Teaching Cybersecurity Law and Policy: My Revised 62-Page Syllabus/Primer - Lawfare
Cybersecurity law and policy is a fun subject to teach. There is vast room for creativity in selecting topics, readings and learning objectives. But that same quality makes it difficult to decide what to cover, what learning objectives to set, and which reading assignments to use. 

With support from the Hewlett Foundation, I’ve spent a lot of time in recent years wrestling with this challenge, and last spring I posted the initial fruits of that effort in the form of a massive “syllabus” document.  Now, I’m back with version 2.0.
policy  cybersecurity  syllabus 
8 days ago
VLAN Network Segmentation and Security- Chapter 5
Traditional networks resemble Figure 5-1. Perimeter defenses protect the data center from external threats with little protection against internal threat agents. Once on the wire, an attacker has free access to system attack surfaces. No system attack surface defense is perfect; eliminating unwanted access significantly reduces the risk of system breach.

In our example, the trust boundaries are located either on or external to the data center perimeter. A DMZ and SSL VPN appliance provide protection from unauthorized access, but they do little once a threat agent enters the data center network. Locally connected devices have full access to the data center network once the user authenticates. The assumption here is that perimeter controls prevent unauthorized access to system attack surfaces… a bad assumption.
network  InfoSec 
11 days ago
AWS Global Transit Network – AWS Answers
Amazon Virtual Private Cloud (Amazon VPC) provides customers with the ability to create as many virtual networks as they need, as well as different options for connecting those networks to each other and to non-AWS infrastructure. There are two common strategies for connecting multiple, geographically dispersed VPCs and remote networks: one is to implement a hub-and-spoke network topology that routes all traffic through a network transit center (a transit VPC); the other is to create a meshed network that uses individual connections between all networks. Both approaches can create an efficient and available transit network, each offering specific benefits and tradeoffs for different business needs.
transit_vpc  jumpbox  aws  InfoSec  networking  Cloud 
11 days ago
How Lobbying Blocked European Safety Checks For Dangerous Medical Implants - ICIJ
Confidential injury and malfunction reports have tripled in less than 10 years in many countries
iot  liability  product_liability  medical_devices 
17 days ago
Reconstructing human contributions to accidents: the new view on error and performance
Problem: How can human contributions to accidents be reconstructed? Investigators can easily take the position of a retrospective outsider, looking back on a sequence of events that seems to lead to an inevitable outcome, and pointing out where people went wrong. This does not explain much, however, and may not help prevent recurrence. Method and results: This paper examines how investigators can reconstruct the role that people contribute to accidents in light of what has recently become known as the new view of human error. The commitment of the new view is to move controversial human assessments and actions back into the flow of events of which they were part and which helped bring them forth, to see why assessments and actions made sense to people at the time. The second half of the paper addresses one way in which investigators can begin to reconstruct people’s unfolding mindsets. Impact on industry: In an era where a large portion of accidents are attributed to human error, it is critical to understand why people did what they did, rather than judging them for not doing what we now know they should have done. This paper helps investigators avoid the traps of hindsight by presenting a method with which investigators can begin to see how people’s actions and assessments actually made sense at the time.
22 days ago
SANS Packet Capture on AWS
Companies using AWS (Amazon Web Services) will find that traditional means of full packet capture using SPAN ports are not possible. As defined in the AWS Service Level Agreement, Amazon runs certain aspects of the cloud platform and does not give customers access to physical networking hardware. Although access to physical network equipment is limited, packet capture is still possible on AWS but needs to be architected in a different way. Instead of using SPAN ports, security professionals can leverage the software that runs on top of the cloud platform. The tools and services provided by AWS may facilitate more automated, cost-effective, scalable packet capture solutions for some companies when compared to traditional data center approaches.
aws  networking  InfoSec 
5 weeks ago
The General Data Protection Regulation: Technical Implications of Compliance
As breaches of sensitive data become more and more common globally, GDPR is the most extensive regulation on data protection to be passed in history. GDPR is part of a continuum of EU legislation focused on protecting personal data and privacy. Its predecessor is the EU’s 1995 Data Protection Directive (DPD), which set initial standards for the processing of EU residents’ personal data by companies [8]. While providing important baseline privacy and protection benchmarks, the effectiveness of DPD was hindered by privacy laws that differed between EU member states and thus limited DPD’s implementation and enforcement [8]. Additionally, DPD is a directive, thus it is only enforceable once an EU Member State welcomes it into its national law. GDPR, on the other hand, is a regulation and therefore is immediately enforceable across the entire EU. Building off DPD, GDPR was created by the European Commission to be a more comprehensive, collaborative data protection framework that could be equally enforced within all EU Member States. GDPR officially goes into effect on May 25, 2018, at which time it can be officially enforced and organizations that do not meet compliance standards can begin to be
gdpr  infosec 
5 weeks ago
Facebook Portal privacy walkback: device will collect data - 9to5Mac
Last Monday, we wrote: “No data collected through Portal — even call log data or app usage data, like the fact that you listened to Spotify — will be used to target users with ads on Facebook.” We wrote that because that’s what we were told by Facebook executives.

But the company has since reached out to change its answer: Facebook Portal doesn’t have ads, but data about who you call and data about which apps you use on Portal can be used to target you with ads on other Facebook-owned properties.
facebook  portal  video  privacy  Ad_tracking 
6 weeks ago
[no title]
New 5th Am. compelled-decryption passcode case from Fla. 4th Dist. Ct. of Appeal: disagreeing with sister court's decision in Stahl; held, Dft can't be compelled to produce iPhone 7 passcode or iTunes account password; foregone conclusion doctrine N/A
compelled_decryption  5th_Amendment 
7 weeks ago
US v Henderson 9th Circuit
The warrant stated: “This warrant authorizes the use of a network investigative technique (“NIT”) to be deployed on the computer server . . . operating the Tor network child pornography website referred to herein as the TARGET WEBSITE, . . . which will be located at a government facility in the Eastern District of Virginia.” The warrant further provided that, through the NIT, the government may obtain information, including IP address, from all “activating computers”—“those of any user or administrator who logs into the TARGET WEBSITE by entering a username and password.”
playpen  warrant 
7 weeks ago
FBI ran website sharing thousands of child porn images
The operation — whose details remain largely secret — was at least the third time in recent years that FBI agents took control of a child pornography site but left it online in an attempt to catch users who officials said would otherwise remain hidden behind an encrypted and anonymous computer network. In each case, the FBI infected the sites with software that punctured that security, allowing agents to identify hundreds of users.
playpen  warrant  compelled_decryption 
7 weeks ago