Wednesday, August 08, 2018

Pay me now or pay me later.
At $17 million, Atlanta network recovery six times more expensive than estimated
The SamSam ransomware attack on the city of Atlanta in March is probably one of the most expensive security incidents, with the recovery cost adding up to some $17 million of taxpayers’ money, according to a seven-page “confidential and privileged” report accessed by The Atlanta Journal-Constitution and Channel 2 Action News. City officials had already secured $6 million for the recovery project, while initial forecasts said it would cost about $3 million. Now, it seems, the project will cost an extra $11 million.
After years of repeated warnings from the city’s auditor about its security vulnerabilities and lack of disaster recovery plans, the city of Atlanta didn’t invest much effort in upgrading infrastructure security.
… After refusing to pay a $51,000 ransom in bitcoin following the breach, the city is now looking at a very expensive outlay that involves paying for improved security services, software upgrades, as well as purchasing new desktops, laptops, smart phones and tablets.
… When the Department of Transportation in Colorado was hit by ransomware, by comparison, the estimated recovery cost was $2 million.

Might be amusing to have my students “compare and contrast” the responses from the various players.
Apple responds to Congress' letter on data security and privacy
Apple has just responded to Congress' inquiry on how it protects user privacy.
The House Committee on Energy and Commerce last month sent letters to Apple CEO Tim Cook and Alphabet CEO Larry Page asking about the companies' data security and privacy practices. The five-page letter to Cook asked detailed questions about how Apple collected user data and what it used it for.
In a response Tuesday, Apple reiterated that it collects as little data as possible as a practice.

An interesting tool from Programmers You Might Know…
Last year, we launched an investigation into how Facebook’s People You May Know tool makes its creepily accurate recommendations. By November, we had it mostly figured out: Facebook has nearly limitless access to all the phone numbers, email addresses, home addresses, and social media handles most people on Earth have ever used. That, plus its deep mining of people’s messaging behavior on Android, means it can make surprisingly insightful observations about who you know in real life—even if it’s wrong about your desire to be “friends” with them on Facebook.
In order to help conduct this investigation, we built a tool to keep track of the people Facebook thinks you know. Called the PYMK Inspector, it captures every recommendation made to a user for however long they want to run the tool. It’s how one of us discovered Facebook had linked us with an unknown relative. In January, after hiring a third party to do a security review of the tool, we released it publicly on Github for users who wanted to study their own People You May Know recommendations.

Would this apply to any violent rally?
Subpoena for app called ‘Discord’ could unmask identities of Charlottesville white supremacists
… Discord, which was started in 2015 as a secure chat app for videogamers, also happened to be conducive for white supremacists, white nationalists, neo-Nazis and other members of the alt-right movement who sought to keep their identities secret.
… Attorneys for the counterprotesters have argued that these Discord messages and hundreds of others are central to proving that Unite the Right organizers “conspired to commit acts of violence, intimidation and harassment” against people in Charlottesville that weekend. The attorneys filed a subpoena for Discord, seeking to obtain the messages and account information of more than 30 anonymous users who appear to have participated in the Unite the Right rally.
But one anonymous woman, the one called “kristall.night,” filed suit seeking to quash the subpoena that could unmask her and dozens of other users. She claimed the counterprotesters were intentionally seeking to “out” her as a member of the alt-right movement, putting her in fear of her own safety. Revealing her identity, her attorney argued, would infringe on her First Amendment rights to engage in “anonymous speech” and to associate with a politically unpopular group.
On Monday, however, a magistrate in California disagreed.
U.S. Chief Magistrate Judge Joseph C. Spero declined to fully quash the Discord subpoena, finding that the plaintiffs’ interest in discovering her identity as a possible witness or co-conspirator behind the Unite the Right rally outweighed her right to speak anonymously on the Internet.
… Spero agreed to quash the portion of the subpoena seeking the contents of the messages, saying it violates the Stored Communications Act.

Perspective. Why would anyone decide to give up an audience? Is compliance that expensive? Perhaps this is an opportunity for someone to provide the tools for a nominal fee?
More than 1,000 U.S. news sites are still unavailable in Europe, two months after GDPR took effect
Websites had two years to get ready for the GDPR. But rather than comply, about a third of the 100 largest U.S. newspapers have instead chosen to block European visitors to their sites.
… The GDPR requires websites to obtain consent from users before collecting personal information, explain what data are being collected and why, and delete a user’s information if requested. Violating the GDPR can draw a hefty fine — as much as 4 percent of a company’s annual revenue.
Websites had two years to get ready for the GDPR. Rather than comply, about a third of the 100 largest U.S. newspapers have opted to block their sites in Europe. They include the Chicago Tribune, New York Daily News, Dallas Morning News, Newsday and The Virginian-Pilot.
… GateHouse and Tronc did not respond to requests for comment about the GDPR. Lee Enterprises has no plans to comply. Company spokesperson Charles Arms said Lee’s websites wouldn’t draw enough visitors from the more than 30 countries in the EU and the European Economic Area to justify compliance.
“Internet traffic on our local news sites originating from the EU and EEA is de minimis, and we believe blocking that traffic is in the best interest of our local media clients,” Arms said.
From a financial standpoint, that position is justified, according to Alan Mutter, who teaches media economics at the University of California at Berkeley. He said international web traffic might benefit The New York Times, Wall Street Journal and Washington Post but “ads served in Paris, Palermo, or Potsdam don’t help advertisers in Peoria.”
But being available in Europe can help customer relations. And about 16 million Americans visited Europe last year.
… “It is naive and wholly irresponsible to think that U.S. news holds no relevance beyond U.S. borders,” Toporoff said. “U.S. brands should be better at knowledge sharing with their European counterparts and learn how to serve audiences within the GDPR’s parameters. Not to do so is quite undemocratic.”

(Related) Perhaps EU readers are worth something after all?
This year Instapaper celebrated its tenth birthday and, now that we are an independent company, we’ve been thinking a lot about the next ten years of Instapaper and beyond.
To ensure Instapaper can continue for the foreseeable future, it’s essential that the product generates enough revenue to cover its costs. In order to do so, we’re relaunching Instapaper Premium today.
As a reminder, Instapaper Premium is a subscription for $2.99/month or $29.99/year
… Additionally, today we are bringing back Instapaper to European Union users. Over the past two months we have taken a number of actions to address the General Data Protection Regulation, and we are happy to announce our return to the European Union.
We are very sorry for the extended downtime and, as a token of our apology, we are giving six months of Instapaper Premium to all EU users affected by the outage.
We’ve updated our privacy policy to include the rights afforded to EU users under the General Data Protection Regulation (GDPR). Additionally, in the interest of transparency, we are posting our privacy policy to GitHub where you can view a versioned history of all the changes to our privacy policy.

(Related) Action from the beginning...
Onwards and Upwards: Our GDPR Journey and Looking Ahead
For the better part of the last two years, Imperva has laid the foundation for our compliance with the EU General Data Protection Regulation (GDPR). At roughly ninety pages with 173 recitals and 99 articles, it’s a massive regulation that fundamentally shifts the data privacy and data protection universe.