A Boeing 747 LCF Dreamlifter bound from JFK to McConnell Air Force Base in Kansas landed by mistake at the much smaller Jabara Airport about 12 miles to the north, with a runway considered 3000 feet too short for a normal takeoff for that aircraft. [If you build it, they will come—`out in left field', and laboriously wind up in (the) `right field'? PGN]
http://news.yahoo.com/dreamlifter-cargo-plane-wrong-airport-wichita-135024064.html
http://news.yahoo.com/gigantic-plane-stuck-tiny-airport-153357709.html
Dan Goodin, Ars Technica, 20 Nov 2013
Man-in-the-middle attacks divert data on scale never before seen in the wild.
http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks-of-internet-traffic-researchers-warn/

Huge chunks of Internet traffic belonging to financial institutions, government agencies, and network service providers have repeatedly been diverted to distant locations under unexplained circumstances that are stoking suspicions the traffic may be surreptitiously monitored or modified before being passed along to its final destination.

Researchers from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been improperly redirected to routers at Belarusian or Icelandic service providers. The hacks, which exploit implicit trust placed in the border gateway protocol used to exchange data between large service providers, affected "major financial institutions, governments, and network service providers" in the US, South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran.

The ease of altering or deleting authorized BGP routes, or of creating new ones, has long been considered a potential Achilles heel for the Internet. Indeed, in 2008, YouTube became unreachable for virtually all Internet users after a Pakistani ISP altered a route in a ham-fisted attempt to block the service in just that country. Later that year, researchers at the Defcon hacker conference showed how BGP routes could be manipulated to redirect huge swaths of Internet traffic. By diverting it to unauthorized routers under control of hackers, they were then free to monitor or tamper with any data that was unencrypted before sending it to its intended recipient with little sign of what had just taken place. "This year, that potential has become reality," Renesys researcher Jim Cowie wrote.
"We have actually observed live man-in-the-middle (MitM) hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries."

At least one unidentified voice-over-IP provider has also been targeted. In all, data destined for 150 cities have been intercepted. The attacks are serious because they affect the Internet equivalents of a US interstate that can carry data for hundreds of thousands or even millions of people. And unlike the typical BGP glitches that arise from time to time, the attacks observed by Renesys provide few outward signs to users that anything is amiss.

"The recipient, perhaps sitting at home in a pleasant Virginia suburb drinking his morning coffee, has no idea that someone in Minsk has the ability to watch him surf the Web," Cowie wrote. "Even if he ran his own traceroute to verify connectivity to the world, the paths he'd see would be the usual ones. The reverse path, carrying content back to him from all over the world, has been invisibly tampered with."

Guadalajara to Washington via Belarus

Renesys observed the first route hijacking in February when various routes across the globe were mysteriously funneled through Belarusian ISP GlobalOneBel before being delivered to their final destination. One trace, traveling from Guadalajara, Mexico, to Washington, DC, normally would have been handed from Mexican provider Alestra to US provider PCCW in Laredo, Texas, and from there to the DC metro area and then, finally, delivered to users through the Qwest/Centurylink service provider. According to Cowie:

  Instead, however, PCCW gives it to Level3 (previously Global Crossing), who is advertising a false Belarus route, having heard it from Russia's TransTelecom, who heard it from their customer, Belarus Telecom. Level3 carries the traffic to London, where it delivers it to Transtelecom, who takes it to Moscow and on to Belarus.
Beltelecom has a chance to examine the traffic and then sends it back out on the `clean path' through Russian provider ReTN (recently acquired by Rostelecom). ReTN delivers it to Frankfurt and hands it to NTT, who takes it to New York. Finally, NTT hands it off to Qwest/Centurylink in Washington DC, and the traffic is delivered.
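The detour Cowie describes is visible to anyone watching the routing table, not the end user's traceroute: the prefix for the destination keeps its real origin, but ASes that are never normally on the way to it suddenly appear in the announced AS path (or a more-specific prefix shows up with a foreign origin). The following monitor is an added example, not Renesys' code or anything from the article, showing how a network operator can check observed announcements against a per-prefix baseline of expected origin and transit ASes and flag exactly those two symptoms. All ASNs (from the RFC 5398 documentation range 64496-64511) and prefixes (RFC 5737) are constructed; the baseline and the sample feed are assumptions made for the example.

```python
"""Flag BGP announcements that deviate from a per-prefix baseline.

Added example (not Renesys' or Ars Technica's code). A route monitor
compares each observed announcement against the expected origin AS and the
transit ASes normally seen on the way to that prefix, and reports:
  - an origin AS that differs from the expected one (origin hijack),
  - a more-specific prefix announced inside a monitored block, and
  - ASes in the path that are not part of the expected transit set (detour).
ASNs and prefixes below are constructed documentation values, not real networks.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Announcement:
    """One route as seen from a monitoring vantage point.

    as_path is ordered like a BGP AS_PATH: the vantage point's neighbour on
    the left, the origin AS on the right.
    """
    prefix: str
    as_path: Sequence[int]


# Constructed baseline: expected origin plus the transit ASes that normally
# sit between the vantage point and that origin (assumption for the example).
BASELINE: Dict[str, dict] = {
    "192.0.2.0/24":    {"origin": 64496, "transit": {64497, 64498}},
    "198.51.100.0/24": {"origin": 64499, "transit": {64497, 64500}},
}


def covering_baseline(prefix: str, baseline: Dict[str, dict] = BASELINE) -> Optional[str]:
    """Return the baseline prefix equal to or covering `prefix` (longest match), or None."""
    net = ipaddress.ip_network(prefix, strict=False)
    best: Optional[str] = None
    for key in baseline:
        cand = ipaddress.ip_network(key)
        if cand.version == net.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > ipaddress.ip_network(best).prefixlen:
                best = key
    return best


def check_announcement(ann: Announcement, baseline: Dict[str, dict] = BASELINE) -> List[str]:
    """Return a list of findings for one announcement; empty means it matches the baseline."""
    key = covering_baseline(ann.prefix, baseline)
    if key is None:
        return []  # not a prefix this monitor is responsible for
    expected = baseline[key]
    findings: List[str] = []
    if ann.prefix != key:
        # A more-specific route wins over the legitimate aggregate everywhere it propagates.
        findings.append(f"{ann.prefix}: more-specific announcement inside monitored {key}")
    if not ann.as_path:
        findings.append(f"{ann.prefix}: empty AS path")
        return findings
    origin = ann.as_path[-1]
    if origin != expected["origin"]:
        findings.append(f"{ann.prefix}: origin AS{origin}, expected AS{expected['origin']} (possible origin hijack)")
    # Prepending repeats an AS; a set comparison treats that as benign.
    allowed = expected["transit"] | {expected["origin"]}
    unexpected = sorted({asn for asn in ann.as_path[:-1] if asn not in allowed})
    if unexpected:
        findings.append(f"{ann.prefix}: unexpected ASes in path {unexpected} (possible detour)")
    return findings


def scan(feed: Sequence[Announcement], baseline: Dict[str, dict] = BASELINE) -> List[Tuple[Announcement, List[str]]]:
    """Run the check over a feed and keep only announcements with findings."""
    flagged = []
    for ann in feed:
        findings = check_announcement(ann, baseline)
        if findings:
            flagged.append((ann, findings))
    return flagged


# Constructed sample feed (not observed data).
SAMPLE_FEED = [
    Announcement("192.0.2.0/24", (64497, 64498, 64496)),                 # normal path
    Announcement("192.0.2.0/24", (64497, 64505, 64506, 64498, 64496)),   # same origin, foreign transit inserted
    Announcement("192.0.2.128/25", (64497, 64507)),                      # more-specific with foreign origin
    Announcement("198.51.100.0/24", (64500, 64508)),                     # origin hijack of the whole block
    Announcement("203.0.113.0/24", (64497, 64510)),                      # prefix this monitor does not cover
]

if __name__ == "__main__":
    for ann, findings in scan(SAMPLE_FEED):
        for line in findings:
            print(f"ALERT {line}  path={list(ann.as_path)}")
```

The second sample announcement is the shape of the Belarus case: the destination's origin is untouched and a user's own traceroute would look ordinary, but the path advertised to the rest of the world now contains ASes the operator has never seen in front of that prefix, which is the signal a route monitor can alert on.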
"Swedish citizens will get all their phone calls and e-mail traffic wiretapped in real time not just by the Swedish NSA branch, but also by police, customs, the tax authority, and others. These plans were revealed today by the Ny Teknik magazine, sending shockwaves among civil rights activists. This follows a previous law change that gave the Swedish NSA branch, the FRA, realtime access to all Internet traffic that crossed the country borders - effectively wiretapping everybody warrantlessly all the time."
http://j.mp/I67Qnu (Falkvinge)
http://falkvinge.net/2013/11/19/swedish-regime-to-give-police-customs-tax-authorities-realtime-access-to-citizens-phone-mail-more/
http://www.theguardian.com/world/2013/nov/20/us-uk-secret-deal-surveillance-personal-data
Cyrus Farivar, 19 Nov 2013
http://arstechnica.com/tech-policy/2013/11/us-senators-say-theres-no-evidence-bulk-metadata-surveillance-is-useful/
Sen. Mark Udall (D-CO) and others join as amici to lawsuit filed against NSA.

As we reported back in July 2013, the Electronic Frontier Foundation and its allies filed a new federal lawsuit challenging government spying in the wake of the Snowden leaks. This case, First Unitarian Church v. NSA, challenges the government's collection of telephone call information, saying the practice violates the First, Fourth, and Fifth Amendments of the United States Constitution. The complaint states that Verizon, AT&T, and Sprint all participate in the government's collection of data, including originating and terminating phone numbers, trunk identifiers, calling card numbers, and time and duration of calls.

Now, the First Unitarian Church and its fellow plaintiffs have new allies in three United States senators who have been at the forefront of surveillance policy reform. In a new amicus brief filed on Tuesday, Senators Mark Udall (D-CO), Ron Wyden (D-OR), and Martin Heinrich (D-NM) say that they "have seen no evidence that the bulk collection of Americans' phone records has provided any intelligence of value that could not have been gathered through less intrusive means."

In this case, the plaintiffs argue that the National Security Agency's collection of phone data is unconstitutional, not just because it affects their rights to be free of illegal searches but because it affects their free speech rights as well. The lawsuit alleges that the government is impinging on First Amendment rights of activist groups to communicate anonymously, as well as "the right to associate privately and the right to engage in political advocacy free from government interference."
The new brief critiques several prominent cases that government officials have used to justify their spying program, including the Najibullah Zazi case and the Basaaly Moalin case. Zazi pleaded guilty in 2010 to an attempted bombing of the New York City subway system and is scheduled for sentencing in February 2014. Moalin's attorneys continue to challenge the government's case. The government has also argued that Khalid al-Mihdhar, one of the September 11, 2001 hijackers who had been living in the United States, could have been identified earlier with the bulk phone records program in place. ...

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>
You are probably aware that some DAs are pushing for phones to support a "kill switch" to reduce phone theft. According to today's *The New York Times*, although the phone manufacturers are willing, the carriers are not. SF's DA says, "the carriers are concerned that the software would eat into the profit they make from the insurance programs many consumers buy to cover lost or stolen phones." Interestingly, Apple (whose customer is the end user, not the carrier) had no problem adding this feature. So now the carriers are hurting not only their customers but their vendors too.
http://bits.blogs.nytimes.com/2013/11/19/carriers-reject-a-kill-switch-for-preventing-cellphone-theft/

[Gene Wirchenko noted Martyn Williams, InfoWorld Home, 21 Nov 2013: Law enforcement officials in New York and San Francisco called the carriers' response 'highly disturbing'. PGN]
http://www.infoworld.com/d/mobile-technology/mobile-carriers-slammed-rejecting-smartphone-kill-switch-231373
Ladar Levison, Ars Technica, 7 Nov 2013
http://arstechnica.com/security/2013/11/op-ed-lavabits-founder-responds-to-cryptographers-criticism/

"Ladar Levison, who shut down his secure e-mail service under US government pressure, has learned a lot." His vision was protection for e-mail "at rest" in a way that would make government search warrants useless. Instead, he got hit with a demand for the system's "data in transit" keys, implying a network surveillance capability that caught him unawares.
Robert X. Cringely, InfoWorld, 21 Nov 2013
Even more examples of ill-informed thinking lurk in the Trans-Pacific Partnership, the SOPA/CISPA/PIPA redux.
http://www.infoworld.com/t/cringely/jailbreak-phone-go-jail-copyright-law-the-tpp-way-231331
Dan Goodin, Ars Technica, 8 Nov 2013
http://arstechnica.com/security/2013/11/its-official-computer-scientists-pick-stronger-passwords/

"It's official: Computer scientists pick stronger passwords. Landmark study says people in business school choose weakest passwords."

While it seems unsurprising that computer scientists, on the average, choose slightly better passwords than their peers in the arts, it is surprising that those in the arts surpass those in business school. Apparently the profit motive is insufficient.
Lucian Constantin, InfoWorld, 20 Nov 2013
Some GitHub accounts have had their passwords, access tokens, and SSH keys reset.
http://podcasts.infoworld.com/d/security/github-bans-weak-passwords-after-brute-force-attack-results-in-compromised-accounts-231273
The Web companies say in their papers that Bertelsman interpreted the Communications Decency Act too narrowly. "Virtually every website includes features that invite and encourage users to enter particular types of content," the companies argue. "A site devoted to reviews of restaurants or other businesses might well have specific language explaining the value and importance readers place on 'negative' reviews and soliciting users to submit details of their negative experiences with a business." The companies add that all Web sites that invite negative reviews or contents could lose their immunity for libel, under Bertelsman's view of the law.
http://j.mp/1bXYuEZ (Mediapost via NNSquad)
Lucian Constantin, InfoWorld, 18 Nov 2013
Hackers exploit exposed JBoss management interfaces and invokers to install Web shells on servers.
http://www.infoworld.com/d/security/hackers-actively-exploiting-jboss-vulnerability-compromise-servers-231091
One of the most important public safety laws in Europe is Dir. 2001/95/EC, which regulates general product safety. Public.Resource.Org, in our ongoing quest to make legally-mandated public safety codes available, purchased the German instantiation of 40 of these essential codes and made them available on the Internet. Every country in the EU is required to implement and publish these standards. "Imagine our surprise when we were served notice to appear in Hamburg District Court in Germany."
http://j.mp/1bXZSr4 (Boing Boing via NNSquad)
In recent months, much has been said about the NSA's collection of phone dialing records and similar information. The government is quick to label what they collect as "metadata", even though that is something of a misnomer in the current situation. The follow-on to that characterization is the claim that metadata doesn't threaten privacy, because the actual *content* of phone calls, texts, and e-mails remains hidden.

Many people have pointed out that because large amounts of metadata can reveal important information, it is itself a privacy threat. And they're correct: for example, in the last few days I've searched "Munich weather" several times. It doesn't take much insight to figure out what's in my immediate future.

But what the government's argument (quite deliberately) glosses over is another critical difference between metadata and raw data: metadata is designed for computer processing. Anybody who has used a voice recognition or voice transcription system knows how hard it is to successfully eavesdrop on millions of phone calls simultaneously. But the metadata from those millions of calls can easily filter out a few hundred that are then passed to humans for detailed snooping. And *that* is why the collection of metadata is a problem.

Geoff Kuenning geoff@cs.hmc.edu http://www.cs.hmc.edu/~geoff/
Statistics don't bore people, people bore people.
Today I received a package from HP, advertising their new ZBook family of laptop computers. That itself would be unremarkable. What was remarkable was the packaging:

- a 13" x 9" x 0.75" chunk of styrofoam, inside a
- paper box and brochure, wrapped in
- "shrinkwrap" plastic

I appreciate their intent—to demonstrate the size of their computer by sending me something of the same dimension. Given the dimensions are basically the same as most low-end laptops for the past 15 years, that seems just a waste of time. What is more disconcerting is *shipping* styrofoam that has no functional use (corrugated paper would have worked equally well). This wins the wasted packaging award IMO. I guess HP isn't all that concerned about environmental issues, despite having a web page dedicated to claiming otherwise:
http://www8.hp.com/us/en/hp-information/environment/

I'll let Consumer Reports know (they highlight cases inside the back cover of every issue), but I thought this list might find this interesting too.
Very old, fairly common alternate definition of GIGO is Garbage In, Gospel Out. As when the electric company insists that you used $113,047.15 of electricity last month, "because the computer says so".
All one must do to retroactively remove the entire history of a web page (or entire domain) from the so-called Wayback Machine is publish a "robots.txt" directive under the appropriate url? Is that the correct interpretation here? If so, I'm very disappointed with archive.org. It's one thing to honor "robots.txt" prospectively, it's quite another to allow its use to effectively erase content after the fact. To me, this renders the Internet Archive essentially useless. On further investigation, the retroactive attribute is confirmed by the IA FAQ, and Alexa Internet seems to be the culprit. Not that my conclusions about IA are altered in any way by that finding...