Security News for the Week Ending April 3, 2020
DoD Concerned Covid Will Cause US IP Loss
In an interesting analysis, Ellen Lord, DoD’s top acquisition official, is concerned that foreign interests (including unfriendly foreign interests) will buy or invest in small U.S. defense subcontractors and steal our tech. In theory CFIUS and FIRRMA should make that harder, as the government has the right to nix buyouts if it thinks they will hurt us, but first it has to know about them. With Covid potentially impacting the stability of these small companies, the government has its work cut out for it. Source: Defense Systems
Violating a Web Site’s Terms of Service: Hacking or Not?
The Computer Fraud and Abuse Act (CFAA) was written long before the Internet, but leave it to aggressive prosecutors and companies to use it in a way that was never intended. But the various federal courts can’t seem to figure out how to interpret it. The DC federal court has just ruled that using a web site with a legally obtained user account in a way that may violate the web site owner’s terms of service is not hacking and cannot be prosecuted under the CFAA. Since about half of the federal courts have ruled in each direction on this issue, it is likely to make it up to the Supremes. This is important both for web site operators and security researchers. Source: Ars Technica
Zoom Does Not Support End to End Encryption, Despite Claims that it Does
In some of Zoom’s documentation, as well as in the client, Zoom says that it supports end to end encryption, but in fact, it does not, at least when video is involved. I am sure now that it has come out that they lied on their web site, they will likely get sued. If you think about it, given that they have the ability to record your call, there is no way that it can be end to end encrypted. The video is encrypted between their data center and you, which is probably good enough for 99% of the planet. This also means that the fuzz can listen in to your call. Moral of the story: if you are doing something illegal, or classified, don’t discuss it on a public video conference (or audio) service. There are ways to really do end to end encryption and I have set them up before, but they are neither cheap nor simple. Source: The Intercept
DoJ Inspector General Says FISA Court Requests Are Suspect
The Department of Justice’s Inspector General says that the FBI has not followed the rules when applying for secret FISA warrants over the last five years. Given that the whole process is secret, it is not surprising that it is flawed. Any time the government operates outside the light of day, the opportunity for abuse is there, and now the DoJ IG is questioning 700 warrant requests made over the last five years. The court is basically a rubber stamp since there is no “other side” to any request. This came to light when Carter Page, a Trump campaign advisor, was the subject of a FISA court wiretap. This is also at the core of the fight between the House and Senate over the renewal of certain parts of FISA that expired last month. Source: The Register
California AG Revises CCPA Regulations Again
As the deadline set by the legislature for the enforcement of CCPA lurches closer (July 1), the AG has revised the proposed regulations again. Among the changes are a re-expansion of the definition of personal information, privacy notice guidance, instructions on responding to data subject requests, clarification/restriction of service provider use of information and a minor clarification of the definition of financial incentives. See the assessment from law firm ReedSmith here and a copy of the again revised regs here.