The RISKS Digest
Volume 31 Issue 93

Monday, 1st June 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Dealing with the Internet's split personality
WashPost
In virus-hit South Korea, AI monitors lonely elders
WashPost
How to Protest Safely in the Age of Surveillance
WiReD
Resuscitate The Internet Fairness Doctrine
The Hill
An advanced and unconventional hack is targeting industrial firms
Ars Technica
Minnesota is now using contact tracing to track protestors, as demonstrations escalate
BGR
Do Not Install/Use Centralized Server COVID-19 Contact Tracing Apps
Lauren Weinstein
Critical ‘Sign in with Apple’ Bug Could Have Let Attackers Hijack Anyone's Account
The Hacker News
Erik Prince Recruits Ex-Spies to Help Infiltrate Liberal Groups
NYTimes
Anonymous is back
PGN
How To Create A Culture of Kick-Ass #DevSecOps Engineers That Advocates Security Automation & Monitoring Throughout the #Software Development Life-cycle
The Hacker News
Live EPIC online policy panel: Privacy and the Pandemic
Diego Latella
Risks to Elections in the COVID-19 Era
Diana Neuman
Death or Utopia in the Next Three Decades
Brian Berg
New Research Paper: “Privacy Threats in Intimate Relationships”
Bruce Schneier
Re: Tesla owner locked thief in car with his iPhone app
Carlos Villalpando
Re: The GitHub Arctic Code Vault
Amos Shapir
Re: Choosing 2FA authenticator apps can be hard. Ars did it so you don't have to
John Levine
Re: Vitamin C
R. G. Newbury
Info on RISKS (comp.risks)

Dealing with the Internet's split personality (WashPost)

Richard Stein <rmstein@ieee.org>
Mon, 1 Jun 2020 13:17:03 +0800

https://www.washingtonpost.com/opinions/there-must-be-a-price-to-pay-for-misusing-the-internet/2020/05/29/fc82b08e-a1b8-11ea-81bb-c2f70f01034b_story.html

“There must be a price to pay for misusing the Internet. New ‘norms’ of behavior must be nourished. Bad behavior must be punished. Up to a point, that's fine. But the commission never really explains how this is to work. One practical problem is the difficulty in identifying the source of a cyberattack.”

Environment drives evolution. Genomes react to environmental stimulus over generations; they adapt to enable survival. The Internet's predominant genome suggests business governance is an ideal adaptation candidate.

Each data breach, computer malfunction, viral infection, botnet, bent or malicious insider, and DDoS incurs at least inconvenience, threatens business mortality, and routinely compromises personal privacy. Weak digital hygiene, inadequate training, ineffective content controls, and professional shirking contribute to these chronic conditions. Elevating and enforcing business conduct standards has never been more urgent.

Classified data loss is vigorously prosecuted under Federal law (https://www.nytimes.com/2020/02/04/nyregion/cia-leak-wikileaks-trial-Joshua-Schulte.html, https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html).

Businesses entrusted to manage customer data suffer public brand outrage when bulk content is lost through negligence. However, business governance teams and employees are inconstantly found liable in civil courts.

Cyber-liability insurance compensates organizations and customers when justice determines necessity; usually, a settlement is reached before trial commences. Repeat incidents elevate premiums, and insurers mandate enhanced internal remediation to suppress recurrence. Despite repairs, comprehensive efforts to harden infrastructure, train employees, and build resilient processes appear ineffective given their industrial frequency.

Governance “skin in the game” can compel organizational behavior to prioritize customer interests that include data protection and privacy maintenance practices.

Privileges accompany corporate rank. Why not balance them with legally enforceable penalties? Would legislation that establishes financial penalties for business governance teams, including possible imprisonment, accelerate effective digital hygiene hardening and operational deployment?

Enforcement practices can compel business compliance rigor. The Financial crisis of 2007-2008 (see https://en.wikipedia.org/wiki/Financial_crisis_of_2007-2008) forced revisions to the Investment Advisors Act of 1940. Regulations were introduced that required financial advisors to put customer interests first. Rule violators were disciplined. However, regulations have been recently softened to favor business interests. (See https://www.sec.gov/news/press-release/2019-89 and https://www.consumerreports.org/financial-planning/how-to-find-reliable-financial-advice/).

The Cyberspace Solarium Commission (https://www.solarium.gov/report) “urges Congress to give the Cybersecurity and Infrastructure Security Agency (CISA) significantly more resources and additional authorities as the agency works to ensure critical networks can recover quickly from cyberattacks and serves as the ‘central coordinating element to support and integrate federal, state and local, and private-sector cybersecurity efforts.’” This recovery mechanism can facilitate post-attack remediation, but does not expedite proactive and effective deterrence by Internet-based businesses.

Establishing a fair, reliable, and vigilant Internet “cop on the beat,” funded in part from commercial and government data breach/malware fines, could motivate a fundamental change in how Internet-dependent businesses operate custodial data management practices. It is difficult to estimate business enforcement expenses. Operational expenses are usually factored into product prices. Consumers may experience certain pocketbook impact.

For Internet business models that advertise application access as a quid pro quo for consumer data, there's likely very small revenue impact. Other industrial sectors (power distribution, healthcare, chemical, transportation, etc.) may need to proactively pool revenue (or self-insure).

Government agency executives and employees should be subject to these regulations. They are in business to safeguard public interests, which includes oversight of significant personal identifying information and commercial data.

Mandatory penalties derived from data loss or malware incidents would effectively serve as an “Internet Tax” chartered by government to offset materialized business risks that burden public confidence. A politically-independent, enforceable regulatory structure is necessary to restore the Internet's balance toward public interest.


In virus-hit South Korea, AI monitors lonely elders (WashPost)

Richard Stein <rmstein@ieee.org>
Mon, 1 Jun 2020 14:15:52 +0800

https://www.washingtonpost.com/business/technology/in-virus-hit-south-korea-ai-monitors-lonely-elders/2020/05/30/45c38370-a2ec-11ea-be06-af5514ee038story.html

South Korea's elderly population volunteers for home digital assistant monitoring of searches and voice commands. Suicide, and unattended death generally, is a grave concern for this aging cohort.

SK Telecom is a state-sanctioned surveillance economy titan. Weak consumer privacy protections fuel business thirst for data. Significant government and business embarrassments from largely unrestricted public data exploitation.


How to Protest Safely in the Age of Surveillance (WiReD)

Monty Solomon <monty@roscom.com>
Mon, 1 Jun 2020 06:31:47 -0400

Law enforcement has more tools than ever to track your movements and access your communications. Here's how to protect your privacy if you plan to protest.

https://www.wired.com/story/how-to-protest-safely-surveillance-digital-privacy/


Resuscitate The Internet Fairness Doctrine (The Hill)

Richard Stein <rmstein@ieee.org>
Mon, 1 Jun 2020 21:56:47 +0800

https://thehill.com/policy/technology/500196-khanna-calls-for-internet-fairness-doctrine-in-response-controversial-trump

“Let's say the President is tweeting out conspiracy theories about Joe Scarborough,” Khanna said, referring to Trump's tweets earlier this week about an unsubstantiated conspiracy theory regarding the death of an aide that worked for the former Florida congressman.

“Well why not allow the widower who doesn't want the president tweeting about his deceased wife, why not give him the opportunity to send a response and that response Twitter could send to every person who clicks on the President's tweets?” Khanna suggested.

“Or why not allow someone to respond to the President's claims about ballot fraud?”

“What I would say is, you defeat speech with speech. But you didn't give one person a huge megaphone and not allow a fair response,” he added.

In 1987, under President Reagan, the Fairness Act was abolished. An updated Fairness Act, tabled for legislative debate, appears overdue.

If Khanna's solution is adopted, tag-tweeted publication latency accrues until rebuttal content materializes. A timer might be established to incentivize response. The tag-tweet process appears to be viable when applied to a single political office.

The labor expense to oversee political content might become significant if the resuscitated Act applied to all levels of government (federal, state, local).

Should a media company be required to sponsor this activity as a public service? Who pays for the speech/rebuttal oversight process? Who defines the rules governing the speech/rebuttal process? Who arbitrates disputes over what is/is-not political speech?


An advanced and unconventional hack is targeting industrial firms (Ars Technica)

Monty Solomon <monty@roscom.com>
Mon, 1 Jun 2020 09:58:29 -0400

Steganography? Check. Living off the land? Yep. Triple-encoded payloads? Uh-huh.

https://arstechnica.com/information-technology/2020/05/an-advanced-and-unconventional-hack-is-targeting-industrial-firms/


Minnesota is now using contact tracing to track protestors, as demonstrations escalate (BGR)

Monty Solomon <monty@roscom.com>
Sun, 31 May 2020 14:39:10 -0400

https://bgr.com/2020/05/30/minnesota-protest-contact-tracing-used-to-track-demonstrators/

In some cities like Minneapolis, though, officials are starting to turn to a familiar tool to investigate networks of protestors. The tool is contact-tracing, and it's a familiar tool in that people have been hearing about it frequently in recent weeks as an important component of a comprehensive coronavirus pandemic response. According to Minnesota Public Safety Commissioner John Harrington, officials there have been using what they describe, without going into much detail, as contact-tracing in order to build out a picture of protestor affiliations — a process that officials in the state say has led them to conclude that much of the protest activity there is being fueled by people from outside coming in.


Do Not Install/Use Centralized Server COVID-19 Contact Tracing Apps

Lauren Weinstein <lauren@vortex.com>
Sun, 31 May 2020 12:05:06 -0700

https://lauren.vortex.com/2020/04/27/recommendation-do-not-install-or-use-centralized-server-coronavirus-covid-19-contact-tracing-apps


Critical ‘Sign in with Apple’ Bug Could Have Let Attackers Hijack Anyone's Account (The Hacker News)

Monty Solomon <monty@roscom.com>
Sun, 31 May 2020 22:43:25 -0400

The now-patched vulnerability could have allowed remote attackers to bypass authentication and take over targeted users' accounts on third-party services and apps that have been registered using ‘Sign in with Apple’ option.

https://thehackernews.com/2020/05/sign-in-with-apple-hacking.html


Erik Prince Recruits Ex-Spies to Help Infiltrate Liberal Groups

“Peter G. Neumann” <neumann@csl.sri.com>
Mon, 1 Jun 2020 11:16:20 PDT

https://www.nytimes.com/2020/03/07/us/politics/erik-prince-project-veritas.html

[Old news, but still timely. PGN]


Anonymous is back

“Peter G. Neumann” <neumann@csl.sri.com>
Mon, 1 Jun 2020 11:56:46 PDT

George Floyd: Anonymous hackers re-emerge amid US unrest (BBC News) https://www.bbc.com/news/technology-52879000


How To Create A Culture of Kick-Ass #DevSecOps Engineers That Advocates Security Automation & Monitoring Throughout the #Software Development Life-cycle (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Mon, 1 Jun 2020 09:10:31 -1000

https://thehackernews.com/2020/06/devsecops-engineers.html


Live EPIC online policy panel: Privacy and the Pandemic

“Diego.Latella” <diego.latella@isti.cnr.it>
Mon, 01 Jun 2020 22:24:28 +0200

PRIVACY AND THE PANDEMIC (https://epic.org/events/June3/) 3 JUNE 2020, 1 PM - 2 PM EDT

The COVID-19 pandemic is a global health emergency of unprecedented scale, and countries are deploying a wide range of techniques to respond. EPIC is advocating for greater privacy protection to ensure that the public health response protects individuals. These systems should be lawful and voluntary. There should be minimal collection of personally identifiable information. The techniques should be robust, scalable, and provable. And they should only be used during the pandemic emergency.

Our panelists will discuss ways in which governments can protect both public health and privacy, the technology behind digital contact tracing apps, and the Congressional response to privacy and the pandemic.

PANELISTS:

Jane Bambauer, Professor of Law at the University of Arizona
Alan Butler, Interim Executive Director and General Counsel, EPIC
Asad Ramzanali, Legislative Director, Representative Anna Eshoo [D-CA-18]
Bruce Schneier, Internationally renowned security technologist

MODERATOR:

Anita Allen, Professor of Law and Professor of Philosophy, University of Pennsylvania Law School; Chair, EPIC Board of Directors

ABOUT EPIC:

https://epic.org/epic/about.html


Risks to Elections in the COVID-19 Era

Diana Neuman <diana.neuman@bacesecurity.org>
Wed, 27 May 2020 08:08:29 -0700

A Fireside Chat with Peter G. Neumann and Rebecca T. Mercuri
Wednesday 3 June 2020 11am PDT
Hosted by the (Becky) Bace Cybersecurity Institute

Flyer and Website
https://www.bacesecurity.org/page/2686

Diana Neuman, Executive Director, Bace Cybersecurity Institute diana.neuman@bacesecurity.org


Death or Utopia in the Next Three Decades

Brian Berg via AMW <amw@berglist.com>
Mon, 1 Jun 2020 12:09:56 PDT

Special EE380/Asilomar Joint Event (Thu, June 4, 11am-1pm PDT)

Register at http://ee380.stanford.edu/register.html to receive a URL to access the live virtual presentation

Presentation will be published to YouTube shortly after the live event.

Today the data suggests that we are near the beginning of a chaotic mess of global proportions. Things are fairly simple: a global pandemic with no tools to fight the virus, a global economy in disarray, climate change and other existential risks beginning to intrude into our daily lives, and a total lack of a plan as to what to do.

On the other hand, we are at the pinnacle of human capabilities and have, if we so choose, the capability to create a Utopian egalitarian world without conflict or want.

In this 2-hour program, a group of experts will explore the future, focusing on 2030 and 2050.

Where are we now? What is trending? What if anything can be done about it?

You are invited to participate in a virtual conference live using Zoom (version 5.0 or greater), or watch the recorded version when it is published on YouTube. You must REGISTER (http://ee380.stanford.edu/register.html) to receive a URL to access the live virtual presentation and find the YouTube video of the presentation.

The Panel

John Markoff*, Stanford Institute for Human Centered AI, ex-NY Times (Moderator)
Garrett Banning*, Washington-based strategic thinker and analyst
Joy Buolamwini, Algorithmic Justice League | Poet of Code; Harvard
Carole Dumaine, Consultant, NIC, CIA; Co-founder of Futures.org
John Hennessy, Stanford University professor, past President; Alphabet BoD Chair
Michael Mann, Earth System Science Center and Professor, Penn State
Carmine Medina, Former CIA Deputy Director, Author of Rebels At Work
Paul Saffo, Forecaster of technology change, Stanford Engineering Adjunct
Megan Smith, CEO shift7, MIT Board, ex-CIO of the US under Obama

Sponsors

The Asilomar Microcomputer Workshop is one of the iconic gatherings which supported the growth of computing. This is the first mini-conference which replaces the 46th Asilomar Microcomputer Workshop, which was canceled due to the COVID-19 pandemic. http://www.amw.org.

The Stanford EE Colloquium on Computer Systems, EE380, will present the mini-conference as one of its offerings for Spring Quarter 2020. http://ee380.stanford.edu

Organizers

Dennis Allison, Program conception and organization
Robert Kennedy III, Asilomar Microcomputer Workshop General Chair

New Research Paper: “Privacy Threats in Intimate Relationships”

“Bruce Schneier” <schneier@schneier.com>
Mon, 01 Jun 2020 14:32:54 -0500

Just published:

“Privacy Threats in Intimate Relationships”
Karen Levy and Bruce Schneier
Journal of Cybersecurity, Volume 6, Issue 1, 2020.

Abstract: This article provides an overview of intimate threats: a class of privacy threats that can arise within our families, romantic partnerships, close friendships, and caregiving relationships. Many common assumptions about privacy are upended in the context of these relationships, and many otherwise effective protective measures fail when applied to intimate threats. Those closest to us know the answers to our secret questions, have access to our devices, and can exercise coercive power over us. We survey a range of intimate relationships and describe their common features. Based on these features, we explore implications for both technical privacy design and policy, and offer design recommendations for ameliorating intimate privacy risks.

https://academic.oup.com/cybersecurity/article/6/1/tyaa006/5849222


Re: Tesla owner locked thief in car with his iPhone app (R 31 87)

Carlos Villalpando <unbelver@gmail.com>
Sat, 30 May 2020 18:11:52 -0700

> How long will it be before we see: “iPhone app bug allows anyone to lock Tesla owners into their cars”?

Never, I suspect. When I saw the original report in 31.87 I was suspicious, in that Teslas don't have a “remote off” and there is no physical locking mechanism. All “locking” the car does is tell the car to ignore the exterior door handle microswitches. Attempting to duplicate this on my own Tesla Model 3, the interior driver door button always obeyed, even if I locked it with my phone, and on top of that, there's the mechanical door release, which bypasses the electronic lock. And the mechanical release is much like all other vehicle door releases, and is used often by passengers unfamiliar with the vehicle.

I suspect this was a case of someone not knowing how to deal with the differences of how to operate the vehicle. The car has a non-standard way of shifting into drive modes, and will not shift into drive mode without detecting the phone key/keyfob inside the vehicle. I suspect the carjacker was confused enough for the owner to get out of phone Bluetooth range, and was too impaired to deal with what to do next.


Re: The GitHub Arctic Code Vault (RISKS-31.92)

Amos Shapir <amos083@gmail.com>
Sun, 31 May 2020 12:43:37 +0300

> “Think about all of the servers that are stored around the world that hold repositories of this code. The only way the Arctic vault would be useful is if the entire human civilization was essentially wiped out”

That's what Maersk had thought, before all their servers were hit by NotPetya at once; they were saved only by a server in Ghana which happened to be offline at the time.

The point is, it's not unthinkable that all repositories which belong to the same owner, or relate to the same subject, or contain some specific information, are hit at the same time by a carefully directed attack.


Re: Choosing 2FA authenticator apps can be hard. Ars did it so you don't have to (Ars Technica)

“John Levine” <johnl@iecc.com>
31 May 2020 16:17:08 -0400

> Losing your 2FA codes can be bad. Having backups stolen can be worse. What to do?

My, what a gratuitous mess. The TOTP codes used by 2FA apps are in fact base32 character strings to be hashed with a timestamp to produce the six-digit codes used for authentication. The QR codes also contain the name of the service and sometimes an image of its logo, but the base32 string is all that matters. Whenever something shows you the QR code, there is invariably a way to get it to show you the string, in case you can't scan the QR code, and the apps have a way to enter the string manually.

Keeping this in mind I can suggest a variety of lowish-tech ways to avoid losing your TOTP strings:

Scan them into more than one app when you get them.

Scan them into apps on more than one device. I use my phone, my tablet, and a python script on my laptop.

Put the strings in a file on a device you leave at home, perhaps a USB stick in a drawer. Print the strings out on a piece of paper and put it in your wallet, with hints that make sense to you about which string goes with which service. (The hints and the strings need not be in the same order so long as you remember the mapping.)

It would take an extremely unusual bad guy to first steal your wallet and then figure out what the scribbles on the paper mean. On the other hand if you lose your phone, you can enter the strings into an app on your new phone by hand and you're ready to go.
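As an added illustration of the mechanics described in the post above (example code written for this digest, not from the Ars article or from John Levine), the following Python pulls the base32 secret out of an otpauth:// URI of the kind a 2FA QR code encodes, and derives the six-digit code from that secret and the current time as RFC 4226/6238 specify (HMAC-SHA1 over a time counter, then dynamic truncation). The URI and secret are constructed from the RFCs' published test vector; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the RFC 4226 / RFC 6238 test secret ("12345678901234567890"
# in ASCII) packaged as the otpauth:// URI a QR code usually carries.
SAMPLE_URI = ("otpauth://totp/Example%3Aalice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def normalize_secret(secret_b32: str) -> str:
    """Accept the secret as apps show it: any case, spaced groups, no '=' padding."""
    s = secret_b32.replace(" ", "").replace("-", "").upper()
    return s + "=" * (-len(s) % 8)


def parse_otpauth(uri: str) -> dict:
    """Extract label, issuer and the base32 secret; the secret is all that matters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth:// URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [""])[0],
        "secret": normalize_secret(q["secret"][0]),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(normalize_secret(secret_b32))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret_b32: str, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole periods since the Unix epoch."""
    return hotp(secret_b32, unix_time // period, digits)


def verify(secret_b32: str, submitted: str, unix_time: int, period: int = 30,
           digits: int = 6, window: int = 1) -> bool:
    """Server-side check: tolerate +/- `window` steps of clock drift, compare in constant time."""
    counter = unix_time // period
    return any(hmac.compare_digest(hotp(secret_b32, counter + d, digits), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print("string to enter by hand or write down:", entry["secret"])
    print("code right now:", totp(entry["secret"], int(time.time()),
                                  entry["period"], entry["digits"]))
```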


Re: Vitamin C (RISKS-31.91)

“R. G. Newbury” <newbury@mandamus.org>
Mon, 1 Jun 2020 00:52:59 -0400

This awesome news about Vitamin C is breaking as we …. oh, wait! 71 years old, next month. Clearly it was ignored if not anathematized as impossible by the medical establishment. (I am reminded of Helicobacter pylori being ‘unpossible’.)

Dr. Klenner got amazing results against all sorts of viral diseases. The results point to the importance of a healthy immune system as the first line of defence.

Interesting to see that the bureaucracy was already in full force and power back in 1949:

(3) Routine lumbar puncture would have made it obligatory to report each case as diagnosed to the health authorities. This would have deprived myself of valuable clinical material and the patients of most valuable therapy, since they would have been removed to a receiving center in a nearby town.

I had to use some web-fu: 1000 mg of Vitamin C is 20,000 IU. So these were not small doses and delivery seemed to require injection to be useful.

Interesting that it works on shingles. Thanks to Andre Carezia for finding this and passing it on.
