"Facebook users in Washington state will have something else to brag about to their online friends: that they registered to vote on Facebook. The secretary of state's office said Tuesday it will have an application on its Facebook page that allows residents to register to vote and then "like" the application and recommend it to their friends. It's expected to launch as early as next week." http://hosted.ap.org/dynamic/stories/U/US_VOTER_REGISTRATION_FACEBOOK?SITE=CAANR&SECTION=HOME&TEMPLATE=DEFAULT Pay particular attention to the bright idea to get users used to trusting page overlays on Facebook. With "friends" like that.. [... presumably with multiple aliases and personas, as well. An obvious next step might be legislation requiring would-be voters to cast their votes on Facebook or other social networking media. That would clearly solve all our concerns for security, integrity, equal access, and privacy? PGN]
Antone Gonsalves, *InfoWorld*, 13 Jul 2012 Facebook security 'checkpoint' hits user roadblock; Some Facebook users say their accounts were locked when they tried to use the new Malware Checkpoint service https://www.infoworld.com/d/security/facebook-security-checkpoint-hits-user-roadblock-197716
Stephen Lawson, *InfoWorld*, 13 Jul 2012 Passwords leaked from Yahoo: Boozy, preachy, angry—and easy; The account passwords taken from a Yahoo database reveal much about users, good and bad https://www.infoworld.com/d/security/passwords-leaked-yahoo-boozy-preachy-angry-and-easy-197696
After the Bitcoinica exchange for the Bitcoin cryptocybercurrency was hacked in May, they changed all their passwords but they did not change an uncompromised password they used on another system. Unfortunately that password was the same as one of the compromised passwords. Oops. About USD$350,000 gone. http://siliconangle.com/blog/2012/07/16/bitcoinica-cant-catch-a-break-recent-breach-hemorrhages-40000-btc/
Don't forget your units, programmer dudes. http://en.wikipedia.org/wiki/Metrication#Accidents_and_incidents ... ran out of fuel in mid-flight. The incident was caused, in a large part, by the confusion over the conversion among litres, kilograms, and pounds, resulting in the aircraft receiving 22,300 pounds of fuel instead of the required 22,300 kg. ... approximately 10 - 12% of bridge strikes involved foreign lorries. This is disproportionately high in terms of the number of foreign lorries on the road network.
Summary: A former secretary successfully changed her daughter's grade from an F to an M and her son's grade from a 98 to a 99. She used the school district's superintendent's password to pull off the deeds. 45-year-old Catherine Venusto allegedly changed her children's grades by using passwords she obtained while working for their school district. She was charged with three counts each of unlawful use of a computer and computer trespass. The former secretary was arraigned Wednesday on a half-dozen felony counts and released on $30,000 unsecured bail, court records show. State police say she admitted changing the grades, and while she agreed her actions were unethical, she didn't think they were illegal. ... [Source: Emil Protalinski, ZDNet, 19 Jul 2012] http://www.zdnet.com/mom-accessed-school-system-110-times-to-change-kids-grades-7000001230/
Summary: Following the recent slew of attacks against various websites that resulted in millions of user accounts being compromised, comes this little statistic: fraudsters traded 12 million pieces of personal information online in just Q1 2012. In Q1 2012, fraudsters traded 12 million pieces of personal information online, or a 200 percent increase over 2010. Most people were unaware their identity had been stolen until they were denied access to something. Identity theft victims commonly experience refusal of loans or credit cards (14 percent), debts being run up in their name (9 percent), refusal of mobile phone contracts (7 percent), and being chased by debt collectors for money they do not owe (7 percent). ... [Source: Emil Protalinski, ZDNet, 19 Jul 2012] http://www.zdnet.com/online-identity-theft-up-200-since-2010-7000001170/
Summary: This year's Summer Olympics are less than two weeks away. That means you should already be wary of scams and spam heading your way. Be sure to remind family and friends to avoid e-mails and websites claiming you've won something related to the Games. Source: Emil Protalinski, ZDNet, 18 Jul 2012 http://www.zdnet.com/warning-scams-surrounding-2012-olympics-have-already-begun-7000001151/
Christine Wong, *IT Business*, 17 Jul 2012 GPS watch to keep tabs on kids, seniors could hit Canada by autumn; A U.S. startup is marketing the watches as back-to-school items. It's also keeping a close eye on Canadian Eric Migicovsky's Pebble watch story. http://www.itbusiness.ca/it/client/en/Home/News.asp?id=68279 What kid is going to want to be tracked 24-7? "Oh, I left it in my locker." Or aesthetics. "Suzie's was a nicer colour, so we traded."
In RISKS-26.92, Peter Houppermans linked to a *New York Times* article about the FDA tracking email sent by its scientists. Mr Houppermans' submission included this: Note that the FDA has come up with a new "crime": people are guilty of RECEIVING confidential information. The article does not say the FDA considered it a crime, and the phrase he puts in quotes does not appear anywhere in the article. The article mentioned some people "were suspected of receiving confidential information," which is very different from what Mr Houppermans implied.
Crime of receiving confidential Info? Re: Peter Houppermans, RISKS-26.92, noting that the FDA has come up with a new "crime" - that of being "guilty of RECEIVING confidential information", an obvious thought: Couldn't Julian Assange and WikiLeaks have fun with that! For that matter, is there anyone in the country who is not already guilty?
[I received several complaints about the cited item in the previous issue. Actually, it was not submitted to RISKS, but when I saw it elsewhere, I thought it was worth including as a heads-up either for a bad policy, or a very bad / perhaps inaccurate / misguided piece of so-called journalism. The SUBJECT line was mine, including the question mark. PGN]
I have just read the item in the link about encryption law in the UK. Oh dear. I'm sorry but this is scaremongering and sloppy journalism of the very worst sort. The Regulation of Investigatory Powers Act 2000 (RIPA) has been in effect for over 10 years, and to my knowledge there hasn't been a single instance in which a miscarriage of justice of this sort has occurred. Contrary to popular belief the Criminal Justice Organizations in the UK do have access to expert and competent advisors in this field. We have a National Technical Authority that does know about these matters and isn't afraid to consult external experts if appropriate. I can tell you that, before this law came into effect, there was a case of a suspected paedophile who had his data seized, under correct forensic procedures, and the CJOs couldn't break the encryption used to protect it. The person in question refused to divulge the key and had to be released. There is no doubt that RIPA has contributed materially to the safety of the citizen and state in the UK from terrorist and organized criminal activity. As far as I am concerned there is a wholly justifiable case to be made for this legislation and no sane, responsible individual can possibly argue otherwise. The phrase "You can have security or privacy. Pick one." is very emotive and requires qualification about the people who have control and oversight, but it's a good debating point. My choice is "Security, with as much privacy as possible." Let's keep this in proportion, more than 99.999% of the population will never have their data examined by the UK authorities.
I can't vouch for other nation states, and can understand why Americans are so touchy when abuses of power of this nature (e.g., the FDA spying item in Volume 26 issue 92 of the Risks List) are identified on a regular basis but please judge us in the UK by your standards. In the interest of fairness and objectivity, I should say that other areas of the RIPA do appear to have been abused by local authorities in the UK. Some surveillance powers appear to have been used for the purposes other than that for which they were originally intended. Debate is going on about how to fix that right now.
A minor clarification: this election wasn't for any national or regional political unit. It was an election for members of a community-owned trust which in turn owns half of the local power utility. TECT is the Tauranga Energy Consumer Trust, which is a part owner of energy utility TrustPower. It's still an unforgivable, and easily prevented, snafu, all the same - but our NZ government is not at stake here, just the board of a local power company. Gregor Ronald, Christchurch, New Zealand http://gregorronald.blogspot.com/
On the gripping hand, many of the webpages I consider actually useful will still work in lynx or mosaic. Whereas search for "software updates" in RISKS yields "zombieware", "distributes malware", and "a menace and a problem", to pick a few. Thank you Microsoft for Windows 7, specifically for intercepting all 3rd party auto-updaters and letting me click "No" whenever firefox wants to wrap itself in yet another layer of bloat. I hope they'll add "remember my answer and do this automagically from now on" check box in Windows 8, then I will upgrade my PC to stop it from automatically upgrading (at least some parts of) itself. Dimitri Maziuk Programmer/sysadmin BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu
Normally, I might agree with Jonathan, but this isn't just a browser issue. He is blithely assuming that newer browsers are better browsers, and that all progress is "forward" progress. I've noticed that with every browser "update", the browser gets noticeably slower & bigger, and noticeably more vulnerable to unpleasant hacking: there's usually a flurry of 5-10 fixes for each new update to fix all the new security flaws that the "update" introduced. Many of the browser "updates" also appear to enhance the ability of websites to spy on their visitors with new capabilities. Also, the browsers on many older machines are no longer updated—e.g., older Macs, phones, etc., so this is effectively a disenfranchisement of those with older machines. I've been forced to use "NoScript" to run with Javascript _normally disabled_, and only selectively enable Javascript on the smallest subset of sites that enables minimal functionality. In particular, Google's Javascript cleverness is so annoying that I have had to block Javascript on all of Google's sites. All of Adobe's & Symantec's bloatware have been removed from my machines, as 95% of their code does nothing for me but open up huge security holes. I have to manually disable "automatic updates" (aka "automatic virus installers") on each and every program; among other things, these "updates" appear to be for the sole purpose of turning their stupid & often dangerous default settings back on (e.g., Apple iTunes). I have to disable the camera & microphone at the operating system level to deter some spyware; I suppose on the next generation of Windows, I'll have to physically destroy the camera & microphone with my power drill before starting to use the machine. Virtually every "improvement" has its downside: look at the swath of damage caused by the "autorun" feature of Windows that begs for the opportunity to install a new virus every time you plug something into your machine.
Henry, You cannot defeat the inexorable tide of progress in computer hardware and software. You may not view it as progress, but in that view you are in a small minority, and that is not likely to change. The vast majority of users who are using very old browsers are not doing so because of carefully considered concerns about security. They are doing so because they haven't bothered to update for whatever reason. Because they have not taken the precautions you have taken to make their old browsers secure, they are vulnerable. There are a lot more of them than there are of people like you. Therefore, in terms of measuring the greatest good for the greatest number of people, forcing people to upgrade their browsers is clearly a net positive. As for your point about "disenfranchising" users of old computers, I don't hear anybody complaining that it's unfair that you can't get any decent software for the Apple ][+ nowadays. Hardware becomes obsolete, and as the pace of advances in hardware has increased, the pace of its obsolescence has as well. As I started with, you can't fight progress and expect to win.
From an economic point of view, the evolution and roll-out of new browsers is a bane on the existence of web developers. It costs companies real money in terms of rewriting perfectly good code to take advantage of the latest bells and whistles that *someone* in the company thinks the web site should have or support. The old site will support the new browsers fine with no changes. From a progress point of view, the resources spent taking advantage of new features for no other reason than that those features exist raises the question, "Is this progress, or is this just change?" All of the new browsers support everything the old browsers do. If you want to save money, add content, not bling. The economic problem is not supporting old browsers, but trying to take advantage of every new feature of every new browser that comes along. I use an old browser. I know all of the keyboard shortcuts. I know what click does, what shift-click does, what shift-ctrl-click does, etc. I'd be wasting a lot of my own time constantly learning how to use new browsers, and, more importantly, trying to forget years worth of old habits. You are free to write your site in a way that requires new browsers. I am free to go elsewhere. If you have a site, you probably want people to use it. Why drive people to your competitors?
The cited article misses the point. To many American people, privacy is not the main issue. Rather they perceive our own government and big business as the primary risks. In the name of cybersecurity, the fox is asking for the keys to the hen house. It sounds less controversial to say that we are concerned about privacy, than to say that government is the problem, not the solution.
This is patentable? Mark Hattersley, Apple wins patent for transparent scroll bar: Apple has secured a patent to a major interface design motif in the ongoing patent wars, *IT Business*, 18 Jul 2012 http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=68298
The ordinary people, who are the democratic majority, want local civil time - LCT - to be 24 hours of 60 minutes of 60 seconds per mean solar day. They can tolerate seasonal clock changes, and time zone changes when traveling. They can have no rational objection to the occasional sub-ppm-scale change in the length of a civil second. Scientists - physicists and astronomers in particular - need a numbered scale of exact SI seconds, without separation into minutes, hours, days, etc. The answer, then, is to disseminate, in principle from BIPM/BIH, both the SI seconds scale and, every few months, the duration to be used, in integer SI nanoseconds, for the civil second. That announced figure will be used for an integer number of GMT months, changing at GMT month turnover. Let us say at the beginning of each quarter- or half- GMT year. Effectively, leap seconds are issued in tiny pieces, once per civil second. Engineers of all sorts can use one or the other of those scales, or if essential generate whatever variety their profession needs - they are clever enough to do it. The electronics needed to lock GMT to SI in that fashion should be within the capability of any National time lab, any major observatory, any GMT disseminator - and could be provided commercially. Those who disseminate LCT would include time zone and summer time contributions for the locality. http://www.merlyn.demon.co.uk/ http://www.merlyn.demon.co.uk/programs/ Dates - miscdate.htm estrdate.htm js-dates.htm pas-time.htm critdate.htm etc.
Excerpted from Teaching After The Test: An argument for a national school schedule http://scienceblogs.com/gregladen/2012/05/16/teaching-after-the-test-an-arg/ From another teacher at a different school I heard a horror story about a bunch of students who, part way through the two day long state test, pressed the wrong button and are now locked out of finishing the rest of it having only done half. (One of those "Are you done, click continue to end test OK to continue test?: OK, Continue, Cancel" dialogs where "OK" means you are done and "Continue" you are—no wait, I have that backwards.)