Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
[Thanks to D Kross] California nurses report that Epic's EMR devices are endangering lives as reported in the linked report: http://www.mercurynews.com/breaking-news/ci_21313174/contra-costas-45-million-computer-health-care-system?refresh=no
Arriving at 4 million Facebook friends, Southwest Airlines offered them half-price tickets. Unfortunately, hundreds of customers were billed multiple times for each flight booked—in at least one case, 20 times for a $69 ticket. The problem was discovered around 5pm on 3 Aug 2012. Complaints apparently mushroomed because of the backlog of callers, and resulted in a flurry of Facebook postings!!! [AP item PGN-ed] http://www.sfgate.com/nation/article/Southwest-glitch-causes-multiple-billings-3763192.php http://www.freep.com/article/20120805/BUSINESS07/120805005/Southwest-says-computer-glitch-caused-ticket-woes
Rocco Parascandola and Tina Moore, *New York Daily News*, 8 Aug 2012 [PGN-ed] The NYPD is starting to look like a flashy, forensic crime TV show thanks to a new super computer system unveiled Wednesday near Wall St. The Domain Awareness System designed by the NYPD and Microsoft Corp. uses data from a network of cameras, radiation detectors, license plate readers and crime reports, officials said. Commissioner Ray Kelly says system is able to access information through live video feeds and allow cops to get reading on radioactive substances. Cops were involved with the programmers throughout the process, earning the city its cut of the proceeds. Mayor Bloomberg: "We're not your mom and pop police department anymore, We are in the next century. We are leading the pack." The system, which cost somewhere between $30 and $40 million to develop, could also help pay for itself with the city expecting to earn 30% of the profits on Microsoft sales to other city's and countries. http://www.nydailynews.com/new-york/nypd-unveils-new-40-million-super-computer-system-data-network-cameras-license-plate-readers-crime-reports-article-1.1132135
By Taylor Armerding, *InfoWorld*, 15 Aug 2012 The man-in-the-browser attack using a Trojan has compromised the VPN at a major hub http://www.infoworld.com/d/security/citadel-exploit-goes-after-weakest-link-airport-employees-200150
[Thanks to Ira Rimson for spotting this one. PGN] Is the FAA *really* capable of dealing with tech progress? "Multilateration"? (From aero-news.net, 18 Aug 2012): *Hacker Says NextGen Is Vulnerable To Attack* 'Ghost Planes' Could Appear On Your ADS-B-Equipped EFIS Every time new technology comes along, someone somewhere begins an effort to see how it can be compromised, manipulated, and sometimes even destroyed. And apparently NextGen is no exception. In a story appearing on NPR, a Canadian computer hacker named Brad Haines said that the data transmitted by ADS-B is unencrypted and unauthenticated. Those are bad words in the computer security world. Haines, who is known in the online community as RenderMan, found he could "spoof" the signals and make your TIS see airplanes where there are none. Haines imagined a scenario where a hacker suddenly added 50 "ghost airplanes" to an ATC screen. He said that such an attack could make a pilot swerve to miss airplanes that aren't there, or potentially shut down an airport. An hours worth of disruption at a major airport could have ripple effects that could spread worldwide, he said. Haines and another hacker named Nick Foster created an ADS-B spoof using the FlightGear flightsim game. They say if they had hooked the game up to a low-power transmitter, they could have convinced controllers that they were an actual airplane. The experiment has reportedly been duplicated in France. Both Haines and the French hacker ... Romanian grad student Andrei Costin ... have published papers and made presentations about their work. The U.S. Air Force has expressed concerns about the potential for "spoofing" NextGen. One cyberwarfare student ... Maj. Donald McCallie ... wrote in a paper last year that NextGen is "on a collision course with history." The FAA has reportedly not yet released the results, or even initial data, from its own security tests. It has been mostly quiet on the reports coming from the Air Force and the hackers. In a one-paragraph statement, the FAA said that an "ADS-B security action plan identified and mitigated risks and monitors the progress of corrective action. These risks are security sensitive and are not publicly available." The FAA told NPR that it will use a system called "multilateration" to discriminate between real and fake airplanes on ADS-B receivers. But the system requires multiple receivers analyzing every ADS-B signal.
A questioner in David Einstein's column in the *San Francisco Chronicle* today (20 Aug 2012) was a victim of Live Security Platinum. He/she wondered (rather naively?) why LSP was able to get by the questioner's collection of Norton Security Suite and Constant Guard (provided free by Comcast) plus the free version of Malwarebytes Anti-Malware and Microsoft Security Essentials, adding that the damage was so bad that the repair center techie suggested the only solution was to wipe the hard drive and start over (with which David Einstein disagrees). Does it surprise any RISKS readers that the anti-malware folks cannot keep up with new malware? Or that their free tools actually might detect novel malware? Furthermore, this is not just a case that suggests that we should always look a gift horse in the mouth. The same questions seem to apply to non-free tools. By the way, the horse is out of the barn, irrespective of how much it costs.
You may recall that the morning the Feds shut down their sanitized / redirected DNS servers that were helping to minimize the effects of the "dns-changer" virus, the NYC transit authority Metrocard Vending Machines were offline during the morning rush hour. A lot of us wondered whether this was related. I FOIAled the Transit Authority for their story. The reply is scanned in at: http://www.dburstein.com/images/nyctransit-102.png They claim "a shortage of cpu processing cycles", without explaining why that happened. So it just might, or might not be, related to DNS changer... Further insights appreciated... [Cursors, FOIAled again! PGN]
answer: you send a trooper... "Collom, who also did not have land or cell service, was notified of the situation when an Isabella County Sheriff's Deputy went to her home to alert her of the problem" [a] - the ILEC (incumbent telco) phone switch hiccuped last night. This knocked out very roughly half the landline service in the area, PLUS some of the cell-cos (conflicting reports as to exactly what was out, since if you hit a tower ten miles away you were ok. Looks like two of the three were clobbered in town. Don't know about their data services). Oh, and killed off the ILEC's DSL internet. The CLEC (independent telco) facility was still ok - yes, we're one of the few areas with a true "overbuild" of telco lines. And the "cable" tv and internet lines did ok. - oh, and this also shut down the main lines to the "911 dispatch center". Sigh. - isn't this where they're supposed to round up all the deputies and buffs, and station their pickup trucks every half mile? But wait, there's MORE. The town here has a local, municipal, radio transmitter which kicks out traffic and related info, and also.. rebroadcasts the National Weather Service station. The NWS "All Hazards Radio" is a *key* portion of the national emergency backbone. It's used for both local issues such as tornadoes, and would be called into action for some super serious and critical disaster scenarios (as in nuclear missile detection). The city's transmitter was just a mess of static. I figured this was simply that it had hiccuped on its own or that it had lost its own feed. I then tried tuning in the NWS station directly. Nothing. their transmitter is only a couple of miles from me. - I was able to pick one up from about 40 miles away, but there's nothing nearby. - As I've mentioned before, the NWS/NOAA/All Hazards Radio is a *key* emergency communications channel, both for local issues (such as tornadoes) and for those really ugly cold war scenarios. They're supposed to withstand *anything* short of a direct nuclear ground strike. Ok, I'm exaggerating. But still, they are very much counted on. To lose one of them for something this mundane is quite disturbing. - NOAA's web page does, kindly enough [b], advise that the transmitter is "out of service" [a] http://www.themorningsun.com/article/20120718/NEWS01/120719712 [b] http://www.nws.noaa.gov/nwr/stations.php?State=MI
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=68439 Christine Wong, *IT Business*, 1 Aug 2012 Cloud security dos and don'ts after the latest Dropbox breach; Here's what businesses and consumers can do to protect themselves from a security breach like the latest one at Dropbox. Dropbox acknowledged this week that thousands of its users had spam sent to other accounts that were linked to their Dropbox accounts. An investigation found that a Dropbox employee had his password stolen for a non-Dropbox account. The thieves then used that password to hack into his Dropbox account, which contained a document with Dropbox user email addresses in it. Those email addresses were used to send massive spam messages to accounts owned by Dropbox users. It was the second serious security breach reported at Dropbox. Just over a year ago, the company accidentally turned off its password authentication system, allowing anyone to access Dropbox user files without a password.
Turnabout is fair play? Jaikumar Vijayan, ComputerWorld, InfoWorld, 15 Aug 2012 Security vendor exposes vulnerabilities in DDoS rootkit Prolexic says the information is designed to help enterprises mitigate attacks http://www.infoworld.com/d/security/security-vendor-exposes-vulnerabilities-in-ddos-rootkit-200148
Lukasz Lindell, 13 Aug 2012 Have you heard the phrase "That's true because I saw it on TV" at some point? It was often the truth in the old days when people only had the TV or newspaper to relate to. What you saw or read was the truth, although it obviously wasn't always so. Today, thanks to the Internet, we consider ourselves much more enlightened. We can discuss and examine the source in a way that was not possible in the past. But are we really aware of all information flowing up over the net? What is really true and what's not? When someone presents a bit of loose facts on Twitter, I usually respond with something like "64% of the facts on the Internet is 48% incorrect according to 52% of respondents", completely made up numbers out of my head, but it makes people think a little extra. It is somewhat disturbing at times when the bandwagon takes of and speeds up, without people being critical. People stand up for situations that may never have happened, and spin on it that ultimately results in what will be treated as facts, or faktoids. We wanted to test this, how easy is it to spread disinformation? ... http://day4.se/how-we-screwed-almost-the-whole-apple-community/
Howard Solomon), *IT Business*, 1 Aug 2012 http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=68433 The number of Canadians who could be victims of one of the country's biggest losses of personal data could hit four million, according to a privacy official. (The initial number of data loss was thought to be 2.6 million ) Policy called for data put on portable devices to be encrypted. Not only wasn't that done, after the loss was reported the agency gave staff two more data sticks to use with orders to encrypt data—and again that wasn't done. "On what planet do you do the same thing again?" a frustrated Cavoukian asked reporters. In fact, she added, the staff thought encrypting data meant it was to be zipped, or compressed.
Lucian Constantin, *ComputerWorld*, 29 Jul 2012 Researcher creates proof-of-concept malware that infects BIOS, network cards; New Rakshasa hardware backdoor is persistent and hard to detect http://www.computerworld.com/s/article/9229758/Researcher_creates_proof_of_concept_malware_that_infects_BIOS_network_cards IDG News Service - Security researcher Jonathan Brossard created a proof-of-concept hardware backdoor called Rakshasa that replaces a computer's BIOS (Basic Input Output System) and can compromise the operating system at boot time without leaving traces on the hard drive.
Lucian Constantin, IDG News Service, *InfoWorld*, 6 Aug 2012 Nvidia Unix driver 304.32 addresses a privilege escalation vulnerability that can grant local users root access http://www.infoworld.com/d/security/nvidia-releases-unix-driver-fix-high-risk-vulnerability-199424 Nvidia releases Unix driver to fix high-risk vulnerability. Nvidia confirmed the existence of the vulnerability and released version 304.32 of the Nvidia Unix driver for Linux, FreeBSD and Solaris operating systems in order to address it. The new version also includes other changes that the company believes will prevent similar exploits in the future. However, despite the new release, the company still offers version 295.59 [the vulnerable version] as primary download on its Unix drivers page.
A short item in today's free *Daily Post* (self-declared `No. 1 in Palo Alto and the mid-Peninsula') reports that a flaw in Apple's iPhone OS for SMS messages permits senders to enter a reply-to other than the From: line. Is that new news to any of you? (Apple's response is to use its iMessage service rather than SMS.) By the way, you may realize that it was utterly trivial for me to edit the address fields in this message *before* sending it to RISKS. Nobigdeal. But is it from me? Who knows? You want integrity in received e-mail? As Scott McNealy once said about privacy, fuggetaboutit. The spammers and scammers of the world seem to be winning. PGN
Robert X. Cringely, *InfoWorld*, 15 Aug 2012 Fictional Apple screws, phony *New York Times* editorials, bogus sources—is anything on the Net not a fake? http://www.infoworld.com/t/cringely/todays-internet-all-the-fake-news-thats-fit-publish-200172 My favourite sentence: "Gaming the media seems to have become the second-most popular attraction on the Internet besides porn." The conclusion: "We are rapidly approaching a point where no one is credible and nothing can be believed. When you can no longer separate fact from fiction or reality from propaganda, the media simply becomes a megaphone for whoever can shout the loudest. That's a dangerous place to be." [And for those of you who think Robert X. Cringely is a real person responsible for lo these many items noted in RISKS, a little browse'll do ya. PGN]
Somini Sengupta, *The New York Times*, 11 Aug 2012 Las Vegas. Bruce Schneier ordered a Coke, no ice, at the Rio casino on a Saturday afternoon. I ordered Diet Coke, also no ice, and handed the bartender an American Express card. He said he needed to see proof of identity. Credit cards are often stolen around here, and eight casino workers had recently been fired for not demanding ID, he quietly explained. The bartender wanted to keep his job. Mr. Schneier, 49, is a student of interactions like this, offline and on. He is a cryptographer, blogger and iconoclast in the world of computer security, and his latest subject of inquiry is trust: how it is cultivated, destroyed and tweaked in the digital age. Offline, he likes to point out, we have ways to establish trust, as in this casino, where we expect the bartender to serve us a soda, not a poisoned chalice. We establish trust based on how we speak, whether we appear drunk or deranged, whether we meet at a casino or a toy store - and also, irrationally, on attributes like race and age. Online, this becomes even more complicated, Mr. Schneier argues. We no longer think twice about letting our friends see our vacation pictures on Flickr, now owned by Yahoo. So habituated have we become to revealing intimate details, Mr. Schneier writes, that we forget that Facebook, the company, can read our missives at any time, potentially forever. Mr. Schneier is in charge of technology security at BT, the British telecommunications company. His latest book, "Liars and Outliers: Enabling the Trust That Society Needs to Thrive," published earlier this year by Wiley, is filled with foreboding: less about technology than about the vulnerability of the heart and mind. ... http://www.nytimes.com/2012/08/12/sunday-review/bruce-schneier-an-avatar-of-digital-distrust.html
> ... how convenient is that, conspiracy theorists? But you can still see a > description of Abraxas' Tr[a]pWire technology here, at the USPTO. [missing link added] http://tdr.uspto.gov/jsp/DocumentViewPage.jsp?76610388/SPE20060927110512/Specimen/7/26-Sep-2006/sn/false#p=1
> Lawyers, on the other hand, who probably got into law because they hated > math and computers, have not had the computer as strict task-master to > teach them the humility of following errant logic to its mostly bitter > conclusions. You mean like Judge Alsup, overseeing the Oracle v Google lawsuit? Who is, I believe, a PhD Maths graduate. And when Oracle argued that RangeCheck was "oh so valuable" said that he had spent a morning writing it ten different ways, including learning Java so he could write a version in that language. If you follow cases on Groklaw, you rapidly learn that, unlike in other countries, it is very difficult in the US to sanction lawyers for being an idiot. As a result, they tend to make idiotic arguments without any fear of the consequences. In the UK, with its habit of awarding "attorney fees" as a matter of course, silly arguments tend to get knocked on the head by the client as a matter of course. They don't want to have to pay the bill for the other side to refute it!
Building a radio system is so 1920's. Why have a separate single-hop radio system each purpose when we could provide resilient IP coverage that makes it easy to take advantage of any available path? That seems so obvious but ... and as a bonus we wouldn't be limited to predefined interconnections. As long as we continue to make telecommunications a profit center we require assuring that no bits are exchanged unless they are billed for. This funding model must, by necessity be brittle otherwise people would just shun the expensive paths. The term "shun" comes from "shunpike" for people who bypassed toll roads in the heyday of (not for profit) private pikes. More on the policy stuff in http://rmf.vc/PACTLess for those interested.
I want to emphasize Henry's point that this is not necessarily a software problem as such. It seems more a matter of hubris—the same hubris that lets traders bet trillions of dollars on complex derivatives that few, if any, understand. And history has shown those that do think they understand will wind up being wrong at some point. Perhaps programmers have some responsibility for telling their managers that or policies. Understanding the risks should be part of basic literacy but, perhaps, programmers are more aware (or at least, as Henry noted, they should've learned humility) because they fail often and should expect failures. But trying to educate those who see programmers as hired hands might not be a good career move. Saying that we need AI or "hundreds of eyes" to recognize unusual patterns misses the point—you can't anticipate all possibilities especially algorithms and procedures that interact with other systems that one does not control nor may even be aware of. Instead one has to expect failures and deal with them in stride. Sure big trades bring big returns and an adrenalin rush. And, after, all, to many traders it's only a game. It could be worse—we could privatize all public insurance programs such as healthcare and social security on the assumption that each individual could make the right choice about the unknowable future.
I think your proposal is great, and easily implementable. I'd like to support this. Is there a forum to do so? If GMT is defined as currently (Solar), ST (Science Time) is just a timezone. Leap seconds (NOT nanosecond steps !) can be distributed by the normal timekeeping mechanisms ( I regularly get timezone file updates on my Ubuntu en windows systems as well, and leap seconds can be known a year in advance). All timeservers in the world could keep dispersing GMT, no change. Local machines can (in batch mode, converting time in past and future) use the normal timezone converters, with timezone ST. Local machines can (in background mode) use the normal locking of clocks, internally using zone ST. Actually, including the additional time zone ST in linux and windows would be relatively easy to do. This would mark a first simple step. Reading http://www.merlyn.demon.co.uk/leapsecs.htm#TF I would not use NGMT, as update tables are hard, but rather GMT
At least it did not happen on a real tombstone... When my mother had passed away last year, the tombstone maker had trouble generating an inscription which matched the one on my father's stone, who had died 12 years earlier. The reason was that the computerized drawing program he was using could not control precisely the size of blanks! Luckily he was aware of the pitfalls and worked hard to overcome the problems; I can imagine someone else could just as well hit the "print" button to cast their errors in stone. PGN asked: > Did the inaccurate spacing result in changing the meaning? > You kind of left me wondering what the literal content was... No, it was just a matter of formatting, to make the new stone look the same as the old one (which was set by hand). In this case, just hitting the "print" button would only have created bad typesetting, but the encounter with this system made me realize that what had happened in the TV episode could have actually happen on a real tombstone.
Please report problems with the web pages to the maintainer