For those tormented by the outages of this site and PVC Security, they are restored.

When we’re out of commission, please check:

UPDATE: Both sites are destined for a new location. Stay tuned, but if Paul does it right you won’t know.

UPDATE2: Paul won’t fix it right the first time so you, Dear Friend, will provide your own resilience. Keep the above links in your read-it-later or browser bookmarking solution of choice.

Georgia Supreme Court Rules that State Has No Obligation to Protect Personal Information:

Almost exactly one year after the stringent European General Data Protection Regulation came into effect (May 25, 2019), the Supreme Court of the [U.S.] state of Georgia has ruled (May 20, 2019) that the state government does not have an inherent obligation to protect citizens’ personal information that it stores.

The ruling relates to a case that dates back to 2013. A Georgia Department of Labor employee inadvertently emailed a spreadsheet containing the names, Social Security numbers, telephone numbers and email addresses of 4,457 people who had applied for benefits to about 1,000 people.

Thomas McConnell, whose details appeared on the spreadsheet, … had alleged negligence, breach of fiduciary duty, and invasion of privacy by public disclosure of private facts by the Department of Labor. Each of these claims has been rejected. The first to go was ‘negligence’ — dismissed because there is no requirement in law to protect the data of benefit claimants. Furthermore, McConnell’s claim that Georgia recognizes a “common law duty ‘to all the world not to subject others to an unreasonable risk of harm'” (Bradley Center, Inc. v. Wessner; 1982) does not, according to this ruling, set a precedent.

Furthermore, the existing identity theft statute does not explicitly require anything from a data storer, while the statute restricting disclosure of social security numbers only applies to intentional disclosures and not accidental exposures as appeared here.

The fiduciary duty claim was then dismissed because no public officer stood to gain from the incident, and there was no special relationship of confidence between McConnell and the Department.

Finally, the allegation of an invasion of privacy was rejected. The Supreme Court ruled that “the matter disclosed included only the name, social security number, home telephone number, email address, and age of individuals who had sought services or benefits from the Department. This kind of information does not normally affect a person’s reputation, which is the interest the tort of public disclosure of embarrassing private facts was meant to remedy.”

(Via SecurityWeek RSS Feed)

Georgia is setting a bad precedent. Municipalities and government agencies are being targeted for exactly this type of data. The idea that Georgia law only offers redress for actions of a malicious insider while providing for a “whoopsie” defense is absurd. 

Pillow fight:

Participants compete during the All Japan Pillow Fighting Championships in Ito, Shizuoka Prefecture, on Saturday.

© Reuters

(Via Japan Today)

I love that this exists, but what is that dude with the blanket doing? Is he a target?

From Jason Kottke:

AirPods. This is my favorite gadget in years, the first real VR/AR device that feels seamless … The freedom of wireless headphones feels similar to when I first used a laptop, wifi, and dockless bike share.

I cannot imagine how this is remotely true and Jason Kottke doesn’t elaborate.

I have a pair of AirPods. They are convenient but a regretted purchase. The device is not augmenting or virtualizing reality in any way. That is, until I take one Pod out of an ear and restart my music or podcast.

I used wireless headphones before the AirPods. They did what these do: play music; play podcasts; and do so without a wire (until charge-time).

Progress in Cybersecurity: Toward a System of Measurement by Paul Rosenzweig:

How do we quantify safety and security? That fundamental question underlies almost all modern national security questions (and, naturally, most commercial questions about risk as well). The cost/benefit analysis inherent in measuring safety and security drives decisions on, to cite just a few examples, new car safety devices, airplane maintenance schedules and the deployment of border security systems. In a world where resources are not infinite, some assessment of risk and risk mitigation necessarily attends any decision – whether it is implicit in the consideration or explicit.

What is true generally is equally true in the field of cybersecurity. Governments, commercial actors and private citizens who are considering new deployments of cybersecurity measures either explicitly or implicitly balance the costs to be incurred – whether monetary or in terms of disruptions caused by changes to enterprise and resulting (temporary) reductions in efficiency – against the benefits to be derived from the new steps under consideration.

The problem with this rather straightforward account of enterprise decisionmaking is that no universally recognized, generally accepted metric exists to measure and describe cybersecurity improvements. Unfortunately, for too many, cybersecurity remains more art than science.

Decisionmakers are left to make choices based upon qualitative measures, rather than quantitative ones. They can (and do) understand that a new intrusion detection system, for example, improves the security of an enterprise, but they cannot say with any confidence by how much it does so. Likewise, enterprise leadership can, and does, say that any deployment of a new system (say, an upgrade to an accounting package) will bring with it risks that unknown or previously non-existent vulnerabilities might manifest themselves. Yet, again, they cannot with confidence ask to what degree this is so and measure the change with confidence.

This challenge is fundamental to the maturation of an enterprise cybersecurity model. When a corporate board is faced with a security investment decision, it cannot rationally decide how to proceed without some concrete ability to measure the costs and benefits of its actions. Nor can it colorably choose between competing possible investments if their comparative value cannot be measured with confidence. Likewise, when governments choose to invest public resources or regulate private sector activities, they need to do so with as much information as possible – indeed, prudence demands it.

Because the problem of measuring cybersecurity is at the core of sound policy, law and business judgment, it is critical to get right. The absence of agreed-upon metrics to assess cybersecurity means many companies and agencies lack a comprehensive way to measure concrete improvements in their security. We should strive toward an end state where investment and resource allocation decisions relating to cybersecurity are guided by reference to one (or more than one) generally accepted, readily applicable method of measuring improvements in cybersecurity.

It is a good read focused on software.

One of the challenges of a security program, of course, is how to measure objectively how well the program is working.

It’s not often I can write a piece about cybersecurity that is generally optimistic. But these two new efforts do make me smile a bit.

So true.

Japan folks, please pay attention!

Hackers Access Over 461,000 Accounts in Uniqlo Data Breach:

Fast Retailing, the company behind multiple Japanese retail brands, announced that the UNIQLO Japan and GU Japan online stores have been hacked and third parties accessed 461,091 customer accounts following a credential stuffing attack.

As detailed in the official statement issued by Fast Retailing following the security breach, the credential stuffing attack which led to the data breach took place between April 23 and May 10, 2019, with the number of compromised accounts possibly being higher seeing that the investigation has not yet concluded.

“While the number of incidents and circumstances may change during the course of the investigation, Fast Retailing is today providing notice of the facts as determined at the present time, and the company’s response,” says Fast Retailing.

The company also listed the customer information which got accessed during the attack:

• Customer name (last name and first name)
• Customer address (postal code, address, and apartment number)
• Customer phone number, mobile phone number, email address, gender, date of birth, purchase history, and clothing measurements
• Receiver name (last name and first name), address, and phone number
• Customer partial credit card information (cardholder name, expiration date, and portion of credit card number). The credit card numbers potentially accessed are hidden, other than the first four and last four digits. In addition, the CVV number (credit card security code) is not displayed or stored.

On May 13, Fast Retailing disabled the account passwords of 461,091 UNIQLO Japan and GU Japan online shop customers and started sending emails to all affected individuals to reset their passwords.

Fast Retailing discovered the breach after multiple customer reports of weird account activity and blocked the attackers from accessing the company’s computing systems, while also “strengthening monitoring of other access points.”

“Fast Retailing has also filed a report of damages regarding the unauthorized logins with the Tokyo Metropolitan Police,” states the data breach notification.

The company concludes the data breach notification [EN, JP] by asking all its customers to change their passwords, especially if they’re also using them on other online platforms:

Fast Retailing is therefore requesting everyone who uses the same user ID or password with other services, not just the customers who have been contacted individually, to change their passwords immediately. The company recognizes that protecting customer information is a matter of the highest priority, considering this incident extremely serious, and is strengthening monitoring of unauthorized access, as well as taking other steps to further ensure that customers are able to shop with safety.

Customers who want more details regarding the data breach can contact the company’s customer service team using the free of charge 0800-000-1022 support phone line “available 9:00-17:00, including weekends and holidays,” or via e-mail at [email protected]

While the number of Fast Retailing online customers is not public, “Internet sales made up 10% of domestic sales in the first half of the company’s current fiscal year,” as Bloomberg initially reported.

(Via BleepingComputer)

I like how fast this was disclosed. I don’t like that I learned about it from a non-Japanese news source.
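The breach above was a credential stuffing attack, and Fast Retailing's response was to find the accounts that had been logged into and force a password reset on them. The telltale pattern of stuffing in a login log is one source address trying many distinct usernames in a short window with mostly failures, with the occasional success being the reused credential that actually worked. The following is an added example, not code from the article or from Fast Retailing, that scans constructed login log lines for that pattern and lists the accounts a defender would reset. The log format (`ip=`, `user=`, `result=`), the addresses, the usernames and the thresholds (60-second window, at least 5 distinct users, at least half failures) are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real traffic). 203.0.113.5 runs a stuffing
# burst against eight different accounts and gets two hits; 198.51.100.7 is a
# legitimate user mistyping a password; 198.51.100.9 is a normal single login.
SAMPLE_LOG = """\
2019-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-05-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-05-01T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2019-05-01T10:00:04Z ip=203.0.113.5 user=dave result=OK
2019-05-01T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2019-05-01T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2019-05-01T10:00:07Z ip=203.0.113.5 user=gina result=OK
2019-05-01T10:00:08Z ip=203.0.113.5 user=hank result=FAIL
2019-05-01T10:01:10Z ip=198.51.100.7 user=ivan result=FAIL
2019-05-01T10:01:25Z ip=198.51.100.7 user=ivan result=FAIL
2019-05-01T10:01:40Z ip=198.51.100.7 user=ivan result=OK
2019-05-01T10:02:00Z ip=198.51.100.9 user=judy result=OK
this line is not in the assumed format and is skipped
"""

# Assumed line format: "<ISO timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log text into (timestamp, ip, user, success) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    events.sort()
    return events


def _has_stuffing_window(evs, window, min_users, min_fail_ratio):
    """Slide a time window over one source's events; True if any window
    holds >= min_users distinct usernames with a failure ratio >= min_fail_ratio."""
    start = 0
    for end in range(len(evs)):
        while evs[end][0] - evs[start][0] > window:
            start += 1
        win = evs[start:end + 1]
        users = {e[2] for e in win}
        failures = sum(1 for e in win if not e[3])
        if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
            return True
    return False


def detect_credential_stuffing(events, window=timedelta(seconds=60),
                               min_users=5, min_fail_ratio=0.5):
    """Return {ip: summary} for every source that shows the stuffing pattern.
    'compromised_accounts' are usernames that logged in successfully from a
    flagged source; those are the accounts to lock and reset."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        if not _has_stuffing_window(evs, window, min_users, min_fail_ratio):
            continue  # single-user retries and normal logins never trip this
        findings[ip] = {
            "attempts": len(evs),
            "distinct_users": len({e[2] for e in evs}),
            "failures": sum(1 for e in evs if not e[3]),
            "compromised_accounts": sorted({e[2] for e in evs if e[3]}),
        }
    return findings


def accounts_to_reset(findings):
    """Union of compromised accounts across all flagged sources."""
    accounts = set()
    for summary in findings.values():
        accounts.update(summary["compromised_accounts"])
    return sorted(accounts)


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, summary in found.items():
        print(ip, summary)
    print("reset:", accounts_to_reset(found))
```

The distinct-user count is what separates stuffing from a forgetful customer: 198.51.100.7 fails twice but against one account, so it is never flagged, while the burst from 203.0.113.5 is flagged on the first window that reaches five distinct usernames. In a real deployment the source key would usually be widened beyond a single IP (attackers spread attempts across proxies), which is the kind of change the "strengthening monitoring of other access points" line in the notice points at.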

I have a cool video of Mr. (or Ms., women can be lizards too) Lizard. My site won’t let me upload it right now though. The Chinese couple next to me noticed it first with a shrill cry of surprise that I’m almost positive came from the man.

As typical, the Doubletree was outstanding.

Ride to the airport was good, but I was ill prepared for the mess that was Taipei airport. Long lines, security staff apparently trained in the TSA school of incompetence and rudeness, and moving walkways moving … oddly.

I got into one of the Priority Pass lounges that was rated poorly. I found it very good. The only complaint I had was that the bathroom is outside of the lounge, but if that was the worst that would happen it would be a good day.

It wasn’t.

The EVA Air staff was again poor. Again, we arrived late. The immigration folks at Narita were uncharacteristically inefficient – I was given bad information twice. Then the Narita Express ticket agent was rude. She directed me to the lower level desk (I think because she was on social media) and they pointed me to the self service machines where I proceeded to buy the wrong ticket in roughly the right direction.

I got home about an hour later than expected.

I’m glad I took the trip but I should have done half in Bali and half in Taipei.

… in which I end up back in Taipei three hours late …

Another great breakfast and another swim in the ocean. Check out was noon so I got my fill before taking the ride to the airport.

I learned EVA Air is going through a labor dispute, so service was middling at best. We took off late and arrived at the gate even later. By the time I cleared immigration and customs and got a cab it was already after 22:00.

Another nice brief stay at the Doubletree. When I go back for a proper visit I will definitely stay there again. Of all the hotels on this trip, I liked this one the best.

This is my last full day in Bali. Tomorrow midday I head to the airport where I hope there’s not a repeat of inbound immigration (UPDATE: there wasn’t).

I started my day at the breakfast buffet.

It. Is. Huge. And delicious! I’m glad I didn’t take the Hilton points in lieu.

Then I swam in the ocean again. One of the things I forgot to mention is how steep the slope is around high tide. One’s ankles are likely to be pummeled by stones caught in the surf while one’s arms are tangled in biomass on the surface.

Low tide shows a very different landscape. The slope is shallow and rock. Not rocky. Rock, pasted with sea foliage. I destroyed a set of hotel flip-flops trying to walk out on it.

Dinner that night was another ride into the village.

Yes. More pork. Again, delicious. Again, the restaurant offered a free shuttle back.

One thing that really irritated me at the Hilton was that no one asked me how my stay was but I was solicited to buy spa treatments 6 times and encouraged to eat at the restaurant twice. Somehow I will overcome.