Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Human error is being blamed for the TECT election blunder where 10,000 election packs were sent to old or incorrect addresses. [Why did the database have old or incorrect addresses in it in the first place? - CJB] An error in setting the parameters in establishing the TECT election voter database resulted in the error, estimated to cost about NZ$80,000. TrustPower spokesman Graeme Purches says: “the search parameters used when separating eligible voters from the company's everyday database had not been broad enough. It was just a human error, simple as that. It was for a purpose that we don't normally use it for.'' [Using casual NZ-speak for dumbing down the snafu - CJB] he continued: “It involves going into the system and setting a bunch of parameters. The person who did it didn't set the parameters correctly and then the thing wasn't tested.'' [Er - what's a 'bunch of parameters' - ah - yes 'search constraints.'] He added: “This is a request that happens once every two years, so somebody was doing something they don't normally do as part of their job and, unfortunately, we didn't have the checks and balances in place to make sure it was done absolutely correctly.'' [Nothing like a trial run then? -> CJB] http://www.sunlive.co.nz/news/28228-human-error-caused-tect-botchup.html
A absolute classic example of what can happen if surveillance isn't very tightly controlled, the FDA's attempts to find an insider leak came off the rails in a way that will be costly in both financial and human terms. http://www.nytimes.com/2012/07/15/us/fda-surveillance-of-scientists-spread-to-outside-critics.html?_r=1 http://j.mp/PURO0p "In Vast Effort, F.D.A. Spied on E-Mails of Its Own Scientists Eric Lichtblau and Scott Shane, *The New York Times*, 14 Jul 2012 A wide-ranging surveillance operation by the Food and Drug Administration against a group of its own scientists used an enemies list of sorts as it secretly captured thousands of e-mails that the disgruntled scientists sent privately to members of Congress, lawyers, labor officials, journalists and even President Obama, previously undisclosed records show." This is exactly the scenario I offer those who think they have nothing to hide: after abuse of intercept capability, the second risk is not what people in an official capacity see (it's their job), it's what happens when that information escapes into the wild through malice or incompetence. The privilege of the ability to violate the basic human right to privacy to fight crime must be guarded jealously and should only be exercised with oversight. The question "what do you have to hide" is in my opinion reserved for those who seek to avoid accounting for their call on that privilege. Note that the FDA has come up with a new "crime": people are "guilty of RECEIVING confidential information". Unbelievable.. Peter Houppermans, President, Private & Confidential Group (PnCG), Switzerland
http://j.mp/NaSQDz (ars technica) "Examination of a certificate chain generated by a Cyberoam DPI device shows that all such devices share the same CA certificate and hence the same private key," TOR researcher Runa A. Sandvik wrote in a blog post published last Tuesday. "It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device-or to extract the key from the device and import it into other DPI devices, and use those for interception." Someone commenting on the post went on to publish the purported private key used by the Cyberoam certificate. Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren People For Internet Responsibility: http://www.pfir.org Network Neutrality Squad: http://www.nnsquad.org
(Lucian Constantin) Lucian Constantin, *InfoWorld*, 9 Jul 2012 Cyberoam issues a hotfix for UTM appliances after the default private key used for SSL traffic inspection gets leaked online http://www.infoworld.com/d/security/cyberoam-fixes-ssl-snooping-hole-in-network-security-appliances-197299
Interesting analysis, in that many people don't understand the implications of the loss of privacy *or* of the nonexistence of meaningful cybersecurity. http://nationaljournal.com/daily/privacy-trumps-cybersecurity-poll-shows-20120710
FitBit is a personal pedometer in a tiny package. Also records your sleep. Connects wirelessly through a very modest "base station" connected by USB to your computer. The wireless connection is ANT 2.4GHz from Nordic, and ANT FS file protocol. Your FitBit data is harvested anytime you are near your base station, sent to their Cloud (a web site) for your inspection. Page displays your data and last sync time. I became suspicious when I found my data was updated when I hadn't been near my base station and computer. As just confirmed by the manufacturer at fitbit.com, every FitBit pedometer syncs through any base station that it happens to encounter. Unless the whole transaction is encrypted, Eve could watch the the communications stack or use the APIs to configure a base station to harvest this data. Risk: Not much in this specific case; my pedometer data isn't very sensitive, but I am more concerned that others might know exactly when I went to sleep, got up, and how many times I awoke during the night. What if a manufacturer of a richer device adopted the same practice? Your contacts or worse, visible to any Eve who wants to collect data?
In The UK, You Will Go To Jail Not Just For Encryption, But For Astronomical Noise, Too http://j.mp/Sf2EwT (Falkvinge via NNSquad) "There was some surprise in the comments of yesterday's post over the fact that the United Kingdom has effectively outlawed encryption: the UK will send its citizens to jail for up to five years if they cannot produce the key to an encrypted data set."
Didi Tang, *CIO Today*, July 12, 2012 [via Dave Farber's IP] At the same time Russia is increasing Internet censorship, so is China. China Tightens Up Online Video Censorship http://www.cio-today.com/news/China-To-Censor-Online-Video-Content-/story.x=html?story_id=030002R9QVAU If you run a video web site in China, you now have a daunting task: Screen all your content and censor out anything questionable before posting. Regulators say video providers should bear responsibility for web programs, though it did not offer specific standards or mention penalties for online providers who fail to comply.
(Brendan Sasso) Brendan Sasso, *The Hill*, 12 Jul 2012 http://thehill.com/blogs/hillicon-valley/technology/237515-fcc-chief-blasts-russia-for-passing-internet-censorship-bill Julius Genachowski, chairman of the Federal Communications Commission (FCC), issued a statement late Wednesday slamming Russia for passing a bill that would allow the government to blacklist certain websites. He said the country had moved in a "troubling and dangerous direction." "The world's experience with the Internet provides a clear lesson: a free and open Internet promotes economic growth and freedom; restricting the free flow of information is bad for consumers, businesses, and societies," he said. The FCC chief explained that he recently attended an economic forum in Russia where he discussed how expanding broadband Internet access can grow a country's economy and improve education, health care and government services. He argued that a free and open Internet is essential to meeting those goals. "I believe this legislation will stifle investment in broadband and impede innovations that could advance Russia's promising Internet economy," Genachowski said. The Russian Duma, its lower house of Parliament, approved the controversial bill unanimously on Wednesday. The measure would give the government the power to force site owners and Internet providers to shut down blacklisted sites. Supporters of the bill say it is aimed at curbing child pornography and sites that promote drug use or suicide. But critics warn it is attempt to stifle political dissent in a country where the government already owns the television stations. The Russian Wikipedia blacked itself out earlier this week in protest, warning the bill would create the Russian version of China's "great firewall," which allows the government to filter Internet content.
Drew Fitzgerald, Yahoo Passwords Stolen in Latest Data Breach, *Wall Street Journal*, 12 Jul 2012 Yahoo Inc. said it is investigating a data breach that allowed a hacker group to download about 453,000 unencrypted user names and passwords in another black eye for the Internet company. The Sunnyvale, Calif., company said Thursday that the compromised user information belongs to Yahoo Voices, a self-publishing service once known as Associated Content. A hacking organization called D33Ds Co. posted the stolen data on its website and appended a note describing the download "as a wake-up call and not as a threat." The group said it aims to expose Yahoo's vulnerabilities. Yahoo said that less than 5% of the Voices accounts had still-valid passwords, though the file disclosed email addresses from hundreds of thousands of users. Some people registered for the Yahoo service using email addresses from other services such as AOL Inc. and Google Inc.'s Gmail, neither of which were hacked. But with users' Yahoo Voices passwords exposed online, those users who shared passwords across several websites could still see other accounts compromised. Yahoo said in an emailed statement that it is fixing the vulnerability that led to the data breach. The company also said it is changing affected users' passwords and notifying companies with accounts that might have been compromised. Constellation Research analyst Ray Wang said Yahoo apparently fell prey to an extremely common kind of database attack that most companies typically take steps to combat. ... http://online.wsj.com/article/SB10001424052702304373804577522613740363638.html
American Express called me today to discuss an issue with my (corporate) card. They left a voicemail message telling me to call them back. The number they gave was different than the number on the back of my card. I called it, and the first thing I heard was a recorded voice asking me to enter my credit card number. I hung up and called the number on the back of the card. It turns out the call was legitimate, but it could just have easily been a social engineering attempt to get my AmEx card number and other data. It's distressing that AmEx, which really should know better, is too stupid to understand that they should not be conditioning their customers to call random telephone numbers based on nothing more than a generic voicemail message. "Please call the number on the back of your card" would be a far better idea.
The company has an official statement: http://www.bigbayboom.com/wp-content/uploads/2012/07/BBBFS-Garden-State-News-Release-July-11-2012.pdf "Before the two files are loaded into each of the five computer controllers, the primary and the secondary file are merged through the software to create a new file that is then loaded into each of the controllers. During the downloading process, an unintentional additional procedural step occurred in the loading process which allowed the creation of an anomaly that 'doubled' the primary firing sequence. The primary sequence then consisted of a sequence that would fire the entire display simultaneously and then proceed to fire the display in the proper sequence." I wonder what that additional procedural step was? Shaky fingers on control-v paste?
There was a substantial exchange of INFORMED professional comment on this incident in the Rumours and News forum of www.pprune.org about two weeks ago - including detailed consideration of the consequences of failure of each of the three hydraulic systems or combinations of them. The original newspaper report is stronger on passenger reports than on hard facts. The professionals did manage to worm out that the crew probably managed to bring one of the "failed" systems back into use before landing (it isn't clear on the limited information available if a second system had actually failed or just overheated as a consequence of the first one's failure). Professional opinion also included the possibility that the passenger nausea was only to be expected in flying a tight holding pattern over hot dessert for three hours, perhaps with yaw stabilisers off-line due to the failure. It's an interesting story and no doubt, since it is in civil aviation and in the USa, we will one day read a full and accurate account/diagnosis of what happened - unlike in most IT disasters - but I've learned over a year or so of consulting PPrune that media accounts like this need to be taken with a pinch of salt - or reviewed by professionals - I'm sure Martin Thomas would agree! Roger Hird <rl.hird@orpheusmail.co.uk> http://roger.hird.orpheusweb.co.uk
Things do indeed go wrong in technology: and this is why it is *essential* to have systems in place to mitigate such failures. The RBS fiasco is a result of two independent, and utterly inexcusable, failings by RBS management *in addition to* the original failure: (1) No means to backtrack an update and restore the system to its original state. It is essential before undertaking any update to a critical system that there should be a means to quickly restore the system, in case of unexpected problems. Not having such a restore function is an inexcusable failure on the part of RBS management. (2) No disaster recovery in place. OK, so your update has rendered a critical system inoperable and you stupidly forgot to implement a system to restore it. There are many potential disasters which can render critical systems inoperable: so disaster recovery systems are essential. Not having a working disaster recovery system is an inexcusable failure on the part of RBS management. Note that customers will be reimbursed for the cost of fines and fees: i.e. the bank will graciously waive the fees *they* would have charged for problems *they* have caused, but they are refusing to pay any compensation for the problems they have caused. So there is no incentive for the bank to spend any money on system restore features or disaster recovery in the future. So we can expect similar failures to occur again. STRL Reader in Software Engineering and Royal Society Industry Fellow martin@gkc.org.uk http://www.cse.dmu.ac.uk/~mward/
As mentioned, UK media have had little technical detail but a tsumani of finger-pointing and pontification (accidents don't happen by accident nowadays, someone always has to be blamed and punished!), though one report commented that historically, British bank branches only opened 9am-3pm Monday-Friday, thus giving plenty of time overnight for processing each day's transactions, and whole weekends for software updates. Nowadays bank branches are open during normal retail store hours and many customers handle their accounts on-line, so banking runs 24/7, hence any hold-up quickly creates a huge backlog of data to be processed.
Comment from a Brit: and if you have the block in place but attempt to access barred sites, is this also recorded? What nobody's really explained is how 'unsuitable' web sites are to be identified and blocked; people talk as if ISP sysadmins just have to uncheck the box marked "allow pornography" and we're safe... I haven't actually done any research here (!), but presumably 'unsuitable' (who decides?) web sites don't always have distinguishing features, so blocking would have to work on a similar basis to spam e-mail filters (e.g. Bayesian), with the same hit-and-miss success rates. The large telecomms company where I used to work had a commercial web filter facility which was laughable in its effectiveness (though in this case it was probably intended more to avoid embarrassing "Employees Download Porn With Company Computers" headlines than protect workers' sensitivities), but each filter 'hit' warning screen had a reminder that the attempt was recorded for possible disciplinary action. (Allegedly in the early days it only used URLs so could be circumvented with the IP address of a banned site.) Incidentally, a woman columnist in the newspaper described her concern at discovering that her husband spent much time on the website http://modelingmadness.com/, which turned out to be about his hobby of scale models of World War 2 fighter aircraft, rather than glamorous women...
Mark Thorson is "disturbed" by a retailer charging an extra fee for users who make purchases using IE7. I am more sanguine. * From an economic point of view, the continued use by many people of extremely old browsers is a bane on the existence of web developers. It costs companies real money in terms of increased development, QA and maintenance time on their web applications. * From a progress point of view, the resources spent supporting old, buggy browsers lacking many of the features of modern ones could otherwise have been spent progressing application technology in useful ways, and thus the continued existence of very old browsers in the user space hampers forward progress. * From a security point of view, while it's true that new vulnerabilities are being identified and patched in modern browsers every day, there are surely also many vulnerabilities in the old, obsolete browsers, and those _aren't_ being patched. Thus, it seems to me that their users are overall more vulnerable to threats than users of modern browsers. (On the other hand, this is merely my personal theory / impression; I concede that one could just as easily argue that attackers don't bother as much to go after really old browsers, and many newly exploited vulnerabilities are in technologies that don't exist in old browsers.) The small-l-libertarian and free-market-capitalist in me says that if this particular retailer has decided that the "IE7 fee" makes economic sense for them, they're perfectly within their rights to impose it, and their customers are perfectly within their rights to shop elsewhere if they don't approve.
"Requirements for UTC and Civil Timekeeping on Earth"
A Colloquium Addressing a Continuous Time Standard
to be held at the University of Virginia, Charlottesville, VA
May 29-31, 2013, http://futureofutc.org
This is a successor to the meeting "Decoupling Civil Timekeeping from Earth
Rotation" held in October 2011, with proceedings available from the American
Astronautical Society (http://www.univelt.com/book=3D3042).
In January 2012, a proposal to redefine Coordinated Universal Time (UTC)=
without leap seconds was discussed at the Radiocommunication Assembly of the
International Telecommunication Union (http://youtu.be/C-2UqYW9SEs).
Decision was postponed to the 2015 RA pending study of the issue. This
meeting will explore the underlying engineering requirements for civil
timekeeping.
Meanwhile the leap second at the end of June 2012 triggered bugs in the
Linux kernel:
http://landslidecoding.blogspot.com/2012/07/linuxs-leap-second-deadlocks.html
While it may not have lived up to the hyperbole ("leap second crashes half
the Internet" - not the half I was using at the time, and no reported issues
from my organization) this points up risks on one side of the issue. These
risks would have been mitigated by more extensive testing of kernel updates,
and by installing the updates that were tested. Google had a completely
different framework for handling the issue:
http://googleblog.blogspot.com/2011/09/time-technology-and-leaping-seconds.html
It will be interesting to see what lessons were learned for future leap
seconds.
However, redefining UTC would also present risks:
http://www.cacr.caltech.edu/futureofutc/2011/preprints/01_AAS_11-660.pdf
We welcome abstracts from diverse communities, with the goal of clarifying
the nature of the problem space before entertaining solutions.
Rob Seaman, National Optical Astronomy Observatory http://futureofutc.org
Please report problems with the web pages to the maintainer