The RISKS Digest
Volume 26 Issue 65

Tuesday, 29th November 2011

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Investigation into ICT enabled projects
Andrew Pam
Cybersecurity Requires Patches, Not a Vast Bill
Susan Crawford via Lauren Weinstein
Internet Amorality, and Cutting Thailand Off From the Internet
Lauren Weinstein
Another mass takedown of domains by U.S. authorities + discussion
Lauren Weinstein
Hackers target IPv6: Why you must address IPv6 security concerns now
Susan Perschke via Gene Wirchenko
"Face Unlock feature in Galaxy Nexus poses security risk"
Matt Hamblen via Gene Wirchenko
Google protects its current HTTPS traffic against future attacks
Lucian Constantin via Gene Wirchenko
Columbia U. researchers claim widespread security problems with laser printers
Lauren Weinstein
"Doomed by default passwords"
Roger A. Grimes via Gene Wirchenko
"When mobile apps go bad"
Galen Gruman via Gene Wirchenko
Facebook Settles With F.T.C. Over Deception Charges
Lauren Weinstein
Re: purported water plant attack
SMiller
Re: If You Can't Trust Caller ID ...
Paul Wallich
Re: Missing the point of the Internet
Amos Shapir
Complexity
Bob Frankston
Re: LaTeX as an example of ... best practices
Bob Frankston
Re: "Facebook bans at work linked to increased security breaches"
Carlos G Mendioroz
Info on RISKS (comp.risks)

Investigation into ICT enabled projects

Andrew Pam <andrew@sericyb.com.au>
Mon, 28 Nov 2011 18:12:52 +1100

Very interesting report from the Victorian state government (in Australia)
about troubles with public-sector IT projects:

<http://www.ombudsman.vic.gov.au/resources/documents/Investigation_into_ICT_enabled_projects_Nov_2011.pdf>

Extracts from the Executive summary:

11. National and international research has concluded that ICT-enabled
projects are poorly managed and failures are common. Research also indicates
that the private sector and overseas institutions have their share of ICT
project disasters with reports of cost overruns of 200 per cent, schedule
overruns of 70 per cent and some 80-90 per cent failing to meet performance
objectives.

12. Despite the research and Ombudsman and Auditor-General reports, there
are few signs that any lessons have been learnt in the public sector.


Cybersecurity Requires Patches, Not a Vast Bill (Susan Crawford)

Lauren Weinstein <lauren@vortex.com>
Mon, 28 Nov 2011 18:43:14 -0800

http://j.mp/so4rJu  (Bloomberg) [from NNSquad]

  "When cybersecurity problems arise, the best response is to adopt a patch
  as soon as it's available. You don't want to wait for an entirely new
  operating system to be created, and you really don't want to use such a
  system until it has been debugged.  That second approach, though, is what
  the Obama administration lately has been recommending. Driven by the
  National Security Agency and the Department of Homeland Security, the
  administration has been pushing the Senate to ram through an enormous
  omnibus bill on cybersecurity that hasn't yet won agreement from
  legislative working groups."  ...  Luckily, the administration's approach
  may collapse under its own weight. In October, a House Republican
  cybersecurity plan that focused on targeted voluntary efforts—rather
  than the construction of a novel superstructure for the dictation of
  security standards—grabbed the attention of legislators.  This month,
  Senate Majority Leader Harry Reid wrote to Senate Minority Leader Mitch
  McConnell saying that the House plan was consistent with his own
  cybersecurity vision, while noting that bipartisan working groups in the
  Senate hadn't been able to agree on a comprehensive legislative
  draft. Four Republican Senators (Kay Bailey Hutchison, Saxby Chambliss,
  Charles Grassley, and Lisa Murkowski) wrote to President Barack Obama
  supporting the targeted House approach.


Internet Amorality, and Cutting Thailand Off From the Internet

Lauren Weinstein <lauren@vortex.com>
Sun, 27 Nov 2011 11:43:10 -0800

Internet Amorality, and Cutting Thailand Off From the Internet
http://j.mp/trJTJn  (This message on Google+)  [From NNSquad]

 - - -

In a recent posting ( http://j.mp/vuU7RO [Google+] ), I chastised Thailand
for demanding the censorship/removal of 10K Facebook links deemed
"offensive" to their royal family, Thailand's decree that merely pressing
the "like" or "share" button on particular articles is being criminalized,
and I noted their new case of a 61-year-old man sentenced to 20 years in
prison for text messages deemed "insulting" to their royals.

And I added:

  "How about this for a way to prod these Neanderthals into the 21st
  century? Cut them off the Net totally until these practices cease."

Observant readers realized that I was writing somewhat tongue-in-cheek, but
to be honest not totally so.

And in fact, I've now received a couple of notes from people horrified by my
saying such a thing.  How can I support "censorship" of such regimes, no
matter how backwards, repressive, and abusive of their own populations?
After all, I'm known to be an anti-censorship advocate.

This brings up an important question.  Are we, as technologists, required to
provide the fruits of our labors to the entire world equally, even when
those facilities are used for evil purposes?  Is it "censorship" to draw
some lines in the sand in this regard?

The amoral view is obvious enough, both historically and contemporaneously.
IBM's support of 1930s Germany (via its subsidiary Deutsche Hollerith
Maschinen GmbH) has been long condemned.

Various major U.S.-based firms today are currently embroiled in
controversies regarding their provision of Internet and other communications
technologies to countries where they have been used to battle dissidents, and
the U.S. (disingenuously to a significant extent, given SOPA, PIPA, and
other legislation here) has condemned such suppression.

Export controls have long been a tool of national policy—sometimes in
logical manners, sometimes in utterly ridiculous, crazy ways.

In any case, I found it disturbing that at least a couple of readers felt
comfortable with a stance (amoral at best, more reasonably termed unethical)
that no matter how oppressive a regime might be, the global Internet
community should be obligated to continue providing equal services to such
players as if freedom and slavery were simply equivalent "domestic policies"
of no concern to the outside world.

I cannot accept such an assertion.  And I would add that an analysis of
these concerns should extend to repressive U.S. actions as well, of course.

These issues come into play not only when a country's demands affect the
entire world (e.g., demanding that YouTube videos be removed so nobody can
see them anywhere, due to their being deemed to be offensive to the rulers
of a single country), but also when "compartmented" domestic repression is
involved.

If we do not apply basic standards of freedom and civil rights to the
Internet and its technologies, if we treat evil as a form of normalcy not
subject to sanctions, our wonderful Net will be increasingly morphed into a
weapon aimed not only at our global neighbors, but at ourselves as well.

Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
Network Neutrality Squad: http://www.nnsquad.org
People For Internet Responsibility: http://www.pfir.org
PRIVACY Forum: http://www.vortex.com  +1 (818) 225-2800 / Skype: vortex.com


Another mass takedown of domains by U.S. authorities + discussion

Lauren Weinstein <lauren@vortex.com>
Sat, 26 Nov 2011 11:48:51 -0800

Another mass takedown of domains by U.S. authorities + discussion

http://j.mp/tE2Xtu  (TorrentFreak) [from NNSquad]

  "TorrentFreak has identified more than 130 domains taken over by the
  government during the last 24 hours, which makes this the largest seizure
  round to date. The authorities have yet to comment via official channels,
  but we assume that they will use the same justification for the domain
  seizures as they did last year."

 - - -

The authors of the above referenced article ask why there's the big push for
SOPA/PIPA when authorities seem able to seize domains on demand even today.
I would assert a key factor is wanting to censor sites that provide
information that could circumvent those seizures, and that's not limited to
search engines like Google.

Historical IP address data for the seized sites is widely available, meaning
that with a bit of effort, virtually anyone can still connect to those sites
(either manually or through automated means).

So clearly, the focus of U.S. SOPA/PIPA efforts is an attempt to censor any
and all sites that can provide that historical data or other workarounds,
which is an ever expanding circle of sites that carry all manner of search
results and Internet retrospective data.

This has very much an Orwellian feel to it, as the U.S. government wants to
delete all references to these sites regardless, it seems, of likely
collateral damage.

And this is why SOPA and PIPA will not be effective at cutting off access to
sites around the world targeted by U.S. authorities, but do carry the
potential of creating a vast censorship regime and accompanying "Darknet"
workarounds, pushing more and more legitimate Internet activity protectively
underground.


Hackers target IPv6: Why you must address IPv6 security concerns now

Gene Wirchenko <genew@ocis.net>
Mon, 28 Nov 2011 11:34:49 -0800
  (Susan Perschke)

[Source: Susan Perschke, *IT Business*, 28 Nov 2011
http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=65117]

selected text:

The biggest looming security threat lies in the fact that enterprise
networks already have tons of IPv6 enabled devices, including every device
running Windows Vista or Windows 7, Mac OS/X, all Linux devices and BSD.

Vyncke says the threat is real. "We have observed worldwide that bots are
increasing their use of IPv6 as a covert channel to communicate with their
botmaster." Among its many disguises, IPv6-enabled malware can take the form
of a malicious payload encapsulated in one or more IPv4 messages. Without
IPv6-specific security measures such as deep packet inspection, this type of
payload may pass through the IPv4 perimeter and DMZ defenses undetected.

Security threats aside, there is a growing business case for IPv6 that is
getting harder to sweep under the rug. Banks and online brokerages already
face the challenge of losing communication with international customers
whose networks no longer support IPv4.
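
The covert channel Vyncke describes rides on plain IPv4: an IPv6 packet is
wrapped in an IPv4 packet whose protocol field is 41 (the IANA number for
IPv6-in-IPv4 encapsulation), so an IPv4-only perimeter sees nothing but a
protocol-41 datagram. The following is an added example, not code from the
article or from any vendor; it builds a few constructed packets with
documentation address ranges, parses the outer IPv4 header, unwraps any
protocol-41 payload to read the inner IPv6 header, and flags tunnels whose
outer source is not a sanctioned tunnel endpoint (the endpoint list is a
constructed assumption, as is every address used).

```python
import struct
import ipaddress

IPPROTO_IPV6 = 41   # IANA protocol number: IPv6 encapsulated directly in IPv4 (6in4)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a header whose checksum field is zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 packet (no options) carrying `payload` with protocol `proto`."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ipv6(next_header: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv6 packet: 40-byte fixed header followed by `payload`."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Read the fields of the outer IPv4 header that the detector needs."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("truncated or malformed IPv4 header")
    return {"proto": pkt[9],
            "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "payload": pkt[ihl:total_len]}


def detect_6in4(pkt: bytes):
    """Return details of an encapsulated IPv6 packet, or None for ordinary IPv4."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPV6:
        return None
    inner = outer["payload"]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not a valid IPv6 header")
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
            "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
            "inner_next_header": inner[6]}


def audit(packets, known_tunnel_endpoints):
    """Flag 6in4 traffic whose outer source is not a sanctioned tunnel endpoint."""
    alerts = []
    for pkt in packets:
        info = detect_6in4(pkt)
        if info and info["outer_src"] not in known_tunnel_endpoints:
            alerts.append(info)
    return alerts


# Constructed sample traffic using documentation address ranges, not real hosts.
INNER_TCP = build_ipv6(6, "2001:db8::10", "2001:db8:ffff::1", b"\x00" * 20)
SAMPLE_PACKETS = [
    build_ipv4(6, "192.0.2.10", "192.0.2.20", b"\x00" * 20),            # plain IPv4 TCP
    build_ipv4(IPPROTO_IPV6, "192.0.2.1", "198.51.100.1", INNER_TCP),    # sanctioned tunnel router
    build_ipv4(IPPROTO_IPV6, "198.51.100.7", "203.0.113.9", INNER_TCP),  # host tunnelling on its own
]
KNOWN_TUNNEL_ENDPOINTS = {"192.0.2.1"}   # assumed list of approved 6in4 routers


def audit_sample():
    return audit(SAMPLE_PACKETS, KNOWN_TUNNEL_ENDPOINTS)


if __name__ == "__main__":
    for a in audit_sample():
        print("ALERT: 6in4 from %s -> %s carrying %s -> %s (next header %d)" % (
            a["outer_src"], a["outer_dst"], a["inner_src"], a["inner_dst"],
            a["inner_next_header"]))
```

The check is deliberately cheap: a perimeter that only keys on IPv4 ports will
never see the inner IPv6 addresses, but protocol 41 from anything other than a
known tunnel router is a strong signal on its own.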


"Face Unlock feature in Galaxy Nexus poses security risk"

Gene Wirchenko <genew@ocis.net>
Tue, 29 Nov 2011 12:05:31 -0800
  (Matt Hamblen)

Matt Hamblen, *Computerworld*, 22 Nov 2011
Analysts suggest a PIN or password is a more secure alternative than
Google's facial recognition software for unlocking smartphones

http://www.infoworld.com/d/security/face-unlock-feature-in-galaxy-nexus-poses-security-risk-179813

opening text:

Face Unlock, the facial recognition software offered in Android 4.0 on the
Galaxy Nexus, is being promoted by Google as an alternative to using a PIN
to unlock a phone.

But early reviewers have noticed that Face Unlock sometimes can be spoofed
by a photograph of the owner of the phone, posing a security risk.


Google protects its current HTTPS traffic against future attacks

Gene Wirchenko <genew@ocis.net>
Tue, 29 Nov 2011 11:55:06 -0800
  (Lucian Constantin)

Lucian Constantin, *InfoWorld*, 23 Nov 2011
HTTPS-enabled Google services now implement a special encryption
technique to mitigate future key recovery attacks
https://www.infoworld.com/d/security/google-protects-its-current-https-traffic-against-future-attacks-179934

selected text:

Google has modified the encryption method used by its HTTPS-enabled services
including Gmail, Docs, and Google+, in order to prevent current traffic from
being decrypted in the future when technological advances make this
possible.

This approach exposes the connections to so-called retrospective decryption
attacks. "In 10 years time, when computers are much faster, an adversary
could break the server private key and retrospectively decrypt today's email
traffic," explained Adam Langley, a member of Google's security team, in a
blog post.
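
The "special encryption technique" the excerpt leaves unnamed is forward
secrecy: Google's change moved its HTTPS sites to ephemeral Diffie-Hellman key
exchange, so the server's long-term key only signs the handshake and is never
what the session key is encrypted under. The following is an added toy model,
not Google's code or Langley's; it runs the two handshakes side by side with
constructed parameters that are far too small for real use (a 127-bit DH prime
and a two-Mersenne-prime RSA modulus), records each transcript, then plays the
retrospective attacker who later obtains the server's private key. RSA key
transport gives that attacker the recorded session key; ephemeral DH does not.

```python
import hashlib
import secrets

# Constructed toy parameters. Real TLS uses 2048-bit+ RSA, large (EC)DH groups
# and proper padding and signature schemes; these only need to be large enough
# that the logic is not trivially invertible by hand.
DH_P = 2**127 - 1                      # a Mersenne prime, used as the DH modulus
DH_G = 3
RSA_P, RSA_Q = 2**89 - 1, 2**107 - 1   # also Mersenne primes
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # server's long-term private key


def kdf(shared: int) -> bytes:
    """Toy key derivation: hash the shared integer into a 256-bit session key."""
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def toy_sign(value: int) -> int:
    """Textbook RSA signature over a hash of `value` (no padding; toy only)."""
    digest = int.from_bytes(hashlib.sha256(value.to_bytes(32, "big")).digest(), "big")
    return pow(digest % RSA_N, RSA_D, RSA_N)


def toy_verify(value: int, signature: int) -> bool:
    digest = int.from_bytes(hashlib.sha256(value.to_bytes(32, "big")).digest(), "big")
    return pow(signature, RSA_E, RSA_N) == digest % RSA_N


def rsa_transport_handshake():
    """RSA key transport: the session secret travels encrypted under the server's
    long-term key, so the recorded ciphertext stays decryptable for ever."""
    secret = secrets.randbelow(RSA_N - 2) + 2           # client picks the secret
    ciphertext = pow(secret, RSA_E, RSA_N)              # ClientKeyExchange on the wire
    server_secret = pow(ciphertext, RSA_D, RSA_N)       # server decrypts it
    assert server_secret == secret
    return {"client_key_exchange": ciphertext}, kdf(secret)


def dhe_handshake():
    """Ephemeral DH: the long-term key only signs; exponents die with the session."""
    b = secrets.randbelow(DH_P - 2) + 1                 # server ephemeral exponent
    g_b = pow(DH_G, b, DH_P)
    signature = toy_sign(g_b)                           # ServerKeyExchange: g^b + signature
    assert toy_verify(g_b, signature)                   # client checks authenticity
    a = secrets.randbelow(DH_P - 2) + 1                 # client ephemeral exponent
    g_a = pow(DH_G, a, DH_P)                            # ClientKeyExchange: g^a
    client_key, server_key = kdf(pow(g_b, a, DH_P)), kdf(pow(g_a, b, DH_P))
    assert client_key == server_key
    del a, b                                            # ephemeral secrets erased
    return {"server_key_exchange": g_b, "signature": signature,
            "client_key_exchange": g_a}, client_key


def retrospective_attack(transcript: dict, leaked_d: int) -> set:
    """Everything a recorded transcript plus the later-leaked long-term private
    key yields in these toy protocols: the RSA private operation applied to each
    recorded value, and the recorded values themselves, run through the KDF."""
    candidates = set()
    for value in transcript.values():
        candidates.add(kdf(pow(value, leaked_d, RSA_N)))
        candidates.add(kdf(value))
    return candidates


def demo() -> dict:
    rsa_transcript, rsa_key = rsa_transport_handshake()
    dhe_transcript, dhe_key = dhe_handshake()
    return {"rsa_transport_recovered": rsa_key in retrospective_attack(rsa_transcript, RSA_D),
            "dhe_recovered": dhe_key in retrospective_attack(dhe_transcript, RSA_D)}


if __name__ == "__main__":
    print(demo())   # expect RSA transport recovered, DHE not
```

The DHE transcript contains only g^a, g^b and a signature; recovering the
session key from it means solving a discrete logarithm, which the leaked RSA
key does nothing to help with. That is the property Langley's quote is about:
a future break of the server key exposes future impersonation, not past
traffic.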


Columbia U. researchers claim widespread security problems with laser printers

Lauren Weinstein <lauren@vortex.com>
Tue, 29 Nov 2011 09:27:46 -0800

http://j.mp/vYfGoJ  (MSNBC)  [From NNSquad]

  "Could a hacker from half-way around the planet control your printer and
  give it instructions so frantic that it could eventually catch fire? Or
  use a hijacked printer as a copy machine for criminals, making it easy to
  commit identity theft or even take control of entire networks that would
  otherwise be secure?"

I sense that there may be a bit of grandstanding in the referenced article.


"Doomed by default passwords" (Roger A. Grimes)

Gene Wirchenko <genew@ocis.net>
Tue, 29 Nov 2011 10:18:29 -0800

Roger A. Grimes, *InfoWorld*, 29 Nov 2011, Recent hacks reveal that admins
and vendors have fallen behind on protecting legacy systems
http://www.infoworld.com/d/security/doomed-default-passwords-180214

opening text:

  Many years ago, I was hired to penetration-test a customer's IBM AS/400
  system, and the system administrator admonished me for even
  trying. "AS/400s aren't like cheap and insecure little PC systems," he
  argued. "They're built from the ground up to be secure."

  As he completed his last sentence, I logged into his system and took
  complete control of it. He had not changed the default account
  password. It had been left as is for almost 20 years. His system was
  contactable over the Internet, so I had to wonder, as his mouth dropped
  open, if I'd been the first to try the obvious.

The author also mentions doing a password check against default passwords
and lists three such sites that he uses.


"When mobile apps go bad" (Galen Gruman)

Gene Wirchenko <genew@ocis.net>
Tue, 29 Nov 2011 10:09:04 -0800

Galen Gruman, *InfoWorld*, 29 Nov 2011
When mobile apps go bad
Mobile apps get frequent updates -- whether you want them or not --
and sometimes the result is an inferior product
http://www.infoworld.com/d/mobile-technology/when-mobile-apps-go-bad-178063

This article deals with mobile apps, but the situation occurs with other
apps, too.  Years ago, I downloaded Netscape 6, installed it, saw that it
was really bad, and bailed.

The risk is losing an app that really works well for you.  Even if you can
keep your old version, you may be out of luck for support.


Facebook Settles With F.T.C. Over Deception Charges

Lauren Weinstein <lauren@vortex.com>
Tue, 29 Nov 2011 10:45:48 -0800

http://j.mp/uAzFMh  (FTC)  [From NNSquad]

  The social networking service Facebook has agreed to settle Federal Trade
  Commission charges that it deceived consumers by telling them they could
  keep their information on Facebook private, and then repeatedly allowing
  it to be shared and made public. The proposed settlement requires Facebook
  to take several steps to make sure it lives up to its promises in the
  future, including giving consumers clear and prominent notice and
  obtaining consumers' express consent before their information is shared
  beyond the privacy settings they have established.


Re: purported water plant attack (RISKS-26.64)

<SMiller@unimin.com>
Mon, 28 Nov 2011 12:08:18 -0500

The FBI/DHS analysis has been challenged by many, Joe Weiss among them.
While I am not in a position to confirm or deny many of the items in
dispute, I can confirm Weiss' allegation that many PLC/SCADA systems do not
keep the kind of log that is amenable to intrusion analysis. It also seems
odd that the Illinois fusion center would release such a report only to be
directly contradicted by DHS Central - aren't those centers designed,
sponsored and implemented by that very outfit? Seems equally likely that the
"nothing to see here, move along" response is the result of reluctance to
confirm the breach of a common, critical system that it is presently
infeasible to adequately protect. If this is indeed an attempt at obscurity,
I think we already know the story-line.


Re: If You Can't Trust Caller ID ... (RISKS-26.64)

Paul Wallich <pw@panix.com>
Sat, 26 Nov 2011 22:56:23 -0500

> Telemarketers increasingly are disguising their real identities and
> phone numbers...  Caller ID [properly, Calling Number ID] is becoming
> Fake ID.  New FCC rules have been instituted to combat this practice,
> but are apparently very limited in their effectiveness...  [Source: Matt
> Richtel,*The New York Times*  front page, 23 Nov 2011; PGN-ed]

It is perhaps telling in a political-systems sense (if not a
computer-systems one, since the technical hurdles are stacked the other way)
that congress is considering making it a federal crime to falsify even a
part of the personal information demanded by online services, while
deliberately fraudulent provision of identifying information via phone
system carries only civil penalties, and even then only at the discretion of
an overworked regulatory agency. Perhaps the relative pocket depth of the
respective perps has something to do with it.


Re: Missing the point of the Internet (Frankston, RISKS-26.64)

Amos Shapir <amos083@hotmail.com>
Sun, 27 Nov 2011 18:09:48 +0200

In Risks 26.64 Bob Frankston says:
> As I explain in http://rmf.vc/ThinkingOutsideThePipe networks are not
> fundamental. This means that the Internet is not easier to control once
> there is a funding model that doesn't require controlling the path.

While Frankston's ideas may keep the Internet free, in the sense that we
would not have to pay for it (not for each bit individually anyway), IMHO
they would not help to keep it free of central control.  Public ownership of
the infrastructure would necessarily mean public control; which in turn
means that the rules would be made by politicians rather than businessmen --
is that any better?

Like in the auto industry, the complexity of the devices involved results in
most of the devices being made by a few large companies; the requirement
that all devices work together on the same infrastructure mandates rules and
regulations, which have to be coordinated by a central entity (or a few of
those, at most).  This leaves a relatively small number of control points,
which might not be difficult to be taken over by a ruling body.

Surely we can avoid driving licenses by walking or riding bicycles, but we
would not get very far...


Complexity (Re: LaTeX ..., RISKS-26.64)

"Bob Frankston" <bob2-39@bobf.frankston.com>
Sat, 26 Nov 2011 23:16:34 -0500

"Complex systems are intrinsically complex."

This is a topic in its own right as I argue that complexity is about point
of view and framing. My standard example is Ptolemy vs. Copernicus in the
difference that a shift frame makes. Complexity is also relative to purpose
or context.

One risk is in accepting complexity as intrinsic rather than trying to find
the simplicity. What makes this tricky is that we often need to change the
question we are asking. The Internet provides us with many examples as when
we assume that quality is a property of the network and thus we build a
rigid transport rather than defining quality outside the network. But this
requires accepting that there isn't a single measure of quality.

I go into some of this in essays such as http://rmf.vc/PurposeVsDiscovery
and http://rmf.vc/WrongStuff.

  [PGN notes: I was rather lazy in writing the line that Bob quotes.  I
  should have written something more like this:
    "Systems that must satisfy inherently complex requirements (e.g., for
    trustworthiness in its multidimensional manifestations) are likely to be
    inherently difficult to build and maintain—even if they are extremely
    carefully designed, implemented, and operated."  In the research
    community, some of us believe in modular encapsulation, predictable
    composability, least privilege, formal analyses, and so on.  But all
    that is still generally not enough.  PGN]


Re: LaTeX as an example of ... best practices (Thorson, RISKS-26.64)

"Bob Frankston" <bob2-39@bobf.frankston.com>
Sat, 26 Nov 2011 23:23:29 -0500

I do need to react to the dig at Microsoft. Sure there is a lot of code that
has hung around for 20 to 30 years and is captive to promises made long ago.
But I also see Microsoft at the forefront of research in programming
practices as with F# feeding into C#.

These prejudices have real consequences as people limit their choice of
tools and languages including the use of C.


Re: "Facebook bans at work linked to increased security breaches"

Carlos G Mendioroz <tron@huapi.ba.ar>
Sun, 27 Nov 2011 08:01:19 -0300

It's been long known in research that you can "discover" cause-effect
relations and even have "proof" by analysing correlations.

If you analyse some variables and get strong correlation between A, B (and
C?), it's easy to say that A causes B when in fact it could be that C causes
A and B. (Even easier when C is unknown!)

In this case, it could be that companies that have sensitive material (C)
have stronger security measures (A) but even so get higher breaches (B).

Risk? Use correlations (undirected) to find cause-effect (directed)
relations.

Carlos G Mendioroz  <tron@huapi.ba.ar>  LW7 EQI  Argentina
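
The confounder argument above can be made concrete with a small simulation.
This is an added example, not data from the study or code from Mendioroz: it
constructs companies where C (sensitive material) drives both A (restrictive
controls such as a social-network ban) and B (a reported breach), with no link
at all from A to B, then measures the A-B correlation overall and again within
each value of C. The probabilities, sample size and seed are all constructed
assumptions.

```python
import random
from math import sqrt


def correlation(xs, ys) -> float:
    """Pearson correlation coefficient, written out to avoid a Python 3.10 dependency."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy)


def simulate_companies(n: int = 5000, seed: int = 2011):
    """Constructed data. C: the company handles sensitive material. A: restrictive
    controls (e.g. a social-network ban) are in place. B: a breach was reported.
    By construction A does NOT influence B; both depend only on C."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        c = 1 if rng.random() < 0.30 else 0
        a = 1 if rng.random() < (0.80 if c else 0.20) else 0   # sensitive firms lock down more
        b = 1 if rng.random() < (0.50 if c else 0.10) else 0   # ...and are attacked more
        rows.append((c, a, b))
    return rows


def analyze(rows) -> dict:
    """Correlation of A with B overall, and separately within each value of C."""
    overall = correlation([a for _, a, _ in rows], [b for _, _, b in rows])
    within = {}
    for c in (0, 1):
        sub = [(a, b) for cc, a, b in rows if cc == c]
        within[c] = correlation([a for a, _ in sub], [b for _, b in sub])
    return {"overall": overall, "within_c": within}


if __name__ == "__main__":
    result = analyze(simulate_companies())
    print("A-B correlation, all companies: %.3f" % result["overall"])
    for c, r in result["within_c"].items():
        print("A-B correlation given C=%d:    %.3f" % (c, r))
```

Pooled, A and B show a clear positive correlation (about 0.25 with these
probabilities), which is exactly the "bans are linked to breaches" headline.
Stratifying on C drives the correlation to noise, because once the confounder
is held fixed there is no relationship left to find.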
