Friday, April 19, 2019


Hiding in the weeds.
Mueller report sheds new light on how the Russians hacked the DNC and the Clinton campaign
The Mueller report contains new information about how the Russian government hacked documents and emails from Hillary Clinton’s presidential campaign and the Democratic National Committee.
At one point, the Russians used servers located in the U.S. to carry out the massive data exfiltration effort, the report confirms.
The operatives working for the Russian intelligence directorate, the GRU, sent dozens of targeted spearphishing emails in just five days to the work and personal accounts of Clinton Campaign employees and volunteers, as a way to break into the campaign’s computer systems.
By stealing the login details of a system administrator who had “unrestricted access” to the network, the hackers broke into 29 computers in the ensuing weeks, and more than 30 computers on the DNC.
In all, some 70 gigabytes of data were exfiltrated from Clinton’s campaign servers and some 300 gigabytes of data were obtained from the DNC’s network.
“I hope you’re able to find the 30,000 emails that are missing,” said then-candidate Trump at a press conference, referring to emails Clinton stored on a personal email server while she headed the State Department. Mueller’s report said “within approximately five hours” of those remarks, GRU officers began targeting for the first time Clinton’s personal office.




Big, but not a record.
Remember what I said earlier today about India being a data protection mess? Here’s another example. Mohit Kumar reports:
An unprotected database belonging to JustDial, India’s largest local search service, is leaking personally identifiable information of its every customer in real-time who accessed the service via its website, mobile app, or even by calling on its fancy “88888 88888” customer care number, The Hacker News has learned and independently verified.
Founded over two decades ago, JustDial (JD) is the oldest and leading local search engine in India that allows users to find relevant nearby providers and vendors of various products and services quickly while helping businesses listed in JD to market their offerings.
Rajshekhar Rajaharia, an independent security researcher, yesterday contacted The Hacker News and shared details of how an unprotected, publicly accessible API endpoint of JustDial’s database can be accessed by anyone to view profile information of over 100 million users associated with their mobile numbers.
Read more on The Hacker News.




Completely foreseeable. Outages will identify organizations that didn’t monitor the growth of the routing table.
Some internet outages predicted for the coming month as '768k Day' approaches
An internet milestone known as "768k Day" is getting closer and some network administrators are shaking in their boots fearing downtime caused by outdated network equipment.
The fear is justified, and many companies have taken precautions to update old routers, but some cascading failures are still predicted.
The term 768k Day comes from the original mother of all internet outages known as 512k Day.
512k Day happened on August 12, 2014, when hundreds of ISPs from all over the world went down, causing billions of dollars in damages due to lost trade and fees, from a lack of internet connectivity or packet loss.
The original 512k Day took place because routers ran out of memory for storing the global BGP routing table, a file that holds the IPv4 addresses of all known internet-connected networks.
Many legacy routers received emergency firmware patches that allowed network admins to set a higher threshold for the size of the memory allocated to handle the global BGP routing table.
Most network administrators followed documentation provided at the time and set the new upper limit at 768,000 – aka 768k.
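The comment above is about monitoring table growth, so here is the check an operator would want, as an added example (it is not code from the ZDNet article or from any router vendor): trend the IPv4 BGP table size against the router's configured prefix ceiling and project when the ceiling will be reached. The sample counts are constructed for illustration; the 768,000 limit is the figure the article says most admins configured after 512k Day.

```python
"""Added example, not from the article quoted above: trend the IPv4 BGP
table size against a router's configured prefix limit and project when the
limit will be hit.  The sample counts below are constructed for illustration;
the 768,000 limit is the figure the article says most admins configured."""
from datetime import date, timedelta

# Constructed samples: (observation date, IPv4 prefixes in the full table),
# e.g. taken from a daily route-summary export or a looking-glass query.
SAMPLES = [
    (date(2018, 10, 1), 720_000),
    (date(2018, 12, 1), 732_000),
    (date(2019, 2, 1), 745_000),
    (date(2019, 4, 1), 757_000),
]

DEFAULT_LIMIT = 768_000  # the post-512k-Day ceiling many admins set


def growth_per_day(samples):
    """Average prefixes added per day between the first and last sample."""
    (d0, n0), (d1, n1) = samples[0], samples[-1]
    days = (d1 - d0).days
    if days <= 0:
        raise ValueError("samples must span more than one day")
    return (n1 - n0) / days


def days_until_limit(samples, limit):
    """Days after the last sample until the table reaches `limit`.

    Returns 0 if the limit is already reached and None if the table is not
    growing (no projection possible).
    """
    _, last_count = samples[-1]
    if last_count >= limit:
        return 0
    rate = growth_per_day(samples)
    if rate <= 0:
        return None
    return (limit - last_count) / rate


def headroom_report(samples, limit=DEFAULT_LIMIT, warn_days=90):
    """Summarise remaining headroom and classify it as ok / warn / critical."""
    last_date, last_count = samples[-1]
    days = days_until_limit(samples, limit)
    if days is None:
        status, eta = "ok", None
    else:
        eta = last_date + timedelta(days=int(days))
        status = "critical" if days <= 0 else "warn" if days <= warn_days else "ok"
    return {
        "prefixes": last_count,
        "limit": limit,
        "remaining": limit - last_count,
        "growth_per_day": growth_per_day(samples),
        "days_to_limit": days,
        "eta": eta.isoformat() if eta else None,
        "status": status,
    }


if __name__ == "__main__":
    for key, value in headroom_report(SAMPLES).items():
        print(f"{key:>15}: {value}")
```

With the constructed samples the table grows by roughly 200 prefixes a day and the 768k ceiling is about 54 days past the last observation, which is the "warn" band; the same report run against a platform whose limit is its real TCAM or FIB size is the number worth graphing.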




Another swing of the pendulum.
Nathan Sheard and Jennifer Lynch of EFF write:
Thanks to a recent ruling by Fairfax County Circuit Court Judge Robert J. Smith, drivers in Fairfax County, Virginia need not worry that local police are maintaining ALPR records of their travels for work, prayer, protest or play.
Earlier this month, Judge Smith ordered an injunction against the use of the license plate database, finding that the “passive” use of Fairfax County Police Department’s Automated License Plate Reader (ALPR) system violated Virginia’s Government Data Collection and Dissemination Practices Act (Data Act).
Read more on EFF.




People are responsible for Privacy Policies? What a concept!
Federal investigation of Facebook could hold Mark Zuckerberg accountable on privacy, sources say
Federal regulators investigating Facebook for mishandling its users’ personal information have set their sights on the company’s chief executive, Mark Zuckerberg, exploring his past statements on privacy and weighing whether to seek new, heightened oversight of his leadership.
The discussions about how to hold Zuckerberg accountable for Facebook’s data lapses have come in the context of wide-ranging talks between the Federal Trade Commission and Facebook that could settle the government’s more than year-old probe, according to two people familiar with the discussions. Both requested anonymity because the FTC’s inquiry is confidential under law.
Often, the FTC does not target executives in cases where it finds a company’s business practices have violated web users’ privacy. But critics said that targeting Zuckerberg could send a message to other tech giants that the agency is willing to hold top executives directly accountable for their firms’ repeated data misdeeds.
“The days of pretending this is an innocent platform are over, and citing Mark in a large scale enforcement action would drive that home in spades,” said Roger McNamee, an early investor in the company and one of Zuckerberg's foremost critics.


(Related) How to bury bad news.
Facebook perfects the art of the news dump
On the Thursday before a major holiday weekend, and an hour before the much-anticipated Mueller report was released to the public, Facebook updated a month-old blog post titled "Keeping Passwords Secure" with a few lines of italicized text.
"Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users," says the update.
The original post revealed Facebook stored passwords for hundreds of millions of its Facebook users and "tens of thousands" of Instagram users as plain text in a database that could be accessed by its staff.
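The failure described above is the classic one of a verbose request logger capturing credentials. As an added example (not Facebook's code and not from the article quoted above), here is a redaction layer that masks credential fields in structured log events and in form-encoded bodies before anything is written; the field names treated as sensitive and the sample event are assumptions for illustration.

```python
"""Added example, not Facebook's code: scrub credentials from log records
before they are written, so a request logger cannot leave plaintext
passwords in readable logs.  Sensitive field names and the sample event
below are assumptions for illustration."""
import json
import logging
import re
from urllib.parse import parse_qsl, urlencode

# Key names whose values must never reach a log (deliberately broad).
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|secret|token|authorization", re.I)
MASK = "[REDACTED]"

# Constructed sample request event, the kind a debug logger might dump whole.
SAMPLE_EVENT = {
    "path": "/accounts/login",
    "headers": {"Authorization": "Bearer s3cr3t", "User-Agent": "Instagram/1.0"},
    "body": "username=alice&password=hunter2",
    "user": {"email": "alice@example.com", "password": "hunter2"},
}


def redact_query_string(s):
    """Mask sensitive values in a form-encoded string such as 'user=a&password=b'.

    Strings with whitespace are left alone so that log format strings
    ("user=%s password=%s") are never rewritten and broken.
    """
    if "=" not in s or " " in s or not SENSITIVE.search(s):
        return s
    pairs = parse_qsl(s, keep_blank_values=True)
    return urlencode([(k, MASK if SENSITIVE.search(k) else v) for k, v in pairs],
                     safe="[]")


def redact(obj):
    """Return a copy of a JSON-like value with sensitive keys masked, recursively."""
    if isinstance(obj, dict):
        return {k: (MASK if SENSITIVE.search(str(k)) else redact(v)) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v) for v in obj)
    if isinstance(obj, str):
        return redact_query_string(obj)
    return obj


def safe_log_line(event):
    """Serialise an event dict to one JSON log line with credentials masked."""
    return json.dumps(redact(event), sort_keys=True)


class RedactingFilter(logging.Filter):
    """Filter that masks credentials in a record's message and arguments."""

    def filter(self, record):
        record.msg = redact(record.msg)
        if record.args:
            record.args = redact(record.args)
        return True


def redacted_message(msg, *args):
    """Build a LogRecord as logging would, run the filter, return the final text."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    log = logging.getLogger("app")
    log.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log.info("login request %s", SAMPLE_EVENT)
    print(safe_log_line(SAMPLE_EVENT))
```

Attach the filter to the logger (or the handler) that writes request traces, and keep the serialiser that builds JSON events behind `safe_log_line`; the point is that the mask is applied at the choke point every log line passes through, not in each call site that happens to remember.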




Almost three years now and some people still haven’t read it?
GDPR Article 27 … The ‘Unknown Obligation’ of Appointing a Nominated European Representative
… Whilst the GDPR is a European regulation, many organizations outside of Europe will be unaware that they are required to appoint a Nominated European Representative under certain conditions (as per Article 27 of the GDPR).


(Related) Dead because tech companies had input?
Hunton Andrews Kurth writes:
The much-discussed Washington Privacy Act, Senate Bill 5376 (“SB 5376”), appears to have died after failing to receive a House vote by an April 17, 2019 deadline for action on non-budget policy bills. Though the bill could be revived before the regular session ends on April 28, 2019, Washington lawmakers expressed doubt.




I’m detecting a strong anti-AI bias…
Some AI just shouldn’t exist
Human bias can seep into AI systems. Amazon abandoned a recruiting algorithm after it was shown to favor men’s resumes over women’s; researchers concluded an algorithm used in courtroom sentencing was more lenient to white people than to black people; a study found that mortgage algorithms discriminate against Latino and African American borrowers.
The tech industry knows this, and some companies, like IBM, are releasing “debiasing toolkits” to tackle the problem. These offer ways to scan for bias in AI systems — say, by examining the data they’re trained on — and adjust them so that they’re fairer. [A great entry point for hackers. Bob]
But that technical debiasing is not enough, and can potentially result in even more harm, according to a new report from the AI Now Institute.
The three authors say we need to pay attention to how the AI systems are used in the real world even after they’ve been technically debiased. And we need to accept that some AI systems should not be designed at all.
In other words, ensuring that an AI system works just as well on everyone does not mean it works just as well for everyone.




Attempts to have AI interpret politicians caused the AI to stroke out.
A neural network can read scientific papers and render a plain-English summary
… a form of artificial intelligence (AI) ... can read scientific papers and render a plain-English summary in a sentence or two.
Even in this limited form, such a neural network could be useful for helping editors, writers, and scientists scan a large number of papers to get a preliminary sense of what they're about.




Interesting. Managers don’t want to listen to their lawyers?
The Rise of Risk Management in Financial Institutions – Diminution of Legal Function
Business Law Today – The Rise of Risk Management in Financial Institutions and a Potential Unintended Consequence – The Diminution of the Legal Function By: Thomas C. Baxter, Jr.
After the global financial crisis, a highly respected group of financial supervisors from the industrialized world convened to consider what might have caused the worst financial crisis experienced since the Great Depression. This group – aptly named the “Senior Supervisors Group” – concluded that a material contributing cause was what they characterized as a “colossal failure of risk management.” The Senior Supervisors Group was not alone. Many other bodies have taken up the same topic and reached a similar conclusion. In the 10 years since the global financial crisis ended, the financial community has responded to the identified causes of the financial crisis, adopting lessons learned and significantly reforming the financial system. This work has resulted in a financial system with individual institutions that are demonstrably more safe and more sound than before, and a much more resilient banking system overall. In contrast to what existed on the eve of the crisis – early 2007 – today’s financial system has considerably higher capital and liquidity, as government officials and other commentators have observed.
In addition, and perhaps even more importantly if we accept the conclusion of the Senior Supervisors Group, there has been a revolution in the discipline of risk management and in the “build-out” of processes and procedures for identifying, measuring, monitoring, and controlling risk. In the United States, for example, one may witness the Dodd-Frank Wall Street Reform and Consumer Protection Act, which President Obama signed into law on July 21, 2010 (the “Dodd-Frank Act”).
The Dodd-Frank Act introduced varied and different requirements for risk management, including a series of “enhanced prudential standards,” as well as governance directed at risk management requirements, like the requirement for a risk committee of the board of directors….
This article will discuss whether the rise of the risk management function has had one very specific unintended consequence – the diminution of the legal function. To place such an important question in a proper context, this article will focus on the potential inverse relationship – it is not only that the legal function has declined in importance, but it is also that the decline has come as the direct result of the rise in risk.


