Lukasz Olejnik
Security & Privacy. Data protection. Research. Engineering. Analyst. Policy. W3C/IE. Consultant. Book author. (perhaps happy to do work for you?). Ph.D, LL.M.
Jun 11 · 11 tweets
Apple AI announcement is interesting. In this thread, I analyze the security and privacy of Private Cloud Compute (PCC). Preliminary summary: trust is necessary. It is not pure on-device processing. Transparency is unclear now.
They put loads of effort into this design. Technically, it probably can’t be made much better. Cloud servers perform computations in a way that does not retain any user data after processing, enhancing security.
Dec 22, 2021 · 4 tweets
For example, entirely hypothetically, Russia could stage a false-flag cyber operation "as Ukraine". On itself. An operation that would evidently cross the war threshold, which is very simple to do with cyber. Then "legally" respond. It may then be evidently and completely "legal" to self-defend, including by sending a tank division for an invasion, possibly with airborne support, why not.
Oct 11, 2021 · 8 tweets
Our latest paper on technology standardisation is out in @PolicyR! Thanks @teirdes for the fabulous co-op. Some people doubt that values-inspired technology design is possible. We show that not only is it possible, but values already influence technology. policyreview.info/pdf/policyrevi… "Values" not only guide the building of technologies in aspects such as privacy or cybersecurity, accessibility, freedom of expression, or censorship. There are past examples of political-technology clashes/interventions, too. On-demand decryption or OS changes are examples.
Sep 10, 2021 · 5 tweets
It turns out that wireless charging leaks private data. It leaks information about websites visited by the user. "allows accurate website fingerprinting on a charging smartphone". Information leaked depends on the battery level. Cool work! #GDPR #ePrivacy arxiv.org/pdf/2105.12266… "Below approximately 80% state of charge, both wired and wireless charging side-channels observed in this experiment do not leak information. ... consistently classify traces with a battery state 90%". Privacy-preserving advice: have less than 80% battery charge? :-)
Mar 7, 2021 · 4 tweets
Google doubling down on their new (hopefully, claimed) privacy-improved proposals for ads systems, Turtledove. What is it? This thing lets the ad to display be chosen on the user's device - with no data supposed to leave the user's browser. So no tracking? groups.google.com/a/chromium.org… The testing environment ('Fledge') has somewhat relaxed privacy properties. So let's hope the final solution is tighter with respect to privacy protection. It's quite a complex proposal. github.com/WICG/turtledov… chromestatus.com/feature/573358…
Nov 14, 2020 · 4 tweets
Ticketmaster fined £1.25million for security compromise (they were hacked by Magecart group, their website code was altered to steal data during payments), #GDPR breach. ~9.4m customers affected. Payment data stolen, too. ico.org.uk/media/action-w… Third-party (chatbot provider) was breached. This spilled to Ticketmaster. Had this functionality not been included on the payment site, this breach would not have happened (this way, at least). Fun fact: ICO decided to enforce PCI-DSS requirements. #GDPR #ePrivacy
Oct 15, 2019 · 6 tweets
The Netherlands government published its position on rules applying to security in cyberspace (cyberattacks/cyberwarfare). My short take (the document is v. good) government.nl/binaries/gover… Sovereignty as a matter of rule applies to cyberspace. But its extent is not clear. Some investigations may (or may not) be breaching sovereignty of other countries.
May 29, 2019 · 15 tweets
International Committee of the Red Cross releases report on the human cost of cyber operations. What rules exist? Need to expand? I'm proud to be part of this (co-author). Thread with analysis. #CyberICRC blogs.icrc.org/law-and-policy… My analysis of @ICRC report selection. Cyberoperations. What impacts exploit cost? Why are supply chain attacks a risk? Targeting health care (lethal cyberattacks; can you even detect?), ICS. Armed conflict context. How to move forward? #CyberICRC blog.lukaszolejnik.com/icrc-report-on…
Mar 26, 2019 · 5 tweets
First #GDPR fine by Polish DPA. 6M records in database. Scraped from public sources. Did not inform data subjects about their rights. 229k EUR fine. Breach of Article 14. Impressive: no particular explanation provided. English press release related to the first PL #GDPR fine. 6M user data scraped from public registers. Did not inform data subjects about their rights. €220k fine. No tech component; purely lawful case. uodo.gov.pl/en/553/1009
Nov 28, 2018 · 4 tweets
Massive ad fraud botnet taken down. Pretended to be human traffic, exploited Real-Time Bidding vulnerabilities. I researched this in 2013; interesting how long it took to be operationalized. services.google.com/fh/files/blogs… The scale of the operation is huge. Over 3 billion fraudulent bid requests, over 1 million compromised machines. Border Gateway Protocol hijacking was even used. The biggest and most sophisticated operation like that ever.