John Hillabin

[John Hillabin has chosen 6 incidents at least partially blamed on bad UIs. As we have noted many times before, blame can usually be more widely distributed. Most of these should be familiar to long-time RISKS readers. PGN-ed from a detailed illustrated item by John Hillabin, cracked.com, 17 Apr 2012]

6. The Vincennes shootdown of an Iranian commercial airliner—inability to distinguish between a fighter and the airliner
5. Three Mile Island—light on a console
4. Air Inter flight 148 crash—display screen too small
3. Herald of Free Enterprise capsized—because of an open door
2. Kegworth air disaster—a digital dial
1. Space Shuttle Columbia burned up—because of PowerPoint

http://www.cracked.com/article_19776_6-disasters-caused-by-poorly-designed-user-interfaces.html
[From Steve Greenwald's distribution]

Each year an ocean race for sailboats is run from Newport, CA to Ensenada, Mexico. Owing to diminishing entries, the organizers some years ago allowed cruising sailboats to enter. These are generally largish, slowish motor sailors intended for comfortable recreational sailing. Since the race occurs in a time and place known for light winds, the rules permit the cruising sailboats to proceed under motor during nighttime, so that they may reach the finish in time for the party.

This year, dawn broke after the first night to reveal a debris field and three bodies near a set of rocky islets known as Coronado Island. The remains were identified as those of an entered boat and three of her four-man crew. The body of the fourth crew member was discovered a week later. These were the first fatalities in the 60-year history of the race.

The boat was equipped with every possible electronic aid, and the captain (the fourth crew member) was an electronics executive and highly experienced sailor. One of the aids was a commercial tracking system called SPOT, which permits shoreside viewing on the Web of the track of the vessel carrying it. When the SPOT track surfaced it showed a dead straight line headed into the northernmost of the Coronados. The point of intersection was a sheer rocky cliff.

The most plausible inference (which may be invalidated by later evidence) is that the crew started the motor, set a waypoint at the entrance to Ensenada harbor, and turned on the autopilot. A further inference is that in doing so they had the electronic chart zoomed out to a point where the Coronado Islands no longer showed up, and so had no warning that their track would take them straight into a rock. It then seems likely that the three crew members went below to sleep and sometime later the captain fell overboard. The robot then motored the boat and the sleeping crew straight into the cliff.
Given the sea state and the speed shown on the track it is estimated that impact velocity was in the order of 11 kt, sufficient to split the hull and flood the boat, which was then pounded to pieces by the surf beating against the sheer cliff. Even if the crew had survived the impact, survival that close to the rocks in that sea state was impossible. One comment in a long forum thread about this incident claimed that the UK maritime safety organizations have now adopted an acronym called "SNIG," which stands for "Sat-Nav Induced Grounding." A half-smart robot (smart enough to steer a straight line, but not smart enough to know the line goes through a rock) is a dangerous thing.
Given the obvious dangers, fully autonomous offensive lethal weapons should never be permitted.

Jonathan D. Moreno, *The Wall Street Journal* [PGN-ed]
http://online.wsj.com/article/SB10001424052702304203604577396282717616136.html?mod=WSJ_Opinion_LEFTTopOpinion

Much controversy has surrounded the use of remote-controlled drone aircraft or "unmanned aerial vehicles" in the war on terror. But another, still more awe-inducing possibility has emerged: taking human beings out of the decision loop altogether. Emerging brain science could take us there. ...

[J.D. Moreno is a professor of medical ethics and health policy at the University of Pennsylvania and a senior fellow of the Center for American Progress. He is the author of "Mind Wars: Brain Research and the Military in the 21st Century" (Bellevue, 2012).]

For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml
http://johnmacrants.blogspot.com
http://johnmac13.pulsememe.com/
Editor - Web2.0 The Magazine—www.web2themag.com
http://bit.ly/johnmac
I have read with amusement a lot of pieces such as the BBC article linked below that predict a rosy future now that Google is on its way (sorry) to test its driverless car in Nevada: http://www.bbc.co.uk/news/magazine-18012812

I even came across a piece that predicted a brutal drop in insurance rates somewhere. Not so fast, if you pardon the pun: all of this is based on the assumption that (a) it all will work wonderfully and (b) third parties will not find a way to get creative with it.

Point (a) really needs no elaboration - the development of such software is several million dollars of man-hours and innovation behind the telematics that keeps planes in the air, and we're aware of enough bugs in that environment to make a RISKS-aware professional nervous. Furthermore, Google may be a hothouse of innovation according to some, but if their code controls are so shoddy that an engineer "accidentally" can throw a Wifi snooping application into the Streetview data gathering process (including the required data storage back end), I would hazard a guess that there is room for improvement. It would put a whole new spin on their "I feel lucky" slogan.

I assume point (b) to be an almost instinctive focus for faithful readers of RISKS. I would be rather concerned about ANY data exchange from such a vehicle - not just from the privacy angle (not to harp on about Google), but also from the kind of mischief that could be had from messing with the car. It should no longer be news that present embedded systems in cars can be hacked to the point of disabling the brakes remotely (www.autosec.org) - I dare say that that ought to inspire some better focus on shielding such systems first. For the James Bond fans, this could otherwise work out neater than shipping a dessert portion of polonium abroad.
On the plus side, it does open the perspective of a new era of car tune-ups, and I personally would not want a Jetsons-style flying car above me without automation (because of the driving styles I encounter daily in the present 2D environment) - there certainly is room for progress. I would simply like to repeat the theme of a Swiss speed awareness campaign: Slow down - take it easy.
Agam Shah, Fire risk: Lenovo expands recall of ThinkCentre all-in-ones, *IT Business*, 9 May 2012
http://www.itbusiness.ca/IT/client/en/CDN/News.asp?idg413

Some of Lenovo's ThinkCentre M70z and M90z models could catch fire due to a faulty power supply.
Nick Bilton, 6 May 2012

People once took photographs so they could capture a moment for themselves and keep it forever. Then digital cameras and cellphones turned photos into something more ephemeral and more easily shared. But as the case of Anthony Weiner demonstrated, photos that are shared but are not meant to last sometimes stick around. Mr. Weiner's downfall does not seem to have discouraged people from sharing risqué photos. According to a study by the Pew Research Center's Internet and American Life Project that is due out later this year, 6 percent of adult Americans admit to having sent a "sexually suggestive nude or nearly nude photo or video" using a cellphone. Another 15 percent have received such material. Three percent of teenagers admit to sending sexually explicit content.

All of this sexting, as the practice is known, creates an opening for technology that might make the photos less likely to end up in wide circulation. This is where a free and increasingly popular iPhone app called Snapchat comes in. Snapchat allows a person to take and send a picture and control how long it is visible to the person who receives it, up to 10 seconds. After that, the picture disappears and can't be seen again. If the person viewing the picture tries to use an iPhone feature that captures an image of whatever is on the screen, the sender is notified.

http://bits.blogs.nytimes.com/2012/05/06/disruptions-indiscreet-photos-glimpsed-then-gone/
If you're a servicemember overseas planning to order the latest smartphone or laptop from the United States, take a second look at your options. Effective 16 May 2012, new U.S. Postal Service restrictions will ban air shipping of any electronics containing lithium batteries - such as iPads, smart phones and digital cameras - between the United States and overseas locations. [stripes.com]

rest: http://www.stripes.com/gadgets-using-lithium-to-be-barred-from-overseas-shipments-1.176965

The USPS info sheet clarifies that you can't send lithium batteries, even if in their own box:
http://about.usps.com/postal-bulletin/2012/pb22336/html/updt_010.htm

"Primary lithium metal or lithium alloy (non-rechargeable) cells and batteries, or secondary lithium-ion cells and batteries (rechargeable), regardless of quantity, size, or watt hours, and regardless of whether the cells or batteries are packed in the equipment they are intended to operate with the equipment they are intended to operate, or without equipment (individual batteries). This standard applies to all APO, FPO, or DPO locations."

* And it looks like this also applies to Canada/Mexico. Don't know about Hawaii. (The service rep at my local Post Office just got the notice Fri., May 11th, and it left the question of Hawaii up in the air, so to speak.)

* There are *plenty* of consumer items that have these batteries, sometimes obviously (such as a laptop), but frequently hidden away and/or built in. Hmm, wonder what's in my ultrasonic tapeless tape measure?
[*The New York Times* via NNSquad] http://j.mp/Jyv0xe

"If I watch last night's 'S.N.L.' episode on my Xbox through the Hulu app, it eats up about one gigabyte of my cap, but if I watch that same episode through the Xfinity Xbox app, it doesn't use up my cap at all," Mr. Hastings wrote on his Facebook page. "In what way is this neutral?" Comcast argues that its Xfinity move is not subject to the Federal Communications Commission's neutrality rules because the video travels exclusively on its network and not on the public Internet.

I will note that Comcast's excuse is—in my opinion—specious, since they alone determine how much of their total cable bandwidth they devote to "outside" Internet access services, how much those cost, where arbitrary bandwidth caps are set, and so on. All without any effective regulatory oversight whatsoever. This is *exactly* the anticompetitive scenario that many of us have been warning about for years.
Posted by Erin Mulvaney, 9 May 2012 A Nashville neurosurgeon was pulled off a Carnival cruise suspected of planning to commit a bio-terrorist attack, after a tweet from an impostor account claimed the doctor had a vial of harmful bacteria on board. ... http://blog.chron.com/newswatch/2012/05/neurosurgeon-pulled-off-cruise-after-fake-bioterrorism-tweet/
Ted Samson, Facebook file-sharing could be security, piracy nightmare: Users won't be able to pass along music or .exe files—but infected PDFs and other forms of pirated content are permissible, *InfoWorld* Tech Watch, 11 May 2012
http://www.infoworld.com/t/social-networking/facebook-file-sharing-could-be-security-piracy-nightmare-192959
no iPads, etc... [stripes.com]

rest: http://www.stripes.com/gadgets-using-lithium-to-be-barred-from-overseas-shipments-1.176965

- the USPS website doesn't seem to have any "press releases" or other "recent announcements" menu choice
I like this risk! I would like to see it happen more often.

*The Daily News* (Kamloops, British Columbia, Canada); Thursday, May 10, 2012; p. A2: "ODDITIES Man jailed for accepting call in court DUBLIN, Ireland, via the Associated Press":

Letting your cellphone ring in a courtroom is rarely a good idea. Taking the call is worse. A Northern Ireland man received a brief jail sentence Wednesday after his phone rang. The judge told him to turn it off, but instead he took the call and had a brief chat. The judge ordered 36-year-old Paddy Sweeney behind bars for two hours, then fined him $322 for willfully interrupting the court in Londonderry, Northern Ireland's second-largest city. Sweeney had been watching a civil trial at the time.
Michael Cooney, FBI says malware lurking in hotel room connections, particularly overseas, *Network World*, 9 May 2012

The FBI today warned travelers there has been an uptick in malicious software infecting laptops and other devices linked to hotel Internet connections. The FBI wasn't specific about any particular hotel chain, nor the software involved, but stated:

"Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms. The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products through their hotel Internet connection. Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack. The FBI also recommends that travelers perform software updates on laptops immediately before traveling, and that they download software updates directly from the software vendor's website if updates are necessary while abroad."

The FBI said typically travelers attempting to set up a hotel room Internet connection were presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available. ...

http://www.networkworld.com/news/2012/050912-fbi-internet-259125.html
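The FBI's advice above amounts to "look at the digital certificate before you run a prompted update". As an added illustration (not from the article or the FBI), the following Python parses a Windows installer's PE headers and reports whether it carries an Authenticode certificate table at all and what kind of blob it holds; an "update" that is unsigned, or whose blob is not PKCS#7 SignedData, fails this first triage step before any signer check. It assumes the installer is a PE file, and the sample images it inspects are constructed in the code (placeholder bytes, not a real signature); validating the signer against the vendor's chain still requires a full verifier such as the operating system's own signature check.

```python
import struct

# Constants from Microsoft's PE/COFF specification.
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data-directory slot for the Authenticode table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # body is a PKCS#7 SignedData blob
CERT_TYPES = {0x0001: "X509", 0x0002: "PKCS_SIGNED_DATA", 0x0004: "TS_STACK_SIGNED"}


def inspect_authenticode(data: bytes) -> dict:
    """Locate the Authenticode security directory of a PE installer.

    Returns {'signed': False, 'reason': ...} when no certificate table is
    present, otherwise the WIN_CERTIFICATE header fields and the raw PKCS#7
    bytes. Presence only means the file *claims* a signature; the signer still
    has to be validated against the vendor's certificate chain by a real verifier.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                   # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        nrvas_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        nrvas_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (num_dirs,) = struct.unpack_from("<I", data, nrvas_off)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return {"signed": False, "reason": "no security directory entry"}
    # For this directory the VirtualAddress field is a raw file offset, not an RVA.
    cert_off, cert_len = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_off == 0 or cert_len == 0:
        return {"signed": False, "reason": "security directory is empty (unsigned)"}
    if cert_len < 8 or cert_off + cert_len > len(data):
        return {"signed": False, "reason": "security directory points outside the file"}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    return {"signed": True, "length": dw_length, "revision": revision,
            "type": CERT_TYPES.get(cert_type, f"unknown(0x{cert_type:04x})"),
            "pkcs7": data[cert_off + 8:cert_off + dw_length]}


def build_sample_pe(signed: bool) -> bytes:
    """Constructed sample for testing: a minimal PE32 header with no sections,
    optionally followed by a WIN_CERTIFICATE whose body is placeholder bytes
    rather than real PKCS#7 data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    cert = b""
    if signed:
        body = b"<placeholder PKCS#7 SignedData>"
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        file_off = len(dos) + 4 + len(coff) + len(opt)             # blob is appended at end of file
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, file_off, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for flag in (False, True):
        print(inspect_authenticode(build_sample_pe(flag)))
```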
http://j.mp/Ku8Cau (Wired via NNSquad) "A security researcher has won investments of more than $9 million to incorporate a tightly policed section of the Internet reserved for banks, healthcare providers, and other groups that are regularly targeted in malware, phishing, and similar online attacks." Describing the many reasons why this idea is fundamentally flawed will be left as an exercise for the reader—for now.
More details on the .secure TLD proposal (and why I believe it is fundamentally flawed)
http://j.mp/JlSaLU (This message on Google+)

You may recall my posting yesterday ( http://j.mp/Ku8pEd [Google+] ) where I suggested that the .secure TLD proposal is fundamentally flawed for many reasons. The CTO of the company involved contacted me this morning, pointing at their blog with more details: http://j.mp/JlRXZ2 (Unhandled)

After reviewing this information, which includes their proposals for a broader "domain policy framework," I'm forced to stand by my earlier characterization. I won't get into the technical analysis now, but just point out a few facts.

First, the business model for .secure is obvious enough. I mean, hell, if you're not using .secure, you don't care about your users, right? How can you possibly be "secure" if you're not in ... dot-secure? I'm reminded more than a bit of the model used by the dot-xxx slimeballs to try to coerce firms into that TLD. Not to say that the .secure folks are slimeballs. Nor that they're not genuinely concerned about security. But their model is not realistic -- except as a profit center for them. There are no obvious benefits to be derived from their model for the Internet community at large, and the most likely outcome is yet another replay of the protective registrations rush.

The most common reaction I received yesterday regarding .secure was "LOL" -- but many respondents immediately caught on to one of the most glaring problems with .secure—that it would present an irresistible target for hackers, denial of service attacks, and all manner of other mischief. The concept of .secure is essentially 180 degrees away from the model I believe we should be working towards.
Rather than centralizing security, we need to be distributing it, and doing this effectively means more fundamental changes than new policy frameworks can provide, and certainly cannot take place if we buy into the .secure sort of model.

Lauren Weinstein (firstname.lastname@example.org): http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org
PRIVACY Forum: http://www.vortex.com
Lauren's Blog: http://lauren.vortex.com
+1 (818) 225-2800
I feel well-placed to comment on the article by David Brooks, having recently completed an MSc in Information Security through Royal Holloway, University of London (RHUL) entirely by Distance Learning (DL). I should at this point declare that I am now one of the RHUL DL tutors for the MSc Network Security module, so they do now employ me in a part-time capacity, but it also means that I have seen both sides of the fence - a student and academic staff, in quick succession.

The online program opens up qualifications to people who couldn't afford to go to university full-time, and to mature students like me (pulling 40 with a very long rope :) ) who have a mortgage and bills, families, etc. and couldn't afford time off the corporate treadmill to study full-time. I'm now considering doing a PhD by DL; yes, I am a glutton for punishment :)

There is no question that it is possible to study successfully for a higher-level academic qualification by distance learning and remote lecturing/tutoring. All of my learning materials were provided as hard-copy books, material on CD and access to the lecture material and a discussion area through a 'Virtual Learning Environment' (VLE) based on Moodle. Four online seminars (three on course material and one exam question revision) were held regularly with distance learning tutors to provide advice and help, and to review answers by students to questions set for them.

I think that the biggest risk/challenge is actually ensuring that DL students are studying effectively and understand the material to a high enough standard. I noticed all the way through my student days, and now as a tutor, that less than half the students participate in the seminars and some don't even log in to the VLE, or do so very rarely. I have no statistics for the drop-out rate or pass rate for those DL students who do sit the exams, or pass rates for those who participate on the VLE against those who don't.
I can say that I was an active participant all the way through and it helped me a great deal. David Alexander, Towcester, England.
(Mark E Smith, RISKS-26.81)

Those who control the processes control the declared result. The blank votes, or refusal to vote, can be overcome just like the elections that declare 99% support for dictators.

Roderick Rees, Reliability, Maintainability and Testability B-Q26 425-342-5729
(Mark E Smith, RISKS-26.81)

> The only way to get honest elections is to refuse to vote until we do. If
> you're willing to vote in elections where your vote doesn't have to be
> counted and isn't verifiable, you have no leverage with which to demand
> honest elections. Boycott 2012!

Isn't boycotting to protest exclusion ironic? Not unlike suicide to ease the executioner's burden. Besides litigation, the way to honest elections is to elect or persuade concerned representatives to enact legislation and enforce existing law such as the Voting Rights Act. Such people most certainly do exist, as in the legislative success of the Verifiable Voting Coalition of Virginia [my state] to ban DREs. It's not hard to judge who most resists enfranchisement and least supports accurate vote counts (granted the contrast is nowhere near as much as it should be!). If you don't vote or influence others to vote, you might as well not exist.