Law enforcement needs to protect citizens and their data

Over the past several years, the law enforcement community has grown increasingly concerned about the conduct of digital investigations as technology providers enhance the security protections of their offerings—what some of my former colleagues refer to as “going dark.”

Data once readily accessible to law enforcement is now encrypted, protecting consumers’ data from hackers and criminals. However, these efforts have also had what Android’s security chief called the “unintended side effect” of also making this data inaccessible to law enforcement. Consequently, many in the law enforcement community want the ability to compel providers to allow them to bypass these protections, often citing physical and national security concerns.

I know first-hand the challenges facing law enforcement, but these concerns must be addressed in a broader security context, one that takes into consideration the privacy and security needs of industry and our citizens in addition to those raised by law enforcement.

Perhaps the best example of the law enforcement community’s preferred solution is Australia’s recently passed Assistance and Access Bill, an overly broad law that allows Australian authorities to compel service providers, such as Google and Facebook, to re-engineer their products and bypass encryption protections so that law enforcement can access customer data.

While the bill includes limited restrictions on law enforcement requests, the vague definitions and concentrated authorities give the Australian government sweeping powers that ultimately undermine the security and privacy of the very citizens they aim to protect. Major tech companies, such as Apple and Facebook, agree and have been working to resist the Australian legislation and a similar bill in the UK.


Newly created encryption backdoors and work-arounds will become the target of criminals, hackers, and hostile nation states, offering new opportunities for data compromise and attack through the newly created tools and the flawed code that inevitably accompanies some of them. These backdoors undermine providers’ efforts to secure their customers’ data, introducing new and powerful vulnerabilities even as companies struggle to address existing ones.

And these vulnerabilities would not only impact private citizens, but governments as well, including services and devices used by the law enforcement and national security communities. This comes amidst government efforts to significantly increase corporate responsibility for the security of customer data through laws such as the EU’s General Data Protection Regulation. Who will consumers, or the government, blame when a government-mandated backdoor is used by hackers to compromise user data? Who will be responsible for the damage?

Companies have a fiduciary responsibility to protect their customers’ data, which not only includes personally identifiable information (PII), but their intellectual property, financial data, and national security secrets.

Worse, the vulnerabilities created under laws such as the Assistance and Access Bill would be subject almost exclusively to the decisions of law enforcement authorities, leaving companies unable to make their own decisions about the security of their products. How can we expect a company to protect customer data when their most fundamental security decisions are out of their hands?


Thus far law enforcement has chosen to downplay, if not ignore, these concerns—focusing singularly on getting the information they need. This is understandable—a law enforcement officer should use every power available to them to solve a case, just as I did when I served as a State Trooper and as an FBI Special Agent, including when I served as Executive Assistant Director (EAD) overseeing the San Bernardino terror attack case during my final months in 2015.

Decisions regarding these types of sweeping powers should not and cannot be left solely to law enforcement. It is up to the private sector, and our government, to weigh competing security and privacy interests. Our government cannot sacrifice the ability of companies and citizens to properly secure their data and systems in the name of often vague physical and national security concerns, especially when there are other ways to remedy the concerns of law enforcement.

That said, these security responsibilities cut both ways. Recent data breaches demonstrate that many companies have a long way to go to adequately protect their customers’ data. Companies cannot reasonably cry foul over the negative security impacts of proposed law enforcement data access while continuing to neglect and undermine the security of their own users’ data.

Providers and the law enforcement community should be held to robust security standards that ensure the security of our citizens and their data—we need legal restrictions on how government accesses private data and on how private companies collect and use the same data.

There may not be an easy answer to the “going dark” issue, but it is time for all of us, in government and the private sector, to understand that enhanced data security through properly implemented encryption and data use policies is in everyone’s best interest.

The “extraordinary” access sought by law enforcement cannot exist in a vacuum—it will have far-reaching and significant impacts well beyond the narrow confines of a single investigation. It is time for a serious conversation between law enforcement and the private sector to recognize that their security interests are two sides of the same coin.

European Parliament DDoSed after declaring Russia a sponsor of terrorism


An iteration of what happens when your site gets shut down by a DDoS attack.

The European Parliament website was knocked offline for several hours on Wednesday by a distributed denial-of-service (DDoS) attack that started shortly after the governing body voted to declare the Russian government a state sponsor of terrorism.

European Parliament President Roberta Metsola confirmed the attack on Wednesday afternoon European time, while the site was still down. “A pro-Kremlin group has claimed responsibility,” she wrote on Twitter. “Our IT experts are pushing back against it & protecting our systems. This, after we proclaimed Russia as a State-sponsor of terrorism.”

While this post was being reported and written, the website became available again and appeared to work normally.

The pro-Kremlin group Metsola referred to is likely the one known as Killnet, which emerged at the start of Russia’s invasion of Ukraine and has posted claims of DDoS attacks in countries supporting the smaller nation. Targets have included police departments, airports, and governments in Lithuania, Germany, Italy, Romania, Norway, and the United States.

Shortly after Wednesday’s attack against the European Parliament started, Killnet members took to a private channel on Telegram to post screenshots showing the European Parliament website was unavailable in 23 countries. Text accompanying the images made a homophobic remark directed at the legislative body.

The outage occurred shortly after the parliament overwhelmingly voted to declare the Kremlin a sponsor of terrorism.

Members of the European Parliament “highlight that the deliberate attacks and atrocities committed by Russian forces and their proxies against civilians in Ukraine, the destruction of civilian infrastructure and other serious violations of international and humanitarian law amount to acts of terror and constitute war crimes,” the declaration stated. “In light of this, they recognize Russia as a state sponsor of terrorism and as a state that ‘uses means of terrorism.’”

The resolution was adopted with 494 votes in favor, and 58 against. There were 44 abstentions.

DDoS attacks typically harness the bandwidth of hundreds, thousands, and in some cases, millions of computers infected with malware. Once the attackers control these machines, they direct them to bombard a target site with more traffic than it can accommodate, forcing it to deny service to legitimate users. Traditionally, DDoS has been among the crudest forms of attack because it relies on brute force to silence its targets.

Over the years, DDoSes have become more advanced. In some cases, the attackers can increase the bandwidth by as much as a thousand-fold using amplification methods, which send data to a misconfigured third-party site, which then returns a much larger amount of traffic to the target.

Another innovation has been designing attacks that exhaust the computing resources of a server. Rather than clogging the pipe between the website and the would-be visitors—the way more traditional volumetric DDoSes work—packet-per-second attacks send specific types of compute-intensive requests to a target in an attempt to bring the hardware connected to the pipe to a standstill.
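As an added illustration of the two attack shapes just described (this script is not part of the original article), the constructed Python below aggregates per-second flow records and labels a window as volumetric when it approaches the assumed link capacity, or packet-rate when it approaches the assumed packet budget of the host behind that link. The flow records, addresses, link size and thresholds are all assumptions for the example.

```python
"""Classify one-second traffic windows as volumetric or packet-rate floods.

Constructed example for the DDoS explanation above; thresholds are illustrative
and must be tuned to the real baseline of the protected link and server.
"""
from collections import defaultdict

# Constructed flow records: (second, src_ip, packets, bytes) aggregated per source.
SAMPLE_FLOWS = [
    (0, "203.0.113.10", 40, 60_000),
    (0, "203.0.113.11", 35, 52_000),
    (1, "203.0.113.10", 38, 57_000),
    (1, "198.51.100.7", 900_000, 60_000_000),   # ~66-byte packets, huge pps
    (2, "203.0.113.12", 42, 63_000),
    (2, "192.0.2.5", 60_000, 90_000_000),       # 1500-byte packets, link saturation
]

LINK_BPS = 1_000_000_000          # assumed 1 Gbit/s uplink
SERVER_PPS = 500_000              # assumed packets/s the host can process
VOLUMETRIC_RATIO = 0.5            # flag when >50% of link capacity in one second
PACKET_RATE_RATIO = 0.8           # flag when >80% of the host's packet budget

def aggregate(flows):
    """Sum packets and bytes per one-second window and remember the top talker."""
    windows = defaultdict(lambda: {"packets": 0, "bytes": 0, "top": (None, 0)})
    for second, src, packets, nbytes in flows:
        w = windows[second]
        w["packets"] += packets
        w["bytes"] += nbytes
        if packets > w["top"][1]:
            w["top"] = (src, packets)
    return windows

def classify(window):
    """Return 'volumetric', 'packet-rate' or 'normal' for one window."""
    bps = window["bytes"] * 8
    pps = window["packets"]
    if bps >= LINK_BPS * VOLUMETRIC_RATIO:
        return "volumetric"        # the pipe between site and visitors is clogged
    if pps >= SERVER_PPS * PACKET_RATE_RATIO:
        return "packet-rate"       # the hardware behind the pipe is the bottleneck
    return "normal"

def detect(flows):
    """Map each second to (verdict, pps, bps, top_talker)."""
    out = {}
    for second, w in sorted(aggregate(flows).items()):
        out[second] = (classify(w), w["packets"], w["bytes"] * 8, w["top"][0])
    return out

if __name__ == "__main__":
    for second, (verdict, pps, bps, top) in detect(SAMPLE_FLOWS).items():
        print(f"t={second}s {verdict:12s} pps={pps:>8} bps={bps:>12} top={top}")
```

The two floods are deliberately built so that each trips only one threshold: the packet-rate window stays under half the link capacity, while the volumetric window has far fewer packets than the host's budget.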

Metsola said the DDoS attacks on the European Parliament were “sophisticated,” a word that’s often misused to describe DDoSes and hacks. She provided no details to corroborate that assessment.

Apple iPhone factory workers clash with police in China


Workers walk outside Hon Hai Group’s Foxconn plant in Shenzhen, China, in 2010.

Violent worker protests have erupted at the world’s largest iPhone factory in central China as authorities at the Foxconn plant struggle to contain a COVID-19 outbreak while maintaining production ahead of the peak holiday season.

Workers at the factory in Zhengzhou shared more than a dozen videos that show staff in a standoff with lines of police armed with batons and clad in white protective gear. The videos show police beating workers, with some bleeding from their heads and others limping away from chaotic clashes.

Beijing’s strict zero-COVID regime has posed big challenges for the running of Foxconn’s Zhengzhou plant, which typically staffs more than 200,000 workers on a large campus in the city’s suburbs.

Wednesday’s unrest will heighten investor concerns about supply chain risk at Apple, with more than 95 percent of iPhones produced in China.

Problems at the plant earlier this month led Apple to cut estimates for high-end iPhone 14 shipments and to issue a rare warning to investors over the delays.

Two workers at the Foxconn factory said the protests broke out on Wednesday morning after Apple’s manufacturing partner attempted to deny bonuses promised to new workers put into quarantine before being sent to assembly lines.

“Initially they just went into the plant seeking an explanation from executives, but they [the executives] didn’t show their faces and instead called the police,” said one of the workers.

Another worker said there was growing discontent over the factory’s continued inability to curb a COVID outbreak, tough living conditions, and fear among staff that they would test positive.

Foxconn said the company would work with employees and the government to prevent further violent acts.

The company said it had always fulfilled its contracts and would continue to “communicate and explain” that to new staff. It said reports that the company had mixed COVID positive workers with those not yet infected were untrue.

Videos show workers flipping over carts on the Foxconn campus, charging into the factory’s offices and bashing a COVID testing booth. Live streams from the scene on Wednesday afternoon showed groups of workers milling about in a courtyard between buildings. Some workers were livestreaming the protests on social media until censors stepped in to cut off the broadcasts.

“The Foxconn situation raises concern for China’s leaders because it challenges the narrative of being a reliable supplier,” said Shan Guo at Plenum China Research. “It’s clear workers are not happy being locked down,” she said.

Foxconn has been working with the local government in Henan province, where the plant is located, to repopulate its assembly lines with new workers after a mass staff exodus late last month spurred by conditions at the plant.

Local officials have been tasked with helping send workers to the plant, which is a big taxpayer and was responsible for 60 percent of the province’s exports in 2019.

Ivan Lam, an analyst at Counterpoint Research, said Foxconn had already been shifting iPhone 14 production away from the Zhengzhou factory amid the COVID problems. He estimated the Zhengzhou plant’s share of total iPhone 14 production was down to about 60 percent today from about 80 percent before the outbreak began.

Apple did not immediately respond to requests for comment.

© 2022 The Financial Times Ltd. All rights reserved.

Meta researchers create AI that masters Diplomacy, tricking human players


A screenshot of an online game of Diplomacy, including a running chat dialog, provided by a Cicero researcher.

On Tuesday, Meta AI announced the development of Cicero, which it claims is the first AI to achieve human-level performance in the strategic board game Diplomacy. It’s a notable achievement because the game requires deep interpersonal negotiation skills, which implies that Cicero has obtained a certain mastery of the language necessary to win the game.

Even before Deep Blue beat Garry Kasparov at chess in 1997, board games were a useful measure of AI achievement. In 2015, another barrier fell when AlphaGo defeated Go master Lee Sedol. Both of those games follow a relatively clear set of analytical rules (although Go’s rules are typically simplified for computer AI).

But with Diplomacy, a large portion of the gameplay involves social skills. Players must show empathy, use natural language, and build relationships to win—a difficult task for a computer player. With this in mind, Meta asked, “Can we build more effective and flexible agents that can use language to negotiate, persuade, and work with people to achieve strategic goals similar to the way humans do?”

According to Meta, the answer is yes. Cicero learned its skills by playing an online version of Diplomacy on webDiplomacy.net. Over time, it became a master at the game, reportedly achieving “more than double the average score” of human players and ranking in the top 10 percent of people who played more than one game.

To create Cicero, Meta pulled together AI models for strategic reasoning (similar to AlphaGo) and natural language processing (similar to GPT-3) and rolled them into one agent. During each game, Cicero looks at the state of the game board and the conversation history and predicts how other players will act. It crafts a plan that it executes through a language model that can generate human-like dialog, allowing it to coordinate with other players.

A block diagram of Cicero, the Diplomacy-playing bot, provided by Meta AI.

Meta calls Cicero’s natural language skills a “controllable dialog model,” which is where the heart of Cicero’s personality lies. Like GPT-3, Cicero pulls from a large corpus of Internet text scraped from the web. “To build a controllable dialogue model, we started with a 2.7 billion parameter BART-like language model pre-trained on text from the internet and fine tuned on over 40,000 human games on webDiplomacy.net,” writes Meta.

The resulting model mastered the intricacies of a complex game. “Cicero can deduce, for example, that later in the game it will need the support of one particular player,” says Meta, “and then craft a strategy to win that person’s favor—and even recognize the risks and opportunities that that player sees from their particular point of view.”

Meta’s Cicero research appeared in the journal Science under the title, “Human-level play in the game of Diplomacy by combining language models with strategic reasoning.”

As for wider applications, Meta suggests that its Cicero research could “ease communication barriers” between humans and AI, such as maintaining a long-term conversation to teach someone a new skill. Or it could power a video game where NPCs can talk just like humans, understanding the player’s motivations and adapting along the way.

At the same time, this technology could be used to manipulate humans by impersonating people and tricking them in potentially dangerous ways, depending on the context. Along those lines, Meta hopes other researchers can build on its code “in a responsible manner,” and says it has taken steps toward detecting and removing “toxic messages in this new domain,” which likely refers to dialog Cicero learned from the Internet texts it ingested—always a risk for large language models.

Meta provided a detailed site to explain how Cicero works and has also open-sourced Cicero’s code on GitHub. Online Diplomacy fans—and maybe even the rest of us—may need to watch out.
