The RISKS Digest
Volume 26 Issue 88

Monday, 4th June 2012

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Malicious E-Mail Attachment on Olympics Making Internet Rounds
Nicole Perlroth via Monty Solomon
Cyber search engine Shodan exposes industrial control systems to new risks
Robert O'Harrow Jr. via Lauren Weinstein
Microsoft Emergency Bulletin: Unauthorized Certificate in "Flame"
Johannes Ullrich via Lauren Weinstein
Online Courses Can Offer Easy A's via High-Tech Cheating
Jeffrey R. Young via Dave Farber
Facebook takes baby steps toward kids' social network
Robert X. Cringely via Gene Wirchenko
Fighting Sign Pollution in Florida With Robocalls
Robbie Brown via Monty Solomon
Re: Future Internet Architecture: Content-Centric Networking ...
Scott Brim
Re: iCloud user tracks down iPhone thief using photo stream
Geoff Kuenning
Re: "Siri *ab*use"
Dag-Erling Smørgrav
Re: Telemarketing Calls Keep Mounting Up, Along With Consumer Irritation
Geoff Kuenning
John Stanley
Re: Yet another Leap Year issue
John Stanley
Re: "Court warns on jurors' Web use"
George Ross
Info on RISKS (comp.risks)

Malicious E-Mail Attachment on Olympics Making Internet Rounds

Monty Solomon <monty@roscom.com>
Sat, 2 Jun 2012 21:24:30 -0400
  (Nicole Perlroth)

Nicole Perlroth, *The New York Times*, 30 May 2012

Olympics enthusiasts: You may want to think twice before opening that PDF
e-mail attachment of the 2012 Olympics schedule.  On Tuesday, researchers at
F-Secure, a Helsinki, Finland-based security firm, discovered a malicious
PDF file has been making the rounds on the Internet. The file, which
purports to be a schedule of the 2012 London Olympics, is actually a decoy
file which creates a backdoor between the user's computer to a Web site
registered to "student travel" in Baotou, China. ...

http://bits.blogs.nytimes.com/2012/05/30/olympics-themed-threat-makes-rounds-on-the-internet/


Cyber search engine Shodan exposes industrial control systems to new risks

Lauren Weinstein <lauren@vortex.com>
Sun, 3 Jun 2012 21:03:17 -0700
  (Robert O'Harrow Jr.)

  "Matherly and other Shodan users quickly realized they were revealing an
  astonishing fact: Uncounted numbers of industrial control computers, the
  systems that automate such things as water plants and power grids, were
  linked in, and in some cases they were wide open to exploitation by even
  moderately talented hackers."  [Robert O'Harrow Jr., *The Washington
  Post*, via NNSquad] http://j.mp/KZTZvg

Let's get this straight.  Search Engines don't expose industrial control
systems to risks.  The poorly secured control systems do that *to
themselves*.  Don't blame the messenger!


Microsoft Emergency Bulletin: Unauthorized Certificate in "Flame"

Lauren Weinstein <lauren@vortex.com>
Sun, 3 Jun 2012 19:11:52 -0700
  (Johannes Ullrich)

  "Microsoft just released an emergency bulletin, and an associated patch,
  notifying users of Windows that a "unauthorized digital certificates
  derived from a Microsoft Certificate Authority" was used to sign
  components of the "Flame" malware."  http://j.mp/KZG1to [Johannes Ullrich,
  SANS via NNSquad]


Online Courses Can Offer Easy A's via High-Tech Cheating

Dave Farber <farber@gmail.com>
Sun, 3 Jun 2012 15:46:45 -0400
  (Jeffrey R. Young)

Technology - The Chronicle of Higher Education, 3 Jun 2012
http://chronicle.com/article/Online-Courses-Can-Offer-Easy/132093/

Easy A's may be even easier to score these days, with the growing popularity
of online courses. Tech-savvy students are finding ways to cheat that let
them ace online courses with minimal effort, in ways that are difficult to
detect.

Take Bob Smith, a student at a public university in the United States. This
past semester, he spent just 25 to 30 minutes each week on an online science
course, the time it took him to take the weekly test. He never read the
online materials for the course and never cracked open a textbook. He
learned almost nothing. He got an A.

His secret was to cheat, and he's proud of the method he came up with --
though he asked that his real name and college not be used, because he
doesn't want to get caught. It involved four friends and a shared Google
Doc, an online word-processing file that all five of them could read and add
to at the same time during the test.

More on his method in a minute. You've probably already heard of plenty of
clever ways students cheat, and this might simply add one more to the list.
But the issue of online cheating may rise in prominence, as more and more
institutions embrace online courses, and as reformers try new systems of
educational badges, certifying skills and abilities learned online. The
promise of such systems is that education can be delivered cheaply and
conveniently online. Yet as access improves, so will the number of people
gaming the system, unless courses are designed carefully. ...



"Facebook takes baby steps toward kids' social network"

Gene Wirchenko <genew@ocis.net>
Mon, 04 Jun 2012 14:18:52 -0700
  (Robert X. Cringely)

Robert X. Cringely, *InfoWorld*, 4 Jun 2012
Facebook's real goal: selling games to tweens and teens, but the move
could make Facebook safer and better overall, if done right
http://www.infoworld.com/t/cringely/facebook-takes-baby-steps-toward-kids-social-network-194782

"Cringely" covers some of the obvious risks.


Fighting Sign Pollution in Florida With Robocalls (Robbie Brown)

Monty Solomon <monty@roscom.com>
Sat, 2 Jun 2012 22:56:14 -0400

Robbie Brown, *The New York Times*, 2 Jun 2012

In Florida, they are as much a part of the landscape as palm trees and
oceanfront hotels: plastic signs cluttering roadsides with messages like "We
Buy Houses!" "Junk Cars!" and "Avoid Foreclosure!"  But now, worried about
the impact on tourism and the state's natural beauty, some coastal
communities have begun aggressive campaigns against the signs - by
robocalling the advertisers' phone numbers.

"It's the only crime I know of where a person deliberately leaves their
phone number behind," said Mayor Peter Bober of Hollywood, which uses
computer software to call the phone numbers, up to 20 times per day, until
offenders pay a $75 fine. "They want us to call.  So let's call. And keep
calling."

Think of it as fighting one nuisance with another. The advertisements, known
as snipe signs, are illegal in many Florida communities on public property
like highway medians or telephone poles. But they are also cheap to print
and hard to eradicate.  After years of removing the signs by hand, officials
in Hollywood, Oakland Park and St. Johns County recently turned to
robocalling.  Other cities say they are considering the option. ...

http://www.nytimes.com/2012/06/03/us/in-florida-fighting-sign-pollution-with-robocalls.html


Re: Future Internet Architecture: Content-Centric Networking ...

"Scott Brim" <scott.brim@gmail.com>
Jun 2, 2012 7:21 PM
   (MacFie, RISKS-26.87)

  [From Dave Farber's IP distribution.  PGN]

> Don't bittorrent magnet links do this already?

There are several levels and times at which you can do this sort of thing.
For example:

- DNS: the name is mapped to an IP address - early binding to a location.

- Magnet links, if I understand correctly: like DNS, but with just in time
  binding to where they direct you.

- Directors of various sorts: the IP address is essentially virtualized,
  referring to one of several possible servers.  Early binding to the server
  group, late binding to the actual server.

- Layers 4 and above deal only with a "service id". An IP option is inserted
  in the packets, to be read by special middleboxes that guide the packet in
  the right direction (how they determine the right direction, and cache
  such information, is orthogonal) - medium to late binding.

- Layers 4 and above deal only with a service id.  A shim below Layer 4 maps
  the service id to an IP address of the next smart middlebox.  Late
  binding.

- IP addresses are eliminated entirely, and packets are routed only on
  "interest" names.  There is never a binding to an IP address.

It seems to me that people's preferences for different layers and binding
times depend on the time frame of deployment they are interested in.


Re: iCloud user tracks down iPhone thief using photo stream (26.86)

Geoff Kuenning <geoff@cs.hmc.edu>
Sun, 03 Jun 2012 21:40:27 -0700

  [Geoff and Andrew Douglass thought this private reply to Geoff from
  Andrew might be RISKS-worthy, so I am including it here.  PGN]

Here's what Andrew said:

I erred by including too many hypotheticals, distracting from the central
issues of (1) can you spy and (2) if so, with what scope? Does it matter
whether the target is the thief? What if the thief is innocent (maybe you
mistakenly accuse them of having bought the thing with a bad check).

I think you could very well get in civil and criminal trouble for violating
their privacy under existing law, but I've seen no mention of
this. Certainly it would be a 4th amendment issue if law enforcement did
it. Even if you have a privilege to poke around (self-help or whatever)
obviously it should be a minimal intrusion. Caveat snoop.

You're right about good-faith purchasers—they take no title. That doesn't
open them to privacy rape. I was just trying to get readers away from the
vapid criminals-have-no-rights perspective.


Re: "Siri *ab*use" (Solomon and Wirchenko, RISKS-26.86)

Dag-Erling Smørgrav <des@des.no>
Mon, 04 Jun 2012 12:00:48 +0200

Peter Houppermans <peter@houppermans.com> writes:
> Siri has been on my "list of things to avoid" pretty much from before
> I obtained the new iPhone.  [...]  An iPhone doesn't have the local
> power to process voice commands, so it sends them to a US hosted service.

The same goes for Android's voice search feature, which is annoyingly
easy to trigger by accident.  Luckily, it is also easy to disable:
Settings -> Apps -> All -> Google Search -> Disable


Re: Telemarketing Calls Keep Mounting Up, Along With Consumer Irritation

Geoff Kuenning <geoff@cs.hmc.edu>
Sun, 03 Jun 2012 20:55:22 -0700
  (Alina Tugend)

For many years now, my outgoing answering-machine message has begun with the
Service Interruption Tone: the three rising beeps that you get when you dial
a seriously bogus number.  For obvious reasons, most telemarketing
autodialers are programmed to delete a number from their database when they
encounter that tone.

The result is that we get fewer than one telemarketing call per week; the
primary offenders are local construction companies who appear to be dialing
by hand.  (The rate goes up during election season, but even then it's not
too bad.)

The only downside is that a *very* few legitimate callers will hang up at
the tone rather than waiting long enough to hear our familiar voice say
"Hello, you've reached the Kuennings."  But it hasn't really been a problem.

Google for "sit.wav" (with or without quotes) to download the tone so you
can add it to your own answering machine.

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/
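For readers who would rather build the tone than download one: the following is an added example, not part of Geoff's post or of any sit.wav found on the Web. It synthesizes the three rising beeps of a Special Information Tone as a telephone-grade WAV file using only the Python standard library. The frequencies (913.8, 1370.6, 1776.7 Hz) and segment lengths (274, 274, 380 ms) are my recollection of the North American "Intercept" SIT, the one played for a disconnected number; they are an assumption, not something stated in the digest, so check them against the relevant standard before relying on them. The dominant_frequency helper is a crude zero-crossing check, included only to confirm that each generated segment actually carries the frequency it was meant to.

```python
import math
import struct
import wave

# Tone definition: (frequency in Hz, duration in seconds) per segment.
# ASSUMPTION: these are my recollection of the "Intercept" SIT; the digest
# gives no numbers, so verify them before depending on them.
SIT_SEGMENTS = (
    (913.8, 0.274),
    (1370.6, 0.274),
    (1776.7, 0.380),
)
SAMPLE_RATE = 8000  # telephone-grade sampling rate, 8 kHz mono
AMPLITUDE = 0.5     # fraction of full scale; leaves headroom against clipping


def sit_samples(segments=SIT_SEGMENTS, sample_rate=SAMPLE_RATE, amplitude=AMPLITUDE):
    """Return the SIT as a list of 16-bit signed PCM samples.

    Each segment is a pure sine at its frequency. A 5 ms linear fade at the
    start and end of every segment avoids the clicks that abrupt transitions
    would produce, which a tone detector might otherwise misclassify.
    """
    samples = []
    fade = int(0.005 * sample_rate)
    for freq, seconds in segments:
        n = int(round(seconds * sample_rate))
        for i in range(n):
            envelope = 1.0
            if i < fade:
                envelope = i / fade
            elif n - i <= fade:
                envelope = (n - i) / fade
            value = amplitude * envelope * math.sin(2 * math.pi * freq * i / sample_rate)
            samples.append(int(round(value * 32767)))
    return samples


def write_sit_wav(path, samples=None, sample_rate=SAMPLE_RATE):
    """Write the samples as a mono 16-bit PCM WAV file; return the frame count."""
    if samples is None:
        samples = sit_samples()
    with wave.open(path, "wb") as wav:
        wav.setnchannels(1)
        wav.setsampwidth(2)
        wav.setframerate(sample_rate)
        wav.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return len(samples)


def dominant_frequency(samples, sample_rate=SAMPLE_RATE):
    """Estimate the frequency of a single-tone block by counting zero crossings.

    A real SIT detector uses filters or a Goertzel algorithm; this is only a
    sanity check that the generated segment is at the intended pitch.
    """
    crossings = sum(1 for a, b in zip(samples, samples[1:]) if (a < 0) != (b < 0))
    return crossings * sample_rate / (2.0 * len(samples))


if __name__ == "__main__":
    count = write_sit_wav("sit.wav")
    print("wrote sit.wav: %d frames (%.3f s)" % (count, count / SAMPLE_RATE))
```

Prepend the resulting sit.wav to the outgoing greeting exactly as Geoff describes; the total tone is under a second, so the cost to legitimate callers is small.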


Re: Telemarketing Calls Keep Mounting Up, Along With Consumer Irritation

John Stanley <stanley+risks@peak.org>
Mon, 4 Jun 2012 12:11:30 -0700 (PDT)
   (Solomon, RISKS-26.87)

> Readers told me that the Do Not Call Registry seemed to work just fine at
> blocking calls when it began in 2003 and for several years after that.

It is a misconception that the DNC list blocks anything. The DNC list is
nothing more than that: a list. Marketers are required to search the list at
least every 31 days and drop from their own calling lists any number they
find on the federal list, after considering any of the multitude of
barn-door-wide exceptions.

The system worked well for awhile because the phone service providers and
telespammers had not yet deployed the systems that allow a phone spammer to
display any information they want to via caller ID. Now that a crook hawking
his "cheaper credit card rates" can pretend to be calling from "Illinois" or
"Florida" (two of the recent caller ID 'ids' I've seen from these people)
and display a completely fictitious number, there is very little that a
consumer can use to make a complaint to the FTC.


Re: Yet another Leap Year issue (Duncan, RISKS-26.87)

John Stanley <stanley+risks@peak.org>
Mon, 4 Jun 2012 11:57:26 -0700 (PDT)

This is not a leap-year issue; it is putting off a mission-critical
operation until the very last minute.  That is a human failure, not a
computer failure.

There was a 180-day window for filing; the decision was made to wait until
day 180, which turned out to be day 181. There are any number of reasons why
paperwork can be delayed by a day, so anyone who waits until the very last
day is inviting failure. Blaming it on a day planner, either computerized or
manual, is ridiculous.

Failure to plan is planning to fail, I think the saying goes.


Re: "Court warns on jurors' Web use" (Valencia, RISKS-26.87)

George Ross <gdmr@inf.ed.ac.uk>
Mon, 04 Jun 2012 13:29:20 +0100

That's not new.  For example

   http://www.bbc.co.uk/news/uk-england-beds-bucks-herts-16676871
   ("Juror Theodora Dallas jailed for contempt of court")

   http://www.bbc.co.uk/news/uk-england-beds-bucks-herts-16742365
   ("Juror who researched defendant refused leave to appeal"—same case)

   http://www.bbc.co.uk/news/uk-15939922
   ("Juror faces contempt proceedings over 'case research'"—same case)

   http://www.bbc.co.uk/news/uk-16101533
   ("Lord Chief Justice warns juries over Internet research")

   http://www.bbc.co.uk/news/uk-13792080
   ("Facebook juror sentenced to eight months for contempt")

   http://www.bbc.co.uk/news/uk-england-south-yorkshire-12632587
   ("Sun and Daily Mail in contempt over online gun photos")

   http://news.bbc.co.uk/1/hi/england/kent/4270957.stm
   ("Retrial after jury web page found")

   http://news.bbc.co.uk/1/hi/scotland/1628431.stm
   ("Judge details Beggs 'Internet ruling'")

the last of these being from 2001.

George D M Ross MSc PhD CEng MBCS CITP, University of Edinburgh,
Informatics, 10 Crichton Street, Edinburgh, Scotland, EH8 9AB  0131 650 5147
