TechLetters #38 - Russian proposal for international cybersecurity treaty; Biden warns that cyberwar means war; China accused US of cyberattacks (huh); Privacy Sandbox leaks; Huge GDPR fine
Editorial
Security
China demands an explanation from the US. China started a petition concerning “suspicion surrounding the biological laboratory at the US Fort Detrick”. Someone DDoSed the petition site, rendering it inaccessible. Now China demands an explanation - but from US authorities.
Cryptographic vulnerabilities. The average lifetime of a vulnerability (time from deployment to fix) is around 5 years. “cryptographic libraries we studied produced vulnerabilities at rates of up to one CVE for each thousand lines of code added, a rate roughly three times as much as in non-cryptographic software”
Iran’s cyberwarfare plans? "Classified documents, allegedly from Iran, reveal secret research into how a cyber attack could be used to sink a cargo ship or blow up a fuel pump at a petrol station". Allegedly leaked confidential documents describing Iran's plans for its cyber capabilities. It sounds either highly far-fetched or highly ambitious. The report, if true, unambiguously discusses cyber operations with potentially disruptive or destructive physical effects - what you would typically expect cyberwarfare operations to look like. (Report)
Cyberwar means war? Biden warned that cyberattacks may escalate to a real hot shooting war. “I think it’s more than likely we’re going to end up, if we end up in a war - a real shooting war with a major power - it’s going to be as a consequence of a cyber breach of great consequence and it’s increasing exponentially, the capabilities,”
Le Pegasus. French ministers were equipped with new telephones, out of an abundance of caution against hacking, including with Pegasus. Apparently, after the latest reports, they "panicked". Now there will be an obligation to communicate exclusively through this new channel. Some journalists in France were confirmed to have had their smartphones hacked with NSO’s Pegasus.
International cybersecurity treaty? Russia has proposed a cybersecurity convention (translation; "United Nations Convention on Counteracting the Criminal Use of Information and Communication Technologies"). It would ban malware "except for lawful research". It would also ban "subversive or armed activities directed towards the violent overthrow of the regime of another State", and the dissemination of information - extremist content, but also "political hatred" (good luck interpreting this; critics will call it "censorship"). It would also give legal grounds to compel service providers to hand over information transmitted via their systems, perhaps via backdoors: "collect or record, through the application of technical means ... data on content ..." (critics will call this "technical surveillance").
Privacy
Privacy needs to be a first-class citizen - it still isn’t. “privacy cannot be truly fixed with a bandaid after a system is built. The cause of data privacy failures happen upstream in the SDLC, long before most of us think of privacy” (link)
Privacy leak risk in a cookie-replacement mechanism. Google’s Privacy Sandbox proposals for privacy-preserving ad targeting have an issue that lets attackers recover some user-linked information, or use it to track users. Let’s hope that all such issues are identified, vetted, and fixed before the targeted date for replacing third-party cookies with the new solutions, scheduled for 2023. (article)
Monsanto fined for maintaining a lobbying file without notifying the people (politicians, journalists, civil society, etc.) included in it. When people are included in lobbying registers, they must be notified. A €400,000 fine by the French DPA, CNIL. “between 2016 and 2017, the companies FLEISHMAN-HILLARD (now the company OMNICOM PUBLIC RELATIONS GROUP) and the company PUBLICIS CONSULTANTS had established, on behalf of the company MONSANTO, files containing the personal data of more than 200 French and European political figures or belonging to civil society including journalists, activists from the environmental cause, scientists and farmers, as part of the campaign for the renewal of the authorization for the use of glyphosate by the European Commission … the processing of personal data corresponding to the identification and mapping of the stakeholders in the debate on the renewal of the authorization of glyphosate, which has resulted in particular in the preparation of the file " 20160822 French Monsanto stakeholders database - cultivating trust ", began in 2016 but continued until 2019, i.e. after the entry into force of the GDPR, as explicitly stated in the specifications of rider no. 7, signed on October 15, 2016 and renewed many times until 2019”
Highest GDPR fine. Amazon received a €746M #GDPR fine. Pretty huge - the highest so far. They'll probably appeal. Source document here.
Technology Policy
Chip production in Europe. After the USA (Arizona) was considered as an off-Taiwan chip production site, the next possible site is Germany. Just in case?
AI to the rescue? Hundreds of AI-based tools have been created to help fight the coronavirus/#COVID19. The problem is, none of them worked or helped. Some could even be harmful.
Other
Technical debt. “we’re often faced with trade-offs that sacrifice what is best for the long term against something that increases velocity in the short term. A commonly used financial analogy is describing this as taking on technical debt”. This has consequences both to cybersecurity and privacy. (link)
Russian mobile data center. For real! Loaded on a KamAZ truck (here).