Passengers were stranded at airports across the country Friday night [17 Jun 2011] after a failure in United Airlines' computer system. The disruption set off widespread delays at airports in San Francisco, Chicago and Washington, with many passengers left sitting in terminals or stuck on planes that were grounded. United said in a statement that the problems began at 8:15 p.m. New York time, when the computer failure knocked out its flight departures, airport processing and reservations systems. The statement did not address the nationwide delays, and a spokesman did not return a phone call seeking comment.
http://www.nytimes.com/2011/06/18/us/18united.html

AND THEN ON Slashdot: *United Airlines Passengers Stranded By Computer Outage*
<https://tech.slashdot.org/story/11/06/18/0327241/United-Airlines-Passengers-Stranded-By-Computer-Outage>
A computer outage with effects to dwarf those of the one that [0] stranded thousands of US Airways passengers last week. This time, it's United Airlines' systems that are [1] out of commission and [2] unable to handle passenger reservations, [3] leaving passengers stranded all over the U.S. Experiencing the resultant delays first-hand at Dulles Airport, our reporter saw United planes being sent on -- along with their passengers' luggage -- to the cities from which they're to leave tomorrow morning, in anticipation of the computer system being fixed in the interim.
Links:
0. http://tech.slashdot.org/story/11/06/11/1625223/Computer-Glitch-Friday-Grounded-US-Airways-Flights
1. http://www.suntimes.com/6024132-417/computer-outage-delays-departures-of-united-airline-flights.html
2. http://www.nbcchicago.com/news/local/ohare-united-airlines-flights-124114134.html
3. http://seattletimes.nwsource.com/html/localnews/2015353612_united18m.html

Also:
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2011/06/17/BA4A1JVO6F.DTL&tsp=1
http://www.airliners.net/aviation-forums/general_aviation/read.main/5174667/
http://www.cnn.com/2011/US/06/18/united.flight.disruption/index.html?eref=mrss_igoogle_cnn
http://travel.usatoday.com/flights/story/2011/06/Uniteds-flight-mess-latest-caused-by-computer-glitches/48564346/1

Also (from Lauren Weinstein): United Airlines blames 5 hour computer outage on "network connectivity issue"
http://j.mp/iWp4Zu (This message in Google Buzz)
http://j.mp/kvDxid (NPR Article)
who added his own interpretation: United's explanation is a bit vague, but luckily through my own sources I've been able to obtain photographic evidence of the actual cause:
http://j.mp/m865A7 (Lauren's Blog [JPG])
I first heard about the electronic currency Bitcoin from this article: http://falkvinge.net/2011/05/29/why-im-putting-all-my-savings-into-bitcoin/ Naturally, I was a bit skeptical about a so-called currency not backed up by a government or hard assets, but the implementation seemed technically sweet. I didn't have to wait long for my doubts to be confirmed. http://www.dailytech.com/article.aspx?newsid=21877 Oooh! Loses a third of its value in one day! I better watch the market a little longer before jumping in. http://arstechnica.com/tech-policy/news/2011/06/bitcoin-the-decentralized-virtual-currencyrisky-currency-500000-bitcoin-heist-raises-questions.ars Whoa! Some guy got hacked and lost bitcoins "worth" $500,000. This is obviously not a game for amateurs. Wonder what that guy was doing with so many bitcoins in the first place? http://www.dailytech.com/Inside+the+MegaHack+of+Bitcoin+the+Full+Story/article21942.htm Yikes! The main bitcoin exchange just got robbed for $8.75M! What were the purported reasons for using this "currency"? I know the arguments that the guy who got hacked wasn't using proper security (he admits it) and the problem at the exchange had nothing to do with the underlying Bitcoin technology model. I tend to think, though, that a currency invented by an anonymous computer programmer is not something to jump right into. If it's still around in 10 years, I might re-evaluate, but in the meantime I'll stick to currencies that have been around a couple hundred years.
At the University of Alberta, Philip Baker, the dean of medicine and dentistry, was beginning an inspiring commencement speech when some people in the audience thought they remembered a distinctive expression -- a reference to a made-up medical term "velluvial matrix". They pulled out their smartphones and quickly found the entire speech online on *The New Yorker*'s web site at http://www.newyorker.com/online/blogs/newsdesk/2010/06/gawande-stanford-speech.html The speech was actually written by Atul Gawande (who writes for the New Yorker and is the author of several books, as well as being a professor and a surgeon), to give last year at Stanford University. Baker has apologized to Gawande. See: http://www.globaltvedmonton.com/events/any/4937399/story.html http://www.thestar.com/news/canada/article/1007465--any I include a CBC link because I'm sure it will be durable, but their version is less dramatic in that it doesn't mention the plagiarism being exposed while in progress: http://www.cbc.ca/news/canada/edmonton/story/2011/06/12/edm-university-alberta-speech.html
Looks like householders in Bridgwater, England should prepare for, umm, very high winds this coming weekend. And the coldest June night in history, with an effective temperature of about -30C after factoring in wind chill. http://www.freezepage.com/1308049042EIPKOEAORE (Sanity checks on data? Who needs 'em?) Nick Brown, Strasbourg, France
Citigroup acknowledged on Thursday that unidentified hackers had breached its security and gained access to the data of hundreds of thousands of its credit card customers in North America. ... [Source: Chris V. Nicholson, *The New York Times*, 9 Jun 2011] http://dealbook.nytimes.com/2011/06/09/citigroup-card-customers-data-hacked/
SecurIDs Come Under Siege: Security Breach Forces RSA to Offer to Replace Millions of 'Tokens' Siobhan Gorman and Shara Tibken, *The Wall Street Journal*, 7 Jun 2011 RSA Security is offering to provide security monitoring or replace its well-known SecurID tokens -- devices used by millions of corporate workers to securely log on to their computers -- "for virtually every customer we have," the company's Chairman Art Coviello said in an interview. In a letter to customers Monday, the EMC Corp. unit openly acknowledged for the first time that intruders had breached its security systems at defense contractor Lockheed Martin Corp. using data stolen from RSA. SecurID tokens have become a fixture of office life at thousands of corporations, used when employees log onto computers or sensitive software systems. The token is an essential piece of security, acting as an ever-changing password that flashes a series of six digits that should be virtually impossible to duplicate. ... http://online.wsj.com/article/SB10001424052702304906004576369990616694366.html
http://physicsworld.com/cws/article/news/46305 "While in principle unbreakable, quantum cryptography is known to have weaknesses in practice. One shortcoming has now been graphically illustrated by physicists in Singapore and Norway, who have been able to copy a secret quantum key without revealing their presence to either sender or receiver. The researchers are now working to remove the loophole they have exposed." And so the arms race continues...
[From Network Neutrality Squad, http://www.nnsquad.org. PGN] "Spam has hit the Kindle, clogging the online bookstore of the top-selling eReader with material that is far from being book worthy and threatening to undermine Amazon.com Inc's publishing foray." http://reut.rs/m7GzvC (Reuters)
[From Network Neutrality Squad, http://www.nnsquad.org. PGN] http://j.mp/kB3GYB (This message on Google Buzz) http://j.mp/kRtCEs (Casey Halverson) "Looking at the GET string above, "lat" and "lon" variables contain the current position of the vehicle, "speed" is the vehicle speed, "car_dir" is the direction of the car, and "lat_dst" and "lon_dst" is your destination configured in your navigation system ... All of these lovely values are being provided to any third party RSS provider you configure: CNN, Fox News, Weather Channel, it doesn't matter! While a lot of these providers are probably not aware of these (rather valuable) parameters the car passes, they probably sit in thousands of HTTP logs already, waiting to be parsed out - or perhaps supported in the future." "Update June 13 3:23 PDT: While nobody bothered to inform the customers, Nissan does document this functionality in this obscure Japanese developer document. http://lab.nissan-carwings.com/CWL/Spec.cgi [Google Translated]."
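The post describes position and route parameters (lat, lon, speed, car_dir, lat_dst, lon_dst) riding along in the GET string to whichever RSS provider the owner configures. The script below is an added example, not code from the post or from Nissan: it is what a feed operator could run over their own access logs to see whether they are receiving such telemetry, and to scrub it before the logs are retained. The log lines are constructed, and the parameter watch list is taken from the names quoted in the post.

```python
"""Detect and scrub vehicle telemetry leaking via GET parameters.

Added example (not from the RISKS post or from Nissan). Parses Common
Log Format lines, extracts the query string, reports requests carrying
position/route parameters, and redacts those values for log retention.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names quoted in the post, used here as a watch list.
TELEMETRY_PARAMS = {"lat", "lon", "speed", "car_dir", "lat_dst", "lon_dst"}

# Constructed Common Log Format lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jun/2011:10:01:02 -0700] "GET /rss/news.xml?lat=47.6062&lon=-122.3321&speed=35&car_dir=180&lat_dst=47.6205&lon_dst=-122.3493 HTTP/1.1" 200 5120
10.0.0.9 - - [13/Jun/2011:10:01:05 -0700] "GET /rss/news.xml HTTP/1.1" 200 5120
10.0.0.7 - - [13/Jun/2011:10:02:11 -0700] "GET /rss/weather.xml?lat=37.7749&lon=-122.4194 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Matches name=value for any watched parameter; the lookbehind anchors on the
# separator so "lat" does not match inside an unrelated name such as "flat".
SCRUB_RE = re.compile(
    r'(?<=[?&])(' + "|".join(sorted(TELEMETRY_PARAMS)) + r')=[^&\s"]*'
)


def parse_line(line):
    """Return a dict of the log fields plus a decoded query dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    rec["query"] = {k: v[0] for k, v in query.items()}
    return rec


def leaked_fields(rec):
    """Sorted list of watched parameter names present in one request."""
    return sorted(TELEMETRY_PARAMS & set(rec["query"]))


def find_leaks(log_text):
    """Scan a whole log and report each request that carried telemetry."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        fields = leaked_fields(rec)
        if fields:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": urlsplit(rec["target"]).path,
                "fields": fields,
                "position": (rec["query"].get("lat"), rec["query"].get("lon")),
            })
    return findings


def scrub_line(line):
    """Replace watched parameter values with REDACTED before retaining logs."""
    return SCRUB_RE.sub(r"\1=REDACTED", line)


if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_LOG):
        print(hit)
    print(scrub_line(SAMPLE_LOG.splitlines()[0]))
```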
with Cupcake Recipe Paisley Dodd, 3 Jun 2011 LONDON -- Britain's spy agencies have a new message for terrorists: make cupcakes, not war. Intelligence agents managed to hack into the extremist Inspire magazine, replacing its bomb-making instructions with a recipe for cupcakes. It's the first time the agents sabotaged the English-language magazine linked to U.S.-born Yemeni cleric Anwar al-Awlaki, an extremist accused in several recent terror plots. The quarterly online magazine, which is sent to websites and email addresses as a pdf file, had offered an original page titled "Make a Bomb in the Kitchen of Your Mom" in one of its editions last year. The magazine's pages were corrupted, however, and the instructions replaced with the cupcake recipe. ... http://www.huffingtonpost.com/2011/06/03/british-spies-terrorist-bomb-cupcake-recipe_n_870882.html MI6 attacks al-Qaeda in 'Operation Cupcake' British intelligence has hacked into an al-Qaeda online magazine and replaced bomb-making instructions with a recipe for cupcakes. Duncan Gardham, Security Correspondent, 02 Jun 2011 The cyber-warfare operation was launched by MI6 and GCHQ in an attempt to disrupt efforts by al-Qaeda in the Arabian Peninsula to recruit "lone-wolf" terrorists with a new English-language magazine, the Daily Telegraph understands. ... The code, which had been inserted into the original magazine by the British intelligence hackers, was actually a web page of recipes for "The Best Cupcakes in America" published by the Ellen DeGeneres chat show. ... http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/8553366/MI6-attacks-al-Qaeda-in-Operation-Cupcake.html
An iPhone app has been indirectly capturing and compiling statistics on the distribution of passcodes. About 10% are either 1234 or 0000. http://www.dailymail.co.uk/sciencetech/article-2003654 This reminds me of something that happened about 30 years ago. I had scanned nearly a thousand 800 numbers looking for interesting things, and I gave a list of anomalous numbers to a friend of mine. A day or two later he told me that one of the numbers was a call diverter with the password 321. I said "I'll bet you tried 320 numbers before you found that out." He replied "More than that. I tried all the obvious stuff first, like 111, 222, 333 . . .".
Nelson D. Schwartz and Christopher Drew, RSA Faces Angry Users After Breach *The New York Times*, 7 Jun 2011 http://www.nytimes.com/2011/06/08/business/08security.html The nation's biggest banks and large technology companies like SAP rushed Tuesday to accept RSA Security's offer to replace their ubiquitous SecurID tokens as many computer security experts voiced frustration with the company. The company's admission of the RSA tokens' vulnerability on Monday was a shock to many customers because it came so long after a hacking attack on RSA in March and one on Lockheed Martin last month. The concern of customers and consultants over the way RSA, a unit of the tech giant EMC, communicated also raises the possibility that many customers will seek alternative solutions to safeguard remote access to their computer networks. Bank of America, JPMorgan Chase, Wells Fargo and Citigroup said they planned to replace the tokens as soon as possible. The banks declined to say how many customers would be affected, although SAP said that most of its 50,000 employees used RSA's tokens and that it was seeking to replace them all. ...
Customers angry at RSA over delay in admitting depth of breach http://j.mp/j2IwKk (This message in Google Buzz) http://j.mp/jlNAhg (New York Times) "For now, however, the biggest worry for RSA is how to appease angry customers as well as mollify computer security consultants, who have been increasingly critical of how long it took the company to acknowledge the severity of the problem." Just a quick opinion: Once a firm has a reasonable handle on the depth of a security problem that will affect customers, it is in both the company's and the customers' best interests for the firm to "come clean" at least regarding the seriousness of the situation, even if all technical details are not yet available or in a form that can be reasonably communicated with customers. It is crucial that users understand to what extent they may have been made vulnerable, so that they can take appropriate protective steps themselves at least in the short run. Most of all, trying to publicly minimize the seriousness of a situation below the level you know to be true, or lying about how serious matters really are, can be counted upon to make a bad situation worse. This applies pretty much equally in technology and in the rest of our lives (just ask Rep. Anthony Weiner). Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren Network Neutrality Squad: http://www.nnsquad.org http://www.pfir.org PRIVACY Forum: http://www.vortex.com +1 (818) 225-2800
Dan Goodin, Senator Sisyphus tries again, *The Register*, 8 Jun 2011 http://www.theregister.co.uk/2011/06/08/data_breach_bill/ US-based companies would be required to report data breaches that threaten consumer privacy and could face stiff penalties for concealing them under federal legislation that was introduced in the Senate on Tuesday. The Personal Data Privacy and Security Act aims to set national standards for protecting the growing amount of personally identifiable information being stored online. Its approval by the Senate Judiciary Committee represents the fourth year the bill has been introduced, said its sponsor, Senator Patrick Leahy of Vermont. The latest incarnation comes amid a glut of high-profile hack attacks on networks operated by Sony, email marketer Silverpop Systems, gossip publisher Gawker Media, and others, which have exposed sensitive data for hundreds of millions of Americans in the past six months.
John C. Dvorak, 1 Jun 2011 Why can't ISPs routinely look at network activity and use deep-packet sniffing to find infected machines and tell the customer in the first place? Operation Adeona, it was called. It involved the FBI. Spyware. Intrigue. Controversy. The FBI took it upon itself to attack one of the miserable botnets that plagues the Internet to figure out how to intercept its "calling home function." And essentially it ended up giving it new and less destructive instructions. Let me try to explain. Botnets generally consist of thousands of infected computers that have some specific piece of malware installed. Your computer at home may be one of them. The malicious code is usually in the form of a Trojan Horse that was planted by a Web site or some code you mistakenly clicked on. Once installed on your computer it doesn't really do much until called into action. The idea nowadays is to inhabit your machine for nefarious purposes including mailing spam from your account, pinging a target computer to harass someone, or even to do odd sorts of market research. Most of the time these infected machines do their dirty work after hours and seldom during the day when an observant owner might spot the dubious activity. It is a public nuisance. I cannot emphasize enough how people should run some good scanners to ferret out these programs. Millions of machines are infected. Anyway, so the FBI decided to counterattack one of the major botnets called Coreflood, which is used to loot bank accounts. The FBI was to replace the servers communicating with infected Coreflood machines with its own servers, and also to disable the Coreflood malware on the infected machines. This process seems to have gone well and the botnet was mostly silenced and had no way of getting any more nefarious instructions, rendering it useless. The problem is that the code is still on the machines. Now it gets dicey. ... http://www.pcmag.com/article2/0,2817,2385959,00.asp
"The underground world of computer hackers has been so thoroughly infiltrated in the US by the FBI and secret service that it is now riddled with paranoia and mistrust, with an estimated one in four hackers secretly informing on their peers, a Guardian investigation has established." [Source: *The Guardian*, 6 Jun 2011.] http://www.guardian.co.uk/technology/2011/jun/06/us-hackers-fbi-informer [On the Internet, no one should even trust his dog. PGN]
Thomas Drake, a former NSA employee who had been indicted on 10 counts relating to retaining classified information and leaking it to a *Baltimore Sun* reporter, pleaded guilty to a single misdemeanor charge for "exceeding authorized use of a government computer", with the remaining charges being dropped. Jesselyn Radack (who represented Drake) said, "This was the wrong person, this was the wrong case, and the Espionage Act was an overreach." [Source: Kim Hairston, *The Baltimore Sun*, 10 Jun 2011; PGN-ed] http://www.baltimoresun.com/news/maryland/bs-md-nsa-leak-case-20110609,0,3140011.story?page=2&track=rss
In 2005, Sony BMG released a 3-CD set entitled Electric 80s. The cover art for this compilation of "the greatest Eighties electric hits" featured a reproduction of a UPC bar code, with the title "ELECTRIC 80s" placed in the space at the bottom of the bar code where the human-readable numbers corresponding to that code would usually appear. (The real bar code -- the one used for scanning the price of the item at checkout counters -- was placed in a corner on the back of the packaging, as it is for nearly every similar item.) http://www.snopes.com/business/market/cdbarcode.asp What could possibly go wrong? Right. The reproduction bar code was a real one, so if the clerk selling you the CD scanned the wrong side, you were charged the wrong price.
All this talk about cloud computing. So now our marriage to the PC has soured, and we return back to the dumb terminal and the university/cloud's VAX/PDP where we started. [It takes me back to MIT's CTSS in the early 1960s and Multics beginning in 1965. Not just full circle, but perhaps 720 or 1080 degrees. And The Shadow (from the 1940s radio shows), with the ability to *cloud* men's minds. PGN]
Fox News found out the hard way that there's nothing like the real thing when it comes to Sarah Palin, especially when it comes to Palin impersonator Tina Fey. A story on "America's News Headquarters" about Palin's current bus tour, in which she may be testing the waters for a 2012 presidential bid, was illustrated with a graphic of Fey portraying Palin, according to Mediaite.com. The snafu was particularly glaring since Palin works for Fox as a correspondent. ... [Source: *LA Times*] http://latimesblogs.latimes.com/showtracker/2011/06/fox-news-mistakenly-uses-tina-fey-as-palin-in-palin-bus-story.html
I've always been wary of Skype for their SBO stance, despite the many security friends who have used it, love it, and promote it at every turn. Prior to this year's disclosures of increasing success in attempts to decode the thing (and the purchase by Microsoft), I was even thinking that I might have to jump on the bandwagon and start using it, as one of the most realistic ways of phoning home from various countries overseas. This new wrinkle in the situation reminds me of the battle royal, many years ago, between Microsoft and AOL over instant messaging functions. (Little good can come out of the fight, I suspect, other than the high probability that someone will come up with some form of realistic alternative to Skype.) In the instant messaging scrap, both sides worked furiously on developing new versions of their client software that would be incompatible with the other. This activity culminated in one vendor creating one with a buffer overflow situation. Not by accident: this was done deliberately so that some instant messaging functions could *only* be accessed by a buffer overflow, thus reducing the (comparative) functionality of the other client. Not the actions of a vendor that has user security at heart ... rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links http://blogs.securiteam.com/index.php/archives/author/p1/
[Kamens'] point is valid. However, if we consider the probability of a human driver hitting a pedestrian, the distribution is probably random (X incidents per 100K driver/year, dependent on a large variety of factors). Think of it as a wetware fault. With self-driving cars, the control S/W will be the same, or very similar, across millions of cars, so any S/W fault could be expressed by millions of cars when a given set of inputs occurs. The distribution of incidents is not likely to be random but rather predictable. While formal methods and rigorous testing would reduce the number of residual bugs, a S/W system like self-driving cars, which is probably very complex and has millions of LOC, will not be bug free. Have we exchanged the risk of a random incident, wetware failure, for the risk of a rare but large-scale S/W fault that could cause thousands of incidents in a very short period of time?
wouldn't jump to the conclusion that all of the delta in disk space between an initial Windows installation and an updated one is "the updates" per se. Some of it is probably uninstall info for those updates, and some System Restore points providing another method to roll them back. All of which would be completely unnecessary if those updates were flawless -- but if Microsoft had THAT capability, there would never be any need to update Windows at all! Memorable flaws include:
* WGA, already noted, multiple versions,
* Repeated delivery and installation of non-functional ATI video drivers based on Windows Update (or ATI) misidentifying my installed hardware,
* Nightly server reboots caused by an update whose automatic installation would consistently fail AFTER noting that a reboot would be required (manual installation mysteriously succeeded)...
In the balance, review a top ten list of Windows worms of recent years to see how many exploited a vulnerability for which the corrective patch had been available as an update for at least three months. How badly do you prefer being in the Problem Set over being in the Solution Set?