All right now, how many people reading this: [1] saw a previous version of this message in RISKS-6.34, 13.21, 17.81, 20.83, 23.24, and/or 25.07? [2] still wear a wristwatch instead of using a cellphone or something as a pocket watch? [3] have the kind that needs to be set back a day because (unlike the smarter types that track the year) it went directly from February 28 to March 1? and [4] *hadn't realized it yet*? Me, I remembered around 11:50 pm, but could do nothing about it then—and didn't remember *again* until nearly 12 hours later. ["Deja vu all over again" is Standard here! PGN]
Product Outage/Anomaly: Windsat Data Outage: Issued February 29, 2012, 1229 UTC (CORRECTION)
Topic: Windsat data will not be available
Date/Time: February 29, 2012, 1229 UTC
Product(s) or Data Impacted: Windsat data
Date/Time of Initial Impact: February 29, 2012 0000 UTC
Date/Time of Expected End: March 01, 2012 0000 UTC
Length of Outage: 24 hours
Details/Specifics of Change: FNMOC/MONTEREY has informed ESPC that because of the leap year, Windsat data will be unavailable for 24 hours.
Contact Information for Further Information: ESPC Operations at ESPCOperations@noaa.gov and 301-817-3880
In the "When will they ever learn?" department: Steve McCaskill, Windows Azure Leap-Year Glitch Takes Down G-Cloud; Microsoft says that most services have now returned to normal after a day of chaos, *Tech Week Europe*, 1 Mar 2012, http://www.techweekeurope.co.uk/news/windows-azure-leap-year-glitch-takes-down-g-cloud-63920 Microsoft has confirmed that a service outage that affected its cloud computing service Microsoft Azure, appears to be caused by a leap year bug.
I can hardly believe that there are leap-year problems, but both the system used for processing health insurance claims and one of the major banks seem to have stuffed it up. Medical insurance claims: http://www.theage.com.au/business/leap-year-blamed-for-hicaps-stumble-20120229-1u1z7.html ATMs at Commonwealth Bank: http://www.theage.com.au/business/commbank-atms-crash-nationwide-20120229-1u1q9.html I would have thought that this was sorted a long time ago. I was wrong.
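The wristwatch, the Windsat outage, the Azure outage and the claims-processing and ATM failures above are all instances of one bug class: date code that either applies an incomplete leap-year rule or computes "this date next year" by copying month and day. The Python below is an added example written for this digest; it is not code from any of the systems named here, and the items above do not say what the actual defect in any of them was. It puts the wrong and right versions side by side: the "divisible by four" shortcut versus the full Gregorian rule, a year-less watch rolling 28 February straight to 1 March, and three ways of adding one year to 29 February. All sample dates are constructed for the example.

```python
from datetime import date, timedelta

# Added example for the leap-year items in this digest; not code from any named system.

MONTH_LENGTHS = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]  # February as in a common year


def is_leap_year(year: int) -> bool:
    """Full Gregorian rule: every fourth year, except century years unless divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def naive_is_leap_year(year: int) -> bool:
    """The 'divisible by four' shortcut: right for 2000 and 2012, wrong for 1900 and 2100."""
    return year % 4 == 0


def days_in_month(year: int, month: int) -> int:
    """Length of a month, honouring the leap-year rule for February."""
    if month == 2 and is_leap_year(year):
        return 29
    return MONTH_LENGTHS[month - 1]


def watch_next_day(month: int, day: int) -> tuple:
    """Roll-over for a watch that stores month and day but no year (the wristwatch case):
    with no year it cannot know February is 29 days long, so 28 Feb is followed by 1 Mar."""
    if day < MONTH_LENGTHS[month - 1]:
        return (month, day + 1)
    return (month % 12 + 1, 1)


def _as_date(d) -> date:
    """Accept either a date or an ISO string such as '2012-02-29' (convenience for the demo)."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def calendar_next_day(d) -> date:
    """Correct roll-over: let the calendar library handle month length and leap days."""
    return _as_date(d) + timedelta(days=1)


def add_one_year_naive(d):
    """Same month and day next year. Returns None where that date does not exist, which is
    exactly what happens for 29 February in a leap year: the naive result is an invalid date."""
    d = _as_date(d)
    try:
        return date(d.year + 1, d.month, d.day)
    except ValueError:
        return None


def add_one_year_clamped(d) -> date:
    """Same month and day next year, clamped to the last valid day of that month (a policy
    choice: 29 Feb 2012 -> 28 Feb 2013; rolling forward to 1 March would be the other option)."""
    d = _as_date(d)
    year = d.year + 1
    return date(year, d.month, min(d.day, days_in_month(year, d.month)))


def add_365_days(d) -> date:
    """A fixed-length window instead of a calendar year; never produces an invalid date."""
    return _as_date(d) + timedelta(days=365)


if __name__ == "__main__":
    leap_day = "2012-02-29"  # constructed sample input
    print("1900 leap?  full rule:", is_leap_year(1900), " shortcut:", naive_is_leap_year(1900))
    print("watch after 28 Feb:", watch_next_day(2, 28), " calendar:", calendar_next_day("2012-02-28"))
    print("one year after", leap_day, "->", add_one_year_naive(leap_day),
          add_one_year_clamped(leap_day), add_365_days(leap_day))
```

The point of the three `add_one_year_*` variants is that the naive one does not fail on the day the code is written or tested; it fails only when run on a leap day, so a test suite needs a 29 February case, and any "valid for one year" logic needs an explicit decision about what that means when the start date has no counterpart next year.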
I just read an article in the IEEE *Spectrum* and so many risks are hinted/listed that even if I only read the forum once in a while without having subscribed, I think it may interest some other readers! http://spectrum.ieee.org/biomedical/devices/the-shocking-truth-about-defibrillators/0
The Voting News Weekly for February 27 - March 4 2012, 4 Mar 2012 The Voting News Weekly is a service of the Verified Voting Foundation. [This long, well documented, and extremely informative item has been truncated for RISKS. VVF is an extremely worthy organization devoted to election integrity. PGN] Computerworld reported on discussions of Internet voting at the RSA computer security conference. Doug Chapin observed that while the latest felony voter fraud stunt (this time in New Mexico) was possible, it was nevertheless still wrong. PolitiFact Florida determined that Stephen Colbert's observation that shark attacks are more common than voter fraud was "mostly true." Advocates for Latino voting rights criticized redistricting maps drawn by a Federal court. The majority Tory Party in Canada was implicated in a robocall scheme aimed at suppressing voter turnout in Ontario. With all genuine opposition to the Supreme Council banished, different conservative factions vied in Iran's Presidential election, while Vladimir Putin is expected to win re-election in an election widely perceived by many Russians and outside observers as unfair, and Senegal is headed for a run-off after no candidate received a majority of the vote in its Presidential election.
Internet voting systems too insecure, researcher warns "Internet voting systems are inherently insecure and should not be allowed in the upcoming general elections, a noted security researcher said at the RSA Conference 2012 being held here this week. David Jefferson, a computer scientist at Lawrence Livermore National Laboratories and chairman of the election watchdog group Verified Voting, called on election officials around the country to drop plans to allow an estimated 3.5 million voters to cast their ballots over the Internet in this year's general elections." http://j.mp/yHJ2nU (Computerworld) Nothing fundamentally has changed to make Internet Voting any less insecure since I wrote "Hacking the Vote" in 2000: http://j.mp/w2qhSp (Nettime)
A new video has been released of Prof. Alex Halderman at the RSA conference last week describing the attack on the D.C. Internet voting system and the general problem of Internet voting security. This is one of the most articulate, most compact presentations of the subject ever offered. The video runs 8 minutes. http://it.slashdot.org/story/12/03/10/2351259/prof-j-alex-halderman-tells-us-why-internet-based-voting-is-a-bad-idea-video?utm_source=rss1.0moreanon&utm_medium=feed
This is about the most amazing story of a malfunction (I think!) laid bare that I've ever seen in my work on voting systems! best, Joe

On 27 Feb 2012, John Travis <TravisJ@exchange.law.nyu.edu> wrote:

> Board of Elections does nothing as hundreds of Bronx votes go missing
> Ignores warnings of busted ballot scanner
> *NEW YORK DAILY NEWS*, 27 Feb 2012
> http://www.nydailynews.com/opinion/voters-damned-article-1.1028275#ixzz1nb60Oaz2
>
> The Board of Elections' highest duty is to ensure that New Yorkers get a straight count when they exercise the franchise. The patronage-ridden cesspool can't even do that.
>
> More than six months ago, voting experts at New York University Law School's Brennan Center detected an alarming pattern at one polling place in the South Bronx:
>
> The tallies from the electronic scanning machines at Public School 65 included high proportions of invalidated votes.
>
> There were two possibilities: Either huge numbers of voters had improperly filled out their ballots, or at least one of the scanners had gone haywire. The board did nothing. Actually, the board did worse than nothing. It refused to check—even when asked to do so by state election officials.
>
> Using the Freedom of Information Law, this editorial page then demanded the right to inspect ballots cast at PS 65 in the 2010 primary and general elections—the ones that put Gov. Cuomo into office.
>
> The board complied, marking what may be the first time members of the public in New York State have been given permission to look over cast ballots and review how they were counted.
>
> All too predictably, we discovered that voters had done their part correctly, while one of the three scanners at PS 65 misread and miscounted votes. Here are the disgraceful findings:
>
> In the September primary, the scanner processed 103 ballots and made errors on 69 of them, a failure rate approaching 70%.
>
> In the November general election, the scanner handled 289 ballots and misread votes on 156 of them, a 54% failure rate.
>
> The errors occurred in identifying so-called overvotes. These happen when voters fill in two ballot ovals for different candidates in the same race, darkening one for, say, Cuomo and the other for opponent Carl Paladino.
>
> Presented with the conflicting marks, a scanner alerts the voter with an on-screen message that gives two choices: Correct the ballot or proceed. If the voter proceeds, the machine invalidates the vote in that race. Neither Cuomo nor Paladino would be credited with a vote.
>
> Time after time, looking at photographic images of the ballots that are recorded by the scanners, we found ballots that were perfectly filled out: one vote for Cuomo, one vote for Eric Schneiderman, then running for attorney general, one vote for Kirsten Gillibrand, running for Senate.
>
> And, time after time, we also saw that the machine had registered overvotes where none existed. For example, detecting a valid Cuomo vote while also recording phantom votes for Paladino and for the five other lesser-known candidates, plus a write-in.
>
> In those circumstances, the machine invalidated proper votes.
>
> On other ballots, voters chose not to fill out an oval in a particular race—and the machine recorded that they had filled one in. For example, a voter opted to skip the contest between Gillibrand and Democratic primary challenger Gail Goode—but the scanner scored a vote for Goode.
>
> The board and the scanner supplier, Election Systems & Software, swear the machines are accurate. Really? And that the machines are calibrated and tested before every Election Day. Really?
>
> That's not what happened—and the failures occurred twice. There must be a complete investigation by an independent authority that examines the faulty machine and goes far into checking on the possibility of broader undetected failures.
>
> The Board of Elections cannot be trusted with the inquiry. It's an outdated, unaccountable, mismanaged operation dominated by the Democratic and Republican parties. It should be put out of its misery—and the public's—to be replaced by a professional, nonpartisan [non?]bureaucracy.
>
> Read more:
> http://www.nydailynews.com/opinion/voters-damned-article-1.1028275#ixzz1nb5sB4hP
>
> John Travis, Research Associate, Democracy Program, john.travis@nyu.edu
> Brennan Center for Justice at NYU School of Law
> 161 Avenue of the Americas, 12th Floor, New York, New York 10013
> (646) 292-8349

Joseph Lorenzo Hall, Postdoctoral Research Fellow, Media, Culture and Communication, New York University https://josephhall.org/
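To make the overvote mechanism in the editorial concrete, and the check that exposed it: the Python below is an added example, not code from the Daily News, the Brennan Center, the Board of Elections or the scanner vendor. It treats each oval as a darkness reading, classifies every race on a ballot as a vote, an undervote or an overvote (two or more filled ovals, no candidate credited), and then does what the editorial did by hand: reads each ballot image twice, once with the machine's settings and once independently, and counts the ballots on which the two readings disagree. The thresholds and the four sample ballots are constructed. A scanner that reads faint stray marks as filled ovals is one hypothetical way to get phantom overvotes and phantom votes in skipped races; the article states the symptom, not the cause.

```python
# Added example: a toy optical-scan interpretation plus the audit comparison the
# editorial describes. Candidate names come from the article; darkness values,
# thresholds and ballots are constructed for the example.

MACHINE_THRESHOLD = 0.10    # hypothetical miscalibrated scanner: almost any mark counts as filled
REFERENCE_THRESHOLD = 0.50  # independent reading of the same images: only a real fill counts

# A ballot is {race: {candidate: darkness}}, darkness in 0.0 (blank) .. 1.0 (fully filled).
SAMPLE_BALLOTS = [
    # 0: clean vote in both races
    {"governor": {"Cuomo": 0.90, "Paladino": 0.00},
     "senate":   {"Gillibrand": 0.90, "Goode": 0.00}},
    # 1: vote for governor, senate race deliberately skipped; faint smudge on the Goode oval
    {"governor": {"Cuomo": 0.90, "Paladino": 0.00},
     "senate":   {"Gillibrand": 0.00, "Goode": 0.15}},
    # 2: a genuine overvote for governor (both ovals filled), clean senate vote
    {"governor": {"Cuomo": 0.90, "Paladino": 0.85},
     "senate":   {"Gillibrand": 0.90, "Goode": 0.00}},
    # 3: clean vote for Cuomo, faint smudge on the Paladino oval
    {"governor": {"Cuomo": 0.90, "Paladino": 0.12},
     "senate":   {"Gillibrand": 0.90, "Goode": 0.00}},
]


def interpret_race(marks: dict, threshold: float) -> tuple:
    """Classify one race: ('vote', candidate), ('undervote', None) or ('overvote', None).
    An overvote credits nobody, which is how the scanner in the article invalidated votes."""
    filled = sorted(c for c, darkness in marks.items() if darkness >= threshold)
    if not filled:
        return ("undervote", None)
    if len(filled) == 1:
        return ("vote", filled[0])
    return ("overvote", None)


def interpret_ballot(ballot: dict, threshold: float) -> dict:
    """Interpretation of every race on one ballot: {race: (kind, candidate)}."""
    return {race: interpret_race(marks, threshold) for race, marks in ballot.items()}


def tally(ballots: list, threshold: float) -> dict:
    """Per-race totals: candidate counts plus 'overvote' and 'undervote' counts."""
    totals = {}
    for ballot in ballots:
        for race, (kind, candidate) in interpret_ballot(ballot, threshold).items():
            race_totals = totals.setdefault(race, {"overvote": 0, "undervote": 0})
            if kind == "vote":
                race_totals[candidate] = race_totals.get(candidate, 0) + 1
            else:
                race_totals[kind] += 1
    return totals


def discrepancies(ballots: list, machine_threshold: float, reference_threshold: float) -> list:
    """Every (ballot index, race, machine reading, reference reading) where the two differ."""
    found = []
    for i, ballot in enumerate(ballots):
        machine = interpret_ballot(ballot, machine_threshold)
        reference = interpret_ballot(ballot, reference_threshold)
        for race in ballot:
            if machine[race] != reference[race]:
                found.append((i, race, machine[race], reference[race]))
    return found


def audit(ballots: list, machine_threshold: float, reference_threshold: float) -> tuple:
    """(ballots with at least one misread race, ballots examined, failure rate)."""
    bad = {i for i, _race, _m, _r in discrepancies(ballots, machine_threshold, reference_threshold)}
    return (len(bad), len(ballots), len(bad) / len(ballots))


if __name__ == "__main__":
    print("machine tally:  ", tally(SAMPLE_BALLOTS, MACHINE_THRESHOLD))
    print("reference tally:", tally(SAMPLE_BALLOTS, REFERENCE_THRESHOLD))
    for item in discrepancies(SAMPLE_BALLOTS, MACHINE_THRESHOLD, REFERENCE_THRESHOLD):
        print("misread:", item)
    print("failure rate:", audit(SAMPLE_BALLOTS, MACHINE_THRESHOLD, REFERENCE_THRESHOLD))
```

Two things the toy makes visible. First, the machine's own tally looks internally consistent, so no total by itself reveals the problem; only an independent reading of the retained ballot images does, which is why access to cast ballots mattered in the article. Second, the audit statistic is per ballot (any misread race spoils the ballot), which matches the 69-of-103 and 156-of-289 figures the editorial reports.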
Thanks to Deborah Peel of PatientPrivacyRights.org [PGN-ed] The Office of Civil Rights in the Dept of Health and Human Services (OCR) slapped the wrist of BCBS of Tennessee. One million people's protected health information was breached because Blue Cross Blue Shield (BCBS) of Tennessee violated data security laws. The fine cost BCBS a little more than $1.00 per person—hardly a deterrent to other corporations or adequate punishment. However, that is the highest possible fine permitted by law (HITECH). But criminal charges could have been filed for "willful disregard". OCR's finding that legally-required "adequate administrative and physical safeguards" were lacking is evidence of "willful neglect". Worst of all, the one million victims received NO protection against future ID theft or medical ID theft. *OCR could have also required BCBS to mitigate future patient harms, but didn't*. New technologies can protect against medical ID theft by enabling patients to review all new claims, so they can detect and prevent fraudulent claims and erroneous data from being entered into their records. Why didn't OCR propose that BCBS adopt remedies to protect the patients whose records were breached from further misuse and theft? Shouldn't OCR help protect victims?
*Technology Review* 13 Mar 2012, via ACM TechNews, Wednesday, March 14, 2012 Despite the rising popularity of cloud-based computing, the risks of a full-scale cloud migration have yet to be properly explored, says Yale University professor Bryan Ford. He notes that in the worst-case scenario, a cloud could experience a full meltdown that could seriously threaten any business that relies on it. "This simplistic example might be unlikely to occur in exactly this form on real systems--or might be quickly detected and 'fixed' during development and testing--but it suggests a general risk," Ford says. He notes, for example, that a lack of transparency between different cloud providers could lead to conflicting internal control loop cycles. "Non-transparent layering structures ... may create unexpected and potentially catastrophic failure correlations, reminiscent of financial industry crashes," Ford warns. A more general risk occurs when systems are complex because unrelated parts become intertwined in unexpected ways. He notes that only recently have industry experts begun to realize that bizarre and unpredictable behavior often occurs in systems consisting of networks of networks. "We should study [these unrecognized risks] before our socioeconomic fabric becomes inextricably dependent on a convenient but potentially unstable computing model," Ford says. http://www.technologyreview.com/blog/arxiv/27642/
It's Not All About You: What Privacy Advocates Don't Get About Data Tracking on the Web - Alexander Furnas - Technology - The Atlantic http://www.theatlantic.com/technology/archive/2012/03/its-not-all-about-you-what-privacy-advocates-dont-get-about-data-tracking-on-the-web/254533/#.T2JeAt-uWRY.email Jonathan Zittrain noted last summer, "If what you are getting online is for free, you are not the customer, you are the product." This is just a fact: The Internet of free platforms, free services and free content is wholly subsidized by targeted advertising, the efficacy (and thus profitability) of which relies on collecting and mining user data. We experience this commodification of our attention every day in virtually everything we do online, whether it's searching, checking email, using Facebook or reading The Atlantic Technology section on this site. That is to say, right now you are a product.
Christine Wong, What the U.S. takedown of billionaire Canadian Calvin Ayre could mean for other Canadian Web domains registered via the U.S.-based top level domains. *IT Business*, 29 Feb 2012 http://www.itbusiness.ca/it/client/en/home/News.asp?id=66320 opening text: The shutdown of a Canadian billionaire's online gambling Web site shows the U.S. government is willing to assert its legal authority over Internet properties outside American boundaries—even those based in Canada, a Toronto domain name registrar warns. Saskatchewan-born Calvin Ayre, 50, and three of his associates were charged Tuesday with allegedly operating an online gambling site, a practice outlawed in the U.S. in 2006. The charges were filed in a federal court in Maryland. The case raises questions about Internet sovereignty because U.S. officials were able to take the site, Bodog.com, off the Net even though it's owned by a Canadian and operated out of various offices overseas.
(Eric Pfeiffer) Cameras at U.K. gas stations will block uninsured drivers from refueling Eric Pfeiffer, The Sideshow, 14 Mar 2012, From johnmacsgroup A new plan from the British government will use closed-circuit television (CCTV) cameras at gas stations that will automatically prevent uninsured drivers from filling up their gas tanks—that is, until their vehicle information has been logged in the system. *The Mirror* reports that the plan is meant to address the 1.4 million uninsured motorists in Britain and act as a deterrent. That may not sound like a huge number compared with the estimated 13.8 percent of uninsured American motorists, but the 1.4 million figure represents four percent of all U.K. drivers. ... http://news.yahoo.com/blogs/sideshow/cameras-u-k-gas-stations-block-uninsured-drivers-155857252.html
http://www.itbusiness.ca/it/client/en/home/News.asp?id=66506 Web security firm Trusteer has uncovered a new method used by cybercriminals to infiltrate online banking security. 3/13/2012 12:01:00 AM By: ITBusiness Staff
Plus Fukushima and infrastructure CyberSecurity issues It is an important topic! It has much more worrying consequences than people's and vehicles' movements being tracked by third parties. The UK's Royal Academy of Engineering (RAEng) published a report a year ago on the vulnerabilities of critical infrastructure to Global Navigation Satellite System (GNSS) disruptions. GNSS is a generic term for systems of which GPS is one, GLONASS another and Galileo to be a third. The Committee that produced the report was chaired by Martyn Thomas (MT), who contributes regularly to RISKS (RISKS). The news got rather lost; it was headlined in the United Kingdom (UK) the day before the Tohoku earthquake (Martyn's 15 minutes of fame on the front page of the British Broadcasting Corporation's (BBC) World-Wide Web (WWW) site :-) ) Martyn recently (7 Feb 2012) gave a Keynote talk on the topic to the 20th Safety-Critical Systems Symposium (SSS'12) in Bristol, which was filmed by the Institution of Engineering and Technology (IET) for its archives. I find Martyn a very entertaining as well as informative speaker, and I encourage people to look at the film. Martyn's Talk on IET.tv: http://scpro.streamuk.com/uk/player/Default.aspx?wid=12667&ptid=32&t=0 RAEng news release: http://www.raeng.org.uk/news/releases/shownews.htm?NewsID=633 Report (read it!!): http://www.raeng.org.uk/news/publications/list/reports/RAoE_Global_Navigation_Systems_Report.pdf Google Preview of SSS'12 paper: http://www.scsc.org.uk/p116 Some more RISKy issues: Readers/viewers might also like to check out an IET.tv film on the Fukushima Daiichi accident at the same conference by a certain PBL. Chris Johnson's talk was not filmed, but his paper on CyberSafety and CyberSecurity is available at http://www.dcs.gla.ac.uk/~johnson/papers/IET_2011/CyberSafety.pdf . 
Unfortunately you can't necessarily see Google previews of all the content of all these papers on the Safety Critical Systems Club (SCSC) Web site because of restrictions listed there. I was, however, able to reach agreement with the proceedings publisher, Springer Verlag, to present my paper on the WWW in perpetuity, for which I thank Springer. My paper is at http://www.rvs.uni-bielefeld.de/publications/Papers/LadkinFukushimaAccOnlineVersion.pdf and the myriad references are all hyperlinked. Peter Bernard Ladkin, Causalis Limited and University of Bielefeld, Germany www.causalis.com www.rvs.uni-bielefeld.de
Drones by mail: http://www.ilounge.com/index.php/news/comments/parrot-ar.drone-2.0-ships-in-may-pre-orders-start-mar.-1 Also available on Amazon.com.
mobile apps (Jaikumar Vijayan) http://www.itbusiness.ca/it/client/en/Home/News.asp?id=66565 Jaikumar Vijayan, Class action suit charges 18 firms with surreptitiously taking user data. *IT Business*, 15 Mar 2012
Jacqui Cheng, Arstechnica The "Flashback" Mac trojan is back, and it's smarter than ever. Mac security company Intego says the latest variant, Flashback.G, uses three new methods in order to make its way onto Macs, though it won't install itself at all if it detects a number of antivirus or anti-malware security programs already installed. ... http://arstechnica.com/apple/news/2012/02/flashback-mac-trojan-is-back-with-new-and-improved-exploit-strategy.ars
>The door locks popped open. ... > [However, defaulting to all doors locked without manual overrides in cases > of loss of power or fire is also not a happy choice.] Indeed, I believe it was CarTalk who related the saga of leaving a sleeping grandfather in a BMW and locking the door. When he woke up, he could not exit the car, period. Further, I checked with a friend whose job has involved riding in such Suburbans for USG elsewhere in the world, and he remembers a clear UNLOCK OVERRIDE switch on the dashboard.
Nicole Perlroth, 12 Mar 2012 Last December, a group of hackers quietly orchestrated an attack on Stratfor Global Intelligence Service, a company based in Austin, Tex., that analyzes geopolitical risk and publishes a newsletter for various clients, among them the Departments of Homeland Security and Defense. The hackers breached the company's network and, once inside, confided in their fellow hacker, Hector Xavier Monsegur, and, as it turns out, the Federal Bureau of Investigation. Six months earlier, in June, the F.B.I. had arrested Mr. Monsegur and turned him into an informant. With his help, four hackers in Britain and Ireland were charged last Tuesday with computer crimes; a fifth man was arrested Monday in Chicago. Using the information he passed along, F.B.I. officials said it was able to thwart attacks on roughly 300 private companies and government agencies. But with Stratfor, they were not so lucky. ... http://bits.blogs.nytimes.com/2012/03/12/inside-the-stratfor-attack/
http://j.mp/wkRFq8 (*The Washington Post*) "V.A. Shiva Ayyadurai is a clever man, with MIT credentials, and a good sense of public relations plus a P.R. firm working with him. A press release by that P.R. firm got a young reporter/editor interested in his donation of his "EMAIL" documents to a well-respected D.C. institution, The Smithsonian's Museum of American History. Kolawole's interviews with Ayyadurai convinced her that he was interesting and worthy of a profile and online video interviews." Patrick Pexton's detailed mea culpa is honorable. [In case you have not heard of Tom Van Vleck and Noel Morris and their CTSS e-mail system at MIT from the mid-1960s, see this blog item from Noel's brother, film-maker Erol Morris: http://opinionator.blogs.nytimes.com/2011/06/19/did-my-brother-invent-e-mail-with-tom-van-vleck-part-one/ PGN]
Likewise my apologies. This came to me from a "trusted source" and I forwarded to Risks without performing additional checks beforehand. Like Peter, it was an early morning etc. But I must note that I originally found it possibly "real" ... consider: - Cellphone GPS info is available. - Cellphones have information such as their phone numbers and other personal info - Map information is available via GPS location So, for sincere discussion, how long before someone puts all of this together and generates an app to track users by phone number? Maybe I'm too cynical and have lived too long on this planet. Again, my sincere apologies to Peter and RISKS readers for the initial post.
Looking forward to seeing many of you in Seattle this summer! https://www.usenix.org/conference/evtwote12/call-for-papers [This is the pre-eminent combined conference/workshop for those seriously interested in election integrity, associated with USENIX Security. PGN]