shift change 01-09-2024
Welcome to your shift change, reports from the off-going watch to the oncoming on anything interesting in privacy, security, or intelligence.
1. Licensing authorities use government authority to get your personal info, and then sell it. But don’t worry, not to marketers, just anyone else. One politician in Indiana is trying to put a stop to it, at least…in Indiana. He makes a fair point (emphasis mine):
“Hoosier privacy matters,” Hill said in a release. “The sale of private, personal data by the government is an egregious breach of Hoosier trust. We are only now learning exactly how much money the government has profited from our data over the years. I see this as no different than a data breach from a private company putting millions of Hoosiers at risk. Once this private information is sold and out of the government’s hands, there is no accountability for what happens to your data or where it goes.”
2. The Markup continues its series on easy-to-implement privacy practices: multi-factor authentication! MFA creates friction for attackers, and sometimes friction for users. Just tossing MFA at a problem is as likely to fail you as not having it at all—as a security or privacy practitioner, be the one who can explain why adding friction to an attacker’s scheme protects your users and institutions. Just having it in place is not enough, be ready for MFA spamming and attack fatigue.
Any MFA is better than none, but SMS is worse than anything but nothing (mostly because of SIM swapping and SS7). Get an authenticator app for yourself, get one for your enterprise, and get hard tokens for sensitive or critical personnel/systems.
3. If you work in privacy or security, you know NIST—and now NIST wants you to think through the AI security and privacy risks as the variety of forms of new tech we call artificial intelligence is getting thrown at everything.
Highlights include:
This report offers guidance for the development of the following:
• Standardized terminology in AML to be used by the ML and cybersecurity communities;
• A taxonomy of the most widely studied and effective attacks in AML, including
– evasion, poisoning, and privacy attacks for PredAI systems,
– evasion, poisoning, privacy, and abuse/misuse attacks for GenAI systems;
– attacks against all viable learning methods (e.g., supervised, unsupervised, semi-supervised, federated learning, reinforcement learning) across multiple data modalities.
• A discussion of potential mitigations in AML and limitations of some of the existing mitigation techniques.
4. Your shopping cart may soon be tracking you, because of course.
## The shift change is a collection of timely stories of interest in the security, privacy, and intelligence worlds. Thanks for reading, and feel free to reach out to will@signaltonoise.fyi for any questions, comments, or thoughts on items you’d like to see highlighted.