NSF's review system has a method for program officers to redact text from reviews prior to their release to the person who submitted the proposal (*). I discovered today that it can accidentally get triggered - if the characters <<% are in the review, the following text is redacted. Of course the reviewer who submits a review with these characters doesn't get a warning, which isn't documented. The program officer indirectly gets a warning, in the fact that the text in the review is cut off, but can't tell the system "no, this really isn't a redaction". Of course any form of special sequences is potentially problematical, and the number of errors caused by lack of escaping such sequences is probably uncountably infinite. And yes, I discovered this because a reviewer used that string, and I didn't notice the excised text because I had read the review through a different interface that doesn't excise it. (*) If you're not familiar with the NSF process, consider this to be equivalent to a program chair releasing anonymized reviews written by program committee members to the authors of a paper. [Excise tacks on more problems? PGN]
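The failure described above, modelled in code as an added example (this is not NSF's software; the closing marker `%>>`, the backslash escape and the function names are assumptions). The first function reproduces the behaviour the item reports, where everything after `<<%` silently disappears; the second shows the design a reviewer-facing system would want instead: a balanced directive, an escape for the literal characters, and a list of warnings so that neither the reviewer nor the program officer has to discover the truncation by accident.

```python
"""Redaction markers in free text: silent prefix truncation beside a
delimited, escapable variant that reports what it did.  Added example;
'<<%' is the marker from the item, the rest of the syntax is assumed."""

REDACT_OPEN = "<<%"    # marker quoted in the RISKS item
REDACT_CLOSE = "%>>"   # assumed closing marker (hypothetical)
ESCAPE = "\\"          # assumed escape prefix (hypothetical)


def redact_prefix_style(text):
    """Model of the reported behaviour: drop everything after the first
    '<<%', whether or not the reviewer meant it as a directive."""
    idx = text.find(REDACT_OPEN)
    return text if idx < 0 else text[:idx]


def redact_delimited(text):
    """Safer variant.  Only a balanced '<<% ... %>>' span is redacted;
    '\\<<%' yields the literal characters; an unterminated marker is kept
    as text.  Returns (output, warnings) so the result is never silent."""
    out, warnings = [], []
    i, n = 0, len(text)
    while i < n:
        if text.startswith(ESCAPE + REDACT_OPEN, i):
            # Escaped marker: emit the literal characters.
            out.append(REDACT_OPEN)
            i += len(ESCAPE) + len(REDACT_OPEN)
        elif text.startswith(REDACT_OPEN, i):
            end = text.find(REDACT_CLOSE, i + len(REDACT_OPEN))
            if end < 0:
                warnings.append(
                    f"unterminated {REDACT_OPEN} at offset {i}; kept as literal text")
                out.append(REDACT_OPEN)
                i += len(REDACT_OPEN)
            else:
                hidden = end - i - len(REDACT_OPEN)
                warnings.append(f"redacted {hidden} characters at offset {i}")
                out.append("[REDACTED]")
                i = end + len(REDACT_CLOSE)
        else:
            out.append(text[i])
            i += 1
    return "".join(out), warnings


# Constructed sample reviews (not real NSF reviews).
ACCIDENTAL = "Method is sound; note x <<% y. Budget is high."
INTENDED = "Reviewer is <<%Dr. X%>> from Y."
ESCAPED = "The string \\<<% appears in the code."

if __name__ == "__main__":
    print(redact_prefix_style(ACCIDENTAL))   # author's sentence truncated
    for sample in (ACCIDENTAL, INTENDED, ESCAPED):
        text, warns = redact_delimited(sample)
        print(text, warns)
```

Running it shows the accidental case losing the whole second half of the review under the prefix rule, while the delimited rule keeps the text and returns a warning the interface can surface to both parties.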
Marc Caputo and Patricia Mazzei (mcaputo@miamiherald.com) http://www.miamiherald.com/2013/06/15/3453770/online-ballot-fraud-marks-the.html The election scandal dogging Congressman Joe Garcia's campaign and two state House races makes it clear: Computer techies are supplementing old-school, block-walking ballot-brokers known as boleteras. Over just a few days last July, at least two groups of schemers used computers traced to Miami, India and the United Kingdom to fraudulently request the ballots of 2,046 Miami-Dade voters. Garcia said he knew nothing of the plot that recently implicated three former campaign workers, two employed in his congressional office. Investigators, meanwhile, have hit a dead end with a larger fraud involving two state House races. A third incident cropped up Thursday in Miami's mayoral race, but the case appears unrelated to last year's fraud when two groups appeared to act separately from each other. They employed different tactics to target different types of voters, a University of Florida/Miami Herald analysis of election data indicates. The ultimate goal was the same: get mail-in ballots into the hands of voters, a job that many boleteras once handled on the streets of Miami-Dade. Now, it's electronic. [...]
"A German bank employee accidentally transferred 222,222,222.222 euros ($295 million) from a customer's account when he fell asleep at his computer." http://finance.yahoo.com/news/asleep-job-bankers-million-dollar-114949290.html [ZZZZZZZZZZZZ? PGN]
FDA has issued a draft guidance document on cybersecurity for medical devices and hospital networks after several years of growing concern, punctuated by a recent discovery of 300 hard coded passwords across more than 50 medical device manufacturers. In other words, manufacturers have been warned to improve the trustworthiness of medical device software. The normally staid agency is unusually blunt in its recommendations and assessment. Public comment is accepted for 90 days. http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf Further details appear on: http://blog.secure-medicine.org/2013/06/fda-publishes-draft-guidance-on-medical.html Kevin Fu, Associate Professor, EECS Department, The University of Michigan kevinfu@umich.edu, http://spqr.eecs.umich.edu/, 616-594-0385
I have never seen this on a risk register ... It sounds incredible. Could it be true? Martyn An Australian man built up so much static electricity in his clothes as he walked that he burned carpets, melted plastic and sparked a mass evacuation. Frank Clewer, of the western Victorian city of Warrnambool, was wearing a synthetic nylon jacket and a woolen shirt when he went for a job interview. As he walked into the building, the carpet ignited from the 40,000 volts of static electricity that had built up.... ... ... http://news.bbc.co.uk/1/hi/4252692.stm
One Amazing Thing I've Seen or Done http://www.couchsurfing.org/people/emiliemiao/ says I am always terrible with directions. there was this one time when I went to visit my friend in another city. I got lost the moment I got off the taxi. my friend tried her best to guide me via phone yet failed. but I finally found her apartment building all by myself when wandering in that big community, cos my phone got connected to her wifi when approaching that building!
This is interesting: One of my machines got a probe last week, looking for a vulnerable PHP script. Here's the relevant log line:

> 50.16.166.199 - - [12/Jun/2013:01:11:13 -0700] "HEAD /wp-login.php HTTP/1.1" 404 - "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

It's not very interesting that they're masquerading as the googlebot, as if Google would ever use HEAD requests. What *is* interesting is the IP address:

% host 50.16.166.199
199.166.16.50.in-addr.arpa domain name pointer ec2-50-16-166-199.compute-1.amazonaws.com.

So the bad guys are either cracking Amazon Web Services virtual machines, or renting them. Probably the former... Geoff Kuenning geoff@cs.hmc.edu http://www.cs.hmc.edu/~geoff/
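The check Geoff performed by hand, turned into a small triage script as an added example (not his tooling). It parses Apache/nginx combined-format log lines, picks out requests whose User-Agent claims to be Googlebot, and applies Google's published verification rule: the reverse (PTR) name of the client IP must end in googlebot.com or google.com, and a forward lookup of that name must return the same IP. The DNS answers are stubbed so the example runs offline; the EC2 PTR is the one shown in the item, the googlebot.com one and the second log line are constructed, and the helper names are assumptions.

```python
"""Verify 'Googlebot' claims in web server logs by reverse + forward DNS.
Added example; LOG_RE, triage() and the stub resolvers are assumptions."""
import ipaddress
import re
import socket

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the line quoted in the item, plus one plausible
# genuine crawler hit for contrast.
SAMPLE_LOG = [
    '50.16.166.199 - - [12/Jun/2013:01:11:13 -0700] "HEAD /wp-login.php HTTP/1.1" '
    '404 - "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"',
    '66.249.66.1 - - [12/Jun/2013:01:12:40 -0700] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

# Stub DNS data so the example runs offline.  The EC2 PTR is the one from
# the item; the googlebot.com entry is a constructed stand-in.
STUB_PTR = {
    "50.16.166.199": "ec2-50-16-166-199.compute-1.amazonaws.com",
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
}
STUB_A = {name: ip for ip, name in STUB_PTR.items()}


def stub_ptr(ip):
    try:
        return STUB_PTR[ip]
    except KeyError:
        raise OSError("no PTR record") from None


def stub_a(name):
    try:
        return STUB_A[name]
    except KeyError:
        raise OSError("no A record") from None


def live_ptr(ip):          # real resolvers, for use outside the test
    return socket.gethostbyaddr(ip)[0]


def live_a(name):
    return socket.gethostbyname(name)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def claims_googlebot(user_agent):
    return "Googlebot" in user_agent


def verify_googlebot(ip, ptr_lookup, a_lookup):
    """Google's documented check: PTR name under googlebot.com/google.com,
    and the forward lookup of that name must round-trip to the same IP."""
    ipaddress.ip_address(ip)  # reject garbage before touching DNS
    try:
        name = ptr_lookup(ip)
        if not name.endswith((".googlebot.com", ".google.com")):
            return False
        return a_lookup(name) == ip
    except OSError:
        return False


def triage(lines, ptr_lookup=stub_ptr, a_lookup=stub_a):
    """Return [(ip, verdict)] for every request that claims to be Googlebot."""
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not claims_googlebot(rec["ua"]):
            continue
        genuine = verify_googlebot(rec["ip"], ptr_lookup, a_lookup)
        results.append((rec["ip"], "verified" if genuine else "spoofed"))
    return results


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG):
        print(ip, verdict)
```

Pass `ptr_lookup=live_ptr, a_lookup=live_a` to run it against real DNS; the forward-confirmation step is what stops an attacker who controls the reverse zone for their own address space from simply naming it something under googlebot.com.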
Josh Soussan is the team leader on a project called Aegis, which would allow handguns to be disabled by radio transmitter when brought into a school or other such environment. "[Aegis] will not alter the weapon's functionality at all, unless the firearm is within range of [a] signal emitter," he explained. "With the recent massacre in Newton, Connecticut, we believe that this is the next crucial step in providing a safe environment for children in schools." http://cable.poly.edu/issue/spring-2013/news/campus-buzz/innovative-innovention Pervasive disabling of firearms via radio signal—what could possibly go wrong with this? Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433 http://www.linkedin.com/in/gabegold
A woman is $300,000,000 in debt to her bank and neither she nor the bank knows why. ABC News reported that Suntrust decided to debit $100,000,000 from a woman's checking account, then while that was being investigated, they deducted another $100,000,000 from her savings account, then apparently feeling they hadn't taken enough out (to cover additional overdrafts, I guess), deducted a second US$100 million out of her checking account. Suntrust announced they are investigating and have no idea why it happened. The woman says that she would have known if she had spent 300 million dollars. Yeah, I do believe that the woman would have known if she had. Then again, electric bills can be high, maybe the electric company had to auto-deduct a large power bill. (Some utilities you would normally just pay anyway, like electric companies, have it set up where you can approve them to make a monthly deduction for the charge each month; they mail you a bill and issue a draft for the amount due, so your bill is automatically paid.) This is also common for some mortgage companies. She probably forgot she had a bill for last month's mortgage on, oh, I guess the entire state of Rhode Island... Maybe she's wrong and she just forgot she withdrew it. Let's see, the average cash machine has about $20,000 - 50,000 in it, loaded in canisters, so the woman would have had to visit - and drain - 3,000 ATM machines, but since the average bank limits you to $500 a day she'd have to do it a little at a time. Let's be generous and say the limit is $3000 a day instead, to make it easier. It would have required she take $3,000 out every day for just shy of 274 years (273.93 years). Gee, she has been busy. That is, she, her mother, her grandmother, her great grandmother, her great-great... The lessons of history teach us - if they teach us anything - that no one learns the lessons that history teaches us. [Indeed, a motto for RISKS. PGN]
Ubiquitous surveillance and its nefarious impact on those so observed was not originally Orwell's idea. The inspiration for the "1984" novel came from a prison concept developed by the English philosopher and social theorist Jeremy Bentham in the late 18th century called Panoptikon - allow me to refer you to Wikipedia (https://en.wikipedia.org/wiki/Panopticon) for more detail. The reason I'm pointing this out is that it establishes an IMHO fundamentally clearer purpose: said surveillance model was developed to establish mental control over inmates, in other words, people already in prison. Keep this in mind when you are encouraged to agree with any government intercept program. Peter Houppermans, The Privacy Club, privacy advisers, Switzerland
The just-revealed surveillance stretches the law to its breaking point and opens the door to future potential abuses Richard A. Clarke, *New York Daily News*, 12 Jun 2013 (Clarke is a former counterterrorism adviser to Presidents George H.W. Bush, Bill Clinton and George W. Bush.) http://www.nydailynews.com/opinion/worry-nsa-article-1.1369705 None of us want another terrorist attack in the United States. Equally, most of us have nothing to hide from the federal government, which already has so many ways of knowing about us. And we know that the just-revealed National Security Agency program does not actually listen to our calls; it uses the phone numbers, frequency, length and times of the calls for data-mining. So, why is it that many Americans, including me, are so upset with the Obama administration gathering up telephone records? My concerns are twofold. First, the law under which President George W. Bush and now President Obama have acted was not intended to give the government records of all telephone calls. If that had been the intent, the law would have said that. It didn't. Rather, the law envisioned the administration coming to a special court on a case-by-case basis to explain why it needed to have specific records. I am troubled by the precedent of stretching a law on domestic surveillance almost to the breaking point. On issues so fundamental to our civil liberties, elected leaders should not be so needlessly secretive. The argument that this sweeping search must be kept secret from the terrorists is laughable. Terrorists already assume this sort of thing is being done. Only law-abiding American citizens were blissfully ignorant of what their government was doing. Secondly, we should worry about this program because government agencies, particularly the Federal Bureau of Investigation, have a well-established track record of overreaching, exceeding their authority and abusing the law. 
The FBI has used provisions of the Patriot Act, intended to combat terrorism, for purposes that greatly exceed congressional intent. Even if you trust Obama, should we have programs and interpretations of law that others could abuse now without his knowing it or later in another administration? Obama thought we needed to set up rules about drones because of what the next President might do. Why does he not see the threat from this telephone program? The answer is that he inherited this vacuum cleaner approach to telephone records from Bush. When Obama was briefed on it, there was no forceful and persuasive advocate for changing it. His chief adviser on these things at the time was John Brennan, a life-long CIA officer. Obama must have been told that the government needed everyone's phone logs in the NSA's computers for several reasons. The bureaucrats surely argued that it was easier to run the big data search and correlation program on one database. They said there was no law that could compel the telephone companies to store the records on their own servers. If the telephone companies did so, government and company lawyers then certainly said, they would become legally `an agent' of the government and could be sued by customers for violating the terms of their service agreements. Finally, Obama was certainly told, if the NSA and the FBI had to query telephone company servers, then the phone companies would know whom the government was watching, a violation of need-to-know secrecy traditions. If there had been a vocal and well-informed civil liberties advocate at the table, Obama might have been told that all those objections were either specious or easily addressed. Law already requires Internet service providers to store emails for years so that the government can look at them. An amendment to existing law could have extended that provision to telephone logs and given the companies a `safe harbor' provision so they would not be open to suits. 
The telephone companies could have been paid to maintain the records. If the government wanted a particular set of records, it could tell the Foreign Intelligence Surveillance Court why—and then be granted permission to access those records directly from specially maintained company servers. The telephone companies would not have to know what data were being accessed. There are no technical disadvantages to doing it that way, although it might be more expensive. Would we, as a nation, be willing to pay a little more for a program designed this way, to avoid a situation in which the government keeps on its own computers a record of every time anyone picks up a telephone? That is a question that should have been openly asked and answered in Congress. The vocal advocate of civil liberties was absent because neither Bush nor Obama had appointed one, despite the recommendation of the 9/11 Commission and a law passed by Congress. Only five years into his administration is our supposedly civil liberties-loving President getting around to activating a long-dormant Privacy and Civil Liberties Oversight Board. It will have a lot of work to do. Richard Clarke is a former counterterrorism adviser to Presidents George H.W. Bush, Bill Clinton and George W. Bush.
Ray Ozzie on NSA spying: We got what we asked for. Now it's time to wake up. The Boston Globe, 7 Jun 2013 http://www.boston.com/business/innovation/blogs/inside-the-hive/2013/06/07/ray-ozzie-nsa-spying-got-what-asked-for-now-time-wake/42AqxBSvgu0X3xXGIx7WFK/blog.html Ray Ozzie, the creator of Lotus Notes and Microsoft's former software head, joined the chorus of technical leaders pushing back on the government's far-reaching surveillance program. "I hope that people wake up, truly wake up, to what's happening to society, from both a big brother perspective and little brother perspective," he said during the Nantucket Conference. He said that, after Sept. 11, the pendulum had swung too far towards government surveillance and data gathering. "We got what we asked for, and now it's time to pull it back," Ozzie said, referencing the near-unanimous passage of the PATRIOT Act, noting the danger that broad data gathering operations present. "Imagine if you had an administration targeting journalists or groups of people based on political leanings." The current administration, of course, is facing allegations that it did just that, with the Department of Justice secretly obtaining Associated Press phone records and investigating a Fox News reporter's personal emails while the IRS is facing allegations it focused audits on politically conservative groups. Ozzie has been an advocate of strengthened online privacy and serves on the board of the Electronic Privacy Information Center, a group that has been instrumental in bringing to light much of the government's surveillance. He also said that current protections are simply inadequate and outdated. "The privacy act that we're operating under right now was written in 1974," he noted.
“What's happened since 1974?” For example, he was critical of third-party doctrine, which holds that information given to a third-party — such as a phone company, an email host, or social network like Facebook or Twitter — essentially waives Fourth Amendment protections “against unreasonable searches and seizures.” Given how much information is stored digitally, that means a much wider array of information is now available without probable cause. “It's really dangerous,” Ozzie said. “I hope that what's happened in the past few days gets people riled up. This is a non-partisan issue. I hope people wake up a little bit more and don't just build apps and say, I'm going to sell private information for ads.”
http://www.democracynow.org/2013/6/12/more_intrusive_than_eavesdropping_nsa_collection As the American Civil Liberties Union sues the Obama administration over its secret NSA phone spying program, we look at how the government could use phone records to determine your friends, medical problems, business transactions and the places you've visited. While President Obama insists that nobody is listening to your telephone calls, cybersecurity expert Susan Landau says the metadata being collected by the government may be far more revealing than the content of the actual phone calls. A mathematician and former Sun Microsystems engineer, Landau is the author of the book "Surveillance or Security?: The Risks Posed by New Wiretapping Technologies." Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>
Stephen Benavides, Truthout Right now, companies like Palantir Technologies Inc, Booz Allen Hamilton and i2 are mining your Facebook and Twitter data to discern whether you're a terrorist, have ties to terrorists or maybe just have the potential to someday become one. http://truth-out.org/news/item/16943-outsourced-intelligence-how-the-fbi-and-cia-use-private-contractors-to-monitor-social-media
[Bruce's latest issue is full of commentary on this and related subjects. I've excerpted just the beginning for RISKS. Copyrighted but Intentionally Distributable. PGN] Bruce Schneier, Chief Security Technology Officer, BT [From CRYPTO-GRAM, 15 Jun 2013 [free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.] Recently, we learned that the NSA received all calling records from Verizon customers for a three-month period starting in April. That's everything except the voice content: who called who, where they were, how long the call lasted—for millions of people, both Americans and foreigners. This "metadata" allows the government to track the movements of everyone during that period, and build a detailed picture of who talks to whom. It's exactly the same data the Justice Department collected about AP journalists. The "Guardian" delivered this revelation after receiving a copy of a secret memo about this—presumably from a whistleblower. We don't know if the other phone companies handed data to the NSA too. We don't know if this was a one-off demand or a continuously renewed demand; the order started a few days after the Boston bombers were captured by police. We don't know a lot about how the government spies on us, but we know some things. We know the FBI has issued tens of thousands of ultra-secret National Security Letters to collect all sorts of data on people—we believe on millions of people—and has been abusing them to spy on cloud-computer users. We know it can collect a wide array of personal data from the Internet without a warrant.
We also know that the FBI has been intercepting cell-phone data, all but voice content, for the past 20 years without a warrant, and can use the microphone on some powered-off cell phones as a room bug—presumably only with a warrant. We know that the NSA has many domestic-surveillance and data-mining programs with codenames like Trailblazer, Stellar Wind, and Ragtime—deliberately using different codenames for similar programs to stymie oversight and conceal what's really going on. We know that the NSA is building an enormous computer facility in Utah to store all this data, as well as faster computer networks to process it all. We know the U.S. Cyber Command employs 4,000 people. We know that the DHS is also collecting a massive amount of data on people, and that local police departments are running "fusion centers" to collect and analyze this data, and covering up its failures. This is all part of the militarization of the police. Remember in 2003, when Congress defunded the decidedly creepy Total Information Awareness program? It didn't die; it just changed names and split into many smaller programs. We know that corporations are doing an enormous amount of spying on behalf of the government: all parts. We know all of this not because the government is honest and forthcoming, but mostly through three backchannels—inadvertent hints or outright admissions by government officials in hearings and court cases, information gleaned from government documents received under FOIA, and government whistleblowers. There's much more we don't know, and often what we know is obsolete. We know quite a bit about the NSA's ECHELON program from a 2000 European investigation, and about the DHS's plans for Total Information Awareness from 2002, but much less about how these programs have evolved. 
We can make inferences about the NSA's Utah facility based on the theoretical amount of data from various sources, the cost of computation, and the power requirements from the facility, but those are rough guesses at best. For a lot of this, we're completely in the dark. And that's wrong. The U.S. government is on a secrecy binge. It overclassifies more information than ever. And we learn, again and again, that our government regularly classifies things not because they need to be secret, but because their release would be embarrassing. Knowing how the government spies on us is important. Not only because so much of it is illegal—or, to be as charitable as possible, based on novel interpretations of the law—but because we have a right to know. Democracy requires an informed citizenry in order to function properly, and transparency and accountability are essential parts of that. That means knowing what our government is doing to us, in our name. That means knowing that the government is operating within the constraints of the law. Otherwise, we're living in a police state. We need whistleblowers. [For lots more, go back to the source. PGN]
"Telecom providers T-Mobile US Inc and Verizon Wireless do not directly contribute to the controversial U.S. surveillance program, partly due to their overseas ownership ties, the Wall Street Journal reported Thursday, citing people familiar with the matter." http://j.mp/197iNgi (Reuters)