Saturday, March 09, 2019

How to do security poorly. Build in your own back door.
MyEquifax.com Bypasses Credit Freeze PIN
Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your name, Social Security number and birthday.
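The design flaw here is a second path to a privileged action that does not enforce the factor the first path relies on. The following is an added illustration (not code from the article, from Krebs, or from Equifax) that models the freeze-lift authorization decision two ways: a weak policy that treats a portal account as equivalent to the PIN, and a hardened policy that requires the PIN on every path, compares it in constant time and locks after repeated failures. The record layout, subject id, PIN values and the fixed salt are all constructed for the example.

```python
"""
Added example: authorization policy for lifting a credit freeze.

Weak policy: a freshly created portal account OR the freeze PIN lifts the
freeze. Because the account can be created from widely held identifiers,
the PIN no longer gates anything.

Hardened policy: the PIN is required regardless of how the requester
authenticated to the portal. (All data below is constructed.)
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac

MAX_PIN_FAILURES = 5  # assumed lockout threshold for this illustration


@dataclass
class FreezeRecord:
    subject_id: str
    pin_hash: bytes        # salted PBKDF2 hash of the freeze PIN
    salt: bytes
    failed_attempts: int = 0
    frozen: bool = True


@dataclass
class LiftRequest:
    subject_id: str
    pin: Optional[str] = None               # PIN supplied by the requester, if any
    portal_account_verified: bool = False   # requester is logged in to a portal account


def hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the PIN is short, so a slow hash matters
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def pin_matches(rec: FreezeRecord, pin: str) -> bool:
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(hash_pin(pin, rec.salt), rec.pin_hash)


def make_record(subject_id: str, pin: str) -> FreezeRecord:
    salt = b"constructed-fixed-salt"  # a real system would use os.urandom(16)
    return FreezeRecord(subject_id, hash_pin(pin, salt), salt)


def lift_freeze_weak(rec: FreezeRecord, req: LiftRequest) -> bool:
    """Mirrors the reported flaw: account ownership substitutes for the PIN."""
    if req.subject_id != rec.subject_id:
        return False
    if req.portal_account_verified:
        rec.frozen = False          # PIN never checked on this path
        return True
    if req.pin is not None and pin_matches(rec, req.pin):
        rec.frozen = False
        return True
    return False


def lift_freeze_hardened(rec: FreezeRecord, req: LiftRequest) -> bool:
    """The PIN gates every path; a portal session is not a substitute."""
    if req.subject_id != rec.subject_id:
        return False
    if rec.failed_attempts >= MAX_PIN_FAILURES:
        return False                # locked; needs out-of-band re-verification (not modelled)
    if req.pin is None or not pin_matches(rec, req.pin):
        rec.failed_attempts += 1    # count failures regardless of portal login state
        return False
    rec.failed_attempts = 0
    rec.frozen = False
    return True


if __name__ == "__main__":
    rec = make_record("subject-1", "1234567890")
    print("weak, account only:", lift_freeze_weak(rec, LiftRequest("subject-1", portal_account_verified=True)))
    rec = make_record("subject-1", "1234567890")
    print("hardened, account only:", lift_freeze_hardened(rec, LiftRequest("subject-1", portal_account_verified=True)))
    print("hardened, correct PIN:", lift_freeze_hardened(rec, LiftRequest("subject-1", pin="1234567890")))
```

The point the hardened function makes is that the check belongs on the action (lifting the freeze), not on the session that reaches it; any new login or recovery flow added later inherits the PIN requirement automatically.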

Probably nowhere near enough, so what’s next?
Kaori Yoshida reports:
North Korea has used cyberattacks and blockchain technology to circumvent economic sanctions and obtain foreign currency, according to a panel of experts reporting to the U.N. Security Council.
Pyongyang has amassed around $670 million in foreign and virtual currency through cyberthefts and used blockchain technology to cover its tracks, the panel told the Security Council’s North Korea sanctions committee, ahead of the council’s annual report, Nikkei has learned.
Read more on Nikkei Asian Review.

Can organizations keep this information from employees/customers under the GDPR and similar laws?
If you’re not transparent about a breach and people cannot figure out how to protect themselves, you may be almost guaranteeing people will sue you about it or file a grievance.
CBC reports:
The union representing faculty at Algonquin College has filed a grievance against the school after a recent data breach.
Ontario Public Service Employees Union (OPSEU) local 415, which represents faculty at the school, wants Algonquin College to disclose the exact nature of the information that was accessed in last month’s phishing attack — and take steps to protect any faculty whose personal information is used illegally.
The only assurance that the college has given the union is that no social insurance numbers were lost, said Pat Kennedy, the union’s local president.
Read more on CBC.

So, why not use the ‘news’ tag all the time?
YouTube fought Brie Larson trolls by changing its search algorithm
If you searched “Brie Larson” on YouTube a couple of days ago, the top search results were calls for a boycott of Captain Marvel, and angry rants about Larson’s involvement in the Marvel Cinematic Universe. With one small change, YouTube made all of that disappear.
This week, YouTube recategorized “Brie Larson” as a news-worthy search term. That does one very important job: it makes the search algorithm surface videos from authoritative sources on a subject. Instead of videos from individual creators, YouTube responds with videos from Entertainment Tonight, ABC, CBS, CNN, and other news outlets first.
… The noticeable shift in responses speaks to an even bigger conversation about YouTube’s search algorithm: if this is a way to prioritize higher-quality videos when people are searching for a topic, could this be used for non-news topics, too?
Some creators see it as a problem if YouTube favors videos from approved news outlets instead of individuals. On Twitter, some critics and creators called it censorship from YouTube, while others commended the site for taking some kind of action. YouTube has millions of creators on the platform who are fighting to get their videos seen; if traditional news outlets are shown favoritism, it’s a cultural shift that will see immense backlash from a large portion of the creator community.

Apparently lots of US companies have created the notice wall, but are gathering user “agreements” before local versions of GDPR (like California’s) come into effect.
Cookie walls don’t comply with GDPR, says Dutch DPA
Cookie walls that demand a website visitor agrees to their internet browsing being tracked for ad-targeting as the “price” of entry to the site are not compliant with European data protection law, the Dutch data protection agency clarified yesterday.
… So, in other words, a “data for access” cookie wall isn’t going to cut it. (Or, as the DPA puts it: “Permission is not ‘free’ if someone has no real or free choice. Or if the person cannot refuse giving permission without adverse consequences.”)

Anything to avoid the expense of compliance? Wait till you see what non-compliance costs.
From Paper Compliance to Operational Compliance
… With the European Union’s sweeping GDPR regulation having gone into effect last year, additional countries and jurisdictions have taken it upon themselves to create similar legislation that enhances individual privacy rights and holds companies accountable for ensuring that appropriate safeguards are in place to protect data.
… Much of the discussion around the California Consumer Privacy Act (“CCPA”) has centered around whether the law is set to become the “GDPR of the United States.” While GDPR is a more robust, complex data privacy regulation and framework, the CCPA is nevertheless sweeping in scope and impact, and the two acts are underpinned by many of the same data privacy principles. And while comparisons between the two acts have been frequent, not enough has been said about the concrete steps that organizations, specifically those in the financial services space, should be taking to get their processes, people and technology ready for CCPA compliance. These heavily-regulated organizations should be weary (sic) to view the CCPA as simply another law to comply with. In order to avoid scrutiny by the regulators and heavy fines along with potential reputational harm, they will need to shift their approach to data privacy.

(Related)
The Ohio Data Protection Act and the Quiet Revolution
Since the 2018 U.S. state legislative sessions began, at least 12 states have brought into force updated or entirely new cybersecurity legislation.
… As a major privacy trend, several states are introducing data protection legislation in their respective 2019 legislative sessions, and some of these bills incorporate elements of other states’ data protection statutes. This “cross politization” of data protection and the sheer number of bills currently moving through state legislatures, along with 2018’s new legislation, collectively represent a quiet revolution in data protection practice in the U.S.; in doing so, it also represents a uniquely American approach to solving a societal problem.
Looking at Ohio, early in August of 2018, then-governor John Kasich signed into law the Ohio Data Protection Act. The law represented a novel approach to data protection: it provides an “affirmative defense” to a “covered entity” against tort claims brought against that entity as a result of a breach of personal information if the entity’s cyber security program conforms to industry recognized cybersecurity frameworks or federal regulations cited in the Act.

An un-civil suit?
Craig A. Newman of Patterson Belknap writes:
When we hear about discovery abuses in litigation, we often think of overzealous lawyers using obstructionist tactics. Such behavior, however, rarely involves litigants hacking into the email of an adversary or accessing privileged attorney-client communications that disclose litigation strategies.
But in a unanimous ruling last week, a New York state appeals court found that a litigant’s “improper and willful” misconduct – which included “improperly accessing approximately 12,000 of defendant’s privileged attorney/client communications … [and] deleting relevant documents” – justified the dismissal of an assault and battery lawsuit.
Read more on Data Security Law Blog.

Perspective. Because my students will want to talk about this.
Elizabeth Warren Wants To Break Up Amazon, Google And Facebook; But Does Her Plan Make Any Sense?
This isn't necessarily a big surprise, given that she's suggested this many times over the past few years, but 2020 Presidential candidate Elizabeth Warren has just laid out her plan for breaking up Amazon, Google and Facebook. It's certainly worth reading to understand where she's coming from, and some of the arguments are worth thinking about – but much of it does feel like just grandstanding populism in front of the general "anti-big tech" stance, without enough substance behind it.
Twenty-five years ago, Facebook, Google, and Amazon didn’t exist. Now they are among the most valuable and well-known companies in the world. It’s a great story — but also one that highlights why the government must break up monopolies and promote competitive markets.
I find this a very odd way to open this proposal. I don't see how the first sentence supports the second. Indeed, the first sentence would seem to contradict the second. Twenty-five years ago those companies didn't exist, and if you asked people what tech companies would take over the world, you'd get very different answers. Technology is an incredibly dynamic and rapidly changing world, in which big incumbents are regularly and frequently disrupted and disappear. One of my favorite articles to point people to was a 2007 article warning of the power of a giant monopolistic social network that would never be taken down by competition. That social network? MySpace. The article briefly mentions Facebook, but only to note that it "will always be on MySpace's periphery."

Interesting backgrounder.
What’s Driving the Demand for Data Scientists?
Data analytics is becoming mission-critical to more and more businesses. One of the biggest challenges they face: recruiting data scientists.
“There are very few data scientists out there passing out their resumes,” LinkedIn co-founder Allen Blue said. “Data scientists are almost all already employed, because they’re so much in deman
… Sethi added that he’s noticed many more organizations similarly looking into how to reskill their mid-career people. He observed, “I’ve got to believe that over the next few years, data analytics is going to be [extremely] prevalent. It’s like digital: everyone’s going to need to have a base level understanding of it.”

Self-driving fighter jets?
Here's what you should know about the Air Force's new robot wingman
There's a lot of buzz about the first flight of an unmanned U.S. Air Force drone, designed to accompany manned combat aircraft into battle, that many believe will herald a new age of aerial warfare.
… with its twin tail, curved fuselage and a jet engine that propels it to near-supersonic speed, the XQ-58A looks like a smaller F-35 stealth fighter.
… contract called for a drone with a top speed of Mach 0.9 (691 miles per hour), a 1,500-mile combat radius carrying a 500-pound payload, the capability to carry two GBU-39 small diameter bombs, and costing $2 million apiece when in mass production (an F-35 costs around $100 million).
This sounds like a description not of the clumsy drones we have today, but a real Unmanned Combat Air Vehicle, or UCAV. Put another way, this is a true robot warplane.
