Tag Archives: electronic

H-1B lottery change may drive increase in visa applicants

The U.S. government’s new electronic H-1B visa registration will make it easier for employers to submit a visa applicant. But there is concern it might encourage more visa petitions and make it harder for employers to win the H-1B lottery.

That’s one of the issues raised by immigration attorneys who apply for visas on behalf of employers. They are also worried about the reliability of the electronic system once it goes live March 1.

The U.S. has put in rules to discourage employers from gaming the new system. Officials also insist that the technology is ready. But there are still plenty of doubts and questions among users.

Previously, employers mailed a paper application and a check covering fees that could total in the thousands. The U.S. issues 85,000 H-1B work visas each year, but last year received 190,000 applications. An H-1B lottery randomly selects the visa winners.

With the electronic system, employers pay $10 and fill out an online registration to be entered into the H-1B lottery, which is held in April. If a company’s visa candidate wins, the employer then has 90 days to submit a full petition by mail with all the required fees.

Will the system work as advertised?

Immigration attorneys worry about the reliability of the electronic system. Could a flood of registrations on March 1 overwhelm it? The electronic system for H-2B visas for labor and agricultural workers crashed earlier this year.

Because entering the H-1B lottery is cheap and relatively easy, immigration attorneys also wonder if the electronic system will encourage more employers to enter candidates.

“I do think we will see an increase in the number of cases that are entered in the lottery,” said Chad Blocker, immigration attorney and partner at Fragomen, Del Rey, Bernsen & Loewy LLP in Los Angeles. The $10 registration fee is “not enough to dissuade any employers from filing,” he said.

“There’s just no real downside to submitting a case,” Blocker said. He wouldn’t be surprised to see a 20% to 30% increase in petitions.

But Blocker does see merit in the electronic system. “What we’ve been doing in the past is terribly inefficient,” he said.

HR managers may coordinate H-1B hiring by working with their in-house legal staff or outside counsel. The electronic registration process is expected to reduce business costs because firms won’t have to pay to submit a completed visa application unless they win the H-1B lottery.

For its part, the U.S. government estimates it will save $1.6 million annually in H-1B processing costs as a result of moving to an electronic registration system. It is spending about $1.5 million to create the electronic system, although this is a one-time cost, not including annual maintenance charges.

USCIS rules to prevent abuse

The United States Citizenship and Immigration Services (USCIS) has established some rules it hopes will keep employers from flooding the registration system. They include prohibiting an employer from submitting more than one registration for the same beneficiary in the same fiscal year. The government also requires registrants to attest that they intend to follow through with the visa petition, should they win the lottery.

Sharvari Dalal-Dheini, director of government affairs for the American Immigration Lawyers Association, said it’s hard to predict how the electronic system will impact registration volumes.

There is, however, “general anxiety” among immigration attorneys about “how USCIS will operationalize this and whether it will be rolled out seamlessly,” Dalal-Dheini said.

The U.S. will begin taking H-1B petitions March 1 for the 2021 fiscal year, which begins Oct. 1, 2020. The USCIS planned to launch the electronic registration for this fiscal year, but suspended it “to ensure that the system met requirements,” USCIS spokesman Matthew Bourke said in an email. The government “conducted sufficient stress-testing and evaluation before determining the registration process was ready for implementation,” he said.

Bourke said the pilot testing phase was successful, but added that “USCIS can suspend the registration requirement if it experiences technical challenges with the H-1B registration process and/or the new electronic system that would be used to submit H-1B registrations, or if the system otherwise is inoperable for any reason.”

The electronic registration period will run from March 1 to March 20. The government will lengthen that period if needed or re-open the registration if there are problems, Bourke said.

Worry remains, despite assurances

USCIS assurances aside, there is worry among immigration attorneys about whether the system will work without glitches. They also have questions about how it will work. Will they be notified, for instance, once a registration is accepted and submitted to the H-1B lottery?

Among those with concerns is Amanda Franklin, an immigration attorney at Moore & Van Allen PLLC in Charlotte, N.C.


Franklin expects filers to try to register March 1, the day the system opens. “The government’s ability to keep their technology up and running with high volume is notoriously bad,” she said.

“There’s a lot of concern and a lot of questions about how this is going to work, and if it doesn’t work, then what?” Franklin said.

Franklin isn’t sure the registration system itself will encourage more employers to file H-1B visa petitions. If employers want to hire someone, they’re going to do what they need to do, whether it’s a paper-based application or an electronic one, she said.

Punam Rogers, an immigration attorney and partner in the Boston office of Constangy, Brooks, Smith & Prophete LLP, said she hopes USCIS “has enough IT support and help desk support to assist attorneys and employers who are going to be filing.”

Rogers, overall, likes the new process. It helps manage resources “so you don’t have to file all your applications all at once, only those that are selected” for the lottery. 


Lenovo’s smarter devices stoke professional passions – Stories

Juan Dimida in front of a brick wall, holding a Lenovo ThinkPad in front of a Lenovo logo he drew graffiti-style

In Philadelphia, Juan Dimida, 40, creates graphic art and electronic music on touchscreen devices, working them into beats with other songs or multimedia pieces.

He recently created an album of electronic music on his Motorola G3 over the summer and has been performing it on his Lenovo Yoga PC, connected to drum machines and synthesizers. He’s playing this music live in November.

His artistic background began with graffiti art as a teen, but then he joined a city-run art program in his 20s that channeled his creative energy into colorful murals that covered up graffiti through community-based commissions. These collaborative projects usually involved four to five people and would include elaborate scenery, characters and animation. While each had a theme, the artists also improvised.

Dimida used Photoshop to get designs together and make alterations. While he was working on these murals, an event planner stopped by with a Lenovo ThinkPad tablet, and gave it to him to draw on. He hired Dimida to create art for a 2012 event, where Dimida connected different devices, such as a Lenovo IdeaCentre AIO, to projectors. Dimida drew mosaics on that screen that projected onto 80-foot walls.

After that event, he gained traction to host his own events, showing his original projections at art shows and parties.

Sound visualizations are something he particularly enjoys. Dimida uses a Lenovo ThinkPad X220t to record different sounds, so he’s able to set up different scenes, music effects and visuals, using multiple projectors. He has a separate Lenovo Yoga feed into that, where he draws on its screen. The ThinkPad X220t adds sounds and projects that out.

Author: Steve Clarke

Irregularities discovered in WinVote voting machines

LAS VEGAS — The insecurity of electronic voting systems has been well-documented, but so far there has been no concrete evidence that those systems have been hacked in the field. However, a forensic analysis by security researcher Carsten Schuermann discovered irregularities in eight WinVote voting machines used in Virginia elections for more than a decade.

Speaking at Black Hat 2018, Schuermann, associate professor at IT University of Copenhagen, presented data that showed voting machine irregularities in WinVote systems used in a variety of state and federal elections from 2004 to 2014. In his session, titled “Lessons from Virginia – A Comparative Forensic Analysis of WinVote Voting Machines,” Schuermann also pushed for mandated paper ballots and regular audits to mitigate potential threats.

“When you add technology to the voting process, you clearly increase its attack surface,” Schuermann said.

Schuermann noted that there are actually two problems with insecure voting machines. The first is obvious — the systems can be easily hacked.

“That’s a real threat,” he said. “But the other threat is equally important and equally dangerous, and that is the threat of an alleged cyberattack — when people claim there was a cyberattack when there actually wasn’t.”

Such allegations can disrupt elections and damage the credibility of voting results. And since too many voting machines don’t produce paper trails, he said, those allegations can be as damaging as a real cyberattack.

Schuermann had such a voting machine with him on stage — a decommissioned WinVote system that had a printer but only printed vote tallies and not individual ballots. He said he obtained eight WinVote voting machines from an unnamed source two years ago, and first hacked into one of the machines for a DEFCON Voting Village session last year.

Schuermann followed up with a deeper forensic analysis that uncovered concerning voting machine irregularities as well as serious vulnerabilities. He told the audience that while he had access to the machines’ SSDs, he did not have any access to memory or memory dumps, security logs or a record of wireless connections.

But what data was available showed a number of holes that hackers could exploit, including open ports (135, 139, 445 and 3387, among others) and unpatched versions of Windows XP Embedded from 2002 that were vulnerable to a critical buffer overflow attack, CVE-2003-0352.

“Another problem is that this machine has wireless turned on all the time,” Schuermann said, adding that the wireless password for the systems was “ABCDE.” “That’s not a very secure password.”


Those vulnerabilities in themselves didn’t prove the machines had been hacked, but a closer examination of files on some of the WinVote voting machines showed unexplained anomalies. One of the machines, for example, had MP3s of a Chinese pop song and traces of CD ripping software, and data showed the machine broadcast the song on the internet. That was strange, he said, but there were more concerning voting machine irregularities.

For example, three of the machines used during the 2005 Virginia gubernatorial election dialed out via their modems on Election Day, though the data didn’t explain why. Schuermann speculated that perhaps the systems were getting a security update, but one of the machines actually dialed the wrong number.

In addition, two of the systems that were used in the 2013 Virginia state elections had more than 60 files modified on Election Day before the polls closed. USB devices were also connected to one of the machines while the polls were open.

“That’s really bizarre,” he said.

It was unclear whether the files were modified as part of a system update, he said, and there wasn’t enough data to explain what those USB connections were for. Schuermann cautioned the audience that the voting machine irregularities weren’t necessarily evidence of hacking, but he said the uncertainty about the irregularities should serve as a call to action. Only a few states, he said, have electronic voting systems that produce paper ballots and can be audited.

“I have only one conclusion,” he said. “And that is, use paper and do your audits.”

EFF’s STARTTLS Everywhere aims to protect email in transit

The Electronic Frontier Foundation this week unveiled STARTTLS Everywhere, a new initiative that aims to secure email in transit by encrypting messages as they hop from one email server to the next as they are delivered.

STARTTLS Everywhere aims to promote and improve the use of STARTTLS, a service extension for the Simple Mail Transfer Protocol that was defined in RFC 3207, “SMTP Service Extension for Secure SMTP over Transport Layer Security,” and published in 2002. When a mail server initiates a connection with another SMTP server, it can demand to negotiate the use of encryption and authentication using the Transport Layer Security protocol.

Sydney Li, staff technologist at the Electronic Frontier Foundation (EFF), and Jeremy Gillula, tech policy director at EFF, wrote in the blog post announcing the new initiative that because most email traffic is still being sent in the clear, “without encryption, government agencies that perform mass surveillance, like the NSA [National Security Agency], can easily sweep up and read everyone’s emails — no hacking or breaking encryption necessary.”

Invoking STARTTLS means mail servers can negotiate encryption and authentication mechanisms for their traffic. This means “network observers gobbling up worldwide information from Internet backbone access points (like the NSA or other governments) won’t be able to see the contents of messages while they’re in transit, and will need to use more targeted, low-volume methods,” they wrote.

Using STARTTLS can protect the integrity of email messages by preventing third parties from scanning plain text messages when they are forwarded by routers as they traverse the internet between mail servers, as well as requiring that servers authenticate mail transmissions.

Even though most email servers already support STARTTLS, the ecosystem for hop-to-hop email encryption is flawed, according to the EFF, starting with the fact that most servers that support STARTTLS do not validate the certificates used to encrypt and authenticate transmissions.


“Without certificate validation, an active attacker on the network can get between two servers and impersonate one or both, allowing that attacker to read and even modify emails sent through your supposedly ‘secure’ connection. Since it’s not common practice for emails (sic) servers to validate certificates, there’s often little incentive to present valid certificates in the first place,” Li and Gillula wrote. “As a result, the ecosystem is stuck in a sort of chicken-and-egg problem: no one validates certificates because the other party often doesn’t have a valid one,” and mail servers keep using invalid certificates because they are never validated.

Another problem with STARTTLS is the request to initiate an encrypted channel is sent in the clear, meaning a malicious actor can scan for such requests and block them. The result of this downgrade attack is the request is never seen by the recipient server, so the communication channel is left unencrypted.

The focus of the STARTTLS Everywhere initiative is to encourage widespread adoption of the protocol to help secure email in transit. “STARTTLS protects against attackers snooping on email traffic between servers and attacks that make the malicious mail servers appear authentic,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, based in Salt Lake City.

Steps to support STARTTLS Everywhere

In addition to making sure email servers are properly configured to support STARTTLS, the EFF recommended email administrators get valid certificates on their mail servers and configure them to validate the certificates of other servers with which they communicate. As part of the STARTTLS Everywhere initiative, the EFF offers software that can get a valid certificate from Let’s Encrypt automatically, and then step through email server configuration to begin using STARTTLS properly.

The other key action enterprises can take is to add their STARTTLS-compliant mail servers to the EFF’s policy list of servers “that we know support STARTTLS,” Li wrote in a technical deep-dive post. “This list acts essentially as a preload list of MTA-STS security policies. We’ve already preloaded a select number of big-player email domains, like Gmail, Yahoo, and Outlook.”
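The following sketch is an added example, not code from the EFF or from the original article. It models the sending server's delivery decision to show why a preloaded policy list closes the downgrade gap described above: without a policy, a stripped STARTTLS keyword silently falls back to plaintext, while a listed domain fails closed. The policy layout, the `Session` fields, the action names and all hostnames are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed preload list (layout is an assumption, not EFF's file format):
# recipient domain -> policy mode and the MX hostnames allowed to receive mail.
POLICY_LIST = {
    "example.com": {"mode": "enforce", "mxs": ["mx.example.com", "*.mail.example.com"]},
    "example.org": {"mode": "testing", "mxs": ["*.example.org"]},
}

@dataclass
class Session:
    """What the sending server observed while connecting to one MX host."""
    mx_host: str
    ehlo_lines: list   # raw EHLO reply lines, as received over the network
    cert_valid: bool   # chain and hostname validation result after the TLS handshake

def advertises_starttls(ehlo_lines):
    """True if the EHLO reply lists the STARTTLS keyword (case-insensitive)."""
    for line in ehlo_lines:
        if line.startswith("250") and line[4:].split(" ")[0].upper() == "STARTTLS":
            return True
    return False

def mx_allowed(mx_host, patterns):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    host = mx_host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            _, _, parent = host.partition(".")
            if parent == pat[2:]:
                return True
        elif host == pat:
            return True
    return False

def decide(recipient_domain, s):
    """Return (action, reason) for delivering to recipient_domain via session s."""
    policy = POLICY_LIST.get(recipient_domain.lower())
    offered = advertises_starttls(s.ehlo_lines)
    if policy is None:
        # Opportunistic mode: a stripped STARTTLS keyword silently means plaintext.
        if offered:
            return ("deliver-encrypted", "no policy; certificate not required")
        return ("deliver-plaintext", "no policy; STARTTLS not advertised")
    if not mx_allowed(s.mx_host, policy["mxs"]):
        problem = "MX host not in policy"
    elif not offered:
        problem = "STARTTLS not advertised"
    elif not s.cert_valid:
        problem = "certificate failed validation"
    else:
        return ("deliver-authenticated", "policy satisfied")
    # 'enforce' refuses delivery; 'testing' delivers but records the failure.
    action = "refuse" if policy["mode"] == "enforce" else "deliver-and-report"
    return (action, problem)

# Constructed EHLO replies: the second has the STARTTLS line removed in transit.
EHLO_FULL = ["250-mx.example.com", "250-SIZE 35882577", "250-STARTTLS", "250 8BITMIME"]
EHLO_STRIPPED = ["250-mx.example.com", "250-SIZE 35882577", "250 8BITMIME"]

if __name__ == "__main__":
    for dom, sess in [
        ("example.com", Session("mx.example.com", EHLO_FULL, True)),
        ("example.com", Session("mx.example.com", EHLO_STRIPPED, True)),
        ("unlisted.example", Session("mx.unlisted.example", EHLO_STRIPPED, False)),
        ("example.org", Session("in.example.org", EHLO_FULL, False)),
    ]:
        print(dom, decide(dom, sess))
```
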


Justin Jett, director of audit and compliance for Plixer LLC, a network traffic analysis company based in Kennebunk, Maine, said STARTTLS Everywhere is an important step to securing email, but it is not sufficient. Organizations should also consider supporting the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol to do email validation in order to detect and prevent email spoofing, Jett said.

“DMARC allows domain owners to control where email can be sent, as well as sign emails as they are sent. This allows recipient email servers to verify that an email coming from example.com is actually sent from an authorized server or service,” he said via email.

Ed Williams, director of SpiderLabs at Trustwave, based in Chicago, said companies participating in the STARTTLS Everywhere initiative need to start by looking at their own servers.

“The first thing that needs to be done is to ensure that their STARTTLS configuration is working as intended. All too often, we see poorly configured implementations that offer no additional security and actually increase the attack surface for threat actors,” Williams said via email.

Williams added that STARTTLS Everywhere is not a complete answer for securing email.

“It’s important to understand that STARTTLS is not a silver bullet for email security; it looks to address the issue of integrity and confidentiality. If correctly configured, having STARTTLS will mitigate the ability to trivially collect emails from passively monitoring the packets as they traverse the network.”

Microsoft Teams e-discovery enabled for hybrid clouds

For businesses with on-premises Exchange mailboxes, Microsoft will facilitate the electronic discovery of Microsoft Teams chats — a feature that should appeal to large enterprises in the process of migrating to the cloud.

Upon request, Microsoft will create cloud-based mailboxes for the sole purpose of storing the Teams chat data of users with on-premises Exchange mailboxes. Those users must have their on-premises identities synced to the cloud in Office 365’s Azure Active Directory. 

Organizations that take advantage of the tool will be able to search, preview and export Teams chat data stored in the cloud. That activity could be useful for Microsoft Teams e-discovery cases, compliance reviews or data service requests related to the General Data Protection Regulation.

However, businesses won’t be able to apply Office 365 retention policies to that chat data or place it on hold. In a blog post announcing Microsoft Teams e-discovery for hybrid setups, Microsoft said it would “provide more updates about our plan to address this gap soon.”

Microsoft Teams muddles path to cloud for large enterprises

Microsoft needs to continue to promote hybrid capabilities, such as its new Microsoft Teams e-discovery feature, to help on-premises customers feel comfortable with the transition to the cloud — a process that could take years.

“It’s messy to be in the middle, and I think Microsoft forgets that if you’ve got 100,000 people, you’re going to live in the middle for a long time,” said Kevin Kieller, a partner at consulting firm EnableUC in Oakville, Ont.

Many large enterprises with on-premises Skype for Business deployments had previously been gearing up to transition to the cloud version of that platform, Kieller said. Then, Microsoft introduced Teams last year, significantly complicating the cloud migration path for those businesses.

Microsoft has been steadily rolling out interoperability features between Skype for Business and Teams over the past several months, such as persistent chats and aggregated presence. But almost all of those features require businesses to have their employees registered through Skype for Business Online, the cloud version of the service.

“As far as I’ve seen, there isn’t really a good and easy way to migrate from Skype for Business on-prem to Teams,” said Zeus Kerravala, founder and principal analyst at ZK Research in Westminster, Mass. “It just seems like [Microsoft] didn’t think about it very well.”

Advanced telephony features for Teams coming soon

Microsoft is on track to add dozens of telephony features to Teams that are critical to large enterprises by the end of June, including call queues and organizational auto attendants. The final advanced calling features are expected to come online by year’s end.

The perception that Microsoft Teams lacks the full capabilities of Skype for Business has slowed adoption of the platform, particularly among large enterprises. But even as those features get added, Microsoft faces another hurdle: perception.

It could take months to get the message across that Teams is fully built-out, Kieller said. “Microsoft has a tough time, as everybody does, in terms of discoverability of the right information for somebody that’s contemplating this migration.”

Still, there is no end date in sight for support of Skype for Business on premises. However, while Microsoft plans to release a new on-premises server in 2019, the vendor is expected to keep some of its latest and most advanced collaboration tools as cloud-only offerings.

“It’s almost, by definition, going to be a hybrid mode,” Kieller said. “It’s just another way that I think Microsoft, even for on-prem customers … [is] effectively pushing them, moving them, cajoling them to move to the cloud.”