Stop Trying to Violently Separate Privacy and Security

Stop Trying to Violently Separate Privacy and Security:

Let’s focus all this Pedantic-Chi Energy on finding, classifying, and protecting the data in the first place. That’s what companies actually need help with.

(Via Daniel Miessler)

It’s an epic rant that Daniel wrote. His emotions are almost palpable when you read it. This would be more powerful if he stepped away emotionally. The post gets nasty at times, and personal attacks aren’t warranted.

The message, almost lost in Daniel’s frustration, is valid: the distinction between security and privacy is small. I tend to agree.

[Orin Kerr] How to Read a Legal Opinion

[Orin Kerr] How to Read a Legal Opinion:

A guide for new law students — and others.

With law schools set to open their doors in a few weeks to a new 1L class, it’s time for my annual posting of my 2007 essay, How to Read a Legal Opinion: A Guide for New Law Students. As the abstract explains:

This essay is designed to help new law students prepare for the first few weeks of class. It explains what judicial opinions are, how they are structured, and what law students should look for when reading them.

I’m told that some non-lawyers also have found the essay valuable as an introduction to reading cases.

(Via The Volokh Conspiracy)

The essay is a free PDF download.

As more and more cybersecurity case law is established, and as more and more existing case law is pressed into cybersecurity service, being able to read and understand the basics of a legal opinion isn’t just the realm of the compliance team any more.

New Data Privacy Regulations

New Data Privacy Regulations:

Surveillance is the business model of the internet. It’s not just the big companies like Facebook and Google watching everything we do online and selling advertising based on our behaviors; there’s also a large and largely unregulated industry of data brokers that collect, correlate and then sell intimate personal data about our behaviors. If we make the reasonable assumption that Congress is not going to regulate these companies, then we’re left with the market and consumer choice. The first step in that process is transparency. These new laws, and the ones that will follow, are slowly shining a light on this secretive industry.

(Via Schneier on Security)

Censorship in the Age of Large Cloud Providers

Censorship in the Age of Large Cloud Providers:

Whatever its current frustrations, Russia might well win in the long term. By demonstrating its willingness to suffer the temporary collateral damage of blocking major cloud providers, it prompted cloud providers to block another and more effective anti-censorship tactic, or at least accelerated the process. In April, Google and Amazon banned—and technically blocked—the practice of “domain fronting,” a trick anti-censorship tools use to get around Internet censors by pretending to be other kinds of traffic. Developers would use popular websites as a proxy, routing traffic to their own servers through another website—in this case—to fool censors into believing the traffic was intended for The anonymous web-browsing tool Tor has used domain fronting since 2014. Signal, since 2016. Eliminating the capability is a boon to censors worldwide.

Tech giants have gotten embroiled in censorship battles for years. Sometimes they fight and sometimes they fold, but until now there have always been options. What this particular fight highlights is that internet freedom is increasingly in the hands of the world’s largest internet companies. And while freedom may have its advocates—the American Civil Liberties Union has tweeted its support for those companies, and some 12,000 people in Moscow protested against the Telegram ban—actions such as disallowing domain fronting illustrate that getting the big tech companies to sacrifice their near-term commercial interests will be an uphill battle. Apple has already removed anti-censorship apps from its Chinese app store.

In 1993, John Gilmore famously said that “The Internet interprets censorship as damage and routes around it.” That was technically true when he said it but only because the routing structure of the Internet was so distributed. As centralization increases, the Internet loses that robustness, and censorship by governments and companies becomes easier.

(Via Lawfare – Hard National Security Choices)

Sorting Through GDPR: What to Watch After May 25

Sorting Through GDPR: What to Watch After May 25:

A lot of concerns have been bandied about in anticipation of the regulation’s launch, so I’ve taken the initiative to outline the key national security and data-privacy threads worth tracking after GDPR goes into effect:

(Via Lawfare – Hard National Security Choices)

Solid write-up on next steps.

I think no one learned a valuable lesson …

Yahoo gets $35 million slap on wrist for failing to disclose colossal 2014 data breach

The SEC forced Yahoo to pay $35 million in penalties to settle charges that it misled investors. The breach has been widely publicized and is considered one of the largest data breaches on record.

Yahoo’s operating business, now known as Altaba, was acquired last year by Verizon for $4 billion.

What would have been paid under GDPR? $198M if this article is correct.

Calling this a “slap on the wrist” is an insult to wrist slaps everywhere.

Accessing Facebook …

Quick summary of how I use Facebook:

  1. Launch a VPN
  2. Use a private browser (with ad blocking) to navigate
  3. Do my Facebook stuff
  4. Log out of Facebook and then quit the private browser after clearing my browsing history
  5. Disconnect from the VPN

The moral of the story is that I use Facebook so long as it offers me value. However, I do not use it trivially. If and when I log in, it is with purpose and my session lasts exactly as long as I want.

I set myself up for success:

  • I have no app connections or integrations (with my personal website posts going away soon)
  • I don’t use Facebook for authentication anywhere
  • I do not have any of the mobile apps installed (other than Instagram, and only for the moment)
  • I set up two-factor authentication for Facebook login using an Authenticator app (not SMS or email)

What I thoughtlessly shared on Facebook is out there. Time and experience will tell the usefulness of that information and the impact of my data hygiene regimens.

What are you doing to reduce your social media surface and/or take ownership of your data?

DNS for privacy, security, and performance

Cloudflare and Quad9 Aim to Improve DNS

Cloudflare and Quad9 offer public DNS servers that provide a combination of verification, privacy-focused protocols, and encryption to mitigate DNS’s leaks and flaws.

I’ll cut to the chase to tell you how to configure your devices to use these services before getting into the nitty-gritty of how DNS works and how these services improve on an insecure and easy-to-corrupt

(Via TidBITS)

Go to the article for the how, but …

For the different services, the IP addresses to enter are: Cloudflare: and (see note below) Google Public DNS: and Quad9: and

The last 60% of the article is a solid, easy-to-understand write-up on DNS and on how Quad9 and Cloudflare (and, to a lesser extent, Google) are trying to address its inherent issues and risks without a complete redesign (see the last section in the article).

Nevertheless, every step you take toward greater security and privacy is a positive one. It’s important to think about where your data ends up, and only you can decide whether having your queries available to Cloudflare, Google, or Quad9 is an improvement over your existing exposure to your ISP, which may not employ any of the above mitigations.

Full Disclosure: I work for IBM, a founding member of Quad9.

You know who does creepier stuff with your data than Cambridge Analytica? Your ISP
So please #DeleteFacebook, but then remember that your ISP is the original creeper, and your Congressjerk is probably in their pocket, and make that a midterm election issue. We can’t win all the really important fights — climate, racial justice, sexual and gender justice, inequality — without an internet to organize with, so we must take the net back to secure those other victories.

Setting aside the name calling, this is definitely true in the US. I’m not sure about other countries.

The Cambridge Analytica-Facebook Debacle: A Legal Primer

Another strong, largely hyperbole-free summary from Lawfare, including the possible legal ramifications.

The Cambridge Analytica-Facebook Debacle: A Legal Primer:

What Happened?

On March 17, the New York Times that Cambridge Analytica, the British data analysis firm with ties to Robert Mercer and Stephen K. Bannon and that was hired by the Trump campaign, “harvested private information from the Facebook profiles of more than 50 million users without their permission.” This set off a firestorm in the U.S. and the U.K. as regulators announced they would get to the bottom of what went wrong. Sen. Ron Wyden asked Facebook a . Massachusetts Attorney General Maura Healey into the matter, followed by the . And the U.K.’s information commissioner, Elizabeth Denham, said she would . This in turn —down nearly 7 percent by the market’s close on Monday, March 19 and down nearly another two points on Tuesday, March 20. On Monday night, the New York Times revealed that Facebook’s chief security officer, Alex Stamos, is after much internal disagreement with the way the firm handled concerns about misinformation in the 2016 elections.

(Via Lawfare – Hard National Security Choices)
