Inside Out Security


Our podcast takes up the big questions of security, risk, and vulnerabilities. A weekly discussion with experts and the Varonis team.

Varonis


    Latest episode: Feb 27, 2023
    New episodes: infrequent
    Average duration: 23m
    Episodes: 173

    Rating: 4.9 from 48 ratings. Listeners of Inside Out Security who love the show mention: infosec podcast, data privacy, great security, security podcast, cyber, software, makes you think, technology, speakers, various, field, date, space, face, knowledgeable, great guests, valuable, industry, relevant, discussion.




    Latest episodes from Inside Out Security

    A new beginning

    Feb 27, 2023 · 0:50


    We're back! Kind of. We'll soon relaunch this podcast and wanted to give you a quick update on what's happening.

    New Hacking with Friends Livestream!

    Jun 23, 2020 · 0:48


    Thanks for watching the first season of the security tools podcast! Want more? We're live on the SecurityFwd YouTube channel twice per week! Come hack with us or watch any of the previously recorded streams.

    Hacking Through School: College Cybersecurity Jobs with Nick Godshall

    May 14, 2020 · 49:26


    Nick's Twitter: https://twitter.com/nickgodshall
    Kody's Twitter: https://twitter.com/kodykinzie
    Varonis Cyber Attack Workshop: https://www.varonis.com/cyber-workshop/

    Catching Russian Hackers in Decommissioned Servers with Adrian from Thinkst

    Apr 28, 2020 · 50:50


    Canary Tokens - https://canarytokens.org/generate
    Learn more about canaries - https://canary.tools/
    Adrian's Twitter - https://twitter.com/sawaba

    Breaking Facial Recognition With Vic From F-Secure

    Apr 7, 2020 · 58:35


    Apologies for the scratchy mic!
    Vic's Blog on Defeating Facial Recognition: https://vicharkness.co.uk/2019/02/01/the-art-of-defeating-facial-detection-systems-part-two-the-art-communitys-efforts/
    Check out Vic's Twitter: https://twitter.com/VicHarkness
    Kody's Twitter: https://twitter.com/kodykinzie
    Varonis Cyber Attack Workshop: https://www.varonis.com/cyber-workshop/

    Automating the Fight Against Scammers & Unfair Parking Tickets with DoNotPay

    Mar 14, 2020 · 43:54


    Joshua's Twitter: https://twitter.com/jbrowder1
    DoNotPay's website: https://donotpay.com
    Sue Phone Scammers: https://donotpay.com/learn/robocall-compensation
    This podcast is brought to you by Varonis. If you'd like to learn more, check out the Cyber Attack Lab at https://www.varonis.com/cyber-workshop/

    Hacking the Wi-fi of Today & Tomorrow With Mathy Vanhoef

    Mar 4, 2020 · 66:49


    Mathy's Website: https://www.mathyvanhoef.com
    Mathy's YouTube Channel: https://twitter.com/vanhoefm
    Mathy's Paper on Defeating MAC Address Randomization: https://papers.mathyvanhoef.com/asiaccs2016.pdf
    This podcast is brought to you by Varonis. If you'd like to learn more, check out the Cyber Attack Lab at https://www.varonis.com/cyber-workshop/

    Arduino Hacking with Seytonic

    Feb 15, 2020 · 49:16


    Seytonic's Malduino Website: https://maltronics.com/
    Seytonic's Website: https://seytonic.com/
    Seytonic's YouTube Channel: https://www.youtube.com/channel/UCW6xlqxSY3gGur4PkGPEUeA
    This podcast is brought to you by Varonis. If you'd like to learn more, check out the Cyber Attack Lab at https://www.varonis.com/cyber-workshop/

    CreepDetector - Detecting Stalkers with Wardriving

    Feb 1, 2020 · 47:24


    Alex's Website: http://alexlynd.com
    Check out the Creep Detector Video: https://www.youtube.com/watch?v=ug9dHwm3h0s
    Alex Lynd's Twitter: https://twitter.com/alexlynd
    Check out Alex's GitHub: https://github.com/AlexLynd
    This podcast is brought to you by Varonis. If you'd like to learn more, check out the Cyber Attack Lab at https://www.varonis.com/cyber-workshop/

    Maltego - Open-source Intelligence and Forensics

    Jan 20, 2020 · 50:10


    Check out Maltego: https://www.maltego.com/
    Maltego Twitter: https://twitter.com/maltegohq
    Check out Maltego use cases: https://docs.maltego.com/support/solutions/articles/15000012022-use-cases
    This podcast is brought to you by Varonis. If you'd like to learn more, check out the Cyber Attack Lab at https://www.varonis.com/cyber-workshop/

    Objective-See - Advanced MacOS Security Tools by Ex-NSA Hacker Patrick Wardle

    Dec 16, 2019 · 56:23


    Check out Objective-See: https://objective-see.com/
    Objective-See Twitter: https://twitter.com/objective_see
    Objective-See Patreon: https://www.patreon.com/objective_see
    While In Russia: Patrick's RSA talk on hacking journalists -
    Patrick's Twitter: https://twitter.com/patrickwardle
    This podcast is brought to you by Varonis. If you'd like to learn more, check out the Cyber Attack Lab at https://www.varonis.com/cyber-workshop/

    ESP8266 - The Low-cost Wi-Fi Microchip with a Full TCP/IP Stack

    Nov 22, 2019 · 48:52


    Stefan's Site with links to all of his projects: https://spacehuhn.io/
    Twitter: https://twitter.com/spacehuhn
    YouTube: https://www.youtube.com/channel/UCFmjA6dnjv-phqrFACyI8tw
    An overview of the ESP8266: https://www.espressif.com/en/products/hardware/esp8266ex/overview
    Stefan's GitHub: https://github.com/spacehuhn
    ESP8266 Deauther 2.0: https://github.com/spacehuhn/esp8266_deauther
    WiFi Duck - Wireless injection attack platform: https://github.com/spacehuhn/WiFiDuck
    WiFi Satellite - monitoring and logging 2.4GHz WiFi traffic
    This podcast is brought to you by Varonis. If you'd like to learn more, check out the Cyber Attack Lab at https://www.varonis.com/cyber-workshop/

    Grabify - the IP Logging, Honeypot Tracking URL Shortener

    Nov 8, 2019 · 45:01


    A honeypot is a tool that acts as bait, luring an attacker into revealing themselves by presenting a seemingly juicy target. In our first Security Tools podcast, we explore a free tool called Grabify that can gather information about scammers or attackers when they click on a honeypot tracking link.
    https://grabify.link/
    https://jlynx.net/
    https://twitter.com/grabifydotlink
    This podcast is brought to you by Varonis. If you'd like to learn more, check out the Cyber Attack Lab at https://www.varonis.com/cyber-workshop/

    Be the First to Know

    Nov 5, 2019 · 1:10


    We wanted you to be the first to know that next week, we will be back in this same feed with a new security podcast from Varonis. The new Security Tools podcast will keep you up to date with the most exciting and useful tools the Infosec community has to offer. Join us on the new show to hear from the researchers and hackers behind tools like Grabify, a link-based honeypot service that unmasks scammers by leveraging the same web tracking tactics used by most modern websites. We'll find out why it's so hard to stay anonymous online and show you how to use the power of tracking links to find the real location of an online scammer. See you next week.

    Changing User Behavior

    May 29, 2019 · 26:24


    Summer is approaching, and of course, that's when we feel the most heat. Cybersecurity managers, however, feel the heat all the time. They must be right every time, because cybercriminals only have to be right once. So summer can feel like it's year-round for cybersecurity pros, and that can cause job burnout. Another problem that managers face is the potential ineffectiveness of cybersecurity awareness training. Learning and sharing interesting security information in a class is really wonderful and expansive for a user's mind. However, if it doesn't change a user's behavior and he continues to click on links he shouldn't be clicking on, training might not be as helpful as it claims to be.
    Other articles discussed:
    Airbnb and 23andMe team up
    Baltimore ransomware strikes again
    When your car knows when you get fast food
    Tool of the week: htrace.sh - simple Swiss Army knife for http/https troubleshooting and profiling.
    Panelists: Cindy Ng, Mike Buckbee, Kris Keyser, Kilian Englert

    Security and Technology Unleashed

    May 16, 2019 · 22:33


    Searching a traveler's phone or laptop is not an extension of a search made on a piece of luggage. As former commissioner of Ontario Ann Cavoukian said, "Your smartphone and other digital devices contain the most intimate details of your life: financial and health records." In general, it's also dangerous to carry laws made for the physical world over to the digital space. But even with GDPR, which is aimed at protecting consumer data, the law hasn't taken action against any major technology firms such as Google or Facebook. It seems our relationship with technology might get worse before it gets better.
    Other articles discussed:
    How YouTube engineers eviscerated IE6
    Attackers hosted phishing kits on GitHub
    Tool of the week: Ghidra is a software reverse engineering (SRE) framework

    Professor Angela Sasse FREng on Human-Centered Security

    May 7, 2019 · 14:16


    Lately, we've been hearing more from security experts who are urging IT pros to stop scapegoating users as the primary reason for not achieving security nirvana. After covering this controversy on a recent episode of the Inside Out Security Show, I thought it was worth having an in-depth conversation with an expert. So, I contacted Angela Sasse, Professor of Human-Centred Technology in the Department of Computer Science at University College London, UK. Over the past 15 years, she has been researching the human-centered aspects of security, privacy, identity and trust. In 2015, for her innovative work, she was awarded the Fellowship of the Royal Academy of Engineering (FREng) for being one of the best and brightest engineers and technologists in the UK. In part one of my interview with Professor Angela Sasse, we cover the challenges that CISOs have in managing risk while finding a way to understand what's being asked of the user. And more importantly, why improving the usability of security can positively impact an organization's profits.

    Transcript

    Cindy Ng: Since 1999, Professor Angela Sasse has researched and promoted the concept of having security that works with and for users and their organization. She accomplishes this by appealing to the bottom line. Her hallmark paper, "Users Are Not the Enemy," argues that security frameworks designed with the "users are dangerous" approach create barriers that users must overcome in order to do their jobs, which makes them a resource-intensive administrative burden for their organization. For her exceptional work, in 2015 Professor Angela Sasse was awarded the Fellowship of the Royal Academy of Engineering as being one of the best and brightest engineers and technologists in the UK. I think what you're doing is multilayered, multifaceted, and you're targeting two very different fields where you're trying to think about how to design innovative technologies that are functional while driving the bottom line. So that's B2B, and then also improve the well-being of individuals and society, and that's B2C, and the strategies of those two things are very different. So maybe to just peel the layers back to start from the beginning, your research focuses on human usability of security and perhaps privacy too. Maybe it might be helpful to define what usability encompasses.

    Angela Sasse: Okay. So, usability, there's a traditional definition, there's an, you know, International Standards Organization definition of it, and it says, "Usability is if a specified user group can use the mechanism to achieve their goals in a specified context of use." And that actually makes it really quite, quite complex, because what it's really saying is there isn't a sort of, like, hard-line measure of what's usable and what isn't. It's about the fit, how well it fits the person that's using it and the purpose they're using it for in the situation that they're using it.

    Cindy Ng: Usability is more about the user, the human, and not necessarily the technology; it's, after all, just a tool. And we have to figure out a way to fit usability into the technology we're using.

    Angela Sasse: Yes, of course, and what it amounts to is that, of course, it's not economic. It wouldn't be economically possible to get a perfect fit for 120 different types of interactions in situations that you do. What we generally do is we use four or five different forms of interaction, you know, that work well enough across the whole range of interactions that we do. So they're locally optimal and globally optimal, so you could make a super good fit for different situations. But if you don't want to know about 120 different ways of doing something, so globally optimal is to have a limited set of interactions and symbols and things that you're dealing with when you're working with technology. So, security, however, one of the things that a lot of people overlook when it comes to security and usability is that from the user's point of view, security is always what usability people call a secondary task or enabling task. So this is a task I have to do to get to the thing I really want to do, and so the kind of tolerance or acceptance that people have for delays or difficulty is even less than with their sort of primary interactions.

    Cindy Ng: It's like a chore. For instance, an example would be I need to download an app, perhaps, in order to register for something.

    Angela Sasse: Yeah, and so what you want to do is, you know, you want to use the app for a particular purpose, and then if you basically have...if the user perceives that in order to be able to use the app, you know, all the stuff you have to do to get to that point is too much of a hurdle, then most of them would just turn around and say, "It's not worth it. I'm not going ahead."

    Cindy Ng: When it comes to the security aspect, how does a CISO or an IT security admin decide that users are dangerous, and that if they only had the same knowledge that I have, they would behave differently? Where does downloading the app or using a website intersect with the jobs of what a CISO does?

    Angela Sasse: A CISO is trying to manage the risks, and some of the risks might affect the individual employee or individual customer as well. But other risks are really risks to the organization, and if something went wrong it wouldn't directly affect the employee or the customer. But I think what, a CISO or SysAdmin, I would say to them is, "You've got to understand what you are asking the user to do. You have to accept that you're a security specialist, and you are focused on delivering security, but you're the only person in the organization for whom security is a primary task. For everybody else, it's a secondary task. It's a hurdle they have to jump over in order to do what they've been trained for, what they are good at, what they're paid to do. And so it's in your best interest to make that hurdle as small as possible. You should effectively manage the risk, but you've got to find ways of doing it that no one really bothers, where you're really taking as little time and effort away from the people who have to do it. Because otherwise you end up eating all the profits. Right?" The more effort you're basically taking away from the main activity that people do, the more you're reducing the profits of the organization.

    Cindy Ng: You've done the research, and you're presenting it, and you're interacting with CISOs and SysAdmins. How has the mindset evolved, and also some of the push back? Can you provide some examples?

    Angela Sasse: Early on a lot of the push back was really, well, people should do what they are told, and the other main push back is, "So, you're telling me this is difficult or effortful to do for people. Can we give them some training?" The real push back is that they don't want to think about changing, making changes to the technology and to the way they are managing the risks. So their first thought is always, "How can I make people do what I want them to do?" And so the very first big study that Adams and I did, we then subsequently...it's published in the paper, "Users Are Not the Enemy." So, this was a very big telecommunication company and when we said to them, "Look, your staff have between 16 and 64 different passwords, six digit pins and eight character passwords, complex, and you're telling them they have to have a different one and they can't write it down." And they were also expiring them every 30 days, so they had to change them every 30 days. And basically I said, "Nobody can do this." Then they said, "Okay, could they do it if we gave them some extra training?" And my response was, "Yes, and that would look like this: all your employees have to go on a one-year course to become memory athletes. Even when they come back, they're going to spend half an hour a day doing the memory techniques that you need to do in order to be able to recall all this stuff." And if you think about it that way, it's just absurd, rather than making changes to the password policy or providing easier to use authentication mechanisms. Sometimes what's equally ridiculous is, so, like, "Can you give me a psychology test so I can screen out the people who are not compliant so that I can recruit people that are naturally compliant?" That's bizarre. You need to recruit people who are good at the jobs that your business relies on, good at the stuff your business delivers. If you just recruit compliant and risk averse people, you're gonna go bust. So sometimes you have to really show the absurdity of the natural thinking that there is. There is this initial resistance to go, like, "I don't really want to change the way how I think about security, and I don't want to change the mechanisms I use."

    Cindy Ng: I think a lot of the CISOs and the SysAdmins are restricted too by the tools and the software, and they feel like they're confined and have to work within a framework, because their job is really technical. It's always about "are you able to secure my network" first over the human aspect of it. And I really like what you said about how phishing scam attackers understand more of the human element of security than security designers have. Can you elaborate more on that?

    Angela Sasse: I think... So, I'm working with some of the government here in the UK, with those government agencies that are responsible for security and for advising companies about security. And I think it's very interesting to see that they have concluded that CISOs need, and security practitioners, that they need to develop their soft skills and that they need to engage. They need to listen more, and they need to also learn how to...once they have listened, you know, and understand how they can provide a fit, then how they can persuade people of the need for change. You know, because part of the whole problem is if you reconfigure the mechanisms, and they're now easier to use, without people still need to change their behavior. They still need to move on from existing habits to the new ones, and that can be a bit of a blocker for change, and you need to persuade people to embark on this journey of changing their existing habits. And for that you need soft skills, and you need to persuade them that I have now made it as easy as possible to use. Now your part, your responsibility is to change your existing habit towards this new secure one, you know, which is feasible to do. And it's not particularly onerous, but you need to work through that process of changing, learning a new habit.

    Cindy Ng: How long do they want it to be? How long does it actually take, and how has their mindset evolved?

    Angela Sasse: Most of them now realize that their role is really to be a cheerleader for security, not, you know, the kind of the old school that they are some sort of gatekeeper who can stop everybody. So most of them now do realize.

    Cindy Ng: When did that happen?

    Angela Sasse: I think it's happened...it's only very recent. For the majority of them it happened in the last, maybe, four or five years. Some still haven't gotten there, but quite a few of them, and, you know, I've seen some very...I mean, if I go to Infosec for instance to meet people there who've really done a very good job. And I think, actually, say if you, for instance, look at the born digital companies. I think they generally do...they do very well. You know, if you look at Google, Amazon, Facebook, eBay, they've generally worked very hard to secure their business without...and they know that it would be a threat to their business if people couldn't use the security or found the security to be cumbersome. And I think they've actually done a good job, pretty good job, to look at how you can make it easier to use. So I think those companies are currently leading the charge. But I've seen this happen in a couple of other... So, I think basically, other companies that have very big customer bases, you know, sort of experiences that they get with that, that they realize that they have to make it easier for the customers to access services or use devices. Those lessons then also tend to filter through to how they are designing security for their own employees. So, you know, if you look at mobile phone companies and the television companies, you know, cable and satellite TV companies, I think they've really internalized...so the people working there really have quite a modern outlook. I think next coming around the corner is the big software and technology development companies. They have started to...so companies like Microsoft have started to realize this as well.

    Statistician Kaiser Fung: Fishy Stats (Part 3)

    Apr 30, 2019 · 18:38


    Over the past few weeks, Kaiser Fung has given us some valuable pointers on understanding the big data stats we are assaulted with on a daily basis.  To sum up, learn the context behind the stats — sources and biases — and know that the algorithms that crunch numbers may not have the answer to your problems. In this third  segment of our podcast, Kaiser points out all the ways the stats can trick us through its inherently random nature — variability in stats-speak. Transcript Cindy Ng: In part one and two with our interview with Kaiser Fung, we discussed the process behind a numerical finding, then focused on accuracy. In our last installment, Kaiser reveals one last way to cultivate numbersense. Your third point is to have a nose for doctored statistics. And for me, it's kind of like…if you don't know what you don't know? Kind of like I was surprised to read in the school rankings chapter in Number Sense that different publications have different rules in ranking. And then I didn't know that like reporting low GPAs as not available, it's a magic trick that causes a median GPA to rise. And so if I didn't know this, I would just use any number in any of these publications and use it in my marketing. How do I cultivate a nose for doctored statistics? Kaiser Fung: Well, I think...well, for a lot of people, I think it would involve like reading certain authors, certain people who specializes in this sort of stuff. I'm one of them but there are also others out there who have this sort of skepticism and they will point out how...you know, I mean I think it's all about figuring out how other people do it and then you can do it even to just follow the same types of logic. Often times, it involves sort of like, there are multiple stages to this. So there's the stage of can you smell something fishy? So it's sort of this awareness that, "Okay, do I want to believe this or not?" 
And then there's the next stage of, do you...once you smell something, do you know where to look, how to look, how do you investigate it? So usually when you smell something that means that you have developed an alternative hypothesis or interpretation that is different from what the thing you're reading. So in sort of this scientific method, what we want to do at that point is to try to go out and find cooperating evidence. So then the question becomes do you have this notion of what kinds of things I could find that could help you decide whether you're right or whether the original person is right? And here the distinction is really around if you're more experienced, you might be able to know if I am able to find this information that will be sufficient for me to even validate this or to fortify that. So you don't necessarily go through the entire analysis. Maybe you just find a shortcut to get to a certain point. And then the last stage is, that's the hardest to achieve and also not always necessary but it's sort of like okay if you no longer believe in what was published, how do you develop your alternative argument? So that requires a little more work and that's the kind of thing that I try to train my students to do. So often times when I set very open-ended type problems for them, you can see these people in different stages. Like there are people who don't recognize where the problems are, you know, just believe what they see. There are people who recognize the problems and able to diagnose what's wrong. Then there are ones that can diagnose what's wrong and they will have...you know, whether it's usually through looking at some other data or some other data points, they can decide, okay, instead of making the assumptions that the original people made which you no longer believe, I'm going to make a different set of assumptions. So like make this other set of assumptions, what would be the logical outcome of the analysis? 
So I think it's something that can be trained. It's just difficult in the classroom setting in our traditional sort of textbook lecture style. That type of stuff is very difficult to train. Andy Green: Something you said about sort of being able to train ourselves. And one thing that, it comes up in your books a lot, is that a lot of us don't have the sense of variability in the data. We don't understand what that means or what it...if we were to sort of put it out on a bar chart, we don't have that picture in our mind. And one example that you talk about I think on a blog post in something as marketers, we do a lot is A/B testing. And so we'll look at, we'll do a comparison of changing one website slightly and then testing it and then noticing that maybe it does better, we think. And then when we roll it out, we find out it really doesn't make too much of a difference. So you talked about reasons why something might not scale up in an A/B test. I think you wrote about that for one of the blogs. I think it was Harvard Business Review, Kaiser Fung: ...I'm not sure about whether we're saying the same things. I'm not quite exactly remembering what I wrote about there. But from an A/B testing perspective, I think there are lots of little things that people need to pay attention to because ultimately what you're trying to do is to come up with a result that is generalizable, right? So you can run your test in a period of time but in reality, you would like this effect to hold, I mean that you'll find anything over the next period of time. Now, I think both in this case as well as what I just talked about before, one of the core concepts in statistics is not just understanding it's variability. Whatever number is put in front of you, it's just a, at the moment sort of measurement, right? It's sort of like if you measure your weight on the same scale it's going to fluctuate, morning, night, you know different days. 
But you don't have this notion that your weight has changed. But the actual measurement of the weight, even though if it's still the same weight, will be slightly different. So that's the variability but the next phase is understanding that there are sources of variability. So there are many different reasons why things are variable. And I think that's sort of what we're getting into. So in the case of A/B testing, there are many different reasons why your results have been generalized. One very obvious example is that what we call the, we say that there's a drift in population. Meaning that especially websites, you know, a site changes over time. So even if you keep stable during the test, when you roll it forward it may have changed. And just a small change in the same part of the website could actually have a very large change in the type of people that comes to the page. So I have done...in the past, I've done a lot of A/B testing around kind of what you call the conversion funnel in marketing. And this is particularly an issue if you...let's say you're testing on a page that is close to the end of the funnel. Now, people do that because that's the most impactful place because the conversion rates are much higher in those pages. But the problem is because it's at the end of many steps. Anything that changed in any of the prior steps, it's going to potentially change the types of people ended up on your conversion page. So that's one reason why there are tests that test variability in the type of people coming to your page. Then even if the result worked during a test, it's not going to work later. But there's plenty of other things including something that people often times fail to recognize which is the whole basis of A/B testing is you are randomly placing people into more pockets. And the randomization, it's supposed to on average tell you that they are comparable and the same. 
But random while it will get you there almost all of the time but you can throw a coin 10 times and get 10 heads. But there's a possibility that there is something odd about that case. So another problem is what is your particular test had this weird phenomenon? Now, in statistics, we account for that by putting error box around these things. But it still doesn't solve the problem that that particular sample was a very odd sample. And so one of the underlying assumptions of all the analysis in statistics is that you're not analyzing that rare sample. That rare sample is kind of treated as part of the outside of normal situation. So yeah, there are a lot of subtlety in how you would actually interpret these things. And so A/B testing is still one of the best ways of measuring something. But even there, there are lots of things that you can't tell. I mean, I also wrote about the fact that sometimes it doesn't tell you...we'd like to say A/B testing gives you cause-effect analysis. It all depends on what you mean by cause-effect because even the most...for a typical example, like the red button and the green button, it's not caused by the color. It's like the color change did not cause anything. So there are some more intricate mechanisms there that if you really want to talk about cause, you wouldn't say color is a cause. Although in a particular way of interpreting this, you can say that the color is the cause. Andy Green: Right, right. Cindy Ng : It really just sounds like at every point you have to ask yourself, is this accurate? Is this the truth? It's a lot more work to get to the truth of the matter. Kaiser Fung: Yes. So I think when people sell you the notion that somehow because of the volume of the data everything becomes easy, I think it's the opposite. I think that's one of the key points of the book. When you have more data, it actually requires a lot more work. 
And going back to the earlier point which is that when you have more data, the amount of potentially wrong analysis or coming to the wrong conclusion is exponentially larger. And a lot of it is because of the fact that most analysis, especially with data that is not experimental, it's not randomized, not controlled, you essentially you rely on a lot of assumptions. And when you rely a lot on assumptions, it's the proverbial thing about you can basically say whatever the hell you want with this data. And so that's why I think it's really important for people when especially for those people who are not actually in this business of generating analysis, if you're in the business of consuming analysis, you really have to look out for yourself because you really could, in this day and age, could say whatever you want with the data that you have. Cindy Ng: So be a skeptic, be paranoid. Kaiser Fung: Well the nice thing is like when they're only talking about the colors of your bicycles and so on, you can probably just ignore and not do the work because it's not really that important to the problem. But on the other hand, when you...you know, in the other case that is ongoing which is the whole Tesla autopilot algorithm thing, right? Like in those cases and also when people are now getting into healthcare and all these other things where your potential...there's a life and death decision, then you really should pay more attention. Cindy Ng: This is great. Do you have any kind of final thoughts in terms of Numbersense? Kaiser Fung: Well, I'm about...I mean, this is a preview of a blog post that I'm going to put out probably this week. And I don't know if this works for you guys because this could be a bit more involved but so here's the situation. I mean, it's again that basically reinforces the point that you can easily get fooled by the data. So my TA and I were reviewing a data set that one of our students is using for their class projects. 
And this was basically some data about the revenue contributions of various customers and some characteristics of the customers. So we were basically trying to solve the problem of is there a way to use these characteristics to explain why the revenue contributions for different customers have gone up or down? So we've spent a bit of time thinking about it and we eventually come up with a nice way of doing it. You know, it's not an obvious problem, so we have a nice way of doing it. We thought that actually produced pretty nice results. So then we met with the student and pretty much the first thing that we learned from this conversation is that, oh, because this is for proprietary data, all the revenue members were completely made up. Like there is some, this thing, formula or whatever that she used to generate the number. So that's sort of the interesting sort of dynamic there. Because on the one hand, like obviously all of the work that we spent kind of put in creating this model and then the reason why we like the model is that it creates a nicely interpretable results. Like it actually makes sense, right? But it turns that yes, it makes sense in that imaginary world but it really doesn't have any impact on reality, right? So I think that's the...and then the other side of this which I kind of touch upon in my book too is well, if you were to just look at the methodology of what we did and the model that we built, you would say we did a really good work. Because we applied a good methodology, generate it, quick results. So the method and the data and then your assumptions, I mean all these things play a role in this ecosystem. And I think that...so going back to what I was saying today, I mean it's the problem is all these data. I think we have not spent sufficient time to really think about what are the sources of the data, how believable is this data? 
And in this day and age, especially with marketing data, with online data and all that, like there's a lot of manipulation going on. There are lots of people who are creating this data for a purpose. Think about online reviews and all other things. So on the analysis side, we have really not faced up to this issue. We just basically take the data and we just analyze and we come up with models and we say things. But how much of any of those things would be refuted if we actually knew how the data was created? Cindy Ng: That's a really good takeaway. You are working on many things, it sounds like. You're working on a blog, you teach. What else are you working on these days? Kaiser Fung: Well, I'm mainly working on various educational activities that are hoping to train the next generation of analysts and people who look at data that will hopefully have...the Numbersense that I want to talk about. I have various book projects in mind which I hope to get to when I have more time. And from the Numbersense perspective, I'm interested in exploring ways to describe this in a more concrete way, right? So there this notion of...I mean, this is a general ecosystem of things that I've talked about. But I want a system that ties it a bit. And so I have an effort ongoing to try to make it more quantifiable. Cindy Ng: And so if people want to follow what you're doing, what is your Twitter handle on your website? Kaiser Fung: Yes, so my Twitter is @junkcharts. And that's probably where most of my, like in terms of updates that's where things go. I have a personal website called just kaiserfung.com where they can learn more about what I do. And then I try to update my speaking schedule there because I do travel around the country, speak at various events. And then they will also read about other things that I do like for corporations that are mostly around, again, training managers, training people in this area of statistical reasoning, data visualization, number sense and all that.
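Kaiser's point about the coin that comes up heads ten times in a row, and about an A/B test that "wins" on an odd sample, can be made concrete. The Python below is an added example written for this page, not code from the podcast or from Kaiser Fung. It runs many A/B tests in which both arms have the same true conversion rate, so every declared winner is a false positive, and reports how often a standard two-proportion z-test at the 1.96 cutoff still declares one. The conversion rate, sample sizes and random seed are constructed values.

```python
import math
import random


def prob_all_heads(n_flips: int) -> float:
    """Probability that a fair coin lands heads on every one of n_flips flips."""
    return 0.5 ** n_flips


def two_proportion_z(conv_a: int, n_a: int, conv_b: int, n_b: int) -> float:
    """Two-proportion z statistic for an A/B test on conversion counts.

    Returns 0.0 when the pooled rate is 0 or 1, i.e. there is no variance
    to compare the difference against.
    """
    p_a, p_b = conv_a / n_a, conv_b / n_b
    pooled = (conv_a + conv_b) / (n_a + n_b)
    var = pooled * (1 - pooled) * (1 / n_a + 1 / n_b)
    if var == 0:
        return 0.0
    return (p_a - p_b) / math.sqrt(var)


def simulate_null_ab_tests(n_tests: int, n_per_arm: int, true_rate: float,
                           z_crit: float = 1.96, seed: int = 7):
    """Run n_tests A/B tests where BOTH arms share the same true conversion
    rate, so any 'winner' is a false positive.

    Returns (false_positive_rate, max_abs_z). The second value shows how far
    the single oddest sample strayed from what the shared rate would predict.
    """
    rng = random.Random(seed)  # constructed seed, fixed for reproducibility
    false_positives = 0
    max_abs_z = 0.0
    for _ in range(n_tests):
        conv_a = sum(rng.random() < true_rate for _ in range(n_per_arm))
        conv_b = sum(rng.random() < true_rate for _ in range(n_per_arm))
        z = two_proportion_z(conv_a, n_per_arm, conv_b, n_per_arm)
        max_abs_z = max(max_abs_z, abs(z))
        if abs(z) > z_crit:
            false_positives += 1
    return false_positives / n_tests, max_abs_z


if __name__ == "__main__":
    print(f"P(10 heads in a row) = {prob_all_heads(10):.5f}")
    fpr, worst = simulate_null_ab_tests(n_tests=1000, n_per_arm=500, true_rate=0.10)
    print(f"tests with no real difference that still 'won': {fpr:.1%}")
    print(f"largest |z| seen on an identical-rate sample: {worst:.2f}")
```

The false-positive share lands near the nominal 5 percent, which is the "error box" Kaiser mentions: it bounds how often the method fools you across many experiments, but it says nothing about whether the one experiment in front of you is the odd sample, and the largest |z| value shows that a sample from identical arms can still look like a clear winner.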

    We’d Love to Upgrade, But…

    Play Episode Listen Later Apr 22, 2019 24:07


    It’s great to be Amazon, with a single on-call security engineer and the rest of security automated. For many organizations today, though, fully automated security is still an aspirational goal. Those in healthcare would love to upgrade, but what if you’re running a system that’s FDA approved, which makes upgrading a little more difficult? What if hackers were able to download personal data from a web server because it wasn’t up to date and ran outdated plugins? Meanwhile, here’s a lesson from veteran reporter Brian Krebs on how not to acknowledge a data breach. And by the way, would you ever use public Wi-Fi, and do you value certifications over experience?

    Statistician Kaiser Fung: Accuracy of Algorithms (Part 2)

    Play Episode Listen Later Apr 17, 2019 9:16


    In part one of our interview with Kaiser, he taught us the importance of looking at the process behind a numerical finding. We continue the conversation by discussing the accuracy of statistics and algorithms. With examples such as shoe recommendations and movie ratings, you’ll learn where algorithms fall short.

    Transcript

    Cindy Ng: In part one, Kaiser taught us the importance of looking at the process behind a numerical finding. And today, we’ll continue in part two on how to cultivate numbersense. Kaiser, do you think algorithms are the answer? And when you’re looking at a numerical finding, how do you know what questions to ask?

    Kaiser Fung: So I think...I mean, there are obviously a big pile of questions that you ask, but I think that the most important question not asked out there is the question of accuracy. And I've always been struck, I keep mentioning this to my blog readers, that if you open up any of the articles that are written up, whether it's the New York Times, Wall Street Journal, you know, all these papers have big data articles and they talk about algorithms, they talk about predictive models and so on. But you can never find a quantified statement about the accuracy of these algorithms. They would all qualitatively tell you that they are all amazing and wonderful. And really it all starts with understanding accuracy. And in the Numbersense book, I addressed this with the Target example of the tendency models. But also in my previous book, I talk in the whole thing around steroids and also lie detector testing, because it's all kind of the same type of framework. It's really all about understanding the multiple different ways of measuring accuracy. So starting with understanding false positive and false negative. But really they are all derived with other more useful metrics. And you'll be shocked how bad these algorithms are. I mean it's not that...like from a statistical perspective, they are pretty good.
I mean, I try to explain to people, too. It's not that we're all kind of snake oil artist that we...these algorithms do not work at all. I mean, usually, they work if you were to compare with not using the algorithm at all. So you actually have incremental improvements and sometimes pretty good improvements over the case of not using an algorithm. Now, however, if the case of not using the algorithm leads to, let's say 10% accuracy, and now we have 30% accuracy, you would be three times better. However, 30% accuracy still means that 70% of the time you got the wrong thing, right? So there's an absolute versus relative measurement here that's important. So once you get into that whole area, it's very fascinating. It's because usually the algorithms also do not really make decisions and they are specific decision rules that are in place because often times the algorithms only calculate a probability of something. So by analogy, the algorithm might tell you that there's a 40% chance of raining tomorrow. But somebody has to create a decision rule that says that, you know, based on...I mean, I'm going to carry umbrella if it's over 60%...So there's all these other stuff involved. And then you have to also understand the soft side of it which is the incentive of the various parties to either go one or the other way. And the algorithm ultimately reflects the designer's because the algorithm will not make that determination of whether you should bring an umbrella since … however, it's over 60% or under 60%. All it can tell you is that for today it's 40%. So I think this notion that the algorithm itself is running on its own, it's false anyway. And then so once you have human input into these algorithms, then you have to also have to wonder about what the humans are doing. 
And I think in a lot of these books, I try to point out that what also complicates it is that in every case, including the case of Target, there will be different people coming from this in angles where they are trying to optimize objectives that are conflicting. That's the beginning of this...that sort of asking the question of the output. And I think if we start doing that more, we can avoid some of this, I think a very reticent current situation that runs into our conversation here is this whole collapse of this…company. I'm not sure if you guys have been following that. Well, it's an example of somebody who's been solving this algorithm people have been asking. Well, a lot of people have not been asking for quantifiable results. The people have been asking for quantifiable results have been basically pushed back and, you know, they refused all the time to present anything. And then, at this point, I think it's been acknowledged that it's all...you know, empty, it's hot air. Andy Green: Right, yeah. You had some funny comments on, I think it was on your blog about, and this is related to these algorithms, about I guess buying shoes on the web. On, I don't know, one of the website. And you were always saying, "Well," they were coming up with some recommendations for other types of items that they thought you would be interested in. And what you really wanted was to go into the website and at least, when you went to buy the shoe, they would take you right to the shoe size that you ordered in the past or the color that you ordered. Kaiser Fung: Right, right, yes. Andy Green: And it would be that the simple obvious thing to do, instead of trying to come up with an algorithm to figure out what you might like and making suggestions... Kaiser Fung: Yeah. So I think there are many ways to think about that. Part of it is it's that often times the most unsexy problems are the most impactful. But people tend to focus on the most sexy problems. 
So in that particular case, I mean the whole article was about that the idea is that what makes prediction inaccurate is not just the algorithm being bad...well I mean the algorithms are often times actually, are not bad. It is that the underlying phenomenon that you are predicting is highly variable. So I love to use examples like movies since movie ratings was really big some time ago. So how you rate a movie is not some kind of constant. It depends on the mood, it depends on what you did. It depends on who you are with. It depends on so many things. And you hear the same person in movies and under different settings, you probably gave different ratings. So in that sense, it is very difficult for an algorithm to really predict how you're going to rate the movie. But what I was pointing out is that there are a lot of other types of things that these things could...the algorithms could predict that have essentially, I call invariable nature of property. And a great example of that is the fact that almost always, I mean it's like it's still not a hundred percent but 90% of the time you're buying stuff for yourself, therefore, you have certain shirt sizes, shoe sizes and so on. And therefore it would seem reasonable that they should just show you the things that is appropriate for you. And that's a...it's not a very sexy type of prediction. But it is a kind of prediction. And there are many, many other situations like that, you know. It's like if you just think about just even using an email software, there are certain things that you click on there… it's because the way it's designed is not quite the way you use it. So we have all the data available, they're measuring all this behavior, it could very well be predicted. So I feel like everybody who has done the same with the clicks every time because they're very much like, "Well, I just say what I mean."
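The accuracy discussion above (false positives and false negatives, absolute versus relative improvement over "no algorithm", and the separate decision rule that turns a probability into an action) maps directly onto how a security detector is evaluated. The Python below is an added example for this page, not code from the podcast or from Kaiser Fung. It scores a small constructed set of events, applies a threshold decision rule, derives the usual metrics, compares the result with the majority-class baseline, and, going one step beyond the conversation, shows with Bayes' rule why a detector that is 95% accurate in both directions still produces mostly false alerts when the thing it looks for is rare. All scores, labels and rates are constructed values.

```python
from typing import Dict, List, Tuple

# Constructed sample: (detector score, true label) for 12 events.
# Label 1 = genuinely malicious, 0 = benign. Five positives, seven negatives.
EVENTS: List[Tuple[float, int]] = [
    (0.95, 1), (0.90, 1), (0.80, 0), (0.75, 1), (0.60, 0), (0.55, 1),
    (0.40, 0), (0.35, 0), (0.30, 1), (0.20, 0), (0.10, 0), (0.05, 0),
]


def confusion(events: List[Tuple[float, int]], threshold: float) -> Dict[str, int]:
    """Apply the decision rule 'alert when score >= threshold' and count outcomes.

    The score is what the algorithm produces; the threshold is the human
    decision rule layered on top of it (the 'carry an umbrella above 60%').
    """
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for score, label in events:
        predicted = 1 if score >= threshold else 0
        if predicted and label:
            counts["tp"] += 1
        elif predicted and not label:
            counts["fp"] += 1
        elif not predicted and label:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def metrics(counts: Dict[str, int]) -> Dict[str, float]:
    """Derive the metrics practitioners actually use from the four raw counts."""
    tp, fp, tn, fn = counts["tp"], counts["fp"], counts["tn"], counts["fn"]
    total = tp + fp + tn + fn
    return {
        "precision": tp / (tp + fp) if tp + fp else 0.0,   # alerts that were real
        "recall": tp / (tp + fn) if tp + fn else 0.0,      # real cases caught
        "fpr": fp / (fp + tn) if fp + tn else 0.0,         # benign events alerted on
        "accuracy": (tp + tn) / total if total else 0.0,
    }


def majority_baseline_accuracy(events: List[Tuple[float, int]]) -> float:
    """Accuracy of 'no algorithm at all': always predict the more common class.

    This is the reference point for the absolute-vs-relative comparison."""
    positives = sum(label for _, label in events)
    return max(positives, len(events) - positives) / len(events)


def precision_at_base_rate(sensitivity: float, specificity: float, prevalence: float) -> float:
    """Share of alerts that are true positives, by Bayes' rule, for a detector
    with the given sensitivity (recall) and specificity when the positive
    class occurs with the given prevalence."""
    true_alerts = sensitivity * prevalence
    false_alerts = (1 - specificity) * (1 - prevalence)
    return true_alerts / (true_alerts + false_alerts)


if __name__ == "__main__":
    for threshold in (0.5, 0.7):
        m = metrics(confusion(EVENTS, threshold))
        print(f"threshold {threshold}: " + ", ".join(f"{k}={v:.2f}" for k, v in m.items()))
    print(f"majority-class baseline accuracy: {majority_baseline_accuracy(EVENTS):.2f}")
    print(f"precision of a 95%/95% detector at 1% prevalence: "
          f"{precision_at_base_rate(0.95, 0.95, 0.01):.2f}")
```

Raising the threshold from 0.5 to 0.7 trades recall for precision without changing overall accuracy, which is why a single headline accuracy number says little about a detector; and the last line is the base-rate effect: with 1% prevalence, roughly five out of six alerts from a 95%/95% detector are false.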

    Security on Easy Mode

    Play Episode Listen Later Apr 10, 2019 20:10


    Recently in the security space, there’s been a spate of contradicting priorities. For instance, a recent study showed that programmers will take the easy way out and not implement proper password security. Anecdotally, a security pro in a networking and security course noticed another attendee who covered his webcam but had his BitLocker recovery key printed on a label stuck to his screen. When protocols and skills compete for our attention, ironically, security gets placed on easy mode. In the real world, attackers can potentially create malware that would automatically add “realistic, malignant-seeming growths to CT or MRI scans before radiologists and doctors examine them.” How about that time when ethical hackers were able to access a university’s student and staff personal data, finance systems and research networks? Perhaps more education and awareness might be needed to take security out of easy mode and bring it into real-time alerting mode.

    Statistician Kaiser Fung: Investigate The Process Behind A Numerical Finding (Part 1)

    Play Episode Listen Later Apr 2, 2019 15:15


    In the business world, if we’re looking for actionable insights, many think they are found using an algorithm. However, statistician Kaiser Fung disagrees. With degrees in engineering and statistics and an MBA from Harvard, Fung believes that both algorithms and humans are needed, as the sum is greater than its individual parts. Moreover, the worldview he suggests one should cultivate is numbersense. How? When presented with a numerical finding, go the extra mile and investigate the methodology, biases, and sources. For more tips, listen to part one of our interview with Kaiser as he uses recent headlines to dissect the problems with how data is analyzed and presented to the general public.

    Transcript

    Cindy Ng: Numbersense essentially teaches us how to make simple sense out of complex statistics. However, statistician Kaiser Fung said that cultivating numbersense isn’t something you can learn in a book. But there are three things you can do. First is you shouldn’t take published data at face value. Second is to know what questions to ask. And third is to have a nose for doctored statistics. And so, the first bullet is you shouldn't take published data at face value. And so like to me, that means it takes more time to get to the truth that matters, to the matter, to the issue at hand. And I'm wondering also, like, to what extent does the volume of data, big data, affect fidelity, because that certainly affects your final result?

    Kaiser Fung: There are lots of aspects to this. I would say, let's start with the idea that, well, it's kind of a hopeless situation because you pretty much have to replicate everything or check everything that somebody has done in order to decide whether you want to believe the work or not. I would say, well, in a way that's true, but then over time you develop kind of a shortcut.
Then part of it is that if you have done your homework on one type of study, then you could apply all the lessons very easily to a different study that we don't have to actually repeat all that. And also organizations and research groups tend to favors certain types of methodologies. So once you've understood what they are actually doing and what are the assumptions behind the methodologies, then you could...you know, you have developed some idea about whether if you're a believer in the assumptions or their method. Also the time, you know I have certain people who's work I have come to appreciate. I've studied their work, they share some of my own beliefs about how do you read data and how to analyze data. And it's this sense of, it also depends on who is publishing the work. So, I think that's part one of the question is encourage people to not just take what you're told but to really think about what you're being told. So there are some shortcuts to that over time. Going back to your other issue related to the volume of data, I mean I think that is really causing a lot of issues. And it's not just the volume of data but the fact that the data today is not collected with any design or plan in mind. And often times, the people collecting the data is really divorced from any kind of business problem or divorce from the business side of the host. And the data has just been collected and now people are trying to make sense of it. And I think you end up with many challenges. One big challenge is you don't end up solving any problems of interest. So I just had a read up my blog, that will be something just like this weekend. And this is related to somebody's analysis of the...I think this is Tour de France data. And there was this whole thing about, "Well, nowadays we have Garmin and we have all these devices, they're collecting a lot of data about these cyclists. And there's nothing much done in terms of analysis," they say. 
So which is probably true because again, all of that data has been collected with no particular design in mind or problem in mind. So what do they do? Well, they basically then say, "Well, I'm going to analyze the color of the bike that have actually won the Tour de France over the years." But then that's kind of the state of the world that we're in. We have the data then we try to portrait it by forcing it answer some questions that we’re supposed to create. And often times these questions are actually very silly and doesn't really solve any real problems, like the color of the bike is. I don't think anyone believe it impacts whether you win or not. I mean, that's just an example of the types of problems that we end up solving. And many of them are very trivial. And I think the reason why we are there is that when you just collect the data like that, you know, let's say you have a lot of this data about...I mean, let's assume that this data measures how fast the wheels are turning, the speed of your bike, you know, all that type of stuff. I mean, if the problem is that when you don't have an actual problem in mind, you don't actually have all of the pieces of the data that you need to solve a problem. And most often what you don't have is like an outcome metric. You have a lot of these sort of expensive data but there's no measurement of that thing that you want to impact. And then in order to do that, you have to actually merge in a lot of data or try to collect data from other sources. And you probably often times cannot find appropriate data so you're kind of stuck in this loop of not having any ability to do anything. So I think it's the paradox of the big data age is we have all these data but it is almost impossible to make it useful in a lot of cases. there are many other reasons why the volume of data is not helping us. 
But I think...what flashed in my head right now because of … is that one of the biggest issues is that the data is not solving any important problems. Andy Green: Kaiser, so getting back to what you said earlier about not sort of accepting what you're told, and I'm also now become a big fan of your blog, Junk Charts. And there was one, I think it's pretty recent, you commented on a New York Times article on CEO executives, CEO pay. And then you actually sort of looked a little deeper into it and you came to sort of an opposite conclusion. In fact, can you just talk about that a little bit because the whole approach there is kind of having to do with Numbersense? Kaiser Fung: Yeah. So basically what happened was there was this big headline about CEO pay. And it was one of these sort of is counter-intuitive headlines that basically said, "Hey, surprise..." Sort of a surprise, CEO pay has dropped. And it even gives a particular percentage and I can't remember what it was in the headline. And I think the sort of Numbersense part of this is that like when I read something like that, because it's sort of like the...for certain topics like this particular topic since I have an MBA and I've been exposed to this type of analysis, so I kind of have some idea, though it's some preconceived notion in my head about where CEO pay is going. And so it kind of triggers a bit of a doubt in my head. So then what you want to do in these cases, and often times, I think this is an example of very simple things you can do, If you just click on the link that is in the article and go to the original article and start reading what they say, and in this particular case, you actually only need to read like literally the first two bullet points of the executive summary of the report. Because then immediately you'll notice that actually CEO pay has actually gone up, not down. And it all depends on what metric people use it. And that they're both actually accurate from a statistic perspective. 
So, the metric that went up was the median pay. So the middle person. And then the number that went down was the average pay. And then here you basically need a little bit of statistical briefing because you have to realize that CEO pay is an extremely skewed number. Even at the very top, I think they only talk about the top 200 CEOs, even the very top the top person is making something like twice the second person. Like, this is very, very steep curve. So the average is really meaningless in this particular case and the median is really the way to go. And so, you know, I basically blogged about it and say, you know, that that's a really poor choice of a headline because it doesn't represent the real picture of what is actually going on. So that's the story. I mean, that's a great...yes, so that's a great example of what I like to tell people. In order to get to that level of reasoning, you don't really need to take a lot of math classes, you don't need to know calculus, you know...I think it's sort of the misnomer perpetuated by many, many decades of college instruction that statistics is all about math and you have to learn all these formulas in order to go anywhere. Andy Green: Right. Now, I love the explanation. And also, it seems that if the Times had just shown a bar chart and it would have been a little difficult but what you're saying is that at the upper end, there are CEOs making a lot of money and that they just dropped a little bit. And correct me if I'm wrong, but everyone else did better, or most like 80% of the CEOs or whatever the percentile is, did better. But those at the top, because they're making so much, lost a little bit and that sort of dropped the average. But meanwhile, if you polled CEOs, whatever the numbers, 80% or 90% would say, "Yes, my pay has gone up." Kaiser Fung: Right. So yeah. So I did look at the exact numbers there. 
I don't remember what those numbers are but in conceptually speaking, given this type of distribution, it's possible that just the very top guy having dropped by a bit will be sufficient to make the average move. So the concept that the median is the middle guy has actually moved up. So what that implies is that the bulk, you know, the weight of the distribution has actually gone up. There are many different actual numbers that made this in levels of aspect that you can talk about. That's the first level of getting the idea that you rarely talk in the median. And if you really want to dig deeper, which I did in my blog post, is that you also have to think about what components drive the CEO pay, because if the accounting, not just the fixed-base salary but maybe also bonuses and also maybe they even price in any of the stock components and you know the stock components are going to be much more volatile. I mean it all points to the fact that you really shouldn't be looking at the averages because it's now so affected by all these other ups and downs. So to me, it's a basic level of statistical reasoning that unfortunately hasn't seem to have improved in the journalistic world. I mean, even in this day and age when there's so much data, they really need to improve their ability to draw conclusions. I mean,...that's a pretty simple example of something that can be improved. Now we also have a lot of examples of things that are much more subtle. I'd like to give an example, a different example of this, and it also comes from something that showed up in the New York Times some years ago. But this is a very simple scatter plot that was plotting or trying to explain or trying to correlate the average happiness of people in different countries. And that's typically measured by survey results. So you base your happiness from a scale of zero to ten or stuff like that. 
And then they want to correlate that with the what they call the progressiveness of the tax system in each of these countries. So,the thing that people don't understand is by making this scatter plot, you have actually imposed upon your reader a particular model of the data. And in this particular case, it is the model that says that happiness can be explained by just one factor which is the tax system. So in reality, they are a gazillion other factors that affects somebody's happiness. And you really...and if you know anything about statistics, we would learn that it multivariable regression which would actually control all the other factors. But when you do a scatter plot, you haven't adjusted for anything else. So it's like the very simple analysis could be extremely misleading.
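The CEO pay story above turns on one property of skewed distributions: a drop at the very top can pull the average down while the median, and most individual pay packets, go up. The Python below is an added example for this page, not code from the podcast, the New York Times or the report Kaiser describes. It uses a constructed ten-person pay list in which the top earner makes twice the second (the shape Kaiser describes) and then, in the following year, the top earner's pay falls while everyone else's rises 10%; the function reports what the mean, the median and the share of people with a raise each say about the same data. All figures are constructed and the rank-matching assumption is noted in the code.

```python
from statistics import mean, median
from typing import Dict, List

# Constructed pay figures (arbitrary units), ranked highest to lowest.
# Year 1: the top earner makes twice the second earner, so the distribution is steep.
# Year 2: the top earner drops to 250; everyone else gets a 10% raise.
YEAR_1: List[float] = [400, 200, 150, 120, 100, 90, 80, 70, 60, 50]
YEAR_2: List[float] = [250, 220, 165, 132, 110, 99, 88, 77, 66, 55]


def pct_change(before: float, after: float) -> float:
    """Percentage change from before to after."""
    return (after - before) / before * 100.0


def pay_summary(before: List[float], after: List[float]) -> Dict[str, float]:
    """Summarise a year-over-year pay change three ways.

    Assumption (constructed data): both lists are ranked the same way, so the
    person at each index is the same person in both years; share_with_raise
    relies on that. top_share_before shows how much of the total the single
    top earner accounts for, which is what makes the mean fragile.
    """
    if len(before) != len(after):
        raise ValueError("pay lists must cover the same people")
    raises = sum(1 for b, a in zip(before, after) if a > b)
    return {
        "mean_change_pct": pct_change(float(mean(before)), float(mean(after))),
        "median_change_pct": pct_change(float(median(before)), float(median(after))),
        "share_with_raise": raises / len(before),
        "top_share_before": max(before) / sum(before),
    }


if __name__ == "__main__":
    for key, value in pay_summary(YEAR_1, YEAR_2).items():
        print(f"{key:>20}: {value:+.1f}" if key.endswith("pct") else f"{key:>20}: {value:.2f}")
```

On this data the mean falls about 4% while the median rises 10% and nine of ten people got a raise: a headline built on the average would say "pay dropped" about a year in which almost everyone was paid more. The same caution applies to any security metric dominated by a few outliers, such as mean time to remediate when one incident took months.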

    The Making of the Modern CISO

    Play Episode Listen Later Mar 25, 2019 28:59


    Should CISOs use events or scenarios to drive security, rather than checklists? It also doesn’t matter how much you spend on cybersecurity if it ends up becoming shelfware. Navigating one’s role as a CISO is no easy feat. Luckily, the path to becoming a seasoned CISO is now easier with practical classes and interviews. But when cybersecurity is assumed to be not very important, does that defeat the leadership role of a CISO? Panelists: Cindy Ng, Sean Campbell, Mike Buckbee, Kris Keyser

    Security Expert and "Hacked Again" Author Scott Schober (Part 2)

    Play Episode Listen Later Mar 18, 2019 12:27


    Scott Schober wears many hats. He's an inventor and software engineer, and he runs his own wireless security company. He's also written Hacked Again, which tells of his long-running battle against cyber thieves. Scott has appeared on Bloomberg TV, Good Morning America, CNBC, and CNN. We continue our discussion with Scott. In this segment, he talks about the importance of layers of security to reduce the risk of an attack. Scott also points out that we should be careful about revealing personal information online. It's a lesson he learned directly from legendary hacker Kevin Mitnick!

    Transcript

    Andy Green: So speaking of the attack that the Mirai...I'm not sure if I'm pronouncing that right...attack from last week, I was wondering if, can cell phones be hacked in a similar way to launch DDoS attacks? Or that hasn't happened yet? I was just wondering if...with your knowledge of the cellphone industry?

    Scott Schober: Absolutely. I mean, to your point, can cell phones be attacked? Absolutely. That's actually where most of the hackers are starting to migrate their attacks toward, the cell phone. And why is that, especially when they're aiming at the Android environment? Excuse me. It's open-source. Applications are not vetted as well. Everybody is prone to hacking and vulnerable. There are more Android users. You've got open-source, which is ideal for creating all kinds of malicious viruses, ransomware, DDoS, whatever you want to create and launch. So that's their preferred method, the easiest path to get it in there, but Apple certainly is not prone to that. The other thing is that mobile phone users are not updating the security patches as often as they should. And that becomes problematic. It's not everybody, but a good portion of people are just complacent. And therefore hackers know that eventually everybody's old Windows PC will be either abandoned or upgraded with more current stuff.
So they'll target the guys that are still using old Windows XP machines where there's no security updates and they're extremely vulnerable, until that dries up. Then they're gonna start migrating over to mobile devices...tablets, mobile phones...and really heavily increase the hacks there. And then keep in mind why. Where are you banking? Traditionally everybody banked at a physical bank or from their computer. Now everybody's starting to do mobile banking from their device...their phone. So where are they gonna go if they want to compromise your credit card or your banking account? It's your mobile device. Perfect target. Andy Green: Yeah. I think I was reading on your blog that, I think, your first preference is to pay cash as a consumer. Scott Schober: Yes. Yes. Yep. Andy Green: And then I think you mentioned using your iPhone next. Is that, did I get that right? Scott Schober: Yeah, you could certainly..."Cash is king," I always say. And minimize. I do...I probably shouldn't say it...but I do have one credit card that I do use and monitor very carefully, that I try to use only at secure spots where I know. In other words, I don't go to any gas station to get gas and I don't use it for general things, eating out. As much as I can use cash, I will, to minimize my digital footprint and putting my credit out there too much. And I also watch closely, if I do hand somebody my credit card, I write on the back of it, "Must check ID." And people sometimes...not always...but they'll say, "Can I see your ID?" Hand them my license. "Thank you very much." Little things like that go a long way in preventing somebody, especially if you're handing your credit card to somebody that's about to swipe it through a little square and steal your card info. When they see that, they realize, "Oh, gosh, this guy must monitor his statement quickly. He's asking for ID. I'm not gonna try to take his card number here." So those little tips go a long, long way. Andy Green: Interesting. Okay. 
So in the second half of the "Hacked Again" book, you give a lot of advice on, sort of, security measures that companies can take and it's a lot of tips that, you know, we recommend at Varonis. And that includes strong passwords. I think you mentioned strong authentication. Pen testing may have come up in the book as well. So have you implemented this at your company, some of these ideas? Scott Schober: Yes, absolutely. And again, I think in the book I describe it as "layers of security," and I often relate that to something that we physically can all relate to, and that's our house. We don't have, typically, a single lock on our front door. We've got a deadbolt. We've got a camera. We've got alarm stickers, the whole gamut. The more we have our defenses up, the more likely that a physical thief will go next door or down the block to rob us. The same is true in cyber-security. Layered security, so not just when we have our login credentials. It's our user name and a password. It's a long and strong password, which most people are starting to get, although they're not all implementing. We never reuse the same password or parts of a password on multiple sites because password reuse is a huge problem still. More than half the people still reuse their password, even though they hear how bad it is because we're all lazy. And having that additional layer, multi-factor authentication or two-factor authentication. That additional layer of security, be it when you're logging into your Gmail account or whatever and have a text go your phone with a one-time code that will disappear. That's very valuable. Messaging apps, since we deal a lot with the surveillance community and understanding how easy it is to look at content. For anything that is very secure, I will look at messaging apps. And what I look for in there is something like...The one I've been playing with and I have actually on my phone is Squealock. There, you do not have to provide your actual mobile phone number. 
Instead, you create a unique ID and you tell other people that you wanna text to and talk to, "Here's my ID." So nobody ever actually has your mobile phone number because once you give out your mobile phone number, you give away pieces of information about you. So I really strongly encourage people, think before they put too much information out. Before you give your phone number away. Before you give your Social Security number away if you're going to a doctor's office. Are you required to do that? The answer is no, you're not required to, and they cannot deny you treatment if you don't give them a Social Security number.

Andy Green: Interesting. Yeah.

Scott Schober: But yet everybody gives it.

Scott Schober: So think very carefully before you give away these little tidbits that add up to something very quickly, because that could be catastrophic. I was at an event speaking two weeks ago down in Virginia, Norfolk, cyber-security convention, and one of the keynotes, they invited me up and asked if I'd be willing to see how easy it is to perform identity theft and compromise information on myself. I was a little reluctant, but I said, "Okay, everything else is out there," and I know how easy it is to get somebody's stuff, so I was the guinea pig, and it was, Kevin Mitnick performed. This is the world's most famous hacker, so it made it very interesting.

Andy Green: Yes.

Scott Schober: And within 30 seconds and at the cost of $1, he pulled up my Social Security number.

Andy Green: Right. It's astonishing.

Scott Schober: Scary. Scary. Scary.

Andy Green: Yep, very scary. Yeah...

Scott Schober: And any hacker can do that. That's the part that is kinda depressing, I think. So even though you could be so careful, if somebody really wants anything bad enough, there is a way to do it. So you wanna just put up your best defenses to minimize and hopefully they move on to the next person.

Andy Green: Right.
Yeah, I mean, we've seen hackers, or on the blog, we've written about how hackers are quite good at sort of doing initial hacks to get sort of basic information and then sort of build on that. They end up building really strong profiles. And we see some of this in the phishing attacks, where they seem to know a lot about you, and they make these phish mails quite clickable because it seems so personalized.

Scott Schober: It can be very convincing. Yes.

Andy Green: Very convincing. So there's a lot out there already on people. I was wondering, do you have any advice...? We're sort of pro-pen testing at Varonis. We just think it's very useful in terms of assessing real-world risks. Is that something...can you recommend that for small, medium businesses, or is that something that may be outside their comfort zone?

Scott Schober: No, I do have to say, on a case-by-case basis, I always ask business owners to do this first. I say, "Before you jump out and get vulnerability assessment or pen testing, both of which I do normally recommend, analyze what value you have within your walls of your company." Again, like you mentioned earlier, good point, are you storing customer information? Credit card information? Account numbers? Okay, then you have something very valuable, not necessarily just to your business, but to your customers. You need to make sure you protect that properly. So how do you protect that properly, is by knowing where your vulnerabilities are for a bad guy to get in. That is very, very important. What pen tests and vulnerability assessments reveal are things that your traditional IT staff will not know. Or in a very small business, they won't even think of these things. They don't think about maybe updating, you know, your security patches on WordPress for your website or, you know, other basic things. Having the world's most long and strong password for your wireless access point. "Well, it's only my employees use it." That's what they think.
But guess what? A hacker pulls into your lot after hours and they're gonna try some automated software that's gonna try to socially pull off the internet everything and anything about you and your company in case part of that is part of your password. And guess what? They have a high success ratio with some of these automatic programs to guess passwords. That is very scary to me. Or they may use social engineering techniques to try to get some of that information out of a disgruntled employee or an innocent secretary or whatever...we've all heard these extreme stories...to get into your computer networks and place malware on there. So that's how you really find out. You get an honest appraisal of how secure your company is. Yeah, we did it here. I was honestly surprised when I thought, "Wow, we've got everything covered." And then I was like, "What? We never would have thought of that." So there are some gotchas that are revealed afterward. And you know what, if it's embarrassing, who cares? Fix it and secure it and that'll protect your company and your assets. And again, you gotta think about IP. Some companies...our industry, we've got a lot of intellectual property here, that over 44 years as a company, that's our secret sauce. We don't want that ending up in other international markets where it could be used in a competitive area. So how do you protect that, is making sure your company is very, very secure. Not just physical security, because that is extremely important. That goes hand in hand. But even keeping your computer network secure. And from the top down, every employee in the organization realizes they're not part of the security problem. They're part of the security solution and they have a vested interest just to make sure that...yeah.

Andy Green: Yeah, no, absolutely. We're on the same page there. So do you have any other final advice for either consumers or businesses on security or credit cards or...?
Scott Schober: Again, I always like to make sure I resonate with people, people have the power to control their own life and still function and still have a relative level of security. They don't have to live in fear and be overly paranoid. Am I paranoid? Yes, because maybe an exceptional number of things keep happening to me and I keep seeing that I'm targeted. I had another email the other day from Anonymous and different threats and crazy things that keep unfolding. That makes you wonder and get scared. But do the things that are in your control. Don't put your head in the sand and get complacent, as most people tend to do. People say, "Well, just about everybody's been compromised. Why bother? It's a matter of time." Well, if you take that attitude, then you will be the next victim. But if you can make it really difficult for those cyber-hackers, at least with a clean conscience, you said, "I made them work at it," and hopefully they'll move on to the next target. And that's what my goal is, to really encourage people, don't give up. Keep trying, and even if it takes a little bit more time, take that time. It's well, well worth it. It's a good investment to protect yourself in the long run.

Andy Green: No, I absolutely agree. Things like two-factor authentication on, let's say, Gmail or some of your other accounts and longer passwords. Just make it a little bit harder so they'll then move on to the next one. Absolutely agree with you.

Scott Schober: Yeah, yeah. That's very true. Very true.

Andy Green: Okay. Thank you so much for your time.

Scott Schober: Oh, no, any time, any time. Thank you for the time. Really appreciate it and stay safe.

    Security Expert and "Hacked Again" Author Scott Schober (Part 1)

    Mar 11, 2019 14:39


    Scott Schober wears many hats. He's an inventor, software engineer, and runs his own wireless security company. He's also written Hacked Again, which tells about his long-running battle against cyber thieves. Scott has appeared on Bloomberg TV, Good Morning America, CNBC, and CNN. In the first part of the interview, Scott tells us about some of his adventures in data security. He's been a victim of fraudulent bank transfers and credit card transactions. He's also aroused the wrath of cyber gangs and his company's site was a DDoS target. There are some great security tips here for both small businesses and consumers.

Transcript

Andy Green: Scott Schober wears more than a few hats. Scott is President and CEO of Berkeley Varitronics, a company that makes wireless test and security solutions. He is also an inventor. The gadget that enforces no cell phone policies, that's one of his. He's a sought-after security speaker and has been interviewed on ABC News, Bloomberg TV, CNBC, CNN. And he's been on the other side of the security equation, having been hacked himself, and writing that experience in his book, "Hacked Again." So, we're excited to have Scott on this podcast. Thanks for coming.

Scott Schober: Yeah, thanks for having me on here.

Andy Green: Yeah, so for me, what was most interesting about your book "Hacked Again," is that hackers actively go after small, medium businesses, and these hacks probably don't get reported in the same way as an attack on, of course, Target or Home Depot. So, I was wondering if you could just talk about some of your early experiences with credit card fraud at your security company?

Scott Schober: Yeah, I'd be happy to. My story, and what I'm finding, too, is not necessarily that different than many other small business owners. What perhaps I'm finding is more different is many small businesses and medium size business owners are somewhat reluctant to share the fact that they actually have had a breach within their company.
And oftentimes, because they perhaps are embarrassed or maybe there's a brand that they don't wanna have tarnished, they're afraid customers won't come back to the well and purchase products or services from them. In reality... And I talk about this often about breaches, pretty much every week now, trying to educate and share my story with audiences and I always take a poll. And I am amazed, almost, now, everybody raises their hand that they've had some level of having their business compromised or personally compromised be it a debit card or credit card. So, it's something now that resonates, and a lot more people realize that it's frequent, and it almost becomes commonplace. And another card gets issued, and they have to dispute charges, and write letters, and go through the wonderful procedure that I've had to do. I think, with myself, it's happened more frequently unfortunately because, again, sharing tips and how-to and best practices with individuals, it kinda gets the hackers a little bit annoyed and they like to take on a challenge to see if they could be disruptive or send a message to those that are educating people how to stay safe, because obviously it makes their game a lot harder. And I'm not alone, I'm in good company with a lot of other security experts out there and in the cyber world that had been targeted. And we all share war stories and we've always got the target on our back, I guess it's safe to say. And with myself, it started with debit card, credit card, then eventually the checking account. Sixty-five thousand dollars was taken out. And I realized this was not just a coincidence. This is a targeted, focused attack against me, and it really hasn't stopped since. I wish I could say it has, but every week I'm surprised with something I find.

Andy Green: Right.

Scott Schober: Very scary. I have to just keep reinforcing what we're doing in making it safer to run our business and protect ourselves and our assets.

Andy Green: Right.
So, I was wondering if you had just some basic tips because I know you talked a lot...you had some credit card fraud early on. But some basic advice for companies that are using credit cards or e-commerce. Is there something like an essential tip in terms of dealing with credit card processing?

Scott Schober: Yeah, yeah, absolutely. There's actually a couple things that I always share with people. Number one, a lot of it has to do with how well do you manage your finances, and this is basic 101 finances. When you have a lot of credit cards, it's hard to manage and hard to keep on top of looking at the statements or going online and making sure that there's no fraudulent activity. Regular monitoring of statements is essential. I always emphasize, minimize the number of cards you use. Maybe it's one card that you use, perhaps a second card you use for online purchases. Again, so it could be very quickly isolated and cleaned up if there is a compromise. It's ironic, the other day I was actually presenting at a cyber security show and I was about to go up on stage and my wife called me in a panic. She has one credit card in her own name that she took out many years ago, and she says, "You won't believe it, my card was compromised. How could this happen?" So here it is, I'm preaching to my own family and she's asking me how it happened. She was all embarrassed and frustrated. It's because if we're not regularly monitoring the statement and not careful where we're shopping, we just increase the odds. It's a numbers game. So, really, minimizing and being very careful where we shop, especially online. If we shop for the best price, the best bargain, oftentimes there will be a site with the cheapest price, that's a telltale sign there's gonna be stolen credit card there. Go to name brand stores online, you have a much, much more successful chance that you're not gonna be compromised with your credit card.

Andy Green: Right.
So, that's actually some good advice for consumers, but what about for vendors because as a company, you were taken advantage of. I think I have a note here of $14,000 charge?

Scott Schober: You're exactly right, yes. That's a little different. That particular charge, just to clarify, that was somebody that was purchasing our equipment and provided a stolen credit card to purchase equipment. So there the challenge is how do you vet somebody that provides... Somebody that you don't see face-to-face or don't know personally, especially in another country, how do you make sure that that customer's legit? And I've done a couple simple things to do that. In fact, I had one earlier today, I actually did. Number one, pick up the phone and ask a lot of questions, verify that they are who they say they are, what their corporate address is. Make sure you're talking to a person in the accounting department if it's a larger company. Try to vet them and make sure they're legit, go online and see. And there are fake websites and there are fake company profiles and things. But sometimes crisscrossing, you do a quick Google search, go onto LinkedIn and see if you see that same person and their title, what their background. Does it kind of jive with what you're hearing on the phone and what you're reading in the email? It's very, very important. Do your due diligence even if it takes you five or ten extra minutes. You could prevent a breach and save yourself a lot of hassle and a lot of money.

Andy Green: Right. So, would a small business like yours be held liable if you don't do that due diligence, or does the credit card company protect you if you do the due diligence and then there turns out to be a fraudulent charge?

Scott Schober: Great question. Unfortunately, the laws greatly protect the buyer, the consumer. There's a lot less laws in place to protect the business owner. And I found that out the hard way, in some cases, in talking to other business owners.
Really hard to get your money back, where the second that there's a dispute, that money comes out of the account and goes into an account between the two parties till it can actually be settled or arbitrated. And it's usually a series, you each have two shots of writing a letter and trying to show your case, so on and so forth. In a case where I had been given fraudulent stolen credit cards from somebody that actually had a lawnmower shop, in that particular case, the money went out of our account, went into this other account, and I said right away, "Honestly..." I said, "I didn't realize these were fraudulent charges," they immediately went back into the other person's account. So, the person that was compromised fortunately they got their money back and I felt good that small business owner wasn't duped or stuck. The problem I had was the fact we shipped the goods and almost lost them. So, we got hit with some shipping bills and things like that, but it was more the lesson I learned that was powerful. Spend that time up front, even if it costs you a little bit of money, to save the potential that you're receiving fraudulent charges. The card companies, the credit card companies that accept it, yes, there are some basic checks that they do. If it's in, like the United States, they'll do a zip code check or address check, very basic. They really don't validate for you 100% that that card is not compromised. There's not enough checks and balances in place, or security that can say, "Hey." And really, what does it do, the onus goes back to you, on the business owner. Your name is at the bottom of it, signed, that they can go after your company or you personally, depending upon what your agreement is. And most of the credit card agreements, they can go after you personally if something fraudulent happens. So really be aware what you sign on with your credit card processor.

Andy Green: Right, right.
We talk a lot about what they call the PCI credit card industry DSS, Data Security Standard, which is supposed to put companies that store credit card information at a certain security level. And it's been a little bit controversial or people had issues with the standard, I guess vendors. I was wondering if you had any thoughts on that standard? Is that something that you have implemented or you don't store credit card numbers and it's not an issue for you or...?

Scott Schober: I think it's an issue for everyone because to some degree everybody has credit card storage for a period of time. And be it on premise, be it physical, be it a receipt. What we have done beyond what the standard mandate says, we do shred with micro shredder old documents. So, a customer will call me up a week later, a month later, a year later, and I'm gonna say, "I'm sorry, I need to get your credit card again." We do it over the phone, traditionally. We say, "Do not email us. Do not fax us your credit card," even though many people like to do that, there's risks on many fronts obviously why you should not do that. A lot of companies also, you have to keep in mind, it's important to realize that they're storing a lot of their information in the cloud. Claim to be secure, claim to be encrypted, it's a remote server. I always ask the question, "Do you know where the physical location of that server is?" And most people say, "No." "Do you realize that there is redundancy and backup of that?" "Well, no." "And do you realize that somewhere in the process that data may not all be encrypted, as they say?" "No, I didn't realize that." So, to me, I'm very, very cautious. What we do use is for online commerce store, none of the employees within my organization ever see the credit card. And that allows some transparency and, I think, some security. So, you keep it out of our hands, they can buy online.
We never are in possession of their physical credit card, or expiration date, or links to their account. And that, I think, is important that you can keep that level of security, and it actually helps customers. I've had a couple customers say, "You know what, you guys do it right. I can just go online and buy it. There's no extra cost or this or that. It's simple to purchase on your store, and I know nobody's holding that credit card." I say, "Great."

Andy Green: Right, and that's a very typical solution to go to a processor like that.

Scott Schober: Exactly.

Andy Green: Although some of them have been hacked, and...

Scott Schober: True, true, that is very true.

Andy Green: But, yeah, that is a very typical solution. And then I... Reading your book, going back to your book, "Hacked Again," there's a series of hacks. I guess it started out sort of with credit cards, but over the years you also experienced a DDoS attack. So, I was wondering if you can tell us a little bit about that. It sounds like one of the earlier ones, and just how you became suspicious and how your ISP responded?

Scott Schober: Yeah, that's an interesting one. And again, I think especially in light of just what happened the other week, a lot more people can understand what in the world that acronym, DDoS means. And we learned it firsthand a while back, and so the pain of it... Having an online commerce store that in the past few years we've grown... And we'll typically do maybe $40,000 to $50,000 in commerce per month on our online store, so it's an important piece of revenue for a small business. When you start to find that your store is very spotty and having problems, and people cannot buy, and it's not one or two people, but you start getting the phone calls, "Hey, I can't process an order. I can't access your store. I'm being denied. Is there something wrong?" "Gee, that's funny. Let me try. Wait a second, what's wrong? Let's call the ISP, let's call..."
And we started digging in and finding out there's waves of periods over a time that we've been out. None of these were prolonged, wasn't like we were out for an entire week. There's short bursts of an hour at a time, perhaps, that we've been out. What we did was we got actually some monitoring hardware in place so we can actually look at the traffic and look at the specific content, payload that is sent. And sure enough, classic DDoS attack by analyzing the garbage coming over. So, I always encourage companies, if you are having problems, number one, contact your ISP. They can do some analysis. If you may have to go above and beyond that if the problem keeps happening... We eventually had to change everything that we did, unfortunately from our website, or our host, our ISP. We have a dedicated server now with hardware at the server. We have hardware here before our firewall as well. Again, layers of security, that starts to minimize all the problems. And ironically, we actually receive a lot more DDoS attacks now than we ever did, but we're actually blocking them, that's the good news.

Andy Green: Actually, your servers are on premises and...or you're using them...?

Scott Schober: It's not here physically in our building, but we have a dedicated server, as opposed to most companies, it's usually shared. What starts to happen is you start to now inherit some of the problems that others on your server have. And sometimes the hackers use that as backdoor to have access to you, by getting through what the other guys have. So better to just have a dedicated server, pay the extra money.

Andy Green: Okay, that's right.

    The Psyche of Data

    Feb 25, 2019 21:19


    With data as the new oil, we’ve seen how different companies responded. From meeting new data privacy compliance obligations to combining multiple data anonymized points to reveal an individual’s identity – it all speaks to how companies are leveraging data as a business strategy. Consumers and companies alike are awakening to data’s possibilities and we’re only beginning to understand the psyche and power of data.

    Tool of the Week: Zorp

    Panelists: Cindy Ng, Kilian Englert, Mike Buckbee

    More Scout Brody: Bringing Design Thinking to IoT

    Feb 22, 2019 9:53


    By now, we’ve all seen the wildly popular internet of things devices flourish in pop culture, holding much promise and potential for improving our lives. One aspect that we haven’t seen are IoT devices that are not connected to the internet. In our follow-up discussion, this was the vision Simply Secure's executive director Scout Brody advocates, as current IoT devices don’t have a strong foundation in security. She points out that we should consider why putting a full internet stack on a new IoT device will help an actual user as well as the benefits of bringing design thinking when creating IoT devices.

Transcript

Cindy Ng: I also really liked your idea of building smart devices, IoT devices, that aren't connected to the internet. Can you elaborate more?

Scout Brody: Yes, you know, I like to say, when I'm talking to friends and family about the internet, there are a lot of really interesting, shiny-looking gadgets out there. But as someone who has a background in doing computer security, and also someone who has a background in developing production software in the tech industry, I'm very wary of devices that might live in my home and be connected to the internet. I should say, low power devices, or smaller devices, IoT devices that might be connected to the internet. And that's because the landscape of security is so underdeveloped. We think about where...I like to draw a parallel between the Internet of Things today and desktop computers in the mid-90s. When desktop computers started going online in the 90s, we had all sorts of problems because the operating systems and the applications that ran on those machines were not designed to be networked. They were not designed, ultimately, with a threat model that involved an attacker trying to probe them constantly in an automated fashion from all directions.
And it took the software industry, you know, a couple of decades, really, to get up to speed and to really harden those systems and craft them in a way that they would be resilient to attackers. And I think that based on the botnet activity that we've seen in just the past year, it's really obvious that a lot of the IoT systems that are around the internet full-time today, are not hardened in the way that they need to be to be resilient against automated attacks. And I think that with IoT systems, it's even scarier than a desktop, or a laptop, or a mobile phone because of the sort of inevitable progression toward intimacy of devices. We look at the history of computing. We started out with these mainframe devices or these massive god awful things that lived in the basement of the great universities in this country. And we progressed from those devices through mainframes and, you know, industry through personal computers and now the mobile phones. With each step, these devices have become more integrated into our lives. They have access to more of our personal data and have become ever more important to our sort of daily existence. And IoT really takes us to the next step. It brings these devices not just into our home, but into our kitchens and into our bathrooms, and into our bedrooms, and our living rooms with our children. And the data they have access to is really, frankly, scary. And the idea of exposing that data, exposing that level of intimacy, intimate interaction with our lives, to the internet without the hardening that it deserves, is just really scary. So, that's, you know, a bit of a soapbox, but I'm just very cautious about bringing such devices into my home. However, I see some benefits. I mean, there are certainly...I think that a lot of the devices that are being marketed today with computer smarts in them are, frankly, ridiculous. 
There are ways that we could, sort of, try and mediate their access or mediate a hacker's access to them, such that they were a little less scary. One way to do that is, as you mentioned, and as we discussed before, to not have them be just online. You know, have things be networked via less powerful protocols like Bluetooth low energy, or something like that. That poses challenges when it comes to updating software or having, you know, firmware or software on a device, or having a device being able to communicate to the outside world. If we want to be able to turn our light bulb on the back porch on from our phone when we're 100 miles away, it's difficult. More difficult if the light bulb is only really connected to the rest of our house by Bluetooth, but it's still possible. And I think that's something that we need to explore.

Cindy Ng: Do you think that's where design comes in where, okay, well, now we've created all these IoT devices and we haven't incorporated privacy and security methodologies and concepts in it, but can we...it sounds like we're scrambling to fix things...are we able to bring design thinking, a terminology that's often used in that space, into fixing and improving how we're connecting the device with the data with security and privacy?

Scout Brody: I think so. I mean, I think what's happening today...the sort of, our environment we're in now, people are saying, "Oh, I'm supposed to have smart devices. I want to ship smart devices and sell smart devices because this is a new market. And so, what I'm going to do is, I'm going to take my thermostat, and also my television, and also my light bulb, and also my refrigerator, and also my washer-dryer, and I'm going to just put a full internet stack in them and I'm going to throw them out on the big, bad, internet." Without really stopping to think, what are the needs that actual people have in networking these devices?
Like, what are the things that people actually want to be able to do with these devices? How is putting these devices online going to actually improve the lives of the people who buy them? How can we take these devices and make their increased functionality more than just a sales pitch gimmick and really turn this into something that's useful, and usable, and advances their experience? And I think that we, frankly, need more user research into IoT. We need to understand better what are the needs that people have in their real lives. Say, you want to make a smart fridge. How many people, you know, would benefit from a smart fridge? What are the ways that they would benefit? Who are the people that would benefit? What would that really look like? And based on the actual need, then try and figure out how to...and here's where we sort of switched the security perspective, how do I minimize access? How do I minimize the damage that can be done if this machine is attacked while still meeting the needs that the humans actually have? Is there a way to provide the functionality that I actually know that humans want, that the human people need, without just throwing it on the internet willy-nilly? And I think the challenge there is that, you know, we're in an environment where IoT devices...that the environment is very competitive and everyone is trying to do, sort of, the early mover trying to get their device on the market as soon as possible. We see a lot of startups. We see a lot of companies that don't have any security people. I know we have, sort of, one or two designers who don't have the opportunity to really go in and do research and understand the actual needs of users. And I think, unfortunately, that's backwards.
And until that gets rectified, and you see companies both exploring what it is that people actually will benefit from, and how to provide that in a way that minimizes access, I think that I will continue to be pretty skeptical about putting such devices in my own home.

Cindy Ng: And, so we've spent some time talking about design concepts, and security, and merging them together. How can someone get started? How do they start looking for a UX designer? Is that something that Simply Secure, the nonprofit that you're a part of, can you help in any way?

Scout Brody: Yeah. So, that is actually, kind of, exactly what Simply Secure has set out to do as a nonprofit organization. You know, we recognize that it's important to have this partnership between design and security in order to come up with products that actually meet the needs of people while also keeping them secure and keeping their data protected. And so, Simply Secure works both in a sort of information sharing capacity. We try to, sort of, build a sense of community among designers who are interested in security and privacy topics as well as developers and security folks who are interested in learning more about design. We try to be sort of a community resource. We, on our blog, and our very small but slowly growing GitHub repository, try to share resources that both designers and software developers can use to try and explore and expand their understanding at the intersection of security and design. We actually, as an organization, do ourselves what we call open research and consulting. And the idea here is that an organization, and it can be any organization, either a small nonprofit consortium organization, in which case, you know, we work with them potentially pro bono. Or, a large for-profit tech company, or a startup, in which case we would, you know, try to figure out some sort of consulting arrangement.
But we work with these organizations to help them go through a design process that is simultaneously integrated with their security and privacy process as well. And since we are a nonprofit, we don't just do, sort of, traditional consulting where we go in, do UX research and then come out, you know, with a design that will help the company. We also go through a process of open sourcing that research in such a way that it will benefit the community as a whole. And so the idea here is that by engaging with us, and sort of working with us to come up with a design or research problem...a problem that an organization is having with their software project, they will not only be solving their problem but also be contributing to the community and the advancements of this work as a whole.

    Scout Brody, Ph.D. on Creating Security Systems Usable for All

    Feb 14, 2019, 13:18


    With the spring just a few short weeks away, it’s a good time to clean the bedroom windows, dust off the ceiling fans, and discard old security notions that have been taking up valuable mind space. What do you replace those security concepts with? How about ones that say that security systems are not binary “on-off” concepts, but instead can be seen as a gentle gradient. And where user experiences developed by researchers create security products that actually, um, work. This new world is conceived by Scout Brody, executive director of Simply Secure, a nonprofit dedicated to leveraging user interface design to make security easier and more intuitive to use. “UX design is a critical part of any system, including security systems that are only meant to be used by highly technical expert users,” according to Brody. “So if you have a system that helps monitor network traffic, if it’s not usable by the people who are designed to use it or it’s designed for, then it’s not actually going to help them do their jobs.” In the first part of my interview with Scout Brody, we cover why security systems aren’t binary, the value of user interface designers, and how to cross-pollinate user personas with threat models.

    Transcript

Cindy Ng: Scout Brody has long been passionate about improving the usability of security tools. Rather than a tech and product only mindset, she advocates a human first or empathy first mindset. Processes such as user experience and human centered design can help improve the way humans and security technologies interact. As a former product manager at Google, she worked on projects such as 2-Step Verification and the Android operating system. Now she's an executive director at Simply Secure, a nonprofit dedicated to crafting usable and secure technologies, while making them available to everyone. The cornerstone of your work, Scout, you say consumers abdicate their security and privacy for ease, convenience and because sometimes they're strong-armed into yielding all their personal information in order to download an app or use a piece of technology because that's how technology is being developed. And the way you describe how security and privacy technologies are being developed, that they're not binary concepts but gradient, can you elaborate more on what that means?

Scout Brody: Well, Cindy, I think that as a security professional in our field we tend to think of things in absolutes and we tend to be constantly striving for the ideal. So if you're an I.T. professional working in a corporate environment, you are trying to do your utmost to make the settings as secure as they possibly can be because that's how you define success as a security professional. When it comes to thinking about security for end-users, however, it's important to recognize that not everyone has the same definition of what security they need to meet their needs or what privacy means to them. So one good example might be that you have, say, you know, a government worker who lives in Washington, D.C., and is very concerned they might have what we call in the security business a particular threat model, or they're worried about those people accessing their information for professional purposes. They might be concerned about organized crime or foreign governments or all sorts of different things. And that's a very different threat model than someone who is a stay-at-home dad in Minnesota, for example, who, you know, may not have those same concerns when he's going and posting adorable photos of his kids on Facebook, that that information might be compromised or used to hurt him or his professional life in any way. So I think this notion that there is no one definition of what is secure, but I like to talk about usability and design as being gradient in the same way that security is. So in security, although we tend to think of it as an absolute, when we get down to the practice of security, we very rarely say, "Oh, this system is secure." No, we say, "This system is secure against threats A, B and C," it's secure in the face of a particular threat model. And similarly when you talk about a system being usable or useful to end-users, we have to say, "This is usable and useful to these users in these contexts."

Cindy Ng: I like what you mentioned about threat model and context. Can you provide us an example of how you would align a threat model alongside with the technology you have? What would that look like?

Scout Brody: Well, I think that it depends. I think I want to clarify that when you say design, we're talking not just about a system architecture design but we're really talking about the design of the entire piece of software, including the user interface or, as you like to say on the design side, the user experience or U.X. And a U.X. design, I maintain, is a critical part of any system, including security systems, even security systems that are really only meant to be used by highly technical expert users. So if you have an I.T. system that helps monitor network traffic, if it's not usable by the people who are designed to use it or that it's designed for, then it's not going to actually help them do their job, it's not actually going to be successful as a piece of software. Re-emphasizing that design doesn't just mean architecture design, it may mean design also of the user experience. And I think it's really important when we're looking at the software design process to consider a partnership between the user experience designer and the software designer, including the security expert. So I think that it's important to look at the user experience from a security perspective and to look at the security from a user experience perspective, and that's one of the reasons that we advocate a deep partnership between security folks and user experience folks. That they collaborate on the design of the system from the beginning, that they try to understand one another's priorities and concerns and that they try and sort of use one another's language to talk about those priorities for the system.

Cindy Ng: And when you talk about U.X. design and then design in general, what is the business value of a designer and why is that partnership so critical? Because these days anyone can install Illustrator or Photoshop and start drawing or creating, or you can submit a request online for any kind of artwork to be created and within 24 hours, 48 hours you get what you requested. What's the difference between the kind of design I'm talking about versus a partnership?

Scout Brody: Well, my favorite analogy when talking to security folks about the importance of, you know, high-quality in-house design is to talk about cryptanalysis or cryptographic protocol design. We do not expect that a designer, a user experience designer or even an average sort of layperson software developer will be able to develop a secure cryptographic protocol. We don't say, "Oh, but you know what, I have a terminal window, I've got a text editor, I can write my own cryptographic protocol, I understand prime numbers, I understand, like, the concept of factoring, so therefore I am totally qualified to write a cryptographic protocol." No. We also don't say, "Oh well, but there are freelance people on the internet that I can hire to write my cryptographic protocols for me, so I'm just gonna, you know, outsource this on this site here, I need a protocol that allows me to change it in this way under these parameters. Hey, freelance cryptographer that I met on the internet, that I found on a freelance website, can you design this for me?" No, absolutely not. And why is that? It's because we recognize the value of the expertise that goes into designing a cryptographic protocol. We recognize that there are deep concerns, deep nuances that come to bear when a cryptographic protocol is put into place. There are ways in which it can break that are very hard to predict unless you have a lot of background in designing and analyzing these protocols. Although it's not quite as extreme when you look at U.X. design, because there are certainly, I guess, probably more qualified U.X. designers out there than there are truly qualified cryptographic, you know, cryptographers, it is an important analogy to draw because we don't expect designers to do cryptography, so why do we expect cryptographers or software developers in general to do design? I think that there is that sort of assumption that anyone can do design, anyone can pop open Illustrator and then come out with a user experience that is going to be workable. Or the expectation that you can just hire sort of a freelancer to come in and work for a two-week sprint and put something out for your product really underestimates the importance of the user experience design to the success of your product. I think that you look at all of the ways in which systems fail, security systems in particular, because security's way of talking about this is, "Oh, humans are the weakest link." And I say, "No, it's not that humans are the weakest link, it's that the user interface that you have created or the human policies that you have put in place are broken." And that they're not taking the human system into account in the way that you need to. And that's exactly what U.X. designers can help you do, is understand. U.X. designers and researchers can help you understand the users that are going to be using your system and help you put in place interfaces and human processes that will allow them to be successful in using your system.

Cindy Ng: You mentioned in a previous conversation we had about U.X. designers developing user personas. Can you talk a little bit about why they're used in creating a product you might be building?

Scout Brody: Yeah, so user personas are a handy sort of reference that is created out of a user experience research process. So the idea is that ideally, you know, U.X. designers or researchers have the opportunity to go and spend some quality time talking to people who would ideally be users of the system that's being designed. So if you're designing a system for system administrators, like I mentioned earlier, to do network analysis, you know, ideally you'd have the opportunity to go and actually talk to these people. You know, go see them in their workplace, experience the challenges that they face, the things that they're concerned about, the tools that they use today, what they like about them and what they don't like about them. And ideally you would have the opportunity to talk to a great variety of folks who do these things. And on the upside of this research process, you would have all of this data about the various different people you talked to. And you go through a sort of informal clustering process to try and capture that data in a succinct way so that the user experience designers can then move forward with their design, bearing all of that information in mind. And that sort of abstraction is called a user persona. The idea is that you talk to 20 different system administrators from around the globe and you come out with four or five different user personas that sort of reflect the needs and challenges that those users face. So you might have a user persona named Annabelle, and Annabelle is a very experienced system administrator who is overworked because she has too many meetings and gets too many emails and too many notifications, and is really looking for a system that will help her sort of cut through all of the noise and really identify the important signals. And then you might have a user persona named Jim, and Jim is a more junior system administrator who has the time to really go through and read every single email notification and understand what it means, things like that, and really wants to be able to have lots of detail at his fingertips. So these are two distinct sort of personalities that are based in the actual user research that you did, that help inform your design and end up allowing you to have sort of a shorthand to bear in mind each of these different users' needs as you're going through the process of designing your system. One really interesting and compelling idea that I've come across for the past couple of years is the notion of using user personas instead of cross-pollinating them with threat models. And the idea here is, okay, you are a user experience designer and you have these different user personas that you're using to try and design a system that will work for a great diversity of users, can you also consider the possibility of having user personas for your potential attackers? So if you are working in partnership with your security professional who is working on a project, can you say, "Okay, what are the threats that we think are facing our software?" Okay, we expect that there is going to be an attacker who is sort of a script kiddie persona. That there is going to be an attacker who is a nation-state actor. We expect there is going to be a criminal, you know, organized crime attacker. And what are the different capabilities of these attackers and what is our system going to do, both at the architecture level and at the user experience level, to try and be resilient to these things? And I think it's a sort of interesting way of bringing the expertise and the structure from the two different domains, security and user experience, and working together to highlight the needs and vulnerabilities of a piece of software you're trying to develop and process.

    The Dance Between Governance, Risk Management, and Compliance

    Feb 5, 2019, 23:52


    The combination of business and technology-related challenges and the requirement to meet regulatory compliance obligations as well as managing risk is no easy feat. European officials have been disseminating information on how to prevent online scams, general tips as well as warning signs. Other attorneys have been reflecting on legislative developments to prepare for the year ahead. Meanwhile, businesses like Facebook and Reddit are finding their rhythm as they dance between running their business, meeting compliance requirements and keeping their users’ data safe and secure.

    Privacy Attorney Tiffany Li and AI Memory, Part II

    Jan 28, 2019, 14:10


    Tiffany C. Li is an attorney and Resident Fellow at Yale Law School’s Information Society Project. She frequently writes and speaks on the privacy implications of artificial intelligence, virtual reality, and other technologies. Our discussion is based on her recent paper on the difficulties with getting AI to forget. In this second part, we continue our discussion of GDPR and privacy, and then explore some cutting-edge areas of law and technology. Can AI algorithms own their creative efforts? Listen and learn.

    Guidance for GDPR Right to be Forgotten

Cindy Ng: We continue our discussion with Tiffany Li, who is an attorney and Resident Fellow at Yale Law School's Information Society Project. In part two, we discuss non-human creators of intellectual property and how it could potentially impact the right to be forgotten, as well as the benefits of multi-disciplinary training where developers take a law class and lawyers take a tech class.

Andy Green: So do you think the regulators will have some more guidance specifically for the GDPR right to be forgotten?

Tiffany Li: The European regulators typically have been fairly good about providing external guidance outside of regulations and outside of decisions. Guidance documents that are non-binding have been very helpful in understanding different aspects of regulation. And I think that we will have more research done. What I would love to really see, though, is more interdisciplinary research. So one problem I think that we have in law generally, in technology law, is the sort of habit of operating in a law-and-policy-only silo. So we have the lawyers, we have the policymakers, we have the lobbyists, everyone there in a room talking about, for example, how we should protect privacy. And that's wonderful and I've been in that room many times. But what's missing often is someone who actually knows what that means on the technical end. For example, all the issues that I just brought up are not in that room with the lawyers and policymakers really, unless you bring in someone with a tech background, someone who works on these issues and actually knows what's going on. So this is something that's not just an issue with the right to be forgotten or just with EU privacy law, but really any technology law or policy issue. I think that we definitely need to bridge that gap between technologists and policymakers.

    AI and Intellectual Property

Cindy Ng: Speaking of interdisciplinary, you recently wrote a really interesting paper on AI and intellectual property, and you describe the future dilemmas of what might arise in IP law specifically involving works by non-human creators. And I was wondering if you can introduce to our listeners the significance of your inquiry.

Tiffany Li: So this is a draft paper that I've been writing about AI and intellectual property. Specifically, I'm looking at the copyrightability of works that are created by non-human authors, which could include AI, but could also include animals, for example, or other non-human actors. Getting back to that same difference I mentioned earlier, where we have one from an AI that is simply machine learning and super advanced statistics, and we have one from an AI that may be something close to a new type of intelligence. So my paper looks at this from two angles. First, we look at what current scholarship says about who should own creative works that are created by AI or non-humans. And here we have an interesting issue. For example, if you devise an AI system to compose music, which we've seen in a few different cases, the question then is who should own the copyright or the IP rights generally over the music that's created? One option is giving it to the designer of the AI system on the theory that they created a system which is the main impetus for the work being generated in the first place. Another theory is that the person actually running the system, the person who literally flipped the switch and hit run, should own the rights because they provided the creative spark behind the art or the creative work. So other theories prevail or exist right now. Some people say that there should be no rights to any of the work because it doesn't make sense to provide rights to those who are not the actual creators of the work. Others say that we should try to figure out a system for giving the AI the work. And this of course is problematic because AI can't own anything. And even if it could, even if we get to the world where AI is a sentient being, we don't really know what they want. We can't pay them. We don't know how they would prefer to be incentivized for their creation, and so on. So a lot of these different theories don't perfectly match up with reality. But I think the prevailing ideas right now are either to create a contractual basis for figuring this out. For example, when you design your system, you sign a contract with whoever you sell it to that lays out all the rights neatly in the contract so you bypass the legal issue entirely. Or think of it as a work-for-hire model. Think of the AI system as now just an employee who is simply following the instructions of an employer. In that sense, for example, if you are an employee of Google and you develop something, you develop a really great product, you don't own the product, Google owns that product, right? It's under the work-for-hire model. So that's one theory. And what my research is finding is that none of these theories really makes sense because we're missing one crucial thing. And I think the crucial point they're missing really goes back to the very beginnings of why we have copyright in the first place, or why we have intellectual property, which is that we want to incentivize the creation of more useful work. We want more artists, we want more musicians, and so on. So the key question then, if you look at works created by non-humans, isn't, you know, if we can contractually get around this issue; the key question is what we want to incentivize. Whether we want to incentivize work in general, art in general, or if for some reason we think that there's something unique about human creation, that we want humans to continually be creating things, and those two different paradigms I think should be the way we look at this issue in the future. So it's a little high level, but I think that that's an interesting distinction that we haven't paid enough attention to yet when we think about the question of who should own intellectual property for works that are created by AI and non-humans generally.

Andy Green: If we give AIs some of these rights, then it almost conflicts with the right to be forgotten because now you would need the consent of the AI?

Tiffany Li: Sure. That's definitely possible. We don't know. I mean, we don't have AI citizens yet except in Saudi Arabia.

Andy Green: I've heard about that, yeah.

Cindy Ng: So since we're talking about AI citizens, if we do extend AI citizens to have intellectual property rights, does it mean that they get other kinds of rights? Such as freedom of speech and the right to vote, or is that not a proper approach or way to think about it? Are we treading in science fiction movies that we've been where humans are superior to a machine? I know we're just kind of playing around with ideas, but it will be really interesting to hear your insights especially... It's your specialty.

Tiffany Li: No problem. I mean, I'm in this field because I love playing around with those ideas. Even though I do continually mention that there is that division between the AI we have now and that futuristic sentient AI, I do think that eventually we will get there. There will be a point where we have AI that can think, for a certain definition of thinking, that can think at least at the level of human beings. And because those intelligent systems can design themselves, it's fairly easy to assume that they will then design even more intelligent systems. And we'll get to that point where there will be super intelligent AIs who are more intelligent than humans. So the question they ask then I think is really interesting. It's the concept of whether we should be giving these potential future beings the same rights that we give human beings. And I think that's interesting because it gets down to really a philosophical question, right? It's not a question about privacy or security or even law. It's the question of what we believe is important on a moral level, and it's who we believe to be capable of either having morals or being part of a moral calculus. So in my personal opinion, I believe if we do get to that point, if there are artificially intelligent beings who are as intelligent as humans, who we believe to be almost exactly the same as humans in every way in terms of having intelligence, being able to mimic or feel emotion, and so on, we should definitely look into expanding our definition of citizenship and fundamental rights. I think, of course, there is the opposite view, which is that there is something inherently unique about humanity and there's something unique about life as we see it right now, biological, carbon-based life as we see it right now. But I think that's a limited view and I think that that limited view is not something that really serves us well if you consider the universe as a whole and the large expanse of time outside of just these few millennia that humans have been on this earth.

    Multidisciplinary Training

Cindy Ng: And to wrap up and to bring all our topics together, I wanna bring it back to regulations and technology and training, and I'd like to continue our play thinking with the idea that developers who create technology, if we should require training so that they take principles such as right to be forgotten, privacy by design, and you even mentioned the moral obligation for developers to consider all of these elements because what they'll be creating will ultimately impact humans. And I wonder if they could get the training that we require of doctors and lawyers so that everyone is working from the same knowledge base. Could you see that happening? And I wanted to know what your opinions are on this.

Tiffany Li: I love that mode of thought. I think that in addition to lawyers and policymakers needing to understand more from technologists, I think that people working in tech definitely should think more about these ethical issues. And I think that it's starting, we're starting to see a trend of people in the technology community thinking about really how their actions can affect the world at large. And that may be partially in the mainstream news right now because of the reaction to the last election and to ideas such as fake news and disinformation and so on. But we see the tech industry changing and we're accepting somewhat the idea that maybe there should be responsibility or ethical considerations built into the role of being a technologist. So what I like to think about is just the fact that regardless of whether you are a product developer or you are a privacy officer or you're a lawyer at a tech company per se, for example, regardless of what role you have, every action that you make has an impact in the world at large. And this is something that, you know, maybe is giving too much moral responsibility to the day-to-day actions of most people. But if you consider that any small action within a company can affect the product, and any product can then affect all the users that it reaches, you kind of see this easy scaling up of your one action to an effect on the people around you, which can then affect maybe even larger areas and possibly the world. Which is not to say, of course, that we should live in fear of having to decide every single aspect of our lives based on the greater impact on the world. But I do think it's important to remember that, especially if you are in a role in which you're dealing with things that might have really direct impact on things that matter, like privacy, like free speech, like global idealistic human rights values, and so on. I think it's important to consider ethics and technology, definitely. And if we can provide training, if we can make this part of the product design process, if we can make this part of what we expect when hiring people, sure. I think it would be great. Adding it to the curriculum, adding a tech or information ethics course into the general computer science curriculum, for example, would be great. I also think that it would be great to have a tech course for the law school curriculum as well. Definitely both sides can learn from each other. We do in general just need to bridge that gap.

Cindy Ng: So I just wanted to ask if you had anything else that you wanted to share that we didn't cover? We covered so many different topics.

Tiffany Li: So I'd love to take a moment to introduce the work that I'm currently doing. I'm a Resident Fellow at Yale Law School's Information Society Project, which is a research center dedicated to different legal issues involving the information society as we know it. I'm currently leading a new initiative which is called the Wikimedia and Yale Law School Initiative on Intermediaries and Information. This initiative is funded by a generous grant from the Wikimedia Foundation, which is the nonprofit that runs Wikipedia. And we're doing some really interesting research right now on exactly what we just discussed, on the role of tech companies, but particularly these information intermediaries or these social media platforms and so on. These tech companies and their responsibilities or their duties, towards users, towards movements, towards governments, and possibly towards the world and larger ideals. So it's a really interesting new initiative and I would definitely welcome different feedback and ideas on these topics. So if people want to check out more information, you can head to our website. It's law.yale.edu/isp. And you can also follow me on Twitter @Tiffany, T-I-F-F-A-N-Y-C-L-I. So I would love to hear from any of your listeners and love to chat more about all of these fascinating issues.

    Reflecting on Breaches, Scams and Fake Everything

    Jan 4, 2019, 26:55


    On the last week of the year, the Inside Out Security panelists reflected on the year’s biggest breaches, scams and fake everything. And is computer security warfare? Well, it depends on who you ask. A 7th grader trying to change her grades isn’t an enemy combatant. But keep in mind, as another argues, “There's an opponent who doesn't care about you, doesn't play by the rules, and wants to screw you as fully as possible.”

    Panelists: Cindy Ng, Mike Buckbee, Kilian Englert, Kris Keyser

    Privacy Attorney Tiffany Li and AI Memory, Part I

    Jan 1, 2019, 11:31


    Tiffany C. Li is an attorney and Resident Fellow at Yale Law School’s Information Society Project. She frequently writes and speaks on the privacy implications of artificial intelligence, virtual reality, and other technologies. Our discussion is based on her recent paper on the difficulties with getting AI to forget. In this first part , we talk about the GDPR's "right to be forgotten" rule and the gap between technology and the law. Consumer Versus Business Interests Cindy Ng Tiffany Li is an attorney and resident fellow at the Yale Law School Information Society Project. She is also an expert on privacy, intellectual property, law and policy. In our interview we discuss the legal background in GDPR's right to be forgotten, the hype and promise of artificial intelligence, as well as her paper, "Humans forget, machines remember." The right to be forgotten, it's a core principle in the GDPR, where a consumer can request to have their personal data be removed from the internet. And I was wondering if you can speak to the tension between an individual's right to privacy and a company's business interest. Tiffany Li So the tension between the consumer right to privacy and a company's business interest really happens in many different spaces. Specifically, here we're wrote about the right to be forgotten, which is the concept that an individual should be able to request that data or information about them be deleted from a website or a search engine, for example. Now, there's an obvious tension there between a consumer's rights or desire to have their privacy unstated and the business or the company's business interest in having information out there and also in decreasing the cost for compliance. 
Before the right to be forgotten in particular, there is that interesting question about whether or not we should be protecting the personal privacy rights of whoever's requesting that their information be deleted, or should we protect this concept that the company should be able to control the information that they provide on their service, as well as a larger conceptual ideal of having free speech and free expression and knowledge out there on the internet. So one argument outside of this consumer versus business tension, one argument really is simply that the right to be forgotten goes against the values of speech and expression, because by requesting that your information or information about you be taken down, you are in some ways silencing someone else's speech. AI and the Right to Be Forgotten Andy Green Right. So, Tiffany, I wanted to  follow up a little bit. I was wondering if you can give some of the legal background behind the GDPR's right to be forgotten, specifically referring to the Spain versus Google case that you mentioned in your paper on AI and the right to be forgotten. Tiffany Li The main important case that we discuss the right to be forgotten is the Spanish case that started in 2010. In that year, a Spanish citizen, along with the Spanish DPA, the Data Protection Agency, sued both the Spanish newspaper as well as Google, the American internet company that is now part of Alphabet. So the Spanish citizen argued that Google infringed on his right to privacy because the Google search results included information related to things that he didn't want to be in the public realm any longer. That's the basic legal framework. Eventually, this case went up to the ECJ, which in 2014 ruled in favor of the Spanish citizen and against Google. Essentially, what they ruled was that the right to be forgotten was something that could be enforced against search engine operators. Now, this wasn't a blanket rule, indicating a few searching conditions. 
    A few conditions have to be met in order for search engine operators to be forced to comply with the right to be forgotten, and there are various exceptions that apply as well. And I think what's interesting really is that even then people were already discussing this tension that we mentioned before: both the tension between consumer rights and business interests but also the tension between privacy in general and expression and transparency. So it goes all the way back to 2010, and we're still dealing with the ramifications of that decision now.

    Andy Green: Right. So one thing about that decision that maybe a lot of people don't understand is that the Spanish newspaper that originally ran this story still has that content. The court decided, and correct me if I'm wrong, that that had to be still available. It's just that Google's search page results could not show it.

    Tiffany Li: Yes. I think that there have been instances in a few other cases that have had similar past patterns, and there has been discussion of, you know, whether we can actually force newspapers to delete their archives. I know one person mentioned this, and really, what to me is kind of frightening framing, that the right to be forgotten, taken to an ultimate endpoint, would essentially mean burning newspaper archives. Especially coming from an American point of view. You know, I'm in the U.S., where free speech is a sacrosanct thing. That is incredibly frightening to think about; the idea that any individual could control what's kept as part of the news media and what's kept as part of our history is a little worrisome. And of course, the right to be forgotten has many conditions on it and it's not an ultimate right without, you know, anything protecting all these values we discussed. But I think it should be mentioned that there are consequences, and if we take anything to an extreme, the consequences become, well, extreme.

    Andy Green: Extreme, right.
    So I'm wondering if you can just explain a little bit about what the right to be forgotten specifically requires of companies.

    Tiffany Li: An interesting distinction that I discussed, my coauthors and I discussed in our paper on the right to be forgotten and artificial intelligence, is that the law back in 2010, as well as the law that is upcoming, the GDPR in 2018, the law does not really define what it means to comply with the right to be forgotten. So they mention removing records and erasing records, but this isn't really clearly defined in terms of technical aspects, you know, how to actually comply. And it's especially an issue with current databases and with artificial intelligence and big data in general. We don't know if the law means that you have to delete a record, you have to override a record, you have to replace the record with a null value, you have to take away the data file, the data point from the record in general. We don't know what this means. Companies aren't told how to comply. They're just told that they absolutely have to, which is problematic.

    Cindy Ng: So deleting is not just as simple as dragging a file to the trash can or clicking delete. I'd like to pivot to artificial intelligence. There's a lot of excitement and promise of artificial intelligence, and I'm wondering if you can set the stage by highlighting a few benefits and risks and then linking it back to your specific interest in artificial intelligence and the right to be forgotten.

    Tiffany Li: So broadly speaking, I think that artificial intelligence definitely is the way of the future. And I don't wanna over-hype it too much because I know that right now AI is such a buzzword. It's included really in any discussion that anyone has about the future, right? On the other hand, I also don't believe that AI is this, you know, horrible monster that will eventually lead to the end of humanity as some people have put it. I think right now we're dealing with two things.
    We're dealing with maybe a soft AI. So, advanced machine learning, or really what I call AI as being just very advanced statistics, right? We have that kind of artificial intelligence that can train itself, that can learn, that can create better algorithms based on the algorithms that it's programmed with and the data that we give it. We have that form of artificial intelligence. We do not yet have that form of super intelligent AI. We don't have, you know, the Terminator AI. That doesn't exist yet and we're not anywhere close to that. So take a step back a little bit. Get away from that idea of the super intelligent sentient AI who is either a God or a monster, and get back to what AI is right now.

    Andy Green: So Tiffany, in your recent paper on AI and the right to be forgotten, you talk about AI apps as they are now and you describe how it's not so easy to erase something from its memory.

    Tiffany Li: In our paper, we look at a few different case scenarios. I think the first issue to bring up is what I already mentioned, which is simply that there is no definition of deletion. So it's difficult to understand what it means to delete something, which means that in the case of the right to be forgotten, it seems like legislators are treating this as analogous to a human brain, right? We want the right to be forgotten from the public eye and from the minds of people around us. Translating that to machine intelligence though doesn't quite make sense because machines don't remember or forget in the same way that people do. So if you forget something, you can't find a record of it in your brain, you can't think of it in the future. If you want a machine to forget something, or an artificial intelligence system, you can do a number of things, as I mentioned. You can override the specific data point, replace it with a null value, delete it from the record, delete it in your system index and so on. So that's one issue, right?
    There's no definition of what deletion means, so we don't really know what forgetting means. I think another issue, if we take a step back, if we think about machine learning algorithms and artificial intelligence, you consider any personal information as part of the training data that is used to train an AI system. If your personal information, for example, if you committed a crime and the fact of that crime and your personal information are linked to that crime, and put into an algorithm that determines the likelihood of any human being to become a criminal. So after adding in your data, that AI system then has a slight bias towards believing that people who may be similar to your various data points may be more likely to commit a crime, by a very slight bias. So when that happens, after that, if you request for your data to be removed from the system, we get into kind of a quandary. If we just remove the data record, there's a possibility of affecting the entire system because the training data that the algorithm was trained on is crucial to the development of the algorithm and the development of the AI system.

    Andy Green: Yep.

    Tiffany Li: So there's that first question of, can we even do this? Is this possible? Will this negatively affect these AI systems? Will this actually protect privacy, right? Because if you delete your data on a system that's already been trained on your data, then there may still be a negative effect on you. And the first basic goal of this right to be forgotten might not be accomplished through these means. I know there's a long list of questions, but those are a few issues that we're thinking of when we consider the problem of artificial intelligence in contrast with the right to be forgotten and with privacy in general. There's a lot that hasn't been figured out, which makes it a little problematic that we're legislating before we know really the technical ways to comply with legislation.
    Andy Green: That's really fascinating, how the long-term memory that's embedded in these rules, that it's not so easy to erase once you...

    When IT, Data and Security Collide

    Play Episode Listen Later Dec 24, 2018 27:57


    The CIO is responsible for using IT to make the business more efficient. Meanwhile, the CISO is responsible for developing and executing a security program that’s aimed at protecting enterprise systems and data from both internal and external threats. At the end of the day, the CISO makes security recommendations to the CIO, who has the final say. Perhaps it’s time that the CISO gets a seat at the table. Meanwhile, good Samaritans such as Chris Vickery and Troy Hunt help companies find leaked data and hope the company seals the leak before cybercriminals find it.

    Other articles discussed:
    Donald Knuth, the Yoda of Computer Programming
    ISP blocks internet: on purpose or because it was law?
    Email’s evolution
    Earn a CPE with a live Varonis Cyber Attack Workshop

    Panelists: Cindy Ng, Kilian Englert, Mike Buckbee, Matt Radolec

    #2018inFiveWords [Regarding Our Security Landscape]

    Play Episode Listen Later Dec 20, 2018 24:55


    We need to do better. Exhausting. Dramatic. That’s how the Inside Out Security panelists described our 2018 security landscape. We see the drama unfold weekly on our show and this week was no different. As facial recognition software becomes more prevalent, we’re seeing it used in security to protect even the biggest stars like Taylor Swift. Her security team set up a kiosk replaying rehearsal highlights. Meanwhile, onlookers who stopped were cross-checked against their database of stalkers. What a stealthy way to protect one of our favorite singers in the world! And here’s a story that’s less wholesome. A few years ago, we thought it was a major threat when ransomware gained prominence. Cybercriminals upped the ante and threatened victims with a note that someone had planted bombs in the building unless a bitcoin ransom was paid. Kris is right, we do need to do better. Kilian is right, it’s all exhausting.

    Tool of the Week: BloodHoundAD

    Panelists: Cindy Ng, Kilian Englert, Mike Buckbee, Kris Keyser

    Other articles discussed:
    How data transformed the NBA
    Android malware tricks use PayPal to steal funds

    A Spotlight on Technology's Dilemma

    Play Episode Listen Later Dec 14, 2018 33:27


    There’s a yin and yang to technology. For instance, we exchange our data for convenience and ease. Unfortunately Facebook is getting most of the blame, when many companies collect many points of data as the default setting. Meanwhile, as quickly as diligent security pros are eager to adopt and advance security solutions with biometrics, cybercriminals are equally determined to thwart these efforts.

    Other articles discussed:
    • Google’s plan to mitigate bias in their algorithm
    • Australia approves bill, requiring tech companies to provide data upon request

    Security and Privacy are Joined at the Hip

    Play Episode Listen Later Nov 20, 2018 31:55


    We’ve completed almost 100 podcast panels and sometimes it feels like we’re talking in circles. Over the years, the security and privacy landscape has gotten more complex, making baseline knowledge amongst industry pros ever more important. Old concepts are often refreshed into current foundational security concepts. Technological advancements as well as declines also bring forth new challenges. When there’s a decline, we need to reserve the right to change our strategy. For years, users were blamed and labeled as the enemy, but our infrastructure wasn’t built with security in mind. So, perhaps the weakest link in cybersecurity isn't human, but the infrastructure. When there are advancements, security and privacy need to be baked in from the very beginning. Concerns are already arising with DNA and fitness testing kits as well as what constant surveillance is doing to our brains.

    Other articles discussed:
    BGP mishap redirects traffic to a state sponsored site
    Cybersecurity prime minister has never used a computer before

    What New Tech Can Learn From Old Tech

    Play Episode Listen Later Nov 14, 2018 22:33


    Passwords are easy to use. Everyone knows how they work. However, many security pros point out the inherent design flaw in passwords as a safe form of authorization and authentication. The good news is that we can reflect upon what old technologies can teach new technologies as we’re creating new products and services. One vital concern to keep in mind is terms and conditions, particularly with DNA ownership rights.

    Other articles discussed:
    How did Iran find CIA spies? They Googled It

    Panelists: Cindy Ng, Kilian Englert, Forrest Temple, Matt Radolec

    Troy Hunt: The Modern State of Insecurity (Part Three)

    Play Episode Listen Later Nov 6, 2018 13:16


    Troy Hunt, creator of “Have I been pwned”, gives a virtual keynote that explores how security threats are evolving - and what we need to be especially conscious of in the modern era. In this keynote, you’ll learn:
    Real world examples of both current and emerging threats
    How threats are evolving and where to put your focus
    How to stem the flow of data breaches and protect against malicious activity
    and much more!

    Transcript

    Cindy Ng: Troy Hunt is a world-renowned web security expert known for public education and outreach on security topics. And we recently invited Troy to give a keynote on the modern state of insecurity.

    Troy Hunt: So, let's move on and talk a little bit about detection, because this is another interesting thing where we're seeing adversaries within environments, or data breaches having occurred, and then long periods of time passing before anyone realizes what's going wrong. And I think probably one of the most canonical examples of long lead time for detection is Sony Pictures. So, if everyone remembers Sony Pictures, this was back in about 2014. Folks came into the office one day, sat down at their PC and got, this is what appeared on the screen. Hacked by GOP, Guardians of Peace. Evidently not so peaceful. And then you can see a whole bunch of hyperlinks down at the bottom as well. And this was Sony's data. And the data that was leaked was massively extensive. So, the attackers claimed that they'd been in the network for a year and taken about 100 terabytes of data. I've not seen anything to verify it was quite that long or quite that much, but what we do know is that there was a huge amount of data taken. So, things like unreleased films, sensitive internal emails, some of those emails caused a huge amount of embarrassment because they were disparaging towards Obama, which wasn't a great move. Also, things like employee data with social security numbers, and they're kind of important in the U.S.
    And one of the things that I find really fascinating about those three different classes of data, the unreleased films, sensitive internal emails, and employee data, is that it's not like these are just all sitting on a shared folder somewhere. They're not there in one location. These are the sorts of assets, particularly in a large organization, like Sony Pictures, which would have been distributed into very, very different corners of the organization. So, it's from all over the place. And someone's had enough time to go and retrieve very large amounts of data from different locations within the network, exfiltrate them, and then eventually upload them to those locations. So, this was really devastating. And it's really interesting now to look at just how much stuff is exposed in organizations which causes things like this. So, I'll give you a bit of an example here. Varonis produced a report earlier this year, "The 2018 Global Data Risk Report". And they found that 21% of all folders in an organization are open to everyone. So, if you're in a corporate environment, just have a look around you, like have a look at just how much stuff is open. I spent a lot of years in a corporate environment. And I would see this all the time, folders that were open to everyone. And why do people do it? Well, because it's easy. They're taking the shortcuts. Fifty-eight percent of those have over 100,000 folders open to everyone. A hundred thousand folders that are open to everyone. Now, obviously, these are large organizations. And of course the larger the organization, the harder it is to manage this sort of stuff as well. But that is just a staggeringly high number. So, I remember back in my corporate role, some of you know where that was, I would find these open folders. And I'd go to my leadership and I'd say, "Look, we've got a lot of open folders. Like we've got to stop doing this. This is going to work out badly." And the fix was always to secure the folder.
    And what this ultimately was, it was always just treating the symptom. It's like, "Hey, we found something. It's been open, let's close it." And I would drive and drive and drive to say, "Look, there is an underlying root cause which is causing these folders to be opened in the first place." And then what it boiled down to was a whole bunch of people having the ability to open them in the first place that shouldn't have. A whole bunch of people had server admin rights to places they shouldn't have. And those are harder problems to solve. But if your only means of detection is some bloke having a browse around the network in spare time and finding too much stuff open, well, then that's probably not a good place to be in. So, we're saying way too much stuff, way too open, for way too long. So, time and time again in running "Have I Been Pwned", I find that I'm the vector by which organizations learn of a data breach. And this shouldn't be the way. Very often, this is very large amounts of data as well. This can be many tens of gigabytes worth of data that someone has sent me. And I've got to go to the organization and say, "Hey look, I've got your data. I think this is yours. You should do something with it." I'm in the middle of about half a dozen disclosures right now. And one of them is tens of gigabytes with the log files. And those log files include things like emails. Some of them are disparaging. I'll leave it at that. I'm not quite sure how this will pan out yet. But Troy Hunt should not be your disclosure. This is not the way you want it to work. So, these organizations really need to do a better job at the ability to detect when data is flying out of their networks in abnormal ways. And if we go back and have a look at some of the really notable recent incidents, you can see just how much data we're talking about. So, LinkedIn is a good example.
    So, often when I do talks, I talk about "Have I Been Pwned." And I'll ask the audience, "So, say who was in LinkedIn?" And there's always, "I hate the people in LinkedIn" because there are 165 million records there, including mine, unfortunately. Now, the thing is their data breach happened in 2012. And back in 2012, they did actually acknowledge it. They said, "Look, we've, we've had a cyber thing, we don't think it's too bad." I think at the time, they thought it might've been something like 5 million records, not too bad. And then four years passed, so for four years, someone had all this data. SHA-1 hashed passwords too. So, pretty trivial to crack those. In fact, I was speaking to someone at an event just yesterday in Sydney and they said, "Look, they'd gone through and managed to crack about 98% of them." So, for all intents and purposes that cryptographic storage was absolutely useless. So, four years between incident and detection. Dropbox, another popular one a lot of people have been in, including me. And again, the same sort of time frames. So, the incident happened in 2012. It took four years before they realized what actually happened and just how bad it was. In fact, as I understand it, and bear with me here, the way the Dropbox data breach went down was Dropbox employees storing a backup of Dropbox data in their Dropbox and then their Dropbox got broken into. It's all very meta. But apparently, that was what happened. But four years before we learned about the incident. Another one. Also another one that I was in. This is not an intentional thing, I've just been in a lot of data breaches. Disqus. So, someone reached out to me last year and said, "Look, I've got the Disqus data. There's about 18 million records in here." And I had a look at it and it looked very legitimate. And then I found my own data. And incidentally, finding your own data in a data breach makes verification a lot easier.
    Actually, my number one blog post ever is titled "The Dropbox hack is real." And it was number one, I think, because I managed to get verification out there very early. And the way I verified it is that I had one password, generated password. So, it's just like 40 or 50 crazy random characters. And there was a bcrypt hash in the database. And when I passed in that crazy random string of password, it matched, go go, there we go. So, good. So, Disqus looked legitimate and I had to reach out to them. And that was the first they knew of it. They said, "Look, you know, we weren't aware of any incident, certainly not an incident dating back three years." And they verified it. And then had to go through the disclosure process. And again, like these organizations, your organization, you really don't want to get emails from me. It's not a good day usually. Imgur was the last one as well. So, Imgur was like last year as well. Slightly after Disqus and very, very similar sorts of time frame. Now, fortunately, there are only 1.7 million records. And I think that that was only that small because it dated back to a point which was pretty early for that. So, they managed to sort of dodge a bit of a bullet. But, you know, even still, four years passing from almost 2 million records being breached to when they actually realize it. So, clearly, we've got a problem with detection. And I think that's really, really sort of worthwhile everyone thinking about. If you did have malicious activity happen within your internal network or within your website, would you actually be able to identify anomalous behavior? And would you be able to identify it, or is the first you're going to know about it when you get an email from me? So, moving on, the money pit is an interesting one. Now, this is kind of a little bit delicate. Because there's obviously a lot of companies out there selling a lot of security things.
And the trick that organizations have today is they are just absolutely bombarded by messaging. If any of you have been to any of the big security shows, particularly something like RSA in San Francisco, it's just absolute bedlam with security companies everywhere selling cyber things. And it's very, very hard. In fact, I'm very sympathetic to organizations who are trying to make decisions about, how are we going to protect our company? Because everywhere they look there is a cyber-something. And I'll give you a few examples of this. There are cyber enablement services. You can go and buy cyber-enablement. There are cyber innovation services. That's also a thing here. You can go and buy cyber innovation services. There are even cyber matrix services. You can buy into the cyber matrix. Not quite sure what it is, but it is out there. And just to make the point that they are actually all genuine services that are out there. Have a Google for them. There are 27,000 cyber enablement results out there. Fifty-two thousand cyber innovation. And if we go all the way down to matrix there's going on 44,000 cyber matrix results. And you might be looking at this going, where on earth do they get these terms from? Like is this something they just make up? It's not really something I made up, but it's something you can make up. Because every one of these came out of the bullshit generator. There is literally a website. You can see the URL up there on the top right. And I know that everyone now wants to go there because it's actually really cool. So, you go there and you can make bullshit. And what it does is it combines a verb, an adjective, and a noun. And all I did is, I just went and took a bunch of those and added them after cyber and we got the results we saw before. So, that's actually kind of cool. So, you just go through and you make new terms, repurpose interactive readiness, I can barely even say that one. You go through and streamline next-generation functionalities. 
This is a real service. Give this to your marketing people, they will love it. It will drive you nuts but they'll love it. And like this was meant to be a little bit tongue in cheek, but the very fact that I could go here and generate terms of the actual things that people are selling sort of demonstrates the point of how difficult it is for those actually having to make decisions about where they spend their cyber dollar. So, moving on, let's just wrap up a few takeaways here from what we've just looked at and then we'll go through and do some questions. So, thinking back to the conventional risks, we still have the same fundamental underlying problems today as we did many, many years ago. We've also got a whole bunch of new ones as well. And particularly thinking about conventional risk, things like risks in the humans are still massive. We've really not put much of a dent in phishing attacks. You know, a great example, we've still got this conventional vulnerability, which is the organic matter sitting at the keyboard, and we haven't been able to solve it yet. The monetization side of things as well. So, many of the old monetization strategies still apply today. They've just been streamlined because we've got cryptocurrency and email and internet, which we didn't have when these things started out. And of course, monetization also goes all the way through to the organizations that are...I was going to say defending against these attacks. I'm not sure if that's a fair representation of professional data recovery, but certainly playing in that ecosystem. The supply chain bit I think is really fascinating. And the bit that we looked at was really just this sort of embedding of external services. It doesn't touch on all the libraries that we're dependent on or all the other things that go into modern-day software. But this is becoming a problem. And that's before we even get into things like the hardware supply chain. So, where does your hardware come from? 
    Do you trust that party? And there's certainly some very interesting things going on at the moment that cast some really massive doubts about where we can trust our equipment to come from. So, have a think about all the different bits and pieces that go into modern-day applications and indeed into physical infrastructure as well. On the detection side of things, I sort of metaphorically posed the question for us and said, "Look, how well equipped are you to detect if there's large amounts of data being exfiltrated from your network or from your website?" And in fairness, this is a nontrivial problem as well. This is not an easy thing, but it's an important thing. Because again, as I said a couple of times, like you really don't want to be getting emails from me. You especially don't want to see like a tweet from me saying, "Do you have a security contact at your company?" This is not the way you want your detection to work. Much better to detect it quietly and try and stop it before it happens in the first place. And finally, that piece on the money pit. And again, I have this huge amount of sympathy for organizations that are having to make decisions today about where they spend their money. Particularly when there are a bunch of infosec companies out there who are claiming that they will solve all your problems with this one shiny thing. Because of course, the one shiny thing is a very attractive thing to the people that hold the purse strings in a lot of organizations, who very frequently aren't the technical folks but are wowed by flashy presentations. And I just had a flashback to my corporate life for another moment and day. So, they're the five takeaways from the talk, but I hope that they, if nothing else, sort of give you food for thought about what's going on with your applications in your environment today. ...

    Data Privacy Attorney Sheila FitzPatrick on GDPR

    Play Episode Listen Later Oct 31, 2018 15:50


    We had a unique opportunity in talking with data privacy attorney Sheila FitzPatrick. She lives and breathes data security and is a recognized expert on EU and other international data protection laws. FitzPatrick has direct experience in representing companies in front of EU data protection authorities (DPAs). She also sits on various governmental data privacy advisory boards. During this first part of the interview with her, we focused on the new General Data Protection Regulation (GDPR), which she says is the biggest overhaul in EU security and privacy rules in twenty years. One important point FitzPatrick makes is that the GDPR is not only more restrictive than the existing Data Protection Directive—breach notification, impact assessment rules—but also has far broader coverage. Cloud computing companies, no matter where they are located, will be under the GDPR if they are asked to process personal data of EU citizens by their corporate customers. The same goes for companies (or controllers in GDPR-speak) outside the EU who directly collect personal data – think of any US-based e-commerce or social networking company on the web. Keep all this in mind as you listen to our in-depth discussion with this data privacy and security law professional.

    Transcript

    Cindy Ng: Sheila FitzPatrick has over 20 years of experience running her own firm as a data protection attorney. She also serves as outside counsel for NetApp as their chief privacy officer, where she provides expertise in global data protection compliance, cyber security regulations, and legal issues associated with cloud computing and big data. In this series, Sheila will be sharing her expertise on GDPR, PCI compliance, and the data security landscape.

    Andy Green: Yeah, Sheila. I'm very impressed by your bio and the fact that you've actually dealt with some of these DPAs and EU data protection authorities that we've been writing about.
    I know there's been, so the GDPR will go into effect in 2018, and I'm just wondering what sort of the biggest change for companies, I guess they're calling them data controllers, in dealing with DPAs under the law. Is there something that comes to mind first?

    Sheila FitzPatrick: And thank you for the compliment by the way. I live and breathe data privacy. This is the stuff I love. GDPR... I mean, is certainly the biggest overhaul in 20 years, when it comes to the implication of new data privacy regulations. Much more restrictive than what we've seen in the past. And most companies are struggling because they thought what was previously in place was strict. There's a couple things that stick out when it comes to GDPR, is when you look at the roles of the data controller versus the data processor. In the past many of the data processors, especially when you talk about third party outsourcing companies and any particular cloud providers, have pushed sole liability for data compliance down to their customers. Basically, saying you decide what you're going to put in our environment, you have responsibility for the privacy and security aspects. We basically accept minimal responsibility. Usually, it's around physical security. The GDPR now is going to put very comprehensive and very well-defined regulations and obligations in place for data processors as well, saying that they can no longer flow responsibility for privacy compliance down to their customers. And if they're going to be... even if they... oftentimes, cloud providers will say, "We will comply with the laws in countries where we have our processing centers." And that's not sufficient under the new laws. Because if they have a data processing center, say, in the UK, but they're processing the data of a German citizen or a Canadian citizen or someone from Asia Pacific, Australia, New Zealand, they're now going to have to comply with the laws in those countries as well. They can't just push it down to their customers.
The other part of GDPR that is quite different and it's one of the first times it's really going to be put into place is that it doesn't just apply to companies that have operations within the EU. It is basically any company regardless of where they're located and regardless of whether or not they have a presence in the EU, if they have access to the personal data of any EU citizen they will have to comply with the regulations under the GDPR. And that's a significant change. And then the third one being the sanction. And the sanction can be 20,000,000 euro or 4% of your global annual revenue, whichever is higher. That's a substantial change as well. Andy Green Right, So that's some big, big changes. So you're referring to I think, what they call 'territorial scope'? They don't have to necessarily have an office or an establishment in the EU as long as they are collecting data? I mean we're really referring to social media and to the web commerce, or e-commerce. Sheila FitzPatrick Absolutely, but it's going to apply to any company. So even if for instance you say, "Well, we don't have any, we're just a US domestic company", but if you have employees in your environment that hold EU citizenship, you will have to protect their data in accordance with GDPR. You can't say, well they're working the US, therefore US law applies. That's not going to be the case if they know that the individual holds citizenship in the EU. Andy Green We're talking about employees, or...? Sheila FitzPatrick Could be employees, absolutely. Employees... Andy Green Anybody? Sheila FitzPatrick Anybody. Andy Green Isn't that interesting? I mean one question about this expanded territorial scope, is how are they going to enforce this against US companies? Or not just US, but any company that is doing business but doesn't necessarily have an office or an establishment? Sheila FitzPatrick Well it can be... 
see what happens under GDPR is any individual can file a complaint with the ports in basically any jurisdiction. They can file it at the EU level. They can file with it within the countries where they hold their citizenship. They can file it now with US courts, although the US courts... and part of that is tied to the new privacy shield, which is a joke. I mean, I think that will be invalidated fairly quickly. With the whole Redress Act, it does allow EU citizens to file complaints with the US courts to protect their personal data in accordance with EU laws. Andy Green So, just to follow through, if I came from the UK into the US and was doing transactions, credit card transactions, my data would be protected under EU law? Sheila FitzPatrick Well, if the company knows you're an EU citizen. They're not going to necessarily know. So, in some cases if they don't know, they're not going to held accountable. But if they absolutely do know then they will have to protect that data in accordance with UK or EU law. Well, not the UK... if Brexit goes through, the EU law won't matter. The UK data protection act will take precedence. Andy Green Wow. You know it's just really fascinating how the data protection and privacy now is just so important. Right, with the new GPDR? For everybody, not just the EU companies. Sheila FitzPatrick Yeah, and its always been important, it's just the US has a totally different attitude. I mean the US has the least restrictive privacy laws in the world. So for individuals that have really never worked or lived outside of the US, the mindset is very much the US mindset, which is the business takes precedence. Where everywhere else in the world, the fundamental right to privacy takes precedence over everything. Andy Green We're getting a lot of questions from our customers the new Breach Notification rule... Sheila FitzPatrick Ask me. Andy Green ...in the GDPR. I was wondering if you could talk about... 
What are one the most important things you would do when you discover a breach? I mean if you could prioritize it in any way. How would you advise a customer about how to have a breach response program in a GDPR context? Sheila FitzPatrick Yeah. Well first and foremost you do need to have in place, before a breach even occurs, an incident response team that's not made up of just the IT. Because normally organizations have an IT focus. You need to have a response team that includes IT, your chief privacy officer. And if the person... normally a CPO would sit in legal. If he doesn't sit in legally, you want a legal representative in there as well. You need someone from PR, communications that can actually be the public-facing voice for the company. You need to have someone within Finance and Risk Management that sits on there. So the first thing to do is to make sure you have that group in place that goes into action immediately. Secondly, you need to determine what data has potentially been breached, even if it hasn't. Because under GDPR, it's not... previously it's been if there's definitely been a breach that can harm an individual. The definition is if it's likely to affect an individual. That's totally different than if the individual could be harmed. So you need to determine okay, what data has been breached, and does it impact an individual? So, as opposed to if company-related information was breached, there's a different process you go through. Individual employee or customer data has been breached, the individual, is it likely to affect them? So that's pretty much anything. That's a very broad definition. If someone gets a hold of their email address, yes, that could affect them. Someone could email them who is not authorized to email them. So, you have to launch into that investigation right away and then classify the data that has been any intrusion into the data, what that data is classified as. Is it personal data? Is it personal sensitive data? 
And then rank it based on is it likely to affect an individual? Is it likely to impact an individual? Is it likely to harm an individual? So there could be three levels. Based on that, what kind of notification? So if it's likely to affect or impact an individual, you would have to let them know. If it's likely to harm an individual, you absolutely have to let them know and the data protection authorities know. Andy Green And the DPA, right? So, if I'm a consumer, the threshold is... in other words, if the company's holding my data, I'm not an employee, the threshold is likely to harm or likely to affect? Sheila FitzPatrick Likely to affect. Andy Green Affect. Okay. That's a little more generous in terms of... Sheila FitzPatrick Right. Right. And that has changed, so it's put more accountability on a company, because you know that a lot of companies have probably had breaches and have never reported them. So, because they go oh well, there was no Social Security Number, National Identification number, or financial data. It was just their name and their address and their home phone number or their cell phone. And the definition previously has been well, it can't really harm them. We don't need to let them know. And then all of a sudden people's names show up on these mailing lists. And they're starting to get this unsolicited marketing. And they can't determine whether or not... how did they get that? Was it based on a breach or is it based on trolling the Internet and gathering information and a broker selling that information? That's the other thing. Brokers are going to be impacted by the new GDPR, because in order to sell their lists they have to have explicit consent of the individual to include their name on a list that they're going to sell to companies. Andy Green Alright. Okay. So, it's quite consumer friendly compared to what we have in the US. Sheila FitzPatrick Yes. Andy Green Is there sort of new rules about what they call sensitive data? 
And if you're going to process certain classes of sensitive data, you need approval from the... I think at some point you might need approval from the DPA? You know what I'm referring to? I think it's the... Sheila FitzPatrick Yes. Absolutely. I mean, that's always been in place in most of the member states. So, if you look at the member states that have the more restrictive data privacy laws like Germany, France, Italy, Spain, Netherlands, they've always had the requirement that you have to register the data with the data protection authorities. And in order to collect and transfer outside of the country of origination any sensitive data, it did require approval. The difference now is that any personal data that you collect on an individual, whether it's an employee, whether it's a customer, whether it's a supplier, you have to obtain unambiguous and freely given explicit consent. Now this is any kind of data, and that includes sensitive data. Now the one difference with the new law is that there are just a few categories which are truly defined as sensitive data. That's not what we think of sensitive data. We think of like birth date. Maybe gender. That information is certainly considered sensitive under... that's personal data under EU law and everywhere else in the world, so it has to be treated to a high degree of privacy. But the categories that are political/religious affiliation, medical history, criminal convictions, social issues and trade union membership: that's a subset. It's considered highly sensitive information in Europe. To collect and transfer that information is going to now require explicit approval not only from the individual but from the DPA. Separate from the registrations you have done. Andy Green So, I think what I'm referring to is what they call the Impact Assessment. Sheila FitzPatrick Privacy Impact Assessments have to be conducted now anytime... and we've always... 
Anytime I've worked with any company, I've implemented Privacy Impact Assessments. They're now required under the new GDPR for any collection of any personal data. Andy Green But sensitive data... I think they talked about a DNA data or bio-related data. Sheila FitzPatrick Oh no. So, what you're doing... What happened under GPDR, they have expanded the definition of personal data. And so that not the sensitive, that's expanding the definition of personal data to include biometric information, genetic information, and location data. That data was never included under the definition of personal data. Because the belief was, well you can't really tie that back to an individual. They have found out since the original laws put in place that yes you can indeed tie that back to an individual. So, that is now included into the definition. Andy Green In sort of catching up a little bit with that technology? Sheila FitzPatrick Yeah. Exactly. But part of what GPDR did was it went from being a law around processing of personal data to a law that really moves you into the digital age. So, it's anything about tracking or monitoring or tying different aspects or elements of data together to be able to identify a person. So, it's really entering into the digital age. So, it's trying to catch up with new technology. Andy Green I have one more question on the GDPR subject. There's some mention in the law about sort of outside bodies can certify...? Sheila FitzPatrick Well, they're talking about having private certifications and privacy codes. Right now, those are not in place. The highest standard you have right now for privacy law is what's call Binding Corporate Rules. And so companies that have their Binding Corporate rules in place, there's only less than a hundred companies worldwide that have those. And actually, I've written them for a number of companies, including Netapp has Binding Corporate rules in place. That is the gold standard. 
If you have BCRs, you are 90% compliant with GDPR. But the additional certifications that they're talking about aren't in place yet. Andy Green So, it may be possible to get a certification from some outside body and that would somehow help prove your... I mean, so if an incident happens and the DPA looks into it, having that compliance should help a little bit in terms of any kind of enforcement action? Sheila FitzPatrick yes, it certainly will once they come up with what those are. Unless you have Binding Corporate Rules. But right now... I mean if you're thinking something like a trustee. No. there is no trustee certification. Trustee is a US certification for privacy, but it's not a certification for GDPR. Andy Green Alright. Well, thank you so much. I mean these are questions that, I mean it's great to talk to an expert and get some more perspective on this.

    Disguises, Online and Offline

    Play Episode Listen Later Oct 30, 2018 27:54


    Learning about the CIA’s tips and tricks on disguising one’s identity reminded us that humans are creatures of habit and, over a period of time, reveal predictable behavioral patterns, which are presented as biometric data. As a result, businesses can leverage and integrate these data points with their operations and sales process. For instance, businesses are buying data about one’s health and also creating patents to measure a user’s pulse and temperature. Others are learning about the psychology of a user and making it difficult for the user to cancel a service.
    Other articles discussed:
    A trolley problem’s ethical dilemma
    Humans, not algorithms, hired to curate Apple News
    Panelists: Cindy Ng, Kris Keyser, Mike Buckbee, Sean Campbell

    If You Can’t Build In Security, Build In Accountability

    Play Episode Listen Later Oct 25, 2018 37:16


    Vulnerability after vulnerability, we’ve seen that there’s no perfect model for security. Hence, the catchphrase, “If you can’t build in security, then build in accountability.” But history has also shown that even if there was enough political will and funding, consumers aren’t interested in paying a huge premium for security when a comparable product with the features they want is available much more cheaply. Will that theory hold when it comes to self-driving cars? At the very least, safety should be a foundational tenet. What’s the likelihood that anyone would enter a self-driving car knowing that a number of things could go wrong?
    Other articles discussed:
    Students pay with their data for free coffee
    Financial institutions that sell your data
    Panelists: Cindy Ng, Kris Keyser, Kilian Englert

    Troy Hunt: The Modern State of Insecurity (Part Two)

    Play Episode Listen Later Oct 17, 2018 10:31


    Troy Hunt, creator of “Have I been pwned”, gives a virtual keynote that explores how security threats are evolving - and what we need to be especially conscious of in the modern era. In this keynote, you’ll learn:
    Real world examples of both current and emerging threats
    How threats are evolving and where to put your focus
    How to stem the flow of data breaches and protect against malicious activity
    and much more!

    Transcript

    Cindy Ng: Troy Hunt is a world-renowned web security expert known for public education and outreach on security topics. And we recently invited Troy to give a keynote on the modern state of insecurity.

    Troy Hunt: Then moving on, another one I think is really fascinating today is to look at the supply chain, the modern supply chain. And what we're really talking about here is what are the different bits and pieces that go into modern-day applications? And what risks do those bits and pieces then introduce into the ecosystem? There's some interesting stats which help set the scene for why we have a problem today. And the first that I want to start with, the average size of a webpage, just over 700 kilobytes in 2010. But over time, websites have started to get a lot bigger. You fast forward a couple of years later and they're literally 50% larger, growing very, very fast. Go through another couple of years, now we're up to approaching 2 megabytes. Get through to 2016 and we're at 2.3 megabytes. Every webpage is 2.3 megabytes. And when you have a bit of a browse around the web, maybe just open up the Chrome DevTools and have a look at the number of requests that come through. Go through on the application part of the DevTools, have a look at the images. And have a look at how big they are. And how much JavaScript, and how many other requests there are. And you realize not just how large pages are, but how the composition is made up from things from many, many different locations.

So, we've had this period of six years where we've tripled the average size of a webpage. And of course, ironically, during that period we've become far more dependent on mobile devices as well. Which very frequently have less bandwidth or more expensive bandwidth, particularly if you're in Australia. So, we've sort of had this period where things have grown massively in an era where we really would have hoped that maybe they'd actually be a little bit more efficient. The reason I stopped at 2016 is because the 2.3-megabyte number is significant. And the reason it's significant is because that's the size of Doom. So, remember Doom, like the original Doom, like the 1993 Doom, where if you're a similar age to me or thereabouts, you probably blew a bunch of your childhood, when you should've been doing homework, just going through fragging stuff with the BFG. So, Doom was 2.3 megabytes. That's the original size of it. And just as a reminder of the glory of Doom, remember what it was like. You just wander around these very shoddy-looking graphics, but it was a first-person shoot-em-up. There were monsters, and aliens, and levels, and all sorts of things. Sounds. All of that went into two floppy disks and that's your 2.3 megabytes. So, it's amazing to think today when you go to a website, you're looking at the entire size of Doom, bundled into that one page, loaded in the browser. Now, that then leads us into where that all goes. So, let's consider a modern website. The U.S. Courts website. And I actually think it's a pretty cool-looking government website. Most government websites don't look this cool. But, of course, to make a website look cool, there's a bunch of stuff that's got to go into it. So, if we break this down by content type, predictably images are large. You've got 1.1 megabytes worth of images, so almost half the content there is just images. The one that I found particularly fascinating though, when I started breaking this apart, is the script.

Because you've got about 3/4 of a megabyte worth of JavaScript. Now keep in mind as well, JavaScript can be very well optimized. I mean, we should be minimizing it. It should be quite efficient. So, where does 726 kilobytes worth of script go? Well, one of the things we're seeing with modern websites is that they're being composed of multiple different external services. And in the case of the U.S. Courts website, one of those web services is BrowseAloud. And BrowseAloud is interesting. So, this is an accessibility service made by a company called Texthelp. And the value proposition of BrowseAloud is that if you're running a website, and accessibility is important to you... and just to be clear about what we mean by that, if someone is visually impaired, if maybe English is their second language, if they need help reading the page, then accessibility is important. And accessibility is particularly important to governments because they very often have regulatory requirements to ensure that their content is accessible to everyone. So, the value proposition of a service like BrowseAloud is that there's this external thing that you can just embed on the site. And the people building the site can use all their expertise to sort of actually build the content, and the taxonomy, and whatever else of the site. They just focus on building the site and then they pull in the external services. A little bit like we're pulling in an external library. So, these days there's a lot of libraries that go into most web applications. We don't go and build all the nuts and bolts of everything. We just throw probably way too much jQuery out there. Or other themes that we pull from other places. Now, in the case of BrowseAloud, it begs the question, what would happen if someone could change that ba.js file? And really where we're leading here is that if you can control the JavaScript that runs on a website, what would you do?

If you're a bad dude, what could you do, if you could modify that file? And the simple answer is that once you're running JavaScript in the browser and you have control over that JavaScript, there is a lot you can do. You can pull in external content, you can modify the DOM. You can exfiltrate anything that can be accessed via client script. So, for example, all the cookies, you can access all the cookies as long as the cookies aren't flagged as HttpOnly. And guess what? A lot of them which should be, still are. So, you have a huge amount of control when you can run arbitrary JavaScript on someone else's website. Now, here's what went wrong with the BrowseAloud situation. So, you've got all of these websites using this exact script tag, thousands of them, many of them government websites. And earlier this year, Scott Helme discovered that the ICO, the Information Commissioner's Office in the UK, so basically the data regulator in the UK, was loading this particular JavaScript file. And at the top of this file was some script which shouldn't be there. And if you look down at about the third line and you see Coinhive, you start to see where all of this has gone wrong. Now, let's talk about Coinhive briefly. So, everyone's aware that there is cryptocurrency and there is cryptocurrency mining. The value proposition of Coinhive... and you can go to coinhive.com in your browser. Nothing bad is going to happen. You can always close it. But bear with me, I'll explain. So, the value proposition of coinhive.com is, you know how people don't like ads. You know, because you get a website, and there's tracking, and they're obnoxious, and all the rest of it. Coinhive believe that because they don't like ads, but you might still want to monetize your content, what you can do is you get rid of the ads, and you just run a crypto miner on people's browser. And what could go wrong?

And in fairness, if there's no tracking and you're just chewing up a few CPU cycles, then maybe that is a better thing, but it just feels dirty. Doesn't it? You know, like if you ever go to a website and there's a Coinhive crypto miner on there, and they usually mine Monero, and you see your CPU spiking because it's trying to chew up cycles to put money in someone else's pocket, you're going to feel pretty dirty about it. So, there is a valid value proposition for Coinhive. But unfortunately, when you're a malicious party, and there's a piece of script that you can put on someone else's website, and you can profit from it, well then obviously, Coinhive is going to be quite attractive to you as well. So, what we saw was this Coinhive script being embedded into the BrowseAloud JavaScript file, then the BrowseAloud JavaScript file being embedded into thousands of other websites around the world. So, U.S. Courts was one. U.S. House of Representatives was another. I mentioned the Information Commissioner's Office, the NHS in Scotland, the National Health Service, so all of these government websites. Now, when Scott found this, one of the things that both of us found very fascinating about it is that there are really good, freely accessible browser security controls out there that will stop this from happening. So, for example, there are content security policies. And content security policies are awesome because they're just a response header, and every single browser supports them. And a CSP lets you say, "I would like this browser to be able to load scripts from these domains and images from those domains." And that's it. And then if any script tries to be loaded from a location such as coinhive.com, which I would assume you're not going to whitelist, it gets blocked. So, this is awesome. This stops these sorts of attacks absolutely dead. The adoption of content security policies... all the sites not using it, that's about 97%.

So, it's about a 3% adoption rate of content security policies. And the reason why I wanted to flag this is because this is something which is freely accessible. It's not something you go out and spend big bucks on a vendor with. When I was in London at the Infosecurity EU Conference, loads of vendors there selling loads of products, and many of them are very good products, but also a lot of money. And I'm going, "Why aren't people using the free things?" Because the free things can actually fix this. And I think it probably boils down to education more than anything else. Now, interestingly, if we go back and look at that U.S. Courts website, here's how they solved the problem. So, they basically just commented it all out, and arguably this does actually solve the problem. Because if you comment out the script, and someone modifies it, well, now it's not a problem anymore. But now you've got an accessibility problem. I actually had people, after I've been talking about this, say, "Oh, you should never trust third-party scripts. You should just write all this yourself." This is an entire accessibility framework with things like text to speech. You're not going to go out and write all that yourself. You've actually got to go and build content. Instead, we'd really, really like to see people actually using the security controls to be able to make the most of services like this, but do so in a way that protects them if anything goes wrong. Now, it's interesting to look now at sites that are still embedding BrowseAloud but are doing so with no CSP. And in case anyone's wondering, no Subresource Integrity as well. So, things like major retailers, there are still US government sites, there are still UK government sites. And when I last looked at this, I found a UK transportation service as well. Exactly the same problem.

And one of the things that sort of makes me lament is that even after we have these issues where we've just had an adversary run arbitrary script in everyone's browser, and let's face it, just Coinhive is dodging a bullet. Because that is a really benign thing in the scope of what you could have done if you could have run whatever script you wanted in everyone's browser. But even after all that, these services are still just doing the same thing. So, I don't think we're learning very well from previous incidents. ...

    Troy Hunt: The Modern State of Insecurity (Part One)

    Play Episode Listen Later Oct 10, 2018 8:34


    Troy Hunt, creator of “Have I been pwned”, gives a virtual keynote that explores how security threats are evolving - and what we need to be especially conscious of in the modern era. In this keynote, you’ll learn:
    Real world examples of both current and emerging threats
    How threats are evolving and where to put your focus
    How to stem the flow of data breaches and protect against malicious activity
    and much more!

    Transcript

    Cindy Ng: Troy Hunt is a world-renowned web security expert known for public education and outreach on security topics. And we recently invited Troy to give a keynote on the modern state of insecurity.

    Troy Hunt: Where I'd like to start this talk is just to think briefly about some of these, sort of, conventional threats that we've had, and in particular some of the ways in which some of the just absolute fundamentals of InfoSec we're still struggling with today just as we were yesterday. And I wanted to kind of set a bar, and this will be... as you will see in a moment, it's kind of like a very, very low bar. And then we'll have a look at some of the newer things. I was looking around for examples and I actually... it's always nice to talk about something in your own country where you've come from, so I wanted to try and find an example that showed where that bar was. And very fortuitously, not so much for them, we had a little bit of an incident with CommBank. CommBank are pretty much the largest bank in the country, certainly one of our big four banks. As part of our royal commission into banking at the moment, where all the banks are coming under scrutiny, there was a little bit of digging done on the CommBank side and they discovered that there had actually been an incident which they needed to disclose. One of the reasons it's fascinating is because banks are, sort of, the bastions of high levels of security.

So we have this term, we literally have a term, bank-grade security, which of course people imply means very, very good security, not always that way but that's the expectation. So CommBank had to disclose a bit of an incident where they said, "Look, we're decommissioning a data center, moving from one data center to another, and as part of the decommissioning processes, what we needed to do was take all the tapes with the customer data on them and send them for destruction." And what they've done is they've loaded all of the tapes up onto a truck. I've got some file footage, here's the Commonwealth Bank truck. So all of the tapes are on the truck, the truck's driving along, they're taking all the data from this one data center and they're going to go and securely destroy it. Now, there's about 12 million customer records on the back of the truck, and it's driving along and it turns out they may have put just a few too many datas on the truck and some of it fell off. And this was the disclosure, like, there was some data that was lost, it might have fallen off the back of the truck. And there was literally a statement made by the auditors, I think it was KPMG that audited them, they said, "Forensic investigators hired to assess the breach retraced the route of the truck to determine whether they could locate the drives along the route but were unable to find any trace of them." And I just find it fascinating that in this era of high levels of security in so many ways and so much sophistication, we're still also at the point where data is literally falling off the back of a truck. Not metaphorically, but literally falling off the back of a truck. Possibly. They couldn't find it again, so maybe it didn't fall off, but those were the headlines we were faced with a few months ago.

So it's interesting to sort of keep that in mind and you'll see other, sort of, analogous things to data falling off the back of a truck, perhaps in a more metaphorical sense, every single day online. I mean, the canonical one at the moment is data exposed in open S3 buckets. Going back to late 2016, early last year, it was constantly data in exposed MongoDBs with no passwords on them. So we're leaving data lying all over the place, either digitally or potentially even physically in the case of CommBank. Now, moving back towards some more sort of traditional InfoSec threats as well, one of the interesting things to start thinking about here is the monetization pipeline. So what are the ways in which our data gets monetized? And this is where, I think, the history is quite interesting as well, because we often think about things like ransomware as being a very modern-day problem. Particularly, I think, last year was probably a bit of a peak for ransomware news, just seeing consistently everything from hospitals to police departments to you name it was getting done by ransomware. We're seeing this happen all the time and we do think of it as a modern internet-driven problem, but ransomware also goes back a lot further than that as well. And this was the AIDS Trojan. This dates all the way back to 1989 and this was ransomware which would encrypt the C drive and you'd need to have a private key in order to unlock the contents of the drive. There was no bitcoin, of course, you've got to get an international money order, make it payable to PC Cyborg Corporation, and then all you do is you just send it off to this location in Panama. Imagine this as well, right, you would have had to actually put the check in an envelope and then it would go by trucks and planes and boats, and whatever else, eventually get there and then, I guess, they would open it and cash the money and then maybe send you back a key.

It sounds like a lot of labor, doesn't it, compared to ransomware today? But this was a thing, so there was ransomware going back 30 years. Now, of course, it didn't distribute via the internet in the late '80s, it distributed via envelopes and this was literally shipped around, I guess in this case, on like a 5.25-inch floppy disk, quite possibly. And you'd get this in the mail, and maybe this was like the olden-day equivalent of finding a USB in a car park, you know? Like, something just turns up and you think, "Oh, this will be interesting, chuck this in and see what happens." But this was a problem decades ago and it's still a problem today, and this sort of speaks to the point of the modern state of insecurity is very much like what it was many years ago as well. But of course, due to the internet and due to the rise of cryptocurrencies, the whole thing just works far more efficiently, at least on behalf of those breaking into systems. But what this also does is creates a bit of an economy, and there's an economy around ransomware, not necessarily just for bad guys, because by encrypting devices, and of course many organizations not having appropriate backups, it also leads to an economy in organizations that would help you get your data back: Proven Data Recovery, or PDR, 97.2%. And that is a pretty impressive success rate, because we often think of ransomware as being very effective, and very often it is very effective, it's good crypto that you actually need the key for. And occasionally we see smart researchers manage to break that and provide keys publicly to people, but very frequently it's very effective ransomware that's hard to get access to. So it makes you wonder how an organization like this manages to achieve such a high success rate. And we did actually learn how they achieved it. The FBI said subsequent investigation confirmed that PDR was only able to decrypt the victims' files by paying the subject the ransom amount via Bitcoin.

And this is kind of another one of these really multifaceted issues which I struggle with mentally. And I'll explain why. On the one hand, I struggle with the fact that someone is paying ransoms, because I think within all of us we don't want to feel like you ever should pay the bad guys, because if you pay the bad guys they're just going to continue being bad and it legitimizes their business. On the other hand, I can also understand why organizations get really desperate as well. We've certainly seen a lot of ransoms paid and almost, unfortunately, we've seen data recovered as a result of that. So the economics of paying the ransom are often very good on the victims' behalf, regardless of where it sits morally with you. But because the economics are also very good, it legitimizes organizations like PDR that were charging people the ransom to get their files back. And I'd actually be curious to know, if you're gonna pay the equivalent of the ransom anyway, why would you pay PDR, why wouldn't you just pay the bad guys? And I suspect that maybe it comes back to that sort of moral high ground, we don't want to legitimize the business, let's pay a professional data recovery organization to get the data back for us, and then we get the end result without sort of legitimizing the business. And I think the bit here that sits really badly with people is that there was obviously some level of deceit going on here where PDR was saying, "Look, we'll get your data back for you." And then they just went and paid the ransom. I would imagine that they actually mark up the ransom as well because they've got to have a margin on this thing, either that or they somehow managed to negotiate it. So that's a sort of curious indictment of where we're at today insofar as we've had ransomware for decades, it's still here, different problems now but still very, very effective in creating this other ecosystem around monetization.

    How CISOs Explain Security to the C-Suite

    Play Episode Listen Later Oct 3, 2018 30:23


    After the latest Microsoft Ignite conference, the enduring dilemma of how CISOs explain security matters to the C-Suite bubbled to the surface again. How technical do you get? Also, when the latest and greatest demos are given at one of the world’s most premier technology shows, it can be easy to get overwhelmed with fancy new tools. What’s more important is to remember the basics: patching, least privilege, incident response, etc.
    Other articles discussed:
    Engineer fined for not disclosing a vulnerability responsibly
    Young Mirai botnet authors avoid jail time
    Is public shaming bad security a good idea?
    Tool of the week: cspparse - A tool to evaluate Content Security Policies
    Panelists: Cindy Ng, Kilian Englert, Matt Radolec, Mike Buckbee

    Computational Biologist and Founder of Protocols.io, Lenny Teytelman (Part two)

    Play Episode Listen Later Sep 25, 2018 10:41


    Reminder: it's not "your data".
    It's the patients' data
    It's the taxpayers' data
    It's the funder's data
    -----------------
    If you're in industry or self-fund the research & don't publish, then you have the right not to share your data. Otherwise, it's not your data.
    — Lenny Teytelman (@lteytelman) July 16, 2018
    We continue our conversation with Protocols.io founder Lenny Teytelman. In part two of our conversation, we learn more about his company and the use cases that made his company possible. We also learn about the pros and cons of mindless data collection, when data isn’t leading you in the right direction and his experience as a scientist amassing an enormous amount of data.

Transcript

Lenny Teytelman: I am Lenny Teytelman, and I am a geneticist and Computational Biologist by training. I did graduate school in Berkeley and then postdoctoral research out at MIT. And since 2012, I have been the co-founder and CEO of Protocols.io, which is a GitHub Wikipedia-like central repository of research recipes. So for science methods detailing what exactly scientists have done.

Cindy Ng: Welcome Lenny. Why don't you tell us a little bit more about what you do at Protocols and some of the goals and use cases?

Lenny Teytelman: So I had no entrepreneurial ambitions whatsoever. Actually, I was in a straight academic path as a yeast geneticist driven just by curiosity in the projects that I was participating in. And my experience out at MIT as a postdoc was that literally, the first year and a half of my project went into fixing just one step of the research recipe of the protocol that I was using. Instead of a microliter of a chemical, it needed five. Instead of an incubation for 15 minutes, it needed an hour and the insane part is that at the end of the day, that's not a new technique. I can't publish an article on it because it's just a correction of something that's previously published and there is no good infrastructure. There's no GitHub of science methods. There's no good infrastructure for updating and sharing such corrections and optimizations. So the end result of that year and a half was that I get no credit for this because I can't publish it and everybody else who was using the same recipe is either getting completely misleading results or has to spend a year or two rediscovering what I know, what I would love to share, but can't. It led to this obsession with creating a central open access place that makes it easy for the scientist to detail precisely what the research steps were, what are the recipes, and then after they've published, giving them the space to keep this current by sharing the corrections and optimizations and making that knowledge discoverable.

Cindy Ng: There's a hole in the process and you're connecting what you can potentially do now with what you did previously and not lose all the work. That's brilliant.

Lenny Teytelman: I shouldn't take too much credit for it because a lot of people have had this same idea over the last 20 years and there have been several attempts to create a central place. One of the hard things is that this isn't just about technology and building a website and creating a good UI, UX for people to share. One of the hard things is that it's a culture change, right? So if we are used to publishing a scientist's made brief methods that have things like "contact author for details," or "we roughly follow the same procedure as reported in another paper," and then good luck figuring out what that roughly means, what are the slight modifications, but then one of the hard things is the culture change and getting scientists to adopt platforms like this.

Cindy Ng: So it sounds like the scientists prior who wanted to create something like Protocols, they were ahead of their time.

Lenny Teytelman: I think yes. I know of a number of efforts to create exactly what we've done. Some of the people from those have actually been huge supporters and advisors, partners helping us avoid the mistakes and helping us succeed. So, it's a long quest, a long journey towards this, but a lot of them I give them credit for the same idea and it's exactly what you said, being ahead of your time.

Cindy Ng: Because you're a scientist and have a lot of expertise collecting enormous amounts of data, a lot of companies nowadays, because data's the new oil, they think that, "Oh, we should just collect everything. Well, we might be able to solve a new business problem or we might be able to use it much later on." Then actually research has been done about that, that that's not a good idea because then you end up solving really silly problems. What is your approach?

Lenny Teytelman: There are sort of two different camps. One argues that you should be very targeted with the data that you collect. You should have a hypothesis, you should have a research question that's guiding you towards an experiment and towards the data that you're collecting. And another one is, let's be more descriptive. Let's just get data and then look inside and see what pops out. See what is surprising. There are two camps and I know both types of scientists. I was more in one camp than another, but there is value to both. The tricky part in science is that you are not aware of the statistics and p-hacking and just what it means to go fishing in large datasets, particularly in genomics, particularly now with a lot of the new technology that we have for generating massive datasets across different conditions, across different organisms, right? And you can sort of drown in data and then if you're not careful, you start looking for signal. If you're not thinking of the statistics, if you're not thinking almost of multiple-testing correction, you can get these false positives in science where something looks unusual, but it really is just by chance, it's because you're running a lot of tests and slicing data in 100 different ways and one out of 100 times just by chance, you're getting something that looks like an outlier, that looks very puzzling or interesting, but it's actually chance. So, I don't know about in industry particularly, it seems to me if you're a business and you are just trying to grab everything and feeling that something useful will come out of it. If you're not in the business of doing science, but you're in the business of actual business, it seems to me, intuitively, that you will become very distracted and probably is not the best use of your time or resources. But in science, both approaches are valuable. You just have to be really careful if you are analyzing data without a particular question and you're trying to see what is there that's interesting.

Cindy Ng: If you're collecting everything, do you have a team or a group of people that you're working with to suss out the wrong ideas?

Lenny Teytelman: I see more and more journals, I see more and more academics becoming aware that, "Oh, I need to learn something about statistics, or I need to collaborate with biostatisticians who can help me to be careful about this." There are journals that have started statistics reviews. So it might be a biology paper, but depending on the data and the statistics that are in it, it might need to go to an expert statistician to review to make sure that you've used the appropriate methods and you've thought through the pitfalls that I'm discussing, but there's a lot more to do on this side. And again, there is the spread…there are teams that are collaborating. And you know they have data scientists or computational biologists and statisticians who are more used to thinking about data. Then you also have people like me who used to do both. And I wasn't a great computational biologist and I wasn't a great geneticist, but my strength was the ability to do both. So, again, it's all over the map and there's a lot of training, a lot of education that still needs to happen to improve how we handle the large data sets.

Cindy Ng: Do you think that data, it's about getting the numbers right, working with statisticians, or the more qualitative side of things where even if the data is showing one thing, your, let's say, experience says otherwise?

Lenny Teytelman: Oh, I've been misled by data that I've generated or had access to nonstop. As a scientist, I've given talks on things that I thought were exciting and turned out to be an artifact of how I was doing the analysis and I've experienced that many times. I think at the end of the day, whether you try to be careful or not, we always have a scientist and we always will make mistakes. And that's why I particularly feel that it's so essential for us to share the data because we think we're doing things correctly, but reviewers and other scientists who are reading your papers really can't tell unless they have access to the data that you've used and can run the analysis themselves or use different tools to analyze, and that's where problems come up, that's where mistakes are identified. So I think science can really improve more through the sharing and less through trying to be perfectionist on the people who are generating the data and publishing the stories. I think both are important, but I think there's more opportunity for ensuring reproducibility and that mistakes get fixed by sharing the data.

Cindy Ng: Yeah. And when you're solving really complicated and hard problems, it helps to have many people work on it too, even though it might seem like there are too many chefs in the kitchen, but that it can only help, I imagine.

Lenny Teytelman: Absolutely. That's what peer review is for. It's getting eyeballs with people who have not been listening to you give this presentation evolving over time for the last five years. It's people who don't necessarily trust you the same way or have different strengths. So it does help to have people from the outside take a look. But even reviewers, they are not going to be rerunning all of your analyses. They're not going to be spending years digging into your data. They're going to read the paper and kind of mostly trying to tell is it clear? Do I trust what they're saying? Have they done the controls? At the end of the day, figuring out which papers are correct and which hypotheses and conclusions stand the test of time, it really does require time. And that's where sharing the data shortens the time to see what is and isn't true.

    The False Binary of Cyber

    Play Episode Listen Later Sep 19, 2018 29:19


    We’re in an impermanent phase with technology where circumstances and cyberattacks are not always black or white. Here’s what we’re contending with: would you prefer a medical diagnosis from a human or a machine? In another scenario, would a cyberattack on a state’s power grid be an act of war? Officially, it’s not considered so, yet. Or, perhaps a scenario less extreme where you buy a video and then 5 years later, it disappears from your library because the company you bought your video from loses the distribution rights. Data ownership is an important part of data security and privacy, but there are no hard and fast rules.
    Panelists: Cindy Ng, Mike Thompson, Kilian Englert, Mike Buckbee

    Geneticist and Founder of Protocols.io, Lenny Teytelman (Part one)

    Play Episode Listen Later Sep 10, 2018 15:49


    Reminder: it's not "your data".
    It's the patients' data
    It's the taxpayers' data
    It's the funder's data
    -----------------
    If you're in industry or self-fund the research & don't publish, then you have the right not to share your data. Otherwise, it's not your data.
    — Lenny Teytelman (@lteytelman) July 16, 2018
    A few months ago, I came across Protocols.io founder Lenny Teytelman’s tweet on data ownership. Since we’re in the business of protecting data, I was curious what inspired Lenny to tweet out his value statement and to also learn how academics and science-based businesses approach data analysis and data ownership. We’re in for a real treat because it’s rare that we get to hear what scientists think about data when in search of discoveries and innovations.

Transcript

Lenny Teytelman: I am Lenny Teytelman and I'm a geneticist and computational biologist by training. I did graduate school in Berkeley and then post-doctoral research out at MIT. And since 2012, I have been the Co-founder and CEO of Protocols.io, which is a GitHub Wikipedia-like central repository of research recipes, so for science methods detailing what exactly scientists have done.

Cindy Ng: Welcome, Lenny. We first connected on Twitter through a tweet of yours, and I'm going to read it, it says, "Reminder: it's not 'your data.' It's the patient's data, it's the taxpayers' data. It's the funders' data. And if you're in an industry or self-funded the research and don't publish, then you have the right not to share your data. Otherwise, it's not your data." So can you tell us a little bit more about your point of view, your ideas about data ownership, and what inspired you to tweet out your value statement?

Lenny Teytelman: Thank you, Cindy. So this is something that comes up periodically, more so particularly, in the past 5, 10 years in the research community as different funders and publishers are starting more and more to pay attention to reproducibility challenges in published research, and including guidelines and policies that encourage or require the sharing of data as a prerequisite for publication or as a condition of getting funding. So we're seeing more and more of that, and I think the vast majority of the research community, of the scientists, are in favor of those, understanding that it's important, understanding that it's one of the pillars of science to be able to reproduce and verify and validate other people's results and not just to take them at their word. We all make mistakes, right? But there is a minority that is upset about these kinds of requirements and I, periodically, either in person or someone on Twitter will say, "Hey, I've spent so long sailing the oceans and collecting the data. I don't want to just give it away. I want to spend the next 5, 10 years publishing and then it's my data." And so that's the part that I'm reacting to. There are some scientists that forget who's funding them and who actually has the rights to the data.

Cindy Ng: Why do they feel like it's their data rather than the patients' data or the taxpayers' data or the funder's data?

Lenny Teytelman: So it's understandable because, particularly when the data generation takes a long time, so imagine you go on an expedition two, three months away from family, sampling bacteria in oceans or digging in the desert, and it can take a really long time to get the samples, to get the data, and you start to feel ownership, and it's also the career, your career, the more publications you get on a given dataset, the stronger your resume, the higher the chances of getting fellowships, faculty positions, and so on. People become a little bit possessive and take ownership of the data, if you like, put so much into it, "It's mine."

Cindy Ng: Prior to digitalizing our data, who owned the data?

Lenny Teytelman: Well, I guess, universities can also lay some claim to the intellectual property rights. I'm not an attorney so it's tricky. But I think there was always the understanding in the science world that you should be able to provide the tables, the datasets that you're publishing on request. But then we got paper journals, there really just wasn't space to make all of that available. And we're now in a different environment where we have repositories, there's GitHub focal, there are many repositories for the data to be shared. And so, with the web, we're no longer in that "contact author for details" and we're now in a place where journals can say, "If you want to publish in our journal, you have to make the data available." And there are some that have put in very stringent data requirement policies.

Cindy Ng: Who sets those parameters in terms of the kind of data you publish and the stringency behind it? Do a bunch of academics come together, chairman, scientists decide best practices, or do they vary from publication to publication?

Lenny Teytelman: Both. So it depends on the community. There are some communities, for example, the genomics community, back when the human genome was being sequenced, there were a lot of...and I mean before that, there were a lot of meetings of the leaders in the field sort of agreeing on what are the best practices, and depositing the DNA sequences in the central repository GenBank run by the U.S. government became sort of expected in the community and from the journals. And so, that really was community-led best practices, but more recently, I also see just funders putting out mandates, and when you agree to getting funding, you agree to the data-sharing policies of the foundation. And same thing for journals. Now, journals, more and more of them are putting in statements requiring data, but it doesn't mean that they're necessarily enforcing it, so requirements are one thing, enforcement is another.

Cindy Ng: What is the difference between scientific academic research versus the science-based companies? Because a lot of, for instance, pharmaceuticals hire a lot of PhDs and they must have a close connection between one another.

Lenny Teytelman: So there is certainly overlap. You're right that, I think, in biomedicine particularly, most of the people who get PhDs actually don't stay in academia and end up outside of it. Not all of it is in industry. They go through a broad spectrum, all for different careers, but a lot do end up in industry. There is some overlap where you will have industry funding some of the research. So, Novartis could give a grant to UC Berkeley, or British Petroleum could be doing ecological research, and those tend to be very interesting because there may be a push from the industry side to keep the data private, like you can imagine tobacco companies sponsoring something. So there's some conflict of interest, and usually universities try to frame these in a way that gives the researchers the right to publish regardless of what the results are, and to make it available so that the funder does not have a yea or nay vote. So those are on the collaborative side when there's some funding coming in from industry but, in general, there is basic science, there is academic science, and there is an expectation there that you're publishing and making the results open, and then there is the industry side, and, of course, I'm broadly generalizing. There are things you will keep private in academia, there's competitiveness in academia as well, you're afraid of getting scooped. But broadly speaking, academia tends to publish and be very open, and your reputation and your career prospects are really tied to your publications. And on the industry side, it's not so much about the publications as about the actual company bottom line and the vaccines, drug targets, right, molecules that you're discovering, and those you're not necessarily sharing, so there's a lot of research that happens in industry. And my understanding is that the vast majority of it is actually not published.

Cindy Ng: I think even though they have different goals, the thread between all of them really, is the data because regardless of what industry you're in, I hate this phrase, "data is the new oil," but it's considered one of the most valuable assets around. I'm wondering is there a philosophy around how much you share amongst scientists regardless of the industry?

Lenny Teytelman: In academia, it tends to be all over the place. So I think in industry, they're very careful about the security, they're very, very concerned about breach and somebody getting access to the trials, to the molecules they're considering. The competition is very intense and they take the intellectual property and security very seriously. On the academic side, it really varies and there are groups that, even long before they're ready to publish their intel on science, they generate data, they feel like we've done the sequencing of these species or of these tissues from patients, and we're going to anonymize the patient names and release the information and the sequences of the data that we have as soon as we've generated it even before the story is finished so other people can use it. There are some academic projects that are funded as resources where you are expected to share the data as they come online. There might be requests that you don't publish from the data before we did if they're the ones producing it, so there can be community standards, but there are examples in academia, many examples in academia where the data are shared simply as they're produced even before publications. And then you also have kind of groups that are extremely secretive. Until they're ready to publish, no one else has access to the data and sometimes even after they publish, they try to prevent other people from getting access to the data.

Cindy Ng: So it's back to the possessiveness aspect of it.

Lenny Teytelman: My feeling just anecdotally from the 13 years that I was at the bench, as a student, post-doc, is that the vast majority of scientists are open and are collaborative in academia and that it's a tiny minority that try to hoard the data, but I'm sure that that does vary by field.

Cindy Ng: In the healthcare industry, it's been shown that people try to anonymize data and release it for researchers to do research on, but then there are also a few security and privacy pros who have said that you can re-identify the anonymized data. Has there been a problem?

Lenny Teytelman: Yes, this is something that comes up a lot in discussions. Everyone, when you're working with patient data, everyone does go through a concerted effort to anonymize the information, but usually, when people opt in to participating in these studies and these types of projects, the disclaimers do warn the patients, do warn the people participating that, yes, we'll go through anonymizing steps, but it is possible to re-identify, as you said, the anonymized data and figure out who it really is no matter how hard you try. So there are a lot of conversations in academia about this and it is important to be very clear with patients about it. There are concerns, but I don't know actual examples of people re-identifying for any kind of malicious purpose. There might be space and opportunity for doing that, and I'm not saying the concerns are not valid, but I don't know of examples where this has happened with genomic data, DNA sequencing, or individuals.

Cindy Ng: What about Henrietta Lacks where she was being treated for...I can't remember what problem she had, and then it was a hospital...

Lenny Teytelman: Yes, that's a major...there's a book on this, right, there's a movie. That's a major fiasco and a learning opportunity for the research community where there was no consent.

Cindy Ng: Did you ever see this movie called "Three Identical Strangers" about triplets who found each other?

Lenny Teytelman: No, I haven't.

Cindy Ng: And then they found that all three of those triplets were adopted, and then they thought, "Hmm, that's really strange." So then they had a wonderful reunion and then, later down the line, they realized that they're being used as a study. There were researchers that went in every single week to their homes, to the adoptees' homes, to do research on the kids, and knew that they're all brothers, but neglected to tell the families until they found each other by chance. And then they realized they're part of a study and they refused to release the data. And so, I found the Henrietta Lacks and this new movie that came out just really fascinating. I mean, I guess that's why they have regulations so that you don't have things like these scenarios happen, where you find out after you're an adult, that you're a part of a strange experiment.

Lenny Teytelman: That's fascinating. So I don't know this movie, but on a related note, I'm thinking back…I don't remember the names, but I'm thinking back on the recent serial killer that was identified, not through his own DNA being in the database, but the relatives participating in ancestry sequencing, right, submitting personal genomics, submitting their cells for genotyping, and the police having access, tracing the serial killer through that. There certainly are implications of the data that we are sharing. I don't know what the biggest concerns are, but there are a lot of fascinating issues that the scientific community, patients, and regulators have to grapple with.

Cindy Ng: So, since you're a geneticist, what do you think about the latest DNA testing companies working with pharmaceuticals in potentially finding cures with a lot of privacy alarms coming up for advocates?

Lenny Teytelman: Yeah, so it has to be done ethically. You do have to think about these issues. My personal feeling is that there's a lot for the world and humans to gain from sharing the DNA information and personal information. The positives outweigh the risks. That's a very vague statement, so I do, you know, I think about the opportunity to do studies where a drug is not just tested whether it works or not, but depending on the DNA of the people, you can figure out what are the percolations, what are the types of the drugs that will have adverse reactions to it, who are the ones who are unlikely to benefit from it. So there is such powerful opportunity for good use of this. Obviously, we can't dismiss the privacy risks and the potential for abuse and misuse, but it would be a real shame if we just backed away from the research and from the opportunity that this offers altogether, instead of carefully thinking through the implications and trying to do this in an ethical way.

    I’m Mike McCabe, Systems Engineering Manager of SLED West at Varonis, and This is How I Work

    Play Episode Listen Later Sep 4, 2018 17:14


    Systems engineering manager Mike McCabe understands that State, Local and Education (SLED) government agencies want to be responsible stewards of taxpayers’ funds. So it makes sense that they want to use security solutions that have proven themselves effective. For the past six years, he’s brought awareness to the tried and true efficacy of how Varonis solutions can secure SLED’s sensitive unstructured data. In our podcast interview, he explains why data breaches are taking place, why scripts aren’t the answer, and how we’re able to provide critical information about access to SLED’s sensitive data. We also make time to learn more about what Mike does outside of work, and he has great advice on figuring out what to eat for dinner.

    Computer Scientists Aren’t Philosophers

    Play Episode Listen Later Aug 29, 2018 23:10


    Our community is finally discussing whether computer science researchers should be required to disclose negative societal consequences of their work to the public. Computer scientists argue that they aren’t social scientists or philosophers, but caring about the world isn’t about roles, it’s the responsibility of being a citizen of the world. At the very least, researchers ought to be effective communicators. We’ve seen them work with law enforcement and on vulnerability announcements. There must be more they can do!
    Tool of the week: Wget, Proof of Concept
    Panelists: Cindy Ng, Mike Thompson, Kilian Englert, Mike Buckbee

    Living Vicariously through Blackhat Attendees and Speakers

    Play Episode Listen Later Aug 15, 2018 20:48


    While some of our colleagues geeked out at Blackhat, some of us vicariously experienced it online by following #BHUSA. The keynote was electric. They’re great ideas and we’ve seen them implemented in certain spaces. However, the reality is, we have a lot more work to do. There was also a serious talk about burnout, stress, and coping with alcohol as a form of escape. We learned that mental health is a growing concern in the security space. As more organizations rely on technology, security pros are called on at all hours of the day to remediate and prevent disasters.
    Other articles and tweets discussed:
    Random car notifications
    Dangerous algorithms
    DNA testing dilemmas
    Panelists: Cindy Ng, Kris Keyser, Forrest Temple

    I’m Colleen Rafter, Professional Services Education Manager at Varonis, and This is How I Work

    Play Episode Listen Later Aug 10, 2018 11:50


    Over the past six years, Colleen Rafter has been educating Varonis customers on the latest and greatest data security best practices. Share or NTFS permissions? She has an answer for that. Aware that security pros need to meet the latest GDPR requirements, she has been responsibly reading up on the latest requirements and developing course material for a future class. In our podcast, Colleen advises new Varonis customers what to do once they have our solutions and which classes to take and in what order.
