Security News Update for March 31st, 2023
Twitter to Open-Source Recommendation Algorithm
Not related, of course, to the news that some of their source code was stolen last year and posted on GitHub, Twitter says it plans to publish its recommendation algorithm, which, they say, no one left at the company understands. They expect this to be embarrassing but good for users, and say they are working on a new, simpler algorithm. If all goes as planned, this may improve trust in Twitter. Stay tuned. Credit: Data Breach Today
New Asst. Secy. of Defense for Cyber Won’t Be Proposed Till Year End
Last year Congress mandated a new assistant secretary of defense for cyber policy, a position that requires Senate confirmation. Since this is a brand-new post, the DoD has hired the RAND Corporation to define what it should do, how it should be organized, and so on. That report won’t be done until September. Then the DoD has to figure out whom to nominate. Then the Senate needs to confirm. Or not. Don’t wait up for this one. Credit: The Record
Tis the Time for IRS Email Scams
Malwarebytes is warning of a tax-season phishing campaign. An email pretending to be from the IRS says it contains a W-9 form (which you probably didn’t ask for or need) inside a zip file. The zip holds a Word document of more than 500 megabytes, absurdly large for a tax form; the file is padded with junk bytes to push it past the file-size limits of many antivirus scanners. The document asks you to enable macros (don’t), and if you do, the macro installs the Emotet banking trojan. The email also contains a number of typos, which is itself a giveaway for something claiming to come from the IRS. Credit: Malwarebytes
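To make the two giveaways in that description concrete (a Word document far too large for a W-9, and a macro hidden inside it), here is an added Python example; it is not code from Malwarebytes or from the article. It scans a zip attachment for Office documents that are oversized or suspiciously compressible (a sea of padding bytes deflates to almost nothing), then opens each OOXML file to look for a VBA project. The thresholds, the file names, the padding-recovery helper and the sample attachment are constructed assumptions for illustration, not artifacts from the real campaign.

```python
import io
import zipfile

# File extensions of Office documents worth inspecting inside a zip attachment.
OFFICE_EXTS = (".doc", ".docm", ".docx", ".dotm", ".xls", ".xlsm", ".xlsx")

# Assumed thresholds; tune for your environment. A W-9 is a handful of pages,
# so a document larger than SIZE_THRESHOLD is suspicious on its own, and one
# whose stored size is RATIO_THRESHOLD times its deflated size is almost
# certainly inflated with repetitive junk (NUL padding compresses away).
SIZE_THRESHOLD = 100 * 1024 * 1024
RATIO_THRESHOLD = 50

# Zip end-of-central-directory record signature; the record is 22 bytes
# when the archive carries no comment.
EOCD_SIGNATURE = b"PK\x05\x06"


def _strip_trailing_padding(data: bytes) -> bytes:
    """Cut a zip blob back to its last end-of-central-directory record.

    Inflated maldocs append junk after a valid .docx; Word still opens them,
    but zipfile only tolerates a little trailing data. Assumes no zip comment."""
    idx = data.rfind(EOCD_SIGNATURE)
    return data[: idx + 22] if idx >= 0 else data


def ooxml_has_vba(doc_bytes: bytes) -> bool:
    """Return True if an OOXML document (.docx/.docm/.xlsm) carries a VBA project.

    Modern Office files are zip archives; macros live in word/vbaProject.bin
    (or xl/vbaProject.bin). Legacy OLE2 .doc/.xls files are not zips and need
    an OLE parser such as oletools' olevba, which this example does not cover."""
    for candidate in (doc_bytes, _strip_trailing_padding(doc_bytes)):
        try:
            with zipfile.ZipFile(io.BytesIO(candidate)) as doc:
                return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
        except zipfile.BadZipFile:
            continue
    return False


def scan_zip_attachment(zip_bytes: bytes, size_threshold: int = SIZE_THRESHOLD,
                        ratio_threshold: int = RATIO_THRESHOLD) -> list:
    """Inspect every Office document inside a zip attachment and report why
    (if at all) it should be quarantined."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if not info.filename.lower().endswith(OFFICE_EXTS):
                continue
            reasons = []
            if info.file_size > size_threshold:
                reasons.append("oversized")
            # The zip's central directory already records both sizes, so the
            # padding check costs nothing before anything is extracted.
            ratio = info.file_size / info.compress_size if info.compress_size else 0
            if ratio > ratio_threshold:
                reasons.append("padded")
            # Extraction reads the whole member; a mail gateway would stream and cap this.
            if ooxml_has_vba(outer.read(info)):
                reasons.append("vba_macros")
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "compression_ratio": round(ratio, 1),
                "reasons": reasons,
                "verdict": "quarantine" if reasons else "ok",
            })
    return findings


def build_sample_attachment(padding_bytes: int, with_macros: bool = True) -> bytes:
    """CONSTRUCTED sample, not a real campaign file: a zip holding a Word document
    (optionally macro-bearing) inflated with NUL padding, shaped like the lure above."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    inflated = doc.getvalue() + b"\x00" * padding_bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("W-9_Form.docm", inflated)
        z.writestr("readme.txt", "not an Office file; ignored by the scanner")
    return outer.getvalue()


if __name__ == "__main__":
    # 1 MiB of padding stands in for the 500+ MB seen in the wild.
    for finding in scan_zip_attachment(build_sample_attachment(1024 * 1024),
                                       size_threshold=512 * 1024):
        print(finding)
```

The padding check uses only the sizes recorded in the zip's central directory, so it can run before any member is extracted and catches the inflation trick regardless of what the document contains. The macro check only understands zip-based OOXML files; a legacy .doc needs an OLE parser such as olevba, and any Office attachment that fails to parse at all deserves the same suspicion as one that trips a threshold.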
Italy Bans ChatGPT – at Least Temporarily
Citing potential violations of European privacy law, Italy’s data protection regulator put the brakes on the use of ChatGPT in the country, saying it did not have enough information to determine whether the company was violating the General Data Protection Regulation, the Digital Services Act and the Digital Markets Act. OpenAI has 20 days to respond and faces a potential fine of 20 million euros or 4 percent of its global revenue, whichever is larger. It seems likely to me that using people’s data without their knowledge or permission violates any number of EU laws and is also essential to making large language model AI work. Given the way these companies have been slurping up data, it seems impossible to get people’s permission. It is surprising that the regulators actually woke up this quickly. Credit: MSN
DEA Paid US Companies’ Employees to Steal Data and Open Parcels
Expect lawsuits over this one. Apparently, for years, the DEA paid workers inside U.S. private companies (including publicly traded ones) to steal data from them because it was easier than getting a warrant. They also paid employees in the parcel industry to open and reroute packages; got airline employees to provide them itineraries and other information and employees of bus companies to provide daily lists of passengers who paid cash. Now some lawmakers are pushing the DoJ to ban the practice across the entire DoJ, meaning, I guess, that this problem is wider than the DEA. Any wonder why half the country doesn’t trust the government? While it is hard to sue the government, it is pretty easy to sue the companies whose employees stole the data and sold it to the feds. Credit: Motherboard by Vice