On flight 447, the handoff from computer to pilots proved fatal for the 228 aboard. http://www.latimes.com/news/opinion/commentary/la-oe-garrison-flight-447-accident-20110814,0,5104609.story ... The Airbus A330, like other new-generation airliners, is controlled by a computer, in theory a sort of super-pilot, never tired or distracted, with lightning-fast reflexes and an encyclopedic knowledge of how best to fly. The human pilot still uses the stick and throttles in the traditional way, but commands go to the computer, which in turn executes them. If the pilot tells the airplane to bank too steeply or fly too slowly or too fast, the computer will not comply. Its "laws" are intended to protect against pilot errors that, far more often than mechanical failures, have led to accidents. The transition from mechanical to digital flight controls has brought about a shift in the way pilots are trained. Basic flying skills - the ability, for instance, to recover from unusual situations or to intuitively sense what an airplane is doing or is about to do - receive less and less emphasis. Testable knowledge of airplane systems and standardized flight procedures takes precedence. ... But we are still in transition, and Flight 447 fell victim to a philosophical inconsistency. The computer was supposed to protect the pilots from themselves, but in a pinch it threw up its hands and abruptly turned over control to a startled and unprepared human crew.
The second section of a recent "Ask the Pilot" article (http://www.salon.com/technology/ask_the_pilot/2011/08/18/myths_of_automation) has some comments from an A330 captain regarding Air France flight 447:

"We know the airplane stalled, but the interim reports do not detail how the Air France pilots reached this point in the first place. No way do I believe that the pilots manually commanded an extreme nose-up input, as the report is claiming. To say that a pilot would, for an 'unreliable airspeed event,' initiate a 7,000-foot-per-minute climb, with 16 degrees of nose-up input, is crazy. But the electronic flight control system (EFCS) of the A330 is capable of generating this magnitude of performance on its own, if, say, the overspeed protection mode was activated by the blocked pitot probes. This is what the A330 simulator displays when this fault is inserted. The auto trim also runs up to about 13 degrees of nose-up trim—the same figure mentioned in the interims—and reduces the nose-down authority for the resulting stall."

The pilot cannot override the EFCS quickly when it is misbehaving. The checklist procedures for this are time-consuming and confusing. The "unreliable airspeed" checklist is also ineffective if the EFCS takes control of pitch, as the pilot is locked out.
"The Daily News", Kamloops, British Columbia, Canada; Saturday, August 13, 2011; pages A1 and A2.

MISTAKE: Canine illness causes cancer confusion; Man baffled by medical questions

PRINCE GEORGE—A B.C. man was forced to convince his doctor and his girlfriend that he doesn't have cancer after a mixup with the province's pharmacy system confused him with his dog. It turned out that Rick Gillingham of Prince George does not have cancer, but his dog, Cooper, was taking the medication phenobarbital for canine epilepsy.

When Gillingham went to the local university hospital for a simple painkiller recently, the doctor started asking him questions about his cancer. "I told him, 'I don't have cancer,' and he kept telling me not to be coy, that nobody was within earshot, so it was all right to talk about it and he needed to know," said Gillingham.

Gillingham's girlfriend overheard the conversation from the waiting room, prompting her to storm in and demand to know why she was kept out of the loop, too. "She was saying things like, 'They are professional, they don't make these kinds of mistakes.' And I really didn't know what to tell her. I was at a loss for words."

As Gillingham attempted to convince his girlfriend that he wasn't sick, the doctor finally revealed the source of the confusion. "As we were yakking about it, the physician piped up and said, 'Well, if you're not the one taking the phenobarbital, who is?' And as soon as he said that, the light went on for her. It was for the dog, not for me. I didn't even remember the name of the dog's stuff, but she did and it all clicked."

Cooper's veterinarian had prescribed phenobarbital to ease the animal's canine epilepsy. But when the dog's medication was entered into the province-wide PharmaNet system, there was nothing to indicate that Gillingham and his dog were not the same person—or even the same species. Adding to the confusion, the vet's name is identical to a well-known cancer specialist.
"It would probably not have been harmful (if Gillingham took the dog's drugs), but if someone else had this happen, it could be life-threatening," said his girlfriend, Charlaine MacGillivray. "There should be some way of knowing the difference at a glance between human medication and animal meds. This is scary stuff."

Bob Nakagawa, an assistant deputy minister in the province's Health Ministry, said his department asked the College of Pharmacists of B.C. to investigate what happened. [THE CANADIAN PRESS]

Scary Bits:
1) The doctor trusted the system despite protests.
2) The doctor said that Gillingham and he could not be overheard, but they were.
3) The girlfriend trusted the system.
4) There was apparently no way to distinguish Gillingham and Cooper.
5) There are two very different kinds of prescribers with the same name.
Agence France Presse (AFP) reports on a man who, unable to escape, died of dehydration inside a locked car. He and his brother had been nightclubbing and he had consumed lots of alcohol. On arriving home, his brother got out of the car (one presumes, hopefully, that he was the one driving) and went to sleep in his bed. He took the car keys with him, but left the car unlocked. The first man continued to sleep in the car. After a certain period of time, the locking system activated and locked the doors. In the house, everyone assumed he was asleep in his own bed. The car was parked in the sun and the outside temperature was 40 degrees Celsius (104F). It is not clear at what time he woke up; however, there is evidence that he tried to break a window to escape. He did not succeed, and died of dehydration.

Apparently, the locking system in this particular model (the car maker is not specified in the article) has an interesting "feature": when the car is locked and the keys are not in the cabin, one cannot open the car from the inside. Pressing the unlock button has no effect. This sounds unbelievable, but AFP rarely makes mistakes in reporting. If it's true, then it's a particularly horrifying example of embedded systems failure.

http://bit.ly/nFLZde
http://www.liberation.fr/societe/01012356057-piege-dans-sa-voiture-il-meurt-deshydrate
Bitomat, the third largest exchange for bitcoin—the cybercryptocurrency not backed up by a government or any hard assets—lost its wallet.dat file which held all of its bitcoins. http://siliconangle.com/blog/2011/08/01/third-largest-bitcoin-exchange-bitomat-lost-their-wallet-over-17000-bitcoins-missing/ According to the article, this was due to using the wrong cloud computing model on the part of the exchange, not any fault of Amazon's cloud computing services. A consequence of this latest bitcoin disaster has been the acquisition of Bitomat by the largest exchange, Mt. Gox. http://siliconangle.com/blog/2011/08/11/mtgox-acquires-bitomat-pl-in-bid-to-restore-confidence-in-bitcoin-market/ This article calls it a "bid to restore confidence in the bitcoin market". I don't quite get how merging the two exchanges involved in the largest bitcoin disasters restores confidence, but I suppose confidence can't get any lower so anything you do must be an improvement.
[Source: Daniel Eran Dilger]
http://www.appleinsider.com/articles/11/08/23/united_airlines_uses_11000_ipads_to_take_planes_paperless.html
http://www.prnewswire.com/news-releases/united-airlines-launches-paperless-flight-deck-with-ipad-128240343.html

United is the latest airline to ditch pilots' paper flight manuals, having announced today that it is distributing 11,000 iPads across all of its Continental and United flight decks.

Going green with a light and streamlined machine

United said in a press release that its new iPad-bearing pilots will use Jeppesen Mobile FliteDeck, "the industry's premier app featuring interactive, data-driven enroute navigation information and worldwide geo-referenced terminal charts. The enhanced full-color, high-quality information display ensures the right information is displayed at the right time." In addition to having less weight to carry in and out of the plane, the weight savings also saves fuel, while reducing the amount of unnecessary paper used and printed by airlines. United states that "a conventional flight bag full of paper materials contains an average of 12,000 sheets of paper per pilot. The green benefits of moving to EFBs are two-fold: it significantly reduces paper use and printing, and, in turn, reduces fuel consumption. ...
[The English source is a highly politicized newsgroup, but the factual material seems to be legit.]

Slip-Up in Chinese Military TV Show Reveals More Than Intended
Piece shows cyber warfare against US entities, *Epoch Times*

A standard, even boring, piece of Chinese military propaganda screened in mid-July included what must have been an unintended but nevertheless damaging revelation: shots from a computer screen showing that a Chinese military university is engaged in cyberwarfare against entities in the United States. The documentary itself was otherwise meant as praise to the wisdom and judgment of Chinese military strategists, and a typical condemnation of the United States as an implacable aggressor in the cyber-realm. But the fleeting shots of an apparent China-based cyber-attack somehow made their way into the final cut.

The screenshots appear as B-roll footage in the documentary for six seconds - between 11:04 and 11:10 minutes - showing custom-built Chinese software apparently launching a cyber-attack against the main website of the Falun Gong spiritual practice, by using a compromised IP address belonging to a United States university. ... The software window says "Choose Attack Target." The computer operator selects an IP address from a list - it happens to be 220.127.116.11 - and then selects a target.

Rest of the story: http://www.theepochtimes.com/n2/china-news/slip-up-in-chinese-military-tv-show-reveals-more-than-intended-60619.html

The story points out that 18.104.22.168 resolves to the University of Alabama at Birmingham, and has some comments from them, too.
[via David Farber's IP distribution. PGN]

Apparently the IRS believes an individual's right to privacy terminates at death. SSNs are easily available online and used for fraud: http://www.forbes.com/sites/irswatch/2011/08/01/death-taxes-identity-theft/

Clip:
> And by the way, do the deceased have a right to privacy? Apparently, no.
> I found also on the SSA website, "Because these individuals are deceased,
> the Privacy Act does not apply to our collection and maintenance of these
> records."
Visa is going to move to chip & PIN (also known as EMV) in the US. This technology, already widely in use in Europe, will offer an exemption from PCI DSS compliance if a merchant does at least 75% of their transactions using EMV. (Not clear if this is 75% by number or value.) Beginning in Oct 2017, merchants that sell fuel (a major place where stolen credit cards are used) will be forced to accept liability for fraudulent transactions if they don't use EMV or similar technology. See http://www.informationweek.com/news/security/vulnerabilities/231400073

Sounds good? Well, not so much. Will they use the same broken techniques used in Europe? How will they protect against hackers manipulating the devices to capture card data and PINs?

The RISKS? Moving to EMV, while perhaps a small step forward, may inhibit a real improvement. Once the transition starts (reissuing everyone's cards - hundreds of millions in the US - and replacing all of the merchant terminals with new ones that can handle the chip & PIN technology), it will be hard to stop and switch again for another decade or two.

"Chip and PIN is Broken", Steven J. Murdoch et al., IEEE Security & Privacy 2010. www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
"Legacy Support Leaves Chip-And-PIN Vulnerable", Information Week, Aug 1 2011. http://www.informationweek.com/news/security/vulnerabilities/231003001
http://j.mp/preOv4 (Extreme Tech) [From Network Neutrality Squad]

"For now the only evidence that such an attack occurred is the report of Coderman on the Full Disclosure mailing list. Coderman seems to be a relative veteran of security and open source mailing lists, though, and he says he has attended six DEF CONs. If he's telling the truth, then this attack would represent the first ever man-in-the-middle attacks on two networks that have so far proven to be unhackable. For the ailing and nigh-stillborn CDMA this isn't such a huge issue - but if 4G has fallen, just as AT&T, Sprint, Verizon, and cellular companies around the world begin to plow huge dollars into its roll out, this could be a massive blow."

Lauren, NNSquad Moderator
I can confirm attempts against my dumb LG (install apps and register) on Verizon. I just assumed it was the normal type of stuff that one sees at defcon (been going since DC7). Even though I'm fairly confident that the attempts were unsuccessful I had my phone admin do a clean wipe and restored contacts from a backup. This does not confirm anything against 4G.
[From Network Neutrality Squad. PGN]

Why Governments Are Terrified of Social Media
http://lauren.vortex.com/archive/000891.html

In Missouri, teachers and others are up in arms over a law that would ban most contacts between teachers and students through social media, not only via systems like Facebook, but even apparently mechanisms such as Google Docs (http://j.mp/pSqX11 [ABC News]). In the UK, Prime Minister David Cameron has proposed censoring or cutting off BlackBerry and other social media systems based on the misguided and false assumption that this would prevent planning and communications by potential rioters or other "undesirable" persons. And back here in the U.S., BART shut down parts of the cell phone network, in an attempt to block communications in advance of a legal protest that never took place, though we know full well from history that protests—even of enormous scope—do not require high technology to be organized and deployed (http://j.mp/rq7SO9 [Lauren's Blog]). Around the world, including here in the U.S., governments are demanding unencrypted access to supposedly "secure" communications systems.

The common thread is very clear. Governments are increasingly terrified of the communications abilities that Internet and other technologies have provided their citizenry and other residents. While usually careful to express their concerns in the context of seemingly laudable motives like fighting crime or terrorism, in reality these governments have revealed the distrust and contempt with which they view their populations at large.

This is by no means a new phenomenon. Throughout human history, governments and many leaders have cast a jaundiced eye on virtually every new technological development that enabled communications, particularly if that technology made it easier for direct person-to-person messages to be exchanged outside the view of government services and minders.
These government efforts to suppress and control communications have virtually all failed in the end, though a great deal of damage has been done to individuals and groups in the process. At one time, even the ability to read and write was considered too dangerous a skill set for the commoners. The invention of the printing press threw government and churches alike into convulsions of apprehension.

And now "social media" is the new scapegoat, the whipping boy, the technological designated evil that short-sighted politicians of both major parties, and their various administrative minions and supporters, are demanding be monitored, leashed, and controlled. In reality of course, it's not the technology that these persons wish to leash—it's ordinary people. It's you and me and the vastness of other law-abiding persons who have become the targets of the 21st century law enforcement mantra: "Screw the Bill of Rights—treat everybody like a suspect, all the time."

The broad implications of this "guilty until proven innocent" mindset are all around us now. They're at the heart of the newly revealed alliance between CIA and the New York Police Department to monitor the activities of innocent citizens, using surveillance techniques that would have seemed comfortably familiar to the old East German Stasi secret police. They're seen in the massive government-mandated Internet data retention demanded by "The Protecting Children from Internet Pornographers Act of 2011"—now moving rapidly through Congress, and disingenuously titled to suggest it only applies to child abuse, when in reality its true reach would broadly encompass all manner of Internet access activities (http://j.mp/o13jMO [Atlantic]). Governments seem to increasingly no longer feel that it's necessary or desirable to have "probable cause" or court orders before spying on individuals, tracking their movements via hidden GPS units, building dossiers, or even disrupting communications.
Constitutional guarantees are more and more viewed by our leaders as quaint artifacts of the past, to be ignored today merely as annoying inconveniences. The innocent are now being treated largely as potential "future criminals"—and so subject to many of the same sorts of surveillance and other law enforcement techniques that in the past were generally limited to specific suspects of specific crimes.

To the extent that these activities for now appear to be mostly aimed at persons with skin colors or religions different from us, it becomes easier to "go with the flow" of this new law enforcement mentality, to not make waves, to be quiet, to be sheep. But the same techniques used today against one group can be easily repurposed for others. Government ordered records of users' Internet activities will affect us all, and the infrastructures created to support these surveillance-related systems may be extremely long-lived.

When governments no longer trust the people, when officials make the mental and physical leaps to targeting vast numbers of innocent persons in the manner of criminal suspects of yesteryear, we have embarked on a road that leads to a very dark place indeed. Today, social media is in the crosshairs. Governments certainly are enthusiastic about using social media for their own investigatory and enforcement purposes, but they appear to be desperately seeking ways to control and limit the ability of ordinary persons to communicate privately and securely on these systems, or to use them at all in some cases. This is hypocrisy of the highest order. It is a serious risk to innocent individuals being targeted by its adherents today. Unchallenged, tomorrow it will be a serious risk to us all.

People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org
Skype: vortex.com
Tel: +1 (818) 225-2800
I've just switched to a new bank, and of course they're trying to get me to use their debit card for purchases as often as possible so they can make money off of the fees. (I've already told them I want a plain ATM card, not a debit card, but they're still sending me the literature.) I couldn't help but notice these Orwellian statements in a pamphlet they sent me (EMPHASIS added by me):

What's the best way to use my [bank name elided] Debit MasterCard for purchases?
* When paying, say or press "Credit"
* THERE'S NO NEED TO USE YOUR PIN, SO YOUR TRANSACTIONS ARE EVEN MORE SECURE
* Your purchase comes directly out of your checking account

Can somebody please explain to me how it's "more secure" for anyone to be able to steal my debit card and use it to take money directly out of my checking account without entering my PIN? I imagine if I called the bank and asked what they're talking about, they'd say, "If you don't need to enter your PIN, then the people standing near you won't be able to see what it is." But (a) you can protect against that just by blocking people's view of the keypad with your other hand, and (b) that's probably not the threat they should be most worried about, and (c) it's totally irrational, since anyone who saw my PIN would have to get their hands on my card to use it, and if they get their hands on my card then they can use it to make purchases without a PIN!

And I had such high hopes for my new bank. *sigh*
> This is a bold and at first blush promising idea. ...

Um, not quite so bold. Fred Cohen noted the possibility in 1983 or so. In fact, the first (widely) available antivirus program for the PC/MS-DOS world was not a scanner, but an activity/behaviour monitor and blocker. (It had actually been brought out as an anti-trojan, but was quite effective against early viruses.)
Workshop on Cryptography for Emerging Technologies and Applications
Call for Abstracts, NIST Campus in Gaithersburg, MD, 7-8 November 2011

The National Institute of Standards and Technology (NIST) is hosting a workshop on Cryptography for Emerging Technologies and Applications that is intended to identify the cryptographic requirements for emerging technologies and applications. The workshop provides an opportunity for industry, research and academia communities, and government sectors, to identify cryptographic challenges encountered in their development of emerging technologies and applications, and to learn about NIST's current cryptographic research, activities, programs and standards development.

In preparation for the workshop, NIST calls for the submission of abstracts that identify cryptographic challenges identified during the research and development of emerging technologies and applications. Submitted abstracts will be posted on csrc.nist.gov before the workshop, and the authors of selected abstracts will be invited to present their work during the workshop.

The deadline for abstract submission is September 26, 2011 at 5:00 PM Eastern Daylight Saving Time. The abstracts should be sent to firstname.lastname@example.org, indicating in the subject line: "CETA Workshop Abstract Submission". The submission should clearly identify the emerging technology space (e.g., "Internet of Things"), the class of cryptographic requirements (e.g., stream ciphers), the title of the abstract, and the author(s). The abstract's body should contain no more than 300 words.

Examples of emerging or evolving technology spaces include:
* Sensor and building networks
* Mobile devices
* Smart Objects/Internet of Things, and
* Cyber physical systems.

Examples of cryptographic requirements for emerging sectors might include performance or resource issues, cryptographic services (such as anonymous or group signatures), or key management challenges. Authors are welcome to identify, through their submissions, other areas of cryptography for emerging technologies and applications that are not listed above.

Location: NIST Campus, 100 Bureau Dr., Gaithersburg, MD 20899
Date: 7 and 8 November, 2011
Registration fee: $155.00

Additional information about the workshop and submission of abstracts can be found at: http://www.nist.gov/itl/csd/ct/ceta-workshop.cfm