A report in the Lancet by Michael Ardagh et al. describes the initial health-system response to the earthquake in Christchurch, New Zealand, in February 2011, with a focus on the Christchurch Hospital emergency department. While the response is assessed as effective, the report notes "Power was lost immediately. Within seconds, six diesel-fueled generators activated to provide power to electrical outlets designated as essential services. However, the severe shaking disturbed sump sludge within the diesel tanks. Consequently during subsequent hours, a generator failed several times, leaving the emergency department clinical areas, ICU, blood bank, radiology department, and other areas with no power." Under Lessons learned, the report states, "The back-up generator diesel tanks have since been drained and cleaned." http://www.thelancet.com/journals/lancet/article/PIIS0140-6736(12)60313-4/fulltext (registration required)
[from the IG report looking into a Long Island RR (NYC suburban commuter line) failure last year] At approximately 4:30 p.m. on 29 Sep 2011, the beginning of the evening rush, lightning struck near Long Island Rail Road (LIRR) tracks, creating a power surge that disabled the signal system controlling the train interlocking just west of Jamaica Station. Approximately three and a half hours after the strike, in an attempt to repair a computer server believed to have been damaged by the power surge, a LIRR employee erroneously disabled the separate signaling system controlling the train interlocking just east of Jamaica Station. At that point, all service was suspended.

* So, how did lightning get through the various safeguards? The report continues:

Specifically, OIG found that: In accordance with its contract, ASTS designed the new signaling system for the Jamaica Interlocking but LIRR employees installed it. During the installation, LIRR added a piece of computer equipment called a "serial server", which was not part of the ASTS design. This server allows LIRR to remotely monitor various pieces of the equipment. In the course of attaching the server to the new signaling equipment, a LIRR employee used one incorrect connector. ASTS, LIRR, and Systra all agree that this connector created the pathway by which the power surge generated by the lightning damaged the signal system and brought it down. rest: http://mtaig.state.ny.us/assets/pdf/12-01.pdf
Interesting convergence of different underestimated issues - insider attacks (frequently ignored) and smart meters (largely ignored). [Thanks to Jeremy Epstein for spotting this one. PGN] FBI Concerned About Smart Meter Hacking, 9 Apr 2012 According to an FBI cyber bulletin, an unnamed utility company in Puerto Rico was the target of attacks against smart meters, costing the company hundreds of millions of dollars. This appears to be the first report of such attacks and the FBI expects that the occurrence of similar attacks will rise as the smart grid technology is more widely adopted. The FBI believes that former employees of the meter manufacturer reprogrammed meters for between US $300 and US $3,000 so that the associated buildings appeared to be consuming less power than they actually used. Most meters are read remotely, making fraud detection difficult. The alterations require physical access. http://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/
Outlaw, the blog of the respected UK IT law firm Pinsent Masons, has a thorough article on the risks of installing 'smart' utility (gas and/or electricity) meters at: http://www.out-law.com/en/articles/2012/april/government-to-give-consumers-control-over-smart-meter-data-amidst-privacy-concerns/?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=Feed%3A+out-law-NewsRoundUP+%28OUT-LAW+News-RoundUP%29 It refers to a paper by Ross Anderson and Shailendra Fuloria ("Who controls the off switch?") http://www.cl.cam.ac.uk/~rja14/Papers/meters-offswitch.pdf Both are well worth reading.

There are risks to switching to computerised metering / systems, including:
* unwanted intruders to the data held in your house, in transit or at the utility, accessing when you are in/out or being able to have a good guess at when you are watching TV, or even using the bedroom;
* various other privacy breaches involving an individual or household's personal data.

There is an additional set of risks if such a meter incorporates an 'off' switch to the supply at your location, especially if unauthorised access to such functionality is a possibility. I know the suppliers will claim their security is (will be) so perfect that it is ridiculous to consider this as feasible. If it is a business of course, it might be a ripe source of potential blackmail (greenmail or any colour of your choice). I'm sure the data will be a tempting target at all stages of its journey from home or business to utility's database. Robert (Bob) Waixel, MBCS, MCInstM, FHEA, CITP RW Systems, Cambridge, UK, r.waixel@bcs.org.uk
"Even though the Internet has become a key tool for accessing services, getting an education, finding jobs, getting the news, keeping up with people you know and much more, one in five U.S. adults still does not use the Internet at all, according to a new Pew report. Why? Mostly they're just not interested—not in the Web, e-mail, YouTube, Facebook or anything else that happens online." http://j.mp/HSPgL7 (CNN)
correcting them isn't easy http://j.mp/IuII3Q (Science News) When respondents attempted to engage editors through Wikipedia's "Talk" pages to request factual corrections to entries, 40 percent said it took "days" to receive a response, 12 percent indicated "weeks," while 24 percent never received any type of response. According to Wikipedia, the standard response time to requests for corrections is between two and five days. Only 35 percent of respondents were able to engage with Wikipedia, either by using its "Talk" pages to converse with editors or through direct editing of a client's entry. Respondents indicated this figure is low partly because some fear media backlash over making edits to clients' entries. Respondents also expressed a certain level of uncertainty regarding how to properly edit Wikipedia entries. Of those who were familiar with the process of editing Wikipedia entries, 23 percent said making changes was "near impossible." Twenty-nine percent said their interactions with Wikipedia editors were "never productive."
It has finally happened. The Federal Computer Fraud and Abuse Act has been limited. See http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2012/04/11/BU7P1O1AST.DTL The Ninth U.S. Circuit Court of Appeals said: "Under the prosecution's interpretation [of the Act], millions of unsuspecting individuals would find that they are engaging in criminal conduct," said Chief Judge Alex Kozinski in the majority opinion. The defendant in the case is still being prosecuted for engaging in other criminal acts. Although I supported with testimony, helped write, and assisted in getting the original Computer Fraud and Abuse Act adopted, I pointed out that all violations it covered seemed to be covered by existing criminal laws (as was this case) and in most cases had stronger penalties. Several prosecutors told me that they wouldn't apply the new law anyway because violation of existing laws would be more easily understood by the courts. However, there is still value in the Computer Fraud and Abuse Act for three reasons. It has drawn public attention onto crimes in the new IT environments, it encouraged potential victims to protect themselves, and it helped law enforcement agencies get funding and motivation for gaining the skills and knowledge to investigate and prosecute the old crimes in the new IT environments. When I write "new IT environments", I mean where a computer plays one or more of four roles: object of attack, subject (unique environment), tool, and symbol (for deception). Donn
"GPS is a humanitarian weapon system" says Dr Bradford W Parkinson, Chief Architect of Global Positioning System http://mycoordinates.org/his-coordinates-2/ "Just before the first Iraq war, the US had turned on the GPS Selective Availability feature. But the irony was that, as soon as the war started, they decided to turn it off since many of the soldiers had civilian GPS sets. It was hurting themselves. We never should have done it in the first place." "Incidentally, I was very instrumental in getting that turned off; my argument always was that wiggling the signal with selective availability was only going to speed up the introduction of differential systems and that is exactly what happened. By 1978 we had already demonstrated differential GPS that could reduce errors to about 2 meters, so I said why on earth would you try and put something in place that is so trivially defeated."
Begin forwarded message (via Dave Farber's IP distribution): Steve Johnson, Homeland Security chief contemplating proactive cyber attacks *San Jose Mercury News*, 16 Apr 2012 sjohnson@mercurynews.com, Posted: 04/16/2012 07:35:38 PM PDT Updated: 04/16/2012 09:08:36 PM PDT http://www.mercurynews.com/rss/ci_20410915 Homeland Security Secretary Janet Napolitano said Monday she would consider having tech companies participate with the government in "proactive" efforts to combat hackers based in foreign countries. Napolitano, who made the comments during a meeting at the *San Jose Mercury News* with the editorial board and reporters, declined to say what steps corporations and federal agencies might take against foreign cybercrooks, who have been blamed for numerous computerized incursions against the United States. She made the remarks in response to a question, and emphasized the idea is merely one she would consider and that no decisions have been made. In discussing the private partnerships she is promoting to combat cyberattacks, Napolitano was asked if instead of just taking defensive measures, the government and companies should be launching proactive counterattacks against foreign-based culprits. "Should there be some aspect that is in a way proactive instead of reactive?" she responded, and then answered her own question with "yes." She added, "it is not something that we haven't been thinking about," noting someone else had raised the subject with her earlier Monday. However, Napolitano said some restrictions might have to be placed on businesses participating in such cyber activities because "what you are doing is authorizing a private entity to do what might otherwise be construed as an attack on another entity." [Long item truncated for RISKS. PGN]
One of the major objections to the Bitcoin cryptocurrency is it isn't backed up by anything, no hard assets or government. MintChip aims to succeed where Bitcoin faltered by having the backing of the Royal Canadian Mint. http://www2.macleans.ca/2012/04/10/mintchip-is-a-fresh-idea/ Is it secure? Of course it's secure! It has the dual advantages of a (presumably) cryptologically reliable technology combined with a totally secret implementation. http://mintchipchallenge.com/forum_topics/759
ICANN data breach exposes gTLD applicant data, leads to deadline extension http://j.mp/IlHuaN (ars technica) "The group that oversees the Internet's address system has extended the application deadline for new generic top level domains (TLDs) and warned that a glitch in its processing system exposed potentially sensitive applicant information to competitors." They can't even get the basic application security right.
Who would have guessed that this would happen - high-tech security is getting so good at border crossings that it can actually catch spies. http://www.wired.com/dangerroom/2012/04/cia-spies-biometric-tech/all/1 Robert Schaefer, Atmospheric Sciences Group, MIT Haystack Observatory, Westford MA 01886 http://www.haystack.mit.edu 781-981-5767 rps@haystack.mit.edu
http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=67004 Apple under fire for backing off IPv6 support Presenters at the North American IPv6 Summit expressed annoyance that the latest version of Apple's AirPort Utility is no longer compatible with IPv6 4/13/2012 3:01:00 PM By: Carolyn Duffy Marsan
Lauren Weinstein's Blog Update, April 14, 2012 CISPA, Cybersecurity, and the Devil in the Dark http://lauren.vortex.com/archive/000947.html The threat of "cyberattacks" is real enough. But associated risks have in many cases been vastly overblown, and not by accident of chance. The "cybersecurity" industry has become an increasingly bloated "money machine" for firms wishing to cash in on cyber fears of every stripe, from realistic to ridiculous. And even more alarmingly, it has become an excuse for potential government intrusions into Internet operations on a scope never before imagined. There are warning signs galore. While we can all agree that SCADA systems that operate industrial control and other infrastructure environments are in need of serious security upgrades—most really never should have been connected to the public Internet in the first place—"war game" scenarios now being promulgated to garner political support (and the really big bucks!) for "cyber protection" have become de rigueur for agencies and others hell bent for a ride on the cybersecurity gravy train. Phony demos purporting to illustrate mass cyber attacks are more akin to Fantasyland than reality, and the turf war between the Department of Homeland Security (DHS) and intelligence agencies such as CIA and NSA in this sphere should give all of us cause for significant concern. The Cyber Intelligence Sharing and Protection Act (CISPA - H.R. 3523) has become the embodiment of hopes for those entities who hope to turn overblown fears of cyber attacks into a pipeline for potentially massive access by government into the private data of Internet users. Sponsors of the legislation tout its relative shortness and generality, but those are precisely among the aspects that make this legislation so problematic. CISPA effectively overrides virtually all existing laws related to Internet privacy protections. 
And since CISPA offers firms access to government cybersecurity "threat data" in exchange for ostensibly voluntary feeding of data back from those firms to the government, and provides for broad protective immunity for companies that choose to do so, a pantheon of tech heavyweights have lined up in support. Just a few of the firms who have to various extents professed direct support of CISPA include Facebook, Symantec, Verizon, IBM, Intel, Microsoft, and Oracle. There are many others. Notably absent from this list is Google, who has not taken a formal position on the existing CISPA legislation and apparently is unlikely to do so. Google's current approach to CISPA seems particularly prescient. While it would be absolutely incorrect to attribute bad motives to the firms supporting CISPA, the legislation itself is in my view so vague and general that it represents largely an "empty vessel" capable of enormous potential damage if deployed and then subjected to the inevitable stream of court interpretations. CISPA claims to ban using data collected under its authority for other than cyber threat activities. But we've seen such data compartmentalization bans fall many times before in other data collection contexts. Since the legislation creates such a broad override of existing privacy protections, and such encompassing immunities for firms that provide associated data to the government, the lack of specificity in so many aspects of CISPA creates what could be the opportunity for a "perfect storm" of abuses down the line. There are indeed genuine risks of serious attacks on the Internet and connected infrastructural systems. But in the fog of the military-industrial complex's rapid push into this area, it has become obvious that realistic assessments are being shoved aside in favor of scare tactics, agency power struggles, and "get rich quick" scheming. This entire area has become a quintessential example of sowing F.U.D. -- Fear, Uncertainty, Doubt -- while legitimate questions of privacy and individual rights are purposefully being marginalized. We saw much the same thing happen after 9/11, with the knee-jerk rush to pass the PATRIOT Act and Homeland Security Act, with a range of profiteering and abuses against individual liberties that then resulted—even leading the U.S. down the evil path of torture. We must avoid a repeat of this madness. Information sharing can be a crucial element of cybersecurity, but for legislation addressing this area, the devil is very much in the details, and the lack of details in CISPA is an invitation to possible privacy disasters. To the extent that cybersecurity threats do exist, the desire to quell them must not be permitted to run slipshod over our personal privacy, liberties, and associated protections in existing laws. We can work together to help protect ourselves from actual cyber threats, without allowing ourselves to become cyber schnooks in the process.
"The principles of openness and universal access that underpinned the creation of the Internet three decades ago are under greater threat than ever, according to Google co-founder Sergey Brin. In an interview with the Guardian, Brin warned that there were "very powerful forces that have lined up against the open Internet on all sides and around the world. I am more worried than I have been in the past; it's scary." He said the threat to the freedom of the Internet came from a combination of governments increasingly trying to control access and communication by their citizens, the entertainment industry attempting to crack down on piracy, and the rise of "restrictive" so-called walled gardens such as Facebook and Apple, which tightly controlled what software could be released on their platforms." http://j.mp/IJN8Z1 (Guardian) I agree 100% with Sergey. And regardless of how you personally feel about Google, to try to deny the truth of his remarks is beyond foolish.
Excerpted from ACM TechNews, Wednesday, April 11, 2012 Read the TechNews Online at: http://technews.acm.org J. Nicholas Hoover, DARPA Challenge Seeks Robots to Drive Into Disasters, *Information Week* 10 Apr 2012 The U.S. Defense Advanced Research Projects Agency (DARPA) announced the Robotics Challenge, which will offer a $2 million prize to anyone who can build a robot capable of navigating disaster-response scenarios and using human devices that range from hand tools to vehicles. The challenge aims to improve the ability of robots to navigate rough terrain at disaster sites, operate vehicles, and use common tools, as well as to make robot hardware and software development more accessible. As part of the challenge, robots will be required to complete several discrete tasks, including traveling across rubble, removing debris from a blocked entryway, climbing a ladder, and entering and driving a car. DARPA says it will provide "a robotic hardware platform with arms, legs, torso, and head" to some entrants, although robots in humanoid form are not required to enter the challenge. "For robots to be useful to [the U.S. Department of Defense], they need to offer gains in either physical protection or productivity," notes DARPA's Kaigham Gabriel. DARPA's announcement says the "proposed research should investigate innovative approaches that enable revolutionary advances in science, devices, or systems." The challenge will take place in two phases and will finish at the end of 2014. http://www.informationweek.com/news/government/info-management/232900054
Battle for the Internet: Walled gardens look rosy for Facebook, Apple - and would-be censors http://j.mp/I3BV2B (Guardian) Zittrain's real worry is that "the personal computer is dead". His conclusion is a call to arms: "We need some angry nerds" - people capable of breaking out of the walled gardens. Indeed, the US government has found some: it has backed projects such as "the Internet in a suitcase", which could set up a telecommunications network inside a country separate from the existing infrastructure. Zittrain acknowledges such projects, but for the wider world, he says, "convenience is great. I wouldn't call for a return to the green blinking cursor of [Microsoft's pre-Windows] MS-DOS or the [text-based] Apple II. But we should build architectures that permit innovation and experimentation if consumers wish to go 'off-roading'."
Panos Ipeirotis writes at the end of his dissection of the click fraud scheme: "The guy essentially realized that this type of fraud is really behaving like a parasite within a much bigger ecosystem." Given that the entire advertising industry is itself a parasite, this makes the guy a parasite on a parasite: which is probably a good thing! Is it really "fraud"? Only in the same sense that running Adblock Plus is fraud, or recording the programmes I want to watch and editing out the adverts before I watch them is fraud. What about going to the kitchen to get a drink when the adverts are on? Or just not paying attention to the adverts? Or paying attention but deciding not to buy the goods advertised? What is the worst that could happen? The collapse of the entire advertising industry? And this would be a bad thing? (Those worried about all the jobs that would be lost needn't worry: they could all get jobs in the stone-throwing-and-reglazing industry, with no loss to the economy as a whole). STRL Reader in Software Engineering and Royal Society Industry Fellow martin@gkc.org.uk http://www.cse.dmu.ac.uk/~mward/
http://www.itbusiness.ca/it/client/en/Home/News.asp?id=66989 Did first DDOS attack sink the Titanic? Well maybe not. But overstressed wireless operators inundated with personal messages played a critical role on the night of the tragic sinking. 4/13/2012 10:12:00 AM By: Sharon Gaudin