TechLetters #43 - NSA on quantum risk; NSA backdoors; Australian hacking bill; WhatsApp with a hefty GDPR fine; overlooked security risks of banking apps; can AI be an inventor?
Security
National Security Agency on quantum computing and risk. They treat it seriously but they also advise caution (link). “Some solutions may be implemented using symmetric, pre-shared keys that protect against the long-term quantum computing threat. NSA considers the use of pre-shared symmetric keys in a standards-compliant fashion to be a better near-term post-quantum solution than implementation of experimental post-quantum asymmetric algorithms that may or may not be proven secure”. My initial quantum risk assessment is here. Being informed is advised, also when deciding about migrations. “Some organisations may be interested in preparing appropriate risk assessment as well as contingency and migration plans. Such plans should always prioritise guaranteeing data security with respect to today’s non-quantum security. When transitioning to post-quantum systems, organisations should consider existing risks and the usual considerations during migration of data that would guarantee data security (i.e. reliability, availability) as well as confidentiality (e.g. when the data is re-encrypted with post-quantum cryptography).”
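To make the NSA's point concrete, here is an added example (mine, not from the NSA document or this letter) of why a pre-shared symmetric key helps in the near term. The session key is derived with HKDF (RFC 5869, implemented below on the standard library) from both the output of a conventional key agreement and a pre-shared key. The "hybrid" derivation, its label string and the sample secrets are my own illustrative construction, not any particular standard; the idea it shows is that if a future quantum computer recovers the asymmetric secret, the attacker still lacks the PSK and therefore still cannot compute the session key.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM).
    An empty salt is replaced by HASH_LEN zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(ephemeral_secret: bytes, psk: bytes,
                       transcript: bytes, length: int = 32) -> bytes:
    """Illustrative hybrid derivation (an assumption of this example, not a
    named standard): the input keying material is the asymmetric key-agreement
    output concatenated with the pre-shared key, and the handshake transcript
    (nonces, identities) acts as the HKDF salt. Confidentiality of the result
    needs only ONE of the two inputs to remain secret."""
    prk = hkdf_extract(salt=transcript, ikm=ephemeral_secret + psk)
    return hkdf_expand(prk, b"example hybrid session key", length)


def main() -> None:
    # Constructed sample values: in practice the ephemeral secret comes from
    # (EC)DH and the PSK is provisioned out of band.
    ephemeral_secret = os.urandom(32)
    psk = os.urandom(32)
    transcript = b"client-nonce|server-nonce|identities"

    legitimate = derive_session_key(ephemeral_secret, psk, transcript)
    # Model a quantum attacker who recovered the ephemeral secret but not the PSK:
    attacker_guess = derive_session_key(ephemeral_secret, b"", transcript)
    print("session key:", legitimate.hex())
    print("attacker without PSK recovers the same key:", attacker_guess == legitimate)


if __name__ == "__main__":
    main()
```

The derivation is deterministic for a given (ephemeral secret, PSK, transcript) triple, so both endpoints agree on the key; the attacker's only remaining route is the PSK itself, which is why the NSA text stresses managing such keys in a standards-compliant way.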
Australian "Surveillance Legislation Amendment" Bill. It has been passed by the parliament and awaits ‘Royal Assent’, which is a formality. The law contains a lot of interesting elements: it allows authorities to hack devices, modify or tamper with data, and take control of users' accounts.
Leaving Afghanistan for cyber. “Joe Biden says he chose to end the war in Afghanistan to focus on other security problems, including China and Russia … concentrating on threats such as cyberattacks”. Appropriate reasons?
When backdoors stop working. Why did the NSA not notice when it lost its backdoor?
Responding to ransomware. Irish police are fighting back: a "significant disruption operation which targeted the IT infrastructure of a cyber crime group has been conducted by the Garda National Cyber Crime Bureau", and they "seized several domains" (link).
Privacy
WhatsApp fined €225m under GDPR. The inside story covers a number of European DPAs disputing the legal and technological aspects. Fascinating!
- "a reprimand with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions"
- "WhatsApp IE failed to comply with its obligation under Article 14".
- Used obsolete algorithms?
- "Lossy hashes are personal data". "WhatsApp could, if requested, achieve the indirect identification of the non-user".
- "Netherland's DPA argues that the hashing scheme applied by WhatsApp IE is vulnerable to a brute force attack. For example, in the Netherlands, 54 million mobile phone numbers are issued. Constructing a look-up table takes around three minutes"
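The Dutch DPA's argument is easy to check for yourself. The following is an added example of mine (not WhatsApp's scheme or anything from the decision): an unkeyed hash over a small, enumerable identifier space is reversed with a lookup table, and the build time for a toy space is extrapolated to the 54 million numbers cited above. The prefix, the 4-digit toy subscriber block and the HMAC alternative are my constructed assumptions; the HMAC variant shows that a secret key stops third parties from building the table, but the key holder can still re-identify, which is exactly why the DPAs treat such hashes as personal data.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed toy identifier space: 10,000 numbers behind a fixed prefix,
# standing in for the 54 million real Dutch mobile numbers cited by the DPA.
PREFIX = "+3161"
SUBSCRIBER_DIGITS = 4
KEYSPACE = [f"{PREFIX}{n:0{SUBSCRIBER_DIGITS}d}" for n in range(10 ** SUBSCRIBER_DIGITS)]
DUTCH_NUMBERS = 54_000_000  # figure quoted by the Netherlands' DPA


def lossy_hash(number: str) -> str:
    """Unkeyed SHA-256 of a phone number: deterministic and, over a small
    enumerable space, trivially reversible by table lookup."""
    return hashlib.sha256(number.encode()).hexdigest()


def build_lookup_table(numbers) -> Dict[str, str]:
    """Precompute digest -> number for every number in the space."""
    return {lossy_hash(n): n for n in numbers}


def reidentify(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Recover the number behind a digest, or None if it is not in the table."""
    return table.get(digest)


def extrapolate_seconds(sample_size: int, sample_seconds: float, population: int) -> float:
    """Linear scaling of the measured table-build time to a larger space."""
    return sample_seconds * population / sample_size


def keyed_hash(number: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key: without the key nobody can precompute the
    table, but whoever holds the key can still re-identify every number."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def main() -> None:
    start = time.perf_counter()
    table = build_lookup_table(KEYSPACE)
    elapsed = time.perf_counter() - start
    target = "+31614242"  # constructed sample number
    print("reversed", lossy_hash(target)[:16] + "...", "->", reidentify(lossy_hash(target), table))
    est = extrapolate_seconds(len(KEYSPACE), elapsed, DUTCH_NUMBERS)
    print(f"table for {len(KEYSPACE)} numbers: {elapsed:.3f}s; "
          f"extrapolated to {DUTCH_NUMBERS:,}: ~{est / 60:.1f} min on this machine")
    secret = b"constructed-example-key"
    print("keyed digest found in unkeyed table:",
          reidentify(keyed_hash(target, secret), table) is not None)


if __name__ == "__main__":
    main()
```

The extrapolation is of course rough, but it lands in the range of minutes the DPA describes on ordinary hardware, which is the practical meaning of "lossy hashes are personal data": the transformation does not remove the ability to single out a person.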
Technology Policy
Kidnapping over a banking app. The Brazilian Central Bank tightens the rules for using the Pix national banking app for fast electronic payments. There is a growing problem of kidnapping people when kidnappers order someone to make a transfer: “We observe criminals specialized in other segments, such as theft and robbery of condominiums, who have started to take advantage of the opportunity to do lightning kidnapping. They realized that Pix allows them to transfer a large amount of money in a short period of time. In this way, they keep the victim detained and gain a significant advantage,” said the delegate. This problem is noticed in the official FAQ: “9 - Does Pix facilitate the action of kidnappers and other criminals?”
Well, yes.
AI not an inventor. A US judge ruled that an idea developed by an AI system cannot be patented. Law is for humans, and “AI” is out of scope: it cannot be the inventor.
Other
Joys of medical AI. “Three retrospective studies compared AI systems with the clinical decisions of the original radiologist, including 79 910 women, of whom 1878 had screen detected cancer or interval cancer within 12 months of screening. Thirty-four (94%) of 36 AI systems evaluated in these studies were less accurate than a single radiologist, and all were less accurate than consensus of two or more radiologists” (link).
In case you feel it's worth it to forward this letter further, I leave this thingy below: