Kate Dailey, BBC News Magazine, 17 April 2013

More personal videos are being shot now than ever before, and such footage could help identify the Boston Marathon bomber[s]. But how is that footage processed - and could civilians really solve the crime?

There was the marathon runner closing in on the finish line, and the businessman with offices in a prime position over Boylston Street. And there were thousands of others crowding the last stretch of the Boston Marathon, all capturing the events before and after the bombs exploded.

"The reality is with the number of people who are carrying with them the equivalent of a video camera, history is being documented by millions of people every day," says Karen North, director of University of Southern California's Annenberg Program on online communities.

In just over a decade, she says, the amount of video being shot by amateurs has increased dramatically - and so too, has the evidence available to law enforcement officials. ...

http://www.bbc.co.uk/news/magazine-22191029
Online morons nearly ruin innocent lives after Boston bombings (*New York Post*, 18 Apr 2013)

How the Internet Accused a High School Student of Terrorism: "Online sleuths thought they nailed two suspects in the Boston bombing—and there they were on the cover of the *New York Post* the next day. But now everyone's backpedaling in a big way."
http://j.mp/17sAfJA (Daily Beast)

[Paul Saffo noted to me some remarkable annotated by-stander footage before and after the Boston Marathon bombing: http://imgur.com/a/sUrnA He later noted that "Now people are photoshopping pics with the FBI's suspects in them..." PGN]

http://gawker.com/5995025/did-reddits-boston-bomber-sleuthing-actually-turn-up-a-decent-piece-of-evidence-update?tag=marathon-bombing
*Wall Street Journal*, 17 Apr 2013, Geoffrey A. Fowler, Joel Schectman [via ACM TechNews, 19 Apr 2013]

The proliferation of surveillance technology to popular commercial products such as smartphones is proving to be a boon for criminal investigations, as evidenced by the U.S. Federal Bureau of Investigation using video surveillance from department store and restaurant cameras, along with photos from citizens, news organizations, and others, to help identify a suspicious individual at the Boston Marathon. Forrester Research says video surveillance technologies have been adopted by 68 percent of public-sector and 59 percent of private-sector companies, with another 9 percent planning to adopt them in the next two years. Furthermore, more than 1 billion people now own camera-equipped, Web-linked smartphones.

Integrating forensic data from professional and personal sources has helped with earlier investigations, although a lack of full-frontal images makes facial recognition problematic in large probes. Moreover, collecting and sifting through the data is a major challenge, as Boston has one of 77 nationwide intelligence fusion centers used to pool data and conduct analysis, notes the Northern California Regional Intelligence Center's Mike Sena. Meanwhile, researchers at Boston's Northeastern University have organized a 10-person social media research team to run a project that would let people upload video from the marathon bombing to tag clues.

http://online.wsj.com/article/SB10001424127887324763404578429220091342796.html

[This morning's news media report the seemingly definitive identification of the two suspected brothers, the shooting of one, and the manhunt in progress for the other. Not quite incidentally, some analysts report a considerable increase in popular acceptance of ubiquitous surveillance -- despite the privacy implications frequently discussed in RISKS. PGN]
The Shame of Boston's Wireless Woes
Anthony Townsend, The Atlantic Cities, 17 Apr 2013
http://www.theatlanticcities.com/technology/2013/04/shame-bostons-wireless-woes/5320/

Almost immediately after Monday's tragic bombings at the Boston Marathon, the city's cellular networks collapsed. The Associated Press initially reported what many of us suspected, that law enforcement officials had requested a communications blackout to prevent the remote detonation of additional explosives. But the claim was soon redacted as the truth became clear. It didn't take government fiat to shut down the cellular networks. They fell apart all on their own.

As cell service sputtered under a surge of calls, runners were left in the dark, families couldn't reach loved ones, and even investigators were stymied in making calls related to their pursuit of suspects. Admirably, Boston residents and businesses responded quickly by opening up Wi-Fi hotspots to help evacuees communicate with loved ones. But most, even the super-connected elite, were knocked offline.

As his Twitter followers know, it took Dennis Crowley, a Massachusetts native and CEO of New York City-based social network Foursquare, an hour to reunite with his fiancée and family, who were scattered around the finish line as the bombs went off. Their reunion was coordinated by a handful of SMS messages he was able to squeeze through the crippled network. He also reported helping several stunned senior citizens discover the value of their own phones' texting functions for the first time.

We shouldn't be surprised by the collapse of Boston's cellular networks. The same thing happens every time there is a crisis in a large city. On an average day, Americans make nearly 400,000 emergency 911 calls on their mobile phones. Yet during large-scale crises this vital lifeline is all-too-frequently cut off. The culprit is usually congestion.
During a disaster, call volumes spike and overwhelm the over-subscribed capacity of wireless carriers' networks. On September 11, 2001, fewer than 1 in 20 mobile phone calls in New York City was connected. The same thing happened after the August 2011 earthquake that shook the East Coast. And on Monday, in Boston.

But, as we learned in the aftermath of Hurricane Sandy, wireless carriers have also neglected to harden their networks against extended losses of electrical power. Thousands of towers were knocked offline in the New York region alone when backup batteries failed. Yet as a member of Governor Andrew Cuomo's NYS Ready Commission this fall, I was stunned to learn that wireless carriers had never formally discussed plans with the region's electric utilities to restore power to cell sites after a major disaster.

The loss of vital wireless communications during disasters is all the more dismaying because it is largely preventable. After 9/11 a system was put in place to give government officials priority access to cellular channels during periods of high demand (though it requires pre-registration and that a special code be used when dialing). In the wake of Sandy, New York Senator Charles Schumer called for stricter federal oversight of backup power and landline network connections for cell sites. Yet these reforms have been stalled by industry lobbying.

Lacking a redundant cellular system, Americans will continue to resort to the century-old technology of amateur radio for lifeline communications during and after large disasters. In Boston, this technology is still widely used during the marathon because of past experience with cellular traffic jams.

With over 320 million active wireless subscriber connections, Americans are a fully untethered people. Our smart phones keep our complicated lives choreographed across the sprawling metropolitan areas we inhabit.
Psychologists and sociologists have found that we think of these devices as extensions of our bodies and minds. In Boston, this was all too apparent. Even when runners, whose mobile batteries were drained after the long run, could locate a phone, they couldn't recall what numbers to dial, having long ago given up memorizing phone numbers in favor of their smart phone's electronic address book. [snip]

Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>
American Airlines had to ground all its flights across the US for several hours on Tuesday due to a fault with its computerized reservation system. The carrier halted all departures from about 13:30 ET (18:30 GMT), saying that it was working "to resolve this issue as quickly as we can". [Source: BBC News Business: 17 Apr 2013]

[Gene Wirchenko noted an article by Ashley Halsey III in *The Washington Post* giving the number 900 for flights grounded. PGN]
http://www.washingtonpost.com/local/trafficandcommuting/computer-problem-grounds-american-airlines/2013/04/16/75d4c410-a6d3-11e2-a8e2-5b98cb59187f_story.html

[Bob Heuman noted a Fox News report that "American Airlines has fixed the computer glitch but not told anyone precisely what happened." PGN]
http://www.foxnews.com/us/2013/04/16/american-airlines-reservations-system-down-flights-grounded-nationwide/
The Constitution forbids manual recounting of votes in a Presidential Election

You can read the full article, but the following is a quick summary of what I consider a risk we have discussed forever and a load of bull.... if they have really implemented a system that makes manual checking impossible.

CARACAS, 17 Apr 2013 (Xinhua)—Manual vote counting is not possible in Venezuela, the president of the Supreme Court said Wednesday amid the opposition's request for an audit. "The electoral system is fully automated, so there is no manual counting. Anyone who thought that could really happen has been deceived," Luisa Estella Morales said at a press conference. Manual counting was canceled in Venezuela by the 1999 constitution, she said, adding [that] the majority of those asking for a manual count know it.
http://news.xinhuanet.com/english/world/2013-04/18/c_132319635.htm

R. S. (Bob) Heuman, North York, ON, Canada
Reclaiming the American Republic from the corruption of election funding
April 3, 2013
http://www.kurzweilai.net/reclaiming-the-american-republic-from-the-corruption-of-election-funding

There is a corruption at the heart of American politics, caused by the dependence of Congressional candidates on funding from the tiniest percentage of citizens. That's the argument at the core of a new just-posted TED talk by legal scholar Lawrence Lessig... "He shows how the funding process weakens the Republic in the most fundamental way, and issues a rallying bipartisan cry that will resonate with many in the U.S. and beyond," says TED Curator Chris Anderson.

Lawrence Lessig has already transformed intellectual-property law with his Creative Commons innovation. Now he's focused on an even bigger problem: The U.S.'s broken political system. TED is also introducing a media innovation, simultaneously launching a TED-talk video and accompanying TED Book, LESTERLAND: The Corruption of Congress and How To End It, which outlines the path to a solution in much greater detail.

Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>
Joe Weisenthal, *Business Insider*, 17 Apr 2013
http://www.businessinsider.com/reinhart-and-rogoff-admit-excel-blunder-2013-4

The big talk in the world of economics continues to be the famous study by Carmen Reinhart and Ken Rogoff, which claimed that as countries see debt/GDP going above 90%, growth slows dramatically. Economists have always been skeptical of the correlation/causality on this. But yesterday, a new study emerged which claimed that Reinhart and Rogoff used a faulty dataset to make that claim and (most stunningly) had an Excel error that exacerbated the growth dropoff for countries with debt/GDP higher than 90%.

After the report dropped (and proceeded to blow up the Internet), Reinhart and Rogoff rushed out a quick statement claiming that the new study (which was done by some UMass professors) supported their thesis that growth slowed as debt to GDP got higher. And Reinhart and Rogoff were quick to reiterate that even they weren't necessarily implying causation on this (which may be true, but the fact that they say this is not well known to the politicians who are always citing the dreaded 90% level).

But in a new response, Reinhart and Rogoff admit they did make an Excel blunder, and that it mattered! Here's the key part:...

http://geoff.livejournal.com * Geoff@iconia.com
An error in a formula in an Excel spreadsheet seems to have led to some incorrect results about the effects of government debt, and thereby may have affected economic policy. The error, which was in a formula developed by the authors of a key paper and not in the Excel software itself, was that a cell contained the formula AVERAGE(L30:L44) where it should have said AVERAGE(L30:L49). The error led to a small but significant discrepancy in conclusions, although the authors of the original paper are disputing how important the error is. Perhaps we need methods for spreadsheet assurance, just as we need methods for assuring the security and reliability of our operating systems and applications?

WashPost: "The paper in question is Carmen Reinhart and Kenneth Rogoff's famous 2010 study—Growth in a Time of Debt—which found that economic growth severely suffers when a country's public debt level reaches 90 percent of GDP."

A further description and a rebuttal by Reinhart & Rogoff can be found at
http://www.washingtonpost.com/blogs/wonkblog/wp/2013/04/16/is-the-best-evidence-for-austerity-based-on-an-excel-spreadsheet-error/

Another article (http://blogs.marketwatch.com/thetell/2013/04/16/the-spreadsheet-error-in-reinhart-and-rogoffs-famous-paper-on-debt-sustainability/) notes "Reinhart and Rogoff are not the only people to have difficulty navigating the Microsoft product. One of the reasons behind the so-called London Whale incident at J.P. Morgan, in which the bank took a $6.2 billion trading loss, was a spreadsheet error in their model."
In today's *New York Magazine*, Thomas Herndon explains how he found a problem with Reinhart and Rogoff's work that has been used as a basis for austerity spending by governments. "I clicked on cell L51, and saw that they had only averaged rows 30 through 44, instead of rows 30 through 49." Given the economic damage done by austerity spending over the past few years, this is quite likely by far the most expensive programming error ever made.
http://nymag.com/daily/intelligencer/2013/04/grad-student-who-shook-global-austerity-movement.html
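The kind of spreadsheet assurance check the two items above ask for, as an added example that is not from either article or from the paper in question: it audits a single-column range formula against the contiguous block of numeric data it sits in and reports the cells left out. The sheet is constructed for the example (made-up growth figures); its only resemblance to the original is that cell L51 averages L30:L44 while the data runs from row 30 to row 49.

```python
import re
from statistics import mean

# Constructed mini-sheet standing in for the spreadsheet under review. Column L
# holds one growth figure per row 30..49 (values invented for this example),
# and cell L51 holds the formula that averages them.
GROWTH = [1.0, 2.0, 3.0] * 5 + [4.0] * 5          # 20 constructed data points
SHEET = {"L29": "growth (%)"}                      # a text header, not data
SHEET.update({f"L{30 + i}": v for i, v in enumerate(GROWTH)})
SHEET["L51"] = "=AVERAGE(L30:L44)"                 # the formula under review

# Single-column range formula, e.g. AVERAGE(L30:L44) or SUM(B2:B9).
RANGE_RE = re.compile(
    r"^(?P<fn>[A-Z]+)\((?P<c1>[A-Z]+)(?P<r1>\d+):(?P<c2>[A-Z]+)(?P<r2>\d+)\)$"
)
AGGREGATES = {"AVERAGE": mean, "SUM": sum, "MIN": min, "MAX": max}


def parse_range_formula(formula):
    """Return (function, column, first_row, last_row); a leading '=' is allowed."""
    m = RANGE_RE.match(formula.lstrip("="))
    if not m or m["c1"] != m["c2"]:
        raise ValueError(f"unsupported formula: {formula!r}")
    return m["fn"], m["c1"], int(m["r1"]), int(m["r2"])


def populated_rows(sheet, column):
    """Rows of `column` holding a number (blank cells, text and formulas are skipped)."""
    rows = []
    for ref, val in sheet.items():
        m = re.fullmatch(rf"{column}(\d+)", ref)
        if m and isinstance(val, (int, float)):
            rows.append(int(m[1]))
    return sorted(rows)


def evaluate(sheet, fn, column, first, last):
    """Apply the spreadsheet aggregate `fn` to the numeric cells of the range."""
    vals = [sheet[f"{column}{r}"] for r in range(first, last + 1)
            if isinstance(sheet.get(f"{column}{r}"), (int, float))]
    return AGGREGATES[fn](vals)


def check_range_coverage(sheet, cell):
    """Audit the range formula in `cell`: find the contiguous block of numeric
    cells the range sits in, list any block cells the range leaves out, and
    give the value as written next to the value over the whole block."""
    fn, col, r1, r2 = parse_range_formula(sheet[cell])
    present = set(populated_rows(sheet, col))
    lo, hi = r1, r2
    while lo - 1 in present:      # extend upward to the top of the data block
        lo -= 1
    while hi + 1 in present:      # extend downward to the bottom of the block
        hi += 1
    omitted = [f"{col}{r}" for r in range(lo, hi + 1)
               if r in present and not r1 <= r <= r2]
    return {
        "function": fn,
        "range": f"{col}{r1}:{col}{r2}",
        "block": f"{col}{lo}:{col}{hi}",
        "omitted": omitted,
        "value_as_written": evaluate(sheet, fn, col, r1, r2),
        "value_over_block": evaluate(sheet, fn, col, lo, hi),
    }


if __name__ == "__main__":
    print(check_range_coverage(SHEET, "L51"))
```

On the constructed sheet the report names L45 through L49 as omitted and shows the average moving from 2.0 to 2.5; the same check passes cleanly once L51 reads AVERAGE(L30:L49).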
Quite apart from being "clumsy" with their Excel model, they forgot the first rule of research: correlation does not imply causation. So when are they going to resign, and when are the various central bankers who used their model to impose austerity going to change tack? Or will they just brush it aside and get on with screwing the working man?
Stacey Higginbotham, Google's Vint Cerf Explains How to Make SDN as Successful as the Internet (GigaOm.com), 16 Apr 2013

Google chief Internet evangelist and ACM president Vint Cerf believes that software defined networking (SDN) could benefit from some of the Internet's design flaws and lessons learned in creating the Internet. For example, open standards should be implemented, with differentiation stemming from branded versions of standard protocols rather than from patented protocols. Interoperability is essential for stable networks, and that requires standards, notes Cerf. As companies create SDNs, they also should take into account the successful design features of the Internet, including the loose pairing of underlying equipment instead of a heavily integrated solution, the modular approach, and open source technologies.

However, he says SDNs can improve on the Internet's traffic routing, which now relies on sending packets to a physical port. Instead of this physical port, the OpenFlow protocol changes the destination address to a table entry, enabling a new type of networking that is better suited to the collaborative Web of the future. Another option could be content-based routing, in which the content of a packet determines its destiny. SDN's basic principle, dividing the control plane and the data plane, should have been incorporated into the Internet's design, Cerf notes. In the future, SDN could improve controlled access to intellectual property to help prevent piracy, and could bring together various existing networks.

http://gigaom.com/2013/04/16/googles-vint-cerf-explains-how-to-make-sdn-as-successful-as-the-internet/
"The Internet was one of the greatest disasters to befall mankind. Now its survivors share their experiences of the tragedy." http://j.mp/14A3HBy (YouTube via NNSquad) [Caution: Grain of Salt required. PGN]
The average bandwidth seen in distributed denial-of-service (DDoS) attacks has recently increased by a factor of seven, jumping from 6 Gbps to 48 Gbps. Furthermore, 10% of DDoS attacks now exceed 60 Gbps. Those findings come from a new report released Wednesday by DDoS mitigation service provider Prolexic Technologies, which saw across-the-board increases in DDoS attack metrics involving the company's customers...

http://www.prolexic.com/knowledge-center-ddos-attack-report-2013-q1.html
http://www.informationweek.com/security/attacks/ddos-attack-bandwidth-jumps-718/240153084

http://geoff.livejournal.com * Geoff@iconia.com
Jordan Graham, *Boston Herald*, 7 Apr 2013
90 Framingham students displaced

An overheated laptop burst into flames inside a Framingham State University dorm room Friday in what officials warn is the latest in a string of computer-related fires. Firefighters also were called to a blaze caused by a laptop in Western Massachusetts several weeks ago, and crews declared a Milford home a total loss two weeks ago after an unattended laptop left on some cardboard sparked an inferno, State Fire Marshal Stephen D. Coan said. ...
http://bostonherald.com/news_opinion/local_coverage/2013/04/laptop_goes_up_in_flames
Here's a screed I wrote for a journalist who asked "how do you code a secure system."

First, you don't code secure systems, you design them. All the important stuff takes place at a level of abstraction above that of coding. Once you have a design you have internalized both your problem and your solution. Coding is then mechanical, and code verification will be straightforward.

So how do you get a design? Start by studying exploits that have defeated the kinds of systems you're interested in. The various development life cycles attempt to sanitize the inherently dirty and reactive business of secure systems design. The late Rick Proto, who retired as the director of research for the National Security Agency, said it best: "Theories of Security come from Theories of Insecurity." Or, in my favorite quote from Seneca, "There is a great deal of difference between a person who chooses not to sin and one who doesn't know how."

Your goal in this phase is to become like Sherlock Holmes and have a first-class criminal mind without a criminal temperament. Being a good guy who thinks like a bad guy lets you have all the intellectual fun without running the risk of coming to a sticky end.

Your study of exploits should focus on forming Theories of Insecurity, factors that are common to whole classes of exploits. Stack games are a well known example. A good approach is to analyze exploits using the "bindings model." A binding is an important association between two values. For example, a system may maintain a binding between a user name and a set of privileges. A second binding may be between that user name and a human being. Important systems decisions may assume that both bindings are valuable, i.e., my access to my files. Exploits then can be characterized as breaking or forging significant bindings. Looking at things this way will get you familiar with two valuable concepts: bindings and dependencies.

After you've developed your Theories of Insecurity you then invert them to form your Theories of Security. If you're up on your systems engineering (which you should be) then the Theories of Security are, in effect, the specifications of the desired emergent properties of your system. They will almost all be expressed as negatives, that is, things that aren't supposed to happen. As such they will not be testable and must be verified (as far as possible) by analytic methods. What you've done so far will provide the basis for your analysis plan.

Your object, and the best you can probably do, is to force attackers to expend the resources to come up with a new class of exploit, instead of sticking it to you by putting a systems-specific spin on something they already know how to do.

And of course you have to do the functional requirements, the stuff that pays the rent, whatever problem your system is supposed to solve while being secure. Then you go through the design process du jour and come up with a modular decomposition in the descriptive notation du jour and submit progress reports in the life cycle process du jour to keep the marketeers and spreadsheet jockeys happy. To keep yourself up on progress I strongly recommend the use of Earned Value Management, which you can implement with a sheet of graph paper you keep up on a nearby bulletin board.

Within all this you submit your design to an intensive analysis from every direction you can think of. As a minimum you should understand how it enforces critical bindings and you should also construct a dependency diagram. This is a tree based on the "uses" concept Dave Parnas came up with 40 years ago or so. Module A "uses" Module B if the correctness of A depends on the correctness of B. Modules at the bottom (those that lots of things depend on) should be scheduled for extra scrutiny in the implementation stage. Circularities in the diagram are deadly. These are spots where A depends on B and B depends on A. A circularity means your modularity is an illusion; A and B are actually one "blob."

After you've got the cleanest design you can devise it's just a problem of pounding code in the implementation language du jour and integrating. The motto of the integration team should be "integrate early, integrate often." Put stuff together as soon as it's ready and feed it test cases that only touch the modules you have. When it all works you have the victory celebration and deploy.

Sooner or later you're going to get whacked. First thing you do after rolling the alert PR squadron is to analyze the exploit (which you should be good at by now) and determine if it is a variation on a class you thought you handled or something completely different. If it's a variation on a class you thought you handled then the chances are good there's a low-level coding flaw that can be patched. If it's something completely different then it's time for Rev 2, starting with a rethink of your Theory of Security and going all the way down to code. And so it goes, round and round, white hats vs. black hats. Computer security fits the description a diplomat once gave of diplomacy: all you do is buy time, and if you buy enough time you get to die in bed and it becomes somebody else's problem :-)
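The dependency-diagram analysis the screed describes, as an added example that is not the author's: it computes the transitive Parnas "uses" relation over a constructed module graph (the module names are invented), reports circularities as the single blobs they really form, and ranks the bottom-of-tree modules that deserve extra scrutiny. A second, hypothetical graph with the circularity removed shows what the fixed design looks like.

```python
# Constructed "uses" relation for a hypothetical design: A uses B when the
# correctness of A depends on the correctness of B. Module names are invented.
USES = {
    "web_ui": ["session_mgr", "authz"],
    "session_mgr": ["crypto", "clock", "authz"],   # authz <-> session_mgr circularity
    "authz": ["user_db", "session_mgr"],
    "user_db": ["crypto"],
    "crypto": [],
    "clock": [],
}

# The same design with the circularity broken: session_mgr no longer uses authz.
FIXED = dict(USES, session_mgr=["crypto", "clock"])


def transitive_uses(uses):
    """For every module, the set of modules it depends on directly or transitively."""
    def reach(start):
        seen, stack = set(), list(uses.get(start, []))
        while stack:
            m = stack.pop()
            if m not in seen:
                seen.add(m)
                stack.extend(uses.get(m, []))
        return seen
    modules = set(uses) | {m for deps in uses.values() for m in deps}
    return {m: reach(m) for m in modules}


def blobs(uses):
    """Groups of modules that depend on each other through a cycle. Each group
    is really one 'blob': its apparent modularity is an illusion."""
    closure = transitive_uses(uses)
    groups, assigned = [], set()
    for m in sorted(closure):
        if m in closure[m] and m not in assigned:      # m reaches itself: a cycle
            group = {m} | {n for n in closure[m] if m in closure[n]}
            groups.append(tuple(sorted(group)))
            assigned |= group
    return groups


def scrutiny_order(uses):
    """Modules ranked by how many others depend on them (transitively, not
    counting themselves). The head of the list is the bottom of the dependency
    tree: the modules whose implementation warrants the most review."""
    closure = transitive_uses(uses)
    dependents = {m: 0 for m in closure}
    for m, deps in closure.items():
        for n in deps:
            if n != m:
                dependents[n] += 1
    return sorted(dependents.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("blobs:", blobs(USES))
    print("scrutiny order:", scrutiny_order(USES))
    print("blobs after fix:", blobs(FIXED))
```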
Fake followers and fake retweets have become a large and growing market.

"There are now more than two dozen services that sell fake Twitter accounts, but Mr. Stroppa and Mr. De Micheli said they limited themselves to the most popular networks, forums and Web sites, which include Fiverr, SeoClerks, InterTwitter, FanMeNow, LikedSocial, SocialPresence and Viral Media Boost. Based on the number of accounts for sale through those services -- and eliminating overlapping accounts—they estimate that there are now as many as 20 million fake follower accounts."
http://bits.blogs.nytimes.com/2013/04/05/fake-twitter-followers-becomes-multimillion-dollar-business/

As the technology of software to create and manage large numbers of fake entities is refined, how will people discern real from fake? They won't, and a putative Twitter follower will have as little value as a review on Yelp.
http://j.mp/16C8Cxn (Wikimedia France)

"Unhappy with the Foundation's answer, the DCRI summoned a Wikipedia volunteer in their offices on April 4th. This volunteer, who was one of those having access to the tools that allow the deletion of pages, was forced to delete the article while in the DCRI offices, on the understanding that he would have been held in custody and prosecuted if he did not comply. Under pressure, he had no other choice than to delete the article, despite explaining to the DCRI this is not how Wikipedia works. He warned the other sysops that trying to undelete the article would engage their responsibility before the law. This volunteer had no link with that article, having never edited it and not even knowing of its existence before entering the DCRI offices. He was chosen and summoned because he was easily identifiable, given his regular promotional actions of Wikipedia and Wikimedia projects in France."

The return of "Vichy France" mentalities, apparently.
Here is apparently an English language version of the article that France attempted to censor with threats:
http://j.mp/16CbqKF (Google+)

This apparently is a newly translated version of the French Wikipedia article that France attempted to censor by threatening a non-associated Wikipedia volunteer in France. And it wasn't lobbying—it was direct threats. (English and French material.)

"Streisand Effect" fully engaged.
I just received an e-mail on 11 April from AMEX touting a few current offers, but the name in the message was not mine—luckily the final digits *were* from my card, though it could also have been his and, though unlikely, just happened to be the same. When I contacted AMEX about it I received the following:

- ------
Dear Cardmember,

On the 11th April 2013 you received an e-mail from us entitled 'Enjoy more rewards in more places'. Due to a technical issue this e-mail was incorrectly addressed. We confirm this e-mail and the offers enclosed were intended for you.

We would also like to assure you that your privacy and security has not been compromised in any way. We would like to sincerely apologise for any confusion this may have caused to you.

Yours sincerely,
American Express Australia
- ------

This apparently went out to everyone who received the original message. The real problem for me was the lack of awareness on the part of the person with whom I spoke at AMEX. It took a long time to convince them that this sort of stuff-up is a real problem. I'm also not completely convinced of the statements in the second paragraph.