The RISKS Digest
Volume 26 Issue 51

Monday, 1st August 2011

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

China train crash explanation raises more public doubts
Jim Reisert
Study Faults Approval Process for Medical Devices
Barry Meier
Counterfeit driver's licenses
Ashley Halsey III
High-rolling gamblers are exploiting a quirk in Cash WinFall
Jim Reisert
FaceBook + Facial Recognition software = Increased Privacy Risks
Steven J Klein
"FaceBook Founder's Sister says Kill Internet Anonymity" + Counterarguments
Lauren Weinstein
Remote access to cars, water plants, etc.
Dennis Fisher
Risks of verbose automated e-mail
Paul Wallich
Google+ and Names
Gene Wirchenko
Re: Don't throw away Grandma's wind-up desk clock
Ted Lee
Re: Patient alleges Tufts breached privacy
Chris D.
Re: Empowering Evil Through Search and Surveillance
Chris D.
Re: The British Phone Hacking Scandal
Chris D.
Info on RISKS (comp.risks)

China train crash explanation raises more public doubts

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Sat, 30 Jul 2011 10:26:14 -0600

Wang Xiuqiong, Wang Yaguang and Chen Yongrong, Xinhua, 29 Jul 2011

An explanation by railway authorities for last Saturday's deadly high-speed
train crash has raised even more public doubts about what had actually
happened to the accident and to the government investigation itself.

A high-speed train rammed into a stalled train near the city of Wenzhou in
east China's Zhejiang Province on Saturday, leaving 40 people dead and 191
injured. The accident was caused by "serious design flaws" in railway
signaling equipment, an official from the Shanghai Railway Bureau said
Thursday morning.  A lightning strike triggered the malfunction, which
resulted in a green alert light failing to turn red, leaving railway
personnel unaware of the stalled train ...

The *Beijing Youth Daily* newspaper posed several as-yet unanswered
questions in a Friday report on the accident. "Why was such seriously flawed
equipment in use for nearly two years without being detected?  Why was it
installed in as many as 76 rail stations across the country? Are there other
problems with the railway apart from equipment flaws?" the report asked.

http://news.xinhuanet.com/english2010/china/2011-07/29/c_131018337.htm

Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us


Study Faults Approval Process for Medical Devices (Barry Meier)

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 31 Jul 2011 20:03:13 PDT

  [Source: Barry Meier, Study Faults Approval Process for Medical Devices,
  *The New York Times*, 29 Jul 2011; PGN-ed; thanks to dkross.]
http://www.nytimes.com/2011/07/30/business/study-calls-approval-process-for-medical-devices-flawed.html?_r=1&ref=todayspaper

`If you want to make sure that a product is safe and effective, you have to
start by asking the question whether it is safe and effective.''

The government's system for regulating many medical devices like artificial
hips should be abandoned and replaced because it fails to examine their
safety and effectiveness before sale, according to a report released Friday
by one of the nation's top scientific groups.  The report's unequivocal
recommendation to scrap the current system was unexpected, and it unleashed
reactions ranging from outright rejection by industry officials, an embrace
by patient groups and seeming disbelief from federal regulators, who had
commissioned the review.  The report by the Institute of Medicine follows
several recalls of medical devices in recent years, like one involving
so-called metal-on-metal hip replacements used in thousands of patients,
crippling some of them. In its report, the panel found that existing rules
used to approve many devices were never intended to play the critical role
of screening out dangerous or ineffective products.  The panel urged the
Food and Drug Administration to devise a new approval system for so-called
moderate-risk devices—a category that now includes artificial hips,
external heart defibrillators and hospital pumps—concluding that the
current one was not fixable.  `If you want to make sure that a product is
safe and effective, you have to start by asking the question whether it is
safe and effective,'' said William Vodra, a member of the 12-person panel
assembled by the Institute of Medicine and a lawyer who has worked closely
with device producers.  ...

The panel also concluded in its report that the F.D.A. should act quickly to
determine whether artificial joints, like hips, which are currently approved
through the 510(k) process, should have to undergo the type of rigorous
scrutiny that high-risk devices now go through before sale. In other
recommendations, the report urged the F.D.A. to quickly tighten the way it
tracked the performance of devices once they are on the market, and said the
agency needed to move more rapidly to stop the sales of harmful ones.

In many ways, the report is a rebuke to the medical device industry and its
allies, who have been waging a campaign over the last year to dispute the
need for any new regulations.

  [Can we learn anything from this relating to computer systems being
  trustworthy and effective?  PGN]


Counterfeit driver's licenses (Ashley Halsey III)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 1 Aug 2011 9:00:15 PDT

Ashley Halsey III, Latest counterfeit IDs are so good they're dangerous,
30 Jul 2011, http://wapo.st/nxiKY1 [Long item, PGN-ed]

When the fleeing motorcycle hit the curb, scraped past a utility pole and
hurled 20-year-old Craig Eney to his death, a bogus South Carolina driver's
license was in the hip pocket of his jeans.  He spent the final hours of his
life trading on that phony license to buy shots for his buddies at two
downtown Annapolis bars, places so popular among underage drinkers that
bouncers are stationed outside to check everyone's ID.  Yet scores of young
people flash fake driver's licenses and waltz on by to the bar.

The days when faking driver's licenses was a cottage industry -- often
practiced in college dorm rooms by a computer geek with a laminating machine
-- have given way to far more sophisticated and prolific practitioners who
operate outside the reach of U.S. law enforcement.  In an era when terrorism
and illegal immigration have transformed driver's licenses into
sophisticated mini-documents festooned with holograms and bar codes, beating
the system has never been easier.

Just wire money to the `Chinese guy' [a Chinese company that has created
thousands of bogus licenses in the U.S.]

To the naked eye—even the practiced eye of most bartenders and police
officers—the counterfeits look perfect. The photo and physical
description are real. So is the signature. The address may be, too. The
holograms are exact copies, and even the bar code can pass unsophisticated
scans.  ... The IDs have shown up in various states, each license carrying a
mysterious hidden tip-off in the bar code that points directly to the same
Chinese company.


High-rolling gamblers are exploiting a quirk in Cash WinFall and raking in huge profits

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Mon, 1 Aug 2011 14:05:58 -0600

"For a few days about every three months, Cash WinFall may be the most
reliably lucrative lottery game in the country. Because of a quirk in the
rules, when the jackpot reaches roughly $2 million and no one wins, payoffs
for smaller prizes swell dramatically, which statisticians say practically
assures a profit to anyone who buys at least $100,000 worth of tickets."

http://www.boston.com/news/local/massachusetts/articles/2011/07/31/a_lottery_game_with_a_windfall_for_a_knowing_few/

Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us


FaceBook + Facial Recognition software = Increased Privacy Risks

Steven J Klein <steven@klein.us>
Mon, 1 Aug 2011 11:28:32 -0400

About one third of people randomly photographed on the campus of Carnegie
Mellon University could later be identified by name using a combination of
FaceBook and pittpatt facial recognition software, according to professor
Alessandro Acquisti.  About 27% of those identified had enough information
on their FaceBook profiles (place and date of birth) to allow him to
correctly predict the first five digits of their Social Security numbers.

Excerpted from the CMU press release:

  In one experiment, Acquisti's team identified individuals on a popular
  online dating site where members protect their privacy through
  pseudonyms. In a second experiment, they identified students walking on
  campus—based on their profile photos on FaceBook. In a third
  experiment, the research team predicted personal interests and, in some
  cases, even the Social Security numbers of the students, beginning with
  only a photo of their faces.

  Carnegie Mellon researchers also built a smartphone application to
  demonstrate the ability of making the same sensitive inferences in
  real-time. In an example of "augmented reality," the application uses
  offline and online data to overlay personal and private information over
  the target's face on the device's screen.

More information is available in the *Wall Street Journal*.
http://blogs.wsj.com/digits/2011/08/01/tech-today-using-facebook-and-facial-recognition-to-id-random-people/

As if the above isn't sufficiently disturbing on its own, Google just
purchased pittpatt, the developer of the facial recognition used for this
experiment.

Steven J Klein (248) 968-7622


"FaceBook Founder's Sister says Kill Internet Anonymity" + Counterarguments

Lauren Weinstein <lauren@vortex.com>
Wed, 27 Jul 2011 15:47:30 -0700

  [From Network Neutrality Squad]

"FaceBook Founder's Sister says Kill Internet Anonymity" + Counterarguments
http://j.mp/pX8PJ9  (This message on Google+)
http://j.mp/p5WiHd  (Gawker)

  "I think anonymity on the Internet has to go away.  People behave a lot
  better when they have their real names down.  I think people hide behind
  anonymity and they feel like they can say whatever they want behind closed
  doors." —Randi Zuckerberg, FaceBook's marketing director

 - - -

Counterarguments: "Real Names, Guilt, Self-Censorship, and the Identity War":
http://j.mp/poYMC0 (Lauren's Blog)

Addendum: I've received many positive comments related to my suggestion that
we consider an "escrow" system for holding people's "real names" in certain
situations, so that they would not normally be publicly viewable.  As I've
noted, we're talking here about innocent, good players in this case, not
"bad guy" users who will find a way to subvert any system.  I should add
that this escrowing arrangement could be through a separate, trusted,
third-party organization, to eliminate concerns that one company could
unilaterally later decide to change the way they were handling these names.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
 - Network Neutrality Squad: http://www.nnsquad.org  http://lauren.vortex.com
 - PRIVACY Forum: http://www.vortex.com  +1 (818) 225-2800
Google+: http://vortex.com/g+lauren Twitter: https://twitter.com/laurenweinstein


Remote access to cars, water plants, etc. (Dennis Fisher)

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 28 Jul 2011 15:59:22 PDT

http://threatpost.com/en_us/blogs/wide-range-gsm-modules-scada-systems-vulnerable-remote-control-072711

Dennis Fisher, Wide Range of GSM Modules, SCADA Systems Vulnerable to Remote
Control, *ThreatPost.com*, 27 Jul 2011 [Thanks to Jeremy Epstein]

If you think your car is safe and secure sitting in your driveway at night
with its fancy alarm system enabled, Don Bailey has some bad news for you:
he can unlock it and turn it on. Whenever he wants. From the other side of
the country.  Bailey, a senior security consultant at iSEC Partners known
for his work on hacking GSM and embedded systems, has found a method that
enables him to not only identify certain kinds of GSM modules over the
mobile network, but also to tell him exactly where they're located via GPS
coordinates. He also discovered that he could send his own commands to the
modules and essentially have them do whatever he likes.

Bailey will demonstrate his attack next week at Black Hat, showing a video
of him remotely unlocking and starting a vehicle without the key in the
ignition.  "I had been doing some research on this GPS locator called the
Zoombak and I figured out that it's basically just a microcontroller with a
baseband," Bailey said. "So I devised a method for finding these things over
the GSM network and started sending them messages. I can send it an SMS
message and get it to upload data to a random IP address, tell it to send me
its GPS location every so often, whatever I want."

Bailey used a variety of methods to fingerprint the devices over the GSM
network, building on work that he and Nick DePetrillo had done
previously. He knew that the Zoombak, for example, was only on the T-Mobile
network and that the billing address for the phone number associated with
the devices was the company's, not each individual owner's. Those numbers
all show up as unknown in the caller ID database, which reduced the number
of possibilities for the device he's trying to find by a lot. Eventually, he
found that he could identify GSM devices with a success rate of about 86
percent.

Interestingly, the same architecture that's used in the Zoombak is also used
in a wide range of other devices, including car security systems, security
systems at water treatment facilities and in industrial control systems, as
well. That means that the same weaknesses also affect all of those systems,
making them susceptible to simple attacks that are quite easy to implement,
Bailey said.  "This is not technologically advanced. The fact is, you can
own these kinds of systems in under a couple of hours," he said. "It's easy.
There's no confidentiality or integrity built into the systems. We shouldn't
have the equivalent of SQL injection in hardware, and that's what this
is. That's the danger. It shouldn't be possible for any fly-by-night
12-year-old to do this."

Bailey has been working on the project for some time, along with his
colleague Matt Solnik, also of iSEC. After discovering the weakness of the
architecture used in the GSM modules, the pair started looking around for
other systems to hack that had the same poor security design.  It didn't
take long for them to have their hands full.

"I knew this was in car alarms, so I went and bought one and within two
hours of purchasing the device, we had it owned," he said. "Not only is the
architecture ubiquitous, no one understands that the module is so weak in
its inherent design that I can completely own not just that device, but all
the devices attached to it. There are lots of places that security and
integrity could have been introduced, but they're not.  And it's mostly
because of money."

Bailey said that as he and Solnik got down into the weeds on their research,
they discovered that the auto makers and alarm manufacturers -- which he and
Solnik are not naming yet -- didn't even try to make it difficult to reverse
engineer the systems.

"They didn't even go so far as obfuscating the kinds of chips they use as
the microcontrollers," Bailey said. "I literally just opened the box and it
said it was XYZ chip and in two minutes I had the data sheet and I knew what
ports to tap and what to do."

As easy as this was for Bailey and Solnik to exploit, it will be equally
difficult for manufacturers to fix.

"This is infrastructure and it's going to be there for a long time. It's
going to take them forever to alter this in a way that I can't fingerprint,"
he said.
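Bailey's complaint is that the modules act on any SMS that parses: there is no confidentiality or integrity on the command channel, so fingerprinting the module's phone number is the whole attack. The following is an added example, not code from the article, from iSEC or from any vendor: the unauthenticated handler beside a hardened one that requires a per-device HMAC and a strictly increasing counter. The command vocabulary (LOCATE, REPORT_TO, UNLOCK, START), the `counter|payload|tag` wire format and the shared key are assumptions; the real Zoombak protocol is not described on the page.

```python
import base64
import hashlib
import hmac

# Hypothetical command vocabulary for a GSM tracker/alarm module. The real
# Zoombak command set is not described in the article; these names stand in
# for the behaviour Bailey mentions (report to an IP, send GPS position,
# actuate the car).
COMMANDS = {"LOCATE", "REPORT_TO", "UNLOCK", "START"}


def parse_command(payload):
    """Split 'CMD arg' into (cmd, arg); None for an unknown command."""
    cmd, _, arg = payload.strip().partition(" ")
    if cmd not in COMMANDS:
        return None
    return cmd, arg


def handle_sms_insecure(sms_body):
    """The design Bailey describes: the module obeys any SMS that parses.
    Nothing ties the message to an authorised sender, so anyone who learns
    the module's number can command it."""
    return parse_command(sms_body)


def command_tag(key, counter, payload):
    """HMAC-SHA256 over counter and payload, truncated to 12 bytes and
    base64-encoded (16 characters) so a command still fits a 160-char SMS."""
    mac = hmac.new(key, f"{counter}|{payload}".encode(), hashlib.sha256).digest()
    return base64.b64encode(mac[:12]).decode()


def build_command(key, counter, payload):
    """Operator side: format a command the way a legitimate back end would."""
    return f"{counter}|{payload}|{command_tag(key, counter, payload)}"


class AuthenticatedModule:
    """Hardened variant (an assumed design, not a vendor's): each command
    carries a strictly increasing counter and a tag keyed with a per-device
    secret. Forged commands fail the MAC check; captured commands fail the
    counter check when replayed."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def handle_sms(self, sms_body):
        try:
            counter_s, payload, tag = sms_body.split("|")
            counter = int(counter_s)
        except ValueError:
            return None  # malformed, or the legacy unauthenticated format
        if counter <= self.last_counter:
            return None  # replay of an old command
        expected = command_tag(self.key, counter, payload)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None  # wrong key or tampered payload
        parsed = parse_command(payload)
        if parsed is None:
            return None
        self.last_counter = counter  # advance only after full verification
        return parsed


if __name__ == "__main__":
    key = b"per-device-secret-provisioned-at-manufacture"  # constructed
    module = AuthenticatedModule(key)
    print(handle_sms_insecure("REPORT_TO 203.0.113.9:4000"))  # accepted blindly
    print(module.handle_sms("REPORT_TO 203.0.113.9:4000"))    # None: unauthenticated
    good = build_command(key, 1, "LOCATE")
    print(module.handle_sms(good))                            # ('LOCATE', '')
    print(module.handle_sms(good))                            # None: replay
```

The counter is checked before the MAC only to fail fast; `last_counter` is advanced only after every check passes, so a forged message cannot burn counter values. This closes the over-the-air hole Bailey describes but not the physical one: a key stored in plain flash on a module whose chip markings and data sheet are an open book, as he found, can be read out by anyone with the box in hand, so the secret needs tamper-resistant storage to be worth anything.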


Risks of verbose automated e-mail

Paul Wallich <pw@panix.com>
Thu, 28 Jul 2011 10:02:03 -0400

(This is a sort of interacting-systems risk.)

The other day I was getting ready to go to the next town to pick someone up
at the airport when they called to let me know their flight (on Jetblue)
might be delayed. So I went to the company's web site to sign up for their
automated flight-status notification.

The choices were voice message or e-mail; my mobile does not do voicemail
well, and the area around the airport doesn't have much wifi coverage. So I
entered my phone's SMS-gateway address and was quite proud of myself for the
workaround.

Until I got the first message, complete with GUID and corporate
identification, congratulating me on having subscribed to the automated
notification system for Flig. And there it ended. Which flight I was being
notified about or what had become of the schedule had been truncated by the
SMS gateway. Subsequent messages were similarly uninformative. (I finally
texted the traveler: "text me when you get off the plane, we may be a bit
late".)

Seems to me, with the widespread use of SMS gateways (almost all of my
texted conversations involve one person on a phone and the other at a PC),
that anyone designing an automated e-mail system like Jetblue's should take
care to get the essential information into the first 140 characters and let
the branding and GUID trail off the back. Because if you do it the other way
round, a lot of people will still be reminded of your company name, but not
in a good way.
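The design rule Wallich draws, as an added example rather than anything from his post or from the airline: put the facts first and let branding and tracking identifiers trail, so that a downstream cut at the gateway's limit lands in the boilerplate. The 140-character budget is the figure from the post; the brand name, GUID and the wording of the branding-first message are constructed to have the shape he describes, not JetBlue's actual text. `compose_for_sms` generalises the point to any priority-ordered list of fields.

```python
SMS_LIMIT = 140  # the budget Wallich's gateway left; real gateways vary

# Constructed sample data; not the airline's actual text or identifiers.
BRAND = "Example Airways"
GUID = "3f2a9c1e-7b4d-4e8a-9c2f-1d5e6a7b8c9d"


def gateway_truncate(text, limit=SMS_LIMIT):
    """Model of a lossy e-mail-to-SMS gateway: the first `limit` characters
    get through, the rest are silently dropped."""
    return text[:limit]


def branding_first(brand, guid, flight, status):
    """The shape of the message Wallich received (reconstructed, not the
    airline's wording): identification and boilerplate first, facts last."""
    return (f"{brand} Flight Status Notification. Ref {guid}. "
            f"Thank you for subscribing to automated flight status alerts. "
            f"Flight {flight}: {status}")


def compose_for_sms(parts, limit=SMS_LIMIT, sep=" | "):
    """parts are strings in descending order of importance. The first is
    always present (hard-cut only if it alone exceeds the limit); each later
    part is appended only if it still fits whole, so a downstream cut never
    lands inside the information the recipient actually needs."""
    msg = parts[0][:limit]
    for part in parts[1:]:
        candidate = msg + sep + part
        if len(candidate) <= limit:
            msg = candidate
    return msg


def payload_first(brand, guid, flight, status, limit=SMS_LIMIT):
    """Wallich's recommendation: flight and status lead; branding and the
    tracking id trail and are the first things sacrificed."""
    return compose_for_sms(
        [f"Flight {flight}: {status}", brand, f"Ref {guid}"], limit=limit)


if __name__ == "__main__":
    args = (BRAND, GUID, "1234", "delayed, new departure 18:40")
    print(gateway_truncate(branding_first(*args)))  # cut mid-boilerplate, no flight info
    print(gateway_truncate(payload_first(*args)))   # 'Flight 1234: delayed, ...' intact
```

The same composer serves any channel that silently truncates (pager gateways, notification trays, subject lines): the sender cannot know the recipient's limit, so the only safe ordering is the one where losing the tail costs nothing.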


Google+ and Names

Gene Wirchenko <genew@ocis.net>
Fri, 29 Jul 2011 11:04:56 -0700

There has been a big commotion over real names with Google+ with accounts
being terminated.

I wonder what they would do about me.  My passport does not have my name on
it.  I wanted it in the name "Gene Wirchenko" which is the form of my name
(full form: "Eugene Michael Wirchenko") that I use.  It got messed up on the
passport as "Gene Eugene Michael Wirchenko" with no indication that any of
the names were of different statuses.


Re: Don't throw away Grandma's wind-up desk clock (RISKS-26.49)

Ted Lee <TMPLee@MR.Net>
Tue, 26 Jul 2011 14:06:45 -0500

I've seen that report before and wonder if there simply isn't some lousy
reporting going on.  (Rarely have I seen the press report accurately on
anything I know about—always makes me wonder how they are doing on
everything else!)  As I understand the current system, if, say, the
frequency is slow by some number of cycles over some period, they will speed
it up that number of cycles the next period, so it will average out to zero.
It sounds to me like the only change proposed is lengthening out the period
as well, perhaps, as allowing the error to accumulate further before it is
corrected.

This particular sentence in the referenced article especially makes me
wonder if the press version is anything close to accurate: "If the grid
averages just over 60 cycles a second, clocks that rely on the grid will
gain 14 seconds per day, according to the company's presentation."  Umm, how
much is "just over"?


Re: Patient alleges Tufts breached privacy (RISKS-26.49)

"Chris D." <e767pmk@yahoo.co.uk>
Thu, 28 Jul 2011 18:41:55 +0100

> A patient has sued Tufts Medical Center and a primary care doctor there,
> alleging that documents including her medical history were sent to a fax
> machine at her workplace without her consent.

A friend who worked in an NHS hospital a couple of years ago complained that
she spent ages filling out lots of forms relating to patients, which were
then sent by fax.  I asked why she didn't use e-mail like everyone else, and
she said that this was not allowed due to "not meeting requirements for
patient confidentiality"...  Presumably a secure web server would be better,
to give password protection *and* an audit trail to see who had accessed
what, but as another friend in IT remarked, this would need $$$$s in set-up
and running costs for hardware and an administrator.


Re: Empowering Evil Through Search and Surveillance: Why Corporate Ethics Matter (Weinstein, RISKS-26.49)

"Chris D." <e767pmk@yahoo.co.uk>
Thu, 28 Jul 2011 18:41:55 +0100

> Yes, questions of ethics and business are complex, and different situations
> may be easily confused.

Indeed.  One approach is to look at it from the other direction; if
Microsoft and Cisco *didn't* deal with China, would this benefit Chinese
people in general?  I have no idea, but (without attempting to defend anyone
or take sides here) I suspect not.  I'd also venture to suggest that many
people outside the US are more concerned with the ups and downs of everyday
living than the ideals of "life, liberty, and the pursuit of happiness" --
just getting reliable Internet access at an affordable cost would be quite
an achievement.


Re: The British Phone Hacking Scandal: A Brit Replies (RISKS-26.50)

"Chris D." <e767pmk@yahoo.co.uk>
Sat, 30 Jul 2011 23:29:56 +0100

(1) Like most Western countries, the UK government in recent years has been
spending money like it's going out of fashion, because it keeps voters
happy.  If/when the tax revenues fall short, just borrow the difference --
heck, governments have good credit ratings, and it will be someone else's
problem to pay it back.  Thus we end up with the government absorbing 40-50%
of GDP and having debts of around 100% of GDP.  Now that the Credit Crunch
has hit, the bills are still piling up, but the tax revenues are flat; some
countries are running out of credit, while attempts to reduce government
spending result in civil unrest and lost elections, and the stand-off
between Democrats and Republicans in Washington over raising the US's debt
ceiling is ongoing as I write.

The only thing that's kept the UK economy (and others) going for the last 10
years is individuals and the government spending borrowed money.  This gave
the illusion of prosperity and gave Gordon Brown lots of tax revenues, which
he spent on pleasing voters, then his brilliant move was to lose the
election in 2010, thus leaving the task of paying off his overdraft to
someone else (e.g. me).

(2) The UK-specific aspects are (a) what someone called "the over-developed
British sense of fair play", which values equality and `fairness' over what
works, and (b) there's a strong tradition that "the gentlemen in Whitehall
[= government officials] know best", so Brits are prepared to let the
government run their lives probably more than people in other countries.
Not sure about "elites" (or the Bullingdon Club—ever heard of "Tony's
cronies"?), but the problem is that most politicians enter politics straight
out of college, and can reach the highest positions in government without
any apparent talent apart from being good at politics, and without
experiencing the ups and downs of everyday life like us little people.
(Tony Blair used to hob-nob with rock stars, but to make him look cool and
hip, rather than to rub shoulders with the proletariat.)

The trouble with the NHS is that providing health care free on demand to
everyone was a mighty big ask in 1948, when people were grateful for
whatever they could get.  Over 60 years later, we have an ageing population,
huge improvements in medical science, and loads of new medications, which
all costs big $$$$s, plus people are more knowledgeable and have higher
expectations, thus giving rapidly increasing demand but static tax
revenues.

In the case of education, in the Good Old Days there was the 11+ exam and
grammar/secondary modern set-up, with only about 10% of the population going
to university, giving a rigorous education system and degrees that actually
meant something.  The 11+ was deemed to be discriminatory and thus unfair,
so was abolished, while increasing the proportion of schoolchildren going to
university to 50% looks good but simply dilutes the value of a degree while
hugely increasing the cost of running universities, so young people spend
loads of money on degrees that aren't worth much, but they have to have one
because everyone else does.

And because this is caring sharing Britain, you don't have any choice.
There are very small and very expensive paid-for schooling and healthcare
sectors, otherwise you have to wait in line for whatever service the
government deigns to provide.  It's free, but if you want something else you
have no choice and you can't pay for it because that would be unfair and
discriminatory.

> But the daily printed word seems to have become much less trustworthy in
> the UK in a way in which, for example, the best newspapers elsewhere have
> not. There just seems to be something about the British press in which I
> suspect Murdoch&family to have significant influence over content.

Obviously newspapers have to sell what people want to buy, or they go out of
business.  Not (as far as I know) connected to Mr Murdoch is `The Daily
Telegraph', for an alternative view (http://www.telegraph.co.uk/).  Of
course the other aspect—and this *is* connected with RISKS—is that
people have access to more alternative sources of information on the
Internet now.

> Maybe it's time to form a new political party for those who work hard, pay
> their taxes, and expect them to go somewhere useful like health care, care
> of the elderly, education, effective oversight of finance and critical
> infrastructure, public transportation, and effective urban reinvigoration.

Indeed, but how far should governments go?  Obviously there has to be law &
order and defence, but loads of other nice things to have as well, and
however much governments spend, they can always spend more.  Problems are
(1) that government spending is inherently inefficient as politicians and
government officials are spending other people's money (taxes) on other
people, and (2) there's the risk of those relying on government funding (for
welfare or employment) having more votes than the tax payers.  As someone
said, a politician who robs Peter to pay Paul can usually rely on Paul's
vote.  The US (as I understand it) is more of a stand-on-your-own-two-feet
country, where the government doesn't help much but doesn't get in the way
too much either, thus giving huge inequalities, but a very dynamic,
innovative economy.

Chris Drewe, Essex County, UK (not a taxicab driver).
