95 a month.


Tuesday, December 05, 2017

Is Harvard saying we are doomed?
Over three billion credentials were reported stolen last year. This means that cybercriminals possess usernames and passwords for more than three billion online accounts. And that’s not just social media accounts; it’s bank accounts, retailer gift card accounts with cash and credit cards attached, airline loyalty accounts with years of accumulated frequent flyer points, and other accounts with real value.
This statistic is alarming, but in fact it significantly understates the scope of the threat. Because of a form of attack called credential stuffing, tens of billions of other accounts are also at risk. Here’s how that attack works. Because most people have many online accounts (a recent estimate put it at 191 per person on average) they regularly reuse passwords across those accounts. Cybercriminals take advantage of this. In a credential stuffing attack, they take known valid email addresses and passwords from one website breach—for example, the Yahoo breach—and they use those same email addresses and passwords to log in to other websites, such as those of major banks.
… Our network statistics at Shape Security show that a typical credential stuffing attack has up to a 2% success rate on major websites. In other words, with a set of 1 million stolen passwords from one website, attackers can easily take over 20,000 accounts on another website. Now multiply those numbers by the total number of websites where users have reused their passwords, as well as the number of data breaches that have been reported, to get a better sense of the threat. Of course, that still only includes the data breaches we know about. And new research from Google indicates that phishing may be an even larger source of stolen passwords than data breaches, making the scope of the problem even larger.
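The credential-stuffing pattern described above, with the detection signal a defender would look for, as an added example (not code from the article or from Shape Security): a stuffing source walks many distinct usernames with a low success rate, whereas a legitimate user retries one account. The log line format, the sample lines and the thresholds are constructed for this example.

```python
"""Detect credential-stuffing behaviour in constructed web-login log lines.
Added example; the log format, sample data and thresholds are assumptions."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> ip=<addr> user=<name> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.7 tries eight different accounts in seconds and
# succeeds once; 198.51.100.4 is one user mistyping a password twice.
SAMPLE_LOG = """\
2017-12-05T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2017-12-05T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2017-12-05T10:00:02Z ip=198.51.100.4 user=dave@example.com result=fail
2017-12-05T10:00:03Z ip=203.0.113.7 user=carol@example.com result=ok
2017-12-05T10:00:04Z ip=203.0.113.7 user=erin@example.com result=fail
2017-12-05T10:00:05Z ip=203.0.113.7 user=frank@example.com result=fail
2017-12-05T10:00:06Z ip=198.51.100.4 user=dave@example.com result=fail
2017-12-05T10:00:06Z ip=203.0.113.7 user=grace@example.com result=fail
2017-12-05T10:00:07Z ip=203.0.113.7 user=heidi@example.com result=fail
2017-12-05T10:00:08Z ip=203.0.113.7 user=ivan@example.com result=fail
2017-12-05T10:00:09Z ip=198.51.100.4 user=dave@example.com result=ok
not a log line
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Attempt | None:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Attempt(ts, m["ip"], m["user"], m["result"] == "ok")


def detect_stuffing(lines, window: timedelta = timedelta(minutes=10),
                    min_users: int = 5, max_success_rate: float = 0.2) -> dict:
    """Flag source IPs that, inside any `window`, try at least `min_users`
    distinct usernames with a success rate at or below `max_success_rate`.
    The low success rate is the tell: the article's 2% figure means a
    stuffing run fails almost always while still taking over accounts."""
    by_ip: dict[str, list[Attempt]] = defaultdict(list)
    for line in lines:
        attempt = parse_line(line)
        if attempt:
            by_ip[attempt.ip].append(attempt)

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits the window.
            while attempts[end].ts - attempts[start].ts > window:
                start += 1
            span = attempts[start:end + 1]
            users = {a.user for a in span}
            rate = sum(a.ok for a in span) / len(span)
            if len(users) >= min_users and rate <= max_success_rate:
                # Summarise all traffic from the IP; the successes are the
                # accounts that need a forced password reset.
                flagged[ip] = {
                    "attempts": len(attempts),
                    "distinct_users": len({a.user for a in attempts}),
                    "success_rate": sum(a.ok for a in attempts) / len(attempts),
                    "compromised": sorted(a.user for a in attempts if a.ok),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```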




“Great fleas have little fleas upon their backs to bite 'em,
And little fleas have lesser fleas, and so ad infinitum.”
Eventually, well before “infinitum,” an AI will create an AI that wants to rule the world.
Google's AI made its own AI, and it's better than anything ever created by humans
Google's Brain team of researchers has been hard at work studying artificial intelligence systems. Back in May they developed AutoML, an AI system that could in turn generate its own subsequent AIs.




For the time being, we’ll use humans. A really good AI will take a while. After all, the rules keep changing.
YouTube to combat abusive content with primitive tool: humans
In this age of machine-learning-artificial-intelligence-driven blah blah blah, the folks at YouTube have decided that to win the battle against violent and racist content they must rely more on good old-fashioned human beings.
In a pair of blog posts today, the company elaborated on its strategy for stemming the rising tide of unsavory video content that has turned services such as YouTube, Facebook, and Twitter into bottomless cesspools of fake news, terrorist propaganda, and Nazi-fueled rage.
Over the summer, YouTube trumpeted investments in machine learning designed to find content that violates the company’s terms of service. That effort will certainly continue.
But YouTube CEO Susan Wojcicki wrote that the machine learning tools will now be complemented by expanded use of carbon-based lifeforms.


(Related). We’ll get to the terrorist stuff later? Meanwhile, we’ll make our own rules.
Instagram will hide people taking selfies with animals amid fears they encourage abuse
You might accidentally be enabling abuse of animals by taking selfies with them, a new report has warned.
Seemingly innocent animal selfies actually encourage all kinds of exploitation and distress, according to an investigation. And Instagram will now try and alert people to those dangers, while discouraging them from posting such pictures.


On the other hand… Perhaps there are no rules.
Facebook Is Banning Women for Calling Men ‘Scum’




I would agree if all you did was ask.
US says it doesn't need secret court's approval to ask for encryption backdoors
The US government does not need the approval of its secret surveillance court to ask a tech company to build an encryption backdoor.
The government made its remarks in July in response to questions posed by Sen. Ron Wyden (D-OR), but they were only made public this weekend.
The implication is that the government can use its legal authority to secretly ask a US-based company for technical assistance, such as building an encryption backdoor into a product, but can petition the Foreign Intelligence Surveillance Court (FISC) to compel the company if it refuses.




Oh, the horror, the horror! Perhaps they could use it to attract Amazon’s second HQ?
Ireland forced to collect €13bn in tax from Apple that it doesn't want
… The European Commission ruled in August 2016 that the iPhone maker must reimburse the Irish state a record €13bn to make up for what it considered to be unpaid taxes over a number of years.
… Ireland built its economic success on being a low tax entryway for multinationals seeking access to the EU, and is concerned that collecting the back taxes could dent its attractiveness to firms.




Not politically neutral…
Fact check: Net-neutrality claims leave out key context
Seeking to dispel "myths" about net neutrality, the Trump administration's telecom chief instead put out his own incomplete and misleading talking points when he suggested that internet providers had never influenced content available to their customers before neutrality rules took effect in 2015.
Iffy claims have come from the other side of the debate, too, such as the notion that federal regulators had never stepped in to make those providers change their service plans. Although no such cases were brought, the Federal Communications Commission was possibly on track to do so when the new administration stopped the investigation.


Monday, December 04, 2017

Do you have a procedure to handle situations for which you have no procedure? My Computer Security students will be writing one this week.
If you can’t prevent a breach, can’t you at least fake genuine concern? You know, the “At , we take your privacy and security very seriously” bit?
Mark Flamme reports on a Key Bank breach where the bank’s response to notification of a problem is at least as problematic as the breach itself.
After a customer found himself with access to another customer’s complete history and details, he attempted to alert the bank.
“They told me, ‘Don’t worry. Just don’t worry.’ That’s all I can get out of them,” Brito said. “I sat on hold for 45 minutes for, supposedly, a supervisor who said, ‘Don’t worry. We’re taking care of it.’ I can look at a Connecticut man’s bank statements for the past 10 years. How is that a ‘don’t worry’ situation?”
The Sun Journal didn’t have any better luck. A call to a 24-hour hotline was answered by a representative who passed on a number for the Key Bank Corporate Headquarters Customer Complaint Resolution Department. Calls to that number, and to a third number for bank executive relations, were not answered.
A message left at the Complaint Resolution Department was not returned.
Read more on Sun Journal.
Now maybe the employee intended to be reassuring with the “Don’t worry,” response, but that was unsatisfactory to the now-worried customers. Think about what you could say in that situation that might reassure a customer.




A minor, but rather interesting breach.
I should have posted this one a few weeks ago, but better late than never if you care about tracking breaches in the education sector. On November 16, Kara Seymour reported:
Two women, one from Yardley another from New Hope, have been arrested after police say they illegally accessed the Bucks County Community College computer network and changed student grades, Newtown Township Police announced Thursday.
Alesisha Morosco, 30, of New Hope, and Kelly Marryott, 37, of Yardley, were arrested Thursday. Police said Marryott got the personal information of the faculty member at her job at a medical office, and gave it to Morosco, who used it to access the college’s computer network and change grades, including her own.
Read more on Patch.




It seems (to me) that the evidence falls short.
DHS Says Drone Maker DJI Helping China Spy on U.S.
A memo from the U.S. Department of Homeland Security (DHS) warns that China-based Da-Jiang Innovations (DJI), one of the world’s largest drone manufacturers, has been providing information on critical infrastructure and law enforcement to the Chinese government.
The Los Angeles office of Immigrations and Customs Enforcement (ICE), specifically its Special Agent in Charge Intelligence Program (SIP), issued an intelligence bulletin back in August claiming that DJI is helping China spy on the United States.
A copy of the memo, marked “unclassified / law enforcement sensitive,” was published recently by the Public Intelligence project. The document, based on information from open source reporting and a “reliable source” in the unmanned aerial systems industry, assesses with moderate confidence that DJI is providing data on U.S. critical infrastructure and law enforcement to the Chinese government. The authors of the memo provide several examples of law enforcement and critical infrastructure organizations using DJI drones. [No actual examples of data going to China? Bob]
The intelligence bulletin also points to a recent memo of the U.S. Army, which instructs units to stop using DJI drones due to cybersecurity vulnerabilities, and a U.S. Navy memo on the operational risks associated with the use of the Chinese firm’s products. DJI has taken some measures to improve privacy following the Army ban. [Poor security is not espionage. Bob]




This happens with a lot of senior managers. Secretaries reading and filtering emails. PR(?) handling social media accounts. In all cases, the simple solution is to make certain that the politician/executive/celebrity never has access to the password for that account. This article is definitely worth reading.
The Trouble with Politicians Sharing Passwords
Yesterday I had a bunch of people point me at a tweet from a politician in the UK named Nadine Dorries. As it turns out, some folks were rather alarmed about her position on sharing what we would normally consider to be a secret. In this case, that secret is her password and, well, just read it:
Nadine Dorries (@NadineDorries), 10:03 AM - 2 Dec 2017:
My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green's desk was accessed and therefore it was Green is utterly preposterous!!


For context, the back story to this is that another British pollie (Damian Green) is presently in hot water for allegedly accessing porn on his gov PC, and Nadine is implying it could have been someone else on his PC using his identity. I read this while wandering around in LA on my way home from sitting in front of US Congress and explaining security principles to a government, so it felt like a timely opportunity to share my own view on the matter:
Troy Hunt (@troyhunt), replying to Nadine Dorries:
This illustrates a fundamental lack of privacy and security education. All the subsequent reasons given for why it’s necessary have technology solutions which provide traceability back to individual, identifiable users.
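As an added illustration of the point above (my own constructed example, not code from Troy Hunt's post or this blog), a small Python model of the two approaches: staff typing the principal's password versus each person authenticating as themselves and receiving delegated, scoped access. The names `AccessBroker`, `mp` and `intern` are invented for the example.

```python
"""Shared credentials vs. delegated access: what the audit log can say."""
from dataclasses import dataclass, field


@dataclass
class AuditEntry:
    actor: str         # identity that actually authenticated
    on_behalf_of: str  # owner of the resource being acted on
    resource: str
    action: str


@dataclass
class AccessBroker:
    owners: dict = field(default_factory=dict)  # resource -> owner identity
    grants: dict = field(default_factory=dict)  # (owner, delegate) -> allowed actions
    log: list = field(default_factory=list)

    def delegate(self, owner, delegate, actions):
        """Owner grants a named delegate a scoped set of actions; no password changes hands."""
        self.grants[(owner, delegate)] = set(actions)

    def revoke(self, owner, delegate):
        """Intern leaves: drop the grant, the owner's credential is untouched."""
        self.grants.pop((owner, delegate), None)

    def perform(self, actor, resource, action):
        owner = self.owners[resource]
        if actor != owner and action not in self.grants.get((owner, actor), ()):
            raise PermissionError(f"{actor} may not {action} {resource}")
        self.log.append(AuditEntry(actor, owner, resource, action))

    def who_did(self, resource, action):
        """Identities the audit log can attribute this action to."""
        return {e.actor for e in self.log if e.resource == resource and e.action == action}


def shared_login_model():
    """Intern uses the MP's password: every session looks like 'mp' to the system."""
    broker = AccessBroker(owners={"mailbox:mp": "mp"})
    for _ in ("the MP", "an intern"):  # both present the same credential
        broker.perform("mp", "mailbox:mp", "read")
    return broker.who_did("mailbox:mp", "read")  # {"mp"}: who really read it is unknowable


def delegated_model():
    """Each person authenticates as themselves; the MP grants scoped read access."""
    broker = AccessBroker(owners={"mailbox:mp": "mp"})
    broker.delegate("mp", "intern", {"read"})
    broker.perform("mp", "mailbox:mp", "read")
    broker.perform("intern", "mailbox:mp", "read")
    return broker.who_did("mailbox:mp", "read")  # {"mp", "intern"}: traceable per person


def denied_after_revoke():
    """True if a revoked (or never-granted) delegate is refused without touching the MP's login."""
    broker = AccessBroker(owners={"mailbox:mp": "mp"})
    broker.delegate("mp", "intern", {"read"})
    broker.revoke("mp", "intern")
    try:
        broker.perform("intern", "mailbox:mp", "read")
    except PermissionError:
        return True
    return False
```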


(Related). Thought it never happened here?
Looking for the Linguistic Smoking-Gun in a Trump Tweet
President Donald Trump’s behavior on Twitter routinely drives entire news cycles. This weekend, he showed that a single word within a single presidential tweet can be explosive.
Trump raised alarm bells in his published response to the news that his former national security adviser, Michael Flynn, pleaded guilty to lying to the FBI.
The tweet published to Trump’s account clearly implied that he already knew that Flynn had deceived the Feds when he fired him back in February: “I had to fire General Flynn because he lied to the Vice President and the FBI. He has pled guilty to those lies. It is a shame because his actions during the transition were lawful. There was nothing to hide!”
That unleashed a frenzy of speculation about whether Trump had just admitted to obstructing justice, since it seems he must have known that Flynn had committed a felony when he was pressuring then-FBI director James Comey to ease up on the Flynn case.
But then came word that maybe Trump didn’t write the tweet after all. The Washington Post reported that “Trump’s lawyer John Dowd drafted the president’s tweet, according to two people familiar with the twitter message.” The Associated Press also identified Dowd as the one who “crafted” the tweet, citing “one person familiar with the situation,” though Dowd himself declined to make a comment to the AP.




For my Data Management students: Another criterion for your backup system?
Banks Build Line of Defense for Doomsday Cyberattack
The Sheltered Harbor project is meant to ensure that every U.S. bank has a protected, unalterable backup that can be used to serve customers in case of a major hack
U.S. banks have quietly launched a doomsday project they hope will prevent a run on the financial system should one of them suffer a debilitating cyberattack.
The effort, which went live earlier this year and is dubbed Sheltered Harbor, currently includes banks and credit unions that have roughly 400 million U.S. accounts. The effort requires member firms to individually back up data so it can be used by other firms to serve customers of a disabled bank.




Indicating that my Data Management students might find jobs!
Giangiacomo Olivi writes:
Under the General Data Protection Regulation (GDPR), companies that process large amounts of sensitive personal data or consistently monitor data subjects on a large scale will be required to appoint a data protection officer (DPO).
As discussed in our previous posts, the DPO will have significant responsibilities, including reporting on data to the highest management level. While the DPO debate has so far been focussed on where to place the DPO within company structures, confusion remains over the DPO’s actual responsibilities.
Firstly, the GDPR does not provide for any specific liability for the DPO. However, the Art. 29 Working Party addresses this issue in its Guidelines on Data Protection Officers of 13 December 2016.
Read more on DLA Piper Privacy Matters.




Indicating that the world keeps changing? Does anyone remember when Doctors made house calls?
CVS to Buy Aetna for $69 Billion in a Deal That May Reshape the Health Industry
… The transaction, one of the largest of the year, reflects the increasingly blurred lines between the traditionally separate spheres of a rapidly changing industry. It represents an effort to make both companies more appealing to consumers as health care that was once delivered in a doctor’s office more often reaches consumers over the phone, at a retail clinic or via an app.
… A combined CVS-Aetna could position itself as a formidable figure in this changing landscape. Together, the companies touch most of the basic health services that people regularly use, providing an opportunity to benefit consumers. CVS operates a chain of pharmacies and retail clinics that could be used by Aetna to provide care directly to patients, while the merged company could be better able to offer employers one-stop shopping for health insurance for their workers.




Good to see that someone is thinking about this – even if they only came up with four.
4 Reasons Why Assassinating Kim Jong Un Could Become A Total Disaster
North Korea’s most recent intercontinental ballistic missile (ICBM) test has once again captivated the international community. Much less attention has been paid to how South Korea is responding to its neighbor’s military advances. Firstly, South Korea is acquiring the capabilities to conduct preemptive strikes against North Korea’s nuclear and missile sites under the guise of its “Kill Chain” strategy. Relatedly, Seoul is seeking the capabilities and simulating decapitation strikes against North Korea’s leadership—that is, South Korea wants the ability to assassinate Kim Jong-un and his inner circle.
Both capabilities pose enormous challenges that are not being acknowledged. For both scenarios, Seoul is failing to ask the simple question of whether the United States would back its actions. Washington itself does not appear to be contemplating this essential question, even though it would be directly implicated by South Korea’s policies.


Sunday, December 03, 2017

We haven’t done this in Colorado yet, have we? Perhaps they determined that a similar law would be unenforceable?
Medical Marijuana Users ‘Have 30 Days’ To Turn In Their Guns, Honolulu Police Say
The Honolulu Police Department is ordering legal cannabis patients to “voluntarily surrender” any guns they own because pot is still considered an illegal drug under federal law.
The initiative continues three months after Hawaii’s first medical marijuana dispensary opened for business.
“Your medical marijuana use disqualifies you from ownership of firearms and ammunition,” Honolulu police Chief Susan Ballard wrote in a Nov. 13 letter to one medical marijuana card holder. “If you currently own or have any firearms, you have 30 days upon receipt of this letter to voluntarily surrender your firearms, permit and ammunition to the Honolulu Police Department or otherwise transfer ownership.”




Seems consistent with how Americans vote on anything.
New Study Finds That Most Redditors Don’t Actually Read the Articles They Vote On
It’s probably not at all surprising that most content posted to Reddit is voted on more or less blindly. I’ll cop to liking articles that friends have shared on Facebook without reading, let alone evaluating them. I’d say there’s even sort of an aggregation myth that pervades our view of social media, that buried within discussions of fake news and social media corporate responsibility is this assumption that people are actually reading the articles, or at least that a lot of them are. The data, however, suggests that they aren’t.
According to a paper published in IEEE Transactions on Computational Social Systems by researchers at Notre Dame University, some 73 percent of posts on Reddit are voted on by users that haven’t actually clicked through to view the content being rated. This is according to a newly released dataset consisting of all Reddit activity of 309 site users for a one year period.




This is interesting. Will anyone else do this?
Neil Young’s Massive Online Archive Is Open
Earlier this year, Neil Young announced that he was preparing to launch a massive online archive, featuring all his music, released and unreleased, for free in high quality audio via his new XStream Music streaming service. Today, on the release date of his new album The Visitor, he has launched the site. Indeed, the new Neil Young Archives include a filing cabinet and timeline listing all of his albums up through The Visitor, including several unreleased items like Chrome Dreams, Homegrown, and Toast (which are not yet available to stream). Also listed are his film projects and books. Explore for yourself here, and watch a tutorial video narrated by Young below. “Don’t forget to have a good time,” he instructs users. “And try not to get lost.”




Could this help my International students? (Or help me read their papers?)
Rewordify - A Tool to Help Students Understand Complex Texts
Rewordify is a free site that can help students understand complex passages of text. At its most basic level Rewordify takes a complex passage and rephrases it in simpler terms. Students can adjust Rewordify's settings to match their needs. For example, students can add words to a "skip list" and those words will not be changed when they appear in a passage. Students can also use Rewordify to simply highlight difficult words instead of having them replaced. Watch the video below for a complete overview of how Rewordify works.