These are the noteworthy stories, in no particular order, that piqued my interest this week.
- The Guardian view on digital giants: they farm us for the data
- Euro MPs back end-to-end encryption for all citizens
- ‘Serious concern’ over exemption of public bodies from data protection fines
- Corporate Surveillance in Everyday Life
- Personal details of nearly 200 million US citizens exposed
- Web Hosting Company Pays $1 Million to Ransomware Hackers to Get Files Back
- Parliament hit by ‘sustained’ cyber-attack
- Cyber attacks: EU ready to respond with a range of measures, including sanctions
- No, really. You can see through walls using drones and Wi-Fi
The Guardian view on digital giants: they farm us for the data
This is precisely the problem and very correctly puts the picture out there of the destruction of our society as we knew it or think we did.
So much also for the openness of the Internet as a medium, because that’s the next pillar to fall surely.
One of those tech giants very recently admitted, however, that using its platform is bad for your mental health. Hooray! The cure proposed is more of the same social virus, according to themselves. I call that delusional.
source: The Guardian (external link)
Euro MPs back end-to-end encryption for all citizens
End2End encryption is certainly a good thing. However, the communication channel will never be fully encrypted, as some data, notably the addresses of the sender and certainly of the intended recipient, will have to be kept in the clear to actually deliver the messages to the correct address.
Think of it like a letter you put in an envelope: you can close and seal the envelope so that the contents are not readable from the outside. However, you can’t hide the address you are sending it to, and possibly your own address on the back so the postal service knows where to return it in case delivery is impossible.
Interestingly, another article on the same topic on SC magazine (external link) specifically mentions metadata. The addresses I just described are a form of metadata. The number of messages exchanged, the time they were exchanged etc. is also considered metadata and is extremely useful for traffic analysis. All that information will not be encrypted, at least not on the servers of the digital provider that needs to route the messages and traffic to the correct address.
Another point in this article is that it also mentions end2end encryption for electronic mail, something I would certainly welcome but which would not be trivial to implement.
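To make the envelope analogy concrete, here is an added example (not code from the article or from any messaging provider) of what an end-to-end encrypted message looks like from the routing server's side: the body is sealed with a key only the two endpoints hold, while the sender, recipient and timestamp stay readable, and from those fields alone the provider can tabulate who talks to whom, when and how much. The key, the users and the messages are constructed for the demo, and the SHA-256 keystream stands in for a real authenticated cipher.

```python
import os
import hashlib
from collections import Counter

# Constructed demo key shared only by the two endpoints; the provider never holds it.
ENDPOINT_KEY = b"constructed-demo-key-not-for-real-use"

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative SHA-256 counter-mode keystream; stands in for a real AEAD such as AES-GCM."""
    out = b""
    for counter in range(-(-length // 32)):  # ceil(length / 32) blocks
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]

def seal(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """XOR with the keystream; the same call both seals and opens a body."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def make_envelope(sender: str, recipient: str, sent_at: str, body: str, key: bytes) -> dict:
    """Only the body is sealed; the routing fields stay in the clear so the server can deliver it."""
    nonce = os.urandom(12)
    return {"from": sender, "to": recipient, "sent_at": sent_at,
            "nonce": nonce.hex(), "body": seal(body.encode(), key, nonce).hex()}

def open_envelope(envelope: dict, key: bytes) -> str:
    """What an endpoint holding the key recovers from the sealed body."""
    return seal(bytes.fromhex(envelope["body"]), key, bytes.fromhex(envelope["nonce"])).decode()

def provider_view(envelopes: list) -> dict:
    """What the routing provider can tabulate without any key: who, with whom, when, how much."""
    pairs = Counter((e["from"], e["to"]) for e in envelopes)
    hours = Counter(e["sent_at"][:13] for e in envelopes)  # "YYYY-MM-DDTHH" bucket
    sizes = Counter()
    for e in envelopes:
        sizes[(e["from"], e["to"])] += len(e["body"]) // 2  # ciphertext length in bytes
    return {"messages_per_pair": dict(pairs), "messages_per_hour": dict(hours),
            "bytes_per_pair": dict(sizes)}

# Constructed sample traffic between three users, as the provider's mail store would hold it.
SAMPLE = [
    make_envelope("alice@example.org", "bob@example.org", "2017-06-26T09:05:00Z", "Meet at 10?", ENDPOINT_KEY),
    make_envelope("bob@example.org", "alice@example.org", "2017-06-26T09:07:00Z", "Yes, room 4.", ENDPOINT_KEY),
    make_envelope("alice@example.org", "bob@example.org", "2017-06-26T09:08:00Z", "Bring the draft contract.", ENDPOINT_KEY),
    make_envelope("carol@example.org", "bob@example.org", "2017-06-26T14:30:00Z", "Lunch tomorrow?", ENDPOINT_KEY),
]

if __name__ == "__main__":
    print(provider_view(SAMPLE))                   # metadata: no key needed
    print(open_envelope(SAMPLE[0], ENDPOINT_KEY))  # content: key needed
```

Note that even the body length leaks: the provider learns that the third message is about twice the size of the first without reading either.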
source: BBC News (external link)
‘Serious concern’ over exemption of public bodies from data protection fines
There is one very good reason why government bodies are exempt from these punitive fines: the government is writing the law and is exempting itself in the process.
And no, that’s not a good idea, as specifically those government bodies hold more data on citizens than your average company. As there is also no choice available to go to another, competing organisation, they hold quite significant leverage over the data subjects as well.
This is precisely the reason why consent mechanisms will probably not work in these instances and misuse needs to be checked and fined. The only caveat here is that, ironically, the data subjects will be hit twice: misuse of their data first, then paying for the fines via income or other taxation mechanisms.
That does not mean that government bodies should be exempt though. You only have to look at several incidents of the Dutch tax authorities to know they should be kept under constant surveillance for misuse of personal data because otherwise they will certainly take the opportunity to misbehave.
source: The Irish Times (external link)
Corporate Surveillance in Everyday Life
If you have been following my posts for some time you probably know I am well aware of most or maybe all of these practices. However, when reading this article even I was shocked by the massive extent of the data selling and profiling economy portrayed in this report.
Even more than before I believe that the GDPR, especially article 22 on the prohibition of automatic profiling, can have a massive impact on the world’s economy. But if and only if the data protection agencies in Europe work together and launch a massive enforcement scheme on this specific requirement.
Only then can we get our privacy back the way we want to have it as a fundamental human right.
source: Cracked Labs (external link)
Personal details of nearly 200 million US citizens exposed
Interesting note: “our systems were not hacked”. Well, no: if you have no access control set, then no hack or breach is required to access data that is publicly available and only secured by obscurity, aka those who know the location can access it.
Just to put this data breach in perspective: 138 million people voted in the US presidential elections last year, 143 million records were compromised in the Equifax breach earlier this year, 200 million in this data leak, and America counts about 324 million citizens. This is just to give you an idea of the scale of data that was publicly available.
The way the Republican party obtained most of this data correlates nicely with the previous article, as most data was bought from data brokers.
source: BBC News (external link)
Web Hosting Company Pays $1 Million to Ransomware Hackers to Get Files Back
So old versions of the operating system kernel, Apache webserver, PHP and probably more. On top of that I suspect no backup and recovery strategy, less than optimal security settings and maybe even weak passwords?
Your classic case of putting servers in, sell the service and forget about it. Until it goes all tits-up like in this case.
This btw is also why it is so important to know what the security posture is of the data processors your company uses. Yes, even your hosting provider can easily be a data processor for your company if your website processes personal data in e.g. a webshop, newsletter or other client-facing service.
This is precisely why up-to-date knowledge of both data protection and information security gives you the best overall service.
source: The Hacker News (external link)
Parliament hit by ‘sustained’ cyber-attack
So what can we learn from this incident: the UK parliament is not using VPN access for remote workers, all remote access apparently is username plus password only, and because they wanted to protect their network they killed remote access as a safeguard.
Secondly, we can also determine that there are apparently password strength guidelines in place, but it seems they are not technically enforced. See BBC News (external link).
All I can say here is that there is definitely room for improvement.
source: BBC News (external link)
Cyber attacks: EU ready to respond with a range of measures, including sanctions
Yep, you are under attack and then the EU diplomats are going to do what? Talk? Okay, I am not a fan of hacking back or other such retaliation measures, but this may be a bit too soft as well.
Besides, the framework required for this still needs to be designed. Hello! We are in 2017! Hacking networks is not new, you know.
In all fairness it is positive that there will be, if all can agree, an EU-wide policy and maybe even a similar approach to this. But it is all a bit on the late side and, knowing the usual timeframes for EU decision making, I suspect that Brexit will come before this framework is even half completed.
source: Consilium (external link)
No, really. You can see through walls using drones and Wi-Fi
Interesting article and a bit of light reading to round off this edition as well. Bricks may help in this case; if the wall were reinforced concrete, the trouble would have been all the metal in the wall deflecting the Wi-Fi signals (and yes, that’s also the problem you may face in your own home with wireless network coverage).
Let’s see what this research may bring. And let’s hope that e.g. the Amazon delivery drones will not be kitted out with this technology when it becomes available either.
source: The Register (external link)