The IT Privacy and Security Weekly Update Gives Large for the week ending December 19th, 2023.
12/19/2023, Episode 170

Our first few stories present some unique gifting ideas. Who needs another Rolex when you can give "large"?

We get new breach reporting requirements from the US SEC and China's MIIT. Wait, what is this, a competition? In that same vein we get something less than super from Mr. Cooper. After a court ruling that you cannot be forced to reveal your phone PIN, there's great news from Google about a change to your location data. And we finish up this update in front of a crackling fire. Quick, get the eggnog; we'll go get a cat and settle in comfortably for this week's update!

UK: Most original gift for 2023?
Don't tell us, you finally found a present for that person who has everything.
https://jalopnik.com/concorde-engine-finally-sold-on-ebay-afterburner-inclu-1851108481

Whether your holiday has passed or is still to come, we wonder, dear reader, if this is you: A Rolls-Royce Olympus jet engine that once powered the Concorde supersonic airliner was listed on eBay for years before finally selling this past weekend for $714,500. The engine was removed from a British Airways Concorde that made its last flight 20 years ago. It cannot fly again but could be repurposed decoratively. The purchaser and the plans for the 3.5 ton engine are unknown. It did, however, sell at a substantial discount from its $975,000 list price back in 2019. This particular engine still contained the Concorde's signature afterburner for added thrust, making it even more unique. There is hope that this iconic piece of aviation history, rather than being dismantled for parts, can be preserved and displayed proudly in a museum setting, much like the retired Concorde airframe it powered.

So what's the upshot for you? Happy Holidays and best wishes for a brilliant new year.
And yes, we will remain on the edge of our seats in anticipation of 2024's "most original gift".

Global: Microsoft releases Phi-2, a small language model AI that outperforms Llama 2, Mistral 7B
https://venturebeat.com/ai/microsoft-releases-phi-2-a-small-language-model-ai-that-outperforms-llama-2-mistral-7b/

Looking to try something different over the holiday break? Microsoft Research, the blue-sky division of the software giant, announced the release of its Phi-2 small language model (SLM), a text-to-text AI model that is "small enough to run on a laptop or mobile device," according to a post on X. At the same time, Phi-2, with its 2.7 billion parameters (connections between artificial neurons), boasts performance comparable to other, much larger models, including Meta's Llama 2-7B with its 7 billion parameters and even Mistral-7B, another 7 billion parameter model. Microsoft researchers also noted in their blog post on the Phi-2 release that it outperforms Google's brand new Gemini Nano 2 model, even though Nano 2 has roughly half a billion more parameters, and that it delivers less "toxicity" and bias in its responses than Llama 2. Microsoft also couldn't resist taking a little dig at Google's now much-criticized, staged demo video for Gemini, in which Google showed off how its forthcoming largest and most powerful new AI model, Gemini Ultra, was able to solve fairly complex physics problems and even correct students' mistakes on them. As it turned out, even though it is likely a fraction of the size of Gemini Ultra, Phi-2 was also able to answer the question correctly and correct the student using the same prompts.
However, despite these encouraging findings, there is a big limitation with Phi-2, at least for the time being: it is licensed for research purposes only, not commercial use, under a custom Microsoft Research License, which further states that Phi-2 may only be used for "non-commercial, non-revenue generating, research purposes." So, er, businesses looking to build products atop it are out of luck....

So what's the upshot for you? Children all over the world are putting in last minute updates to their "Santa wish lists" for laptops with an Nvidia RTX 4050 (or better) GPU in them. Thankfully Santa seems to be pretty tight with Jensen Huang (CEO of Nvidia).

Global: Your Smart TV knows what you are watching.
https://themarkup.org/privacy/2023/12/12/your-smart-tv-knows-what-youre-watching

Did you get a new smart TV during the recent holiday sales? Well, there might be an uninvited guest joining your viewing parties. Most modern smart TVs employ Automatic Content Recognition (ACR), a sneaky ad surveillance technology that tracks your viewing habits for targeted ads. The software is often hidden, opting out is not easy, and many consumers are completely oblivious to ACR's presence.

Let's break down the tech first. ACR works like a constant background Shazam for your TV: it identifies what you are watching by taking screenshots of whatever is on the screen and comparing them against a massive database of known media and ads. These TVs can capture up to 7,200 images per hour, which powers content recommendations and a booming $18.6 billion smart TV ad industry. If you're not keen on having ACR snooping on your watchlist, you may be able to turn it off, depending on your TV's software. The process might take anywhere from 10 to 37 clicks, and the article provides instructions for turning off ACR on Roku, Samsung and LG devices.

So what's the upshot for you? Third on the list after unboxing your new telly: plug in the TV, put the batteries in the remote, and then turn off the ACR.
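How that "background Shazam" works, in code. What follows is an added example written for this post, not code from The Markup's article or from any TV vendor. The 8x8 "average hash" fingerprint, the FingerprintDB class and the 32x32 synthetic frames are all constructed stand-ins for the proprietary audio/video fingerprints and databases that real ACR systems use; the point is the mechanism: grab a frame, shrink it to a tiny fingerprint, look that fingerprint up, and note that the match survives a broadcaster logo pasted over the picture.

```python
"""Constructed illustration of automatic content recognition (ACR).

Added example for this post, not code from The Markup's article or from any
TV vendor. It shows the idea in the text: periodically grab a frame, reduce it
to a compact fingerprint, and look that fingerprint up in a database of known
media. The fingerprint here is a textbook 8x8 "average hash"; real ACR
systems use proprietary fingerprints, so treat this as a model of the
mechanism, not of any product.
"""
from typing import Dict, List, Optional, Tuple

Frame = List[List[int]]  # grayscale frame: rows of 0..255 pixel values


def downscale(frame: Frame, size: int = 8) -> Frame:
    """Box-average the frame into a size x size grid (frame dims assumed multiples of size)."""
    h, w = len(frame), len(frame[0])
    bh, bw = h // size, w // size
    grid: Frame = []
    for by in range(size):
        row = []
        for bx in range(size):
            block = [
                frame[y][x]
                for y in range(by * bh, (by + 1) * bh)
                for x in range(bx * bw, (bx + 1) * bw)
            ]
            row.append(sum(block) // len(block))
        grid.append(row)
    return grid


def average_hash(frame: Frame, size: int = 8) -> int:
    """64-bit fingerprint: bit set where a downscaled cell is brighter than the mean cell."""
    cells = [v for row in downscale(frame, size) for v in row]
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:  # row-major, first cell ends up as the most significant bit
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of fingerprint bits that differ."""
    return bin(a ^ b).count("1")


class FingerprintDB:
    """Toy stand-in for the vendor-side database of fingerprinted shows and ads."""

    def __init__(self) -> None:
        self.entries: Dict[str, int] = {}

    def add(self, label: str, frame: Frame) -> None:
        self.entries[label] = average_hash(frame)

    def match(self, frame: Frame, max_distance: int = 10) -> Optional[Tuple[str, int]]:
        """Return (label, distance) of the nearest entry within max_distance, else None."""
        probe = average_hash(frame)
        best: Optional[Tuple[str, int]] = None
        for label, fp in self.entries.items():
            d = hamming(probe, fp)
            if d <= max_distance and (best is None or d < best[1]):
                best = (label, d)
        return best


# --- constructed sample frames: 32x32 synthetic images, not real screenshots ---
SIZE = 32


def gradient_frame(horizontal: bool = True) -> Frame:
    """Brightness ramp left-to-right (or top-to-bottom when horizontal=False)."""
    return [[(x if horizontal else y) * 255 // (SIZE - 1) for x in range(SIZE)] for y in range(SIZE)]


def checker_frame() -> Frame:
    """8-pixel checkerboard; a very different picture from the gradient."""
    return [[255 if ((x // 8 + y // 8) % 2 == 0) else 0 for x in range(SIZE)] for y in range(SIZE)]


def with_logo(frame: Frame, size: int = 8) -> Frame:
    """Simulate a broadcaster bug: paint a white square over the top-left corner."""
    return [[255 if (x < size and y < size) else v for x, v in enumerate(row)] for y, row in enumerate(frame)]


def demo() -> Dict[str, Optional[Tuple[str, int]]]:
    """Fingerprint two 'known' pieces of content, then look up three captured frames."""
    db = FingerprintDB()
    db.add("classic-movie", gradient_frame(horizontal=True))
    db.add("hearing-aid-ad", checker_frame())
    return {
        "exact": db.match(gradient_frame(horizontal=True)),                # ('classic-movie', 0)
        "with_logo": db.match(with_logo(gradient_frame(horizontal=True))),  # ('classic-movie', 4)
        "unknown": db.match(gradient_frame(horizontal=False)),              # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result}")
```

Two things to take from it. First, the logo-overlaid frame still matches at Hamming distance 4 of 64, which is why a fingerprint lookup, unlike an exact image compare, is robust to overlays, scaling and re-encoding. Second, the device never has to upload the screenshot itself: a 64-bit fingerprint is 8 bytes, so at the article's 7,200 captures per hour the TV sends well under 100 KB an hour (constructed arithmetic), which is part of why this can run unnoticed in the background.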
The reason we rank it that high: let's say you have your parents over and they watch a few days of classic movies and old reruns. That feeds the ad database, and you may be served hearing aid, insurance and prepaid funeral commercials for the foreseeable future. It's even worse when young parents visit, as the selection moves to diapers and laundry detergent.....

US: SEC disclosure rule for 'material' cybersecurity incidents in effect: 4 days to report
https://cyberscoop.com/sec-cybersecurity-incidents-disclosure-rule/

US publicly traded companies are now obliged to disclose "material" cybersecurity incidents to the U.S. Securities and Exchange Commission (SEC) following the implementation of a new rule on Monday. Critics argue that the disclosure window is too short and could pose national security risks. Some view it as duplicative of existing regulations, potentially increasing liability pressure on Chief Information Security Officers (CISOs). The SEC rule requires companies to report material incidents within four business days of determining that an incident is material, and to submit annual reports describing their cybersecurity risk management and governance. Lawmakers and industry experts have expressed worries about potential conflicts with existing regulations, particularly those from the Cybersecurity and Infrastructure Security Agency (CISA). Concerns also center on the possibility of disclosed information being exploited by malicious hackers for further attacks.

So what's the upshot for you? CISOs are expressing concerns about heightened personal liability, which will likely increase demand for Directors & Officers insurance. We can only imagine the excitement in the insurance industry as yet another type of big ticket policy evolves.
CN: China issues draft contingency plan for data security incidents: 10 minutes to report
https://www.reuters.com/world/china/china-issues-draft-emergency-plan-data-security-incidents-2023-12-15/

China on Friday proposed a four-tier classification to help it respond to data security incidents, highlighting Beijing's concern about large-scale data leaks and hacking within its borders. The plan, which is currently soliciting opinions from the public, proposes a four-tier, colour-coded system based on the degree of harm inflicted upon national security, a company's online and information network, or the running of the economy. According to the plan, incidents that involve losses surpassing 1 billion yuan ($141 million) and affect the personal information of over 100 million people, or the "sensitive" information of over 10 million people, will be classed as "especially grave," for which a red warning must be issued.

So what's the upshot for you? The plan demands that, in response to red and orange warnings, the companies involved and the relevant local regulatory authorities must establish a 24-hour work rota to address the incident, and the Ministry of Industry and Information Technology (MIIT) must be notified of the data breach within ten minutes of the incident happening. Sounds like fun.

US: Hack of Mortgage Lender Mr. Cooper leaks PII on 14.7 Million People
https://www.pcmag.com/news/hack-of-mortgage-lender-mr-cooper-ensnares-147-million-people

In an effort to report significant breaches while keeping them short, we present the Mr. Cooper breach: In October, Jay Bray, chairman and CEO of Mr. Cooper Group, called it an "outage;" last month, it became a "cybersecurity incident;" now it's a full-on Personally Identifiable Information (PII) leak. Mortgage company Mr. Cooper Group has confessed to losing the personal information of 14,690,284 people.

So what's the upshot for you? That's quite a feat for a firm with "only" 4.3 million customers.
US: Why Google Will Stop Telling Law Enforcement Which Users Were Near a Crime
https://finance.yahoo.com/news/google-stop-telling-law-enforcement-001953651.html

Earlier this week Google announced that Maps will stop storing users' location histories in the cloud. But why? The company said Thursday that, for users who have the feature enabled, location data will soon be saved directly on their devices, blocking Google from being able to see it and, by extension, blocking law enforcement from being able to demand that information from Google. "Your location information is personal," said Marlo McGriff, director of product for Google Maps, in the blog post. "We're committed to keeping it safe, private and in your control."

The change comes three months after a Bloomberg Businessweek investigation found that police across the US were increasingly using warrants to obtain location and search data from Google, even for nonviolent cases, and even for people who had nothing to do with the crime. "It's well past time," said Jennifer Lynch, general counsel at the Electronic Frontier Foundation, a San Francisco-based nonprofit that defends digital civil liberties. "We've been calling on Google to make these changes for years, and I think it's fantastic for Google users, because it means that they can take advantage of features like location history without having to fear that the police will get access to all of that data."

Google said it would roll out the changes gradually over the next year on its own Android and on Apple Inc.'s iOS mobile operating systems, and that users will receive a notification when the update comes to their account. Once the update is complete, the company will no longer be able to respond to new geofence warrants, including for people who choose to save encrypted backups of their location data to the cloud.

So what's the upshot for you?
There's still another kind of warrant that privacy advocates are concerned about: reverse keyword search warrants, where police can ask a technology company to provide data on the people who have searched for a given term. "Search queries can be extremely sensitive, even if you're just searching for an address," Lynch said.

IS: Missing your summer BBQ?
https://livefromiceland.is/webcams/fagradalsfjall

Livestream the volcanic eruption direct from Iceland instead. Apparently this is 10x more activity than the last volcanic eruption in Iceland.

So what's the upshot for you? Get it while it's hot.

So to recap: Our first few stories presented some unique gifting ideas. Who needs another Rolex when you can give "large", and what is larger and more in your face than a jet engine (with afterburner) out of a Concorde? Then we updated you on a cool new small language model from Microsoft that could be smarter than Google's newly announced Gemini Nano, and it runs on a laptop! We told you why you have been getting those diaper ads on your smart TV and where you can get the details to fix it for three of the most popular brands. We heard about new breach reporting requirements: four days for US businesses from the SEC, while China's MIIT colour-coded its breach classifications and might put a 10 minute reporting requirement in place. Then US mortgage lender Mr. Cooper told us that, with just over 4 million customers, it lost the PII of over 14 million people. And after the Utah court decision that suspects can refuse to provide phone passcodes to police under the US Constitution's Fifth Amendment privilege against self-incrimination, there's great news from Google about a change to your location tracking data. And we ended up in front of a roaring fire with the cat.

This week's quote: "People never believe in volcanoes until the lava actually overtakes them." George Santayana, philosopher, poet, and humanist

That's it for this week.
Stay safe, stay secure, happy holidays if you're celebrating them this week, and we'll see you in se7en!