Alaska Airlines said flights were running close to normal late Monday after a fiber-optic outage shut down its ticketing system for more than four hours, causing the airline and its regional carrier to cancel 78 flights (roughly 10 percent of their daily flights), affecting nearly 7,000 customers. More than 130 other flights departed during the disruption, but some were delayed for as long as four hours, the airline said. "Flights are running real close to schedule right now in all major cities. We expect tomorrow to be back on track completely," airline spokeswoman Marianne Lindsey said Monday evening. Most affected were Alaska's hub cities of Seattle, Portland, Ore., Los Angeles, Anchorage, Alaska, and the San Francisco area. The problems were caused by a combination of two cut cables in Sprint's fiber-optic network. One occurred at a construction site along railroad tracks between Chicago and Milwaukee and the other was somewhere between Portland and Seattle. The Chicago-Milwaukee cable was cut accidentally due to some kind of work or maintenance. The second cut involved an aerial cable that runs along power lines. "Typically if there's just one cut, traffic reroutes automatically," Davis said. "Because there were two cuts within hours of each other, it caused this disruption." [Source: Doug Esser, Associated Press, 8 Oct 2012; PGN-ed] Read more: http://www.sfgate.com/news/article/Alaska-Airlines-Operations-returning-to-normal-3928410.php
Part of a wonderful NYTimes Science Times focus on IT in medicine [9 Oct 2012], this article goes into more depth on apps that have more risks of false positives and privacy issues. New technology uses standard features on smartphones—GPS and movement tracking—to monitor a patient's behavior and alert the doctor when something seems out of order. *The New York Times* http://nyti.ms/VHdm3A
Every problem that we have in our election system is magnified 10k times in absentee voting. At that point in the process, all eyes and all sides have one thing to focus on—absentee ballots. There are some problems that are unique to absentee voting—the major one being that the voter is not present to work through any issues with the election officials - but there are many of the same problems we have with all of the other modes of voting. Adam Liptak, *The New York Times*, front page, 7 Oct 2012 http://www.nytimes.com/2012/10/07/us/politics/as-more-vote-by-mail-faulty-ballots-could-impact-elections.html
Stephanie Simon, Reuters, 3 Oct 2012 Virtual public schools, which allow students to take all their classes online, have exploded in popularity across the United States, offering what supporters view as innovative and affordable alternatives to the conventional classroom. Now a backlash is building among public officials and educators who question whether the cyber-schools are truly making the grade. In Maine, New Jersey and North Carolina, officials have refused to allow new cyber-schools to open this year, citing concerns about poor academic performance, high rates of student turnover and funding models that appear to put private-sector profits ahead of student achievement. In Pennsylvania, the auditor general has issued a scathing report calling for revamping a funding formula that he said overpays online schools by at least $105 million a year. In Tennessee, the commissioner of education called test scores at the new Tennessee Virtual Academy "unacceptable." And in Florida, state education officials are investigating a virtual school after it was accused of hiring uncertified teachers; in the past two weeks two local school boards in the state have rejected proposals for virtual schools. Some states, including Michigan, Indiana and Louisiana, are still moving aggressively to embrace online schools. But the anger and skepticism elsewhere is striking, in part because some of it comes from people who have ardently supported opening the public school system to competition. ... http://www.reuters.com/article/2012/10/03/us-usa-education-online-idUSBRE8920J420121003
"The Harvard network scientist and pop theorist Samuel Arbesman stokes our fears of information on the cover of his recent book, The Half-Life of Facts: Why Everything We Know Has an Expiration Date. Watch out, that title says: The truth is melting! But the argument that Arbesman lays out (in a set of loosely connected anecdotes and essays) works to do the opposite. He uses math as a medication for this anxiety, to keep us calm in the face of shifting knowledge. His book works like a data-beta-blocker: By fitting fickle truths to models and equations, it promises a way to handle life's uncertainty and keep abreast of "the vibrations in the facts around us." In the end, though, the prescription runs afoul of a more fundamental ambiguity: What does it mean to call a fact a fact to start with?" http://j.mp/SAKg5n (Slate via NNSquad)
"The Government will announce details this month of a controversial national identity scheme which will allow people to use their mobile phones and social media profiles as official identification documents for accessing public services." http://j.mp/SFDc1a (Independent via NNSquad) Like the article headlines: "What could go wrong?"
http://j.mp/OMWF58 (Torrent Freak via NNSquad) "Claiming to prevent the unauthorized distribution of Windows 8 Beta the software company listed 65 "infringing" web pages. However, nearly half of the URLs that Google was asked to remove from its search results have nothing to do with Windows 8. This apparent screw up in the automated filter mistakenly attempts to censor AMC Theatres, BBC, Buzzfeed, CNN, HuffPo, TechCrunch, RealClearPolitics, Rotten Tomatoes, ScienceDirect, Washington Post, Wikipedia and even the U.S. Government. Judging from the page titles and content the websites in question were targeted because they reference the number "45."
"Six major American banks were hit in a wave of computer attacks last week, by a group claiming Middle Eastern ties, that caused Internet blackouts and delays in online banking. Frustrated customers of Bank of America, JPMorgan Chase, Citigroup, U.S. Bank, Wells Fargo and PNC, who could not get access to their accounts or pay bills online, were upset because the banks had not explained clearly what was going on." http://j.mp/TX1GKi (*The New York Times* via NNSquad) I am extremely skeptical of the blame game being asserted, especially the Iran bashing. Anybody can claim to be anyone in this context, and I see no conceivable upside to Iran deploying an effort to merely slow down access to online banking in the U.S. I've seen the effects myself—extra page reloads required and such, but frankly the explanations the banks are giving stink to high heaven, and the politicos seem to be pulling so-called explanations out of thin air.
"The compromised servers were outfitted with itsoknoproblembro (pronounced "it's OK, no problem, bro") and other DDoS tools that allowed the attackers to unleash network packets based on the UDP, TCP, HTTP, and HTTPS protocols. These flooded the banks' routers, servers, and server applications - layers 3, 4, and 7 of the networking stack - with junk traffic. Even when targets successfully repelled attacks against two of the targets, they would still fall over if their defenses didn't adequately protect against the third. "It's not that we have not seen this style of attacks or even some of these holes before," said Dan Holden, the director of research for the security engineering and response team at Arbor Networks. "Where I give them credit is the blending of the threats and the effort they've done. In other words, it was a focused attack." Adding to its effectiveness was the fact that banks are mandated to provide Web encryption, protected login systems, and other defenses for most online services. These "logic" applications are naturally prone to bottlenecks - and bottlenecks are particularly vulnerable to DDoS techniques. Regulations that prevent certain types of bank traffic from running over third-party proxy servers often deployed to mitigate attacks may also have reduced the mitigation options available once the disruptions started." http://j.mp/PIsE0M (ars technica via NNSquad)
Lloyds TSB says it is suffering from a "temporary system error" that is causing "intermittent problems". Users of the Twitter social network have complained of being unable to use their debit cards, Lloyds TSB ATMs, or the bank's online banking service. The bank says it is sorry for the inconvenience and is trying to sort out the problems. Earlier this summer some account holders at RBS and NatWest suffered disruption due to a computer failure. Lloyds TSB has admitted the problem has affected both its internet and telephone banking service, "but we don't have a definite time scale at this time," it said. http://www.bbc.co.uk/news/business-19846157
"That's because a design flaw in the service, and in competing services offered by Trust Guard and others, makes it easy to discover in almost real time when a customer has had the seal revoked. A revocation is a either a sign the site has failed to pay its bill, has been inaccessible for a sustained period of time, or most crucially, is no longer able to pass the daily security test." http://j.mp/OaLi5z (ars technica via NNSq)
Apple is taking a kicking over their latest Map app. Many sites are making fun of it. In particular http://theamazingios6maps.tumblr.com/ has been a great time so far. I am only on page 24. That page has a sign at a London transit station with an additional information section that reads: "For the benefit of passengers using Apple iOS 6, local area maps are available from the booking office." Ouch! http://theamazingios6maps.tumblr.com/post/31969830493/london-tube
Gun parts are being made by 3D printer, and it may soon be possible to make a complete gun. This raises concerns about how legislation will respond to advances in 3D printer technology. http://techcrunch.com/2012/08/26/the-next-battle-for-internet-freedom-could-be-over-3d-printing/
Kate Gosselin Halts Sale Of Negative Tell-All Book http://www.huffingtonpost.com/2012/10/02/kate-gosselin-book_n_1933185.html "Kate Gosselin has scored a victory. She has gotten her lawyers to halt the sale of a shocking new book that claims that the mom of eight "fooled the world." [...] "Kate had her own lawyers deal with this," says a network insider. "TLC lawyers were involved as well, since there were some confidential documents in there." This confidential information that troubled TLC was found in a series of private emails exchanged between Gosselin and the Discovery network. The emails were leaked via computer hard drives that Gosselin had put in the trash." Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us
http://www.csoonline.com/article/716903/phony-facebook-application-security-tests-say-it-ain-t-so-zuckerberg Phony Facebook application security tests? Say it ain't so, Zuckerberg How can we explain the FTC's discovery that, for close to a year, Facebook operated a for-profit application security testing service that was little more than a sham?
http://www.infoworld.com/t/cringely/windows-8-pirates-no-noose-good-noose-204304 InfoWorld, 8 Oct 2012 Windows 8 pirates: No noose is good noose Are the BBC, CNN, and Wikipedia distributing illegal copies of Windows 8? Nope, it's just another example of the Copyright Cartel gone wild By Robert X. Cringely | InfoWorld
Ted Samson, *InfoWorld*, 9 Oct 2012 Hackers exploit Skype API to infect Windows PCs New worm reinforces Skype's reputation as an app with security issues http://www.infoworld.com/t/anti-virus/hackers-exploit-skype-api-infect-windows-pcs-204333
Carl Zimmer, *The New York Times*, 1 Oct 2012 Last year the journal *Nature* reported an alarming increase in the number of retractions of scientific papers - a tenfold rise in the previous decade, to more than 300 a year across the scientific literature. Other studies have suggested that most of these retractions resulted from honest errors. But a deeper analysis of retractions, being published this week, challenges that comforting assumption. In the new study, published in the Proceedings of the National Academy of Sciences, two scientists and a medical communications consultant analyzed 2,047 retracted papers in the biomedical and life sciences. They found that misconduct was the reason for three-quarters of the retractions for which they could determine the cause. ... http://www.nytimes.com/2012/10/02/science/study-finds-fraud-is-widespread-in-retracted-scientific-papers.html
http://www.thedp.com/article/2012/10/hackers-leak-personal-info-of-students-admins-and-alums
I do not use Facebook much, so when my 13-year-old nephew requested to become my "friend", I accepted without giving it much thought. Every now and then, Facebook suggests a list of people I may want to befriend, including their pictures. This list now includes many 13-year-old girls -- some of whose profile pictures may be considered quite provocative... I hope that no computer I use is ever seized by a police investigation, or I might end up in deep trouble!
There are certainly risks there, but I am not certain that any are new, unique, or even uni-directional. Did not the SETI At Home program operate by a similar paradigm (albeit the pay-off was not strictly a cash-equivalent)? As an aside, I've wondered for quite some time to what extent that program served as a prototype for botnets (may have been discussed here, but if so I missed it). How many "cloud" users know the ultimate disposition of their data? How many even read the EULA and privacy agreements (understandable since a half-hour spent wading knee-deep through a fetid swamp of legalese will in many or most cases produce nothing more definitive than a statement allowing data sharing or delegation to _some_ third-party, identity undisclosed or unknown)? A case could probably be made that a commercial third party recipient of delegated cloud customer data would probably have a greater incentive to use that data in some way counter to the interests or desires of the original "owner". My main interest, however, lies in identifying the risk posed to the person "renting" their excess disk space to Symform. Suppose one of Symform's customers uploads some electronic contraband (e.g., kiddie porn) to their cloud, and through some coincidence it is discovered by some government authority on the hard drive of a different Symform customer? What is the legal status of the "landlord"? I'm not even certain if Symform is an ISP under the legal doctrine that provides a limited shield from legal liability regarding content uploaded by customers; I very much doubt that any shield that exists would be extended by a court to the customer providing drive space. What little remains of the 4th amendment (US) would also seem to be of little help.
I disagree that the picket, to use the analogy from your note, is high enough. Yes, the Ars Technica article focuses on password length and even Costin Raiu's blog post focuses heavily on length, only touching on the two choices he thinks Microsoft has had to make. What would make me worried about the length restriction is that there is some technical reason why the password cannot be longer. Raiu talks about sha512crypt, but even the weaker SHA-1 or MD5 hashes he talks about do not have length restrictions on the passwords that can be entered. If there is a length restriction, I would be concerned that Hotmail is using some homegrown hash function that limits itself to 16 characters. History has a handful of similar hash functions and they've generally proven to be even weaker than SHA-1. In this case, I agree with Raiu: I don't know which of his two options is worse. Arguably, if the only concern here is local administrative staff at Hotmail having access to the hashes, the risk is moderate or even low. In that case, Microsoft's characterization of the risk is correct and 16 characters is plenty. These days, I don't think security professionals should only be worried about phishing and keystroke loggers, in spite of what was said in the article. We continue to see attacks that result in sizable credential lists posted publicly. The likelihood for any one target may not be significant, but it is, nonetheless, a possibility that should be accounted for. The size of the picket makes no difference if it's not firmly attached to the fence. Neil (mckellar@telusplanet.net)
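The post above argues that standard hash constructions impose no 16-character limit, and that a cap would more likely point to something homegrown. The following Python is an added example (not Hotmail's code, and not from the article or the post) that makes both points concrete with the standard library's PBKDF2-HMAC-SHA512: the `PasswordStore` class, its `max_len` knob that models a store silently truncating before hashing, and the `detects_truncation` black-box check are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; a real deployment tunes them.
ITERATIONS = 200_000
SALT_BYTES = 16


class PasswordStore:
    """Password store backed by PBKDF2-HMAC-SHA512 (Python stdlib).

    max_len=None: no cap; the KDF accepts a password of any length.
    max_len=16:   models a store that silently truncates the password to
                  16 characters before hashing (constructed failure mode,
                  not a claim about any real service).
    """

    def __init__(self, max_len=None):
        self.max_len = max_len
        self._records = {}  # username -> (salt, digest)

    def _kdf(self, password, salt):
        if self.max_len is not None:
            password = password[: self.max_len]  # the silent truncation bug
        return hashlib.pbkdf2_hmac(
            "sha512", password.encode("utf-8"), salt, ITERATIONS
        )

    def register(self, user, password):
        salt = os.urandom(SALT_BYTES)  # fresh random salt per account
        self._records[user] = (salt, self._kdf(password, salt))

    def verify(self, user, password):
        rec = self._records.get(user)
        if rec is None:
            return False
        salt, digest = rec
        # constant-time comparison of the recomputed digest
        return hmac.compare_digest(self._kdf(password, salt), digest)


def detects_truncation(store, limit=16):
    """Black-box check for silent truncation at `limit` characters.

    Register a password that is `limit` + 1 characters long, then try a
    password that agrees with it only up to `limit`. A correct store rejects
    the second password; a store that truncates before hashing accepts it.
    Returns True when truncation is detected.
    """
    probe = "p" * limit
    store.register("__probe__", probe + "A")
    return store.verify("__probe__", probe + "B")


if __name__ == "__main__":
    long_pw = "correct horse battery staple, comfortably past 16!"
    good = PasswordStore()
    good.register("alice", long_pw)
    print("long password verifies:", good.verify("alice", long_pw))
    print("near-miss rejected:", not good.verify("alice", long_pw[:-1]))
    print("unbounded store truncates?", detects_truncation(good))
    print("capped store truncates?", detects_truncation(PasswordStore(max_len=16)))
```

The check is worth running against any login system you operate: it needs only the ability to set and test a password, and a positive result means characters past the limit add no entropy, regardless of what the signup form claims to accept.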
The story also shows another risk, that of jurisdictions. Who had jurisdiction? The property loss was bad enough, but what if there had been the possibility of loss of life?
Does not seem to be a new issue - I found this 2008 discussion of what seems to be the problem George Michaelson is reporting: https://discussions.apple.com/message/6991955?messageIDi91955#6991955?messageIDi91955
BKLNFOCT.RVW 20120714

"Learning from the Octopus", Rafe Sagarin, 2012, 978-0-465-02183-3, U$26.99/C$30.00
%A Rafe Sagarin
%C 387 Park Ave. South, New York, NY 10016-8810
%D 2012
%G 978-0-465-02183-3 0-465-02183-2
%I Basic Books/Perseus Books Group
%O U$26.99/C$30.00 800-810-4145 www.basicbooks.com
%O http://www.amazon.com/exec/obidos/ASIN/0465021832/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0465021832/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0465021832/robsladesin03-20
%O Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 284 p.
%T "Learning from the Octopus"

The subtitle promises that we will learn "how secrets from nature can help us fight terrorist attacks, natural disasters, and disease." The book does fulfill that aim. However, what it doesn't say (up front) is that it isn't an easy task. The overall tone of the book is almost angry, as Sagarin takes the entire security community to task for not paying sufficient attention to the lessons of biology. The text and examples in the work, however, do not present the reader with particularly useful insights. The prologue drives home the fact that 350 years of fighting nation-state wars did not prepare either society or the military for the guerilla-type terrorist situations current today. No particular surprise: it has long been known that the military is always prepared to fight the previous war, not this one. Chapter one looks to the origins of "natural" security. In this regard, the reader is inescapably reminded of Bruce Schneier's "Liars and Outliers" (cf. BKLRSOTL.RVW), and Schneier's review of evolution, sociobiology, and related factors. But whereas Schneier built a structure and framework for examining security systems, Sagarin simply retails examples and stories, with almost no structure at all. (Sagarin does mention a potentially interesting biology/security working group, but then is strangely reticent about it.)
In chapter two, "Tide Pool Security," we are told that the octopus is very fit and functional, and that the US military and government did not listen to biologists in World War II. Learning is a force of nature, we are told in chapter three, but only in regard to one type of learning (and there is no mention at all of education). The learning force that the author lauds is that of evolution, which does tend to modify behaviours for the population over time, but tends to be rather hard on individuals. Sagarin is also opposed to "super efficiency" (and I can agree that it leaves little margin for error), but mostly tells us to be smart and adaptable, without being too specific about how to achieve that. Chapter four tells us that decentralization is better than centralization, but it is interesting to note that one of the examples given in the text demonstrates that over-decentralization is pretty bad, too. Chapter five again denigrates security people for not understanding biology, but that gets a bit hard to take when so much of the material betrays a lack of understanding of security. For example, passwords do not protect against computer viruses. As the topics flip and change it is hard to see whether there is any central thread. It is not clear what we are supposed to learn about Mutual Assured Destruction or fiddler crabs in chapter six. Chapter seven is about bluffing, use and misuse of information, and alarm systems. Yes, we already know about false positives and false negatives, but this material does not help to find a balance. The shared values of salmon and suicide bombers, religion, bacterial addicts, and group identity are discussed in chapter eight. Chapter nine says that cooperation can be helpful. We are told, in chapter ten, that "natural is better," therefore it is ironic to note that the examples seem to pit different natural systems against each other. 
Also, while Sagarin says that a natural and complex system is flexible and resilient, he fails to mention that it is difficult to verify and tune. This book is interesting, readable, erudite, and contains many interesting and thought-provoking points. For those in security, it may be good bedtime reading material, but it won't be helpful on the job. In the conclusion, the author states that his goal was to develop a framework for dealing with security problems, of whatever type. He didn't. (Schneier did.)

copyright, Robert M. Slade 2012 BKLNFOCT.RVW 20120714
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links