Thursday, November 15, 2018

Legacy systems get a break: show that you are working to comply and they go easy. My problem is trying to teach students to build systems that are fully compliant from the start.
Ezra Steinhardt of Covington & Burling writes:
Earlier this year, in the run-up to the General Data Protection Regulation’s (“GDPR”) May 25, 2018 date of application, a major question for stakeholders was how zealously the GDPR would be enforced. Now, as the GDPR approaches its six-month birthday, an answer to that question is rapidly emerging. Enforcement appears to be ramping up significantly. In this post, we set out some of the most prominent regulatory enforcement developments so far — but bear in mind other investigations are also proceeding.
Read more on InsidePrivacy.




Interesting idea, but depends on timely notification. By the time anyone who reuses passwords gets notified, hackers have probably already used your password everywhere they can think of. Still, for those of us who follow breaches, it might flag one we missed.
Natasha Lomas reports:
Mozilla is adding a new security feature to its Firefox Quantum web browser that will alert users when they visit a website that has recently reported a data breach.
When a Firefox user lands on a website with a breach in its recent past they’ll see a pop up notification informing them of the barebones details of the breach and suggesting they check to see if their information was compromised.
“We’re bringing this functionality to Firefox users in recognition of the growing interest in these types of privacy- and security-centric features,” Mozilla said today. “This new functionality will gradually roll out to Firefox users over the coming weeks.”
Read more on TechCrunch.






Great new locks installed on the wrong door?
Chip Cards Fail to Reduce Credit Card Fraud in the US
A new study finds that credit card fraud has not declined since the introduction of chip cards in the US. The majority of stolen card information comes from hacked point-of-sale terminals.
The reasons seem to be twofold. One, the US uses chip-and-signature instead of chip-and-PIN, obviating the most critical security benefit of the chip. And two, US merchants still accept magnetic stripe cards, meaning that thieves can steal credentials from a chip card and create a working cloned mag stripe card.
Boing Boing post.




For Users: Makes signing into a new site very simple. For Hackers: Makes hacking the logon process very desirable.
Hmm. This one could result in big numbers.
A notification from Title Nine about Annex Cloud. Annex Cloud is a service provider that you may never have heard of but may have used many times. The notification explains:
Annex Cloud provides a service that enables individuals to use their user name and password from social media and other websites, like Facebook and Google, to login to merchants’ websites, including www.titlenine.com. Annex Cloud recently informed Title Nine that they had detected and removed unauthorized code that had been inserted into Annex Cloud’s systems that operate its login application. In its report, Annex Cloud identified four periods of time when the unauthorized code was present and could have captured information entered during the checkout process on our website. We removed Annex Cloud’s code from our website and mailed letters to those customers to let them know what occurred.
Despite its first report that only identified four time periods, Annex Cloud informed Title Nine that they had identified additional time periods between December 28, 2017 and July 9, 2018 when the unauthorized code was or could have been present. If present, the unauthorized code could have captured information entered during the checkout process on our website. Through October 25, 2018, Title Nine sought additional information from Annex Cloud to determine the transactions that might be involved, and Annex Cloud supplied additional information about their analysis regarding these periods, including their belief that there are certain times inside these additional periods when it cannot be determined if the unauthorized code was present. Thus, we are notifying you because you entered information during the checkout process during a time period when it is possible the unauthorized code may have been present.
What Information Was Involved
The information entered during the checkout process that the code may have accessed includes name, address, payment card number, expiration date, and card security code (CVV).
So then today, I saw this notification from Stein Mart.
I wonder how many more notifications we will see linked to Annex Cloud.




As an old guy, I can remember working with many senior managers who had never touched a computer. That will never be true for anyone starting out today. You have to ask: Did they hire him to program or manage?
Japan's cyber-security minister has 'never used a computer'
Japan's new cyber-security minister has dumbfounded his country by saying he has never used a computer.
Yoshitaka Sakurada made the admission to a committee of lawmakers.
"Since I was 25 years old and independent I have instructed my staff and secretaries. I have never used a computer in my life," he said, according to a translation by the Kyodo news agency.
The 68-year-old was appointed to his post last month.
… But Mr Sakurada responded that other officials had the necessary experience and he was confident there would not be a problem.
However, his struggle to answer a follow-up question about whether USB drives were in use at the country's nuclear power stations caused further concern.
The disclosure has been much discussed on social media where the reaction has been a mix of astonishment and hilarity, with some noting that at least it should mean Mr Sakurada would be hard to hack.




I wonder if this asks all the required questions? Still, it’s a start.
Mozilla ranks dozens of popular ‘smart’ gift ideas on creepiness and security
If you’re planning on picking up some cool new smart device for a loved one this holiday season, it might be worth your while to check whether it’s one of the good ones or not. Not just in the quality of the camera or step tracking, but the security and privacy practices of the companies that will collect (and sell) the data it produces. Mozilla has produced a handy resource ranking 70 of the latest items, from Amazon Echos to smart teddy bears.




I’m going to look at this carefully before I comment. I had a brief vision of TSA Agents standing next to every computer controlled device in the country. Shudder!
Congress Passes Bill Creating Cybersecurity Agency at DHS
The U.S. House of Representatives this week passed a bill that creates a new cybersecurity agency at the Department of Homeland Security (DHS).
The Cybersecurity and Infrastructure Security Agency (CISA) Act, which passed Senate in October, is headed to the president to be signed into law. Congress passed the legislation unanimously.
The bill reorganizes the National Protection and Programs Directorate (NPPD) into the Cybersecurity and Infrastructure Security Agency (CISA), and puts it in charge of cyber and physical infrastructure security.




Finding a balance must be hard. Facebook is missing some content they should take down and taking down some they should not.
70 of the world's leading human rights groups ask Mark Zuckerberg to create due process for censored content
Pam Cowburn from Article 19 sez, "Over 70 civil society groups have written to Mark Zuckerberg asking for Facebook to review its content removal processes and give all users the opportunity to appeal against content takedowns that they think have been made in error."




It’s a people problem.
Billions spent on armored school doors, bulletproof whiteboards and secret snipers
Washington Post: “Although school security has grown into a $2.7 billion market — an estimate that does not account for the billions more spent on armed campus police officers — little research has been done on which safety measures do and do not protect students from gun violence. Earlier this fall, The Washington Post sent surveys to every school in its database that had endured a shooting of some kind since the 2012 killings of 20 first-graders in Newtown, Conn., which prompted a surge of security spending by districts across the country. Of the 79 schools contacted, 34 provided answers, including Sandy Hook Elementary. Their responses to questions about what they learned — some brief but many rich in detail — provide valuable insight from administrators in urban, suburban and rural districts who, as a group, have faced the full spectrum of campus gun violence: targeted, indiscriminate, accidental and self-inflicted.
When asked what, if anything, could have prevented the shootings at their schools, nearly half replied that there was nothing they could have done. Several, however, emphasized the critical importance of their staffs developing deep, trusting relationships with students, who often hear about threats before teachers do. Only one school suggested that any kind of safety technology might have made a difference. Many had robust security plans already in place but still couldn’t stop the incidents…”




My students were adamant that no one could compete with Amazon.
Amazon Go competitor Standard Cognition raises $40 million to expand its cashierless store solution
Cashierless shopping feels a little bit like magic. There’s something indescribably awesome about being able to grab something from a shelf, stuff it in a coat pocket, and waltz away without having to contend with long lines or busted self-checkout machines. That “coolness” factor — along with the significant cost savings cashierless experiences promise — have given rise to a cottage industry of solutions led by standard-bearer Amazon and its Amazon Go chain.
The space’s startups have been mostly retailer-agnostic so far, and it’s no wonder why — brick-and-mortar space is expensive. San Francisco-based Standard Cognition this summer announced a partnership with Paltac in Japan that will see its autonomous checkout solution deployed in 3,000 stores, along with unnamed retailers in North America and Europe — and it’s impressed investors with its progress.




Perspective. My students have been looking at the wider economic impacts.
How Autonomous Vehicles Will Upend Transportation
Knowledge@Wharton: How will it change the trucking industry?
Burns: When you look at an over-the-road tractor, ask yourself: What parts are on that tractor because there’s a driver in it? The windshield, the doors, the seats, the steering controls, the brakes — you begin to get the picture. In fact, the parts you can take off of that tractor will likely cost more than the parts you’re going to add to make it autonomous.
… After this DARPA Urban Challenge, the only company that really stepped up for public road use application of this was Google. Larry Page and Sergey Brin challenged a small team of the participants in that DARPA challenge to come up with a vehicle that could go on public roads and prove the concept out.
The auto industry was in denial for five or six years. We re-create that in Autonomy. We tell the story of how Google got started into this area, and then how some of the engineers on Google’s team reached out to the auto industry and had the door slammed in their face.




The squeaky wheel (My students would agree.)