Slashdot Mirror


User: Shadow+IT+Ninja

Shadow+IT+Ninja's activity in the archive.


Comments · 118

  1. There is but one Galactic Spirit... on If You Thought Studying History Was Bad, This Math Professor Is Making It Harder · · Score: 1

    ...and Hari Seldon is his prophet.

  2. Medical Privacy on Personal Healthcare Info of Over 11M Premera Customers Compromised · · Score: 1

    The main discussion on this breach, as well as others involving medical records, is their use in financial identity theft, especially fraudulent insurance claims. That's the main motive for the attacker. What about the consequences? I wonder if this has or will start to have an effect on the patients. In other words, reluctance to seek care because the diagnosis won't remain private. Maybe it would also cause an increase in people seeking so-called alternative medicine where they don't have to standardize records and put them online as HIPAA requires.

  3. Re:What do you mean 'in 10 years'? on In 10 Years, Every Human Connected To the Internet Will Have a Timeline · · Score: 1

    The social contract will fundamentally change when this information becomes so easily accessible.

    And how is that going to happen? Currently, the information in the hands of data brokers is not just jealously guarded, information on the extent of the information they have is jealously guarded.

  4. Re:That would be a nightmare. on In 10 Years, Every Human Connected To the Internet Will Have a Timeline · · Score: 2

    Unfortunately, so far, society here in the US has become even more unforgiving of a person's past. How often have you heard a statement along the lines that an employer should have known that a given employee was a risk? We've decided we can't have gun control so we will have to track any suggestion of mental illness in people to see if they could be a threat...

  5. Re:Shadow Internets.... on In 10 Years, Every Human Connected To the Internet Will Have a Timeline · · Score: 1

    I would even go further and have separate accounts for people who I know from different activities/organizations. The main thing is that it shouldn't be a social media site. It should be a social media P2P network. Having a commercial site involved really adds very little value, in my opinion, while it creates most of the privacy problems and causes other limitations, for example, limits in the size of files you can share.

  6. Reverse engineer in a VM on New Encryption Method Fights Reverse Engineering · · Score: 2

    In the article, they mention a JTAG hardware debugger as a possible tool to defeat HARES. Suppose, however, that your reverse engineering environment is a virtual machine, possibly with CPU emulation as well. Couldn't you then do the equivalent debugging in software? What if you write the VM software specifically to help you out, possibly even just give you the key which the authentic CPU would keep secret?

  7. Re:Fine on Hotel Group Asks FCC For Permission To Block Some Outside Wi-Fi · · Score: 2

    I think there is a big difference depending on how they do the blocking. If they can determine that some device on their network is resharing the connection and block that device from using the hotel network that's not so bad. If they use active jamming of the radio signal, that's against FCC rules in all cases.

  8. Re:prior oath to defend the Constitution on 'Citizenfour' Producers Sued Over Edward Snowden Leaks · · Score: 1

    Indeed, the oath taken by members of the US military spells that out even further. It says that you have to disobey orders which violate the constitution or any treaty signed by the US (e.g. The Geneva Convention). This was adopted after the Vietnam War to make it perfectly clear to ordinary soldiers that the argument "I was just following orders," does not fly. Snowden, however, was a contractor so I don't know exactly what oath he took.

  9. Re:undocumented immigrant on Federal Court Nixes Weeks of Warrantless Video Surveillance · · Score: 2

    In fact, the Fourteenth Amendment says "... All persons within the jurisdiction of the United States are entitled to equal protection under the laws..." This amendment was passed after the US Civil War since slave owners had argued that slaves had no rights because they were not citizens. In Boumediene v. Bush, the Supreme Court ruled that Guantanamo Bay is within the jurisdiction of the US and therefore, detainees there have constitutional rights, particularly Habeas Corpus defined in the Ninth Amendment. Even though GTMO is legally part of Cuba's sovereign territory, the US has full control.

  10. Re:Under US Jurisdiction? on Eric Schmidt: To Avoid NSA Spying, Keep Your Data In Google's Services · · Score: 5, Informative

    As I remember, Lavabit was intended to not have the ability to decrypt user data but, in fact, there were at least two ways unanticipated by the designers. One way is to wait until a user logs on again and capture their key. The mistake here was that encryption is performed on the server and not on the user's own machine before sending to Lavabit. The other thing, which is apparently what was requested in the court order, was to give up their private SSL key which the government agencies would then use to decrypt previously captured network traffic and recover the keys of, potentially, every Lavabit user. One issue here is the same as before. They were sending keys over the internet when the only safe way to do it is to keep the storage encryption process entirely client side. The other thing was that they were not using Perfect Forward Secrecy, which would have created a different temporary key for each SSL session and discarded it after transfer. They were using traditional SSL where every transfer going to the server is encrypted with the one public key matching the site's SSL certificate.

    Levison (owner of Lavabit) also made the big mistake of trying to answer the court order himself without getting a lawyer first. He bolloxed the legal argument which is why he ended up getting fined.

  11. Re:Under US Jurisdiction? on Eric Schmidt: To Avoid NSA Spying, Keep Your Data In Google's Services · · Score: 2

    The fix could be legislation or it could be a firm Supreme Court decision. The Court could, at some point, decide that the Fourth Amendment applies to cloud services exactly the same way that it does to rental property in the physical world. Renters have the same rights as home owners under the Fourth Amendment. A landlord is not allowed to just let the police into your apartment to search without a warrant. So far, online storage has been treated as information in the possession of a third party rather than information in your possession using rented space.

    The other decision that needs to be clarified is that the government can't just use a third party to collect information that it could not legally collect itself. This would be anything analogous to hiring a private security firm to search someone's home and arguing that they are not subject to the Fourth Amendment because they are not part of the government. An argument like that, relating to the physical world, would never get past a court of law. We need a decision which says the same thing about the virtual world.

    Both arguments above, in my opinion, are things which should already be obvious under existing law and do not require additional legislation. Google and others, should understand that this is the only way that people will trust cloud storage.

  12. PHI versus de-identified information on Feds Plan For 35 Agencies To Collect, Share, Use Health Records of Americans · · Score: 1

    The material linked from this article is not entirely clear about the privacy implications. The article talks about giving individual patients more ability to specify exactly what data about them is shared. They also talk about standardization of health information but that was actually part of HIPAA from the beginning. They talk about security a little more than they would if this were only anonymous data but they probably are mainly talking about anonymous, aggregate information.

    HIPAA requires that PHI (anything which is both personally identifiable and has diagnostic information) is provided on a need-to-know basis. Even if you are the patient's direct care provider, you are not supposed to look at records without a reason. When you transfer records, they have to be de-identified if de-identified information is sufficient for the purpose. The vast majority of what they are discussing in this "Strategic Plan" can and should involve only de-identified information.

    Unlike the common, disingenuous, privacy policies of many web sites, HIPAA lists both specific and general requirements for de-identifying information so that it can not be re-identified. These measures go a long way but are not perfect. I wish I could give a specific example from my own research experience but I shouldn't because the most interesting case is currently being looked at by an Institutional Review Board (IRB.) Suffice it to say that I want to merge some data sets from different institutions which have used different anonymous identifiers but have some overlap in patients. HIPAA requires that anonymous tokens be issued on a one-off basis and not reused from one study to the next. However, I think that the different data sets have enough information to link the anonymous identifiers to each other (although not back to the actual patients.) So the question before the IRB is whether going ahead and linking those identifiers would be a HIPAA violation or has the damage already been done.

  13. Re:Our replacements on Alva Noe: Don't Worry About the Singularity, We Can't Even Copy an Amoeba · · Score: 1

    I actually have some inside knowledge of Watson and, at least at this point, it requires quite a bit of tinkering by human experts to learn a new task. Watson would have to change fundamentally for that not to be true.

  14. Fixing one aspect and not another on Harvard Scientists Say It's Time To Start Thinking About Engineering the Climate · · Score: 2

    The article is specifically talking about Solar Radiation Management (SRM). This is adjusting temperature by reflecting more heat back to space, not by reducing CO2 emissions or sequestering CO2. So any other effects of increased CO2, such as ocean acidification, remain in place.

  15. Re:Animal models on Human Clinical Trials To Begin On Drug That Reverses Diabetes In Animal Models · · Score: 5, Informative

    An animal model is an animal which has been specifically engineered to resemble human disease. For example, there is a mouse model for melanoma which has a specifically engineered copy of the BRAF gene with a V600E mutation that occurs in about half of all human melanomas along with a knock out of the PTEN gene, also very common in human melanomas. These genes are fused to a tyrosinase promoter, which is only expressed in melanocytes in the skin, and a drug activator so that they can be turned on at a specific time and in the correct place. Melanoma is unknown in mice besides this model and previous cases created in the laboratory with chemical or ultraviolet mutagenesis. "Animal model" also implies some body of literature studying the engineered animal to verify that it really does resemble the human condition better than other practically available alternative experimental subjects.

  16. Re: US Gov't Corn Subsides on Human Clinical Trials To Begin On Drug That Reverses Diabetes In Animal Models · · Score: 1

    Right, the study is enrolling people with type 1 diabetes (juvenile onset) which is typically genetic or caused by infection or other damage to the pancreas. It's type 2 diabetes (adult onset) which is thought to have some environmental cause like diet, lack of exercise or some combination of the two. High fructose corn syrup has been specifically vilified in this regard but I don't think the evidence is convincing that it is any worse than any other sugar. IMHO, it falls into the category of correlation is not causation.

  17. Re:Type 1 or Type 2 Diabetes? on Human Clinical Trials To Begin On Drug That Reverses Diabetes In Animal Models · · Score: 3, Informative

    TFA specifically says it's type 1 diabetes.

  18. Daemon by Daniel Suarez on Elon Musk Warns Against Unleashing Artificial Intelligence "Demon" · · Score: 1

    No doubt, the title of this article is a reference to the book Daemon by Daniel Suarez. The Daemon uses a rudimentary AI of the kind that controls NPCs in a MMORPG. What the book explores is the idea that such a thing can be used as a tool to magnify the ability of a few people to control the lives of many others. The single most significant takeaway I got from the book is not that AI needs to be restricted but that unrestrained and unaccountable corporate power becomes much more dangerous in a world with AI. The Daemon ends up making corporations more powerful than governments.