The National Institute of Standards and Technology (“NIST”) has released its report for Machine Learning for Access Control Policy Verification.  It is a very technical document but useful for those interested in machine learning.

A machine learning classification algorithm is particularly efficient for system model verification  because it does not require comprehensive or complex test cases or oracle, which are needed for  traditional model verification methods. Read the rest of this entry »

In Psyche’s Our evolved intuitions about privacy aren’t made for this era the authors posit the theory that our evolved intuitions about privacy are out of sync with the modern era.  That does explain the significant tension and our mutually contradictory revulsion but also embrace of runaway technology which excel in surveilling our purchases, work, finances and much of our life. An intriguing quote is that ‘we have palaeolithic emotions; medieval institutions; and god-like technology’.

It is well Read the rest of this entry »

A confluence of reports highlights the dismal state of security preparedness in Australia in particular and throughout the developed world generally.

It governance calculates that in August there were 84 cyber attacks which results in 60,865,828 records being breached.  Of that number T Mobile suffered a hack which affected 53 million records.

Yesterday the Australian Cyber Security Centre (ACSC) released its Annual threat report for 2020 – 2021 which reports that over 67,500 cyber crime reports were made in the last 12 months. And the ACSC acknowledges that the figure could, and probably is, higher.  Probably Read the rest of this entry »

The High Court in Fairfax Media Publications Pty Ltd v Voller; Nationwide News Pty Limited v Voller; Australian News Channel Pty Ltd v Voller [2021] HCA 27 with a 5:2 majority rejected an appeal by media outlets against a ruling that they were liable for comments to their articles on a Facebook page.

FACTS

The appellants each maintain a public Facebook page on terms of use agreed with Facebook which:

• is used to share content and connect with Facebook users.
• is publicly accessible to users, who are able to view and comment on content posted to that page [5].

The use of the Facebook pages usually involves:

• the posting of a hyperlink to a news story,
•  a headline,
• a comment
• an image.
• readers being invited to:
  • “Like”,
  • “Comment”  which are made by users appear on the page and are available to be seen by all Facebook users who can see the page
  • “Share” the post [6]

 Facebook Page administrator

• could:
  • prevent, or
  • block,

the posting of comments by third parties

• could not block all posts on a public Facebook page  [7].
• could delete comments after they were posted but this would not prevent publication
• could “hide” most comments, through the application of a filter, which would prevent publication to all except the administrator which could then be assessed by an administrator [7]

The trial judge found the appellants were publishers.

DECISION

MAJORITY

KIEFEL CJ, KEANE AND GLEESON JJ

Their Honours, as did all judges in this decision, undertook a very comprehensive review Read the rest of this entry »

The adjective “Orwellian” is both overused and misused.  It is often tagged onto a complaint which does not describe a situation, idea, or societal condition that George Orwell identified as being destructive to the welfare of a free and open society. It is commonly used by someone to label an argument or, often government, proposal which he or she finds disagreeable.  Unfortunately the South Australian Governments use of an app to geo locate and have facial recognition is for those in quarantine is Orwellian. And how this trial became reality demonstrates the dismal state of policy development and exclusion of any input from the community. 

It is relevant to note that South Australia has no Privacy Act.  There is no regulator to deal with privacy breaches, of which this app has the potential for many.  It is a dismal failure of public policy and panic over prudence.  That there has been no outcry from the polity within Australia is a poor reflection on the state of debate here.  The Civil Society’s response has been inconsistent but largely ineffectual.  The New South Wales Council for Civil Liberties has criticised it on the basis that safeguards are not in place (SA facial recognition app trial should not go ahead without safeguards). It is a weak response that accepts that “..it was possible for facial verification to be conducted safely and appropriately, with the right safeguards.”  Really!  There is more than a few well regarded privacy and other experts who wouldn’t even accept that proposition.  It is a weak and unimpressive Read the rest of this entry »

On 17 September 2019 the Sun published a story about the murder suicide of Ben Stokes mother’s ex husband 31 years previously in New Zealand.  The story is no longer available on line.  The murder was of his mother’s two children. This tragic event occurred before Ben Stokes, a prominent English cricketer, was born.  At the time Ben Stokes reacted furiously to the story describing it as disgusting and immoral.  The Guardian ran a detailed piece with Ben Stokes attacks ‘despicable’ Sun story about family tragedy.  The next month Ben Stokes and his mother, Deborah, issued proceeding in the UK Court of Chancery.  The Particulars of Claim was served on 22 January 2020 with the Defence filed on 16 April 2020. 

The nub of the defence was that, first, the story about the murders were covered by the New Zealand media and, secondly, the Sun obtained an on the record interview with the family and had approached Ben Stokes for comment.

At the time, and subsequently, there was a lively debate about whether the report was one of free expression and/or a legitimate story to report versus privacy.  On 18 September 2019 the independent came out in support of the Sun.  At the time the Conversation in Ben Stokes v The Sun: gross intrusion or simple reportage? How media privacy law works highlighted some of the issues, such whether a privacy claim can be brought when the information is in the public domain, and whether a claim can be made by a person when it relates to inter related parties. 

There was no trial on the merits.  The Sun and Stokes settled on favourable terms to Stokes. The Stokes’ solicitors released a statement confirming Read the rest of this entry »

Poly Network a finance platform based in China which specialises in cryptocurrency transfers on the Binance, Ethereum and Polygon blockchain = has lost $600 million worth of crypto currency to a data breach.  The hacker exploited a vulnerability in the _executeCrossChainTx function between contract calls and was able to pass in data to modify the keeper of the EthCrossChainData contrac.  That let the intruder to declare themselves as the owner of any funds processed through the platform. Clever.  It also shows that coding errors can be fatal and part of cyber security should be to take steps to test and review coding.

Using repeated calls to the attacked contract, the hacker was able to exfiltrate funds from the Poly Network and then transfer them Read the rest of this entry »

Zoom has reached a $85 million settlement arising out of a lawsuit, IN RE: ZOOM VIDEO COMMUNICATIONS, INC. PRIVACY LITIGATION (5:20-cv-02155),  which claimed its violated its clients’ privacy rights by sharing personal data with Facebook, Google and Linked In.  The claim also alleged that Zoom’s security practices were unsatisfactory as they let hackers zoom meetings.  That practice has become so notorious that it has a term, zoom bombing. There has been extensive coverage with reports it itnews,  abc, BBC.   The Reuters coverage provides Read the rest of this entry »

Red Canary has released its 122 page 2021 Threat Detection Report.  It is useful in identifying the most prevalent techniques and threats and considers best ways to detect and mitigate specific threats and techniques. It is a highly technical document.

The top techniques are:

• T1059 Command and Scripting Interpreter (24%)
  
• T1218 Signed Binary Process Execution (19%)
  
• T1543 Create and Modify System Process (16%)
  
• T1053 Scheduled Task / Job (16%)
• T1003 OS Credential Dumping (7%)
  
• T1055 Process Injection (7%)
• T1027 Obfuscated Files or Information (6%)
• T1105 Ingress Tool Transfer (5%)
  
• T1569 System Services (4%)
  
• T1036 Masquerading (4%)
  

The report also noted:

• Command-line parameters are by far the most efficacious for detecting
  potentially malicious PowerShell behavior
• attackers use Windows Command Shell One by the use of  cmd to call native commands and redirect the output of those commands to a file on the local admin share.
• to detect adverseries it is necessary to focus on the uncommon patterns of execution and patterns of execution  commonly associated with malice

It is a comprehensive report and worthy of a close read by not only technical operators but those who get involved with cyber security issues.

The Thales report is more a strategic overview Read the rest of this entry »

In today’s Age the National Children’s Commissioner in TikTok: Time’s up to protect children’s privacy highlights the alarming privacy invasive practices of Tik Tok as well as the cumulative data collecting on children through social media and other sources.  While the impetus of the story was on Tik Tok’s focus on children there is not much new to Anne Hollands’ piece.  Social media sites have been in the business of collecting personal information since their inception. Google’s business model is predicated on collecting and aggregating data through alogorithms so as to sell targeted advertising.

Hollands’ concern about Tik Tok and other sites collecting personal information without proper consent is well placed.  The ACCC has similar concerns.  The potential problem is part of her solution, to have provisions in the Privacy Act requiring anyone collecting children’s data to have some form of best interests of children provision relating to the collection and use of that data. The problem with this approach is that it creates additional protections for specific types of data.  The resulting danger is that there will be silos of strong protection amidst weak protection overall.  That is what happens in the United States of America.  There the Children’s Online Privacy Protection Act (“COPPA”).  COPPA sets stringent requirements on websites or services directed at children,  strong health records protections with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and even protections over records of video renting with the Video Privacy Protection Act of 1988.  But many other areas of activity in the USA have weak privacy protections at the Federal level.

The chronic problem is weak privacy protections Read the rest of this entry »