The Northwest Immigrant Rights Project is helping here in Washington State. If interested you can donate here:
https://nwirp.org
We can fight. And fight we will.
=> More informations about this toot | View the thread
Heads up, InfoSec friends in the US - HIPAA
It is hard to believe that the HIPAA rule was passed almost 30 years ago. And, to me, it is surprising that the folks at HHS/OCR are just now getting around to correcting one fundamental mistake in the security rules. If you follow this regulatory area, you know that some of the security rules are mandatory and some of them are “addressable”. What does addressable mean? It means you should do it, but you don’t have to. In the security world we know what that means. If you don’t have to do it, you probably won’t. And that’s exactly what happened – health care data breaches have just increased over time. Recently we saw the massive Change Healthcare breach with about 100 million (!) records lost.
HHS/OCR is now planning on an update to HIPAA security rules related to encryption and some other areas. This Notice of Proposed Rulemaking (NPRM) just arrived in my inbox this week:
https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
It takes time for this to work through the bureaucratic process, but given the history of losses of Protected Health Information (PHI and ePHI), I think this will eventually become the rule. Notice that the distinction between “mandatory” and “addressable” is going away. Also notice the focus on encryption of data at rest.
Most health organizations (Covered Entities and Business Associates in HIPAA lingo) have done work to encrypt laptops but that is not where the juicy stuff resides. It’s in those big medical application databases. So, this will be a big change.
If you provide IT and/or security expertise to an organization covered by HIPAA, I suggest the following initial steps:
- Map the healthcare data flows. You will need this to implement an encryption strategy, and it will be required under the proposed rules.
- Start talking to your software vendors. Companies like Epic and Cerner (from Oracle) will address this through software updates and you will need to know their proposed schedules. In my experience it is the smaller software vendors who will need prodding. Make a list and give them a call.
- Assess the impact on your hardware environment. Encryption may require upgrades to handle increased demand on CPUs.
- Encryption key management with a proper KMS is probably the biggest challenge to an encryption strategy. Understand best practices in this area and be sure your vendors line up. Getting this right at the beginning will save a lot of headaches later.
- Start talking to management right now. This will be a significant change and they should get prepared.
Yes, I know – encryption is not a perfect solution. No security solution that we deploy is perfect. But it can substantially reduce the loss of unprotected healthcare data.
I will try to post more about this as the proposed rule-making proceeds.
#HIPAA #InfoSec #Security #IT #MSP #MSSP
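To make the key-management point above concrete, here is an added example (my own illustration, not the author's code and not any vendor's product): envelope encryption of ePHI rows in Go. A small in-memory Kms type stands in for a real key management service; it issues versioned key-encryption keys (KEKs), never hands one out, and only wraps or unwraps per-row data-encryption keys (DEKs). The Record shape, the use of the patient ID as authenticated associated data, and the sample row are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes panics on RNG failure: nothing safe can be done without entropy.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-256-GCM; every key here is 32 bytes, so an error is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal prefixes a fresh random nonce to the ciphertext; aad is authenticated only.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Kms stands in for a real key management service: it holds every KEK version it
// has issued (index i is version i+1) and never hands one out; callers may only
// wrap or unwrap a DEK. Call Rotate once before first use.
type Kms struct{ keks [][]byte }

// Rotate issues a new KEK; older versions stay usable until every row is re-wrapped.
func (k *Kms) Rotate() uint32 {
	k.keks = append(k.keks, randBytes(32))
	return uint32(len(k.keks))
}
func (k *Kms) Wrap(dek []byte) (uint32, []byte) {
	ver := uint32(len(k.keks))
	return ver, seal(k.keks[ver-1], dek, []byte("dek-wrap"))
}
func (k *Kms) Unwrap(ver uint32, wrapped []byte) ([]byte, error) {
	if ver == 0 || int(ver) > len(k.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", ver)
	}
	return open(k.keks[ver-1], wrapped, []byte("dek-wrap"))
}

// Record is one stored ePHI row: ciphertext plus the wrapped per-row DEK and the
// KEK version that wrapped it. None of it is usable without the KMS.
type Record struct {
	PatientID  string
	KekVersion uint32
	WrappedDek []byte
	Ciphertext []byte
}

// EncryptRecord uses a fresh DEK per row and binds the patient ID as AAD, so a
// ciphertext copied onto another patient's row fails to decrypt.
func EncryptRecord(k *Kms, patientID string, phi []byte) Record {
	dek := randBytes(32)
	ver, wrapped := k.Wrap(dek)
	return Record{PatientID: patientID, KekVersion: ver, WrappedDek: wrapped, Ciphertext: seal(dek, phi, []byte(patientID))}
}
func DecryptRecord(k *Kms, r Record) ([]byte, error) {
	dek, err := k.Unwrap(r.KekVersion, r.WrappedDek)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(r.PatientID))
}

// RewrapRecord moves a row to the current KEK. Only the wrapped DEK changes; the
// ciphertext is untouched, so rotation costs one small AEAD call per row.
func RewrapRecord(k *Kms, r Record) (Record, error) {
	dek, err := k.Unwrap(r.KekVersion, r.WrappedDek)
	if err != nil {
		return Record{}, err
	}
	r.KekVersion, r.WrappedDek = k.Wrap(dek)
	return r, nil
}

func main() {
	kms := &Kms{}
	kms.Rotate()
	rec := EncryptRecord(kms, "MRN-0001", []byte("dx: hypertension")) // constructed sample row
	kms.Rotate()
	rec, _ = RewrapRecord(kms, rec)
	pt, err := DecryptRecord(kms, rec)
	fmt.Printf("KEK v%d plaintext=%q err=%v\n", rec.KekVersion, pt, err)
}
```

In production the in-memory Kms is replaced by an HSM-backed service, but the shape of the design is what matters for the vendor conversations: the application database stores only ciphertext and wrapped DEKs, the application never holds a KEK, rotating a KEK re-wraps keys rather than re-encrypting tables, and a ciphertext moved to another patient's row is rejected by the AEAD check rather than silently decrypted.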
For some unknown reason, snowberries always make me happy in the winter. This is from the riparian forest area at Billy Frank Jr. Nisqually National Wildlife Refuge.
We InfoSec and IT folks need to get our shit together. There are going to be a lot of people targeted for oppression. Immigrants, LGBTQ+, POC, women needing reproductive care, NeuroDiverse, and many many others.
They are going to need help with privacy and securing their devices. Small organizations are going to need help with IT infrastructure. Getting backups done the right way will be important. I think it is going to be a big job. Are we ready for this?
I imagine small, locally organized IT and InfoSec volunteers who can respond quickly. Is there a model for organizing like this?
Let's get Signal and VPN installed and configured correctly, and donate to Signal. Let's make a donation to our Mastodon instances (infosec.exchange is my favorite). Let's start making playbooks.
We are NOT helpless. We must do what we can with the talents we have. We did not ask for this fight, but here we are. We must rise to the occasion.
I would love to hear what others think.
#IT #InfoSec #Security #Trump #ItsOurFight
Yoel Roth talk on moderation and federation
I just watched a recording of Yoel Roth's (@yoyoel) talk at the University of Washington that he gave a couple of weeks ago. I highly recommend it for anyone interested in the challenges of social media moderation and especially the challenges for decentralized social media like Mastodon. It is about 50 minutes long and is on YouTube at this link:
https://www.youtube.com/watch?v=en-klmjQ6vc
I liked the fact that he is excited about Mastodon and other decentralized frameworks, and sees their emergence as an indication of a potential technological inflection point. He does not minimize the many challenges that they face and does a good job of outlining them.
If you are involved in social media technology in any way, this is a good place to start on the issues we face.
I was sorry that I could not attend in person. The UW is just up the road and is a beautiful campus.
#SocialMedia #Moderation #Mastodon
I am always amazed at the work of Molly White (https://hachyderm.io/@molly0xfff). A critical expert in the areas of cryptocurrency and Web3 technologies, a technologist with a moral compass, a journalist, and an all around guiding light for our time. And there's humor! I think you would enjoy and benefit from a paid subscription. I have. You can find her here:
Mastodon: @molly0xfff
Web:
https://www.citationneeded.news/
Nuclear power
This is personal for me. I remember the Three Mile Island meltdown. I was not in that location, but I remember how close it came to a major disaster that would have impacted a wide area. Before that meltdown I remember listening to nuclear energy "experts" exclaiming how safe and clean nuclear energy is.
Then Chernobyl happened. We were living in southern Germany downwind of that disaster. Our daughter was 11 months old and vulnerable. Unless you've lived this you cannot imagine what it is like to fear invisible radioactive fallout and the danger to your family. You keep your family inside, off the grass, out of the parks, away from pets, and you can't get information about the danger. We were lucky and were able to return to the US shortly after. But you never forget the experience.
And then Fukushima.
You get the idea. I don't want to hear any BS about how safe nuclear power is.
Or any BS about how clean it is. Uranium mining is not environmentally safe or clean and there is no clean way to dispose of nuclear waste.
I know there is a climate catastrophe in progress right now. I just don't believe we should be activating nuclear power stations to power AI or anything else.
#AI #Nuclear #Radioactive #Climate #Microsoft
AI and company liability
I rarely read Axios articles about AI but a recent one caught my eye. All of us in the InfoSec space know how hard it is to get our customers and management to commit resources to security. And it is rare to find understanding about legal liability around security, cloud and technology in general.
So this Axios article about AI and company liability is interesting:
https://www.axios.com/2024/09/16/companies-liability-ai-nyu-law-journal
The article points to this rather good piece by the NYU Journal of Legislation and Public Policy on areas of legal concern:
https://www.equalai.org/assets/docs/Vogel_et_al_Sep_13_2024.pdf
You can bet the AI companies are limiting their legal liability around use of their software. All while they pile AI into all of their products. So I think companies are exposed. I doubt that we will hear much in the near term about lawsuits against company users of AI, but I think this will happen. Knowledge and preparation are needed. And I would be very careful about opting into AI applications unless you really need AI and you really know the risks.
Disclaimer: I am not a lawyer.
#AI #Legal #Law #Technology
Broadcom acquisition of VMware disaster
I feel bad for small businesses and non-profits who are suffering from the huge price increases in VMware products and support after the Broadcom acquisition. So many of our SMB customers use the VMware suite of products. There is really no other platform that is easily available for migration.
We partnered with VMware before the acquisition and they were just a great team to work with. I guess all of that is pretty much gone.
Of all the risks that organizations plan for, this type of disruption is rarely on the radar. And no one plans for the financial costs.
Show some love to your favorite FOSS solution.
#VMware #SMB #Virtualization #Broadcom #FOSS
Ants are just incredible. These large ants have created their own super highway through the moss that covers the volcanic detritus. Photo taken on the Hummocks Trail, Mt. St. Helens, Washington State.
#ants #pnw
I just received my copy of Autocracy Inc by Anne Applebaum. I am just beginning my read but I can already tell this is an outstanding work. Already finding it illuminating on what motivates autocrats and the connections between them. Just a great read and I recommend it.
I'm not sure if Anne Applebaum is on Mastodon, but her substack is here:
https://anneapplebaum.substack.com/
#Autocracy #Applebaum #Books
Just in case you don't think you need to pay attention to EU regulations (GDPR, DMA, etc.) Meta is facing a huge fine. You don't want this to happen to your spiffy tech company. Fines can be up to 10 percent of your total global annual revenue. And can be much higher on repeated violations. Get this right from the beginning. This is not a FAFO opportunity.
https://www.voanews.com/a/meta-risks-fines-over-pay-for-privacy-model-breaking-eu-rules/7679003.html
#EU #GDPR #DMA #Regulations
Wow, HHS/OCR steps up to protect reproductive health care information. If you are a hospital or health care provider you don't mess with HIPAA. Nice work HHS!
"The HIPAA Privacy Rule to Support Reproductive Health Care Privacy
Final Rule is Effective Today
On April 26, 2024, the Biden-Harris Administration, through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a Final Rule, entitled the HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The Final Rule strengthens the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by prohibiting the use and disclosure of protected health information (PHI) in certain circumstances. The Final Rule includes the following changes:
“OCR encourages HIPAA covered entities and business associates to begin implementing the new Privacy Rule requirements today,” said OCR Director Melanie Fontes Rainer. “Patients deserve to have these privacy protections in place as soon as possible.”
The effective date of the Final Rule is June 25, 2024. This is the date that HIPAA covered entities and their business associates may begin implementing the new requirements. Covered entities and business associates are not required to comply with the new requirements until December 23, 2024, except for the new changes to the HIPAA Notice of Privacy Practices, which has a compliance date of February 16, 2026.
The Final Rule may be viewed here.
https://www.federalregister.gov/documents/2024/04/26/2024-08503/hipaa-privacy-rule-to-support-reproductive-health-care-privacy
The Fact Sheet may be viewed here (corrected link).
https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html
If you believe that your (or someone else’s) health information privacy rights or other Privacy, Security, or Breach Notification rules have been violated, you may file a complaint with the HHS Office for Civil Rights at: https://www.hhs.gov/hipaa/filing-a-complaint/index.html."
#HIPAA #HealthCare #ReproductiveRights #HHS #OCR
GDPR and the Right To Be Forgotten (RTBF) and other Rights
A bit of a longer read.
I recently had the opportunity to engage a bit here on Mastodon on the question of data privacy and the EU General Data Protection Regulation (GDPR). I’ve had a chance to think about this a bit more and am providing the following thoughts. This is not a complete analysis of data privacy under GDPR, but I hope it will be helpful for organizations or agencies who fall under this regulation. I appreciate those who commented previously (references below).
First, some disclaimers:
- I am not a lawyer. I recommend you talk to one if you are developing software that handles private information or are simply storing or sharing private information.
- I have read the entire GDPR and recitals, but I am not current on recent legal refinements.
- I have also read other data compliance regulations such as CCPA and at one point I read all of the data privacy regulations of all 50 US states.
- Why did I do this? My company was subject to GDPR and a number of other privacy regulations and we were selling a data security solution. Our customers had a reasonable expectation that we would help them meet compliance regulations.
- We developed internal policies and procedures to comply with GDPR.
- We honored all GDPR requests related to RTBF.
- We consciously designed systems that supported and enabled GDPR compliance.
- We invested in and partnered with a blockchain start up and designed and developed for IPFS.
Some definitions might be helpful. GDPR refers to individuals (individual people like you and me) as Data Subjects. The rights granted are granted to individual users and consumers. Organizations that collect private information about Data Subjects are Data Controllers. When we stored information in our CRM we were a Data Controller as defined by GDPR. It takes a bit of reading to get used to these definitions, but they are fairly straightforward.
Context is important when understanding a regulation like GDPR.
I benefited from my time living in and starting a business in Europe (West Germany, in the 1980s). This part of the world had experienced unspeakable horrors during WWII and was living very close to the repression that existed just across the border in eastern Europe. Repressive regimes abuse confidential information and weaponize secrecy in order to exert control over others. My colleagues from Germany, Italy, France, the UK and Poland understood this in a fundamental, human way. I see GDPR as a natural expression of their desire to protect their nations, their communities, their families and themselves. This is why I deeply respect the EU's right to promulgate these privacy regulations.
Under GDPR the individual becomes the ultimate owner of their private information. There is no implied ability of a Data Controller to override that right (with some exceptions, see below), or to assume that any rights granted to a Data Controller by an individual are permanent and immutable. An individual can give a Data Controller permission to store their private information, and, importantly, an individual can revoke that permission. This is a fundamental difference with how we in the US tend to think of privacy. It is very important to fully grasp this concept if you are planning to do business in the EU.
The Right To Be Forgotten (sometimes called the Right To Deletion) gives the individual the right to ask for their data to be removed from a Data Controller’s system and for that to occur in a timely fashion. But it is only one right defined under GDPR. There are others:
- Right to opt in or out of data sharing.
- Right to change data sharing permissions.
- Right to know with whom data has been shared.
- Right to correct data.
- Right to assume data is pseudonymized, usually with encryption.
- Right to be informed in a timely way of any data breach.
This is not a complete list of the rights and responsibilities conferred under GDPR, but these are probably the most well-known, and probably where many organizations fail to implement proper controls.
Of course, there are exceptions to data privacy rights under GDPR. Some of them are:
- Legal requirements to retain data (tax history, etc.).
- Some freedom of information requirements.
- Some public knowledge aspects.
- General public health and safety.
Please note that GDPR does not provide an exception to the rules because your technology prevents you from meeting RTBF deletion requests (looking at you, blockchain and IPFS). There is no programming around these requirements and clever developers do not get a magical pass to ignore them.
It is also important to understand that RTBF is still being refined. This is a bubbling pot of legal activity. In my opinion the direction seems to be in favor of protecting Data Subjects' privacy rights and enforcing RTBF.
GDPR applies to the EU countries and to anyone doing business in the EU. There are lots of other privacy regulations that are similar to GDPR. In the US, there is the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act of 2020 (CPRA). The UK, Australia, New Zealand and many other countries also have privacy regulations that are similar in intent. Once you start absorbing the requirements of these regulations you start to think of private information in a new way.
Ok, now for some recommendations:
If you are a software developer creating that killer app and the next big Unicorn, build in GDPR support right from the beginning. We know how difficult it is to “bolt on” security after the fact. It is equally hard to re-engineer applications to meet GDPR. So, get it right from the beginning and avoid some angst as you approach an IPO or a global rollout.
If you are a business and have dreams of scaling your business beyond your local community, think about how you collect, store and share information about individual consumers. It is almost certain you are going to run into some flavor of GDPR at some point and you will want to be prepared. If you are not covered by GDPR, CCPA or other privacy regulations now, you may soon be.
If you are using social media platforms as a part of your marketing strategy (who isn't?) be sure you understand how your social media provider meets GDPR. Sharing sensitive data with social media and big data brokers can be a GDPR nightmare. Make sure your social media partner has processes in place to meet GDPR data deletion requests.
It was previously mentioned here that developer tools like git and Gitlab would likely not come under GDPR controls. I think the point was that tools like git and Gitlab are not typically used to collect information on individuals, and I think that is correct. It is not that GDPR exempts developer tools from its compliance scheme (it doesn’t), it is just that it is rare to use developer tools to store a lot of personal information. One caution: be careful about test data that you might store as a part of automated testing routines. Don’t store test data with information about real people! Anonymize or tokenize the data before adding it to git.
What about Web3 technologies?
Web3 technologies like blockchain and IPFS can make it extremely difficult (nearly impossible) to meet GDPR requirements for RTBF. If your application ingests data to blockchains and/or IPFS, or provides a public gateway to allow this type of data ingestion, I would recommend implementing application logic to prevent sensitive personal data from being added. I’ve built blockchain and IPFS applications and there is no effective delete function. If you have to store sensitive data, I would recommend against using these technologies.
Lastly, remember that you will probably need proper legal advice (that is not me!) related to GDPR and other compliance regulations. Governance and compliance are proper components of a business plan and software design process.
Here are some resources that may be helpful:
EU General Data Protection Regulation (lots of resources here):
https://gdpr.eu/
https://gdpr.eu/right-to-be-forgotten/?cn-reloaded=1
EU General Data Protection Regulation recitals:
https://gdpr-info.eu/recitals/
California Consumer Privacy Act:
https://oag.ca.gov/privacy/ccpa
The newer California Privacy Rights Act (If you enjoy reading legislation – I do!). Not the official site and be aware that CPRA is still undergoing implementation discussion:
https://thecpra.org/
UK Data Protection Law. Good resources here:
https://ico.org.uk/
Acknowledgements and appreciation:
Demi Marie Obenour (@alwayscurious)
Gabriel Svelto (@gabrielesvelto)
Andi McClure (@mcc)
And many others!
#GDPR #CCPA #CPRA #Compliance #Security #BlockChain #IPFS #Software #SoftwareDevelopment #Programming
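As an added example for the caution above about test data in git (this is my illustration, not the author's code): keyed pseudonymization of CRM rows before they are written to a fixture, plus a pre-commit style check that refuses any fixture still carrying a real e-mail address. The Customer shape, the field set, the sample rows and the key are all constructed for the example; the key would come from a secret store and must itself never be committed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Customer is one CRM row. The field set is assumed for this example.
type Customer struct {
	ID, Name, Email, Phone, Country, Notes string
}

// pseudonym derives a stable, non-reversible token for one field value. A keyed
// HMAC is used rather than a plain hash: an unkeyed SHA-256 of an e-mail address
// falls to a dictionary attack in seconds. The field name is mixed in so the same
// string in two columns does not yield the same token. Input is case-folded so
// "Bob@Example.com" and "bob@example.com" stay linked.
func pseudonym(key []byte, field, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(field + "\x00" + strings.ToLower(strings.TrimSpace(value))))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// Pseudonymize replaces direct identifiers with tokens, drops free text (it cannot
// be reliably scrubbed) and the phone number, and keeps low-risk attributes. The
// same key gives the same tokens, so foreign keys across fixtures still join.
func Pseudonymize(key []byte, c Customer) Customer {
	t := pseudonym(key, "email", c.Email)
	return Customer{
		ID:      pseudonym(key, "id", c.ID),
		Name:    "user-" + t[:8],
		Email:   t + "@example.invalid", // .invalid is reserved: never deliverable
		Phone:   "",
		Country: c.Country,
		Notes:   "",
	}
}

func PseudonymizeAll(key []byte, rows []Customer) []Customer {
	out := make([]Customer, len(rows))
	for i, c := range rows {
		out[i] = Pseudonymize(key, c)
	}
	return out
}

// ToCSV serialises rows the way a fixture would be written to disk.
func ToCSV(rows []Customer) string {
	var b strings.Builder
	b.WriteString("id,name,email,phone,country,notes\n")
	for _, c := range rows {
		fmt.Fprintf(&b, "%s,%s,%s,%s,%s,%s\n", c.ID, c.Name, c.Email, c.Phone, c.Country, c.Notes)
	}
	return b.String()
}

var emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)

// RealEmails is the pre-commit gate: every address outside the reserved
// example.invalid domain is reported, and a non-empty result fails the commit.
func RealEmails(fixture string) []string {
	var found []string
	for _, m := range emailRe.FindAllString(fixture, -1) {
		if !strings.HasSuffix(strings.ToLower(m), "@example.invalid") {
			found = append(found, m)
		}
	}
	return found
}

// sampleRows are constructed; any resemblance to real people is accidental.
var sampleRows = []Customer{
	{"1001", "Ada Example", "ada@example.com", "+1-555-0100", "DE", "Called about invoice 77"},
	{"1002", "Bob Sample", "Bob@Example.com", "+1-555-0101", "FR", ""},
	{"1003", "Cy Tester", "cy@example.org", "+1-555-0102", "DE", "Prefers e-mail"},
}

func main() {
	key := []byte("example-key-kept-out-of-git") // in practice: from a secret store, never committed
	clean := ToCSV(PseudonymizeAll(key, sampleRows))
	fmt.Print(clean)
	fmt.Println("raw e-mails in original:", len(RealEmails(ToCSV(sampleRows))), "in fixture:", len(RealEmails(clean)))
}
```

Two design choices matter here. The tokens are keyed, so the fixture alone cannot be linked back to a person, and the key lives outside the repository. Free-text fields are dropped rather than scrubbed, because notes fields are where names, phone numbers and health details leak past any regex. The e-mail check is deliberately simple; it is a backstop for the fixture file, not a substitute for never exporting real rows in the first place.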
Privacy and Crime and Molly White
As long as I've been working in the encryption privacy space (argh, over 25 years) there has always been a tension between cryptography for legitimate privacy needs and cryptography to hide crime. The problem is: the same cryptography is used for both.
My first foray into cryptographic security started with a phone conversation with Phil Zimmermann, the creator of Pretty Good Privacy (PGP) encryption. At the time he was under a legal cloud because the US government classified encryption as a munition (really). And there were export controls related to munitions. That cloud lifted not too long after, but it goes to show a bit about the tension.
Ever since that time a number of nation-state actors have been trying to undermine the core parts of the security model of encryption to serve law enforcement and national security interests.
Molly White (@molly0xfff) has a pretty good, nuanced piece on a recent incident that falls in this area. You can read it here:
https://www.citationneeded.news/tornado-cash/
Personally I don't think there is a way to weaken cryptography used by criminals without putting us non-criminals in a lot of danger. Also, my conversations with law enforcement convince me that encryption is not the barrier that many think it might be.
Anyway, hope you enjoy Molly's article. Besides being an awesome techno nerd she writes really well. Most of us can't pull that off.
I asked Kia to delete my personal information. Here is the response:
"Thank you for your email. At this time, under applicable law, privacy requests relating to personal information are not provided to residents in your state. For information on our general business practices regarding the collection, maintenance, and sharing of personal information, please see Kia’s Privacy Policy.
Sincerely,
Kia America"
So, basically, FU. We don't have to, so we aren't going to do it.
You really, really do NOT want to read their privacy policy. Absolutely no respect for your preferences regarding private information that they collect. And, wow, are they aggressive about collecting data on you.
I am pretty sure that Kia is not alone in this type of abuse. We really need better privacy law. With teeth.
#Security #Privacy #Kia #PII
Conboy Lake National Wildlife Refuge
Spent a wonderful day at this somewhat remote national wildlife refuge. Located on the southern side of Mt Adams (great views of the volcano) in Washington State. There is an easy 2 mile hike along the recovering marsh and wooded area. Lots of bird life - migrating sandhill cranes stop here on their journey.
There is an amazing success story here. Riley, Adam and the other members of the team have been successful in the recovery of the endangered Oregon spotted frog. The populations of the frog at this location have almost fully recovered. It is worth spending a little time in the small visitor center chatting with the biologists.
A link to the wildlife refuge web page:
https://www.fws.gov/refuge/conboy-lake
A link to the Mt. Adams Resource Stewards (a non-profit):
https://mtadamsstewards.org/
#PNW #ESA #Nature #Science #Frogs
@mcc Thank you for a link to your video on Merkle tree aggregation! It was enlightening and helped open my mind related to Merkle implementations. I found the 2009 white paper on this also through your links. A bit dense for me, but it explained a lot.
My focus recently has been on the IPFS implementation. Unlike MTAs I don't think IPFS supports editing or deletion. You've given me some things to think about. Again, much appreciated.
Molly White (@molly0xfff) has a great piece on AI. Nuanced in the discussion of positives and negatives of AI LLMs. You can find it here:
https://www.citationneeded.news/ai-isnt-useless/
Definitely worth a follow if you are interested in #Web3 and #AI. And technical topics in general.
NIST and Web3 Security – A Developing Perspective
The National Institute of Standards and Technology just released an initial draft of "A Security Perspective on the Web3 Paradigm" as document IR 8475. It is not long and it is a great take on how NIST is thinking about Web3 security. Here is the link:
https://csrc.nist.gov/pubs/ir/8475/ipd
This is an admirable start. I think there are some areas that need improvement and I will be making comments to NIST. I will probably write a bit more about this in the future (not a promise). My perspective has been molded by my experience with a blockchain start up and by my work on a potential application based on IPFS.
Here are some of my initial thoughts.
Technology-Only Focus:
NIST very transparently limits their focus to Web3 technology and not to other aspects of Web3 security. I think they do a fairly good job at identifying some of the security risks in current blockchain (including cryptocurrency) and other Web3 technologies. This paper talks about the risks in wallets and single authentication factors. It is a pretty good overview of Web3 security risks, in my opinion. I am sure that their view will mature as they receive comments, but it is a pretty good starting point. However (you knew this was coming), I think it is a mistake to limit the Web3 discussion to just the technology. I get that you need to limit the scope of the discussion, but I think the non-technical risks are significant enough to warrant inclusion.
Compliance Regulations:
NIST also avoids an in-depth analysis of compliance regulations such as GDPR, CPRA and others. They understand some of the challenges in accommodating Web3 technologies to compliance regulations, but avoid a direct analysis. I think this is a mistake. If Web3 technologies cannot meet various compliance regulations I think this puts users and businesses at heightened risk.
NIST seems to think that the decentralized and distributed nature of Web3 will isolate users and businesses from compliance risk. I doubt that very much. As just one example, GDPR and CPRA implement the notion of the Right To Be Forgotten (sometimes called the Right Of Deletion). How would you request that your information be deleted from a blockchain? Or from IPFS? It is more than “difficult” as there is no delete function. I do not see how most Web3 implementations can be compliant.
Human Factors in Security:
As many others have also noted, there are many cases of Web3 users losing access to their credentials with no way of retrieving or re-constituting them. I think the seriousness of this as a security risk is understated in the NIST 8475 draft. They note:
"It is currently estimated that nearly 20% of the total amount of Bitcoin is “lost” due to users having lost access to their keys [24][25]."
That is about $300 BILLION in financial loss just on Bitcoin!
We have trouble getting users to use strong passwords and not to reuse passwords. The widespread adoption of Web3 will just increase unintentional losses due to human error.
User Control of Data:
In this draft document NIST echoes one of the common claims by Web3 advocates that Web3 promises better user control of their own data and identities. I agree with certain aspects of this argument, but I think there are serious weaknesses in this notion. If you don’t have any way to delete data you put into a Web3 application, do you really have control? How would a business respond to a GDPR delete request if the data is on a blockchain or IPFS?
These are a few of my initial thoughts on the NIST draft document IR 8475. Probably more to come.
Thanks to Dylan Yaga and Peter Mell of NIST for this draft. We all owe a debt of gratitude to all of the NIST security folks.
No discussion of Web3 issues would be complete without recognition of, and a hat tip to:
Molly White @molly0xfff
Mike Masnick @mmasnick
Cory Doctorow @pluralistic
And many others working in this area.
#Web3 #NIST #Security #InfoSec #BlockChain #IPFS
Source: posts by patrick_townsend@infosec.exchange (Mastodon)