Showing posts with label cybersecurity. Show all posts

Friday, August 4, 2017

At Long Last, a Sensible Internet of Things Security Bill Has Been Introduced in the Senate; Slate, August 3, 2017

Josephine Wolff, Slate; At Long Last, a Sensible Internet of Things Security Bill Has Been Introduced in the Senate

"On Aug. 1, a group of senators introduced a bill, the Internet of Things Cybersecurity Improvement Act of 2017, that could make some strides toward securing the ever-growing number of online devices that, generally, comprise the so-called “Internet of Things.”
The bill would require that any such devices sold to the U.S. government must be patchable (i.e., allow for security updates), not have any known security vulnerabilities, and permit users to change their default passwords. The bill leans heavily on the considerable technical expertise of the National Institute of Standards and Technology, the nonregulatory government agency that develops standards for different technologies."

Thursday, August 3, 2017

To Protect Voting, Use Open-Source Software; New York Times, August 3, 2017

R. James Woolsey and Brian J. Fox, New York Times; To Protect Voting, Use Open-Source Software

"If the community of proprietary vendors, including Microsoft, would support the use of open-source model for elections, we could expedite progress toward secure voting systems.

With an election on the horizon, it’s urgent that we ensure that those who seek to make our voting systems more secure have easy access to them, and that Mr. Putin does not."

Friday, July 7, 2017

The privacy risk of using a digital home assistant; KSL.com, July 6, 2017

Sloan Schrage, KSL.com; The privacy risk of using a digital home assistant

"“For the machine to know you’re talking to it, it has to be taking that voice information that it’s recording and sending it back and processing,” said [cyber security expert] Sean Lawson. “The technology is really cool, especially if you grew up watching ‘The Jetsons’ or ‘Star Trek.’ The problem is, I also know how they work and the privacy implications. The costs versus the benefits of what this device will do for me is just not worth paying in terms of the privacy you give up. But everyone needs to make that decision for themselves.”"

Wednesday, June 21, 2017

Cisco wants to balance privacy with security; SFGate, June 20, 2017

Marissa Lang, SFGate; Cisco wants to balance privacy with security

"It’s a common trade-off in cybersecurity: Do you want privacy, or do you want protection?

To be more secure, businesses typically have to accept some level of surveillance, inviting third-party companies to track traffic and monitor network data for intruders, threats or malicious software.

Cisco wants to do away with that choice."

Thursday, May 25, 2017

Target to Pay $18.5M to States Over Data Breach; Inside Counsel, May 24, 2017

P.J. D'Annunzio, Inside Counsel; Target to Pay $18.5M to States Over Data Breach

"Deterrence was a major theme brought up by many of the attorneys general who released statements about the agreement.

The $18.5 million settlement with the states, coupled with the $10 million consumer class action settlement approved last week, may seem like a drop in the bucket for a retail juggernaut like Target, but according to Lambiras, the deterrent effect lies in the residual legal and public relations costs companies incur following a data breach.

In a statement Tuesday, Connecticut Attorney General George Jepsen said the settlement should serve as a wake-up call to companies to tighten their data security. He also gave kudos to Target for working with authorities after the breach."

Friday, May 19, 2017

Boy, 11, hacks cyber-security audience to give lesson on 'weaponisation' of toys; Agence France-Presse via Guardian, May 16, 2017

Agence France-Presse via Guardian; 

Boy, 11, hacks cyber-security audience to give lesson on 'weaponisation' of toys

"“Most internet-connected things have a Bluetooth functionality ... I basically showed how I could connect to it, and send commands to it, by recording audio and playing the light,” [Reuben Paul] told AFP later.

“IOT home appliances, things that can be used in our everyday lives, our cars, lights refrigerators, everything like this that is connected can be used and weaponised to spy on us or harm us.”
They could be used to steal private information such as passwords, as remote surveillance to spy on kids, or employ GPS to find out where a person is, he said. More chillingly, a toy could say “meet me at this location and I will pick you up”, Reuben said."

Wednesday, May 17, 2017

Consumer Reports: Your kid's online privacy: Connected toys; Consumer Reports via WSAW, May 16, 2017

Consumer Reports via WSAW; 

Consumer Reports: Your kid's online privacy: Connected toys


"It’s no secret that sharing personal information online comes with risk. But what if toys were also making it possible for hackers to access both you and your children’s information? Consumer Reports has some stern warnings about a new generation of toys."

Monday, May 15, 2017

The World Is Getting Hacked. Why Don’t We Do More to Stop It?; New York Times, May 13, 2017

Zeynep Tufekci, New York Times; 

The World Is Getting Hacked. Why Don’t We Do More to Stop It?


"There is also the thorny problem of finding money and resources to upgrade critical infrastructure without crippling it. Many institutions see information technology as an afterthought and are slow in upgrading and investing. Governments also do not prioritize software security. This is a sure road to disaster.

As a reminder of what is at stake, ambulances carrying sick children were diverted and heart patients turned away from surgery in Britain by the ransomware attack. Those hospitals may never get their data back. The last big worm like this, Conficker, infected millions of computers in almost 200 countries in 2008. We are much more dependent on software for critical functions today, and there is no guarantee there will be a kill switch next time."

Saturday, May 6, 2017

'Risk' Is A Messy, Ambitious Portrait Of WikiLeaks Founder Julian Assange; NPR, May 5, 2017

John Powers, NPR; 

'Risk' Is A Messy, Ambitious Portrait Of WikiLeaks Founder Julian Assange


"Assange clearly believes that the world's power elite maintains control by doing things the public never gets to see. By leaking documents, he thinks, WikiLeaks is revealing how the world actually works — for instance, how Democratic National Committee big shots actually were conspiring to help Hillary Clinton beat Bernie Sanders.

Yet here's the problem. Just as most of us don't want our government secretly hoarding people's private information, we also don't want the release of sensitive documents to be controlled by a handful of leakers who answer to no one.

In last year's election, WikiLeaks didn't just leak things to damage Clinton — whom Assange considered a personal threat. The leaks failed to redact personal info about Clinton donors, like credit-card numbers, a violation of privacy called out by Snowden himself, though ignored by Poitras.

I don't trust Assange or any other unvetted source — and there will be more — to decide which documents from Russian hackers or NSA leakers get put on the web."

Saturday, April 22, 2017

Ex-CIA operative Valerie Plame talks nuclear, cyber threats at CMU; Pittsburgh Post-Gazette, April 22, 2017

Courtney Linder, Pittsburgh Post-Gazette; Ex-CIA operative Valerie Plame talks nuclear, cyber threats at CMU

"Ms. Plame, who worked to prevent the proliferation of nuclear weapons, referred to the Science and Security Board’s “Doomsday Clock” in her keynote speech at Carnegie Mellon University on Friday, prefacing a panel on inclusivity in STEM — or science, technology, engineering and math — for students and faculty.

In her hour-long discussion of nuclear threats and cybersecurity, Ms. Plame kept the conversation solutions-oriented, rather than dwelling on the high-profile “Plamegate” scandal that ended her espionage career."

Saturday, April 1, 2017

Trump Is President. Now Encrypt Your Email.; New York Times, March 31, 2017

Max Read, New York Times; Trump Is President. Now Encrypt Your Email.

"As lawyers and civil libertarians point out, federal criminal law is so vast and complicated that it is easy to unwittingly violate it, and even innocent conversation can later be used to build a criminal case. Encrypting your communication isn’t a matter of hiding criminal activity; it’s a matter of ensuring innocuous activity can’t be deemed suspicious by a zealous prosecutor or intelligence agent. Telling a friend that a party is really going to “blow up” when you arrive is less funny when it’s being entered into evidence against you."

FBI Arrests Hacker Who Hacked No One; Daily Beast, March 31, 2017

Kevin Poulsen, Daily Beast; FBI Arrests Hacker Who Hacked No One

"Now free on bond, Huddleston, 26, is scheduled to appear in a federal courtroom in Alexandria, Virginia on Friday for arraignment on federal charges of conspiracy and aiding and abetting computer intrusions.

Huddleston, though, isn’t a hacker. He’s the author of a remote administration tool, or RAT, called NanoCore that happens to be popular with hackers. NanoCore has been linked to intrusions in at least 10 countries, including an attack on Middle Eastern energy firms in 2015, and a massive phishing campaign last August in which the perpetrators posed as a major oil and gas company. As Huddleston sees it, he’s a victim himself—hackers have been pirating his program for years and using it to commit crimes. But to the Justice Department, Huddleston is an accomplice to a spree of felonies.

Depending on whose view prevails, Huddleston could face prison time and lose his home, in a case that raises a novel question: when is a programmer criminally responsible for the actions of his users?"

WikiLeaks’ latest release of CIA cyber-tools could blow the cover on agency hacking operations; Washington Post, March 31, 2017

Ellen Nakashima, Washington Post; WikiLeaks’ latest release of CIA cyber-tools could blow the cover on agency hacking operations

"WikiLeaks’ latest disclosure of CIA cyber-tools reveals a technique used by the agency to hide its digital tracks, potentially blowing the cover on current and past hacking operations aimed at gathering intelligence on terrorists and other foreign targets.

The release Friday of the CIA’s “Marble Framework” comes less than a month after the WikiLeaks dumped onto the Internet a trove of files — dubbed “Vault 7” — that described the type of malware and methods the CIA uses to gain access to targets’ phones, computers and other electronic devices...

WikiLeaks, founded by Julian Assange, has sought to position itself as a champion of transparency and defender of privacy rights. It described the Marble Framework as “the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.”"

Wednesday, March 8, 2017

With WikiLeaks Claims of C.I.A. Hacking, How Vulnerable Is Your Smartphone?; New York Times, March 7, 2017

Steve Lohr and Katie Benner, New York Times; 

With WikiLeaks Claims of C.I.A. Hacking, How Vulnerable Is Your Smartphone?


"If the documents are accurate, did the C.I.A. violate commitments made by President Barack Obama?

In 2010, the Obama administration promised to disclose newly discovered vulnerabilities to companies like Apple, Google and Microsoft. But the WikiLeaks documents indicate that the agency found security flaws, kept them secret and then used them for surveillance and intelligence gathering.

Why is it so hard to keep these cyberweapons under wraps?

Unlike nuclear weapons, which can be guarded and protected, cyberweapons are “just computer programs which can be pirated like any other,” WikiLeaks notes. “Since they are entirely comprised of information they can be copied quickly with no marginal cost.”

There is a growing black market dedicated to trading these weapons, and government agencies from around the world will pay well for their discovery."

Monday, March 6, 2017

Ethics And Hacking: What You Need To Know; Forbes, March 6, 2017

Forbes Technology Council, Forbes; 

Ethics And Hacking: What You Need To Know


"The term hacking gets bandied about a great deal in both the industry and in the media. Some stories carry the image of bored tweens, building skills while bragging about tearing up someone else’s hard work. Other stories talk more about offshore groups using server farms to mass phish for information.

The kinds of damage that hackers can cause are as varied as functions of a computer or device: Lost finances, trade secrets, and files swapped or erased are only the tip of what could be done to a person or company. Sometimes, just being one of the few people aware that different companies are talking to each other about business can mean opportunities for the unethical.

So the question gets raised: Can the arts of hacking be used to improve lives on a broader scale, or is it a purely destructive activity? Below, Forbes Technology Council members weigh in on ethics and hacking."

Friday, February 24, 2017

Second Internet of Things National Institute; American Bar Association, Washington, DC, May 10-11, 2017

Second Internet of Things National Institute

"A game-changer has emerged for businesses, policymakers, and lawyers, and it's called the "Internet of Things" (IoT). It's one of the most transformative and fast-paced technology developments in recent years. Billions of vehicles, buildings, process control devices, wearables, medical devices, drones, consumer/business products, mobile phones, tablets, and other "smart" objects are wirelessly connecting to, and communicating with, each other - and raising unprecedented legal and liability issues.

Recognized as a top new law practice area, and with global spending projected to hit $1.7 trillion by 2020, IoT will require businesses, policymakers, and lawyers (M&A, IP, competition, litigation, health law, IT/outsourcing, and privacy/cybersecurity) to identify and address the escalating legal risks of doing business in a connected world. Join us in Washington, D.C., on May 10 - 11, 2017, for our second IoT National Institute, which will feature:
Overviews and demos of the powerful technology driving the legal and liability issues
Practical guidance and the latest insights on the product liability, mass tort, big data, privacy, data security, intellectual property, cloud, and regulatory issues raised by IoT
Dynamic new additions: a mock trial, a tabletop exercise, a corporate counsel roundtable, and niche issue mini-updates.
Two full days of CLE credit (including ethics credit), plus two breakfasts, two lunches (with keynote speakers), and a cocktail reception.
Our distinguished faculty includes prominent legal and technical experts and thought-leaders from companies, government entities, universities, think-tanks, advocacy organizations, and private practice. Organized by the American Bar Association's Section of Science & Technology Law, the IoT National Institute offers an unparalleled learning and networking opportunity. With billions of devices and trillions of dollars in spending, IoT is a rapidly growing market that everyone wants to get in on."

Saturday, February 4, 2017

'This is the new reality': Panelists speak for Pitt cyber security institute; Pittsburgh Post-Gazette, 2/3/17

Chris Potter, Pittsburgh Post-Gazette; 

'This is the new reality': Panelists speak for Pitt cyber security institute:


[Kip Currier: This was a fascinating and informative panel at the University of Pittsburgh on February 2, 2017, discussing cyberhacking, efforts to identify hackers and hacker-sanctioning actors/nation states, and responses to hacking threats and incidents.

Two comments (which I'll paraphrase below, without benefit of a transcript) by panelist and Russian journalist Andrei Soldatov, stood out for me:

1. Vladimir Putin's Russia has deftly understood and exploited the distinction between "cybersecurity" and "information security" (the West, Soldatov contends, has focused more on the former).

2. Under Stalin, technical training in Soviet universities and technical institutes did not include study of ethics and the humanities (largely relegated to those in medical professions).]

"The precise identity and motivations of the hackers who leaked sensitive Democratic emails during last year’s presidential election may never be known. But they left fingerprints that were familiar to Andrei Soldatov, a journalist who has written about Russia’s security state for the past 20 years.

Like much of the propaganda back home, Mr. Soldatov said at a University of Pittsburgh panel discussion Thursday, “It’s not about building the positive narrative, it’s about building the negative narrative. … To say everyone is corrupt and no one can be trusted — people will accept this.”

Mr. Soldatov was one of four panelists convened by Pitt’s fledgling Institute of Cyber Law, Policy, and Security and its new director, former U.S. Attorney David Hickton. The discussion drew a few hundred people to the first public event for the center, which focuses on cybercrime and cybersecurity."

Thursday, January 19, 2017

Russia’s radical new strategy for information warfare; Washington Post, 1/18/17

David Ignatius, Washington Post; Russia’s radical new strategy for information warfare

"Krutskikh’s comments may have been a precursor of a new doctrine for information operations announced publicly by the Kremlin in December. The senior administration official described the Russian strategy: “They think of information space as a domain of warfare. In the U.S, we tend to have a binary view of conflict — we’re at peace or at war. The Russian doctrine is more of a continuum. You can be at different levels of conflict, along a sliding scale.”...

In Russia’s view, America is pushing just as aggressively in the information space, but denies it. “Things we perceive as free speech, they perceive as aggressive behavior from the West,” noted the senior U.S. official."

Sunday, November 20, 2016

Berners-Lee raises spectre of weaponized open data; Naked Security, 11/4/16

Bill Camarda, Naked Security; Berners-Lee raises spectre of weaponized open data:
"Whether data is coming from governments or corporations – and whether it’s formally “open” or simply “widely available” like AP’s Twitter feed – it’s increasingly vulnerable to deliberate falsification.
But, for governments and others who believe in the open data movement, it’s no longer enough to protect privacy when they release data, or even to ensure its quality and consistency – already significant challenges.
From now on, they’ll need to protect it against deliberate sabotage, too."
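The "protect it against deliberate sabotage" point above is the one a practitioner can actually act on: a published data set needs an integrity manifest that lets every consumer detect which records were altered after release. The block below is an added example, not code from the Naked Security article or from any open-data project. The data set, the record layout and the publisher key are constructed for the demo; HMAC-SHA256 stands in for the digital signature a real publisher would use, so that the example runs on the Python standard library alone.

```python
"""Added example (not from the article or the blog): an integrity manifest for a
published open-data set, so consumers can detect deliberate falsification of
individual records. All data and keys below are constructed for the demo."""
import hashlib
import hmac
import json

# Constructed sample data set, one record per entry, as a publisher might release it.
PUBLISHED_RECORDS = [
    {"station": "A1", "date": "2016-11-01", "pm25": 12.4},
    {"station": "A2", "date": "2016-11-01", "pm25": 31.0},
    {"station": "B7", "date": "2016-11-01", "pm25": 8.9},
]

# Assumed: a publisher key distributed out of band. HMAC-SHA256 stands in for a
# real digital signature so the example runs on the standard library.
PUBLISHER_KEY = b"constructed-demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    # Canonical JSON so key order or whitespace differences do not change the hash.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def build_manifest(records: list, key: bytes) -> dict:
    """Publisher side: hash every record, then authenticate the list of hashes."""
    digests = [record_digest(r) for r in records]
    root = hashlib.sha256("".join(digests).encode()).hexdigest()
    tag = hmac.new(key, root.encode(), hashlib.sha256).hexdigest()
    return {"digests": digests, "root": root, "tag": tag}


def verify(records: list, manifest: dict, key: bytes) -> dict:
    """Consumer side: check the manifest is authentic, then locate falsified records.

    Returns {"manifest_ok": bool, "bad_records": [indices]}. If the manifest itself
    fails authentication, or the record count does not match it, every record is
    reported as untrusted rather than guessing which ones changed.
    """
    digests = manifest["digests"]
    root = hashlib.sha256("".join(digests).encode()).hexdigest()
    expected_tag = hmac.new(key, root.encode(), hashlib.sha256).hexdigest()
    manifest_ok = (root == manifest["root"]
                   and hmac.compare_digest(expected_tag, manifest["tag"]))
    if not manifest_ok or len(records) != len(digests):
        return {"manifest_ok": manifest_ok, "bad_records": list(range(len(records)))}
    bad = [i for i, r in enumerate(records) if record_digest(r) != digests[i]]
    return {"manifest_ok": True, "bad_records": bad}


def demo() -> dict:
    manifest = build_manifest(PUBLISHED_RECORDS, PUBLISHER_KEY)
    # Constructed tampering: one station's reading is inflated after publication.
    tampered = [dict(r) for r in PUBLISHED_RECORDS]
    tampered[1]["pm25"] = 310.0
    # Constructed forgery: the attacker also republishes a manifest for the altered
    # data, but without the publisher key the authentication tag cannot be right.
    forged = build_manifest(tampered, b"wrong-key")
    return {
        "clean": verify(PUBLISHED_RECORDS, manifest, PUBLISHER_KEY),
        "tampered": verify(tampered, manifest, PUBLISHER_KEY),
        "forged_manifest": verify(tampered, forged, PUBLISHER_KEY),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The per-record digests are what make the check useful after a partial falsification: the consumer learns that record 1 was altered rather than only that "something changed". The MAC is the caveat. A shared-secret MAC means anyone who can verify can also forge, so for genuinely public data the root hash should carry a public-key signature (Ed25519 or similar) instead, with the public key published through a channel the attacker cannot rewrite alongside the data.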

Tuesday, September 27, 2016

Lessons from zombie warfare can help us beat hackers at their own game; Quartz, 9/26/16

Patrick Lin, Quartz; Lessons from zombie warfare can help us beat hackers at their own game:
"The current lack of respect for the power and vulnerabilities of our computing devices has helped create the debate over hacking back and other security issues. To be fair, the internet wasn’t designed for security when it was created decades ago, but only for a small group of researchers who trusted one another. That circle of trust has long been breached. We now need more vigilant and prepared users to help prevent cyberattacks from landing in the first place, making moot the decision to hack back.
Therefore, to truly address cybersecurity, we may need to seriously consider requiring computer users to have special training and licensing, or at the very least to keep up with basic hygiene requirements. Firearms and automobiles also have a high potential for misuse, so they require proper training and licensing. The US Federal Aviation Administration just required aerial drones to be registered, similarly recognizing that drone operation can be both recreational and dangerous.
Perhaps this solution is too radical to work. A new report on the ethics of hacking back, released today (Sept. 26) by the Ethics + Emerging Sciences Group based at Cal Poly, explores other possibilities. But a radical change of perspective may be what’s needed to solve such a relentless problem, and the right metaphor may be able to inspire that paradigm shift."