The Curiosity Mars Rover developed memory problems with one of its two identical computers. Control was switched to the second system to enable repairs on the first computer. However, the second system suffered a software-based malfunction on 16 Mar and put itself on standby. Finally, as of the evening of 19 Mar, the second system was commanded back into safe mode, and repairs of the first system continue. [Source: Henry Fountain, *The New York Times*, 20 Mar 2013, PGN-ed]
Israeli officials have been claiming success rates up to 90 percent. Analysis by weapons experts suggests it is more likely 40 percent at best, with some incoming rockets merely crippled or deflected and still able to do considerable damage. [Source: William J. Broad, *The New York Times*, 21 Mar 2013, PGN-ed] [This of course should remind readers of Ted Postol's efforts at MIT in demonstrating that the Patriot defenses were perhaps at best 20% effective rather than the officially regarded 95%—i.e., mostly failing to properly eliminate the scud missiles (R 13 19 and R 13 32). PGN]
Computer networks running three major South Korean banks and two of the country's largest broadcasters were paralyzed on 20 Mar 2013 in DarkSeoul virus attacks suspected of originating from North Korea. This affected ATMs, newscasters staring at blank screens, and so on. DarkSeoul is malware designed to evade popular anti-viral products. Kim Jong-Un was quoted as threatening to destroy government installations in the South and American bases in the Pacific. [Source: Choe Sang-Hun, *The New York Times*, 21 Mar 2013, PGN-ed]
Boulder, CO newspaper "The Daily Camera" reports that the Boulder Community Hospital was without a functioning clinical healthcare information system for several days (http://www.dailycamera.com/news/boulder/ci_22819319). The outage affected the hospital, eight laboratories, and six imaging centers, according to the article. The hospital is: "using manual paper record-keeping systems and traditional paper charts for its inpatients. Hospital officials say the system allows them to continue treating patients, provide diagnostic services and collect important clinical information that will be entered later into each patient's electronic health record." Although a hospital physician reportedly said he doesn't think the outage is compromising the health or safety of patients, the backup system "seems a little haphazard, and it's not an organized plan." One patient is reported to have commented "If they can't keep their computer system running, how can we trust them to perform surgery?" "We apologize for the delays, but this was an unavoidable situation," a hospital official reportedly said. COI declaration: I was the lone dissenting opinion in the Institute of Medicine's report on clinical healthcare information technology (available at http://www.ctlab.org/documents/CookDissent.pdf). Clinical healthcare information technology (CHIT) is a complex endeavor and there are wide differences between the good CHIT and the bad CHIT. Richard I Cook, MD, Professor of Healthcare System Safety STH (Skolan för teknik och hälsa) KTH (Kungliga Tekniska högskolan) Alfred Nobels Allé 10, 141 52 Huddinge, SWEDEN mobile: +46 70 190 42 16 email: rcook@kth.se
As reported by DreamHost: http://www.dreamhoststatus.com/2013/03/19/power-disruption-affecting-us-west-data-center-irvine-ca/ Update from our CEO on the March 19/20, 2013 power outages affecting services in our US-West (Irvine, CA) Data Center I would like to share more details with our customers concerning the power outages and resulting network and systems issues that impacted our services on March 19/20 in our US-West (Irvine, CA) Data Center (the Irvine DC for short). A third party, Alchemy Communications, manages the Irvine DC. We lease a large secure space in their facility. Alchemy is responsible for providing power, cooling, security and related infrastructure services and maintenance. The facility has a good track record on all of these responsibilities—including providing reliable power. However, yesterday at approximately 3pm Pacific Daylight Time (PDT), there was a failure in their Uninterruptible Power Supply (UPS) system that completely shut down power to all network and systems housed in the Irvine DC. This power outage affected all tenants and was not limited to just DreamHost's equipment. The power systems at the Irvine DC are designed to be redundant. The UPS system is in-line and in the event the power grid feeds go down, the UPS provides power until the diesel-powered generators kick in. We believe, at this time, that Alchemy was performing unannounced maintenance on their UPS systems and the systems failed—resulting in a complete power outage. In addition to their UPS systems failing, their generators did not kick in. The power failure lasted just a few minutes, however it created a number of major issues with our network and systems in the Irvine DC that took many hours for our operations teams to recover from. Not the least of which was the loss of several critical pieces of networking hardware which did not survive the power event. 
Complete details of these issues will be shared once we have completed a detailed review over the next couple of days. All customer-facing systems were largely restored from the first power outage by early this morning 20 Mar 2013 PDT. After the first power outage, we were assured by Alchemy that their power systems would not be worked on further until a detailed, tested plan was in place that would guarantee no additional loss of power. However, at sometime around 4:30am PDT today their UPS system failed for a second time. This resulted in another complete power outage and another intense period of reboots, restores and system checks from our team. The time to restore most services in the wake of this second power outage was much quicker, mainly because there were no resulting hardware failures and we had learned from the first failure. Alchemy has opted to run the Irvine DC on generators until the UPS issues are fully identified and resolved, and we are monitoring the situation closely to do our best to ensure that there are no further power outages or issues that will affect our services in the Irvine DC. Corrective Action: Alchemy has a team of UPS specialists and Edison power engineers on site who have identified potential points of failure in the existing UPS infrastructure. They are currently in the planning phases of a repair to the UPS systems. The proposed power system enhancements will be subject to rigorous review and testing before being implemented. If all goes as planned, the facility will be able to switch back from generators to grid/UPS power. At this time, we do not believe that a public grid power failure contributed to either of these incidents. DreamHost will have additional network, systems and data center engineers assigned to monitor all systems in the Irvine DC during the UPS system upgrade. We also have oversight of the proposed UPS system repair plan being structured by Alchemy. 
We will post an update on dreamhoststatus.com as soon as the timing of any planned power system maintenance is known. We are working diligently to ensure that the planning and implementation of any UPS upgrades, maintenance and/or the cut back to grid/UPS power will not affect continuous power to our systems and will not impact our customers. Last, but not least, I want to apologize for these service disruptions. I know how critical our services are to our customers and their livelihood. I fully recognize that any disruption to services can affect important production environments and projects. Our team will work diligently to ensure that we mitigate the power issues going forward, including a full audit of all facilities that house DreamHost customer data. We will learn from this event and continuously improve our operations and services. All customers impacted by these service issues can apply for credits or refunds in accordance with our guaranteed uptime policy by contacting support through the panel. Simon Anderson, CEO, DreamHost
http://www.cnn.com/2013/03/18/tech/web/florida-election-cyberattack/index.html
[From Dave Farber's IP and elsewhere] Sean Gallagher on Brian Krebs, 18 Mar 2013 Take a "booter" site survey, earn attacks like ones that targeted Ars, http://arstechnica.com/security/2013/03/details-on-the-denial-of-service-attack-that-targeted-ars-technica/ Last week, Security Editor Dan Goodin posted a story about the "swatting" of security reporter Brian Krebs and the denial of service attack on Krebs' site. Soon after, Ars was targeted by at least one of the individuals behind the Krebs attack. On Friday, at about noon Eastern Daylight Time, a denial of service attack struck our site, making connectivity to Ars problematic for a little less than two hours. The attack continued to run throughout Friday. At 9pm EDT, when our hosting provider brought down one of the filters that had been put in place to thwart it, it quickly became apparent that the attack was still underway, and the filter was restored. The most aggressive filters were finally removed on Saturday. At least in part, the offensive used the same attack tool and user credentials that were involved in the denial-of-service (DoS) attack on Krebs On Security, as Krebs himself revealed in a blog post. The attackers used multiple accounts on TwBooter, a "booter" site that provides denial of service attacks as a paid service (ostensibly for security testing purposes), to launch an automated, denial of service attack on Ars. And at least one of those logins was also used to attack Krebs' site. TwBooter masks all of the complexity of launching attacks against sites. Users of the site can, depending on how much they pay, launch up to three simultaneous automated attacks against sites through a simple Web interface. TwBooter users can even set up multiple accounts and fill up the queue of the service's "attack server." It doesn't cost much to get in on the ground floor with TwBooter—an account with rights to a single automated attack of up to 60 seconds in length is $10 for a month. 
This means you can launch as many 60 second attacks as you want, one at a time, all month long. The "license" to launch up to three attacks at a time of up to two hours duration is $169 a month -- but there's a 20 percent discount if you pay through Liberty Reserve instead of PayPal. There's also a free plan that allows for attacks up to 300 seconds long. That service requires users to pick an attack type from a pull-down menu in a Web form. PayPal payments for the site are routed to Sebastien Lariviere, a former IT technician for the county government (MRC) of Pierre-De Saurel in Quebec (now operating as Lariviere Security). Lariviere did not respond to e-mails from Ars for comment. Obviously, sites like TwBooter generate a lot of ill will and are ironically the target of DoS attacks themselves. Like many legitimate and "black hat" sites—such as the site exposed.su, a website that recently posted the personal information of many public figures—TwBooter runs behind the CloudFlare content delivery network as a way of shielding itself from attacks. TwBooter may not have been the only service used to launch the attacks on Ars and Krebs. "There are dozens of these booter services out there, most of them based on the same source code," Krebs told Ars. But Krebs received a tip pointing to a dump of TwBooter's customer database—openly accessible on the services' website. It's clear the TwBooter site was part of the attack. A snippet from the SQL dumps Krebs provided to Ars show that multiple attacks (including Slowloris, TCP amplification, and SYN flood attacks) were queued up by multiple accounts on the site. [...]
http://forum.icann.org/lists/comments-closed-generic-05feb13/pdfVMmmFgwpbw.pdf Disappointing - no sense that the DNS is problematic because it guarantees the Internet will unravel. How can we have any long term persistence when the very bonds that hold the Internet together are designed to melt away like surgical thread. I understand that ICANN profits from leasing our identities and thus has every incentive to continue this practice but where is the pushback for a problem so real and obvious? There are other issues in the document like the assumption that words can have persistent meaning out of context like "For example, when you go to a .map domain name you will be confident that you will see some sort of map." The Google search team knows how difficult it is to pin down meaning. But for the moment the high order bit is the lack of stable identifiers. Bob Frankston http://frankston.com
[FYI—Didn't Google just get into a heap of hot water over doing exactly the same thing with WiFi?] Scott MacFarlane, WPXI, 20 Mar 2013 TSA tested, scrapped program that tracked Bluetooth devices http://www.wpxi.com/news/news/local/tsa-tested-scrapped-program-tracked-bluetooth-devi/nWyfh/ Lines can be long at airport security. The Transportation Security Administration knows too. Documents obtained by Eyewitness News showed TSA tested a project to measure how long. Sensors in the terminal found Bluetooth devices, honed in on the signals and tracked how long it took people to get through security. An internal TSA document stated it worked by "detecting signals broadcast to the public by individual devices and calculating a wait time as the signal passes sensors positioned to cover the area in which passengers may wait in line." It said the information would be encrypted and destroyed within two hours to protect people's privacy. TSA tested the technology in 2012 in Las Vegas and Indianapolis, but bailed on it. "This is an expensive and needlessly complicated way of estimating wait times, compared with say a ticket agent writing the time at the front of the line," said Julian Sanchez, author of "Wiretapping the Internet." TSA has taken criticism in the recent months for its handling of passenger privacy, including enhanced pat downs and whole body scanners. A spokesman for the Association of Airline Passengers Rights said his group isn't comfortable with Bluetooth tracking and TSA has a history of saying it's keeping passenger information private and then changing its story. TSA documents show the agency considered posting warning signs alerting passengers that Bluetooth sensors were active, but officials didn't return comment when Eyewitness News asked if the signs were posted at the cities where the technology was tested. A spokesman confirmed they've scrapped the program before it became public.
"Adoption of this amendment is a gross intrusion into the widely-respected, independent scholarly agenda setting process at NSF that has supported our world-class national science enterprise for over sixty years," the association said in a statement. "The amendment creates an exceptionally dangerous slippery slope. While political science research is most immediately affected, at risk is any and all research in any and all disciplines funded by the NSF. The amendment makes all scientific research vulnerable to the whims of political pressure." http://j.mp/Z3sWWY (Huffington) - - - An information and research control abomination by the Senate, in the finest tradition of Stalinist thinking, Comrade Coburn.
This article reminded me of a wonderful historical episode described by Bazhanov - directly relevant to voting security. In the 1920s the Soviet citizens were divided into 2 classes: Party members, who enjoyed full democratic freedoms, and non-members, who were completely at the mercy of the political police. Policy decisions were made by party members by voting on a platform (the Central Committee platform vs the Opposition platform). So, each local organization voted on the issue and sent the results to the Central Committee, and these results were published in the official newspaper Pravda. Stalin, who, allegedly, later said that "it matters who counts the votes, not who votes", came up with a brilliant scheme: Pravda published all results as if they came in favor of the Central Committee platform. E.g., if the local organization A voted 11 votes for CC, 17 votes for Opposition and organization B voted 20 votes for CC and 12 votes for the Opposition, then B was reported as is and the votes in A were switched and reported as if 17 voted for CC and 11 for the Opposition. This way the appearance was that the Central Committee's platform was clearly more popular, and if the chief of A noticed the "typo" and complained, the next issue would carry a small apology (obviously not as prominent as the election results). This way the Party was constantly bombarded by "evidence" that the Central Committee's platform was more popular, which would swing the opportunist vote (also there was always a risk that the supporters of the Opposition might be expelled from the Party). Sam Steingold (http://sds.podval.org/) http://www.childpsy.net/ http://iris.org.il http://dhimmi.com http://www.PetitionOnline.com/tap12009/ http://pmw.org.il http://truepeace.org
As a postscript to Bruce Schneier's fascinating "Hacking the Papal Election" analysis (RISKS-27.20), I would add that it has been widely reported that Vatican authorities laid a false floor in the Sistine Chapel to cover electronic jamming equipment. This was intended to protect against electronic eavesdropping...or unauthorized Cardinal tweets. See: <http://www.theverge.com/2013/3/10/4086176/radio-jammers-in-the-sistine-chapel-will-protect-secrecy-of-papal>.
"Bob Frankston" <bob2-39@bobf.frankston.com>
> I'm not sure what the worry is since we are collecting much of this
> already.

Steve Loughran <steve.loughran@gmail.com> writes:
> In Risks 27.19, Dag-Erling Smorgrav considers the fact that the Boeing
> 787s will generate 0.5TB of data per flight, and asks "what could
> possibly go wrong"?

You both missed the most important part of the quote I provided: "every piece of that plane has an Internet connection" I sincerely hope Bulman misspoke, and that these devices are in fact connected to a closed network, although that is no guarantee in itself.

Dag-Erling Smørgrav - des@des.no
If the half-terabyte of data per Boeing 787 flight is going to be used for anything important, I'd want it to be kept forensically secure, certain that the data kept are the data gathered, unmodified. And that, I think, is a solvable problem. I'd say the same should go for any important black box data, including cars and trains.
The only surprise here is that anyone should consider this news. And you don't need an expensive 3D printer and the complex software and know-how to operate it to create a prosthesis. In this case, I suspect they just took casts (since they were impersonating accomplices rather than victims). However, given a good copy of the victim's fingerprint, a hundred dollars' worth of hobby electronics supplies and a teaspoon of liquid latex, you can trivially create a piece of prosthetic skin which, when glued onto your own finger, will fool fingerprint scanners with liveness detection. Allegedly, some scanners can even be defeated by pressing a balloon filled with warm water onto the sensor plate, causing it to scan the latent fingerprint left behind by the previous user... Dag-Erling Smørgrav - des@des.no
Both Senator Cornyn and Ted Samson at InfoWorld display a marked lack of understanding in how sentencing for federal criminal convictions works. The news media is very bad about this in general, and has been very bad about it specifically with regards to the Aaron Swartz case. Ken White at the Popehat blog wrote a clear, detailed explanation of how sentencing works and why it's almost always completely bogus to look at the maximum possible sentences for all of the crimes someone has been indicted for, add them all together, and pretend the total bears any relation whatsoever to how long the defendant's sentence will actually be if s/he is convicted. This is required reading for anyone who wants to be an educated news consumer who deals in facts rather than baseless hyperbole: http://www.popehat.com/2013/02/05/crime-whale-sushi-sentence-eleventy-million-years/
[Relatively self-contained response to a message in Dave Farber's IP distribution.] Not sure what the surprise here is. If you don't control your information, you don't *control* your information. That's why I waited for Palm when many others were using dedicated phonebook/note devices - it was open enough that I could backup and view the info. When Palm went to a cloud-only solution, I switched to the iPhone. I bought ToDo for it to manage reminders because Apple won't back them up locally; when an update to ToDo required cloud-backup, I ceased tracking updates.