A report presented to Russian Deputy Prime Minister Dmitry Rogozin concludes that the primary source of the failure of Russia's Phobos-Grunt Mars spacecraft launched on 9 Nov 2011 was a programming error that "led to a simultaneous reboot of two working channels of an onboard computer" that prevented the probe from escaping earth orbit.
http://news.discovery.com/space/programming-error-doomed-mars-probe.html
http://www.newscientist.com/blogs/shortsharpscience/2012/02/space-radiation-killed-russian.html
This bill would make it illegal to require researchers to make their work available publicly.

[Does the Research Works Act work? Probably not. Do Research Works act? No, although this act might seem theatrical! Does Research work? Yes. Sometimes it can be very valuable, even if often ignored in development communities. However, much past research is widely ignored. On the other hand, the answer is No, if its existence is hidden or otherwise obscured! PGN]

> Date: Thu, 26 Jan 2012 17:21:43 -0500
> From: David Farber <dave@farber.net>
> Subject: [IP] A small bill in the US, a giant impact for research worldwide
> http://theconversation.edu.au/a-small-bill-in-the-us-a-giant-impact-for-research-worldwide-4996
Satellite telephony was thought to be secure against eavesdropping. Researchers at the Horst Goertz Institute for IT-Security (HGI) at the Ruhr University Bochum have cracked the encryption algorithms of the European Telecommunications Standards Institute (ETSI), which is used globally for satellite telephones, and revealed significant weaknesses. With simple equipment, they found the crypto key which is needed to intercept telephone conversations. Using open-source software and building on their previous research results, they were able to exploit the security weaknesses.

Telephoning via satellite

In some regions of the world standard cell phone communication is still not available. In war zones, developing countries and on the high seas, satellite phones are used instead. Here, the telephone is connected via radio directly to a satellite. This passes the incoming call to a station on the ground. From there, the call is fed into the public telephone network. So far this method, with the ETSI's encryption algorithms A5-GMR-1 and A5-GMR-2, was considered secure.

Simple equipment, fast decryption

For their project, the interdisciplinary group of researchers from the areas of Embedded Security and System Security used commercially available equipment, and randomly selected two widely used satellite phones. A simple firmware update was then loaded from the provider's website for each phone and the encryption mechanism reconstructed. Based on the analysis, the encryption of the GMR-1 standard demonstrated similarities to the one used in GSM, the most common mobile phone system. "Since the GSM cipher had already been cracked, we were able to adopt the method and use it for our attack," explained Benedikt Driessen, of the Chair for Embedded Security (Prof. Christof Paar). To verify the results in practice, the research group recorded their own satellite telephone conversations and developed a new attack based on the analysis. "We were surprised by the total lack of protection measures, which would have complicated our work drastically," said Carsten Willems of the Chair for System Security at the RUB.

Invasion of privacy

Encryption algorithms are implemented to protect the privacy of the user. "Our results show that the use of satellite phones harbours dangers and the current encryption algorithms are not sufficient," emphasized Ralf Hund of the Chair for System Security (Prof. Thorsten Holz). There is, as yet, no alternative to the current standards. Since users cannot rely on their security against interception, similar to the security of standard cell phones, they will have to wait for the development of new technologies and standards, or make use of other means of communication for confidential calls.

"We were able to completely reverse engineer the encryption algorithms employed," said Benedikt Driessen and Ralf Hund of Ruhr University Bochum as they announced their report, "Don't Trust Satellite Phones".
Last week I received an e-mail from PayPal with the subject "Your action is needed to continue using your PayPal account" and containing lines like:

  Log in to agree to our Electronic Communications Delivery Policy
  ...
  an important NOTICE FROM PayPal: YOUR CONSENT IS REQUIRED
  LOGIN TO CONSENT [link]

Of course, this looks *exactly* like the millions of other phishing e-mails that are this very moment flying across the Internet. But this one looked really well put together, unlike most others, so I took a look at the source. It's real. All the links are legit, and when I logged in (by typing in the PayPal URL, not clicking a link) there indeed was a notice of updated terms.

As we all know, the e-mail should have contained no login links and should have advised the recipient to login by entering the URL manually. Somebody at PayPal deserves a dope-slap.

I decided to submit it to PayPal's spoof-investigation address to point out the error of their ways, and today received this:

  Our security team is working to identify if the e-mail you forwarded to us is a phishing e-mail. We will get in touch shortly to let you know our findings.

I await their findings with interest :-)
Antony Savvas, App would crawl Twitter and Facebook, *IT Business*, 27 Jan 2012

The US Federal Bureau of Investigation (FBI) is planning to develop an application that can track the public's postings to Facebook, Twitter and other social networks, in order to aid how it predicts and reacts to criminal behaviour, including public disorder and terrorism. ...
http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=65839

Stephen Lawson, *IT Business*, 27 Jan 2012
http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=65840

The messages would be visible elsewhere in the world and the removal would be clearly marked, Twitter said.
Evidence of massive Iranian Internet blocking—SSL, etc. [From NNSquad] http://j.mp/wmu13o (Google+) http://j.mp/AaJ27E (Google+)
(From Dave Farber's IP)

Trustwave, a Certificate Authority, issued a certificate that allowed the owner to issue any valid certificate to facilitate man-in-the-middle attacks on their employees.
http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html

They say that they used a special hardware container to ensure that this could not be used for anything other than the intended purpose, but this still indicates that a long-suspected weakness in the CA infrastructure is being exploited to eavesdrop on traffic.
http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html

EFF sent out an alert about the fact that Iran was doing this a few months ago, but this is the first I have heard of a corporation doing it.
https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google
Symantec pcAnywhere Security Recommendations

Introduction

Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.

With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.

At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks. For customers that require pcAnywhere for business critical purposes, it is recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow the general security best practices discussed herein. This document is designed to help customers understand the situation and to provide remediation steps to maintain the protection of their devices and information. ...
http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf
Robert Lemos, Got remote access? Lock it down, InfoWorld, 10 Feb 2012
http://www.infoworld.com/t/application-security/got-remote-access-lock-it-down-186194

Poorly configured remote-access software is to blame for the majority of data breaches by hackers, according to security reports from Verizon and Trustwave.

Opening text: While the theft of source code for Symantec's pcAnywhere has put the remote-access program in the spotlight, the security issues posed by remote management products are not new. In fact, data released over the last year shows that poorly configured remote-access programs routinely account for a significant portion of data breaches and network security incidents. Remote-access software, for example, led to a stunning 62 percent of breaches studied by security firm Trustwave in its recently released global security report.
http://j.mp/wYfWgu (CNET via NNSquad) Hawaii's legislature is weighing an unprecedented proposal to curb the privacy of Aloha State residents: requiring Internet providers to keep track of every Web site their customers visit.
communications data retention
http://j.mp/A5Opfx (Slashdot via NNSquad)

Australia would like to follow the EU down the 'European Directive on Data Retention' path. Law enforcement agencies may have the option to request a log of all of a user of interest's telco usage without any review or time limits.
http://j.mp/xhJiCo (FOX via NNSquad)

But in Matt's case, his "slanderer" isn't so anonymous. In fact, Amanda Ryncarz, Matt's former girlfriend, fully admits posting on the site about their three-year relationship. "I posted on liarscheatersrus.com," she said in a written statement, "because I wanted to warn other women in order to protect them from what I suffered." Couloute is now suing Ryncarz for "tortuous interference with prospective business relations." It's a case that could determine what people are and are not allowed to post on the Web.
http://j.mp/yILrSa (Full Comment, via NNSquad) China's censorship system is complex and multilayered. The outer layer is generally known as the "great firewall" of China, through which hundreds of thousands of websites are blocked from view on the Chinese Internet. What this system means in practice is that when one goes online from an ordinary commercial Internet connection inside China and tries to visit a website such as hrw.org, the website belonging to Human Rights Watch, the web browser shows an error message saying, "This page cannot be found." This blocking is easily accomplished because the global Internet connects to the Chinese Internet through only eight "gateways," which are easily "filtered."
handling of Occupy Boston protest
http://www.boston.com/Boston/metrodesk/2012/02/hackers-take-over-boston-police-department-website/mKzINebAXJWcv7uBZKZB0K/index.html
Hooray! Two people running a card swipe scam mainly in Perth, Australia have been convicted on a $3.5 million dollar scam. Over 400 people were defrauded.
http://au.news.yahoo.com/thewest/a/-/breaking/12804738/man-found-guilty-of-mcdonalds-card-scam/

The expert witness for the DA and the lay jury bravely handled the attempt by the highly technically savvy defence team to throw doubt on the technical testimony. A small group of Perth gurus, with backgrounds in design of card reader hardware, software and security, aided the police investigation and provided support for the DA's team.

This scam was achieved by substituting, at fast food drive-throughs, modified same-make handheld terminals that were previously stolen. How this substitution could be done without anyone noticing is described later on. The criminals applied a set of clever modifications INSIDE the terminal, undetectable from the outside. These bugged terminals were then handed over to customers in cars at fast food drive-throughs throughout the Perth area. The modified terminals sent the customer's CARD swipe and PIN codes by radio link to nearby cars staffed by yet-uncaught associates. New cards were created with this information and all the funds sucked out of many accounts.

Caveat: some of the below is based on off-the-record rumours.

Security failures:

[1] There was no inside job. Sadly, the drive-through sites themselves provided the "Open Sesame" for these baddies quite by accident. The card terminals that were handed to the car had the spiral cable security clamps REMOVED because of the habit of this brand of terminals to lock up, and ONLY by unplugging would the terminal reset. This fault occurred so often that the under-pressure staff worked out a "solution" and just left the cable's security clamp off!

Terminal swap-out technique: The crook's car enters the drive-through as normal. They order, the staff hands over an (unclamped) terminal, a normal transaction occurs. Then the modified terminal is substituted in just a few seconds, and handed back. The clean terminal is then modified and taken to a new store. A nearly perfect Do While loop with one exit case: "If Police" then break.

[2] So why was this swap not detected? My guess is that there was software in the card host controller which allowed new or different terminals to be rapidly connected and re-activated without causing any alarms or requiring a manual log-in. Many possible reasons: code flaws, poor testing, misguided directions from a client? I do hope this may be made public one day.

Do not treat this as a one-off down-under crime. This crime is likely to be part of a worldwide scam. A smart techno crook has noticed the physically unprotected terminal cable and worked out how to get rich quick. Notify the store, police or newspaper in your area if you see an unclamped cable when you are handed a terminal in a drive-through. If you can unplug it, so can the crooks.

Len Spyker, Perth, Australia
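The detection gap the post guesses at under [2], as an added illustration that is not part of the post or of any real payment host: a monitor over constructed terminal-connection log lines that alerts when a lane's terminal serial changes without a staff enrollment event for the new serial. The log format, event names and sample lines are assumptions made for this example.

```python
"""Terminal-swap monitor: flag a lane whose handheld terminal serial changes
without a logged enrollment. Added illustration; the log format, field names
and the sample lines below are constructed for this example, not a real host's."""
from collections import namedtuple

Event = namedtuple("Event", "ts lane kind serial")

# Constructed sample log, one "timestamp lane EVENT serial" record per line.
# CONNECT = the host sees a terminal come online on a lane (a lock-up reset
# of the same terminal looks like this too); ENROLL = a staff-authorised
# replacement of the terminal on that lane.
SAMPLE_LOG = """\
2012-02-01T10:00:05 lane1 CONNECT T-48811
2012-02-01T10:03:12 lane1 CONNECT T-48811
2012-02-01T10:04:40 lane1 CONNECT T-90177
2012-02-01T10:05:01 lane2 ENROLL T-31002
2012-02-01T10:05:20 lane2 CONNECT T-31002
2012-02-01T10:06:55 lane1 CONNECT T-90177
"""


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped rather
    than allowed to crash the monitor."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, lane, kind, serial = parts
        events.append(Event(ts, lane, kind, serial))
    return events


def find_unenrolled_swaps(events):
    """Return (ts, lane, old_serial, new_serial) for every change of terminal
    on a lane that was not covered by an ENROLL of the new serial on that lane.
    A lane's very first terminal is treated as initial provisioning and a
    re-plug of the same serial (the lock-up reset) raises nothing."""
    current = {}   # lane -> serial the host last saw on it
    enrolled = {}  # lane -> set of serials staff explicitly enrolled
    alerts = []
    for ev in events:
        if ev.kind == "ENROLL":
            enrolled.setdefault(ev.lane, set()).add(ev.serial)
            continue
        if ev.kind != "CONNECT":
            continue
        prev = current.get(ev.lane)
        swapped = prev is not None and prev != ev.serial
        if swapped and ev.serial not in enrolled.get(ev.lane, set()):
            alerts.append((ev.ts, ev.lane, prev, ev.serial))
        current[ev.lane] = ev.serial
    return alerts


if __name__ == "__main__":
    for ts, lane, old, new in find_unenrolled_swaps(parse_log(SAMPLE_LOG)):
        print(f"{ts} {lane}: terminal changed {old} -> {new} with no enrollment")
```

On the sample log only the lane1 change at 10:04:40 is reported; the repeated CONNECT of the same serial and the enrolled lane2 replacement stay silent.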
Public Domain in Other Countries? [From Dave Farber's IP distribution. PGN]

Would The US Extradite UK Blogger For Linking To Works In The Public Domain In Other Countries?
from the insanity-of-today's-copyright-laws dept
http://www.techdirt.com/articles/20120201/00455517613/would-us-extradite-uk-blogger-linking-to-works-public-domain-other-countries.shtml

James Firth has an interesting post, talking about some of the more ridiculous consequences of current US law enforcement interpretation of copyright law. Looking at the case of Richard O'Dwyer, the computer science student that the US is getting closer to extraditing to the US to face criminal copyright infringement charges for merely linking to infringing works (something that had already been found legal in the UK multiple times), Firth takes it to its logical ends. He points out that George Orwell's works, Animal Farm and 1984, have gone into the public domain in South Africa, Canada or Australia. And thus, there are completely legal free copies of such works online. But they're only legal in those countries. In the US and the UK, both remain under the yoke of copyright thanks to copyright extensions. This leads to a simple fear. If he merely pointed people to the location of these completely legal versions of the work, he would now be just as "guilty" as Richard O'Dwyer under the interpretation of the US Justice Department. After all, he is using a .com domain (American property, according to the stretched interpretation of the DOJ) to link to works that technically infringe in both the UK, where he is, and the US, where the DOJ has suddenly become the US entertainment industry's private police force. ...
Electronic Frontier Foundation Media Release
For Immediate Release: Friday, February 10, 2012

The Heartbreaking Truth About Online Dating Privacy
Users Beware: Many Sites Have Serious Security Holes

San Francisco - Millions of people use Internet dating sites to search for love and connection every day, but it could come at a big cost for their privacy and security. The Electronic Frontier Foundation (EFF) has found that many services are taking shortcuts in safeguarding users' profiles and other sensitive data.

In "Six Heartbreaking Truths About Online Dating Privacy," EFF identifies serious security holes and counter-intuitive privacy settings that could expose daters' private information. For example, your dating profile, including your photo, can hang around long after you think you've taken yourself off the market. Some sites are also sucking up the vast quantity of data their users share and selling it to online marketers. If you aren't careful, your profile can also be indexed by Google, perhaps popping up in search results if you have an unusual nickname or other unique ways of describing yourself.

"Whether you signed up on a lark or maintained an active profile for years, you may be exposing more information about yourself than you know," said EFF Activism Director Rainey Reitman. "There are a number of ways your online dating profile can be connected to your real identity, exposing things like religious and political beliefs, drug and alcohol use, and sexual preferences. That's why we created this list of the biggest risks, and included some simple tips for online daters who want to protect themselves."

As part of its campaign to raise awareness about the privacy and security risks on popular online dating sites, EFF analyzed the security practices of eight major sites. Many of the most popular sites, like eHarmony and Match.com, don't offer secure access through HTTPS by default, and OkCupid doesn't provide HTTPS access at all. That means every OkCupid username, e-mail, chat session, search, and page viewed are all transmitted in plaintext instead of in encrypted form.

"OkCupid says it can limit who sees your profile; for example, users who identify as gay or bisexual may opt out of being seen by straight people," said EFF Senior Staff Technologist Seth Schoen. "But without HTTPS, the fact that you identify as gay and don't want to be seen by some groups is sent in plaintext, making it easy for someone with the right skills to uncover it. Major sites like Twitter and Facebook have implemented HTTPS recently to protect their users. But dating sites like OkCupid are sadly lagging behind."

Six Heartbreaking Truths About Online Dating Privacy:
https://www.eff.org/deeplinks/2012/02/six-heartbreaking-truths-about-online-dating-privacy

Comparing Privacy and Security Practices on Online Dating Sites:
https://www.eff.org/deeplinks/2012/02/comparing-privacy-and-security-online-dating-sites

Find out more at https://www.eff.org.

Contacts:
Rainey Reitman, Activist, Electronic Frontier Foundation, rainey@eff.org, +1 415 436-9333 x140
Seth Schoen, Senior Staff Technologist, Electronic Frontier Foundation, seth@eff.org, +1 415 436-9333 x107
[From nnsquad@nnsquad.org] "Facebook is still working on deleting photos from its servers in a timely manner nearly three years after Ars first brought attention to the topic. The company admitted on Friday that its older systems for storing uploaded content "did not always delete images from content delivery networks in a reasonable period of time even though they were immediately removed from the site," but said it's currently finishing up a newer system that makes the process much quicker. In the meantime, photos that users thought they "deleted" from the social network months or even years ago remain accessible via direct link." http://j.mp/xMjyV9 (ars technica)
In RISKS-26.71, PGN drew our attention to a *WiReD* article by Jonah Lehrer. I've read that article carefully, and have to say that it has some large leaps of illogic. A better title than 'Why Science is Failing Us' would have been 'Trials and Errors: How Scientific Testing Prevented Millions of People Being Killed'. Let me offer a translation for programmers:

(1) Pfizer's scientific understanding of the cholesterol pathways was soundly based and their drug design rightly worth exploring. The drug had the immediate effects on that system that they expected it to. A closely related drug with the *same* target (that is, based on the same science) looks as though it may work, with less bad.

(2) However, their understanding was *limited*. As is by now pretty well known, *most* drugs have multiple effects in many systems of the body. Pfizer's scientists understood quite well that understanding what a drug will do to the cholesterol pathway is NOT the same as understanding what it will do in a whole person.

(3) The thing that makes scientific drug development science is TESTING. As Risks readers will surely understand, when the test phase said "OOPS!", that was NOT science failing, that was science working brilliantly. If the *drug* fails the test, that means the *test* did NOT fail.

There are obvious lessons for programmers here. They are not the lessons ("causality is hallucination", "science is failing us") that Jonah Lehrer learned. The lesson is that the real world is always more complicated than our models of it (otherwise there wouldn't be any point in _having_ models); that there are always unexpected interactions in complex systems; that there is no substitute for testing in the best approximation to the real world that you can get; and that failed tests count as successes of the testing process. It is *better* that Pfizer should lose $21e9 in value on the questionably real stock market than that millions of people should die from an untested drug.

Anyone who expects (program or drug or bridge or highway or ...) designs to work without testing and without unexpected consequences must have slept through the entire 20th century.
Risks-Forum Digest, Volume 26 : Issue 71, had the following (excerpted):

> From: msb@vex.net (Mark Brader)
> Subject: Pocket-dialed 911 calls increasingly common
> [snip... regarding "butt dialing" of 911 calls]
> Police are now campaigning to ask cellphone users to "lock it before you pocket", but some smartphones can dial 911 even when the phone is locked.

For some value of "smartphones", and for that matter, "dumbphones", approaching pretty close to 100 percent.

* A likely contributor to this problem is that a hefty percentage of cellphones will _also_ accept calls to "112", the GSM international standard for emergency calls. (There's another one as well which isn't as common, but many phones will accept that one, too.) And, per FCC (US) and similar rules in Canada, cell phones, even without a service plan, must be allowed to connect to the "911" call receiving centers (PSAPs). If you take, for example, a T-Mobile (USA) or Rogers (Canada) cellphone and remove the SIM card, you can still make calls to "911". And... if you punch in "112", the phone will contact the network, which will then handle it as if you dialed "911". Given the physical layout of keypads, I'd guess that "112" is probably the path for a hefty number of these calls.