A newly released risk calculator for figuring out heart disease risk based on cholesterol levels is flawed, and is giving inaccurate results. But the article is unclear whether the specifications for the calculation are wrong, or whether the calculation was implemented incorrectly. As always, if you have a bad specification, of course the results will be wrong. But even if the specification is right, the computation could be wrong. In either case, the result could be putting people on medications that are inappropriate given their risks and have side effects (not to mention the costs of the medications). http://www.nytimes.com/2013/11/18/health/risk-calculator-for-cholesterol-appears-flawed.html [Computer-related? Sure. Bug? Spec error? The old LDL number is calculated, not the result of any testing. And the new "standards" appear to be deeply flawed, still unable to discriminate between harmful small LDL and constructive large LDL, and ignoring the fundamental differences, as well as overendowing statins despite their well-known history of liver damage and other "features" that seem to be relegated to "inconsequential". PGN]
Richard L. Hasen, Voter Suppression's New Pretext, OpEd, *The New York Times* http://www.nytimes.com/2013/11/16/opinion/voter-suppressions-new-pretext.html?ref=opinion&pagewanted=print
The following language (or very similar language) appears in a large number of contracts for software and systems procured in the U.S. There appears to be _no exception_ for NSA backdoors. I'm no lawyer, but perhaps every software & system vendor is liable under these warranties—e.g., for deliberately weakened encryption, Microsoft-installed backdoors (WMF), bugged/compromised routers (D-Link) & name-servers, etc. The potential liabilities could be in the trillions of dollars if any NSA-inspired backdoor were to be utilized for accessing financial information. "No Surreptitious Code Warranty "The Contractor represents and warrants that no copy of licensed Software provided to the [customer] contains or will contain in any Self-Help Code or any Unauthorized Code as defined below. This warranty is referred to in this Contract as the "No Surreptitious Code Warranty." "As used in this Contract, "Self-Help Code" means any back door, time bomb, drop dead device, or other software routine designed to disable a computer program automatically with the passage of time or under the positive control of a person other than the licensee of the software. Self-Help Code does not include Software routines in a computer program, if any, designed to permit an owner of the computer program (or other person acting by authority of the owner) to obtain access to a licensee's computer system(s) (e.g. remote access via modem) for purposes of maintenance or technical support. "As used in this Contract, "Unauthorized Code" means any virus, Trojan horse, spyware, worm or other Software routines or components designed to permit unauthorized access to disable, erase, or otherwise harm software, equipment, or data; or to perform any other such actions. The term Unauthorized Code does not include Self-Help Code. "In addition, Contractor will use up-to-date commercial virus detection software to detect and remove any viruses from any software prior to delivering it to the [customer]. 
"The Vendor shall defend [customer] against any claim, and indemnify the [customer] against any loss or expense arising out of any breach of the No Surreptitious Code Warranty."
Wanting an explanation, Jen says she tried to call the company but could never reach anyone. So frustrated, she turned to the Internet writing a negative review on ripoffreport.com. "There is absolutely no way to get in touch with a physical human being," it says. And it accuses kleargear.com of having "horrible customer service practices." That was the end of it, Jen thought, until three years later when Jen's husband got an email from Kleargear.com demanding the post be removed or they would be fined. Kleargear.com says Jen violated a non-disparagement clause. It turns out that, hidden within the terms of sale on Kleargear.com there is a clause that reads: "In an effort to ensure fair and honest public feedback, and to prevent the publishing of libelous content in any form, your acceptance of this sales contract prohibits you from taking any action that negatively impacts kleargear.com, its reputation, products, services, management or employees." The clause goes on to say if a consumer violates the contract they will have 72 hours to remove your post or face a $3500 fine. If that fine is not paid, the delinquency will be reported to the nation's credit bureaus. "This is fraud," Jen said. "They're blackmailing us for telling the truth." http://j.mp/17Ynay4 (KTVU via NNSquad)
One problem among many with the rollout of the Chicago Transit Agency's new Ventra system: Riders who kept their Ventra card in their wallet along with another contactless payment card were double-charged: http://www.chicagonow.com/arkielad/2013/09/chicago_ventra_card/ Other problems included riders being charged a second time upon exiting a bus: http://articles.chicagotribune.com/2013-11-06/news/ct-met-ventra-bus-door-exit-20131107_1_ventra-reader-ventra-card-ventra-contractor And, 15,000 free rides due to a system outage: http://articles.chicagotribune.com/2013-11-14/news/chi-ventra-outage-hits-60-cta-stations-results-in-15000-20131113_1_ventra-readers-card-readers-free-rides
Despite the exceedingly dry abstract, the 2007 legal studies research, "Technological Due Process" by Danielle Keats Citron is truly illuminating on the consequences of computer automation on law. http://papers.ssrn.com/sol3/papers.cfm?abstract_id12360 The risks that come from software automation have entered the judicial and executive policy making domain and in turn affect all of us. Automated legal policy software is as invisible to us as software in auto manufacturer's electronic control modules, but has greater consequence, having the rule of law itself. The software programmer now has the power to make legal policy because the lawmakers are unable to, or choose not to, review the code after the decision is made to automate the policy. Where does one go because a computer program denies you your request for say, food stamps, or denies you the right to get on an airplane because of the spelling of your name? Numerous examples of programmers inadvertently making policy through automated legal systems are provided. A selected quote from the text: "The rulemaking power that programmers inadvertently wield thus defies the democratic origins and purposes of delegation." Citron's legal paper reminds me of the "in joke" of corporate department decision-making that for any meeting the secretary who takes the minutes wields the greatest power. Lessig's "Code is Law", indeed. robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory Westford, MA 01886 781-981-5767 http://www.haystack.mit.edu
"The Conservative Party has attempted to erase a 10-year backlog of speeches from the Internet, including pledges for a new kind of transparent politics the prime minister and chancellor made when they were campaigning for election. Prime minister David Cameron and chancellor George Osborne campaigned on a promise to democratise information held by those in power, so people could hold them to account. They wanted to use the Internet to transform politics. But the Conservative Party has removed the archive from its public facing website, erasing records of speeches and press releases going back to the year 2000 and up until it was elected in May 2010. It also struck the record of their past speeches off Internet engines including Google, which had been a role model for Cameron and Osborne's "open source politics". And it erased the official record of their speeches from the Internet Archive, the public record of the net —with an effect as alarming as sending Men in Black to strip history books from a public library and burn them in the car park." http://j.mp/1bpaKum (*Computer Weekly* via NNSquad) PGN asked out of band: > ... and how widely is all this stuff mirrored elsewhere? LW replied: It's going to be around, certainly, but perhaps not as widely as one might suppose, and perhaps from less authoritative sources—and if they succeed in pulling the major search engine links, then it becomes harder to find in any case, of course.
[via Dave's IP distribution] http://gizmodo.com/nsa-admits-that-edward-snowden-stole-up-to-200-000-docu-1464703198 It's been nearly half a year since the first revelations from Edward Snowden's leak made it into the press, but until now, we've been in the dark about exactly how big that leak was. Well, ladies and gentlemen, NSA Director General Keith Alexander is finally shining a light in that direction. On Halloween of all days, Alexander told a private gathering of foreign affairs experts that Snowden didn't leak hundreds of documents and he didn't leak thousands of documents. He potentially leaked hundreds of thousands of documents. "I wish there was a way to prevent it," said the soon-to-retire NSA chief. "Snowden has shared somewhere between 50 (thousand) and 200,000 documents with reporters. These will continue to come out." By these, Alexander means reports, revelations, scoops—whatever you want to call the earthshaking stories that Snowden's documents so far have spawned. It's tough to tell how many have already been put into play, but the idea that there are almost 200,000 of them still out there suggests that a number of bombshells are still to land. Evidently, U.S. officials have known the scale of the leak for months now—which might explain why they've been so eager to bring Snowden in. [Reuters]
Dan Goodin, Ars Technica, 12 Nov 2013 Assume your password is known, site's top brass tells account holders. MacRumors user forums have been breached by hackers who may have acquired cryptographically protected passwords belonging to all 860,000 users, one of the top editors of the news website ... http://arstechnica.com/security/2013/11/hack-of-macrumors-forums-exposes-password-data-for-860000-users/ http://www.macrumors.com/2013/11/12/macrumors-forums-security-leak/
Lucian Constantin | InfoWorld, 12 Nov 2013 Users whose Adobe online log-in credentials were exposed and used the same passwords on Facebook will need to change them http://www.infoworld.com/d/security/facebook-forces-some-users-reset-passwords-because-of-adobe-data-breach-230677
[Via Dave Farber's IP. Dave comments: "An interesting approach."] Cyrus Farivar, Ars Technica, 5 Nov 2013 Apple has never received an order under Section 215 of the USA Patriot Act. http://arstechnica.com/tech-policy/2013/11/apple-takes-strong-privacy-stance-in-new-report-publishes-rare-warrant-canary/ Apple has become one of the first big-name tech companies to use a novel legal tactic to indicate whether the government has requested user information in conjunction with a gag order. Known as a "warrant canary," this language is encapsulated on Apple's fifth page of its new transparency report (PDF), which was published on Tuesday. "Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge an order if served on us," the company wrote, referring to the provision of federal law that compels businesses to hand over business records to American authorities, often under gag order. Interestingly, Apple did not mention Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act, which compels companies to share data on foreigners and provides the legal basis for the National Security Agency's PRISM program. Warrant canaries work like this: a company publishes a notice saying that a warrant has not been served as of a particular date. Should that notice be taken down, users are to surmise that the company has indeed been served with one. The theory is that while a court can compel someone to not speak (a gag order), it cannot compel someone to lie. The only problem is that warrant canaries have yet to be fully tested in court. "If it's really committed to challenging the gag order, it has a ton of resources to apply, and they're a good bet," Neil Richards, a law professor at Washington University in St. Louis, wrote to Ars on Twitter. "Challenging the 215 gag is as much [a function] of resources and commitment as it is a tidy legal [question]. If they succeed, I'll buy a Mac!"
The rest of the report argues that Apple is very privacy minded in terms of product design and in terms of its legal response to law enforcement. “When we receive such a demand, our legal team carefully reviews the order. If there is any question about the legitimacy or scope of the court order, we challenge it. Only when we are satisfied that the court order is valid and appropriate do we deliver the narrowest possible set of information responsive to the request," the company added. Apple also takes a not-so-subtle dig at other tech companies like Google, Facebook, and Twitter, which have issued similar transparency reports. Perhaps most important, our business does not depend on collecting personal data. We have no interest in amassing personal information about our customers. We protect personal conversations by providing end-to-end encryption over iMessage and FaceTime. We do not store location data, Maps searches, or Siri requests in any identifiable form. In addition, Apple released the figures of law enforcement requests by American and other national authorities worldwide. As earlier data from other companies has shown, American requests dwarf all others. Apple is also forbidden, as are other companies, from breaking out local law enforcement cases when compared to national security or federal law enforcement situations, which is why it must be released as a range of numbers rather than as a single number. In comparison to the “1,000 to 2,000” requests that Apple received from American law enforcement, the next highest came from the United Kingdom, with 127 requests across 141 accounts. Apple complied with handing over data in 51 of those accounts, objecting to data sharing for 79 accounts, and outright denying compliance for 46 accounts. [...] [snip] Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>
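The canary mechanism described above depends on a reader noticing that the statement has stopped being republished, not on any new statement appearing. The following added example (not Apple's code, nor anything from the article) sketches a monitor for such statements; the "Report date:" line and the sample reports are constructed for illustration, and the freshness window is an assumed parameter.

```python
import re
from datetime import date, timedelta

# The sentence whose absence is the signal. Matched as a substring so that
# the company name in front of it does not matter.
REQUIRED_PHRASE = "has never received an order under Section 215"

# Constructed convention for dating a report; real reports would need their
# own parser for whatever "as of" date they carry.
DATE_RE = re.compile(r"Report date:\s*(\d{4})-(\d{2})-(\d{2})")


def canary_status(report_text, today, max_age_days=200):
    """Classify one published report relative to `today`.

    Returns one of:
      "present"   - the canary sentence is there and the report is recent
      "stale"     - the sentence is there but the report is older than the
                    window, so silence since then is itself a warning
      "withdrawn" - a dated report was published without the sentence
      "undated"   - no usable date, so freshness cannot be judged
    """
    m = DATE_RE.search(report_text)
    if not m:
        return "undated"
    report_date = date(*map(int, m.groups()))
    if REQUIRED_PHRASE not in report_text:
        return "withdrawn"
    if today - report_date > timedelta(days=max_age_days):
        return "stale"
    return "present"


def latest_status(reports, today, max_age_days=200):
    """Judge only the most recently dated report in a series of them."""
    dated = []
    for text in reports:
        m = DATE_RE.search(text)
        if m:
            dated.append((date(*map(int, m.groups())), text))
    if not dated:
        return "undated"
    _, newest = max(dated)
    return canary_status(newest, today, max_age_days)


# Constructed sample reports (hypothetical Example Corp, not real text).
REPORT_A = """Example Corp transparency report. Report date: 2013-11-05
Example Corp has never received an order under Section 215 of the USA
Patriot Act. We would expect to challenge an order if served on us."""

REPORT_B = """Example Corp transparency report. Report date: 2014-05-01
We would expect to challenge any order if served on us."""

if __name__ == "__main__":
    print(canary_status(REPORT_A, date(2013, 11, 12)))   # present
    print(latest_status([REPORT_A, REPORT_B], date(2014, 5, 2)))  # withdrawn
```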
Advocacy Organizations Seek Immediate Ruling on the Legality of the NSA's Mass Collection of Telephone Records Electronic Frontier Foundation Media Release, 7 Nov 2013, davidg@eff.org David Greene, Senior Staff Attorney, Electronic Frontier Foundation San Francisco - The Electronic Frontier Foundation (EFF) has provided a federal judge with testimony from 22 separate advocacy organizations detailing how the National Security Agency's (NSA) mass telephone records collection program has impeded the groups' work, discouraged their members and reduced the numbers of people seeking their help via hotlines. The declarations accompanied a motion for partial summary judgment filed late Wednesday, in which EFF asks the court to declare the surveillance illegal on two levels--the law does not authorize the program, and the Constitution forbids it. In First Unitarian Church of Los Angeles v. NSA, EFF represents a diverse array of environmentalists, gun-rights activists, religious groups, human-rights workers, drug-policy advocates and others that share one major commonality: they each depend on the First Amendment's guarantee of free association. EFF argues that if the government vacuums up the records of every phone call--who made the call, who received the call, when and how long the parties spoke--then people will be afraid to join or engage with organizations that may have dissenting views on political issues of the day. The US government acknowledged the existence of the telephone records collection program this summer, after whistleblower Edward Snowden leaked a copy of a Foreign Intelligence Surveillance Court order authorizing the mass collection of Verizon telephone records. 
"The plaintiffs, like countless other associations across the country, have suffered real and concrete harm because they have lost the ability to assure their constituents that the fact of their telephone communications between them will be kept confidential from the federal government," EFF Senior Staff Attorney David Greene said. "This has caused constituents to reduce their calling. This is exactly the type of chilling effect on the freedom of association that the First Amendment forbids." In today's motion, EFF asks the US District Court for the Northern District of California to review the undisputed evidence at hand and rule that the NSA's "Associational Tracking Program" is not only unconstitutional, but not authorized under Section 215 of the USA PATRIOT ACT, the law the government has so far used to justify its surveillance. The statute authorizes the government to collect information only if the information "is relevant to an authorized investigation." Because the government collects the records of every telephone call made to, from and within the United States, the vast majority of the records it collects are plainly irrelevant. "Section 215 is a simple statute designed to give the FBI something like the subpoena power available in criminal investigations," attorney Thomas Moore, an EFF special counsel, said. "It was not intended to authorize the dragnet surveillance the NSA has undertaken. A government of the people, by the people, and for the people should not be spying on the people." The motion could be argued as early as February 2014. For the motion for partial summary judgment: https://www.eff.org/document/plaintiffs-motion-partial-summary-judgment-0 For the declarations: https://www.eff.org/document/all-plaintiffs-declarations For this release: https://www.eff.org/press/releases/eff-files-22-firsthand-accounts-how-nsa-surveillance-chilled-right-association [Truncated for RISKS, but worth reading in its entirety.. PGN]
http://j.mp/17vaVIR (Ars Technica via NNSquad) "Local law enforcement is getting the kind of technological boost that used to be limited to three-letter agencies thanks to Web-based software services that mine social media for intelligence. At last month's International Association of Chiefs of Police (IACP) conference in Philadelphia, LexisNexis showed off a new tool it will bundle with its research service for law enforcement agencies-one that will help them "stake out" social media as part of their criminal investigations. Called Social Media Monitor, the cloud-based service will watch social networks for comments and activities that might offer clues to crimes in the physical world. With direct connections into a variety of social media services' feeds, it will help police plow through Twitter and Facebook in search of evidence that could lead to arrests." I wonder how much law enforcement resources might end up being diverted by people purposely planting false leads and rickrolls? LW
Meet the Punk Rocker Who Can Liberate Your FBI File Ryan Shapiro's technique is so effective at unburying sensitive documents, the feds are asking the courts to stop him. http://www.motherjones.com/politics/2013/11/foia-ryan-shapiro-fbi-files-lawsuit
http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html In fact, there is an option in the system settings called "Collection of watching info:" which is set ON by default. This setting requires the user to scroll down to see it and, unlike most other settings, contains no "balloon help" to describe what it does. At this point, I decided to do some traffic analysis to see what was being sent. It turns out that viewing information appears to be being sent regardless of whether this option is set to On or Off. [...] This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off. The television also logs filenames on attached USB drives. A letter to LG's UK offices produced a particularly unsympathetic response with the brush-off of: The advice we have been given is that unfortunately as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer. Doesn't sound very "Life's Good" (LG ad slogan) to me.
After 2016, Microsoft will stop accepting the collision-prone crypto algorithm. Dan Goodin, Ars Technica, 12 Nov 2013 Microsoft is retiring two widely used cryptographic technologies that are growing increasingly vulnerable to attacks that seemed unlikely just a decade ago. The company's software will stop recognizing the validity of digital certificates that use the SHA1 cryptographic algorithm after 2016, officials said on Tuesday. SHA1 is widely used to underpin secure socket layer (SSL) and transport layer security (TLS) certificates that authenticate websites and encrypt traffic passing between their servers and end users. SHA1-based certificates are also used to digitally verify that specific software applications are legitimate and not imposter programs or programs that have been tampered with to include hidden backdoors. ... http://arstechnica.com/security/2013/11/hoping-to-avert-collision-with-disaster-microsoft-retires-sha1/
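Before the cutoff described above, an operator needs to find which of their certificates are still SHA1-signed. The added example below (not Microsoft's or Ars Technica's code) reads the signatureAlgorithm OID straight out of a DER-encoded certificate with a minimal ASN.1 walker, so it works with no third-party library. The certificate it parses is constructed inline with a placeholder tbsCertificate, which is enough to exercise the parser; the OID values themselves are the standard ones.

```python
# Minimal DER helpers (tag, length, value), used both to build the sample
# certificate and to read it back.
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nb = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:                     # base-128, high bit = more follows
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """OID of the outer signatureAlgorithm of a DER X.509 certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = read_tlv(cert, 0)       # skip tbsCertificate
    _, algid, _ = read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    _, oid_body, _ = read_tlv(algid, 0)    # first element is the OID
    return decode_oid(oid_body)


SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsaWithSHA1",
}


def uses_sha1(cert_der):
    return signature_algorithm(cert_der) in SHA1_SIGNATURE_OIDS


def fake_cert(sig_oid):
    """Constructed stand-in: placeholder tbsCertificate, real AlgorithmIdentifier layout."""
    tbs = der(0x30, der(0x02, b"\x01") + der(0x04, b"\x00" * 300))
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))   # OID + NULL params
    sig = der(0x03, b"\x00" + b"\x00" * 8)                  # BIT STRING
    return der(0x30, tbs + alg + sig)
```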
Lucian Constantin, InfoWorld, 13 Nov 2013 The vulnerabilities could allow unauthorized remote code execution or remote read access http://www.infoworld.com/d/security/adobe-patches-critical-vulnerabilities-in-flash-player-coldfusion-230772
Woody Leonhard | InfoWorld, 18 Nov 2013 A six-month-old 'fuzzy fonts' bug that affected Firefox and Chrome is still around—and may now affect Windows users who upgrade to IE11 http://www.infoworld.com/t/microsoft-windows/blurry-fonts-bug-kb-2670838-persists-ie11-and-windows-7-231035
Bruce Horrocks takes a rather literalist approach to analyzing the story of a Web site that answers medical questions. And although I agree that this kind of promotional press release should be viewed with skepticism, I also think there might be some truth in between the hype and the literalism. (In particular, I think it's going rather far to take the word "her" to imply that all the saved lives were female.) It seems likely to me that the press release intended to imply that 10K people have said that the site saved their lives. And is that implausible? Note that there's a difference between the users *saying* that site was life-saving and lives actually being saved. I suspect that if you survey a random million people, you'll easily find 10K (that's only one percent) who think their lives were saved by prayer, or a fortune cookie, or getting a dog. As to the number of queries and answers, without visiting the site in question one can safely guess that (a) not every answer comes from a doctor, (b) it doesn't have to take five minutes--even on average--to answer a question, and (c) not every question necessarily produces an answer. And as to the number of users, I frequent a photography site where some individuals have over 40K postings. We know that hypochondria is a real phenomenon, and we know that there are some lay people who are very eager to show off their knowledge even if it's not justified. So I think it's rather RISKy to try to make a seat-of-the-pants guess at any site statistics without knowing a few more details. Geoff Kuenning geoff@cs.hmc.edu http://www.cs.hmc.edu/~geoff/
Today's *Telegraph* has an obituary of Clifford Nass: http://www.telegraph.co.uk/news/obituaries/10433894/Clifford-Nass-Obituary.html Clifford Nass was a sociologist who argued that digital multitasking makes us less sociable, less efficient and less clever. ... Far from making people sharper, jumping around from emailing to texting to posting on social media can scramble the brain, Nass concluded. “People who multitask all the time show worse thinking abilities in every dimension that we know of,'' [...] http://www.telegraph.co.uk/news/obituaries/10433894/Clifford-Nass-Obituary.html