Robert McMillan, IDG News Service, 13 May 2011 [PGN-ed]
http://www.networkworld.com/news/2011/051311-computer-glitch-forces-us-to.html

It turns out that the country's 2012 Diversity Lottery wasn't fair. In a videotaped statement posted to the Web, Deputy Assistant Secretary of State for Visa Services David Donahue said the results, announced by his department earlier this month, "did not represent a fair random selection of the entrants, as required by U.S. law. Although we received large numbers of entries every day during the 30-day registration period, a computer programming error caused more than 90 percent of the selectees to come from the first two days of the registration period." (5-6 Oct 2010)

More than 12 million people applied for the green card lottery last year. The program is designed to even out the mix of U.S. immigrants by giving some people from certain countries priority in the years-long wait for a U.S. work visa, also known as a green card. There are between 50,000 and 55,000 winners each year. Entrants will have to wait until July 15, when the State Department will announce results based on a new, random algorithm.
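The symptom Donahue describes, more than 90 percent of selectees from the first two days of a 30-day window, is something a uniform draw over the whole pool essentially cannot produce, and it is cheap to test for before results are published. The Python below is an added example, not the State Department's code (the article does not say what the actual programming error was). It contains a fair selector, a hypothetical biased one that walks entries in submission order and accepts each with a fixed probability until the quota is full, and two checks: the share of winners from the first two days, and a chi-square statistic of winners per day against each day's entry volume, so uneven daily traffic is handled as well as the equal-volume case. The pool size, daily volume and quota are constructed for the demo.

```python
import random
from collections import Counter

DAYS = 30               # 30-day registration window, as in the article
ENTRIES_PER_DAY = 1000  # constructed volume for the demo, not the real 12 million entries
QUOTA = 1500            # constructed number of selectees


def make_entries(days=DAYS, per_day=ENTRIES_PER_DAY):
    """Constructed entry pool: (entry_id, registration_day) tuples in submission order."""
    return [(day * per_day + i, day) for day in range(1, days + 1) for i in range(per_day)]


def select_fair(entries, quota, rng):
    """Uniform sample without replacement: every entry wins with probability
    quota/len(entries), regardless of when it was submitted."""
    return rng.sample(entries, quota)


def select_biased(entries, quota, rng, accept_p=0.8):
    """Hypothetical defect (our illustration, not the State Department's actual bug):
    walk the pool in submission order, accept each entry with a fixed probability, and
    stop once the quota is filled. Early registrants exhaust the quota before later
    days are ever reached."""
    winners = []
    for entry in entries:
        if len(winners) == quota:
            break
        if rng.random() < accept_p:
            winners.append(entry)
    return winners


def share_from_first_days(winners, first_days=2):
    """Fraction of winners who registered in the first `first_days` days."""
    early = sum(1 for _, day in winners if day <= first_days)
    return early / len(winners)


def chi_square_by_day(winners, entries):
    """Pearson chi-square statistic of winners-per-day against the count expected under
    uniform selection, i.e. proportional to each day's entry volume."""
    volume = Counter(day for _, day in entries)
    observed = Counter(day for _, day in winners)
    total, n = len(entries), len(winners)
    stat = 0.0
    for day in volume:
        expected = n * volume[day] / total
        stat += (observed[day] - expected) ** 2 / expected
    return stat


def run_demo(seed=2011):
    """Run both selectors on the same constructed pool and return the fairness measurements."""
    entries = make_entries()
    fair = select_fair(entries, QUOTA, random.Random(seed))
    biased = select_biased(entries, QUOTA, random.Random(seed))
    return {
        "fair_share_first_two_days": share_from_first_days(fair),
        "biased_share_first_two_days": share_from_first_days(biased),
        "fair_chi2": chi_square_by_day(fair, entries),
        "biased_chi2": chi_square_by_day(biased, entries),
        "fair_unique": len(set(fair)) == len(fair),
        "degrees_of_freedom": len(set(day for _, day in entries)) - 1,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With 30 registration days the statistic has 29 degrees of freedom; a fair run lands near 29, and anything above about 58 (the 0.1% critical value for 29 degrees of freedom) means the draw is not uniform over the pool and should be stopped before the results go out. The biased selector scores in the tens of thousands and puts every winner in the first two days.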
http://www.theaustralian.com.au/business/industry-sectors/westpac-systems-crash-in-it-meltdown/story-e6frg96f-1226050242014

An air-conditioning failure has crippled Westpac's (Australian bank) IT systems throughout the nation one day after reporting record profits of almost $4 billion. At 12.05 AEST Westpac said ATM and EFTPOS facilities were restored but there was no word on when online banking would be working. "Westpac sincerely apologises to all our customers who have been impacted by today's outage. We take systems reliability extremely seriously and are very disappointed by the inconvenience to our customers and will undertake a thorough review," Rob Coombe, Westpac Group executive, retail and business banking, said. Westpac subsidiary St George Bank was also affected by the system failure. Customers have complained to The Australian and taken to social media websites to vent their anger after they couldn't withdraw funds from ATMs or use EFTPOS facilities this morning. Earlier a Westpac spokeswoman told ABC Radio that an air conditioning problem at one of its data centres had triggered the shut down of the bank's systems.

Michal Rosa, WorkCover SA, 100 Waymouth St, Adelaide, SA 5000
P: 0882332147  www.workcover.com  mrosa@workcover.com
I noticed an article in the Wall Street Journal today about vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications to cars. The idea is cars so equipped could help alert drivers to sudden changes in traffic.

Joseph B. White, Car Talk and Talk and..., *Wall Street Journal*, 23 May 2011
http://online.wsj.com/article/SB10001424052748703778104576286631174569232.html

Mostly the article does a good job of outlining positives and the risks of this effort: false alarms could numb drivers, auto makers could be sued if an alarm fails to sound, drivers would not like their cars to help them get tickets. One quote near the end from an advocacy group spokesman caught my attention as worrisome however: "It's important to move to large-scale deployments to figure out what the issues are," says Scott Belcher, president of the Intelligent Transportation Society of America ... I hope most issues can be found before the "large-scale deployments" take place.
This is actually quite funny - the thieves are worried that the increased supply of stolen credit card numbers will drive down the value of the already-stolen cards. Perhaps they'll ask for government regulation to protect the value of their stolen merchandise?

Nick Bilton, Bits, Perverse cybereconomic impacts, *The New York Times*, 3 May 2011
http://bits.blogs.nytimes.com/2011/05/03/card-data-is-stolen-and-sold/

Last week, after the Sony PlayStation Network was attacked by a group of unknown hackers, Sony's 77 million customers, along with security specialists and government officials, were surprised by the amount of information that might have been stolen from the company. But there was another group that worried about the attack: other hackers who steal credit card numbers and personal identity online and then sell and trade this information in underground markets. "We're keeping a close eye on the Sony story as it would drastically affect the resale of other cards," explained an experienced hacker based in Europe who declined to share his name due to the nature of his work. Kevin Stevens, senior threat researcher at the computer security firm Trend Micro, explained in an interview last week that there was a lot of discussion taking place in hacker forums about the Sony data breach. Several credit card dealers are worried that the distribution of millions of credit cards would flood the market and lower prices, he said. [...]

Jeremy Epstein, Senior Computer Scientist, SRI International
1100 Wilson Blvd, Suite 2800, Arlington VA 22209  703-989-8907 (M)
[Thanks to Richard M. Smith, computerbytesman. PGN]

Joe Mullin, *The Wall Street Journal*, 20 May 2011
http://paidcontent.org/article/419-wall-street-journal-reporter-takes-heat-over-tone-of-privacy-series/

In many ways, the series of articles about online privacy that *The Wall Street Journal* began publishing last year has set the tone for the privacy debate nationally, but not everyone is thrilled about that. During a discussion about personal information and privacy at the pii2011 <http://pii2011.com/> conference, Evidon CEO Scott Meyer suggested that the tone of the WSJ series about digital privacy, called "What They Know" <http://online.wsj.com/public/page/what-they-know-digital-privacy.html>, was over the top and inflammatory. "When you use words like 'surveillance' and 'spying,' it freaks people out," Meyer said to Julia Angwin, one of the WSJ reporters who has worked on the series. "If it weren't for you, we wouldn't be here," he said, referring to the panel of behavioral advertising companies that he was on, which Angwin was moderating. A questioner from the audience, Morgan Reed of the Association for Competitive Technology <http://actonline.org/>, agreed, noting that the WSJ series had directly influenced the comments made by Congressional representatives. "The question addressed to me [by Congress] was, 'Look at these apps the Wall Street Journal found, so you, app developer, tell us why we shouldn't be afraid of these.'"
Eli Pariser, 22 May 2011, *The New York Times*, 23 May 2011
http://www.nytimes.com/2011/05/23/opinion/23pariser.html

Once upon a time, the story goes, we lived in a broadcast society. In that dusty pre-Internet age, the tools for sharing information weren't widely available. If you wanted to share your thoughts with the masses, you had to own a printing press or a chunk of the airwaves, or have access to someone who did. Controlling the flow of information was an elite class of editors, producers and media moguls who decided what people would see and hear about the world. They were the Gatekeepers. Then came the Internet, which made it possible to communicate with millions of people at little or no cost. Suddenly anyone with an Internet connection could share ideas with the whole world. A new era of democratized news media dawned.

You may have heard that story before - maybe from the conservative blogger Glenn Reynolds (blogging is "technology undermining the gatekeepers") or the progressive blogger Markos Moulitsas (his book is called "Crashing the Gate"). It's a beautiful story about the revolutionary power of the medium, and as an early practitioner of online politics, I told it to describe what we did at MoveOn.org. But I'm increasingly convinced that we've got the ending wrong - perhaps dangerously wrong. There is a new group of gatekeepers in town, and this time, they're not people, they're code.

Today's Internet giants - Google, Facebook, Yahoo and Microsoft - see the remarkable rise of available information as an opportunity. If they can provide services that sift through the data and supply us with the most personally relevant and appealing results, they'll get the most users and the most ad views. As a result, they're racing to offer personalized filters that show us the Internet that they think we want to see. These filters, in effect, control and limit the information that reaches our screens. ...
I wish this were only April 1st. My Windows computer is now spending a significant fraction of its time running "updates" on every program that I have installed. I have no idea what these "updates" do, but each "update" takes more and more space, and my computer runs slower and slower. A large fraction of these "updates" require restarting Windows, so these "updates" are disruptive to my use of my computer. The "going rate" for updates now appears to be 100Mbytes.

Adobe's Reader X is *three times* the size of Reader 8, and (as far as I'm concerned) it is much worse because it takes forever to load. I'm also terribly concerned that Javascript is enabled by default in Adobe Reader; since when does Adobe Reader need Javascript? For that one time per year when I need to fill out the IRS form?

The latest Apple iTunes "update" from a couple of days ago not only didn't work, but froze my system so badly I had to "system restore" to a previous date. Apple itself has the hubris not to bother installing a restore point, because it assumes that its software would _never_ be buggy enough to require a restore. I'm about ready to ditch iTunes completely, since none of this additional bloat has anything to do with me (I don't have an iPhone or iPad, although I do have an older iPod). iTunes also has an unfixed bug that has existed for the past two years, where, with hundreds of podcast feeds, if I try to update them all at once, iTunes reliably crashes. Each crash, of course, is dutifully sent back to Microsoft, which Microsoft apparently throws directly into the circular file because Microsoft is thrilled to see Apple software crash & burn.

If I were cynical, I would assume that the computer in "cloud computing" means *my computer*, and under the guise of "updates", all of these vendors are stealing time & disk space on my computer to sell to their cloud customers.
At the current rate of bloat, my computer will soon run out of disk space -- not for any of *my* data—but for all the bloatware "updates" that everyone wants to install. I'm starting to downgrade my software—I've reinstalled Adobe Reader 8 (only 33Mbytes), and I'm moving more and more to open source software which (at least so far) isn't so bloated with features that I have no idea what they do or why they are there, yet they open security holes that continually need to be fixed with even more updates. - - - I can't wait for automobiles with WiFi to start automatically "updating" themselves every time I want to buy gas. Clearly, *nothing could go wrong* in that scenario. I can foresee massed armies arrayed against one another in the near future, but neither is capable of fighting, because each is receiving "updates" for all of its computers & rebooting... Who needs Stuxnet, when we have Microsoft/Apple/Adobe/Java/... automatic updating?
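The complaint above about JavaScript being enabled by default in Adobe Reader has a practical counterpart: a PDF can be checked for script and open-time actions before anyone opens it. The Python scanner below is an added example, not code from the RISKS submission or from Adobe. It looks for the /JavaScript, /JS, /OpenAction, /AA and /Launch keys, undoes the #xx hex escapes a PDF name may use to disguise them (so /J#61vaScript is recognised as /JavaScript), and inflates Flate-compressed streams so a key packed inside an object stream is seen too. The three sample PDFs are constructed inline for the demo.

```python
import re
import zlib

# Dictionary keys that make a PDF do something when it is opened or interacted with.
ACTIVE_KEYS = {b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch"}

# A PDF name object: "/" followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
# Stream bodies; object streams and most content are Flate-compressed.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decode_name(raw: bytes) -> bytes:
    """Undo #xx hex escapes in a PDF name, so /J#61vaScript compares equal to /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def inflate_streams(pdf: bytes) -> list:
    """Return the inflated body of every stream that decompresses as zlib/Flate data."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (or damaged); the raw bytes are still scanned below
    return bodies


def find_active_content(pdf: bytes, inflate: bool = True) -> dict:
    """Count action-related keys in the raw file and, optionally, inside inflated streams."""
    blobs = [pdf] + (inflate_streams(pdf) if inflate else [])
    counts = {}
    for blob in blobs:
        for m in NAME_RE.finditer(blob):
            name = decode_name(m.group(1))
            if name in ACTIVE_KEYS:
                key = name.decode("ascii")
                counts[key] = counts.get(key, 0) + 1
    return counts


def _build_pdf(catalog_extra: bytes, extra_objects: bytes) -> bytes:
    """Constructed minimal PDF skeleton for the demo (not a file from the original post)."""
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R ", catalog_extra, b">>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
        extra_objects,
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


# Constructed samples: no actions at all; an open-time JavaScript action with a hex-escaped
# key name; and the same action hidden inside a Flate-compressed object stream.
CLEAN_PDF = _build_pdf(b"", b"")
JS_PDF = _build_pdf(b"/OpenAction << /S /J#61vaScript /JS (app.alert('hi')) >> ", b"")
_objstm = b"4 0 << /S /JavaScript /JS (app.alert('hi')) >>"
_packed = zlib.compress(_objstm)
HIDDEN_PDF = _build_pdf(
    b"/OpenAction 4 0 R ",
    b"5 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_packed)).encode() + b" >>\nstream\n" + _packed + b"\nendstream\nendobj\n",
)


if __name__ == "__main__":
    for label, pdf in (("clean", CLEAN_PDF), ("js", JS_PDF), ("hidden", HIDDEN_PDF)):
        print(label, "raw:", find_active_content(pdf, inflate=False),
              "inflated:", find_active_content(pdf))
```

Scanning the raw bytes of the hidden sample reports only the /OpenAction reference; only after inflating the object stream do /JavaScript and /JS appear, which is why a grep of the file is not enough. The scanner does not handle encrypted PDFs or other filters (LZW, ASCII85, RunLength), and a hit is a reason to inspect rather than proof of malice, since fillable forms use JavaScript legitimately.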
Summary of the Amazon EC2 and Amazon RDS Service Disruption in the US East Region Now that we have fully restored functionality to all affected services, we would like to share more details with our customers about the events that occurred with the Amazon Elastic Compute Cloud ("EC2") last week, our efforts to restore the services, and what we are doing to prevent this sort of issue from happening again. We are very aware that many of our customers were significantly impacted by this event, and as with any significant service issue, our intention is to share the details of what happened and how we will improve the service for our customers. http://aws.amazon.com/message/65648/
Joe Mandak, AP wire story, 3 May 2011:

PITTSBURGH - A major furniture rental chain has software on its computers that lets it track the keystrokes, screenshots and even webcam images of customers while they use the devices at home. A lawsuit was filed on behalf of a Wyoming couple who said they learned about the PC Rental Agent "device and/or software" inside the computer they rented last year when an Aaron's Inc. store manager in Casper came to their home on 22 Dec 2010. The manager tried to repossess the computer because he mistakenly believed the couple hadn't finished paying for it, the couple said. Brian Byrd, 26, said the manager showed him a picture of Byrd using the computer - taken by the computer's webcam. The image was shot with the help of spying software, which the lawsuit contends is made by North East, Pa.-based Designerware LLC and is installed on all Aaron's rental computers. [...]

"PC Rental Agent includes components soldered into the computer's motherboard or otherwise physically attached to the PC's electronics, the lawsuit said. It therefore cannot be uninstalled and can only be deactivated using a wand, the suit said."
Source: http://news.yahoo.com/s/ap/20110503/ap_on_re_us/us_rental_computer_spyware

I'm not exactly sure what the hardware components mentioned above *are*, especially not the one that can be "deactivated using a wand". I have seen a recent (mid-2000s) IBM PC that had some kind of antenna connected to the motherboard, but it wasn't for a built-in WiFi adapter. The marketing material for that machine implied it was some kind of asset-tracking system. The machine boots and appears to run OK with the antenna unplugged. The other functions mentioned (remote activation of webcam, key logging, etc.) could easily be implemented in software, and this has already been done by various school districts to spy on their students (Wirchenko, RISKS-25.95).
Sometimes those annoying pop-ups warning about not having a trusted certificate really do indicate something is wrong, as in the case of this recent Syrian man-in-the-middle attack. https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook As noted in the bulletin, we often reflexively click through these warnings. The RISK is that a warning given too often is ignored, a scenario we've seen so many times in other contexts, such as warning alarms on medical equipment.
Muhahaha, they forgot that we occasional _text browser_ users can still see their page as plain as day!

  $ w3m -dump http://lyrics.wikia.com/Devo:Triumph_Of_The_Will
  You must enable javascript to view this page. This is a requirement of our licensing agreement with music Gracenote.
John Brandon, Six rising threats from cyber criminals
Watch out for these cyber attacks that can turn smartphones into texting botnets, shut off electricity, jam GPS signals, ...
InfoWorld, 19 May 2011
http://www.infoworld.com/d/security/six-rising-threats-cyber-criminals-573

The article is eight Web pages long. Here are the topics:
1. Text-message malware
2. Hacking into smart grids
3. Social network account spoofing
4. Cyber stalking
5. Hackers controlling your car
6. GPS jamming and spoofing: Threat or nuisance?
My credit union has been acquired by a larger credit union. Instructions for logging in to the "bill pay" area of the new website include:

  Important: Your new Bill Pay Password is the last four digits of your five-digit home ZIP code, followed by the last four digits of your home phone number (i.e., if your ZIP code is "95125," and your home phone number is "555-1234," your CEFCU Bill Pay password would be "51251234")

Somebody thinks that my zip code and home phone number are secrets only known to me ... sigh.
BKBLKSWN.RVW 20110109

"The Black Swan", Nassim Nicholas Taleb, 2007, 978-1-4000-6351-2, U$26.95/C$34.95
%A Nassim Nicholas Taleb
%C One Toronto Street, Unit 300, Toronto, ON, Canada M5C 2V6
%D 2007
%G 978-1-4000-6351-2 1-4000-6351-5
%I Random House/Vintage/Pantheon/Knopf/Times/Crown
%O U$26.95/C$34.95 800-733-3000 randomhouse.ca www.atrandom.com
%O http://www.amazon.com/exec/obidos/ASIN/1400063515/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/1400063515/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1400063515/robsladesin03-20
%O Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 366 p.
%T "The Black Swan: The Impact of the Highly Improbable"

I was irritated into reviewing this book. I knew that the title referred to events which are rare, and therefore seen as unlikely or impossible, but which, once observed, are obviously true. I had heard this book (and idea) discussed in terms of risk analysis, but the mere fact didn't strike me as terribly useful. To a certain extent we deal with such issues all the time in business continuity planning. So, when, during yet another conversation on risk analysis, one participant insisted that we should all read this text, I responded that the earth might fall into the sun, soon, and therefore I couldn't see risking what little time I had left reading Taleb's work. The participant insisted that we weren't going to fall into the sun for a long while, and therefore I should read the book. Having now read it, I can say that this person didn't understand one of the author's main points.

In the prologue, Taleb describes a Black Swan event as one which is rare, has an enormous impact on the world, and is explainable after the fact. During the course of the work he presents a number of examples. A great deal of the text, though, discusses, disparages, and even rants against efforts to predict future events or outcomes, particularly those which rely on models.
The author notes that many of these models fail to take certain factors into account. This is quite true: a model, by its very nature, must be limited. A map of Canada, the full size of Canada, would be accurate, but not very portable, and thus not useful. In the same way, any model is a heuristic, giving a quick indication of operation on the basis of a very limited set of factors. Taleb's thesis about rare events seems to take second place to his assertion that you can go badly awry by relying on a model which fails to take all factors into account. My "earth into the sun" example, therefore, fits well into the theme of the book. As far as we understand, we have probably billions of years before we spiral into the sun. On the other hand, some rare event may make this happen much sooner, and we'll all be impacted (if you'll pardon the expression). And, if it does happen, you can bet that, in the few weeks or hours between the event and our incineration, there will be plenty of people who will be building models to explain why it did happen. This statement is undoubtedly true. But is it helpful? Much of the author's work is addressed at the issue of investment, and particularly "playing" the stock market. He notes that an investor, by betting on black swan events, can make a large return (since black swan events have a large impact). This declaration is also true, but you can't bet on all possible events, so which ones do you choose? For example, computer equipment retailers who "bet" on tablet computers last year would, this year, be in a very strong position. Those who did the same thing twenty-three years ago would have been stuck supporting the Newton. Taleb keeps repeating (and repeating, and repeating, and repeating: his few points are duplicated many times over through nineteen chapters) that just about everyone tries to avoid risk on the basis of what they have seen in the past. 
In fact, not only many studies but also common observation show that this isn't the case. The general public loves to gamble. Studies of "successful" people (business leaders, etc.) indicate that they are more prone to gambling and risk-taking than the general public, and, in fact, foolishly so. ("Leaders" have a strong tendency to gamble even when it is quite clear that taking the small but sure return is the better deal.) Is this, in fact, evidence that Taleb is correct, and that we all should be risk-takers, betting on black swans? No. As he, himself, points out in a different context, some risk-takers win, and become "successful," while a lot of risk-takers lose, but disappear into the general population. (Or just disappear.)

The central point about making predictions on the basis of insufficient knowledge is emphasized most repetitively in regard to investments and finance. The author does suggest a method for ventures: keep 90% of your funds in the most conservative undertakings, and invest the 10% in wildly speculative "positive" black swans. Of course, this doesn't guarantee that any of your wild investments do pay off, but at least you will have your 90%. Unless a "negative" black swan comes along and wipes them out.

The book is, actually, fairly fun to read, but annoying to review. Taleb has good facility with language, and writes in an amusing, if scattered, manner. As a means of passing the time, the text is fluid, entertaining, and even has some points worth thinking about. However, in terms of this review series, I must consider whether the tome is useful or not, and I'm not certain that it is. Taleb presents some salient warnings, but makes any number of statements (several of them outrageous) without going to the trouble of backing them up. (This fact is rather ironic in view of his repeated denigration of academics and technical authors who cannot write clearly and "properly."
He even admits, almost up front, that a friend "caught [him] red-handed" by challenging him to "justify the use of the precise metaphor of a Black Swan," and he had to confess "this book is a story.")

To take a page from the way Taleb writes, I could point out that his "Extremistan" bears a strong resemblance to the age of the dinosaurs. They developed the largest land-dwelling creatures ever to walk on earth, lasted much longer than we humans have, and, some models show, were able, simply because of their immense numbers, to affect climate in ways that we have only recently been able to do by pumping their remains out of the earth and burning them. They were also subject to a black swan event in the shape of an asteroid, which left, as their descendants, only Taleb's much maligned turkeys. There are certainly holes in this argument, but it is as entertaining, and as valid, as much of what Taleb writes in the book.

In the end, I have to agree with Taleb's mother: there is some use in this book, but an enormous disparity between what the author thinks it is worth, and what it is actually worth. (No ballet dancers were mentally harmed in the reviewing of this book.)

copyright, Robert M. Slade 2011   BKBLKSWN.RVW 20110109
rslade@vcn.bc.ca  slade@victoria.tc.ca  rslade@computercrime.org
victoria.tc.ca/techrev/rms.htm  http://www.infosecbc.org/links