Tag Archives: CISA

Not for minors

OK, this is not the most subtle article I have ever written, but at times subtle just doesn’t do the story any justice, it happens. So this is a question to parents “If you have a daughter between 22-32, and she looks like Laura Vandervoort, Olivia Wilde, or Alexina Graham. Can I please fuck the bejesus out of her vagina?” To be honest, I don’t really need to, but it has been a while, so there. 

Are we all awake now? So consider ‘Facebook and Apple are in a fight. Your browsing history is in the middle’ (at https://www.nbcnews.com/tech/tech-news/facebook-apple-are-fight-your-browsing-history-middle-n1251612); apart from all the hackers getting access through Microsoft, we see another stage develop. The headline might not get you on board, so perhaps the by-line will: “Facebook on Thursday ran its second full-page newspaper advertisement in as many days, attacking Apple’s plans to tell iPhone and iPad users when apps are tracking them online”, which implies that Facebook does NOT want you to know that apps are tracking your every move, and Apple does. It seems to me that Apple is at a stage where it puts awareness and security at the centre of your digital life, Facebook not so much. Now, I have no problem with Facebook keeping track of my actions ON FACEBOOK, but does their ‘free’ service imply that they are allowed to do that anywhere I am? I believe that this is not the case, and the money Facebook is getting is starting to feel tight around my digital profile. Their actions had already made it important to delete the Facebook software from my mobile phone (it was draining my battery), but the stage is larger, and that is seen in the NBC News article (and a few others too).

So as the quote “Facebook on Thursday ran its second full-page newspaper advertisement in as many days, attacking Apple’s plans to tell iPhone and iPad users when apps are tracking them online” is given, how many of you are considering the following:

  1. A full page ad in the newspapers is pretty expensive.
  2. Facebook is seemingly untouched that multiple apps are following us.
  3. We are seemingly not allowed to know all the facts!

This is the big one: “attacking Apple’s plans to tell iPhone and iPad users when apps are tracking them online”. So why are we not allowed to know what is being done to us, that we are being followed in a digital way, and why does Facebook not want us to be aware? This is where we see my (not so) subtle hint regarding your daughter and “fuck the bejesus out of her vagina”; how many fathers will be slightly less than enthusiastic? I get it, your little princess (your consenting and adult little princess) needs a knight on a white horse who always brings flowers and chocolates, has honourable intentions and, to set your mind at ease, keeps your daughter a virgin until the day she marries. It is not realistic, but parents are allowed to be overly protective of their princes and princesses. Yet Facebook seemingly does not want you to be in that park; they want you to be unaware of what is going on, and Apple drives it to the surface. So when we see “Apple is planning to roll out a new feature on its devices that will alert people when an app such as Facebook is trying to ‘track your activity across other companies’ apps and websites.’ People will have options such as ‘Ask App not to Track’ or ‘Allow.’”, they did something really clever: if Microsoft (after they resolve all their hacks) does not follow suit, Microsoft stands to lose a massive slice of the consumer pie, and that will not make them happy. I am, for the most part, completely on Apple’s side when we see “Users should know when their data is being collected and shared across other apps and websites — and they should have the choice to allow that or not”. I personally am realistic enough to see that Apple has an additional side to this, not sure what yet, but this is about a lot more than mere advertisements; I am however not too sure about what that is.
When we see “Facebook uses data such as browsing history to show people ads they’re more likely to want to see, and to prove to marketers that its ads are working”, we need to realise that I would have no issue with any link opened within Facebook towards whatever we were going to in any advertisement. For example, if Facebook opens up a browser window within Facebook and tracks the clicker, I would not be completely opposed to it, but Facebook realises that the data it is tracking is a much larger stage, and I feel that this is not merely about “prove to marketers that its ads are working”. I believe that these trackers keep tabs on a lot more: what we do, where we do it and how we do it. I believe that it is a first step in the overly effective phishing attacks we face. Facebook might not be party to that, but I reckon the phishing industry got access to data that is not normally collected, and I personally believe that Facebook is part of that problem. I also believe that this will turn from bad to worse with all the ‘via browser gaming apps’ we are currently being offered. I believe that these dedicated non-console gaming ‘solutions’ will make things worse; it might be about money for players like Epic (Fortnite), but the data collected in this will cater to a much larger and optionally fairly darker player. I just haven’t found any direct evidence proving this; in my defence, I had no way of seeing the weakness that SolarWinds introduced. It does not surprise me, because there is always someone smarter, and any firm that has a revenue and a cost issue will find a cheaper way, opening the door for all the nefarious characters surfing the life of IoT; there was never any doubt in this.

And in this, it was for them NEVER directly about the money. In this, look at the ‘victims’ (source: ZDNET):

  1. The US Treasury Department
  2. The US Department of Commerce’s National Telecommunications and Information Administration (NTIA)
  3. The Department of Health’s National Institutes of Health (NIH)
  4. The Cybersecurity and Infrastructure Agency (CISA)
  5. The Department of Homeland Security (DHS)
  6. The US Department of State
  7. The National Nuclear Security Administration (NNSA) (also disclosed today)
  8. The US Department of Energy (DOE) (also disclosed today)
  9. Three US states (also disclosed today)
  10. City of Austin (also disclosed today)

It was about the information, the stage of a more complete fingerprint of people and administrations. It gives the worry, but it also gives the stage where we can see that Apple has a point and we need to protect ourselves, because players like Microsoft will not (no matter what they claim). In this I name Microsoft, but they are not alone; anyone skating around margins of cost is a potential data leak, and that list is a hell of a lot larger than any of us (including me) thinks it is.

So whilst we look and admire the models, actors and actresses and we imagine whatever we imagine, consider that they are not a realistic path, a desirable one, but not a realistic one, and that is the opening that organised crime needs to claim to give you ‘access’ to what you desire whilst taking your data. It is the oldest game in the book; all wars are based on deception, and you need to wake up. The moment your data is captured and categorised you are no longer considered an interesting party; you are sold and they move on to the next target. So whilst you get trivialised, consider that Apple has a plan, but whatever they plan, it seems you are better off on that side than the one Facebook is planning. When was the last time that you were better off staying in the dark on what happens to your data, on what happens when others keep tabs on you?

And in this consider “Facebook is making a last-ditch effort to persuade Apple to back off or compromise with industry standard-setters. With offline ads in newspapers such as The Washington Post and The Wall Street Journal, the social networking company is trying to rally to its side the millions of small businesses who buy ads on Facebook and Instagram”. So in that quote, where do we see any consideration for the people, for us as the consumers? When we see “millions of small businesses who buy ads on Facebook and Instagram”, where is the consideration that they should have for the customers who walk into their business? When you get into any shop, what do you hear? How can I be of service? Or do you hear: What do you want? I let you consider that whilst you consider the position Facebook needs to have, and consider that non-digital advertisement never kept track of what other newspapers you were reading.

We seemingly forgot that there is a price for the presence of IoT; Apple is making us aware of that. I am not silly enough to think that Apple is holier than thou, but at least they created the awareness, and the greed-driven players are not looking too good today, are they?

1 Comment

Filed under IT, Law, Media, Science

CISA and Privacy are not opposites

There is a view that many hold; this view is not educated. A view which was given to us from the moment we spawned as a living person. Some got this knowledge as they went to their church or temple. They were told about good and evil. When we started to go to school we got to learn about order and chaos. This last one matters, you see, the opposite that order and chaos represent has been used in books, in videogames, in TV shows and in movies. In the Avengers movie ‘Age of Ultron’, near the end of the film we hear a quote from Vision, played by Paul Bettany, that matters: “Humans are odd. They think order and chaos are somehow opposites”.

You might not realise it but the gem that we have here is in the foundations of many issues that have been plaguing us in several ways. Let’s take a look at this in two parts. The first is a Guardian article (at http://www.theguardian.com/world/2015/oct/01/blackphone-release-data-protection-privacy-surveillance) called ‘Blackphone: privacy-obsessed smartphone aims to broaden its appeal’. The very first paragraph is a quote that shows issues on more than one side: “Privacy company Silent Circle has released a second version of its signature handheld, a smartphone designed to quell the data scraping and web tracking that’s become such an integral part of the digital economy in the last few years (and whose results might well end up with the NSA, if the Cybersecurity Information Sharing Act passes)”. Now I have no issue with the data scraping part and for the most the term ‘whose results might well end up with the NSA’ is less of an issue, but the overall taste is about privacy, I have no issue with this. The next quote is an interesting one, which will matter soon enough: “In the beginning, Janke said, the Blackphone project was just a way for people working for his security firm SOC, since sold, to call home without having their communications intercepted”.

You see, there is no issue with the message shown here, but what is linked to all this is the message that is not shown here. You see, this device should now be regarded as the most excellent tool for hedge fund managers, organised crime and all other kinds of non-mentioned criminals, who will now get to do with ease and freedom the things they had to steeplechase around the block for. This device will allow financial advisors to take certain steps that they were too scared to take, all out of fear of getting caught. This device will be opening doors.

There is no issue with the approach Janke had, he was submerged (read: drowning) in a world where any slip up could mean the death of him, his comrades and perhaps even his family. So his need for security was a given. There is a need for such a device. I have written about the need for this device as early as 2009, so the fact that someone picks this up is not a surprise, so why are we looking at this?

You see, it is the mention of CISA that is part of all this. CISA, or better stated the Cybersecurity Information Sharing Act, is sponsored by Republican Senator Richard Burr (North Carolina). Why would anyone oppose ‘the bill makes it easier for companies to share cyber threat information with the government’? Let’s be clear, this is about dealing with Cyber Threats!

So what is a Cyber Threat? A Cyber threat is defined as ‘a malicious attempt to damage or disrupt a computer network or system’, so we have the fact that this is about malicious attempts! So why would there be an issue? Well, there is, because people, and as it seems especially criminals, terrorists and Organised Crime, seem to be allowed a lot more privacy than their victims, so in all this I see little issues pop up all over the place. This sounds all emotional, but what does the official text state? Well, the complete text is at https://www.congress.gov/bill/114th-congress/senate-bill/754, so let’s take a look at some parts.

“Permits state, tribal, or local agencies to use shared indicators (with the consent of the entity sharing the indicators) to prevent, investigate, or prosecute offenses relating to: (1) an imminent threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction; or (2) crimes involving serious violent felonies, fraud and identity theft, espionage and censorship, or trade secrets”. How can we be opposed to this? Is this not the foundation of growing fair play?

Well, that is partially the question. You see, the issue is in part the language. Consider this paraphrase, which remains correct in light of the previous statement: “Permits local agencies to use shared indicators (with the consent of the entity sharing the indicators) to prosecute offenses relating to serious economic harm”. Which is now the floodlight of all this.

Now we get to the second part in all this, which is offenses relating to serious economic harm. Serious economic harm tends to be seen as pure economic loss, but it is not limited to that. For this we can look at the element ‘Loss of production suffered by an enterprise whose electricity supply is interrupted by a contractor excavating a public utility’, which we see in Spartan Steel & Alloys Ltd v Martin & Co (Contractors) Ltd. In here the legislatively famous Lord Denning raised the issue of ‘Duty to mitigate loss’. Yet today, in the world of data and digital media, how can we measure that element? Let me show this through an exaggerated fictive example.

Microsoft raises the issue that it requires an investigation into acts that are causing serious economic harm to Microsoft. Unique software has been released that directly and negatively impacts their trademarked business. CISA could now be in effect to investigate data and data sources, but who minds that store? Who has that knowledge? Now consider that the person investigated would be Markus Persson, because his program ‘Minecraft’ is now stopping all people who are part of the Microsoft Gaming brand from continuing.

So who will make that call? You might think that this is a ludicrous example, but is that so? Microsoft ended up paying more than 2 billion for it, so someone implying ‘Serious Economic Harm’ is not that far-fetched. This now becomes an issue for a timeline. What timeline is in effect here? With an imminent threat of death this is a simple matter; with serious economic harm that matter is far from simple. Moreover, will the claim be valid? I used the ludicrous Minecraft and Microsoft Games brand. Yet what happens when this is a lot more ‘grey’, what happens when this is Raytheon versus the Belgium-based TTN Verhaert? A Technology Transfer Network (TTN) that has innovated the latest classified satellite navigation systems. Is it still a clear call as to what constitutes serious economic harm?

This act opens up a can of intellectual property, the one can everyone wants to swim in and the elected official channels do not even have a fraction of the minimum required insight to make such a call.

Section 9 gives us: “Directs the DNI to report to Congress regarding cybersecurity threats, including cyber-attacks, theft, and data breaches. Requires such report to include: (1) an assessment of current U.S. intelligence sharing and cooperation relationships with other countries regarding cybersecurity threats to the U.S. national security interests, economy, and intellectual property; (2) a list of countries and non-state actors that are primary threats; (3) a description of the U.S. government’s response and prevention capabilities; and (4) an assessment of additional technologies that would enhance U.S. capabilities, including private sector technologies that could be rapidly fielded to assist the intelligence community”.

When we consider both A and B, we should look at ‘U.S. SEC drops Onyx insider trading lawsuit against Dubai men’ (at http://finance.yahoo.com/news/u-sec-drops-onyx-insider-230111643.html) from September 15th. The quote here is “Smith said the Newman decision was ‘helpful,’ but that the SEC ‘never had a tipper’ or evidence that his clients received inside information”; one would think that this is where CISA could now step in. Alas, apart from the side that is implied by the CISA text, ‘assessment of additional technologies that would enhance U.S. capabilities, including private sector technologies that could be rapidly fielded to assist the intelligence community’, which according to Blackphone is not an option, we now see that this opens a door to ‘patsy management’: two unsecured parties could be set up through the use of Blackphone encrypted conversations, and when the two unsecured parties talk, they could be setting each other up thanks to the other two parties that were using a Blackphone. Blackphone here has no blame whatsoever; they would be offering the one part criminals desperately want, a secured phone. This now sets a dangerous precedent, not a legal one, because Blackphone is behaving itself as it should, as the provider of secure communications. It is what people do with it that matters, and that part cannot be guaranteed by the Cybersecurity Information Sharing Act. In addition, S. 754 has one additional flaw. That flaw is seen in the definitions, where we see that the earlier mentioned term ‘serious economic harm’ is not specified in the definitions at all, so what definition applies?

Beyond that, we see the definition of a cybersecurity threat. In here it is important to take a look at part A and part B.

Part A gives us: “IN GENERAL.—Except as provided in subparagraph (B), the term ‘cybersecurity threat’ means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system”, and Part B gives us: “EXCLUSION.—The term ‘cybersecurity threat’ does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement”, which sounds nice, yet how does it help stem cybersecurity threats?

You see, when you consider the letter sent by UCLA to Chairman Dianne Feinstein in June last year, we see: “CISA’s inadequate use limitations risk turning the bill into a backdoor for warrantless use of information the government receives for investigations and prosecutions of crimes unrelated to cybersecurity”, which could be regarded as the biggest failure, but it is not. It is the part we see in “CISA requires that cyber threat indicators shared from the private sector with the Department of Homeland Security (DHS) be immediately disseminated to the Department of Defense, which includes the NSA and U.S. Cyber Command. This new flow of private communications information to NSA is deeply troubling given the past year’s revelations of overbroad NSA surveillance”. It is the ‘be immediately disseminated to the Department of Defense’ that comes into play now. Then consider ‘Overbroad Liability Protection’: a business can now hide behind it by giving that function to an intern, so that “good faith” reliance remains. That is a potential risk that could be pushed by big business to hide behind the ‘dope’ who acts in ‘good faith’.

Is that truly the blackness we face? Well, that is hard to say. The fact that this act relies on ambiguity and is lacking certain rules of restraint, or at least certain safeguards so that data cannot leave the intelligence office, is reason enough to have a few more discussions on this topic. What is interesting is that CISA would create a fear which Blackphone addresses, yet by the same method other players will now receive an option allowing them to play large dangerous games whilst not becoming accountable; that new Blackphone could address several issues the shady commercial interest guy is very happy to exploit.

The question becomes, how does any of this make us any safer?

So now we get back to the Age of Ultron line. As we see that crime is becoming an orderly event, the fact that we tend to hide in chaos the issues that should be open for all is part of the dilemma we now face. Again we are confronted with laws that remain inadequate to deal with the issues that needed to be dealt with. CISA takes in my view a chaotic approach to keep a level of order that was delusional from the very start, from missing definitions to application of methodology. It is a cog not linked to any machine, proclaiming soon to be of use to all machines and in the end, as I see it will only hinder progress on many levels, mainly because it tries to circumvent the accountability of some. And this is not just an American issue. In that regard laws and the protection of the victims have been an issue for a longer time. We only need to look to the Tesco grocery store on the corner to comprehend that part of the equation.


1 Comment

Filed under IT, Law, Military, Politics, Science