Why the revolution will not be tweeted; Twitter and Facebook didn't create the Egyptian revolution. But Silicon Valley's belief they did shows the smug, ethnocentric blindness that's damaging the technology industry, *InfoWorld*, 17 Feb 2011 http://www.infoworld.com/d/the-industry-standard/why-the-revolution-will-not-be-tweeted-753 selected text:

Paul Revere galloped from Charlestown to Lexington on that famous night in 1775. He couldn't have done it without his horse, so did that mean the American Revolution was really the "horse revolution"? That's silly, of course. But calling the Egyptian revolution the "Facebook (or Twitter) revolution" is just as misguided, and it's a symptom of our ethnocentric habit of viewing the world through the prism of the American experience or, in the case of Egypt, American technology. There's no doubt that Twitter and Facebook were tools the mostly young Egyptian rebels used to good effect. But that's all they were: tools. After all, the revolution continued, and intensified, when those tools were disabled by the Egyptian government's shutdown of the Internet. Yet we in the media and the technology industry are absolutely convinced that it couldn't have happened without social networking. As New Yorker magazine author Malcolm Gladwell puts it: "Where activists were once defined by their causes, they are now defined by their tools." Exactly.

The blind spot that puts the American tech industry at risk

If that blind spot extended no further than to foreign news events, it would be crippling enough. But the emergence of the developing world as a key market, supplier, and competitor makes that occluded vision all the more dangerous, and yet another reason why it's so difficult for us to compete against countries such as India, China, South Korea, and Singapore.
It's worth noting, for example, that Asia now accounts for 20 percent of world software revenue; when that's added to Europe's 36 percent share, the American market is a minority, according to a study by Pierre Audoin Consultants. The middle class in those countries is growing rapidly, and like the Horatio Alger story of old, many of those newly prosperous people are pulling themselves up by their bootstraps. Still, in the popular discourse, it doesn't seem to matter how much logic can be brought to bear: We're convinced that Twitter and Facebook are the engines of everything because they are ours. We invented them, we own them, we know how to use them. They must be important. Such thinking isn't so different from that of the product manager who can't find Singapore on a map and wonders why he can't sell anything in that country or strike a deal with a supplier there. Looking at the world as if it were a shadow of the United States is foolish and shortsighted, as well as a recipe for failure. It is all too easy to consider others as being lesser versions of oneself. U.S. people are rather prone to this, but it can strike anywhere.
[From CRYPTO-GRAM, 15 Feb 2011. PGN] A UK immigration officer decided to get rid of his wife by putting her on the no-fly list, ensuring that she could not return to the UK from abroad. This worked for three years, until he put in for a promotion and—during the routine background check—someone investigated why his wife was on the no-fly list. Okay, so he's an idiot. And a bastard. But the real piece of news here is how easy it is for a UK immigration officer to put someone on the no-fly list with *absolutely no evidence* that that person belongs there. And how little auditing is done on that list. Once someone is on, they're on for good. That's simply no way to run a free country. http://www.cnbc.com/id/41372870 http://www.loweringthebar.net/2011/02/immigration-officer-puts-wife-on-the-no-fly-list.html or http://tinyurl.com/4qghpxg http://www.dailymail.co.uk/news/article-1351937/Immigration-officer-fired-putting-wife-list-terrorists-stop-flying-home.html or http://tinyurl.com/67ofkgo
My commuter train was 90 minutes late on Wednesday evening (2/16/11). Here's why: GPS Blamed For Car On Tracks Hit By Train, 17 Feb 2011 http://www.10news.com/news/26899033/detail.html A 63-year-old Oklahoma woman in San Diego to visit her son narrowly escaped injury when her rental car became stuck on train tracks thanks to bad directions she received from the vehicle's GPS feature. The rented 2009 Hyundai Accent was struck in the rear by a Coaster train at 3298 Kettner Blvd. around 7:20 p.m. 15 Feb 2011, according to San Diego County sheriff's Sgt. Darrell Strohl. It was wet and dark outside, and the GPS directed the woman to turn left onto the railway, which she believed was a street, he said, adding that the car became stuck on some gravel.
cell phone use http://j.mp/gJDb6G (City Business) But the man objected when federal prosecutors moved to make his sentence longer for use of a computer. Prosecutors argued his cellphone qualifies as a computer under the definition in federal law. U.S. District Judge Richard Dorr agreed, sentencing Kramer to 14 years in prison, a term that the judge said was more than two years longer than he otherwise would have imposed. Kramer appealed, arguing he only used his phone to make calls and send text messages, so it shouldn't be considered a computer. But a three-judge panel of the St. Louis-based 8th Circuit upheld the sentence, finding the federal definition of computer is broad enough to encompass cellphones.
Kate Murphy, *The New York Times*, 16 Feb 2011 http://www.nytimes.com/2011/02/17/technology/personaltech/17basics.html You may think the only people capable of snooping on your Internet activity are government intelligence agents or possibly a talented teenage hacker holed up in his parents' basement. But some simple software lets just about anyone sitting next to you at your local coffee shop watch you browse the Web and even assume your identity online. "Like it or not, we are now living in a cyberpunk novel," said Darren Kitchen, a systems administrator for an aerospace company in Richmond, Calif., and the host of Hak5, a video podcast about computer hacking and security. "When people find out how trivial and easy it is to see and even modify what you do online, they are shocked." Until recently, only determined and knowledgeable hackers with fancy tools and lots of time on their hands could spy while you used your laptop or smartphone at Wi-Fi hot spots. But a free program called Firesheep, released in October, has made it simple to see what other users of an unsecured Wi-Fi network are doing and then log on as them at the sites they visited. Without issuing any warnings of the possible threat, Web site administrators have since been scrambling to provide added protections.
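The "added protections" the article alludes to are, on the server side, serving the session over HTTPS and marking the session cookie so a browser never sends it over plain HTTP. The following is an added example (not code from the article, from Firesheep, or from any site it names): a small auditor that parses Set-Cookie headers and reports session-looking cookies that lack the Secure or HttpOnly attributes. The sample headers, the cookie-name heuristics and the function names are this example's own constructions.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie
off an unencrypted Wi-Fi link. Added example; sample data is constructed."""

# Substrings that usually indicate a cookie carries a login session.
# This heuristic is an assumption of the example, not a standard.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")

# Attributes a session cookie should always carry:
#   Secure   - browser only sends it over HTTPS, so it never appears on the wire in clear
#   HttpOnly - page scripts cannot read it, limiting theft via injected script
REQUIRED_ATTRS = ("secure", "httponly")


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into the cookie name and a
    lower-cased attribute map (value-less flags map to an empty string)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return {"name": name.strip(), "attrs": attrs}


def looks_like_session(cookie_name: str) -> bool:
    """True when the cookie name suggests it identifies a logged-in user."""
    lowered = cookie_name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_set_cookie(headers):
    """Return (cookie_name, [missing attributes]) for every session-looking
    cookie that is not fully protected. Non-session cookies are skipped."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not looks_like_session(cookie["name"]):
            continue
        missing = [a for a in REQUIRED_ATTRS if a not in cookie["attrs"]]
        if missing:
            findings.append((cookie["name"], missing))
    return findings


# Constructed sample headers, as a server might emit them after login.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",        # no Secure: sent in clear over HTTP
    "auth_token=xyz789; Path=/; Secure; HttpOnly",  # fully protected
    "PHPSESSID=q1w2e3; Path=/",                  # neither attribute
    "theme=dark; Path=/; Max-Age=31536000",      # not a session cookie, ignored
]

if __name__ == "__main__":
    for name, missing in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

Run against real response headers, any line in the output is a cookie that a passive listener on the same unencrypted network could capture and replay; the fix is to set both attributes and redirect the whole site to HTTPS, since Secure only helps if the site actually serves the session over TLS.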
"At the Non-volatile Systems Laboratory we have designed a procedure to bypass the flash translation layer (FTL) on SSDs and directly access the raw NAND flash chips to audit the success of any given sanitization technique. Our results show that naively applying techniques designed for sanitizing hard drives on SSDs, such as overwriting and using built-in secure erase commands is unreliable and sometimes results in all the data remaining intact. Furthermore, our results also show that sanitizing single files on an SSD is much more difficult than on a traditional hard drive." http://nvsl.ucsd.edu/sanitize/ Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us
http://www.irs.gov/efile/article/0,,id=218049,00.html : "Can I electronically file using Free File Fillable Forms if my address is in a foreign country? No, if the address on Form 1040, Form 1040A or Form 1040EZ is in a foreign country you will not be able to electronically file your return." So junior/aka/bozo/aka/me fills in his mom's address. And gets hit with a hefty Illinois tax bill.
Ted Samson, Feds wrongly links 84,000 seized sites to child porn; Homeland Security overshoots as it takes down popular mooo.com domain alongside child porn sites, *InfoWorld*, 17 Feb 2011 http://www.infoworld.com/t/regulation/feds-wrongly-links-84000-seized-sites-child-porn-966 Imagine, if you will, that you're a respectable, law-abiding owner of a small business. You show up to your shop one fine morning only to find the doors barred and a big sign in the front window reading, "The Federal government has seized this business as it's affiliated with creating, distributing, and/or storing child pornography." As part of the successful seizure of 10 Web domains suspected of storing, displaying, or peddling child pornography, The Department of Justice and Homeland Security's ICE (Immigration and Customs Enforcement) office also seized a domain called mooo.com, the most popular shared domain at afraid.org, which belongs to a DNS provider called FreeDNS. According to FreeDNS, mooo.com isn't a domain used for anything related to child porn; rather, it's home to some 84,000 Web sites primarily belonging to individuals and small businesses. Yet in pulling the plug on mooo.com, the Feds effectively shut down all 84,000 of those sites. But visitors to those sites wouldn't simply get an error along the lines of "This site is currently down," or even "This site has been temporarily seized by Homeland Security." Nope, instead, a visitor would be taken to a banner with the logos of the Homeland Security and the Department of Justice, beneath which is text reading: "This domain name has been seized by ICE—Homeland Security Investigations pursuant to a seizure warrant ... under the authority of Title 17 USC 2254. Advertisement, distribution, transportation, receipt, and possession of child pornography constitute federal crimes...." One of the big questions here is, how did this happen?
Under Federal law, the ICE simply needs to convince a district court judge to sign a seizure warrant, then to order the domain registries to redirect the seized domains to a warning message. What's not clear, though, is how or why mooo.com ended up seized. Clerical error? Typo? Who knows?
Greetings. In the vein of making lemonade when you have lemons, it occurs to me that the upcoming damage from ICANN's TLD expansion madness may have an unexpected solution—the folks at DHS/ICE. Here's the simple plan. All we have to do is convince ICE to confiscate domains faster than ICANN can issue TLDs for new ones. Given how ICE managed to shut down 84K innocent domains in one fell swoop and tarnish them with c-porn allegations for site visitors, this should be easy as pie for those guys, especially since due process isn't required! After all, much of the world is going to block dot-ex-ex-ex from day one anyway. And probably dot-gay. And who knows what else ... All it should take is a few allegations of illicit Disney videos hosted on (or even just linked from) a TLD, and ICE will be out at the registry ordering them to flip the domain "off" switch. In fact, to make this even easier, perhaps the government should have direct access to DNS databases so that they can terminate domains without all the muss and fuss of dealing with the registries and registrars at all! Or is that already in pending legislation? Gotta go check that again. It's all so much simpler when you just toss Internet Freedoms out the window. Phew. Problem solved. http://j.mp/euQaAB (Google Buzz) Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren Network Neutrality Squad: http://www.nnsquad.org Tel: +1 (818) 225-2800 Blog: http://lauren.vortex.com Twitter: https://twitter.com/laurenweinstein
http://j.mp/hdBHRE (CNET) [From Network Neutrality Squad]
David Segal, The Dirty Little Secrets of Search, 12 Feb 2011 http://www.nytimes.com/2011/02/13/business/13search.html PRETEND for a moment that you are Google's search engine. Someone types the word "dresses" and hits enter. What will be the very first result? There are, of course, a lot of possibilities. Macy's comes to mind. Maybe a specialty chain, like J. Crew or the Gap. Perhaps a Wikipedia entry on the history of hemlines. O.K., how about the word "bedding"? Bed Bath & Beyond seems a candidate. Or Wal-Mart, or perhaps the bedding section of Amazon.com. "Area rugs"? Crate & Barrel is a possibility. Home Depot, too, and Sears, Pier 1 or any of those Web sites with "area rug" in the name, like arearugs.com. You could imagine a dozen contenders for each of these searches. But in the last several months, one name turned up, with uncanny regularity, in the No. 1 spot for each and every term: J. C. Penney. The company bested millions of sites - and not just in searches for dresses, bedding and area rugs. For months, it was consistently at or near the top in searches for "skinny jeans," "home decor," "comforter sets," "furniture" and dozens of other words and phrases, from the blandly generic ("tablecloths") to the strangely specific ("grommet top curtains"). This striking performance lasted for months, most crucially through the holiday season, when there is a huge spike in online shopping. J. C. Penney even beat out the sites of manufacturers in searches for the products of those manufacturers. Type in "Samsonite carry on luggage," for instance, and Penney for months was first on the list, ahead of Samsonite.com. With more than 1,100 stores and $17.8 billion in total revenue in 2010, Penney is certainly a major player in American retailing. But Google's stated goal is to sift through every corner of the Internet and find the most important, relevant Web sites. 
Does the collective wisdom of the Web really say that Penney has the most essential site when it comes to dresses? And bedding? And area rugs? And dozens of other words and phrases? ...
Nabble is a public forum where all users' messages are public records. With Nabble, your user account is for public posting and identification, and contains no valuable private information. Because of this public nature, we do not see a need to encrypt passwords. Your password is stored in our secure database but is not encrypted. If you forget your password, you can retrieve it through our website and the password will be emailed to you in clear text. http://old.nabble.com/help/Answer.jtp?id=25
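The risk in the Nabble policy is not the public forum but the reuse of that password elsewhere: a database copy or an intercepted e-mail hands every user's password to whoever reads it. The standard defence is to store only a salted, slow hash and to handle "forgot my password" with a one-time reset token rather than by mailing the password back. The following is an added example illustrating that pattern; it is not Nabble's code, and the record layout, iteration count and function names are assumptions of this example.

```python
"""Store a password as a salted PBKDF2 hash and run a reset flow that never
needs the password back. Added example; parameters are this example's own."""
import hashlib
import hmac
import secrets

# Work factor and salt size chosen for the example; a deployment tunes these.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str) -> dict:
    """Return the only thing the user table needs to keep: algorithm, salt,
    iteration count and digest. The password itself is never stored."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "alg": "pbkdf2_sha256",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "digest": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so a wrong guess cannot be distinguished by timing how far it matched."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                 record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def issue_reset_token() -> tuple:
    """Forgot-password flow: the token is mailed to the user; only its hash is
    stored, so a leaked database cannot be used to redeem outstanding resets.
    Returns (token_to_mail, hash_to_store)."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def reset_token_matches(stored_hash: str, presented: str) -> bool:
    """Check a presented token against the stored hash in constant time."""
    presented_hash = hashlib.sha256(presented.encode("ascii")).hexdigest()
    return hmac.compare_digest(presented_hash, stored_hash)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")   # constructed sample password
    print("stored record:", rec)
    print("right password verifies:", verify(rec, "correct horse battery staple"))
    print("wrong password verifies:", verify(rec, "Tr0ub4dor&3"))
    token, token_hash = issue_reset_token()
    print("reset token redeemable:", reset_token_matches(token_hash, token))
```

Because the salt is random per user, two accounts with the same password get different records, and a stolen table cannot be attacked with one precomputed list. On a successful reset the application sets a new record with make_record and discards the token hash; the old password is never recoverable, which is exactly the property a plaintext store lacks.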
Andrew McAfee, 18 Feb 2011 A little while back I was putting together an iTunes playlist to give to my Mom as a gift, and found myself frustrated by the application's user interface. It kept telling me that Mom already had one song after another, and refusing to let me complete the gifting process until I removed the duplicate song from the playlist. After I did this three or four times I gave up, complaining to my girlfriend how clunky the process was. She replied "That's not the real problem. The real problem is that iTunes is telling you what music someone else has." http://andrewmcafee.org/2011/02/mcafee-apple-itunes-privacy-hole-violation/
Inapt price comparisons are all too common. Comparing the price of a tablet with the price of an equal weight of precious metal might seem to be one, but. Keir Thomas, High prices threaten to kill tablet adoption; With the Motorola Xoom rumored to cost $1199, a high-price niche could turn people away from tablet computing. *ITBusiness*, 15 Feb 2011 http://www.itbusiness.ca/it/client/en/cdn/News.asp?id=61312 This sounds like a grouchy (and obvious) question, but are tablet computers too expensive? Are high prices going to push the nascent tablet computing platform into a nose dive it can't recover from? The Galaxy Tab weighs 368 grams. If you decided to invest in the equivalent weight of pure silver, it'd cost half the price of a Tab ($356 for 368 grams of silver vs. $600 for the Tab at $0.97 per gram of silver). The top-range, Wi-Fi-only iPad is also more expensive than its own weight in silver: $659.60 for 680 grams of silver vs. $699 for a 64GB Wi-Fi iPad. Comparisons to precious metals are apt. I've yet to invest in a tablet and there's a reason: I'm seriously concerned about theft. Like jewelry, tablet computers are highly portable by design. A computer journalist friend of mine wanted to write about the practicality of tablets so he used one on subway trains, and in the park, and on buses. It was going very well until one particular bus came to a stop, and somebody snatched the tablet out of his hands before sprinting away.
As a follow-up from my note 15 years ago in RISKS-17.50, (http://catless.ncl.ac.uk/Risks/17.50.html#subj6.1)... this article from *The Boston Globe* does a good job relating risks of medical alarm systems. http://www.boston.com/news/local/massachusetts/articles/2011/02/14/no_easy_solutions_for_alarm_fatigue/ "Alarm fatigue" is a good term, I think most people can grasp the concept. The article also talks about "unintended consequences," a major component of risk assessment.
Seeing should not always be believing. Do a web search on BBC Spaghetti Harvest. West Coast Pioneering photographers found they could earn money making and selling composite photos of fish superimposed on railway flatcars and similar spectacles. One result of the recent proliferation of using edited digital photos in court and other arenas is that some people, at least, are beginning to realize that "photographic evidence" may not be all that it claims to be.
When we released our paper on Stuxnet by Nicolas Falliere, Liam O Murchu, and Eric Chien in September, we mentioned we'd likely continue to make revisions. We have two major updates to the paper and some other minor changes throughout. A summary of these updates follows and more detailed information can be found in the paper. [Symantec] http://www.symantec.com/connect/fr/blogs/updated-w32stuxnet-dossier-available
BKEXTDET.RVW 20101023

"Extrusion Detection", Richard Bejtlich, 2006, 0-321-34996-2, U$49.99/C$69.99
%A Richard Bejtlich www.taosecurity.com taosecurity.blogspot.com
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2006
%G 0-321-34996-2
%I Addison-Wesley Publishing Co.
%O U$49.99/C$69.99 416-447-5101 800-822-6339 bkexpress@aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0321349962/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0321349962/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0321349962/robsladesin03-20
%O Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 385 p.
%T "Extrusion Detection: Security Monitoring for Internal Intrusions"

According to the preface, this book explains the use of extrusion detection (related to egress scanning), to detect intruders who are using client-side attacks to enter or work within your network. The audience is intended to be architects, engineers, analysts, operators and managers with an intermediate to advanced knowledge of network security. Background for readers should include knowledge of scripting, network attack tools and controls, basic system administration, TCP/IP, as well as management and policy. (It should also be understood that those who will get the most out of the text should know not only the concepts of TCP/IP, but advanced level details of packet and log structures.) Bejtlich notes that he is not explicitly addressing malware or phishing, and provides references for those areas. (It appears that the work is not directed at information which might detect insider attacks.) Part one is about detecting and controlling intrusions. Chapter one reviews network security monitoring, with a basic introduction to security (brief but clear), and then gives an overview of monitoring and listing of some tools.
Defensible network architecture, in chapter two, provides lucid explanations of the basics, but the later sections delve deeply into packets, scripts and configurations. Managers will understand the fundamental points being made, but pages of the material will be impenetrable unless you have serious hands-on experience with traffic analysis. Extrusion detection itself is illustrated with intelligible concepts and examples (and a useful survey of the literature) in chapter three. Chapter four examines both hardware and software instruments for viewing enterprise network traffic. Useful but limited instances of layer three network access controls are reviewed in chapter five. Part two addresses network security operations. Chapter six delves into traffic threat assessment, and, oddly, at this point explains the details of logs, packets, and sessions clearly and in more detail. A decent outline of the advance planning and basic concepts necessary for network incident response is detailed in chapter seven (although the material is generic and has limited relation to the rest of the content of the book). Network forensics gets an excellent overview in chapter eight: not just technical points, but stressing the importance of documentation and transparent procedures. Part three turns to internal intrusions. Chapter nine is a case study of a traffic threat assessment. It is, somewhat of necessity, dependent upon detailed examination of logs, but the material demands an advanced background in packet analysis. The (somewhat outdated) use of IRC channels in botnet command and control is reviewed in chapter ten. Bejtlich's prose is clear, informative, and even has touches of humour. The content is well-organized. (There is a tendency to use idiosyncratic acronyms, sometimes before they've been expanded or defined.) This work is demanding, particularly for those still at the intermediate level, but does examine an area of security which does not get sufficient attention. 
copyright, Robert M. Slade 2010 BKEXTDET.RVW 20101023 rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links http://blogs.securiteam.com/index.php/archives/author/p1/
The 2011 Computers Freedom and Privacy annual conference will convene at the Georgetown Law Center located in Washington DC on 14-16 Jun 2011. This year's CFP will explore the intersection of policy, technology, and action. The meeting will involve technology and policy experts and activists in forums designed to engage the public and policymakers in discussions about the information society and the future of technology, innovation, and freedom. For more on the meeting visit: http://cfp.org/2011 A research poster session is planned for 16 Jun 2011. To submit for the research poster session visit: https://www.easychair.org/account/signin.cgi?conf=cfp21research To submit proposals for panels, workshops, plenaries, speakers or BoFs visit: http://www.cfp.org/2011/wiki/index.php/Submission_guidelines You are encouraged to share information regarding the meeting with your online and offline network.