Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Ban Tourists Posting Photos on Web
BERNE (ZAP)—In a bold move to demonstrate that the Swiss government is as
serious about privacy for its citizens as it has historically been regarding
the protection of illicit foreign assets in Swiss bank accounts, the head of
the newly created Switzerland Federal Department of Facial Anonymity,
Nicolas J. Biellmann, today issued a preliminary order requiring that all
Swiss citizens wear "full head coverage" masks at all times when outside
their homes or places of business within the borders of Switzerland.
This groundbreaking move, being enthusiastically supported by radical
pro-privacy groups in Switzerland and around the world, comes on the heels
of previous Swiss orders that search giant Google must obscure every single
human face—even if this must be done manually—that appears in their
"Street View" images, or else potentially terminate Street View services for
Switzerland ( http://j.mp/gj2V68 [Lauren's Blog] ).
"Upon due reflection," said Biellmann, "we realized that Google Street View
was only the tip of the iceberg. After all, Street View imagery is usually
only updated after months or even years. But there are lots of other people
out there taking photos of Swiss faces every day—whom we must protect our
citizens against as well."
The "mask order" comes in conjunction with other new regulations banning
tourists in Switzerland from posting to the Internet any photos of Swiss
citizens, even taken in public places and gatherings. Under this new law,
any such photos that are subsequently posted to the Web, will bring about
swift action by Swiss authorities. This may involve Web site shutdown
orders, extradition of the tourist photographers back to Switzerland if they
have already left the country, and in extreme cases the so-called Swiss
"doomsday" option—the remote and permanent shutdown of any and all cuckoo
clocks associated with the photos' perpetrators.
At a press conference in downtown Berne today, reporters were provided with
examples of the government-approved masks that would be required under the
new order [editors, see photo DS0393-A3 - http://j.mp/fUrVNf (Lauren's
Blog)]. Officials noted that approved masks would be available in a wide
range of styles, and would include characteristics of popular Swiss folk
heroes, characters from major films, and even a wide range of cute animals.
In answer to a reporter's question, Biellmann explained that approved masks
would be constructed from special materials that are essentially transparent
to government real-time surveillance closed-circuit television (CCTV)
cameras. "We want to assure everyone that the government will still be able
to track your every move via our CCTV systems. Our goal here is simply to
make sure that firms like Google, and individual tourists, are blocked from
citizen photography. You can be confident that law enforcement and other
aspects of the government will have full access to your actual faces at all
times, everywhere you go in public. Your ugliness will not be seen by
anyone else," said Biellmann.
After a brief comment period, the new masking and anti-tourist photography
regulations are expected to become law on April 1, 2011.
http://lauren.vortex.com/archive/000818.html
- - -
Update (February 25, 2011): Yes, except for the part about Switzerland
demanding that Google obscure every single Swiss face in Street View—even
if it has to be done manually—the rest of the story described in this
posting is of course a satire. But you already knew that.
Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org
http://lauren.vortex.com Tel: +1 (818) 225-2800
[From Hans Polzer via Will Tracz (Editor of the ACM SIGSOFT Software
Engineering Notes, and General Chair ACM SIGSOFT 2012 - FSE 20
http://www.sigsoft.org/fse20; +1 607 741-2666). PGN]
An Outbreak of Out-of-Order Moles [OoOoOMs!]
What happens when your Whac-A-Moles stop popping up? Well, the game gets
slapped with an out of order sign and no longer generates any revenue...it
just takes up space. So when an unusual outbreak of Whac-A-Mole
malfunctions forced amusement park operators to start making service
requests, did anyone think much of it? Well, yes, and no.
http://www.cfmediaview.com/lp1.aspx?v=13_11270447_688_5
http://www.todaysfacilitymanager.com/facilityblog/2011/02/friday-funny-an-outbreak-of-out-of-order-moles.html
Some time in January, the IEEE apparently quietly revised its copyright policy to explicitly forbid us authors from sharing the "final" versions of our papers on the web, now reserving that privilege to themselves (available to all comers, for the right price). http://www.crypto.com/blog/copywrongs [This item by Matt is very important for you all to read. I am inclined to openly include Matt's entire text here, but it is even more important for RISKS readers to go to the source and see how this item fits in to the rest of what Matt has available. Organizations such as ACM and IEEE are clearly having difficulties adapting to the non-print world of the Internet. But preventing authors who believe in the importance of openness in research from distributing their own publications is a horrendous step backwards. PGN]
Yesterday, Google wiped out the e-mail for an unknown number of users. Early estimates were as high as 150,000, but later estimates have pared that down to a number still in the tens of thousands. http://news.yahoo.com/s/ap/20110228/ap_on_hi_te/us_tec_google_e_mail_problem_3 Google predicts being able to restore all accounts by the end of today (2/28). http://news.yahoo.com/s/afp/20110228/tc_afp/usitcompanyinternetgmailgoogle_20110228205419 I've been skeptical about the whole concept of cloud computing since I first heard about it. You're taking your most important stuff—your data and applications—and placing it out of your control in the cloud. How many more incidents like this will it take to completely discredit cloud computing? When will cloud computing have its Hindenburg disaster?
Geek.com: http://www.geek.com/articles/geek-pick/500000-gmail-accounts-go-offline-som= e-users-lose-all-their-data-20110228/
A number of people have asked me about this incident, especially the "how could multiple copies of data be damaged/lost?" question. While I wouldn't assert that this example is strictly relevant in this particular case, RAID may provide a useful example. I've been warning folks for years that even the higher levels of RAID (Redundant Array of Independent Disks) protection do not necessarily mean that data won't be lost, especially when those disks all share a single controller. If the controller in such a situation fails in a particularly nasty way, it could potentially corrupt enough of the data across the entire array of RAID disks to cause unrecoverable data loss. Even when your redundant data is stored at different locations, it is possible for failure (in this case, likely a software-related problem) to cause data loss or corruption that may not be detected until it has been copied across to other replicated versions of the files. Even if you kept multiple copies of an e-mail index, it's possible to have failure modes where problems in one copy spread to the other copies prior to detection. That's why having completely isolated backups—such as tape in Google's case—makes excellent sense. And for those of you attempting to use this case as an argument against cloud computing, I would simply note that only a relatively small number of Google's users were affected, it appears that their data will be successfully recovered, and when most people's home or business PC disks fail, they probably haven't been backed up at all. Technical term for that: S.O.L. http://j.mp/hN0gYu (Official Gmail Blog) Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren People For Internet Responsibility: http://www.pfir.org Network Neutrality Squad: http://www.nnsquad.org +1 (818) 225-2800 PRIVACY Forum: http://www.vortex.com
Chester Wisniewski. *Sophos*, 26 Feb 2011 It appears there is a new backdoor Trojan in town and it targets users of Mac OS X. As even the malware itself admits, it is not yet finished, but it could be indicative of more underground programmers taking note of Apple's increasing market share. SophosLabs analyzed the sample we received and determined that it is a variant of a well-known Remote Access Trojan (RAT) for Windows known as darkComet. The author of the Trojan refers to it as the 'BlackHole RAT', as you can see from the screenshots, but Sophos calls it OSX/MusMinim-A, or 'MusMinim' for short. The name 'Black Hole' is already used by a legitimate application which actually aims to increase security on your Mac by helping you get rid of potentially sensitive information such as recently-used file lists, data left in the clipboard, and more. MusMinim is very basic and there appears to be a mix of German and English in the user interface. Its functions include: * Placing text files on the desktop * Sending a restart, shutdown or sleep command * Running arbitrary shell commands * Placing a full screen window with a message that only allows you to click reboot * Sending URLs to the client to open a website * Popping up a fake "Administrator Password" window to phish the target... http://nakedsecurity.sophos.com/2011/02/26/mac-os-x-backdoor-trojan-now-in-beta/
[Thanks to dkross] http://online.wsj.com/article/SB10001424052748703312904576146371931841968.html?mod=WSJ_0_0_WP_2715_RIGHTTopCarousel_1 "... What's more, some health-care experts say the number of errors could jump in coming years. That's because the 2009 economic-stimulus legislation included $19 billion in spending to encourage the use of electronic health records—a major source of billing mistakes, says Ross Koppel, a sociology professor at University of Pennsylvania's Center for Clinical Epidemiology and Biostatistics who has studied electronic records extensively. The U.S. Department of Health and Human Services estimates that 80% of hospitals will use electronic records by 2014, up from 16% now. ... But those bills are sometimes inaccurate—often as a result of electronic billing snafus. Among their benefits, electronic records can reduce the risk of duplicate testing by enabling doctors to track patients' care. David Blumenthal, national coordinator for electronic health records at the U.S. Department of Health and Human Services, says the technology helps prevent potentially fatal errors such as prescribing medication that a patient is allergic to. Electronic health records will "improve care for patients and bring about greater cost-effectiveness in our health sector," he says...."
Celeste Katz, Dem Frank Skartados doomed by vague election law crafted by his own lawyer, *New York Daily News*, 21 Feb 2011 http://www.nydailynews.com/authors/Celeste%20Katz Assembly Speaker Sheldon Silver's former adviser wrote the state law that may have cost him his powerful, veto-proof, Democratic supermajority. Democrat Frank Skartados was forced to concede the seat for the 100th Assembly District last week when he was a mere 15 votes behind. In his heart of hearts, he believes he won. But in a double whammy of irony, Skartados was seemingly doomed by a vague election law that was crafted by his own lawyer, Kathleen O'Keefe, while she worked as Silver's chief election counsel. O'Keefe's strict interpretation of her own law walled off one of Skartados' last hopes of fighting for the seat. "I couldn't do anything with the way the law was written," said Skartados, who conceded to Republican Tom Kirwan after one of the most drawn-out contests in state history. "But I feel that justice was not served because the voices of everyone were silenced by the courts." A Brooklyn appeals court ruled unanimously in favor of Kirwan when it tossed out about 60 contested affidavit ballots. That left Skartados just 15 votes behind. In New York City, Board of Elections rules automatically require a hand inspection of the paper trail from voting machines in any election where the margin is 0.5% or less. State election law doesn't - and in races as close as the one for this Hudson Valley seat, it could make all the difference. "New York law offers very little guidance as to when a full recount is required," elections law expert Jerry Goldfeder said. "The law needs to be clarified." http://www.nydailynews.com/ny_local/2011/02/21/2011-02-21_oops_when_not_all_votes_really_count.html#ixzz1EeWe9CI3 http://www.nydailynews.com/ny_local/2011/02/21/2011-02-21_oops_when_not_all_votes_really_count.html#ixzz1EeSlVZzj
InfoWorld Home / InfoWorld Tech Watch
Woody Leonhard, *InfoWorld*, 22 Feb 2011
http://www.infoworld.com/t/solid-state-drives/flash-based-solid-state-drives-nearly-impossible-erase-263
Flash-based solid-state drives nearly impossible to erase
Think you got rid of that confidential information on your SSD?
The results of a new study will come as a rude awakening
selected text:
Researchers from the University of California at San Diego delivered a paper
at the FAST-11 Conference in San Jose, Calif., last week that shows it's
almost impossible to reliably erase data from a solid state drive.
The tome, "Reliably Erasing Data from Flash-Based Solid State Drives" (PDF),
goes through all of the known techniques for erasing data and comes up short
in every case. The study's method is straightforward: They put repeating
data on an SSD or USB drive, tried using various erasing techniques, took
the SSD or USB drive apart, and pulled raw data off the chips. If any of the
original data remained, erasing didn't work.
The culprit? SSD's so-called Flash Translation Layer, a firmware interface
that makes an SSD appear to the PC like a big fat, uh, FAT device. Operating
systems want to work with file allocation tables and clusters. SSDs have to
deal with the vagaries of Flash media, which are quite different from
rotating magnetic layers. For example, SSD blocks have to be erased before
they can be written, and erasing takes a lot of time. FTL figures out how to
erase unused blocks of memory when the SSD isn't doing anything else. SSD
devices wear out faster if the same blocks are written and rewritten, so FTL
balances the write load across all of the available memory.
You might imagine with all of these delayed erases running around and blocks
of data being intentionally scattered to remote corners, there's some
potential for error. Ends up, there's more than just a potential.
Perhaps some day we'll see the recommendations applied to an SSD
device. In the meantime, the only sure way to erase the data on an SSD or
USB drive requires a very large hammer.
- - -
[PGN adds: Lauren Weinstein commented in his various distributions on
this quote:
"Our results show that naively applying techniques designed for
sanitizing hard drives on SSDs, such as overwriting and using
built-in secure erase commands is unreliable and sometimes
results in all the data remaining intact. Furthermore, our
results also show that sanitizing single files on an SSD is much
more difficult than on a traditional hard drive."
With the rise of SSD memory as a replacement for traditional hard disks,
the security and privacy aspects of this situation seem quite noteworthy,
to say the least. You can bet that those parties (legit or not) who wish
to extract data from laptops, iPads, smartphones, or other SSD-based
devices will already be ahead of the curve. Ya' think you really deleted
that cleartext before sending out the encrypted version? You sure you
actually deleted that company confidential material (or that porn!) before
you head back through U.S. Customs? Lauren]
David K. Shipler), Can You Frisk a Hard Drive? *The New York Times*, 19 Feb 2011 http://j.mp/geIRBa My comments: Anyone who travels internationally with a laptop containing anything significant beyond the bare necessities for accessing cloud-based data under password and/or other security controls, is unfortunately simply asking for trouble. This holds especially true for the vast majority of travelers—who have done nothing wrong—but may still have their devices' (laptops, smartphones, etc.) data copied and searched in detail without a warrant or any indication that they are criminals, terrorists, or even overdue library book villains. A laptop similar to Google's CR-48 and a good SSH program (e.g. in a Java applet), can be an enormous help in this regard. In the long run, a more formal approach, as I outlined in: "Urgent Call for Privacy-Enhanced Mobile Data Storage and Self-Destruct Mechanisms - http://j.mp/gE1jUF (Lauren's Blog) would seem useful at least for consideration. Lauren Weinstein (lauren@vortex.com) http://www.vortex.com/lauren People For Internet Responsibility: http://www.pfir.org +1 (818) 225-2800 Network Neutrality Squad: http://www.nnsquad.org
External Sites http://www.huffingtonpost.com/2011/02/28/facebook-home-addresses-phone-numb= ers_n_829459.html
http://socialnetworksecurity.org/en/vulnerable-websites.php 01 facebook.com 600,000,000 02 vk.com 135,000,000 03 bebo.com 130,000,000 04 badoo.com 110,000,000 05 netlog.com 74,000,000... This website was launched with the goal to publish security related vulnerabilities found on any social networking platform. In the past the authors of this website have found lots of security related issues on well known social networking platform and tried to contact the responsible owners to provide detailed information on the found issues. During this we got really frustrated because often there is no secur[e] e-mail available on the social networking platform which means that we had to try to contact the website providers via their "normal" help desk or ticketing system. This had the consequence that in most case we got no answer or it took weeks till we got any answers. When you initially contacted the vendors and asked for a public PGP key or s/mime so that we can send the information encrypted, we often got an answer saying that they don't use PGP or s/mime in their company and that we should provide them the information via clear-text email protocol. Some of them even asked us what is a PGP key or even worse - they sent us their private PGP key (for their luck without the needed password).
I think it's actually pretty clear how mooo.com came to be seized along with
other child porn domains. There must have been trafficking happening on some
of the subdomains created by users underneath mooo.com, and the people
assembling the list of domains to seize categorized the entire second-level
domain, rather than the individual subdomains within it, as a trafficking
domain.
This is not a terribly surprising error. I would imagine that the percentage
of Internet .com domains where subdomains are owned and completely
controlled by different people than the second-level domain is minuscule,
and the community that utilizes such domains tends to be somewhat
self-contained and not familiar to people who aren't part of it.
Perhaps I'm wrong, but I don't think FreeDNS is particularly mainstream.
Note: I'm not trying to excuse the error; I'm just trying to explain how it
happened.
[Note: Simplistic overreactions sometimes lead to simplistic
over-and-under-overreactions:
Mark Rockwell, Bill explicitly prohibits Internet shut down
http://www.gsnmagazine.com/node/22491?c=cyber_security
In hopes of dispelling fears of a federal "Internet kill switch," Senate
homeland security and financial management leaders introduced a
cybersecurity reform bill that would explicitly prohibit the President
from shutting down the Internet.
PGN]
My minimal legal knowledge is that courts have never accepted photographic evidence as incontrovertible. They have always required the testimony of the person who took the photo along with it—i.e., testify that he/she took the photo at the place and time alleged, and didn't alter it.
Susan Landau Surveillance or Security? The Risks Posed by New Wiretapping Technologies MIT Press, 2011 This is an absolutely mandatory source book for everyone interested in the would-be conflicts represented between and within each side of the "or" in the title. It is truly remarkable, incisive, important, timely, superbly researched, and copiously footnoted for those who want to dig even deeper. Please read it. Of course, as RISKS readers are well aware, at the moment we seem to have surveillance without security, and without sufficient controls. However, the challenges of achieving adequate security *and* legitimate surveillance *and* meaningful privacy (however you might wish to define them) may be eternally unreachable—especially in the absence of security. Here's a quote from Jonathan Zittrain from the back jacket of the book: “Susan Landau has taken an exceptionally complex but vital subject and presented it in a clear and compelling way. The ability of a citizen to securely communicate with her peers lies at the heart of the rule of law. Landau demonstrates the necessity of protecting that right amidst the technological changes that can greatly alter the balance of power between citizens and governments.''
Please report problems with the web pages to the maintainer