Bed Head with the IT Privacy and Security Weekly update for the week ending November 28th, 2023

11/28/2023 Episode 167

This week we start with the dollar bill ranking of the top US Universities for earnings potential. We then throw some light on a global disappearing act, first the presenters and then a whole developer conference. This is one you have to read to believe!

From there, in our third story, it’s a thumbs down for the security that fingerprint reader on your laptop is delivering. In at four is a new agreement between the US, UK and a dozen countries pitched at making AI safer. From there it’s hot water, and wait, one martial artist’s company that seems to be soaking in it. We get a “better late than never” from “Down under” in the fight on cyber crime and finally, for our last story, an Internet of Things thing that you’re spending a third of your life on that may be sharing more about you than you want.

This week’s update is all over the place and all over the world, but you get it served up fresh right here! Dig in!

US: The U.S. college with the richest graduates isn't an Ivy League school, according to data.
https://www.payscale.com/college-salary-report/bachelors
https://www.msn.com/en-us/money/careersandeducation/the-college-with-the-richest-graduates-isn-t-an-ivy-league-school-according-to-data-here-are-the-top-100/ss-AA1kFJs6?cvid=f95653663f19478dabaac5c11bfb0381&ei=36

Stacker compiled a list of the colleges whose graduates earn the most, using 2021 data (released in 2023) from PayScale. Colleges are ranked by the highest mid-career earnings, with ties broken by early career earnings. Mid-career earnings are median salaries for alumni with 10+ years of experience, and early career earnings are for alumni with 0-5 years of experience.
Slides also include the percentage of students earning degrees in STEM (science, technology, engineering, and mathematics) as well as the percentage of those who report that their work is not only important to them personally but also, they believe, has a positive effect on the world at large, defined here as "high meaning."

So what's the upshot for you?

The top three? Princeton University, Massachusetts Institute of Technology (MIT), and the United States Naval Academy, but the surprise at number four is Harvey Mudd College in California. (Why are their graduates so fiscally successful? It could be the preponderance of aerospace industries located on their doorstep.)

LV: Disappearing act: first the presenters... and now the whole conference
https://www.404media.co/coding-unicorn-instagram-julia-kirsina-devternity/
https://en.wikipedia.org/wiki/DevTernity_Conference
https://www.theregister.com/2023/11/28/devternity_conference_fake_speakers/

First, Eduards Sizovs got busted for artificially creating diversity at his Latvian DevTernity developer conference. Engineer Gergely Orosz tweeted on Thursday that he'd discovered fake speakers listed on the DevTernity site. Two women -- Anna Boyko, listed as a staff engineer at Coinbase, and Natalie Stadler, a "software craftswoman" at Coinbase -- were included on the site as speakers but appear not to exist in real life.

Then the “most popular coding account on Instagram”, which features more than a thousand photos of a woman named Julia Kirsina “posting no-BS coding, career, productivity tips”, led many developers to point out that the account seems to be run by DevTernity’s Eduards Sizovs!! Now IP logs from a forum for programmers show an account the forum administrator said belonged to Sizovs inviting and then logging into an account belonging to Coding Unicorn, Kirsina’s social media handle.
A YouTube video posted last year by Sizovs showed him logged into his own email accounts as well as one for “Coding Unicorn.” The news presents an unusual, and bizarre, wrinkle on an ongoing crisis in which multiple high-profile speakers have dropped out of DevTernity over Sizovs’ use of at least one fake woman on the conference’s website.

So what's the upshot for you?

Presenters at the DevTernity software developer conference have been told that the "sold out" gig (at up to $870 a ticket), scheduled to begin December 7, has been canceled, and we can confirm the website is completely blank.

Global: Researchers Figure Out How To Bypass Fingerprint Readers In Most Windows PCs
https://blackwinghq.com/blog/posts/a-touch-of-pwn-part-i/

A great report on the efficacy (or not) of fingerprint readers in Windows PCs.

In a recent revelation by Blackwing Intelligence, researchers detailed successful workarounds for popular fingerprint sensors in Windows PCs. The team, led by Jesse D'Aguanno and Timo Teras, demonstrated exploits on the Goodix sensor in a Dell Inspiron 15, the Synaptics sensor in a Lenovo ThinkPad T14, and the ELAN sensor in a Microsoft Surface Pro Type Cover. Despite variations in reverse engineering and external hardware use, vulnerabilities in these widely used sensors suggest that many Windows PCs with fingerprint readers may be susceptible to similar exploits.

Blackwing's findings also shed light on the inner workings of fingerprint sensors, emphasizing the importance of the Secure Device Connection Protocol (SDCP) for enhanced security. Each sensor was defeated through a distinct weakness, including an improper SDCP implementation in Linux and SDCP not being enabled in Windows for certain models. Blackwing recommends enabling SDCP on all Windows Hello fingerprint sensors to mitigate potential exploits.

So what's the upshot for you?
The clincher is "PC makers should have a qualified expert third party audit [their] implementation" to improve code quality and security. Wait... what? They don't do that?

Global: US, Britain, Other Countries Ink Agreement To Make AI 'Secure by Design'
https://www.ncsc.gov.uk/files/Guidelines-for-secure-AI-system-development.pdf

The United States, Britain and more than a dozen other countries on Sunday unveiled what a senior U.S. official described as the first detailed international agreement on how to keep AI safe from rogue actors, pushing for companies to create AI systems that are "secure by design."

In a 20-page document unveiled Sunday, the 18 countries agreed that companies designing and using AI need to develop and deploy it in a way that keeps customers and the wider public safe from misuse. The agreement is non-binding and carries mostly general recommendations such as monitoring AI systems for abuse, protecting data from tampering and vetting software suppliers.

Still, the director of the U.S. Cybersecurity and Infrastructure Security Agency, Jen Easterly, said it was important that so many countries put their names to the idea that AI systems needed to put safety first. "This is the first time that we have seen an affirmation that these capabilities should not just be about cool features and how quickly we can get them to market or how we can compete to drive down costs," Easterly told Reuters, saying the guidelines represent "an agreement that the most important thing that needs to be done at the design phase is security."

So what's the upshot for you?

It's really not that much, but it's a start, and a good start can take you places.
US: Meta Knowingly Collected Data on Pre-Teens, Unredacted Evidence From Lawsuit Shows
https://www.msn.com/en-us/money/companies/meta-designed-products-to-capitalize-on-teen-vulnerabilities-states-allege/ar-AA1kwu32

Meta, the parent company of Instagram, is under legal scrutiny as attorneys general from 33 states accuse it of receiving over 1.1 million reports of users under 13 on Instagram since 2019. The complaint alleges that Meta failed to adequately disable these accounts and continued collecting children's personal information without parental consent, violating federal privacy laws. The company could face substantial civil penalties if the allegations are proven, with claims that Meta prioritized growth over implementing effective age-checking systems.

Internal documents, unsealed as part of the legal proceedings, suggest that Meta was aware of millions of underage users on Instagram. The company is accused of downplaying its knowledge in congressional testimonies and failing to develop systems to detect and exclude underage users. The lawsuit contends that Meta, aware of the demographic importance of children, neglected to implement measures to ensure compliance with age restrictions.

An internal 2020 Meta presentation reveals the company's intention to capitalize on aspects of youth psychology, exploiting teenagers' predisposition to impulse and peer pressure. The documents allege that Meta engineered its products to trigger dopamine responses in teens, aiming to keep them engaged on the platform.

The legal complaint includes allegations against Meta CEO Mark Zuckerberg, accusing him of prioritizing platform usage over user well-being. The unsealed material claims that Zuckerberg dismissed warnings about the harm caused to young users by Meta's flagship social-media platforms.
The lawsuit highlights instances where Meta executives made public statements that contradicted internal documents, and points to a significant backlog of under-13 accounts awaiting action, indicating inadequate staffing and progress in addressing the issue.

So what's the upshot for you?

A 2018 internal email stated that product teams should keep in mind that “The lifetime value of a 13 y/o teen is roughly $270”. Why would Meta give that revenue stream up?

US: Meta Splits Up Its "Responsible AI" Team
https://www.theinformation.com/articles/meta-breaks-up-its-responsible-ai-team

Meta has disbanded its Responsible AI team and moved staff into other areas to focus on generative AI.

Meta launched its Responsible AI (RAI) team in 2019 in the hope that this internal group of interdisciplinary experts could help technical teams design and build machine-learning models ethically. In 2021, Meta listed five core concerns the team would focus on: privacy and security; fairness and inclusion; robustness and safety; transparency and control; and accountability and governance. One year later, the group was folded into the WhatsApp parent's Social Impact unit.

Now, the Responsible AI team is being scrapped altogether. Most of the employees have been reassigned to Meta's Generative AI arm (the tech that outputs content based on user requests and prompts), with some going to its machine-learning infrastructure unit.

So what's the upshot for you?

Just when we thought Meta was turning over a new leaf. The new Zuck is just the same as the old Zuck.

AU: Australia Beefs Up Cyber Defences After Major Breaches
https://www.reuters.com/technology/cybersecurity/australia-goes-cyber-offensive-with-sweeping-resilience-plan-2023-11-22/

Australia will give cyber health checks for small businesses, increase cyber law enforcement funding and introduce mandatory reporting of ransomware attacks under a security overhaul announced on Wednesday after a spate of attacks.
The federal government said it will also subject telecommunications firms to the tougher cyber reporting rules which apply to critical infrastructure, seek migrants to build up the cyber security workforce and set limits on inter-agency data sharing to encourage people to report incidents.

The A$587 million ($382 million) plan shows the centre-left Labor government trying to get on the front foot after a year in which nearly half the country's 26 million population had personal information stolen in just two data breaches at companies, while a cyber attack at its biggest port operator this month brought supply chains to a standstill.

So what's the upshot for you?

The big question is why half of the Australian population had to have their personally identifiable information (PII) compromised for an initiative like this to kick in.

US: CEO Reminds Everyone His Company Collects Customers' Sleep Data
https://www.404media.co/ceo-reminds-everyone-eightsleep-pod-collects-sleep-data-to-make-zeitgeisty-point-about-openai-drama/

Matteo Franceschetti, CEO of Eight Sleep, the company behind the $2,295 smart mattress topper "The Pod," recently tweeted about a concerning rise in low-quality sleep in San Francisco. According to Eight Sleep's data, there was a 27 percent increase in people getting less than 5 hours of sleep, prompting Franceschetti to emphasize the need for a solution. The tweet raises questions about the privacy implications of smart devices like The Pod, which collects extensive user data for business purposes.

The Pod boasts features such as intelligent cooling, sleep tracking, and a personalized Sleep Fitness Score. However, Franceschetti's revelation underscores the potential misuse of user data for marketing or other purposes. Eight Sleep's terms of service outline the broad scope of data collection, including sleep activity, location data, and the possibility of sharing or selling de-identified information.
Despite a privacy pledge in its terms of service, Eight Sleep's data practices reveal a significant gap between assurances and the actual extent of information collected. The company pledges to respect privacy but simultaneously gathers data that can be used for marketing, scientific studies, and potentially sold to interested parties.

It's important to note that Eight Sleep's data does not definitively show a citywide spike in low-quality sleep in San Francisco. Instead, it reflects the sleep patterns of a specific group: Pod users in San Francisco who haven't opted out of analytics. The revelation raises broader concerns about the accuracy and representativeness of data collected by smart devices.

Eight Sleep's case serves as a reminder of the broader privacy implications associated with smart devices. Users must remain vigilant about the data they share, considering how it may be used beyond the device's intended purpose. The incident prompts a reevaluation of the balance between technological convenience and the protection of user privacy in the rapidly expanding landscape of smart devices.

So what's the upshot for you?

Two things that you can generally assume about Internet connected things:
1) Whatever it is will generate some data about you that someone wants, and
2) that data will end up somewhere that you don't want.

So to recap:

This week we started with the top four US Universities in terms of earning potential and ended up more than a bit surprised at the rankings!

We then threw some light on a global disappearing act, first two fictional presenters, an Instagram account holder and then the whole DevTernity conference. Honestly, Sizova? You tried to pull the wool over a whole conference load of developers? What a way to live dangerously.

At number three we found out that the thumb reader on your laptop isn’t anything more than decoration in many cases, and we ended with a plea for independent 3rd party testing.
Next we had a new agreement between the US, UK and a dozen countries pitched at making AI safer. It doesn’t commit to much, but something is better than nothing!

From there Mark and Meta just keep reminding us what fools we were to think they had turned over a new leaf.

We found out how the Ozzies have decided to fund better cyber security, but only after half the population had sensitive data stolen.

And we ended with a stunning statistic that certain of us don’t get enough sleep, as revealed by Matteo Franceschetti, CEO of Eight Sleep... someone who really should not know.

Our quote: "Opportunity comes to the prepared mind." - Charlie Munger, 1924-2023

That's it for this week. Stay safe, stay secure, sweet dreams and we'll see you in se7en!
Jenna
11/28/2023 09:17:26 pm
I love it! I may never sleep again!
Oliver V.
11/30/2023 12:47:54 pm
This is my go-to website for Privacy and Security. We all love it here at [reference removed for confidentiality]