CareFusion Cortical Stimulator Control Unit: Class 1 Recall - Software Malfunction and Short Circuit Nicolet Cortical Stimulator Control Unit, Nicolet C64 Stimulus Switching Unit (SSU) Amplifier and NicoletOne Software with Cortical Stimulator License U.S. Food and Drug Administration [Posted 02/23/2012] AUDIENCE: Neurology, Risk Managers ISSUE: CareFusion is recalling Nicolet Cortical Stimulator Control Unit, Nicolet C64 Stimulus Switching Unit (SSU) Amplifier and NicoletOne Software with Cortical Stimulator License for two reasons: the device's software incorrectly indicates stimulation is delivered to a different electrode than the one selected and a short circuit may develop between the cortical stimulator control unit and the stimulus switching unit amplifier. Both of these issues may result in the surgeon resecting the wrong brain tissue. The surgeon may also fail to resect pathological tissue, potentially leading to continued pathologic processes and the need for re-operations. ... http://www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts/ucm292975.htm
Baxa Corporation Abacus Total Parenteral Nutrition (TPN) Calculation Software: Class I Recall - Potential Dosing Errors [PGN-ed] U.S. Food and Drug Administration [Posted 05/25/2012] AUDIENCE: Pharmacy, Risk Manager ISSUE: A number of errors have been reported by Abacus software users as a result of ordering salt based parenteral nutrition ingredients on an ion based ordering template. Abacus TPN Calculation Software is designed and intended to allow the ordering of electrolytes in only one of two ways: as a salt (such as calcium gluconate 10%) or as an elemental ion (such as calcium). However, if a dosage is entered into the system based on one method, when the template is configured for the other method, a dosing error can occur. The problem associated with mix-ups related to salt-based or ion-based ordering of electrolytes is not exclusive to calcium gluconate. ... The Abacus TPN Calculation Software was manufactured and distributed from August 7, 2006 through April 15, 2009. Affected catalog numbers include: 8300-0045: Abacus Calculator Only (Abacus CE) 8300-0046: Abacus Single Work Station (Abacus SE) 8300-0047: Abacus Multi-Work Station (Abacus ME) http://www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts/ucm305762.htm
The mayor of a small town in New Jersey managed to take down a website that openly advocated his removal from office by recall. He did not exactly hack the web site, but he managed to hijack the e-mail account associated with the domain of the website, and then used it to cancel the registration for the domain, thereby causing the site to go dark. http://arstechnica.com/security/2012/05/new-jersey-mayor-son-arrested-on-charges-they-nuked-recall-website/ [Thanks to David Jefferson for spotting this one. PGN]
Paul Venezia, *InfoWorld*, 14 May 2012 Significant government funds go into snooping on citizens and outrageously sophisticated weaponry. How about a little scratch for the basic instrument of democracy? http://www.infoworld.com/d/data-center/why-voting-machines-still-suck-192988 This article has a good summary of the situation and links to several related articles.
It has been widely reported in many blogs in Japan that a widely used scramble protection system for satellite broadcasting (and for that matter some ground-based broadcasting) in Japan called B-CAS (BS Conditional Access System) has been compromised. Basically, satellite broadcasting relies on an IC card supplied by B-CAS Company Limited to handle the management of subscription and duration (and presumably key handling for descrambling). In Japan, TV tuners on the market have the card slot where the card is inserted.

Now, there were earlier reports of a so-called "black" B-CAS card that seemed to enable the viewing of all such paid channels earlier this year, which initially seemed to be a hoax, but then turned out to be true(!). The card was imported from Taiwan (or China). Based on the knowledge that someone outside Japan had cracked the basic protection mechanism, the hacking community in Japan and elsewhere seems to have been busy cracking the card, and apparently it has been successful. It seems that some IC cards in selected lots had forgotten to lock the key management file, thus allowing unauthorized modification. And finding the PIN (8 bytes) was brute force, but for some types of chips used in the B-CAS cards, it was easy. (Obviously, B-CAS cards are built using different chips in different lots.) The password checking is performed by plain-text comparison using memcmp() and thus immediately returns failure when a mismatch occurs. Thus it was vulnerable to timing analysis. If you get the first byte of the 8-byte PIN correct, then your NG is returned somewhat later. [These contact ICs' clocks are often in the 1-10 MHz range, and thus you can tell.] So you know that you have now obtained the first byte. And then you can find the correct 2nd byte of the PIN when your NG result is returned somewhat later than in other cases, etc. (I think the cracker who found this has already disassembled the code inside the chip AFTER he/she (?) figured out the PIN and found ways to dump the code inside the chip.)

All in all, the news seems to have spread widely. I heard it from a friend of mine via e-mail early this week. And by that time, most of the major chip types used in the B-CAS IC card seem to have been cracked. Worse, in one type of chip, it seems that the programmers can access the internal program cleverly and thus can disassemble the internal routine, thus finding the encryption algorithm used inside, which was never published before. With this knowledge, there are people who are talking of creating a soft-BCAS routine that can decode off-line the scrambled data recorded from satellite broadcasts later without the IC card at all. Initially, only a few types of the chips used were reported to be vulnerable, and people who heard the early news seem to have gone out and bought tuner units with the vulnerable B-CAS IC card with the particular chip types: so there was an unusual surge of sales of these otherwise slow-selling tuners in the stores in Tokyo last weekend.

There has been severe criticism of the adoption of this B-CAS card: even ordinary non-paying TV broadcasts have to go through this scrambling today, and thus the B-CAS card is in EVERY tuner. (This may have been one reason for the demise. The cards are available in the market aplenty. If you buy a new one and retire the old one, engineering types keep at least the IC card from the old unit for keeps. Thus crackers have had no qualms about invalidating such cards by mis-programming during the trial-and-error process.) Strangely or understandably, TV news programs are silent for now. I think the B-CAS company and the satellite broadcasting channels have to come up with a clear road map before making an announcement. Then there will be big TV news, I suppose. On the other hand, there may not be. My friends say there are not so many interesting TV programs on paid channels, and people who go out and modify their B-CAS cards in this manner will be in the minority. However, the operators of the paid channels cannot sit idle and must have been pushing the B-CAS company to do something in the last few days. Stay tuned :-)
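The memcmp()-style early-exit leak described in the post above, as an added illustration that is not part of the original post or of any B-CAS firmware: a naive byte-by-byte PIN check beside a constant-time one, with a counter of examined bytes standing in for the clock cycles an observer could measure on a slowly clocked contact card. The 8-byte PIN length comes from the post; the PIN values and function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PIN_LEN 8  /* the post describes an 8-byte PIN */

/* Naive check in the style the post describes: compare byte by byte and
 * return "NG" at the first mismatch.  'work' counts the bytes examined,
 * a stand-in for the cycles an observer could time on a 1-10 MHz card. */
int pin_check_early_exit(const uint8_t *stored, const uint8_t *guess,
                         unsigned *work)
{
    unsigned examined = 0;
    for (size_t i = 0; i < PIN_LEN; i++) {
        examined++;
        if (stored[i] != guess[i]) {
            *work = examined;      /* leaks how many leading bytes matched */
            return 0;
        }
    }
    *work = examined;
    return 1;
}

/* Hardened check: always examines every byte and only ORs the differences
 * together, so the work done is independent of where the first wrong byte is. */
int pin_check_const_time(const uint8_t *stored, const uint8_t *guess,
                         unsigned *work)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < PIN_LEN; i++)
        diff |= (uint8_t)(stored[i] ^ guess[i]);
    *work = PIN_LEN;
    return diff == 0;
}

typedef int (*pin_check_fn)(const uint8_t *, const uint8_t *, unsigned *);

/* Constructed sample PIN: not real B-CAS data. */
static const uint8_t SAMPLE_PIN[PIN_LEN] =
    {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};

/* Work spent rejecting a guess whose first byte is right minus the work
 * spent rejecting one whose first byte is wrong.  Nonzero means the
 * check's running time reveals byte-position information. */
unsigned timing_leak(pin_check_fn check)
{
    uint8_t first_right[PIN_LEN] = {0x12, 0, 0, 0, 0, 0, 0, 0};
    uint8_t first_wrong[PIN_LEN] = {0x00, 0, 0, 0, 0, 0, 0, 0};
    unsigned w_right = 0, w_wrong = 0;
    check(SAMPLE_PIN, first_right, &w_right);
    check(SAMPLE_PIN, first_wrong, &w_wrong);
    return w_right - w_wrong;
}

/* Functional sanity check: the right PIN is accepted, a PIN that differs
 * only in its last byte is rejected.  Returns 1 when both hold. */
int self_check(pin_check_fn check)
{
    uint8_t wrong[PIN_LEN];
    unsigned w;
    for (size_t i = 0; i < PIN_LEN; i++) wrong[i] = SAMPLE_PIN[i];
    wrong[PIN_LEN - 1] ^= 0x01;
    return check(SAMPLE_PIN, SAMPLE_PIN, &w) == 1 &&
           check(SAMPLE_PIN, wrong, &w) == 0;
}

int main(void)
{
    printf("early-exit leak: %u byte(s)\n", timing_leak(pin_check_early_exit));
    printf("constant-time leak: %u byte(s)\n", timing_leak(pin_check_const_time));
    return 0;
}
```

On a real card the constant-time compare is normally paired with a retry counter that is decremented and committed before the comparison runs, so that a PIN cannot be searched byte by byte even if some residual timing variation remains.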
"The Daily News", Kamloops, British Columbia, Canada; May 12, 2012; p. B3: Users of smartphones, such as iPhones and BlackBerrys, have a different sense of privacy and of the appropriateness of public cellphone usage compared to users of more traditional mobile devices, a study shows. Researchers from Tel Aviv University drew this conclusion after studying the attitudes of about 150 people in Israel. Eran Toch, from the school's department of industrial engineering, said in a statement that smartphone users tend to have an illusion of being in a "privacy bubble" when using their devices in public. The research found that people with smartphones were 70 per cent more likely than those with less advanced cellphones to think their devices gave them a fair degree of privacy when using them in public. Smartphone users were also 20 per cent less likely to think talking on their devices in public bothered other people, and 50 per cent less inclined to be annoyed by other people using their phones, the study found.
I have no issue with the research reported below itself, but the statement, "A typical data network consists of an array of nodes—which could be routers on the Internet ...", implies they are talking about information in the everyday sense, as in the content of web pages. But that's an entirely different sense of the term and doesn't have a simple mapping into Shannon's abstract measure. While I understand the need to make research appear relevant, we must be wary of, and even critical of, researchers who may do meticulous research and then ignore the difference between their technical use of the terms and the common use. Such reports often become the basis for public policy, as when channel limits are used to justify claims of "spectrum scarcity".
UN/ITU Internet Control (and an EU Web Cookie Insanity update!) http://j.mp/KnsgFW (This message on Google+) House to examine plan for United Nations to regulate the Internet http://j.mp/KyoJTK (The Hill) "House lawmakers will consider an international proposal next week to give the United Nations more control over the Internet. The proposal is backed by China, Russia, Brazil, India and other UN members, and would give the UN's International Telecommunication Union (ITU) more control over the governance of the Internet." If the UN/ITU actually did manage to get their clutches on the Internet, the resulting blowback in terms of network fragmentation would be immense. Unfortunately, ICANN's continuing shenanigans pretty much guarantee network fragmentation as well. We need a purpose-built *third way*. On the EU Web Cookie Insanity (WCI) front, reports are (and a quick test seems to confirm for the moment) that the BBC for now appears to have pulled down their wacky, looping cookie warning/control banners. The British Telecom community donations site, however, continues to intercept with a full page of cookie gobbledegook, which users who already block cookies *cannot click past*. As the old song goes, "Quick, send in the clowns—Don't bother, they're here." Lauren Weinstein (email@example.com): http://www.vortex.com/lauren People For Internet Responsibility: http://www.pfir.org Data Wisdom Explorers League: http://www.dwel.org Network Neutrality Squad: http://www.nnsquad.org Global Coalition for Transparent Internet Performance: http://www.gctip.org PRIVACY Forum: http://www.vortex.com Lauren's Blog: http://lauren.vortex.com Tel: +1 (818) 225-2800 / Skype: vortex.com
"China's biggest microblogging service has introduced a code of conduct explicitly restricting the type of messages that can be posted." http://j.mp/JoeiQa (BBC via NNSquad)
http://j.mp/LzYvxY (The Star via NNSquad) PETALING JAYA: The amendment to the Evidence Act transfers the burden of proof to the accused, which is contrary to the principle of justice, said lawyers and Internet users. "At any trial, whether criminal or civil cases, it is up to the prosecutor to prove guilt beyond reasonable doubt. Now the burden will be shifted to the accused to disprove (the allegation against them)," said human rights lawyer Edmund Bon. He added: "All around the world where there is Internet any reasonable person would be against the posting of hate messages. But whether the Government should step in and take such control is another matter."
[By Declan McCullagh, via Dave Farber's IP] http://news.yahoo.com/blogs/technology-blog/big-brother-watching-fbi-forms-internet-surveillance-unit-173958595.html The FBI has recently formed a secretive surveillance unit with an ambitious goal: to invent technology that will let police more readily eavesdrop on Internet and wireless communications. The establishment of the Quantico, Va.-based unit, which is also staffed by agents from the U.S. Marshals Service and the Drug Enforcement Agency, is a response to technological developments that FBI officials believe outpace law enforcement's ability to listen in on private communications. <http://news.cnet.com/8301-31921_3-20032518-281.html> While the FBI has been tight-lipped about the creation of its Domestic Communications Assistance Center, or DCAC—it declined to respond to requests made two days ago about who's running it, for instance—CNET has pieced together information about its operations through interviews and a review of internal government documents. DCAC's mandate is broad, covering everything from trying to intercept and decode Skype conversations to building custom wiretap hardware or analyzing the gigabytes of data that a wireless provider or social network might turn over in response to a court order. It's also designed to serve as a kind of surveillance help desk for state, local, and other federal police. <http://news.cnet.com/8301-31921_3-20035168-281.html> The center represents the technological component of the bureau's "Going Dark" Internet wiretapping push, which was allocated $54 million by a Senate committee last month. The legal component is no less important: as CNET reported on May 4, the FBI wants Internet companies not to oppose a proposed law that would require social-networks and providers of VoIP, instant messaging, and Web e-mail to build in backdoors for government surveillance. 
<http://news.cnet.com/8301-31921_3-20017671-281.html> <http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/> During an appearance last year on Capitol Hill, then-FBI general counsel Valerie Caproni referred in passing, without elaboration, to "individually tailored" surveillance solutions and "very sophisticated criminals." Caproni said that new laws targeting social networks and voice over Internet Protocol conversations were required because "individually tailored solutions have to be the exception and not the rule." <http://news.cnet.com/8301-31921_3-20032518-281.html> on <http://www.fbi.gov/news/testimony/going-dark-lawful-electronic-surveillance-in-the-face-of-new-technologies> <http://news.cnet.com/8301-31921_3-20032910-281.html> Joly MacFie 218 565 9365 VP(Admin), ISOC-NY - http://isoc-ny.org Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com
This new threat appears not to cause physical damage, but to collect huge amounts of sensitive information, said Kaspersky's chief malware expert Vitaly Kamluk. "Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on." More than 600 specific targets were hit, ranging from individuals and businesses to academic institutions and government systems. Iran's National Computer Emergency Response Team posted a security alert stating that it believed Flame was responsible for "recent incidents of mass data loss" in the country. The malware code itself is 20MB in size - making it some 20 times larger than the Stuxnet virus. The researchers said it could take several years to analyse. Kamluk: the size and sophistication of Flame suggested it was not the work of independent cybercriminals, and more likely to be government-backed. This is an extremely advanced attack. It is more like a toolkit for compiling different code-based weapons than a single tool. It can steal everything from the keys you are pressing to what is on your screen to what is being said near the machine. It also has some very unusual data-stealing features, including reaching out to any Bluetooth-enabled device nearby to see what it can steal. Just like Stuxnet, this malware can spread by USB stick, i.e. it doesn't need to be connected to a network, although it has that capability as well. This wasn't written by some spotty teenager in his/her bedroom. It is large, complicated and dedicated to stealing data whilst remaining hidden for a long time. http://www.bbc.co.uk/news/technology-18238326 [PGN-ed] Joly MacFie 218 565 9365 VP(Admin), ISOC-NY - http://isoc-ny.org Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com [George Ledin comments that Flame is heating up. http://www.securelist.com/en/blog# http://www.bbc.com/news/technology-18238326 PGN]
Lizette Alvarez, *The New York Times*, 26 May 2012 MIAMI - Besieged by identity theft, Florida now faces a fast-spreading form of fraud so simple and lucrative that some violent criminals have traded their guns for laptops. And the target is the United States Treasury. With nothing more than ledgers of stolen identity information - Social Security numbers and their corresponding birth dates and names - criminals have electronically filed thousands of false tax returns with made-up incomes and have received hundreds of millions of dollars in wrongful refunds, law enforcement officials say. The criminals, some of them former drug dealers, outwit the Internal Revenue Service by filing a return before the legitimate taxpayer files. Then the criminals receive the refund in a convenient but hard-to-trace prepaid debit card, typically sent to them by a bank or a tax software company, which downloads the amount approved by the IRS. The swindlers often provide addresses for vacant houses, even buying mailboxes for them, and then collect the refunds there. Postal workers have been harassed, robbed and, in one case, murdered as they have made their rounds with mail trucks full of debit cards and master keys to mailboxes. The fraud, which has spread around the country, is costing taxpayers hundreds of millions of dollars annually, federal and state officials say. The IRS sometimes, in effect, pays two refunds instead of one: first to the criminal who gets a claim approved, and then a second to the legitimate taxpayer, who might have to wait as long as a year while the agency verifies the second claim. ... http://www.nytimes.com/2012/05/27/us/id-thieves-loot-tax-checks-filing-early-and-often.html
Use Twitter and Facebook While Condemning Danger of Web Josh Nathan-Kazis, *Forward*, 14 May 2012, issue of May 18, 2012. An upcoming ultra-Orthodox mega-rally in New York about the dangers posed by the Internet has a promotional Twitter account. The event's box office has an e-mail address. Speeches will be live streamed. And one of the event's organizers owns a Web marketing company specializing in search engine optimization. This isn't your average anti-Internet demonstration. After years of oft-flouted rabbinic bans on Internet use, a group of both Hasidic and non-Hasidic rabbis is pushing a new approach that will be unveiled at the Mets' CitiField on May 20. Organizers project an attendance of some 40,000 Orthodox Jewish men; women were not invited. Without letting up on their severe condemnation of technology and the Internet, the rabbis behind the CitiField event are accepting the Web's inevitability while instructing their followers to use Internet-filtering technology. ... http://forward.com/articles/156102/orthodox-rally-for-a-more-kosher-internet/
Today I got to see first-hand how one class of computer scammers work. I answered the phone and said "Hello", but there was a silence, and then someone with a subcontinental accent comes on and says "Hello". So it sounds like they are using a predictive dialer and came on too late to hear me answer the phone. After a few moments the caller realizes this and starts with the pitch: "We are calling from the Computer Department. Your Microsoft Windows Computer has been sending us many error messages due to viruses and malicious files on your computer. You have not responded to the error messages we sent you so we are calling you about this problem." The caller went into a long pitch about how malicious files were even worse than viruses. They wanted to convince me that my Windows computer had a problem, so they told me to sit down in front of the computer. The caller then asked me to locate the Windows key on my keyboard, and to press Windows - R, then type in "EVENTVWR". I figured this meant they wanted to run the Windows Event Viewer, so I told them OMG, there are many scary messages here! The caller explained that these messages were indications of the "malicious files" that they were warning me about. Once the caller was satisfied that I had bought into their scenario that my computer was "dangerously corrupted", they moved into the payload phase - they asked me to press Windows - R, then type in "www.support.me". This brought me to logmeinrescue.com, a remote login service. They tried to walk me through downloading the remote control console software. At this point I tired of the game and told them the program wouldn't run. They then asked me about "how do you get to your e-mail", but before I could finish giving them an e-mail address they hung up. I reported the scammers to logmeinrescue.com. Apparently they offer free trial accounts, so the scammers don't have to pay for the remote access to their victims' computers. 
This seems to have been going on for a while: a web search for "support.me scam" shows many reports going back at least to 2010. Here's a recording of one scam session that was using the same script I was called with: http://www.youtube.com/watch?v=_hxXu0qD9Nc From the point of view of a technical person, the entire come-on was laughably lame, but they're still in business after years of operation -- the joke is on us.
"Can an Algorithm Write a Better News Story Than a Human Reporter?" Had Narrative Science—a company that trains computers to write news stories—created this piece, it probably would not mention that the company's Chicago headquarters lie only a long baseball toss from the Tribune newspaper building. Nor would it dwell on the fact that this potentially job-killing technology was incubated in part at Northwestern's Medill School of Journalism, Media, Integrated Marketing Communications. Those ironies are obvious to a human. But not to a computer. http://www.wired.com/gadgetlab/2012/04/can-an-algorithm-write-a-better-news-story-than-a-human-reporter/
As an occasional reader of RISKS, this one caught my eye. Electronic systems for navigation and chart display on commercial ships have well-established mechanisms for filtering displays specifically to reduce "clutter", but the anti-grounding functions on all of them are mandated to alarm even when data is not being displayed on screen. This is seen as one of the major benefits of electronic chart display systems, in that the person using them can be alerted to potential dangers without having to display all categories of chart objects all the time. There are also many many guidelines for how over-reliance can be countered through manual inspection of routes prior to departure. This is very different to car navigation, where a "good" display is synonymous with "complete" - i.e. all features - the point being the sea doesn't have roads and the fundamental dynamics are different... Jonathan Pritchard, Product Research and Development, United Kingdom Hydrographic Office, Admiralty Way, TAUNTON, Somerset TA1 2DN +44 (0)1823 337900 Ext 4006 firstname.lastname@example.org
(Hendricks, RISKS-26.84)
> Billions in revenue are lost each year, they claim. But not for long if the
> Russian based startup Pirate Pay has its way. ...

I had to look again to check the date. Then I noticed it was Pirate *P*ay, not Pirate *B*ay. Even so... do these people think that there will be no response? The Internet does what with censorship? Oh well, if they're willing to invest the $$ to keep changing their methods of attack as the underlying BitTorrent software changes to adapt, they may be able to slow (not stop) the flow of pirated content—over BitTorrent. Leaving... YouTube and various file-sharing sites and a gazillion competitors. A new business model is needed. Until MPAA & RIAA come up with that, they will be fighting a permanent losing battle. Anyway, assuming it's serious.
Geoff Kuenning <email@example.com> writes:
> If they have a friend nearby during those ten seconds, is it also wiped
> from the friend's mind?

This reminds me of the following video, which is currently making the rounds on the intertubes: http://www.youtube.com/watch?v=IFe9wiDfb0E Dag-Erling Smørgrav - firstname.lastname@example.org