Tag Archive for: Foundations

Privacy International and the Electronic Frontier Foundation’s Statement on Unauthorized Access to Data

Statement to the second session of the Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communication Technologies for Criminal Purposes on Agenda Item 4: [illegal/unlawful/unauthorized] access

Addressing some of the first group of questions, we believe that any future Treaty should ensure that [illegal/unlawful/unauthorized] access does not criminalize security research, whistleblowers, and other novel and interoperable uses of technology that ultimately benefit all of us. In particular, the [unauthorized] access to a computer system provision should explicitly require the intention to access a computer system and the person’s intent to cause damage or defraud (malicious intent or mens rea). Without malicious intent, this future treaty risks harshly criminalizing “breaking security,” potentially without any need for harm or damage and seemingly without regard to whether the purpose was beneficial.

Some States have also interpreted unauthorized access laws so broadly as to put computer security researchers at risk of prosecution for engaging in socially beneficial security testing through standard security research practices. “Without authorization” should be defined more clearly to require the circumvention of a technical barrier like a password or other authentication stage. 

When it comes to whistleblowing, the 2015 report of the UN Special Rapporteur on freedom of expression noted that prosecution of whistleblowers generally deters whistleblowing and recommended that States avoid it, reserving it, if at all, only for exceptional cases of the most serious demonstrable harm to a specific legitimate interest.

The report states that “in such situations, the State should bear the burden of proving an intent to cause harm, and defendants should be granted (a) the ability to present a defense of an overriding public interest in the information, and (b) access to all information necessary to mount a full defense… Penalties should take into account the intent of the whistle-blower to disclose information of public interest and meet international standards of legality, due process, and proportionality.”…


The Linux Foundation’s demands to the University of Minnesota for its bad Linux patches security project

To say that Linux kernel developers are livid about a pair of University of Minnesota (UMN) graduate students playing at inserting security vulnerabilities into the Linux kernel for the purposes of a research paper “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits” is a gross understatement. 

Greg Kroah-Hartman, the Linux kernel maintainer for the stable branch and well-known for being the most generous and easy-going of the Linux kernel maintainers, exploded and banned UMN developers from working on the Linux kernel. That was because their patches had been “obviously submitted in bad faith with the intent to cause problems.” 

The researchers, Qiushi Wu and Aditya Pakki, and their graduate advisor, Kangjie Lu, an assistant professor in the UMN Computer Science & Engineering Department, then apologized for their Linux kernel blunders.

That’s not enough. The Linux kernel developers and the Linux Foundation’s Technical Advisory Board via the Linux Foundation have asked UMN to take specific actions before their people will be allowed to contribute to Linux again. We now know what these demands are.

The letter, from Mike Dolan, the Linux Foundation’s senior VP and general manager of projects, begins:

It has come to our attention that some University of Minnesota (U of MN) researchers appear to have been experimenting on people, specifically the Linux kernel developers, without those developers’ prior knowledge or consent. This was done by proposing known-vulnerable code into the widely-used Linux kernel as part of the work “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits”; other papers and projects may be involved as well. It appears these experiments were performed without prior review or approval by an Institutional Review Board (IRB), which is not acceptable, and an after-the-fact IRB review approved this experimentation on those who did not consent.

This is correct. Wu and Lu opened their note to the UMN IRB by stating: “We recently finished a work that studies the patching process…


Understanding Android Malware Families (UAMF) – The Foundations (Article 1)

Android malware is one of the most serious threats on the internet and has witnessed an unprecedented upsurge in recent years. There is a need to share the fundamental understanding of behaviour exhibited by prominent Android malware categories and families.

With the increasing number of Android users and devices, the number of exploits against Android apps is also on the rise. It has affected all sectors of business, including healthcare, finance, transportation, government, and e-commerce. As the current trend continues, mobile attackers are developing more sophisticated intrusions by deploying malicious apps and malware. The Understanding Android Malware Families (UAMF) series features six articles that will highlight the main Android malware categories and families. Readers will learn about the threats’ behaviour and examine mitigation procedures. The articles in this series present the results of our Android malware analysis research project, which has been underway since 2017. We generated four datasets (AAGM2017, AndMal2017, InvestAndMal2019, and AndMal2020) and related academic articles, along with proposed Android malware detection and characterization solutions and techniques.

Introduction

Android is the leading mobile operating system, providing high-performance platforms for users. According to a report published by the International Data Corporation (IDC), Android dominated the market with 85 per cent of the global market share in the last quarter of 2020. Further, annual Android shipments are expected to grow by 150 million units in 2021. With the surging demand for Android in the global market, the challenges associated with Android malware are also escalating at a rapid rate. According to a report, as of March 2020, the total number of Android malware samples amounted to 482,579 per month [3]. These statistics are alarming and draw our attention to the menace that accompanies the dominance of the Android operating system. These malware samples can wreak havoc if not detected.

Android malware is malicious software that targets smartphone devices running Android operating systems. It is like other malware samples that run on desktops or laptop computers. Android…


Security Researcher Arrested for Refusing to Disclose Anonymous Source – Electronic Frontier Foundation

An Indian computer scientist was arrested this weekend when he refused to disclose an anonymous source who provided an electronic voting machine to a team of security researchers. Hari Prasad is the managing …