> The intentional ambiguity of this additional state makes it a perfect
> third value for a binary bit.

The correct solution is so blatantly obvious that I blush to mention it - but The Security of The Free World, as well as Baseball, Mom, and Apple Pie are at Stake (mmm, steak and apple pie... but I digress), and thus I feel I have no choice. The solution does involve sacrificing one additional 3-state bit (along with the traditional goat), and the truth table would look like this:

  0 0  Lawful Good
  0 1  Lawful Neutral
  0 2  Lawful Evil
  1 0  Neutral Good
  1 1  Neutral
  1 2  Neutral Evil
  2 0  Chaotic Good
  2 1  Chaotic Neutral
  2 2  Chaotic Evil

The mechanism for enforcement is trivial, and thus left to the individual student - but does involve the classic die-rolling algorithm. We now return you to our scheduled programming.

Ben Okopnik 443-250-7895 http://okopnik.com http://twitter.com/okopnik
[See Peter Ladkin's blog on the risks involved in a proposed effort summarized by the subject line above. PGN]

http://www.abnormaldistribution.org/2012/03/24/drones-in-civil-airspace-again-bringing-gifts-of-tacos/

Peter Bernard Ladkin, Professor of Computer Networks and Distributed Systems, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany

[PBL's blog item is serious, although the concept of remotely programmable special-purpose drones for public use opens up quite a few foolish but not-so-Aprilly possibilities. However, it also reminded me a little of when I was in the Computer Science Lab at Bell Labs in Murray Hill in the 1960s: Vic Vyssotsky came up with the concept of a programmable cable-laying satellite, complete with calculations on how to manage smooth payout despite would-be obstructions and how to avoid snapback when the cable was cut. Vic was also the ghost author of the wonderful article on The Chaostron: An Important Advance in Learning Machine, an AI spoof attributed to J.B. Cadwallader-Cohen, W.W. Zysiczk and R.B. Donnelly -- which was reprinted in a special foolish section that I edited for the April 1984 issue of the ACM Communications, pp. 356--357, a sort of 25th anniversary collection of computer-related humor and whimsey that also included among other contributions Lawrence Clark's COME-FROM statement in response to the GO-TO controversy, Don Knuth's delicious analysis of the Complexity of Songs, and a delightfully self-referential heavily annotated item on an Ada package for automatic footnote generation written by a long-time RISKS contributor (see volume 1 number 1 at www.risks.org) under the anagrammatic pen-name of Preet J Nedginn along with Trebor L. Bworn (whose last name was rather unfortunately and somewhat surprisingly msicorekted to Brown in the table of contents of the issue by the editor (who must have thought it was a typo!)). PGN]
The front page of *The New York Times Magazine* on 8 Apr 2012 had this text in a very large font (with interspersed small graphics of birds, a pig, and a monkey):

  The Hyperaddictive, Time-Sucking, Relationship-Busting, Mind-Crushing Power and Allure of Silly Digital Games

Below that, in a much smaller font, is this text:

  (Which is not to say we don't love them too.)  By Sam Anderson

On page 28 of the magazine, the cover article begins with the caption

  Just One More Game ... How time-wasting video games escaped the arcade, jumped into our pockets, and took over our lives.

This is a remarkably well-conceived article about computer-related addictions, spanning not only Tetris to Angry Birds (which moved from iPhones to everywhere else), but also Zynga (Draw Something), Frank Lantz's Drop7, Facebook, and much more. The article ends with a discussion with Lantz talking about his relationship with poker: "It was like a tightrope walk between this transcendently beautiful and cerebral thing that gave you all kinds of opportunities to improve yourself—through study and self-discipline, making your mind stronger like a muscle—and at the same time it was pure self-destruction."

This is a really important article for game creators, gamers, psychologists, and people trying to understand erratic behaviors of their loved ones.
As far as we've been able to understand it, this "flaw" in the voting system back-end software occurs when someone edits the database after having already printed the ballots. That can knock the contests on a ballot out of sync, which can mean that totals for one contest are assigned to another... unfortunately, it requires that someone detect the error and that a recount or risk-limiting audit be performed to correct this kind of error. One would think that such voting system databases should refuse to allow edits after ballot printing, but apparently that's not the case!

Joseph Lorenzo Hall, Postdoctoral Research Fellow, Media, Culture and Communication, New York University https://josephhall.org/

http://www.computerworld.com/s/article/9225816
E-voting system awards election to wrong candidates in Florida village
Analysts warn that same Dominion Sequoia machines are used in nearly 300 U.S. municipalities

  Dominion Voting Inc.'s Sequoia Voting Systems device mistakenly awarded two Wellington Village Council seats to candidates who were found in a post-election audit to have lost their races. The results were officially changed last weekend after a court-sanctioned public hand count of the votes.
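The mechanism described above, as an added example that is not part of the original post and not any vendor's code: a toy election back end in which a printed ballot records choices by contest position, so reordering the contest list after printing silently moves every total onto the wrong contest; freezing the definition at print time and checking its hash at tally time is the safeguard the post asks for. All contests, candidates and ballots are constructed sample data.

```python
import hashlib
import json


class BallotDefinitionFrozen(Exception):
    """Raised on an edit after printing, or on a tally against an edited definition."""


class ElectionDB:
    """Toy back end: contests are stored in order, and a printed ballot
    records each voter's choice by contest position, so the order matters."""

    def __init__(self, contests):
        self.contests = list(contests)   # [(contest_name, [candidate, ...]), ...]
        self.printed_digest = None       # set once ballots are printed

    def digest(self):
        # Canonical hash of the contest order; any edit changes it.
        blob = json.dumps(self.contests, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()

    def print_ballots(self):
        self.printed_digest = self.digest()
        return self.printed_digest

    def edit_contests(self, contests, enforce_freeze=True):
        # The rule the post asks for: the definition is read-only once printed.
        if enforce_freeze and self.printed_digest is not None:
            raise BallotDefinitionFrozen("ballots already printed")
        self.contests = list(contests)

    def tally(self, ballots, check_digest=True):
        # ballots: [(digest_printed_on_ballot, [candidate_index per contest]), ...]
        if check_digest and any(d != self.digest() for d, _ in ballots):
            raise BallotDefinitionFrozen("ballot does not match current definition")
        totals = {name: {c: 0 for c in cands} for name, cands in self.contests}
        for _, choices in ballots:
            for (name, cands), choice in zip(self.contests, choices):
                totals[name][cands[choice]] += 1
        return totals


def demo():
    """Constructed data: two seats, four ballots. Returns (correct, corrupted)."""
    db = ElectionDB([("Seat 1", ["A", "B"]), ("Seat 2", ["C", "D"])])
    printed = db.print_ballots()
    ballots = [(printed, [0, 1]), (printed, [0, 1]), (printed, [0, 1]), (printed, [1, 0])]
    correct = db.tally(ballots)
    # The flaw from the post: contests reordered after printing, with both
    # safeguards switched off so the mis-assigned totals become visible.
    db.edit_contests([("Seat 2", ["C", "D"]), ("Seat 1", ["A", "B"])], enforce_freeze=False)
    corrupted = db.tally(ballots, check_digest=False)
    return correct, corrupted
```

With the safeguards left on, the same edit is refused and the tally raises instead of reporting the wrong winners.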
http://www.cccblog.org/2012/04/01/computer-science-for-the-rest-of-us/

An article in *The New York Times* (1 Apr 2012) [is] making the rounds -- written by Randall Stross, an author and professor of business at San Jose State University:

  READING, writing and—refactoring code? Many professors of computer science say college graduates in every major should understand software fundamentals. They don't argue that everyone needs to be a skilled programmer. Rather, they seek to teach "computational thinking"—the general concepts programming languages employ. In 2006, Jeannette M. Wing, head of the computer science department at Carnegie Mellon University, wrote a manifesto arguing that basic literacy should be redefined to include understanding of computer processes. "Computational thinking is a fundamental skill for everyone, not just for computer scientists," she wrote. "To reading, writing and arithmetic, we should add computational thinking to every child's analytical ability." There is little agreement within the field, however, about what exactly are the core elements of computational thinking. Nor is there agreement about how much programming students must do, if any, in order to understand it. Most important, the need for teaching computational thinking to all students remains vague [more after the jump].

Erwin Gianchandani <erwin@cra.org>
Nestor E. Arellano, *IT Business*, 3 Apr 2012
Facial recognition tech could help stop drunk drivers
The face recognition software developed by University of Windsor students will prevent drivers from circumventing a vehicle-interlock system which immobilizes a car when its driver is drunk.
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=66852&cid=99

selected text:

  The face recognition system developed by Ray and Saha is designed to authenticate the identity of the driver. Driver ID will take pictures of authorized drivers and store them in the system's database. Only drivers whose photos are in the database can operate the car. A small onboard infrared camera will snap a photo of whoever is on the driver's seat and compare that photo with the image stored in the database.

The author expresses concern about how the system could be fooled, but there are other risks.
1) False negatives could be nasty.
2) Going on a picnic or going camping at a remote location could be a real bother if one's host has a heart attack. How do you get him out if you are not on the authorised driver list?
The NIST Information Security & Privacy Advisory Board made the following recommendation about the issue of maintaining security in medical devices. The letter paints a somewhat grim future if the forces at play remain unchecked, but the Board made several recommendations to better manage and mitigate the risks.

http://csrc.nist.gov/groups/SMA/ispab/documents/correspondence/ispab-ltr-to-omb_med_device.pdf
http://csrc.nist.gov/groups/SMA/ispab/

An audio webcast of the panel appears on
http://blog.secure-medicine.org/2012/02/nist-explores-economic-incentives-for.html
At Defcon 2011, Jay Radcliffe looked at the ethics that his insulin pump could be hacked to give too much or too little insulin when needed, possibly causing death. He demonstrated the possibility on stage.

[Jack's message is in response to a note from Kenneth Olthoff:
  Those of us in the security business have speculated for years about how pacemakers and other medical devices could be hacked or attacked, but the BBC today has the first article that I recall seeing in the popular press covering that issue. I'm sure there have probably been others that I didn't see or don't recall, but FWIW...
  http://www.bbc.com/news/technology-17623948
PGN]
This new system upgrades on the fly, he said, the first such in-car application to do so. "It's seamless to the customer," Link said. "I have a friend who was excited about his system upgrade, which required him to plug in his stick and leave his car running for 45 minutes. Who wants to do that? In a process called reflashing, the Mercedes system can turn on the car operating system (CU), download the new application, then cut itself off. It doesn't require you to do anything at all."
http://www.txchnologist.com/2012/new-york-auto-show-upgrading-auto-software-in-a-flash

It seems so easy, what can go wrong?

Robert Schaefer, Atmospheric Sciences Group, MIT Haystack Observatory, Westford, MA 01886, 1-781-981-5767, http://www.haystack.mit.edu
"A series of hacks perpetrated against so-called `smart meter' installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity."
http://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/

Robert Schaefer, Atmospheric Sciences Group, MIT Haystack Observatory, Westford MA 01886, 781-981-5767, http://www.haystack.mit.edu rps@haystack.mit.edu
The U.S. Navy says it is looking to hack into used consoles to extract any sensitive information exchanged through their messaging services. The organization says it will only use the technology on consoles belonging to nations overseas, because the law doesn't allow it to be used on any US persons. http://www.zdnet.com/blog/security/us-government-hires-company-to-hack-into-video-game-consoles/11395
This story (and the judicial opinion linked from it) shows what kinds of trouble you can cause (and get into) when you code up financial-transaction software without thinking about the law governing those transactions.

<http://www.nakedcapitalism.com/2012/04/judge-rules-wells-fargo-engages-in-reprehensible-systemic-accounting-abuses-on-mortgages-hit-with-3-1-million-punitive-damages-for-one-loan.html>

(Among other things, the company apparently wrote its software so that -- contrary to the loan contracts and the law -- various fees were silently deducted from payments before applying the payments to the outstanding balance, thus generating additional fees and so on. Even after the loans in question had become part of bankruptcy filings, which apparently bars such fees from being applied.)

Given the money to be made (in the no-litigation case) by re-ordering transactions, it seems quite plausible to me that the people familiar with the law and the contract text might have accidentally failed to stress the importance of proper sequence to the people who wrote the code, or missed the legal implications on review. But with tens or hundreds of thousands of cases nationwide, all presumably handled by the same software, the liability starts adding up.
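The ordering defect described above, as an added example that is neither the post's nor any servicer's code: the contract-order routine applies the whole payment to the loan and carries fees on a separate ledger, while the fee-first routine skims fees off the payment, so the loan sees a short payment, books another fee, and skims again next month. Balance, rate, payment and fee amounts are constructed sample values.

```python
from decimal import Decimal

CENT = Decimal("0.01")
MONTHLY_RATE = Decimal("0.005")   # constructed: 6% APR / 12
LATE_FEE = Decimal("50.00")       # constructed


def apply_contract_order(balance, payment, fees_owed, months):
    """Order the contracts and the law expect: interest, then principal.
    Fees stay on a separate ledger and are never skimmed off a payment.
    Returns (balance, fees_owed, new_fees_generated)."""
    balance, payment = Decimal(balance), Decimal(payment)
    fees_owed = Decimal(fees_owed)
    for _ in range(months):
        interest = (balance * MONTHLY_RATE).quantize(CENT)
        balance += interest - payment       # the whole payment reaches the loan
    return balance, fees_owed, 0


def apply_fee_first(balance, payment, fees_owed, months):
    """The ordering the post describes: fees are quietly taken out of the
    payment first, the loan sees a short payment, a late fee is booked,
    and the next payment is skimmed again. Returns the same triple."""
    balance, payment = Decimal(balance), Decimal(payment)
    fees_owed = Decimal(fees_owed)
    new_fees = 0
    for _ in range(months):
        interest = (balance * MONTHLY_RATE).quantize(CENT)
        skim = min(fees_owed, payment)
        fees_owed -= skim
        net = payment - skim
        balance += interest - net           # only the remainder reaches the loan
        if net < payment:                   # "short" payment -> another fee
            fees_owed += LATE_FEE
            new_fees += 1
    return balance, fees_owed, new_fees
```

Starting from one pending 50.00 fee, the fee-first routine never clears it: every month it skims 50.00, books a new 50.00 fee, and leaves the borrower with a higher balance than the contract order would.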
Uses of materials in a form consisting of particles with at least one dimension less than 100 nanometers (a nanometer is a billionth of a meter) are proliferating at a great rate. We are seeing this exciting new technology applied to increasing numbers of consumer products, industrial materials, and medical procedures. And it appears that this is just the beginning. This is the good news. The bad news is that the same properties that make nanoparticles so useful also make them potentially dangerous, both to humans and to the general environment. What is being done to protect us against such hazards? My effort to explain the situation is accessible at:
http://www1.cs.columbia.edu/~unger/myBlog/endsandmeansblog.html

Stephen H. Unger, Professor Emeritus, Computer Science and Electrical Engineering, Columbia University
Ted Samson, *InfoWorld*, 9 Apr 2012
Flawed mobile apps for Facebook, Dropbox, LinkedIn, and likely others save user authentication data as easy-to-swipe plain text files
http://www.infoworld.com/t/mobile-security/flaw-in-popular-mobile-apps-exposes-users-identity-theft-190430
[Source: Eric Lichtblau, *The New York Times*, 31 Mar 2012; PGN-ed]
http://www.nytimes.com/2012/04/01/us/police-tracking-of-cellphones-raises-privacy-fears.html?_r=1&nl=todaysheadlines&emc=tha2_20120401

Law enforcement tracking of cellphones, once the province mainly of federal agents, has become a powerful and widely used surveillance tool for local police officials, with hundreds of departments, large and small, often using it aggressively with little or no court oversight, documents show.

The practice has become big business for cellphone companies, too, with a handful of carriers marketing a catalog of "surveillance fees" to police departments to determine a suspect's location, trace phone calls and texts or provide other services. Some departments log dozens of traces a month for both emergencies and routine investigations. ...
"You have heard about fraud and online advertising. You may have seen the Wall Street Journal video "Porn Sites Scam Advertisers", or even read the story at today's Wall Street Journal about "Off Screen, Porn Sites Trick Advertisers" (Hint: to avoid the WSJ paywall, search the title of the article through Google News and click from there, to read the full article). Since I am intimately familiar with the story covered by WSJ (i.e., I was part of the team at AdSafe that uncovered it), I thought it would be also good to cover the technical aspects in more detail, uncovering the way in which this advertising fraud scheme operated. It is long but (I think) interesting. It is a story of a one-man-making-a-million-dollar-per-month fraud scheme. It shows how a moderately sophisticated advertising fraud scheme can generate very significant monetary benefits for the fraudster: Profits of millions of dollars per year." http://j.mp/HyfRhj (A Computer Scientist in a Business School)
I listen to music off YouTube. Lately, YouTube has changed my listening experience. Yes, advertisements. Longer advertisements. Well, it finally happened. The full advertisement was 2:41 long. The song that I wanted to listen to was 2:33 long. ("Skip Ad" is useful.) I wonder what the advertisers who create these 2+ minute ads are thinking. ["Money?" PGN]
"DRM is supposed to prevent piracy and illegal file sharing. In order to provide DRM, you need at least $10,000 up front to cover software, server, and administration fees, plus ongoing expenses associated with the software. In other words, much bigger operating expenses than a small business can afford. By requiring retailers to encrypt e-books with DRM, big publishers are essentially banning indie retailers from the online marketplace. DRM is like the anti-theft sensors by the doors at the drugstore. The sensors go off all the time, but they still can't stop a crafty teenager who knows how to remove a magnetic tag - nor can they stop criminals who break in and steal directly from the till." http://j.mp/Hqp35O (paidContent, via NNSquad)
"After some sleuthing, Mr. Watt, who has a background in developing Web advertising tools, realized that the quirk was not confined to his site. The hotel's Internet service was secretly injecting lines of code into every page he visited, code that could allow it to insert ads into any Web page without the knowledge of the site visitor or the page's creator." http://j.mp/HqpLjf (*The New York Times* via NNSquad)
Free (via NNSquad) Researchers at Ohio State University found that the Internet spurs pro-democratic attitudes most in countries that already have introduced some reforms in that direction. "Instead of the Internet promoting fundamental political change, it seems to reinforce political change in countries that already have at least some level of democratic freedoms ..."
I'm not sure if I understand Dan's concerns. Letting carriers just shut down PSTN without assuring unfettered IP connectivity would be a disaster. That's a reason to assure connectivity rather than increasing our reliance on providers, especially when that reliance is costing us $2 trillion dollars each year.

We need to be wary of using moral justifications to preserve the PSTN as an artifact. Remember that many at ATT did indeed believe in the highest traditions of serving the public good. The problem is that tradition allowed for only one definition of "good". The Internet is a very different concept because it provides a way to have multiple definitions of "good". In place of "reliability" we have "resilience"—an important concept for Risks readers.

In a sense the net-heads and bell-heads are both trying to do us good by our solving problems in the network. For example, moving 9-1-1 type services outside a network would allow us to rapidly evolve alternatives such as sending rich information directly to fire departments. With multiple services coexisting we don't have to force a single interconnect. What does it even mean to interconnect inside a network?

At the heart of the problem is the idea that services are provided by the network operators rather than created using the network. It's that meme that enables Telia to justify blocking VoIP (http://j.mp/H5Uq1T) and Brisbane's police to think they need to protect networks (http://j.mp/GIuwRC).