This new offensive is tentatively slated to begin with the launch of iOS 15—almost certainly in mid-September—with the devices of its US user-base designated as the initial targets. We’re told that other countries will be spared, but not for long.
You might have noticed that I haven’t mentioned which problem it is that Apple is purporting to solve. Why? Because it doesn’t matter.
Having read thousands upon thousands of remarks on this growing scandal, it has become clear to me that many understand it doesn’t matter, but few if any have been willing to actually say it. Speaking candidly, if that’s still allowed, that’s the way it always goes when someone of institutional significance launches a campaign to defend an indefensible intrusion into our private spaces. They make a mad dash to the supposed high ground, from which they speak in low, solemn tones about their moral mission before fervently invoking the dread spectre of the Four Horsemen of the Infopocalypse, warning that only a dubious amulet—or suspicious software update—can save us from the most threatening members of our species. <snip>
Existing internet protocols leak sensitive data that can be used without users’ knowledge — Nym is developing the infrastructure to prevent this data leakage by protecting every packet’s metadata at the network and application layers.
Run Nym Nodes
In the early 90s, Philip Agre reviewed my site, giving it a thumbs up and encouraging my work. This was published on the Educational CyberPlayGround, Inc. http://www.edu-cyberpg.com
#T-Mobile, #Apple, #Blackberry are disgusting surveillance tools
Engadget: T-Mobile confirms data breach affects over 47 million people.
As part of its ongoing data breach investigation, T-Mobile has confirmed the enormity of the stolen information. Roughly 47.8 million current and former or prospective customers have been affected by the cyberattack on its systems, the carrier confirmed on Wednesday. Of that number, about 7.8 million are current T-Mobile postpaid accounts and the rest are prior or potential users who had applied for credit, the company added in a press release. https://www.engadget.com/t-mobile-data-breach-affected-people-103104868.html
Researchers fooled AI into ignoring stop signs using a cheap projector. “A trio of researchers at Purdue today published pre-print research demonstrating a novel adversarial attack against computer vision systems that can make an AI see – or not see – whatever the attacker wants.” https://thenextweb.com/news/researchers-tricked-ai-ignoring-stop-signs-using-cheap-projector
Apple stunned the tech industry on Thursday by announcing that the next version of iOS and macOS will contain a neural network to scan photos for sex abuse. Each photo will get an encrypted ‘safety voucher’ saying whether or not it’s suspect, and if more than about ten suspect photos are backed up to iCloud, then a clever cryptographic scheme will unlock the keys used to encrypt them. Apple staff or contractors can then look at the suspect photos and report them.
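The “clever cryptographic scheme” in the summary above is a threshold: individual vouchers reveal nothing, but once enough of them are present the decryption key can be reconstructed. The block below is an added illustration, not Apple’s code and not its actual protocol (which is not reproduced here); it uses textbook Shamir secret sharing over a prime field, with the field size, the key value, and the `threshold_unlocks` model function all being assumptions chosen for the demonstration.

```python
import secrets

# Field modulus: the Mersenne prime 2^127 - 1 (constructed choice for this example).
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a0 + a1*x + a2*x^2 + ... at x, modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, num_shares):
    """Split an integer secret (< P) into num_shares points on a random
    degree-(threshold-1) polynomial whose constant term is the secret."""
    if not 0 < threshold <= num_shares:
        raise ValueError("need 0 < threshold <= num_shares")
    if not 0 <= secret < P:
        raise ValueError("secret must lie in the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. With at least `threshold` distinct points
    this returns the secret; with fewer, the result is an unrelated field element."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def threshold_unlocks(key, threshold, suspect_count, total_photos=50):
    """Hypothetical model of the voucher idea: each photo carries one share of `key`,
    and only the shares attached to flagged photos are ever opened. The holder
    learns the key if and only if at least `threshold` flagged shares are present."""
    shares = split_secret(key, threshold, total_photos)
    received = shares[:suspect_count]  # the flagged subset (constructed)
    return recover_secret(received) == key


if __name__ == "__main__":
    demo_key = secrets.randbelow(P)
    for n in (0, 5, 9, 10, 11):
        print(f"{n:2d} flagged photos, threshold 10 -> key recovered: "
              f"{threshold_unlocks(demo_key, 10, n)}")
```

The design point the example makes visible is that the threshold is enforced by mathematics, not by policy: nine shares are as useless as zero, because nine points underdetermine a degree-nine polynomial. What the example does not show, and what the op-ed further down criticises, is anything about how a photo comes to be “flagged” in the first place.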
Apple is now scanning your phone before anything gets to their server. It does not matter if you put it in iCloud; they also do this without internet using meshnet.
iPhone Neural Hash – SHOCKING AI Tech
We built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous
Our research project <https://www.usenix.org/conference/usenixsecurity21/presentation/kulshrestha> began two years ago, as an experimental system to identify CSAM in end-to-end-encrypted online services. As security researchers, we know the value of end-to-end encryption, which protects data from third-party access. But we’re also horrified that CSAM is proliferating on encrypted platforms. And we worry online services are reluctant to use encryption without additional tools to combat CSAM.
We sought to explore a possible middle ground, where online services could identify harmful content while otherwise preserving end-to-end encryption. The concept was straightforward: If someone shared material that matched a database of known harmful content, the service would be alerted. If a person shared innocent content, the service would learn nothing. People couldn’t read the database or learn whether content matched, since that information could reveal law enforcement methods and help criminals evade detection.
Our system could be easily repurposed for surveillance and censorship. The design wasn’t restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser.
We spotted other shortcomings. The content-matching process could have false positives, and malicious users could game the system to subject innocent users to scrutiny.
We were so disturbed that we took a step we hadn’t seen before in computer science literature: We warned against our own system design, urging further research on how to mitigate the serious downsides. We’d planned to discuss paths forward at an academic conference this month.
“It’s something we believe is too dangerous to do,” Apple explained <https://www.apple.com/customer-letter/answers/>. “The only way to guarantee that such a powerful tool isn’t abused … is to never create it.” That worry is just as applicable to Apple’s new system.
Apple has also dodged on the problems of false positives and malicious gaming, sharing few details about how its content matching works.
Apple could implement stronger technical protections, providing public proof that its content-matching database originated with child-safety groups. We’ve already designed a protocol <https://twitter.com/jonathanmayer/status/1426540534517182464> it could deploy. Our conclusion, though, is that many downside risks probably don’t have technical solutions.
Apple is making a bet that it can limit its system to certain content in certain countries, despite immense government pressures. We hope it succeeds in both protecting children and affirming incentives for broader adoption of encryption. But make no mistake that Apple is gambling with security, privacy and free speech worldwide.
Apple settled its federal lawsuit Tuesday against Corellium, the maker of tools that allow security researchers to find software flaws in iPhones, according to court records.
BlackBerry resisted announcing major flaw in software powering cars, hospital equipment
The former smartphone maker turned software firm resisted announcing a major vulnerability until after federal officials stepped in.
By BETSY WOODRUFF SWAN and ERIC GELLER
08/17/2021 02:42 PM EDT
A flaw in software made by BlackBerry has left two hundred million cars, along with critical hospital and factory equipment, vulnerable to hackers — and the company opted to keep it secret for months.
On Tuesday, BlackBerry announced that old but still widely used versions of one of its flagship products, an operating system called QNX, contain a vulnerability that could let hackers cripple devices that use it. But other companies affected by the same flaw, dubbed BadAlloc, went public with that news in May.
Two people familiar with discussions between BlackBerry and federal cybersecurity officials, including one government employee, say the company initially denied that BadAlloc impacted its products at all and later resisted making a public announcement, even though it couldn’t identify all of the customers using the software.
The back-and-forth between BlackBerry and the government highlights a major difficulty in fending off cyberattacks on increasingly internet-connected devices ranging from robotic vacuum cleaners to wastewater-plant management systems. When companies such as BlackBerry sell their software to equipment manufacturers, they rarely provide detailed records of the code that goes into the software — leaving hardware makers, their customers and the government in the dark about where the biggest risks lie.
BlackBerry may be best known for making old-school smartphones beloved for their manual keyboards, but in recent years it has become a major supplier of software for industrial equipment, including QNX, which powers everything from factory machinery and medical devices to rail equipment and components on the International Space Station. BadAlloc could give hackers a backdoor into many of these devices, allowing bad actors to commandeer them or disrupt their operations.
Microsoft security researchers announced in April that they’d discovered the vulnerability and found it in a number of companies’ operating systems and software. In May, many of those companies worked with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to publicly reveal the flaws and urge users to patch their devices.
BlackBerry wasn’t among them.
Privately, BlackBerry representatives told CISA earlier this year that they didn’t believe BadAlloc had impacted their products, even though CISA had concluded that it did, according to the two people, both of whom spoke anonymously because they were not authorized to discuss the matter publicly. Over the last few months, CISA pushed BlackBerry to accept the bad news, eventually getting them to acknowledge the vulnerability existed.
Then BlackBerry said it didn’t intend to go public to deal with the problem. The company told CISA it planned to reach out privately to its direct customers and warn them about the QNX issue.
Technology companies sometimes prefer private vulnerability disclosures because doing so doesn’t tip off hackers that patching is underway — but also because it limits (or at least delays) any resulting public backlash and financial losses.
But that outreach would only cover a fraction of the affected companies, because BlackBerry also told CISA that it couldn’t identify everyone using its software in order to warn them.
That’s because BlackBerry licenses QNX to “original equipment manufacturers,” which in turn use it to build products and devices for their customers, just as Microsoft sells its Windows operating system to HP, Dell and other computer makers. BlackBerry told the government it doesn’t know where its software ends up, and the people using it don’t know where it came from. Its known customers are a comparatively small group.
“Their initial thought was that they were going to do a private advisory,” said a CISA employee. Over time, though, BlackBerry “realized that there was more benefit to being public.”
The agency produced a PowerPoint presentation, which POLITICO reviewed, stressing that many BlackBerry customers wouldn’t know about the danger unless the federal government or the original equipment manufacturers told them. CISA even cited potential risks to national security and noted that the Defense Department had been involved in finding an acceptable timing for BlackBerry’s announcement.
CISA argued that BlackBerry’s planned approach would leave out many users who could be in real danger. A few weeks ago, BlackBerry agreed to issue a public announcement. On Tuesday, the company published an alert about the vulnerability and urged customers to upgrade their devices to the latest QNX version. CISA issued its own alert as well.
In a statement to POLITICO, BlackBerry did not deny that it initially resisted a public announcement. The company said it maintains “lists of our customers and have actively communicated to those customers regarding this issue.”
“Software patching communications occur directly to our customers,” the company said. “However, we will make adjustments to this process in order to best serve our customers.”
QNX “is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly-sensitive systems,” Eric Goldstein, the head of CISA’s cyber division, said. “While we are not aware of any active exploitation, we encourage users of QNX to review the advisory BlackBerry put out today and implement mitigation measures, including patching systems as quickly as possible.”
Goldstein declined to address CISA’s conversations with BlackBerry but said the agency “works regularly with companies and researchers to disclose vulnerabilities in a timely and responsible manner so that users can take steps to protect their systems.”
Asked about whether the company originally believed QNX was unaffected, BlackBerry said its initial investigation into affected software “identified several versions that were affected, but that list of impacted software was incomplete.”
BlackBerry is hardly the first company to disclose a bug in widely used industrial software, and cybersecurity experts say such flaws are to be expected occasionally in highly complex systems. But resolving the QNX problem will be a major task for BlackBerry and the government.
In a June announcement about QNX’s integration into 195 million vehicles, BlackBerry called the operating system “key to the future of the automotive industry” because it provides “a safe, reliable, and secure foundation” for autonomous vehicles. BlackBerry bragged that QNX was the embedded software of choice of 23 of the top 25 electric vehicle makers.
The QNX vulnerability also has the Biden administration scrambling to prevent major fallout. Vulnerabilities in this code could have significant ripple effects across industries — from automotive to health care — that rely heavily on the software. In some cases, upgrading this software will require taking affected devices offline, which could jeopardize business operations.
“By compromising one critical system, [hackers] can potentially hit thousands of actors down that line globally,” said William Loomis, an assistant director at the Atlantic Council’s Cyber Statecraft Initiative. “This is a really clear example of a good return on investment for those actors, which is what makes these attacks so valuable for them.”
After analyzing the industries where QNX was most prevalent, CISA worked with those industries’ regulators to understand the “major players” and warn them to patch the vulnerability, the agency employee said.
Goldstein confirmed that CISA “coordinated with federal agencies overseeing the highest risk sectors to understand the significance of this vulnerability and the importance of remediating it.”
CISA also planned to brief foreign governments about the risks, according to the PowerPoint presentation.
BlackBerry is far from unique in knowing little about what happens to its products after it sells them to its customers, but for industrial software like QNX, that supply-chain blindness can create national security risks.
“Software supply chain security is one of America’s greatest vulnerabilities,” said Andy Keiser, a former top House Intelligence Committee staffer. “As one of the most connected societies on the planet, we remain one of the most vulnerable.”
But rather than expecting vendors to identify all of their customers, security experts say, companies should publish lists of the types of the code included in their software, so customers can check to see if they’re using code that has been found to be vulnerable.
“BlackBerry cannot possibly fully understand the impact of a vulnerability in all cases,” said David Wheeler, a George Mason University computer science professor and director of open source supply chain security at the Linux Foundation, the group that supports the development of the Linux operating system. “We need to focus on helping people understand the software components within their systems, and help them update in a more timely way.”
For years, the Commerce Department’s National Telecommunications and Information Administration has been convening industry representatives to develop the foundation for this kind of digital ingredient list, known as a “software bill of materials.” In July, NTIA published guidance on the minimum elements needed for an SBOM, following a directive from President Joe Biden’s cybersecurity executive order.
Armed with an SBOM, a car maker or medical device manufacturer that learned of a software issue such as the QNX breach could quickly check to see if any of its products were affected.
SBOMs wouldn’t prevent hackers from discovering and exploiting vulnerabilities, and the lists alone cannot tell companies whether a particular flaw actually poses a risk to their particular systems. But these ingredient labels can dramatically speed up the process of patching flaws, especially for companies that have no idea what software undergirds their products.
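The check described above, a device maker matching a vendor advisory against its own ingredient list, as an added example that is not the page’s or any vendor’s code. The SBOM document, the component names and versions, and the advisory (with a placeholder identifier rather than a real CVE) are all constructed for the demonstration; the field layout loosely follows a CycloneDX-style component list but is simplified.

```python
import json

# Constructed SBOM for a hypothetical product; simplified CycloneDX-like layout.
SBOM_JSON = """
{
  "metadata": {"component": {"name": "example-head-unit", "version": "4.2.0"}},
  "components": [
    {"name": "example-rtos", "version": "6.5.0",  "supplier": "ExampleVendor"},
    {"name": "example-tls",  "version": "1.1.1k", "supplier": "ExampleCrypto"},
    {"name": "example-zlib", "version": "1.2.11", "supplier": "ExampleCompress"}
  ]
}
"""

# Constructed advisory: versions of one component strictly below a fixed version.
ADVISORY = {
    "id": "ADV-PLACEHOLDER-0001",   # placeholder, not a real advisory id
    "component": "example-rtos",
    "affected_below": "7.0.0",
    "fixed_in": "7.0.0",
}


def parse_version(v):
    """'1.2.11' -> ((1,''),(2,''),(11,'')); a letter suffix such as '1k' sorts
    after the bare number, so 1.1.1k > 1.1.1."""
    parts = []
    for seg in v.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        parts.append((int(digits) if digits else 0, seg[len(digits):]))
    return tuple(parts)


def version_lt(a, b):
    """True if version a is strictly lower than b; shorter versions are zero-padded."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += ((0, ""),) * (n - len(pa))
    pb += ((0, ""),) * (n - len(pb))
    return pa < pb


def affected_components(sbom_json, advisory):
    """Return the SBOM components that fall inside the advisory's affected range.
    This is a triage list: presence in the SBOM says the code is shipped, not that
    the flaw is reachable or exploitable in this product."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name") != advisory["component"]:
            continue
        if version_lt(comp["version"], advisory["affected_below"]):
            hits.append({
                "product": sbom["metadata"]["component"]["name"],
                "component": comp["name"],
                "version": comp["version"],
                "advisory": advisory["id"],
                "fixed_in": advisory["fixed_in"],
            })
    return hits


def with_component_version(sbom_json, name, version):
    """Produce a copy of the SBOM with one component bumped, e.g. after patching."""
    sbom = json.loads(sbom_json)
    for comp in sbom.get("components", []):
        if comp.get("name") == name:
            comp["version"] = version
    return json.dumps(sbom)


if __name__ == "__main__":
    for hit in affected_components(SBOM_JSON, ADVISORY):
        print("AFFECTED:", hit)
    patched = with_component_version(SBOM_JSON, "example-rtos", "7.1.0")
    print("after upgrade:", affected_components(patched, ADVISORY))
```

The same lookup works without the upstream vendor knowing who its customers are, which is the gap the article describes: the device maker holds the SBOM, so the advisory only has to name the component and the version range.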
“Buying software is only the start of the transaction. It is not the end,” said Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative.
“It’s not a new problem,” Herr added. “It’s not a problem that’s going away, and what we are doing right now is insufficient for the scale of that problem.”
Q: This question comes up a lot. How do you respond when a company asks for your previous salary or expected salary when you don’t want to give out a number?
A: @blenster Tell them they don’t need to compete with the company that’s losing you; they need to compete with the other companies trying to gain you.
BROADBAND – FIBER
5/16/2021 This morning, California Governor @GavinNewsom unveiled an audacious budget whose crown jewel is a plan to pump $7B into medium-haul fiber links that will link every community in the state, no matter how remote or rural. The plan uses state money to bring fiber to the town limits, then creates a pool of low-cost, long-term loans – repayable over 30-40 years – that local governments tap to build their local fiber grids, according to their local needs, under local management and ownership.
Stagg Newman of the FCC Broadband discussion with the Educational CyberPlayground.
I hope you’re proud of yourselves.” BROADBAND GCHQ’s BEYOND https://edu-cyberpg.com/Internet/Broadband.html
K12 E-rate Education SuperHighway enables high-speed Internet in every classroom. EducationSuperHighway.com AFFORDABLE BROADBAND https://edu-cyberpg.com/Teachers/E-rate.html
Universal Telephone Service: telco tricks do not provide telephone or broadband…
This is a critical utility.” Moving to wireless broadband “ https://edu-cyberpg.com/Teachers/telephone.html
THE HISTORY OF THE INTERNET: AND THERE IS ALWAYS MUCH MORE CURATED CONTENT THAT HAS BEEN ADDED OVER THE PAST 28 YEARS!
PRIVACY
WhatsApp will gradually stop you calling or messaging contacts if you don’t agree to its new privacy policy. DUMP WhatsApp immediately if you haven’t done this already.
There is Nothing Private about Switzerland
Swiss spy chief exits after reports of row over CIA-linked firm
Switzerland’s spy chief will leave his post, the government said on Wednesday, after a newspaper reported he had fallen out with the defence minister over his handling of a scandal involving a cryptography firm linked to the CIA.
For decades, the Swiss company sold encryption devices while being secretly owned by the U.S. Central Intelligence Agency and Germany’s intelligence service, which could freely read what it encrypted. But new details emerged in early 2020 when Swiss authorities said they were investigating reports that the CIA and the German BND spy service had used Crypto’s encryption technology to crack other nations’ top-secret messages, stirring an outcry in officially neutral Switzerland.
SECURITY
President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks. Biden signs executive order designed to strengthen federal digital defenses Explains
Colonial Pipeline paid $5 million in ransom to get its systems back online. The company paid the hefty ransom in untraceable cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities.
Remember: HIPPA is a health privacy pretend law that exists on Twitter only.
It protects any information about health, like if a business asks your vaccination status. Or if a politician steered fast COVID tests to supporters/family.
“HIPAA” on the other hand is the actual US law that applies to doctors, health insurance, pharmacies (and other covered entities) restricting who and how they can share or use certain information like your medical record, conversations with a doctor, billing information.
Summary – fake law, HIPPA.
In US “health information” is not protected, unless actually covered by HIPAA.
Caveat: New California law gives an opt-out right for sale (and some inconsistent secondary uses), and VA law has an opt-in, for broad health information. (scope yet unclear)
Sure “HIPPA” is fake but there are literally tens of thousands of government documents that reference “HIPPA” but not “HIPAA” – the confusion around “covered entities” & it being written to encourage electronic transfers notwithstanding, a unique problem! https://twitter.com/thezedwards/status/1393977689594241025
Insurer AXA hit by ransomware after dropping support for ransom payments
Branches of insurance giant AXA based in Thailand, Malaysia, Hong Kong, and the Philippines have been struck by a ransomware cyber attack.
As seen by BleepingComputer yesterday, the Avaddon ransomware group claimed on their leak site that they had stolen 3 TB of sensitive data from AXA’s Asian operations.
Additionally, BleepingComputer observed an ongoing Distributed Denial of Service (DDoS) against AXA’s global websites making them inaccessible for some time yesterday.
The compromised data obtained by Avaddon, according to the group, includes customer medical reports (exposing their sexual health diagnosis), copies of ID cards, bank account statements, claim forms, payment records, contracts, and more.
The announcement from the group comes roughly a week after AXA stated that they would be dropping reimbursement for ransomware extortion payments when underwriting cyber-insurance policies in France.
If you think bitcoin uses a lot of energy, wait until you hear that “always-on” devices in America, like the TV you’re not watching right now, use 12x more.
K12 students’ privacy rights across the nation need your help. Wish you would direct someone to take on the K12 Department of Education.
THERE ARE NO CHIEF PRIVACY OFFICERS IN K-12 EDUCATION
The big biz of spying on little kids
Google’s Apps for Education contracts with schools suffer from gaping student privacy protection loopholes. School Administrators signed a contract that does NOT protect their students from data collection for the ultimate purposes of monetization as Google represents.
Who is senior-level official who is responsible for the organization’s privacy policies and data governance in your school district?
Teachers and School Districts MUST follow the law and protect children’s privacy!!!
Statewide Longitudinal Data Systems, or SLDS.
https://nces.ed.gov/programs/slds/
That marked the entrance of big data into education, enabled by the leaps forward in the ability to store and process information on remote servers “in the cloud.”
Imagine being the school administrator when you realize that one of your student’s parents is in charge of privacy at the NSA and isn’t happy with your video recording policies for remote learning.
Rebecca “Becky” Richards joined the National Security Agency as its first Director of Civil Liberties and Privacy in February 2014. Her primary job is to provide expert advice to the Director and oversee NSA’s civil liberties and privacy activities. She is also responsible for developing measures to further strengthen NSA’s privacy and civil liberties protection.
There had been a short discussion of recording classes followed by an even shorter discussion of the fact that the school is in a two-party consent state. So I didn’t think much more of the discussion until this consent to record showed up quietly the Friday of Labor Day weekend, taunting me, poking at me, gnawing at me and eventually just outright leading me to the outrage that someone thought it was a good idea to write a legally compliant consent that had a threat at the end.
So, I decided to apply my day job as the civil liberties and privacy officer at the U.S. National Security Agency to my parenting job. Though not something I had expected, it seemed to me this was an important teachable moment for the school and kids about how to make thoughtful choices for privacy, civil liberties and teaching.
There may be times, particularly with older children or adults, during which recording the sessions makes sense, but when we are working with K-8 the needs are necessarily different. So I started a conversation with my school and refused to sign the consent.
I expressed concerns that the consent was very broad and protective of the institution but had no protections in place for the children. There were no stated controls on who would use the recordings or why they were being done beyond operational uses and instances when a child was having a one-on-one conversation with a teacher and no parent was available.
Classes were not recorded when they were in person, so why should they be now? Just because you can, does not mean you should. If there was a benefit to this, why didn’t we do it earlier during in-person classes?
What are the benefits of recording a class? Are they available for students and parents at a later date, if the material wasn’t understood, more review was needed or a child was out of class? Perhaps they are available for administration to review to improve teaching and/or provide feedback on the teaching or accountability for one-on-one meetings between the child and the teacher.
What are the risks of recording a class? Children may be less willing to participate, children become acclimated to always being recorded (or surveilled), a misstep in class is now caught on camera and available for all to see rather than it being a one-time misstep. Without proper access controls, those not normally in the class could access the sessions and take teaching and interactions out of context. These are “windows” into families’ private lives, into our homes, and potentially capturing others collaterally having nothing to do with the school. If it was just the teacher and audio of the students, that would be less intrusive but still concerning.
And alas, I always have to ask, “Is it muted?” Which is concerning, given I’m asking an 11-year-old if it is OK to talk in my own house. What precedent are we setting for our children for acceptable behavior?
While cellphones, cameras and recordings seem to be pervasive, they are not the full solution to concerns with what is happening in a school, class or society. They are one piece of the puzzle, and we need to treat them as such.
I appreciate that perhaps there wasn’t time to think through how these videos will be used, but it is incumbent upon the school to have this all thought through before starting the recordings. So I decided to provide them input on how they could use this policy as an opportunity to build trust through civil liberties and privacy protections and be more transparent.
Here are some of the examples of improved civil liberties and privacy protections I offered, which you may find helpful if you are finding that your kids’ classes are being recorded:
Videos are available for a shorter time (say one week) so that children in the class can review them in case they missed the class.
Only families who have children in the class can view the videos rather than the entire school.
If there is a one-on-one meeting with a child, perhaps this is recorded and then, upon review by the family, is deleted rather than being kept for long periods of time.
No recordings should be done for religious activities.
Clearly written notices describing the practices that will be taking place.
The school has been listening since I approached them and were very quick to respond that their intention wasn’t to record everything or surveil the students, but none of that was in the policy — it only protected the school and told parents that we couldn’t use the recordings for any purposes at all.
After a lengthy discussion with the school, they agreed to issue a policy that teachers will only record themselves, no student interactions; one-on-one interactions without a parent will be recorded and retained for seven days, and the parent will be asked to review to ensure there is no concerning behavior; no religious activities will be recorded; any recordings of parent meetings will start with a notification that the event is being recorded, and individuals should turn off their cameras if they do not wish to be recorded. This creates good civil liberties and privacy protections and transparency about the policy for all.
As we concluded the call, our head of school noted she appreciated the conversation and the outcome, but this was not anything covered in her training to be a teacher or school administrator.
It seems like it is time to start adding these to the curriculum for everyone.
Rebecca Richards is the director of civil liberties and privacy at the U.S. National Security Agency.
U.S. National Security Agency Director, Civil Liberties, Privacy, and Transparency Office