Categories
Links

Metadata in Context – An Ontological and Normative Analysis of the NSA’s Bulk Telephony Metadata Collection Program

Abstract:

In the aftermath of the Snowden revelations, the National Security Agency (NSA) responded to fears about warrantless domestic surveillance programs by emphasizing that it was collecting only the metadata, and not the content, of communications. When justifying its activities, the NSA offered the following rationale: because data involves content and metadata does not, a reasonable expectation of privacy extends only to the former but not the latter. Our paper questions the soundness of this argument. More specifically, we argue that privacy is defined not only by the types of information at hand, but also by the context in which the information is collected. This context has changed dramatically. Defining privacy as contextual integrity we are able, in the first place, to explain why the bulk telephony metadata collection program violated expectations of privacy and, in the second, to evaluate whether the benefits to national security provided by the program can be justified in light of the program’s material costs, on the one hand, and its infringements on civil liberties, on the other hand.

A terrific paper from Paula Kift and Helen Nissenbaum.

How severe will this flu season be?

From the Globe and Mail:

Every year, around February or March, the World Health Organization provides its recommendations on the composition of influenza vaccines for the northern hemisphere for the next flu season, based on its projections of what viruses are likely to be in circulation. But it’s hard to predict just how effective the vaccines will be.

In general, flu vaccines are around 50 per cent effective. But for the 2014-15 season, the vaccine effectiveness against H3N2 was less than 10 per cent. Flu shots are by no means perfect, but they’re still considered the best way of protecting people from getting sick.

The trivalent flu vaccine given this year, which contains three components, is comprised of an H1N1 vaccine component, an H3N2 component, and an influenza B component.

While the H1N1 component in this year’s flu shot has been updated for the coming season, the other two components have remained unchanged from last year’s flu vaccine, Skowronski says. Depending on which is the dominant strain this year, this could spell trouble.

“If it turns out to be a H3N2 season, then that means the vaccine effectiveness is likely to be suboptimal,” she says. That’s because last year, with the identical component, the vaccine effectiveness for H3N2 was around 35 to 40 per cent. And since the viruses are constantly changing and mutating, Skowronski says it’s unlikely the effectiveness of the same vaccine component will be any higher for the coming season. “That’s one of the unfortunate, concerning factors, frankly, from my perspective: that the H3N2 component is unchanged, yet we know the virus is changing.”

Even so, just because this year’s flu shot contains two out of three of the same components as last year’s, don’t think you won’t need to get vaccinated again if you got the shot last year. The updated influenza A component may help protect you in an influenza A outbreak, Warshawsky says. Plus, she adds, “We also know that the duration of protection doesn’t necessarily last well from one year to another. So relying on last year’s vaccine will not necessarily carry over protection to this year.”

The amount of information covered in the Globe and Mail’s article is really, really impressive. I learned a lot about the flu, vaccination, and how different vaccines interact with flu. Highly recommended.

Data breaches, phishing, or malware? Understanding the risks of stolen credentials

New research from Google:

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016–March, 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums. Using this dataset, we explore to what degree the stolen passwords—which originate from thousands of online services—enable an attacker to obtain a victim’s valid email credentials—and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7–25% of exposed passwords match a victim’s Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user’s historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.
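The last step the abstract describes, hardening authentication with a user's historical geolocations and device profiles, is the part a defender can act on. The following is an added example (not code from the paper or from Google): a toy risk-based login check that also looks the submitted password up in a small, constructed breach corpus, so that a correct but exposed password arriving from an unfamiliar device and location is treated as the credential-stuffing case the study measures rather than as a legitimate login. Risk points, thresholds, account data and coordinates are all assumed for illustration.

```python
import hashlib
import hmac
import math
import os
from dataclasses import dataclass

# Constructed stand-in for a breach corpus, stored as SHA-1 hex digests, the
# form in which leaked credential dumps are commonly traded. The paper's own
# corpus held roughly 1.9 billion username/password pairs.
def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

BREACH_CORPUS = {sha1_hex(p) for p in ("hunter2", "password1", "123456")}

def password_is_exposed(password: str) -> bool:
    """True if the submitted password appears in the (constructed) breach corpus."""
    return sha1_hex(password) in BREACH_CORPUS

# The service's own credential store: salted PBKDF2, never the raw password.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    known_devices: set     # device-profile identifiers seen on past successful logins
    known_locations: list  # (lat, lon) of past successful logins

    @classmethod
    def create(cls, password, devices, locations):
        salt = os.urandom(16)
        return cls(salt, hash_password(password, salt), set(devices), list(locations))

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    (lat1, lon1), (lat2, lon2) = a, b
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = phi2 - phi1, math.radians(lon2 - lon1)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

# Risk points per signal and decision thresholds. These numbers are assumed
# for illustration; a production system tunes them against observed hijacks.
NEW_DEVICE, FAR_LOCATION, EXPOSED_PASSWORD = 40, 40, 30
MAX_FAMILIAR_KM = 500.0
CHALLENGE_AT, DENY_AT = 40, 100

def score_login(account, password, device_id, location):
    """Return (decision, risk, reasons) for one login attempt.

    decision is "allow", "challenge" (step-up verification) or "deny".
    """
    # The password check comes first and in constant time; a wrong password is
    # a hard deny regardless of how familiar the device and location look.
    if not hmac.compare_digest(account.password_hash, hash_password(password, account.salt)):
        return ("deny", 100, ["bad_password"])
    risk, reasons = 0, []
    if device_id not in account.known_devices:
        risk += NEW_DEVICE
        reasons.append("new_device")
    if account.known_locations:
        nearest = min(haversine_km(location, k) for k in account.known_locations)
        if nearest > MAX_FAMILIAR_KM:
            risk += FAR_LOCATION
            reasons.append(f"far_from_history:{nearest:.0f}km")
    # A correct password that is also sitting in a public dump is the
    # credential-stuffing case the paper measures: valid, but not trustworthy.
    if password_is_exposed(password):
        risk += EXPOSED_PASSWORD
        reasons.append("password_in_breach_corpus")
    decision = "allow" if risk < CHALLENGE_AT else "challenge" if risk < DENY_AT else "deny"
    return (decision, risk, reasons)

# Constructed accounts and coordinates for the demonstration.
TORONTO, OTTAWA, MOSCOW = (43.65, -79.38), (45.42, -75.70), (55.76, 37.62)
ALICE = Account.create("correct-horse-battery-staple", {"laptop-1"}, [TORONTO])
BOB = Account.create("hunter2", {"phone-7"}, [TORONTO])  # password is in the corpus

if __name__ == "__main__":
    for who, acct, pw, dev, loc in (
        ("alice: known device, nearby", ALICE, "correct-horse-battery-staple", "laptop-1", OTTAWA),
        ("alice: new device, nearby", ALICE, "correct-horse-battery-staple", "phone-9", OTTAWA),
        ("bob: exposed password, known device", BOB, "hunter2", "phone-7", TORONTO),
        ("bob: exposed password, new device, far away", BOB, "hunter2", "browser-3", MOSCOW),
    ):
        print(who, "->", score_login(acct, pw, dev, loc))
```

Run directly, the four constructed attempts are scored in turn. Note that Bob's login from his known phone is still allowed, but the result carries the password_in_breach_corpus reason; that is the signal to force a password reset rather than to block, since the password is valid today and the attacker has not yet used it.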

Intro to Mitigating Contemporary DDoS Attacks

From Cloudflare:

As the capacity of networks like Cloudflare continues to grow, attackers move from attempting DDoS attacks at the network layer to performing DDoS attacks targeted at applications themselves.

For applications to be resilient to DDoS attacks, it is no longer enough to use a large network. A large network must be complemented with tooling that is able to filter malicious Application Layer attack traffic, even when attackers are able to make such attacks look near-legitimate.

The pace of change in how DDoS attacks are being conducted, and efforts to use best and worst security practices alike to threaten Internet-connected resources, are serious and generally underappreciated problems.
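An added example of the kind of application-layer filtering the Cloudflare post is talking about (this is not Cloudflare's code or configuration): a sliding-window filter over constructed Combined Log Format lines that applies a plain per-IP rate limit and, separately, groups requests by exact User-Agent string and path, so that a botnet keeping every individual address under the per-IP limit is still caught in aggregate and sent to a challenge rather than served. The window size, thresholds and sample traffic are all assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined Log Format, including the trailing referrer and user-agent fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "ua": m["ua"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

class L7Filter:
    """Two sliding-window rules over request metadata.

    Rule 1 (per client): more than per_ip_limit requests from one IP inside the
    window is blocked outright, the classic single-source flood.
    Rule 2 (per cluster): requests sharing one exact User-Agent string and path
    are grouped; when the group exceeds cluster_limit requests from at least
    cluster_min_ips distinct IPs, every IP may still be under Rule 1, yet the
    aggregate is not how organic traffic behaves, so it is sent to a challenge
    (a JavaScript or CAPTCHA check) instead of being served.
    """
    def __init__(self, window_s=10, per_ip_limit=20, cluster_limit=60, cluster_min_ips=5):
        self.window_s = window_s
        self.per_ip_limit = per_ip_limit
        self.cluster_limit = cluster_limit
        self.cluster_min_ips = cluster_min_ips
        self.per_ip = defaultdict(deque)    # ip -> deque of timestamps
        self.clusters = defaultdict(deque)  # (ua, path) -> deque of (timestamp, ip)

    def _evict(self, dq, now, ts_of):
        # Drop entries that have aged out of the window.
        while dq and (now - ts_of(dq[0])).total_seconds() > self.window_s:
            dq.popleft()

    def decide(self, req):
        now = req["ts"]
        ip_q = self.per_ip[req["ip"]]
        ip_q.append(now)
        self._evict(ip_q, now, lambda t: t)
        if len(ip_q) > self.per_ip_limit:
            return "block"
        cl_q = self.clusters[(req["ua"], req["path"])]
        cl_q.append((now, req["ip"]))
        self._evict(cl_q, now, lambda e: e[0])
        if len(cl_q) > self.cluster_limit and len({ip for _, ip in cl_q}) >= self.cluster_min_ips:
            return "challenge"
        return "allow"

def evaluate(lines, flt):
    """Run log lines through the filter in order; one decision per parsable line."""
    return [flt.decide(req) for req in map(parse_line, lines) if req is not None]

# Constructed sample traffic (not real logs); addresses are from the RFC 5737
# documentation ranges.
def log_line(ip, second, path, ua):
    return (f'{ip} - - [01/Oct/2017:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')

BROWSERS = ["Mozilla/5.0 (X11; Linux x86_64) Firefox/56.0",
            "Mozilla/5.0 (Macintosh) Safari/604.1",
            "Mozilla/5.0 (Windows NT 10.0) Chrome/61.0"]
# Three ordinary visitors, five requests each, different browsers.
NORMAL = [log_line(f"198.51.100.{i}", s, "/", BROWSERS[i]) for i in range(3) for s in range(5)]
# One address firing 25 requests at /login in five seconds.
FLOOD = [log_line("203.0.113.9", n // 5, "/login", "curl/7.55.1") for n in range(25)]
# Twelve addresses, six requests each, identical UA, all on an expensive search.
BOT_UA = "Mozilla/5.0 (Windows NT 6.1) Chrome/60.0"
DISTRIBUTED = [log_line(f"203.0.113.{i}", s, "/search?q=expensive", BOT_UA)
               for s in range(6) for i in range(10, 22)]

if __name__ == "__main__":
    for name, lines in (("normal", NORMAL), ("flood", FLOOD), ("distributed", DISTRIBUTED)):
        d = evaluate(lines, L7Filter())
        print(name, {k: d.count(k) for k in ("allow", "challenge", "block")})
```

The distributed case is the one the post is pointing at: every address stays well under the per-IP limit, so Rule 1 never fires, and only the shared fingerprint gives the campaign away. The caveat is that Rule 2 as written would also trip on a genuinely popular browser string hitting a popular page; a production system compares each cluster against a learned baseline rather than a fixed limit, which is omitted here to keep the example self-contained.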

Confidentiality in an Era of Patient-Doctor-Cop

From The Canadian Press:

Doctors at Royal Columbian Hospital in New Westminster have complained that local police and RCMP officers are routinely recording conversations without consent between doctors and patients who are considered a suspect in a crime.

“They will be present when we are trying to question the patients and trying to obtain a history of what happened,” said Tony Taylor, an emergency physician who practises at the hospital.

“They have now recently started recording these conversations and often they will do that unannounced, which has a number of implications around confidentiality and consent.”

As far as doctors at Royal Columbian are concerned, the police are getting in the way of patient care.

Patients tend to clam up when police officers are present, Dr. Taylor said. “That makes it difficult to get those kind of history details that are critically important,” he said.

The idea that the police are present, and recording interactions between a doctor and patient, is patently problematic from a procedural fairness perspective. In the past the authorities have lost Charter challenges based on their attempts to exploit Canada’s one-person consent doctrine; I’d be very curious to know the legal basis for their recording persons who may be accused of a crime, in a setting clearly designated as deserving heightened privacy protections, and the extent to which that legal theory holds up under scrutiny.

A Past Life’s Dream Job

Per Wired:

Woods, a 30-year-old with neatly floppy hair, is dressed tonight in a black button-down shirt and jeans. His DM performances—and being a dungeon master is a kind of performance—are often marked by excitable narration and winkingly melodramatic theatrics; at one point during tonight’s game, he gleefully pounds a hand into a fist, mimicking an arrow’s impact on an opponent.

He’s spent nearly three months preparing for this showdown, even hand-building a few model towers out of scrap wood and dowels. It’s one of the most elaborate adventures he’s crafted in his four-year career as a professional DM at schools and homes in Manhattan and Brooklyn. Sometimes, like tonight, the games are run in his apartment, where the bookshelves reach high with graphic novels and board games, and where the walls are decorated with full-color maps from D&D classics like Greyhawk and Isle of Dread.

But while Woods is one of several DMs-for-hire out there, this isn’t his hobby or a side gig; it’s a living, and a pretty good one at that, with Woods charging anywhere from $250 to $350 for a one-off three-hour session (though he works on a sliding scale). For that price, Woods will not only research and plan out your game but also, if you become a regular, answer your occasional random text queries about wizard spells. “He’s worth the money,” says Kevin Papa, a New York City educator (and occasional DM) who’s been part of this Friday-night game for more than a year. “Being a DM requires a lot of brainshare. I don’t know how Timm absorbs it all.”

When I was in high school or my undergrad, I can see this as the type of job that I'd have loved. Though I think that the idea of a campaign's length and narrative being based on sessions clients are willing to pay for would create some challenging conditions for planning long-term stories; it'd definitely lend itself to a serialized type of play, where each session was like a mini-TV episode, as opposed to early sessions functioning as the opening scenes of a feature film.

Covernames Versus Code / Strategy Versus Tactics

From the New York Times:

Mr. Snowden’s cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach. But Mr. Snowden released code words, while the Shadow Brokers have released the actual code; if he shared what might be described as battle plans, they have loosed the weapons themselves. Created at huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.

While the revelation of code facilitates a more immediate kind of repurposing and attack, I think that the Shadow Brokers have tended to reveal tactical information versus the strategic information released by Snowden. Few have done the requisite work to actually pull together the comprehensive narratives that emerge in the Snowden documents and, instead, have focused on specific programs or tools. Those few of us who have comprehensively analyzed his documents, however, now possess insights into the strategic thinking, decision making, and resource allocation of the Five Eyes intelligence agencies. Over the long term, such information is just as valuable as, if not more valuable than, code drops.

USB-C is a Failure

Marco Arment has a scathing and altogether too accurate accounting of the USB-C standard. Anyone who is dealing with the headaches of managing different USB-C cables, hubs, and chargers is all too well aware of the problems associated with the standard, but Marco's post is the best summation of all the problems in a single location.

Apathy is Political

On Sidney Crosby’s visit with the Penguins to the Trump White House:

Apathetic white people who groan when athletes of colour get political, or who suggest as Crosby did that politics and sports do not mix, are in need of a reminder that for most, political activism isn’t a choice or a hobby. People don’t usually consider it fun or interesting to put their jobs on the line to speak out against a bigger power. The marginalized do not go looking for politics. It seeks them out. In this context, it sought them out when the President of the United States openly flirted with a racist ideology that would very much like to destroy them.

Exactly.

Exploited for Advertising

As part of a long-feature for The Guardian:

The techniques these companies use are not always generic: they can be algorithmically tailored to each person. An internal Facebook report leaked this year, for example, revealed that the company can identify when teens feel “insecure”, “worthless” and “need a confidence boost”. Such granular information, Harris adds, is “a perfect model of what buttons you can push in a particular person”.

Tech companies can exploit such vulnerabilities to keep people hooked; manipulating, for example, when people receive “likes” for their posts, ensuring they arrive when an individual is likely to feel vulnerable, or in need of approval, or maybe just bored. And the very same techniques can be sold to the highest bidder. “There’s no ethics,” he says. A company paying Facebook to use its levers of persuasion could be a car business targeting tailored advertisements to different types of users who want a new vehicle. Or it could be a Moscow-based troll farm seeking to turn voters in a swing county in Wisconsin.

Harris believes that tech companies never deliberately set out to make their products addictive. They were responding to the incentives of an advertising economy, experimenting with techniques that might capture people’s attention, even stumbling across highly effective design by accident.

The problems facing many Internet users today are predicated on how companies' services are paid for: by companies doing everything they can to capture and hold your attention regardless of your own interests. If there were alternate models of financing social media companies, such as paying small monthly or yearly fees, imagine how different online communications would be: communities would likely be smaller, yes, but the developers would be motivated to do whatever they could to support the communities instead of the advertisers targeting those communities. Silicon Valley has absorbed many of the best minds for the past decade and a half in order to make advertisements better. Imagine what would be different if all that excitement had been channeled towards less socially destructive outputs.