How to do security poorly. Build in your own back door.
MyEquifax.com Bypasses Credit Freeze PIN
Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your name, Social Security number and birthday.
Probably nowhere near enough, so what’s next?
Kaori Yoshida reports:
North Korea has used cyberattacks and blockchain technology to circumvent economic sanctions and obtain foreign currency, according to a panel of experts reporting to the U.N. Security Council.
Pyongyang has amassed around $670 million in foreign and virtual currency through cyberthefts and used blockchain technology to cover its tracks, the panel told the Security Council’s North Korea sanctions committee, ahead of the council’s annual report, Nikkei has learned.
Read more on Nikkei Asian Review.
Can organizations keep this information from employees/customers under the GDPR and similar laws? If you’re not transparent about a breach and people cannot figure out how to protect themselves, you may be almost guaranteeing people will sue you about it or file a grievance.
CBC reports:
The union representing faculty at Algonquin College has filed a grievance against the school after a recent data breach.
Ontario Public Service Employees Union (OPSEU) local 415, which represents faculty at the school, wants Algonquin College to disclose the exact nature of the information that was accessed in last month’s phishing attack — and take steps to protect any faculty whose personal information is used illegally.
The only assurance that the college has given the union is that no social insurance numbers were lost, said Pat Kennedy, the union’s local president.
Read more on CBC.
So, why not use the ‘news’ tag all the time?
YouTube fought Brie Larson trolls by changing its search algorithm
If you searched “Brie Larson” on YouTube a couple of days ago, the top search results were calls for a boycott of Captain Marvel, and angry rants about Larson’s involvement in the Marvel Cinematic Universe. With one small change, YouTube made all of that disappear.
This week, YouTube recategorized “Brie Larson” as a news-worthy search term. That does one very important job: it makes the search algorithm surface videos from authoritative sources on a subject. Instead of videos from individual creators, YouTube responds with videos from Entertainment Tonight, ABC, CBS, CNN, and other news outlets first.
… The noticeable shift in responses speaks to an even bigger conversation about YouTube’s search algorithm: if this is a way to prioritize higher-quality videos when people are searching for a topic, could this be used for non-news topics, too?
Some creators see it as a problem if YouTube favors videos from approved news outlets instead of individuals. On Twitter, some critics and creators called it censorship from YouTube, while others commended the site for taking some kind of action. YouTube has millions of creators on the platform who are fighting to get their videos seen; if traditional news outlets are shown favoritism, it’s a cultural shift that will see immense backlash from a large portion of the creator community.
Apparently lots of US companies have created the notice wall, but are gathering user “agreements” before local versions of GDPR (like California’s) come into effect.
Cookie walls don’t comply with GDPR, says Dutch DPA
Cookie walls that demand a website visitor agrees to their internet browsing being tracked for ad-targeting as the “price” of entry to the site are not compliant with European data protection law, the Dutch data protection agency clarified yesterday.
… So, in other words, a “data for access” cookie wall isn’t going to cut it. (Or, as the DPA puts it: “Permission is not ‘free’ if someone has no real or free choice. Or if the person cannot refuse giving permission without adverse consequences.”)
Anything to avoid the expense of compliance? Wait till you see what non-compliance costs.
From Paper Compliance to Operational Compliance
… With the European Union’s sweeping GDPR regulation having gone into effect last year, additional countries and jurisdictions have taken it upon themselves to create similar legislation that enhances individual privacy rights and holds companies accountable for ensuring that appropriate safeguards are in place to protect data.
… Much of the discussion around the California Consumer Privacy Act (“CCPA”) has centered around whether the law is set to become the “GDPR of the United States.” While GDPR is a more robust, complex data privacy regulation and framework, the CCPA is nevertheless sweeping in scope and impact, and the two acts are underpinned by many of the same data privacy principles. And while comparisons between the two acts have been frequent, not enough has been said about the concrete steps that organizations, specifically those in the financial services space, should be taking to get their processes, people and technology ready for CCPA compliance. These heavily-regulated organizations should be weary (sic) to view the CCPA as simply another law to comply with. In order to avoid scrutiny by the regulators and heavy fines along with potential reputational harm, they will need to shift their approach to data privacy.
(Related)
The Ohio Data Protection Act and the Quiet Revolution
Since the 2018 U.S. state legislative sessions began, at least 12 states have brought into force updated or entirely new cybersecurity legislation.
… As a major privacy trend, several states are introducing data protection legislation in their respective 2019 legislative sessions, and some of these bills incorporate elements of other states’ data protection statutes. This “cross politization” of data protection and the sheer number of bills currently moving through state legislatures, along with 2018’s new legislation, collectively represent a quiet revolution in data protection practice in the U.S.; in doing so, it also represents a uniquely American approach to solving a societal problem.
Looking at Ohio, early in August of 2018, then-governor John Kasich signed into law the Ohio Data Protection Act.[1] The law represented a novel approach to data protection:[2] it provides an “affirmative defense” to a “covered entity” against tort claims brought against that entity as a result of a breach of personal information if the entity’s cyber security program conforms to industry recognized cybersecurity frameworks or federal regulations cited in the Act.
An un-civil suit?
Craig A. Newman of Patterson Belknap writes:
When we hear about discovery abuses in litigation, we often think of overzealous lawyers using obstructionist tactics. Such behavior, however, rarely involves litigants hacking into the email of an adversary or accessing privileged attorney-client communications that disclose litigation strategies.
But in a unanimous ruling last week, a New York state appeals court found that a litigant’s “improper and willful” misconduct – which included “improperly accessing approximately 12,000 of defendant’s privileged attorney/client communications … [and] deleting relevant documents” – justified the dismissal of an assault and battery lawsuit.
Read more on Data Security Law Blog.
Perspective. Because my students will want to talk about this.
Elizabeth Warren Wants To Break Up Amazon, Google And Facebook; But Does Her Plan Make Any Sense?
This isn't necessarily a big surprise, given that she's suggested this many times over the past few years, but 2020 Presidential candidate Elizabeth Warren has just laid out her plan for breaking up Amazon, Google and Facebook. It's certainly worth reading to understand where she's coming from, and some of the arguments are worth thinking about – but much of it does feel like just grandstanding populism in front of the general "anti-big tech" stance, without enough substance behind it.
Twenty-five years ago, Facebook, Google, and Amazon didn’t exist. Now they are among the most valuable and well-known companies in the world. It’s a great story — but also one that highlights why the government must break up monopolies and promote competitive markets.
I find this a very odd way to open this proposal. I don't see how the first sentence supports the second. Indeed, the first sentence would seem to contradict the second. Twenty-five years ago those companies didn't exist, and if you asked people what tech companies would take over the world, you'd get very different answers. Technology is an incredibly dynamic and rapidly changing world, in which big incumbents are regularly and frequently disrupted and disappear. One of my favorite articles to point people to was a 2007 article warning of the power of a giant monopolistic social network that would never be taken down by competition. That social network? MySpace. The article briefly mentions Facebook, but only to note that it "will always be on MySpace's periphery."
Interesting backgrounder.
What’s Driving the Demand for Data Scientists?
Data analytics is becoming mission-critical to more and more businesses. One of the biggest challenges they face: recruiting data scientists.
“There are very few data scientists out there passing out their resumes,” LinkedIn co-founder Allen Blue said. “Data scientists are almost all already employed, because they’re so much in demand.”
… Sethi added that he’s noticed many more organizations similarly looking into how to reskill their mid-career people. He observed, “I’ve got to believe that over the next few years, data analytics is going to be [extremely] prevalent. It’s like digital: everyone’s going to need to have a base level understanding of it.”
Self-driving fighter jets?
Here's what you should know about the Air Force's new robot wingman
There's a lot of buzz about the first flight of an unmanned U.S. Air Force drone, designed to accompany manned combat aircraft into battle, that many believe will herald a new age of aerial warfare.
… with its twin tail, curved fuselage and a jet engine that propels it to near-supersonic speed, the XQ-58A looks like a smaller F-35 stealth fighter.
… contract called for a drone with a top speed of Mach 0.9 (691 miles per hour), a 1,500-mile combat radius carrying a 500-pound payload, the capability to carry two GBU-39 small diameter bombs, and costing $2 million apiece when in mass production (an F-35 costs around $100 million).
This sounds like a description not of the clumsy drones we have today, but a real Unmanned Combat Air Vehicle, or UCAV. Put another way, this is a true robot warplane.