
Friday Cyber News, May 26 2017

Cyber technology-related news and links from around the web, for the week of 5/20 - 5/26:

1. NATO published a draft report on IoT security this week, focusing on the military uses of IoT and urging international standards for IoT security and inter-device communication. The EU Agency for Network and Information Security has proposed a similar pan-European security standard for IoT devices. The market will not fix the problem of orphaned, insecure devices, Bruce Schneier notes; if we want refrigerators and cars that last for 10, 15, or 20 years securely, we need policy to make it so. [AFCEA; BitDefender; NY Times] 

2. The Active Cyber Defense Certainty Act has been updated (yes, the proposed legislation is the ACDC; yes, we prefer changing the lyric "back in black" to "hacking back" as the appropriate pun reference) and would exempt companies from hacking laws when the purpose of their actions is to identify the perpetrators of attacks, cut off further attacks, and retrieve or destroy stolen data. Admiral Rogers is skeptical of the act, worrying it would "[put] more gunfighters out there" in the cyber wild west. Representative Graves, who is drafting the act, is wrong that hacking back could have stopped WannaCry(pt), and right to be editing the bill to include notifying law enforcement as a requirement when hacking back. The anti-hacking-back position, though, seems to boil down to "you might wreck an innocent victim's botnet-commandeered server" and "you might hack back wrong" (and, I suppose, cause more problems for other victims or overstep your bounds in accessing the adversary's system), neither of which seems to me to be a conclusive argument that no one should be allowed to stand their cyber ground. In other new legislation, Representative Blackburn has introduced the BROWSER Act, intended to require ISPs to get opt-in consent to use sensitive data, including browsing data, and prohibiting the conditional provision of services on that consent. [The Hill; FT; Inside Privacy]

3. The co-founder of Twitter and Medium says the internet is broken: it rewards "made you look" content, which trains systems to believe that users want to see clickbait (like a news story with the headline "the internet is broken", sorry for the intra-newsletter recursion) and car crashes, and that more of those should be produced at the expense of thoughtful content. He's also sorry for Twitter's role in the election. [NY Times]

4. Facebook may be coming around to the idea that it is not a mirror or a conduit, but a force actively shaping public discourse; its recent attempts to fight hate speech on its platform include hiring groups engaged in counternarrative, to promote good behavior and communication. Google is also acknowledging the ability of its platform to influence real-world behavior, but in a different direction: it is analyzing credit card transactions to link your in-store purchases with ads its platform has shown you online. A longstanding point in the debate over whether the internet has brought the average user more or less privacy is the opaque nature of online transactions; my Amazon purchases are between me and Jeff Bezos, as opposed to in-person shopping that would allow my neighbor the bookseller to know what I'm reading. But if Jeff now knows what I buy online and in person, my net privacy gain is back to zero. [Bloomberg; Washington Post]

5. Labor markets are strained; large portions of the population are un- or under-employed; digitization is leading to automated jobs but only 0.6% productivity growth; as the remaining 4 billion people in the world who are offline are brought into contact with tech, tech policy needs to be designed to productively accommodate them. [McKinsey Global Institute]

6. Estonia wants you to have an entirely online relationship with your government, and its model is being looked at by other countries starting to bring services, like the provision of birth certificates and driver's licenses, online. One straggler is personal bank account issuance, partially due to the more stringent requirements of anti-money-laundering laws. [Politico]

7. Are we worrying too much about North Korea's nukes, and not enough about its cyber weaponry and VX nerve agent? North Korea's Unit 180 and its links to the Lazarus Group, both hacking teams tied to recent malware attacks (the Sony hack is attributed to the latter, and WannaCry(pt) has been blamed on the former), indicate increasing capabilities. [National Interest; Reuters]

8. Bitcoin passed the $2,000 mark this week, leading to a temporary Coinbase outage due to "unprecedented" levels of trading and activity. Bitcoin crossed the $1,000 threshold in February of this year, making its recent rise particularly impressive. Law enforcement, meanwhile, has spent hundreds of thousands (of dollars, not BTC unfortunately) on tools to track cryptocurrency payments. [Techcrunch; Motherboard]

9. Three Nigerian cyber scammers were sentenced to a collective 235 years in prison this week, but expect more faux princes to follow: Boston College researchers have found evidence that Ross Ulbricht's lengthy Silk Road sentence actually boosted online illegal drug sales. Target has reached an $18.5M settlement with multiple states over the exposure of customer information in its 2013 hack, which hopefully will not serve as an encouraging signal to other loosely secured retailers. [Dark Reading; Wired; The Hill]

10. Legal frameworks for hacked vibrators or digital sexual extortion are inconsistent or non-existent, which isn't stopping the tech from being developed or criminals from using lax statutes to their advantage when finding victims. [Engadget]

Special note: Work with the Cyber Initiative! The Stanford Cyber Initiative is seeking candidates for a full-time one-year fixed-term research position to produce original research and writing on policy-relevant issues that arise from the study of computer security, with a particular focus on either labor and the workforce, financial systems and risk, democracy, internet governance, or the tension between individual security and state security. Learn more and apply here:

Thanks for reading,

Stanford Cyber Initiative

(To suggest an item for this list, please email You can view news from past weeks, subscribe, and unsubscribe at