The government loses your data, too, and when it does it probably does it in a way that intersects something else you were nervous about. In this video I discuss the recent thefts of 1) name and address for ALL concealed carry permit holders in California stolen from a misbegotten Department of Justice portal, and 2) billions of records of comprehensive personal information probably describing more or less everyone in China and probably stolen from the Shanghai National Police database. Both stories are evolving...
The (uniquely flexible) Ghost PII permissions system
You share data with someone or you don't, right? Wrong!
In this video I continue my mini-series on how Ghost PII provides encrypted data-in-use techniques and a flexible permissions system so you can allow a partner to compute just what you want to let them compute and just how you want them to compute it. It's a great way to regulate risk, maintain auditability into how partners use your data, and escape from the either/or of wholesale sharing or not sharing at all, which will allow you to get some exciting things done you might not have otherwise. #DataScience #Python #DataPrivacy #CyberSecurity
Restricted analytics on encrypted data with no decryption
Have you ever felt like you had a good reason to put data someplace but ran into too much static regarding data privacy or cybersecurity? Maybe you had a prototype that was only allowed on a test environment, but your ideal test data was only allowed on prod. Maybe you wanted to share data with an external partner, but one that compliance felt couldn't maintain cybersecurity standards equal to your own. If you have run into these kinds of headaches, maybe we can help. In this example, we encrypt some data, pool it while encrypted, and show how the owners can give a third-party analyst the ability to do some computations (mean, stdev) on that pooled, encrypted data but not others (decryption). #Cybersecurity #DataScience #Python
Ghost PII applied to location data for contact tracing
Don't like that Google knows when you go to the bathroom? I know a better way. Check out this demonstration of Ghost PII on location data for contact tracing. It minimizes data exposure to the bare minimum needed for the real-life activity that these analytics are meant to enable.
Potential financial contagion in crypto
Financial contagion explained via the 2008 crash, similar exploration of the fallout of Luna's collapse via the Luna Foundation Guard, and just how financial contagion could potentially spread after another stablecoin implosion.
Stablecoin Implosions!
"Even if you don't care about the crypto world, this is the kind of disaster where the crypto world could come to see you."
You should find ~6 minutes to learn about major recent events around the stablecoin Luna/UST, notably its recent depegging (and some basic "hey, what is that?"), some problematic design features that put it in danger, comparisons to the 1997 Asian financial crisis and the role of the Federal Reserve, and questions about whether the larger and likely more contagious Tether may be next.
Teaser trailer: linear regression with Ghost PII
I do some basic regression modeling on encrypted data using Ghost PII's Python client, as well as giving some background like why one might want such a model, why one might want to get such a model via a more private method, etc.
Nigeria's National Identity Number (NIN) and the recent massive SIM shutdown
I discuss the recent decision of the Nigerian government to block more than a third of the SIM cards in that country, provide some context on the relation of these events to security issues as well as the unusual importance of cellular infrastructure in much of Africa, and do some compare and contrast of Nigeria's national identity card program with similar events in the US, EU, and Kenya.
North Korea, money laundering, and the ongoing Axie Infinity / Ronin Network story
Spare ~5 minutes for a short update on the frontiers of money laundering in cryptocurrency via new information on the Ronin Network / Axie Infinity hack, including revelations that the North Korea-sponsored Lazarus hacker group is responsible, their use of Tornado (a transaction bundler in the Ethereum ecosystem), reactions by law enforcement, similarities to events in Russia, and a TikTok rapper named Razzlekhan.
Backstory for the recent US-EU "agreement in principle" on a new data protection regime
Take 5 minutes to get caught up on recent events in EU v. US data privacy issues including why the recent "agreement in principle" is both important and a sham with important backstory on surveillance a la Snowden, past frameworks struck down a la Schrems, and why we are maybe watching the same movie again. At the end I have some useful advice about why privacy-enhancing technologies might be more fun to deal with than an intercontinental slow-motion legal soap opera.
Axie Infinity, Ronin, and (de)centralization
You might have read in the newspaper lately that $615 million in cryptocurrency was stolen, and that it was related to the popular mobile game Axie Infinity. Beyond these facts, I think it has been a little murky in the coverage just what happened and how it happened to which players. Broadly, "decentralization" is a hot buzzword, and while this heist is in the news it might be a good idea to examine what sort of decentralization existed around Axie Infinity (or not) and whether it provided any real value (or not).
Axie Infinity is a Pokemon-like game that rewards players with cryptocurrency and then the Pokemon-like creatures themselves are non-fungible tokens (NFTs). It is published by a company called Sky Mavis, and this company in turn created a blockchain network called Ronin to handle the activity generated by the game. Ronin is an example of what is called an L2 network, a blockchain network intended to handle the traffic volume of some particular constituency in some specific way. Usually the goal of these L2 networks is greater efficiency and lower cost - perhaps the end user has heard of the Ethereum blockchain and wants to hold Ether for their efforts, yet it would be prohibitively expensive to send all the transactions generated by the game (which lives in regular old-school centralized web infrastructure) directly to the Ethereum blockchain. The L2 network, in our example the Ronin Network, processes the transactions from the game and then sends the information in a condensed form to the Ethereum blockchain via a smart contract called a bridge.
In the recent heist, the cryptocurrency was actually stolen from the Ronin Network via this bridge. Some of the small failures around why this was possible are notable: while Ethereum has a battle-tested global network with multitudes of nodes, the Ronin Network had only 9 nodes with 4 of the 9 operated by Sky Mavis itself. (There is an interesting digression here about how decentralization is in practice quite easy to fake.) Worse, it appears that corners were cut in developing Ronin, as the exploit involved a "gas-free RPC node" they had been using to work on development issues. I don't have space here to unpack that phrase, but I am guessing that readers who recognize these words don't think they are good cybersecurity practice.
To zoom out and see the big picture, Sky Mavis was in a good position to drape themselves in the decentralized cachet of the Ethereum blockchain and they did, but maybe this was a little disingenuous. Much of the real action was on the Ronin Network, which in turn had some of the decentralized smell on it, but then in the end it was maybe a bit too much of a Sky Mavis-first jam to really deserve that word. Sky Mavis being able to make a bad decision behind closed doors and lose your money is not what decentralization in crypto is supposed to be about.
So... there was an appealing looking decentralized cargo cult but maybe not meaningful decentralization of the full stack... and it went bad in ways true decentralization is supposed to prevent...
Axie Infinity and the Ronin Network hack
There is much to be learned from the recent hack and theft of cryptocurrency related to Axie Infinity and the Ronin Network, including some standard cybersecurity lessons about social engineering, distinctions about (de)centralization and what a layer 1 v. layer 2 network is, as well as an imminent experiment in anti-money-laundering practices around crypto.
Open banking in your day-to-day and API security trends
Open banking - the API miniseries continues! I resume our conversation on API-centric trends by looking at some familiar fintech innovations for plugging your brokerage into your bank, relate this to my simplified API definition and narrative on why these APIs are empowering to both businesses and consumers, and talk a little bit about how this situation is driving yet another trend in the cybersecurity business around API security.
API-centric trends and the FHIR standard in healthcare
Today I continue our conversation about API-centric trends with some exploration of these ideas in the context of the FHIR interoperability standard in healthcare, elaboration on my simplified 80/20-rule definition of an API with a very familiar example courtesy of Google, and how these trends and patterns are related to common practices in web development. In all our trends, getting developers on board is really the business goal underneath.
How the Fed's policy tools work and the danger of the present moment
I've become a grumpy old man complaining about the Federal Reserve... Take ~7 minutes for my basic introduction to how the Fed's policy tools really work, what memes about Jerome Powell's "money printer" really refer to, the history of quantitative easing (QE) and the taper tantrum as opposed to the Fed's more well-traveled manipulation of short-term interest rates, and why inflation concerns leave policy makers caught in between these two tools in a way they don't have a lot of clear historical prototypes for handling.
API-centric trends in information technology
ALERT: THURSDAY MINI-SERIES EVENT! On Thursdays for the next 3 weeks I will be posting a series of videos discussing a number of API (application programmer interface)-centric trends, specifically open banking, the FHIR standard in healthcare, and the NEF (network exposure function) idea attached to the move to 5G in telecom. In addition to discussing the details of each, I will talk about how the business backdrop is about access to developers and the tension between established companies and younger, app-driven would-be disruptors in verticals that happen to also share name suffixes like fintech and insurtech.
I will also talk about how you can use private computation, like Capnion's Ghost PII API, to provide a much higher level of data privacy in these settings especially in cases where you want to consume data from multiple sources.
Litecoin and privacy as market differentiator
Privacy is emerging as an important product differentiator that can provide you a nice story to tell consumers about why they want to throw in with you and not somebody else. Spend ~5 minutes to learn about how Litecoin is set to adopt the private computation protocol Mimblewimble, how you might say this is a sort of cryptocurrency world version of a legacy product adopting privacy as a means of staying fresh in the marketplace, and finally enjoy my understated sarcastic jokes about the role played by meme images of dogs.
A successful ransomware response
I have a positive story for you about a hospital responding well to a ransomware attack. Specifically, they made a gutsy, quick decision to shut down their IT systems to prevent spread and fell back onto an all-paper contingency to continue operations while the issues were sorted out.
Password managers, two-factor authentication, and credential stuffing
You should definitely take ~5 minutes to learn about personal cybersecurity best practices involving use of a password manager and two-factor authentication, why the credential stuffing type of cyberattack makes these best practices what they are, and learn about some interesting current events involving LastPass and the New York attorney general that exemplify the how and why.
Legal liability faced by cybersecurity executives and Uber's 2016 data breach
Cybersecurity executives are seeing more and more civil and criminal legal liability from breaches that occur on their watch (if not handled correctly). I discuss this trend in the context of Uber's 2016 breach and the recent accelerating criminal proceedings against Uber's then CSO (often a similar role is styled CISO), talk through some very basic best practices around what is supposed to happen, and discuss how this trend has chilled enthusiasm for ransomware payments and bug bounty programs.