In a really egregious piece of so-called journalism relating to the Internet, L. Gordon Crovitz has written an item in the *Wall Street Journal*, 23 Jul 2012, with the above Subject line:

  It's an urban legend that the government launched the Internet. The myth is that the Pentagon created the Internet to keep its communications lines up even in a nuclear strike. The truth is a more interesting story about how innovation happens—and about how hard it is to build successful technology companies even once the government gets out of the way.
  http://online.wsj.com/article/SB10000872396390444464304577539063008406518.html?mod=WSJ_article_comments#articleTabs%article

Crovitz's thesis seems to imply that U.S. Government funding did not have a major role in the development of network technology, with a perhaps not-so-hidden agenda that government funding is an undesirable interference in private enterprise? His article has led to a huge flurry of corrective items on the Web, pointing out numerous misstatements.

To make a long story short, Crovitz seems to confuse The Internet with internetting and networking, confuse internetting with the ethernet, and somehow miss the fact that Vint Cerf and Bob Kahn were first funded by and then worked for ARPA! Hawaii's AlohaNet (Frank Kuo and Norm Abramson) preceded ethernet, also government funded. SRI's packet-switched radio experiment is generally credited as being the first real "internetworking" demonstration, linking 3 different networks (also government funded), and recently celebrated at the Computer History Museum. Without those impeti or impetuses, might we still have only circuit switching and even analog telephony?

(By the way, ARPA also contributed considerably to the pioneering Multics development.)
Joseph Lorenzo Hall noted in Dave Farber's IP distribution that *ArsTechnica's* Timothy Berners Lee penned a superb rejoinder:
  WSJ mangles history to argue government didn't launch the Internet
  http://arstechnica.com/tech-policy/2012/07/wsj-mangles-history-to-argue-government-didnt-launch-the-internet/

Also, see the *Scientific American*: Yes, Government Researchers Really Did Invent the Internet:
  But perhaps the most damning rebuttal comes from Michael Hiltzik, the author of "Dealers of Lightning," a history of Xerox PARC that Crovitz uses as his main source for material. "While I'm gratified in a sense that he cites my book," writes Hiltzik, "it's my duty to point out that he's wrong. My book bolsters, not contradicts, the argument that the Internet had its roots in the ARPANet, a government project."
  http://j.mp/NQtACW (Scientific American)

Lauren Weinstein commented in his Network Neutrality Squad, Privacy Forum, and People for Internet Responsibility, “This Wall Street Journal "opinion piece" really mucked up big time. And the sense of some associated political motivation is difficult to ignore. The fact is, without ARPA/IPTO, there would not be an Internet as we know it today. Period. Other networks would have very likely developed of course, probably along the lines of various pay-per-packet, walled garden modalities that the dominant ISPs seem hell-bent at deploying today—but not the end-to-end ARPANET/Internet model that has been so very crucial to the spread and wide availability of these technologies.”
Security expert Brian Krebs was the target of a malicious e-mail flood. Such attacks are widespread, and can be used to mask all sorts of computer crimes. Various plans are offered beginning at $25 for 25,000 e-mails.

[Cory Doctorow, Commercial Spamflooding used by crooks to tie up their victims at key moments, BoingBoing, 19 Jul 2012; PGN-ed]
http://boingboing.net/2012/07/19/commercial-spamflooding-used-b.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29

[Proponents of voting over the Internet from hardwired or wireless devices tend to ignore such vulnerabilities, along with many others. PGN]
Christine Wong, Think it's too expensive and time consuming to embed 'privacy by design' into your SMB? A security expert and an SMB who've done it tell us how it can be accomplished. *IT Business*, 19 Jul 2012
http://www.itbusiness.ca/it/client/en/home/News.asp?id=68311
> [An obvious next step might be legislation requiring would-be voters to
> cast their votes on Facebook or other social networking media. That would
> clearly solve all our concerns for security, integrity, equal access, and
> privacy? PGN]

Not only that, but this might help solve the chronic problem here in the USA of getting the registered voters to actually vote! We might even get over 100% of the population to vote. Reminds me of my time living in Chicago ...
Oh, they soooo much want this..

A BBC article refers to a bright and wonderful future where cars communicate and thus save fuel and are safer.
(http://www.bbc.com/future/story/20120719-road-opens-for-connected-cars/1)

Security in this context warrants one paragraph, but the article concludes that the rise of the Apps on mobiles should be an indication that an absence of security is not likely to be a hindrance to adoption. Thus, they gloss over a tiny, yet important detail: a breach in this kind of information exchange can get you killed. That's why cars have to be type-certified before they are allowed on the road.

The astute reader will also observe a full and complete absence of any reference to the privacy implications of such an enthusiastic data exchange. The simplest example is "If <all registered inhabitants> are not <at location> then ransack <location>"..

As I have said before in this context, not so fast..
[The subject line says it all. Apparently, signals from the Groton submarine base are blocking garage door openers in southeastern Connecticut—on the same frequency. For more recent RISKS readers, this is a new manifestation of an old story. Previous cases noted here include garage doors opening and closing as Sputnik transited overhead, and President Reagan's Air Force One interfering as well. PGN]
http://news.yahoo.com/navy-radio-might-crippling-conn-garage-doors-183220009.html?_esi=1

Russ Furze, CISSP, Senior Vice President, Chief Information Officer
Frontier Bank FSB, dba El Paseo Bank 760.834.3116
Fred Guterl, *The New York Times*, 20 Jul 2012

So far 2012 is on pace to be the hottest year on record. But does this mean that we've reached a threshold - a tipping point that signals a climate disaster? For those warning of global warming, it would be tempting to say so. The problem is, no one knows if there is a point at which a climate system shifts abruptly. But some scientists are now bringing mathematical rigor to the tipping-point argument. Their findings give us fresh cause to worry that sudden changes are in our future.

One of them is Marten Scheffer, a biologist at Wageningen University in the Netherlands, who grew up swimming in clear lowland ponds. In the 1980s, many of these ponds turned turbid. The plants would die, algae would cover the surface, and only bottom-feeding fish remained. The cause - fertilizer runoff from nearby farms - was well known, but even after you stopped the runoff, replanted the lilies and restocked the trout, the ponds would stay dark and scummy.

Mr. Scheffer solved this problem with a key insight: the ponds behaved according to a branch of mathematics called "dynamical systems," which deals with sudden changes. Once you reach a tipping point, it's very difficult to return things to how they used to be. It's easy to roll a boulder off a cliff, for instance, but much harder to roll it back. Once the ponds turned turbid, it wasn't enough to just replant and restock. You had to get them back to their original, clear state. ...
http://www.nytimes.com/2012/07/21/opinion/the-climate-change-tipping-point.html
A UK train company has been criticised for producing an Olympics 2012 security poster which reads as "gibberish" in Arabic. First Capital Connect sent posters to 13 stations printed in English and seven other languages. But the Council for Arab-British Understanding called the Arabic lettering "ridiculous" and unreadable since the characters are not joined up and are back to front.
http://www.bbc.co.uk/news/uk-england-london-18911599

The posters, which are supposed to warn people not to leave items unattended, have been displayed in stations including Blackfriars, King's Cross, City Thameslink, Farringdon, St Pancras International, Luton and Stevenage.

The lame excuse was "... our supplier substituted one font for another so that the wrong alphabet was used for the Arabic message, rendering it meaningless."

The risk? Perhaps proof-reading by a native speaker would have been an idea.
"The French Supreme Court has ruled that Google should censor the words 'torrent', 'rapidshare' and 'megaupload' from its Instant and Autocomplete search services."
http://j.mp/OKRA66 (*The Register*, via NNSquad)

Here's another word: Ridiculous.
Kay Lazar, *The Boston Globe*, 20 Jul 2012

Approximately 3,900 Beth Israel Deaconess Medical Center patients will be getting letters alerting them that some of their personal health information may have been breached after a physician's personal laptop computer was stolen from a hospital office. The theft occurred on 22 May 2012, and the stolen laptop, which contained a tracking device, has not been recovered. Police were notified and a suspect has been arrested in the case, the officials said. The hospital hired a national forensic firm to investigate if data were compromised, and it has found no indication that any information has been misused, according to the hospital. ...
http://www.boston.com/whitecoatnotes/2012/07/20/patient-information-may-have-been-breached-after-laptop-stolen-beth-israel-deaconess/tgOtdeQBL2QP9JgzsjVn4J/story.html
After two months of availability, Apple has removed a third-party iPhone app from the App Store that informs users about the data being collected by other apps.
http://www.securityweek.com/apple-yanks-privacy-app-app-store

Interesting statistics collected by the app are:
* 42.5 percent of apps do not encrypt users' personal data, even when accessed via public Wi-Fi.
* 41.4 percent of apps were shown to track a user's location unbeknownst to them.
* Almost one in five of the apps analyzed can access a user's entire Address Book, with some even sending user information to the cloud without notification.
Lucian Constantin, *IT Business*, 20 Jul 2012
Mobile and Web security will be major topics at Black Hat
Security researchers will disclose new vulnerabilities affecting mobile and Web technologies at security conference
http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=68327

The article names some of the risks that will be presented.
Ron Leuty, An OK by any other name: Oops! Vivus awaits weight-loss drug approval, even as story breaks; *San Francisco Business Times*, 17 Jul 2012

Nothing stands in the way of a good FDA drug approval story—except, of course, when the drug isn't yet approved. *USA Today* ran a story online Tuesday about Mountain View-based Vivus Inc. winning approval of its weight-loss drug, Qnexa. The story had new details about the drug—like a new name (Qsymia) and when the drug would be available to consumers (later this year)—as well as quotes attributed to President Peter Tam and a photo of Qsymia pills and bottles. Great news, right? After all, the FDA was expected to rule on the drug Tuesday. Except the FDA has not—at least, not yet—approved Vivus' drug.
http://www.bizjournals.com/sanfrancisco/blog/biotech/2012/07/vivus-arena-qnexa-belviq-weight-loss-fda.html
My favorite instance of this problem was back in the Multics days, when we (Bell Labs) had issued a contract to Digitek to produce the first PL/I compiler, for the Multics development. The contract specified delivery in *six* months. (Digitek was a very experienced developer of Fortran compilers.) During the sixth month, a full-page ad appeared in Datamation: "Here and Now: The world's first PL/I compiler." The only problem was that Digitek defaulted on the contract that month. Doug McIlroy and Bob Morris rushed to the fore, and produced the EPL compiler for a subset of the language just powerful enough for the Multics development, and whipped it together in a few months. That may well have been one of the inspirations for GCC.
While the Regulation of Investigatory Powers Act 2000 (RIPA) was passed over a decade ago, the present discussion concerns Part 3, which only came into effect on 1 October 2007. Some of the first actual prosecutions for refusing to supply decryption keys were:

http://www.theregister.co.uk/2007/11/14/ripa_encryption_key_notice/
*Animal rights activist hit with RIPA key decrypt demand*
UK terror law change kicks in

http://www.theregister.co.uk/2009/11/24/ripa_jfl/
*UK jails schizophrenic for refusal to decrypt files*
Terror squad arrest over model rocket

The latter story opens: "The first person jailed under draconian UK police powers that Ministers said were vital to battle terrorism and serious crime has been identified by The Register as a schizophrenic science hobbyist with no previous criminal record. His crime was a persistent refusal to give counter-terrorism police the keys to decrypt his computer file."
Well... the garden-variety laptop computer that I'm typing this on (running Windows 7) has over a million files on it, according to the anti-virus scan log, and I have no idea what most of them are. I've never knowingly stored any files that may get me into trouble, but neither can I tell what gets loaded with updates (see other thread on browsers), and I bought the laptop at a reduced price as 'ex-demonstration' as it had been used in the store before purchase (with the network name TECHSUPPORT already set up!).

So if by some chance I do "have my data examined by the UK authorities" and they do find something questionable, where does that leave me? (And if I didn't have a computer or use the Internet, is that evidence of having something to hide?!?)

As the poster says, it's worth a debate, but personally I feel that people are becoming more likely to have their lives trashed by a heavy-handed criminal investigation than be blown up by terrorists.
> ... resulting in the aircraft receiving 22,300 pounds of fuel instead of
> the required 22,300 kg.

PGN forgot to add "See risks 10.12, 11.16, 17.32, 20.30, 24.13, and especially 10.13".

[Yup, Mark gets to remind me every time I forget. Thanks! PGN]
Gene Wirchenko noted an Apple patent for a transparent scroll bar. The article he linked to starts "Apple on Tuesday was awarded the patent for a transparent-style of scroll bar that disappears when the window is not being used."

I think it was Dan Ingalls who wrote "From the earliest days, Smalltalk used flop-out scroll-bars to economize on screen real estate." So half of the invention was in use before the first Macintosh was built. And Apple certainly knew about Smalltalk.

Pretty much since the Morphic GUI library was developed it has been possible to set the colours of the various components that make up a scroll bar in Squeak Smalltalk; that includes TranslucentColor-s. And Apple certainly knew about Squeak and Morphic. I presume other GUI toolkits let you do the same.

What then _is_ the invention?
I would like to slightly modify Mr Alexanderro's choice: "Security, with as much privacy as possible." as follows:

"Where our privacy (and other liberties) are exposed to official bodies, effective controls (measures) against misuse must be implemented."

Of course the problem of defining "effective" and implicitly also "practicable" and "affordable" remains. However this is now a classic risk management problem. It is still a difficult problem, but hopefully more amenable to discussion and even agreement!