Andrew Patrick

The US military has been collecting millions of biometric samples from Iraqi citizens, both good guys and bad guys. Now that the US is leaving, what should be done with the biometric waste? There are real risks that the records could be used to determine who worked with the US forces during the occupation, or to identify members of rival tribes. And can the new Iraqi government be trusted to use the records properly?

As the war draws down, however, the collection of so much personal information has raised questions about how data gathered during wartime should be used during times of peace, and with whom that information should be shared.

via Questions arise about use of data gathered in Iraq war – The Boston Globe.

Michael Geist has an interesting article on the income that Canadian universities are making from licencing intellectual property. He questions whether an open distribution model might be better than the current traditional commercialization model.

The latest report is based on survey data from 2008 which finds that the total IP income (primarily from licencing) at reporting Canadian universities was $53.2 million. The cost of generating this income?  The reporting institutions employed 321 full-time employees in IP management for a cost of $51.1 million.  In other words, after these direct costs, the total surplus for all Canadian universities was $2.1 million.

Wired Science is reported that a Tennessee court has thrown out lie detection “evidence” from brain scans because it was unscientific. The defendant had offered the scans as proof that he was not lying about defrauding the government over Medicare payments.

The defense tried to use brain scans of the defendant to prove its client had not intentionally defrauded the government. In a 39-page opinion, Judge Tu Pham provided both a rebuke of this kind of fMRI evidence now, and a roadmap for how future defendants may be able to satisfy the Daubert standard, which governs the admissibility of scientific evidence.

It is particularly important to note that the company actually violated their own protocols during the scan. After two tests produced different results, the testing was repeated a third time until the desire result was obtained.

“Dr. Semrau risked nothing in having the testing performed, and Dr. Laken himself testified that had the results not been favorable to Dr. Semrau, they would have never been released,” Pham noted.

Lying is hard, but some people are particularly good at it. Psychology Today offers 10 tips for effective lying.

…human beings have an innate skill at dishonesty. And with good reason: being able to manipulate the expectations of those around us is a key survival trait for social animals like ourselves. Indeed, a 1999 study by psychologist Robert Feldman at the University of Massachusetts showed that the most popular kids were also the most effective liars.

Employers are looking for specific skills when hiring security professionals, and these mirror the most common issues are threats seen today.

So what do employers in the federal and private sectors want in a security pro today? The most in-demand qualifications basically mirror the types of attacks, breaches, and threats these organizations face today, as well as the regulations that help dictate their defenses: They’re looking for experience in incident-handling and response, compliance, risk management, business-side acumen, security clearance for sensitive government work, and leadership.

Researchers will be presenting a paper at the IEEE security conference in Oakland next week that demonstrates various attacks against the computer systems in modern cars. These attacks allow someone to control a variety of systems, including the breaks, and even erase all evidence of the attacks. We know a lot about building safety critical systems, but we seem to also be good at ignoring the lessons.

Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on. We find that it is possible to bypass rudimentary network security protections within the car, such as maliciously bridging between our car’s two internal subnets.

The paper is available here.

Media coverage can be read here.

Here is an interesting attack method: launch a denial-of-phone attack to prevent communication with a bank while draining the accounts. Apparently, fake VoIP accounts were setup to phone the victim repeatedly while the bad guys transferred thousands of dollars out of the accounts. This is an example of a cross-over attack using different types of technologies to perform the fraud.

The FBI says the calls were a diversionary tactic, meant to tie up Thousand’s line so that Ameritrade couldn’t reach him to authenticate the money transfer requests.

via Posted: May 13th, 2010 under Security & privacy.
Comments: none |  18 views