All suggestions are welcome. Apparently, we are not ready for law or regulation.
https://www.zdnet.com/article/australian-government-releases-voluntary-iot-cybersecurity-code-of-practice/?&web_view=true
Australian government releases voluntary IoT cybersecurity code of practice
The Australian government has released a voluntary code of practice for securing the Internet of Things (IoT) in Australia.
The voluntary Code of Practice: Securing the Internet of Things for Consumers [PDF] is intended to provide industry with a best-practice guide on how to design IoT devices with cybersecurity features.
Suggestions for the Computer Security Budget request.
https://www.bespacific.com/2020-cost-of-a-data-breach-report/
2020 Cost of a Data Breach Report
Via Bluefin: “IBM and the Ponemon Institute’s long-awaited 2020 Cost of a Data Breach Report has finally arrived — and with it comes critical insight into the current landscape of cyber security. For the fifteenth consecutive year, IBM and the Ponemon Institute have partnered to analyze the latest breaches at over 500 organizations to uncover trends in cyberattacks and provide insight on data security practices…”
A short security backgrounder…
https://www.troyhunt.com/we-didnt-encrypt-your-password-we-hashed-it-heres-what-that-means/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TroyHunt+%28Troy+Hunt%29
We Didn't Encrypt Your Password, We Hashed It. Here's What That Means:
… the difference between encryption and hashing is fundamental to how at-risk your password is from being recovered and abused after a data breach. I often hear people excusing the mischaracterisation of password storage on the basis of users not understanding what hashing means, but what I'm actually hearing is that breached organisations just aren't able to explain it in a way people understand. So here it is in a single sentence:
A password hash is a representation of your password that can't be reversed, but the original password may still be determined if someone hashes it again and gets the same result.
P@ssw0rd
here's what the hash of that password looks like:
161ebd7d45089b3446ee4e0d86dbcf92
This hash was created with the MD5 hashing algorithm and is 32 characters long. A shorter password hashed with MD5 is still 32 characters long. This entire blog post hashed with MD5 is still 32 characters long. This helps demonstrate the fundamental difference between hashing and encryption: a hash is a representation of data whilst encryption is protected data.
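As an added illustration of the distinction above (example code written for this post, not Troy Hunt's), the Python below reproduces the fixed-length MD5 behaviour and the "hash the guess again and compare" check the excerpt describes, then goes one step further to the salted, iterated PBKDF2 form defenders use so that a re-hashed guess no longer matches across users. Function names and the sample guesses are assumptions constructed here; the MD5 value of P@ssw0rd is the one quoted in the excerpt.

```python
import hashlib
import hmac
import os


def md5_hex(text: str) -> str:
    """Unsalted MD5 hex digest: always 32 hex characters, whatever the input length."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def hash_lengths(inputs):
    """Digest length for each input: a 1-byte and a 10,000-byte input both give 32."""
    return [len(md5_hex(s)) for s in inputs]


def first_matching_guess(stored_hash: str, guesses):
    """The check the excerpt describes: MD5 cannot be reversed, but any guess whose
    hash equals the stored value identifies the password. This is why a leaked
    table of unsalted, fast hashes offers little protection. Returns the match or None."""
    for guess in guesses:
        if md5_hex(guess) == stored_hash:
            return guess
    return None


def pbkdf2_hex(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library). The same
    password gives a different digest under a different salt, so one re-hashed guess
    no longer matches every user, and each guess costs `iterations` rounds of work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def store_password(password: str):
    """Return (salt, digest) as a defender would persist them: a fresh random salt per user."""
    salt = os.urandom(16)
    return salt, pbkdf2_hex(password, salt)


def verify_password(password: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison of the candidate's digest against the stored digest."""
    return hmac.compare_digest(pbkdf2_hex(password, salt), stored)


if __name__ == "__main__":
    print(md5_hex("P@ssw0rd"))                              # 161ebd7d45089b3446ee4e0d86dbcf92
    print(hash_lengths(["a", "P@ssw0rd", "x" * 10_000]))    # [32, 32, 32]
    print(first_matching_guess(md5_hex("P@ssw0rd"), ["letmein", "P@ssw0rd"]))  # P@ssw0rd
    salt, stored = store_password("P@ssw0rd")
    print(verify_password("P@ssw0rd", salt, stored), verify_password("letmein", salt, stored))  # True False
```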
Management either failed to have a procedure or failed to ensure it was being followed.
https://hotforsecurity.bitdefender.com/blog/american-payroll-association-forgets-to-patch-web-portal-hackers-skim-credit-cards-and-passwords-off-site-24063.html
American Payroll Association Forgets to Patch Web Portal, Hackers Skim Credit Cards and Passwords Off Site
… Embarrassingly, the APA seems to admit its technicians failed to deploy the necessary patches at the right time, leading to hackers exploiting known vulnerabilities in its systems.
Another world I can never enter because I don’t own a smartphone?
https://www.theatlantic.com/technology/archive/2020/09/pandemic-no-excuse-colleges-surveil-students/616015/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+AtlanticScienceAndTechnology+%28The+Atlantic+-+Technology%29
The Pandemic Is No Excuse to Surveil Students
Trying to do so is all but useless.
In Michigan, a small liberal-arts college is requiring students to install an app called Aura, which tracks their location in real time, before they come to campus. Oakland University, also in Michigan, announced a mandatory wearable that would track symptoms, but, facing a student-led petition, then said it would be optional. The University of Missouri, too, has an app that tracks when students enter and exit classrooms. This practice is spreading: In an attempt to open during the pandemic, many universities and colleges around the country are forcing students to download location-tracking apps, sometimes as a condition of enrollment.
Many of these apps function via Bluetooth sensors or Wi-Fi networks. When students enter a classroom, their phone informs a sensor that’s been installed in the room, or the app checks the Wi-Fi networks nearby to determine the phone’s location.
Years ago I worked with two start-ups that conducted hardware and software inventories. This is not as simple as it sounds!
https://www.databreaches.net/hipaa-covered-entities-and-business-associates-need-an-it-asset-inventory-list-ocr-recommends/
HIPAA Covered Entities and Business Associates Need an IT Asset Inventory List, OCR Recommends
Joseph J. Lazzarotti and Maya Atrakchi of JacksonLewis write:
Last week, in its Cybersecurity Summer Newsletter, the Office of Civil Rights (OCR) published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization, and improve HIPAA Security Rule compliance.
OCR investigations often find that organizations “lack sufficient understanding” of where all of their ePHI is located, and while the creation of an IT asset inventory list is not required under the HIPAA Security Rule, it could be helpful in the development of a risk analysis, and in turn in implementing appropriate safeguards – which are HIPAA Security Rule requirements.
Read more on Workplace Privacy, Data Management & Security Report
Pouring gasoline on an already fiery debate?
https://www.infosecurity-magazine.com/news/dhs-biometric-collection-rules/?&web_view=true
Homeland Security to Propose Biometric Collection Rules
The Department of Homeland Security (DHS) is to propose a standard definition of biometrics for authorized collection, which would establish a defined regulatory purpose for biometrics and create clear rules for using the information collected.
A proposed expansion would modernize biometrics collection and authorize expanded use of biometrics beyond background checks to include identity verification, secure document production and records management.
(Related)
https://fpf.org/2020/09/03/californias-sb-980-would-codify-strong-protections-for-genetic-data/
California’s SB 980 Would Codify Strong Protections for Genetic Data
This week, SB 980 (the “Genetic Information Privacy Act”) passed the California State Assembly and State Senate, with near unanimous support (54-10 and 39-0). If signed by the Governor before the Sept. 30 deadline, the law would become the first comprehensive genetic privacy law in the United States, establishing significant new protections for consumers of genetic services.
If China produces a provably unbiased AI judge, would we be willing to outsource?
https://www.jdsupra.com/legalnews/law-and-justice-powered-by-artificial-86782/
Law and Justice Powered by Artificial Intelligence? It's Already a Reality
Change happens faster than we predict. It is also happening more frequently. Consider, China is launching an online AI arbitrator this year. The United Nations wants to improve access to justice through AI judges and has been actively working on this for four years. A handful of firms have built digital assistants to help legal teams comply with case rules to reduce time and expenses that are actually not billable.
Now factor in COVID-19. While it has been a pox on our lives, it has also been a great accelerator for innovation. With physical courtrooms closed, it accelerated the adoption of virtual courtrooms. Law firms that never though(sic) a remote workforce would be effective are now wondering why they need huge offices when people seem to be working more effectively from home. Both the courts and firms are also turning more to AI-powered solutions to improve operational collaboration and efficiencies as well as to establish deeper engagement with petitioners and clients.
More a summation…
https://hbr.org/2020/09/what-does-building-a-fair-ai-really-entail
What Does Building a Fair AI Really Entail?
Artificial intelligence (AI) is rapidly becoming integral to how organizations are run. This should not be a surprise; when analyzing sales calls and market trends, for example, the judgments of computational algorithms can be considered superior to those of humans. As a result, AI techniques are increasingly used to make decisions. Organizations are employing algorithms to allocate valuable resources, design work schedules, analyze employee performance, and even decide whether employees can stay on the job.
This creates a new set of problems even as it solves old ones. As algorithmic decision-making’s role in calculating the distribution of limited resources increases, and as humans become more dependent on and vulnerable to the decisions of AI, anxieties about fairness are rising. How unbiased can an automated decision-making process with humans as the recipients really be?
Twilight or dawn?
https://venturebeat.com/2020/09/03/were-entering-the-ai-twilight-zone-between-narrow-and-general-ai/
We’re entering the AI twilight zone between narrow and general AI
… there are experts who believe the industry is at a turning point, shifting from narrow AI to AGI. Certainly, too, there are those who claim we are already seeing an early example of an AGI system in the recently announced GPT-3 natural language processing (NLP) neural network. While NLP systems are normally trained on a large corpus of text (this is the supervised learning approach that requires each piece of data to be labeled), advances toward AGI will require improved unsupervised learning, where AI gets exposed to lots of unlabeled data and must figure out everything else itself. This is what GPT-3 does; it can learn from any text.
(Related)
https://thenextweb.com/neural/2020/09/03/the-fourth-generation-of-ai-is-here-and-its-called-artificial-intuition/
The fourth generation of AI is here, and it’s called ‘Artificial Intuition’
Artificial Intelligence (AI) is one of the most powerful technologies ever developed, but it’s not nearly as new as you might think. In fact, it’s undergone several evolutions since its inception in the 1950s. The first generation of AI was ‘descriptive analytics,’ which answers the question, “What happened?” The second, ‘diagnostic analytics,’ addresses, “Why did it happen?” The third and current generation is ‘predictive analytics,’ which answers the question, “Based on what has already happened, what could happen in the future?”
While predictive analytics can be very helpful and save time for data scientists, it is still fully dependent on historic data. Data scientists are therefore left helpless when faced with new, unknown scenarios. In order to have true “artificial intelligence,” we need machines that can “think” on their own, especially when faced with an unfamiliar situation. We need AI that can not just analyze the data it is shown, but express a “gut feeling” when something doesn’t add up. In short, we need AI that can mimic human intuition. Thankfully, we have it.