Dan Gillmor, *The Guardian*, 24 Jan 2014

A few corporations and governments are strangling democratized technology. We have to fight back, but it takes money.
http://www.theguardian.com/commentisfree/2014/jan/24/save-the-open-internet-foundations

The best foundations and philanthropies exist to address market failure, working to solve problems that business and government ignore or make worse. Andrew Carnegie funded public libraries in America. Bill and Melinda Gates are working to save lives in the developing world. The Ford Foundation puts social justice at the core of its programs.

Now it's time for our major foundations and philanthropists to address an impending new failure. They can help save the kinds of open, decentralized systems that gave us personal computing and the Internet.

Like a python that suffocates its prey, the forces of centralization -- corporate and governmental—are inexorably strangling democratized technology and communications. They have power, and they have money, and they're not even slightly interested in allowing tomorrow's technology and communications to be controlled by the users, because that would threaten their power and profits. They don't do this because they necessarily have evil goals. Rather, like the python, it is in their nature.

I'm hardly the first to notice any of this. Far-seeing people have been warning for years about the way users of technology and communications have been herded—often willingly—into various kinds of walled gardens and centralized services. Companies like Facebook, Google, Apple and Microsoft have built dominant positions in key areas of the overall ecosystem by offering genuine value. Governments create or permit oligopolies, even monopolies, in telecommunications service; and politicians fan public fears of violence and terrorism so they can spy on, if not lock down, our communications.

The result: the devices we buy are increasingly controlled by the sellers, not us. What we say and do is increasingly recorded. Innovation moves from the edge of networks to the center, because we need permission from the ones in control.

It's not a lost cause, not yet. A number of efforts, some longstanding and others fledgling, are under way in the US and around the world to alert people to what's at stake. Activist groups such as the Electronic Frontier Foundation, among a number of others, work hard to get the public's attention. The EFF and others are also trying to do something about the situation, beyond talking, by working on technological measures to boost security and -- this is key—keep user control at the edges, by effectively re-decentralizing. These efforts range from the decades-old free software movement (often called "open source") to the more recent "Indie Web" and Open Technology Institute projects. In an upcoming column I'll talk in more detail about some of the newer technological initiatives.

However useful they are, they may well be over-matched on this most tilted of playing fields. Which is where foundations enter the picture. Here's my plea to them:

First, direct some resources toward education. Help the public understand the issues. This is necessary because on issue after issue, major media tend to reflect corporate and governmental values, not the public's. Copyright, for example, has become a major control issue, with Hollywood and its allies working constantly for ever-tougher laws restricting access to and use of copyrighted material, and using existing laws to thwart innovative new services that threaten their business model. The major TV networks' news programs have barely addressed copyright, because they are part of the cartel that wants more control. [...]
Robert Westervelt, CRN, 27 Jan 2014

[Re: previous item in RISKS-27.72. PGN]

Coca-Cola is notifying employees, contractors and people associated with its suppliers following a data breach at its Atlanta headquarters that resulted in the theft of laptops and information exposure on at least 74,000 people. The laptops, which have been recovered, were stolen by a former employee, according to the Wall Street Journal, which first reported the security incident Monday. A Coca-Cola spokesperson did not return repeated requests from CRN for a comment on Monday.

Coca-Cola told the newspaper that the laptop was not encrypted and contained the names, Social Security numbers and addresses of the individuals and included other details, such as driver's license numbers, compensation and ethnicity. The firm said the laptops were stolen by an employee who was assigned to properly dispose of the equipment. The newspaper reported that Coca-Cola is sending out notification letters to 18,000 people whose names and Social Security numbers were found on the laptops as well as 56,000 people who had other personal information potentially exposed. ...

http://www.crn.com/news/security/240165711/coca-cola-laptop-breach-a-common-failure-of-encryption-security-basics.htm
Heather Long, *The Guardian*, 27 Jan 2014

Perhaps the Target data breach involving 100m credit and debit cards will finally wake up the US on its outdated technology
http://www.theguardian.com/commentisfree/2014/jan/27/target-credit-card-breach-chip-pin-technology-europe

If you live in the US, you probably heard about the 100m credit and debit card numbers that were stolen from Target's databases recently. (Target initially stated 40m cards were at risk and then revised the figure up). While Target tries to limit the damage (they recently sent out an email offering free credit monitoring), the bigger question people are rightly asking is why is the US a decade behind Europe on issuing safer "chip and pin" credit and debit cards? How did we let it get this bad?

I remember arriving in the UK for graduate school in 2004 and being issued credit and debit cards after opening a British bank account. My American colleagues and I were fascinated by these pieces of plastic. They were black and red - we called them "Darth Maul cards" after the Star Wars character - and they had microchips embedded in them, something few of us had ever seen before. It was relatively new technology at the time, used to protect against fraud. It's now in place across Europe (and beyond) and has greatly reduced data theft (pdf). Yet here we are in 2014 and America, a supposed leader in all things financial, has yet to implement this technology (more commonly referred to on this side of the pond as EMV or "smart cards", which only reinforces that the US is still in the "dumb card" era).

Some question whether chip and pin would have stopped the Target case entirely, but it sure would have made using the stolen data a lot harder. Things are starting to change - at least for high-end Americans. A number of banks are quietly rolling out smart cards. Citi and Chase, for example, offer several premier credit cards with chip and pin, but only for certain accounts. Curiously, HSBC, one of the UK's leading banks that has issued chip and pin cards in Europe for years, does not give them out yet to American customers as "standard practice", according to a spokesman.

So what's keeping the US in the "dumb card" era?

1. Scale

Sometimes size isn't a plus. The US has over 10m credit card terminals and 1.2bn cards, according to Smart Card Alliance, an industry group that tries to educate and push for the widespread adoption of this technology in the US. The Alliance estimates that less than 2% of Americans have smart cards. It's difficult to get such a large market to adopt. As the Wall Street Journal reported last week, Target actually tried to roll out smart cards from 2001-04, but the rest of the market didn't follow.

2. Who pays for the updates?

The credit card market in the US is complex (pdf). You have retailers, big banks and then card associations like Visa and Mastercard. So you have to get three sectors of the market to work together to implement any new technology. US retailers and credit card companies have been at war for years over who pays what transaction fees. Now they're trying to sort out who will pay for the estimated $8bn costs (pdf) for chip and pin technology.

3. The US has low fraud rates

America has strong legal protections for people whose credit card numbers are stolen and historically low fraud rates compared to the rest of the world, so there was a "what's the problem?" mentality here. Randy Vanderhoof, executive director of the Smart Card Alliance, also says, "There is not the equivalent of the UK Card Association in the US to set policy and require all stakeholders to act. It has been a challenge to get everyone to agree on much of anything when it comes to payments and who pays the cost and where the fraud savings will be realized."
It's more like two decades—10 years ago is merely when that author first saw a chip card. The chip and pin infrastructure was fully built out even in small villages in France, Germany, Holland etc. almost twenty years ago. I don't remember if those machines even supported a swipe card since I always used a PIN.

My guess is that it will never happen in the US for a couple of reasons. One reason is the way risk is apportioned: in the States the legal structure forces most of the liability onto the card issuers, so there's little substantive risk in handing the card to a waiter who takes it out of view. I would never do the same with my European credit cards. So why bother to change?

The second is that any shift will follow the example of the smart phones. Until the iPhone came out, the US mobile infrastructure was also a decade or two behind Europe (I had a friend who would whistle the Flintstones song whenever I would pull out a mobile phone in the US). The US got the crappy old phones, most of which were made by European manufacturers. The iPhone went off like a bomb in that market and now much of the innovation flows the other way. It's more likely that a Square-like player will manage to reimagine the payment infrastructure and skip to a new generation.

PS: I got Silicon Valley Bank to issue me a card with a chip in it but it came with no PIN! *facepalm*
[From Dave Farber's IP distribution]

We should look at the choice of anti-fraud techniques (whether through chip-and-pin in the EU or statistical anomaly detection in the US) as a decision about what kind of insurance banks and payment processors chose to buy. Both statistical anti-fraud scoring and chip and pin cost money to implement. No doubt the cost of phone calls originally factored into this decision, as Peter suggests. I would probably give more weight to the legal liability for loss that the banks face.

European card processors and banks face lower liability for fraud losses because a larger portion of payment transactions in Europe are debit payments rather than credit transactions. In this case, the customer bears the lion's share of the risk of loss. And my understanding is that even with credit transactions, the banks bear less risk than they do in the US. As US banks bear a greater risk, it seems logical to infer that they've decided (correctly or not) that they can insure against risk more efficiently with statistical techniques than with hardened hardware tokens. Perhaps this calculation will change with this new breed of attacks, but it's not obvious to me that one or another technique is necessarily superior from a cost perspective.

The statistical anomaly detection used in the US systems is a quite remarkable application of large-scale neural network techniques in generating risk scores based on purchasing habits. My understanding is that they are able to generate a risk score on every single transaction in more or less the same amount of time as it takes to transmit the transaction from merchant to acquiring bank to issuing bank. Another huge but unsung success for the AI community. :-)

We'll leave for another day the interesting privacy questions about this fraud scoring using personal financial data.

Daniel J. Weitzner, Director, MIT CSAIL Decentralized Information Group
Massachusetts Institute of Technology
http://dig.csail.mit.edu/
Comcast and Charter want to split up Time Warner's cable markets
http://j.mp/1d5gPN1 (Ars Technica via NNSquad)

Comcast and Charter are working out a deal in which Charter would acquire Time Warner Cable (TWC) and then sell some of those assets to Comcast. Previously, Charter offered to buy Time Warner for $61.3 billion or $37.3 billion excluding TWC's debt. Time Warner management rejected the amount, but Charter is attempting to push an acquisition through by appealing to shareholders. Today, Bloomberg reported that Comcast "is near a deal to buy New York City, North Carolina, and New England cable assets from Charter Communications Inc. if shareholders approve Charter's takeover bid for Time Warner Cable Inc."

- - -

In most industries, this sort of activity would be viewed as illegal restraint of trade. That these firms are so openly talking about divvying up the universe of captive Internet users (that's you and me—though these companies are clearly interested in our dollar value only, not in providing robust Internet services per se) is not only shameful, but a vivid illustration of how the U.S. Internet access industry has become an effective monopoly in all but name. They sound like mobsters splitting up cities for numbers rackets, prostitution, and heroin sales. Disgraceful.
Here's a risk related to NMR spectra. I worked in this field for quite a while and we had similar programs that would "best fit" the data. Problem is, "best fit" is a lie, or at least not the whole truth.

The process is called multiple linear (or non-linear) regression. At first blush this process looks very straightforward, much like a binary bit system: either some combo of bits is present or not. The problem is all the overlapping items and noise. Anybody that gives "best fit" from one of these systems needs to be sent to the broom closet.

One huge problem is the library used for doing the fit. If the library does not cover the universe of things that emit, you are doing a woefully incomplete job. And nobody uses a complete library that I know of. They usually use the things they expect to see or some superset of that.

The only way to do this job is "all possible combinations" with a statistical test for fit and then rank order the results. We had a statistician from PNL that created such a system for us and in his results you could see the "truth" in the answers (for known ground truth) whereas the "best fit" people almost always produced the wrong answer. I wish I still had that software as there was a trick to the all possible combinations solution.
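A small illustration of the "all possible combinations" approach the post describes, added here as an editorial example and not part of the original post or of the PNL software it mentions. It fits every subset of a constructed four-component library to a constructed observed spectrum (exactly A + B), ranks the subsets by residual and then by parsimony, and shows for comparison what a greedy "best fit" forward selection picks when one library entry (C) overlaps heavily with the true mixture. The library, spectra and names are toy data, not NMR measurements.

```python
from itertools import combinations

# Constructed toy "spectra": six intensity channels each (hypothetical, not real NMR data).
LIBRARY = {
    "A": [1, 0, 0, 1, 0, 0],
    "B": [0, 1, 0, 0, 1, 0],
    "C": [1, 1, 0, 1, 1, 1],   # overlaps heavily with A + B, but is not their sum
    "D": [0, 0, 1, 0, 0, 1],
}
# Constructed observed spectrum: exactly A + B, noise-free, so the ground truth is known.
OBSERVED = [1, 1, 0, 1, 1, 0]


def solve(matrix, rhs):
    """Gauss-Jordan elimination with partial pivoting; returns x with matrix @ x == rhs."""
    n = len(rhs)
    aug = [row[:] + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col:
                factor = aug[r][col] / aug[col][col]
                aug[r] = [a - factor * b for a, b in zip(aug[r], aug[col])]
    return [aug[i][n] / aug[i][i] for i in range(n)]


def least_squares_rss(names, observed, library):
    """Fit observed ~ sum(coef_i * library[name_i]) via the normal equations; return the RSS."""
    cols = [library[name] for name in names]
    xtx = [[sum(a * b for a, b in zip(c1, c2)) for c2 in cols] for c1 in cols]
    xty = [sum(a * b for a, b in zip(c, observed)) for c in cols]
    coefs = solve(xtx, xty)
    fitted = [sum(k * c[i] for k, c in zip(coefs, cols)) for i in range(len(observed))]
    return sum((o - f) ** 2 for o, f in zip(observed, fitted))


def exhaustive_rank(observed, library):
    """Score every non-empty subset of the library; rank by RSS, then by fewer components."""
    names = sorted(library)
    scored = []
    for k in range(1, len(names) + 1):
        for subset in combinations(names, k):
            rss = least_squares_rss(subset, observed, library)
            scored.append((round(rss, 9), k, subset))
    return sorted(scored)


def greedy_fit(observed, library, k):
    """Forward selection: at each step add the single component that most lowers the RSS."""
    chosen = []
    for _ in range(k):
        best = min((name for name in library if name not in chosen),
                   key=lambda name: least_squares_rss(chosen + [name], observed, library))
        chosen.append(best)
    return tuple(sorted(chosen))


if __name__ == "__main__":
    for rss, k, subset in exhaustive_rank(OBSERVED, LIBRARY)[:4]:
        print(f"{subset}: RSS={rss:.3f}, components={k}")
    print("greedy forward selection picks", greedy_fit(OBSERVED, LIBRARY, 2))
```

With this library the exhaustive ranking puts (A, B) first with zero residual, while greedy selection commits to C on the first step and ends with (C, D), a fit that needs a negative coefficient for D and never reaches the truth.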
*Third MIT STAMP/STPA Workshop*, MIT, Cambridge, Mass., 25-27 March

STAMP is a new accident causality model based on systems theory and systems thinking described in Nancy Leveson's book *Engineering a Safer World*. STAMP integrates into engineering analysis the causal factors in our increasingly complex systems such as software, human decision-making and human factors, new technology, social and organizational design, and safety culture. STPA is a powerful new hazard analysis technique based on STAMP, while CAST is the equivalent for accident/incident analysis. These tools are now used globally in almost every industry.

This free workshop will provide attendees with the opportunity to learn how to use these new tools, to meet with users and to hear about applications, evaluations, and the latest developments in this powerful new approach to system safety engineering. This year, the workshop will include a parallel half-day session on the application of STAMP to security. Presentations will span the application areas of automotive, aeronautics, air transportation (NextGen), railroads, medicine, petrochemicals, etc. and will include presentations of three sets of tools that are being developed (at the University of Stuttgart, Volpe National Transportation Research Center, and MIT) to support STPA. You do not need to make a presentation in order to attend; you can just listen.

Information about special rates on hotels and other aspects of the meeting will be posted on http://psas.scripts.mit.edu/home/

If you are interested in attending, we would appreciate it if you would register that interest. It's free, but we need to obtain appropriate space at MIT and want to avoid another big surprise like the first year when we expected 50 and 250 showed up. The registration list will also help us with planning and with detailed announcements about the workshop, as I do not want to spam people with multiple unwanted emails.

Registration can be done at:
https://docs.google.com/forms/d/1kFTrXiqxfhscdt0f0o4bRTit_CD8Czs6n7g1PaaHxsQ/viewform

Prof. Nancy Leveson, Aeronautics and Astronautics and Engineering Systems
MIT, 77 Mass. Ave., Cambridge, MA 02142
1-617-258-0505
http://sunnyday.mit.edu

[Note: The latest Inside Risks article, by Nancy Leveson and William Young, An Integrated Approach to Safety and Security Based on System Theory, is in the February 2014 CACM, and now on the Inside Risks website: http://www.csl.sri.com/neumann/insiderisks.html#232 PGN]
BKRNBSND.RVW 20130525

"Rainbows End", Vernor Vinge, 2006, 0-312-85684-9, U$25.95/C$34.95
%A Vernor Vinge
%C 175 Fifth Avenue, New York, NY 10010
%D 2006
%G 0-312-85684-9
%I Tor Books/Tom Doherty Assoc.
%O U$25.95/C$34.95 pnh@tor.com www.tor.com
%O http://www.amazon.com/exec/obidos/ASIN/0312856849/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0312856849/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0312856849/robsladesin03-20
%O Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P 364 p.
%T "Rainbows End"

It is always a pleasure to read something from Vinge. His characters are interesting, his plots sufficiently convoluted, and his writing clear and flowing. In addition, for the geek, his understanding of the technology is realistic and fundamental, which makes a change from so many who merely parrot jargon they do not comprehend. Of course, this is future technology we are talking about, so none of it is (currently) real. But it could be, without the wild flights of illogic that so abound in fiction.

In this book, we have a future with interconnectedness around the globe. Of course, this means that there are dangers, in regard to identity and authentication. The new technology protects against these dangers with a Secure Hardware Environment. (Or SHE, and, since the DHS mandates that everyone must use it, does that make it SHE-who-must-be-obeyed?) Encryption is, of course, vital to the operations, and so is used a lot, often in multiple layers.

It is probably a measure of the enjoyability of Vinge's work that I really didn't take note of the fact that two of the characters were named Alice and Bob. Not, that is, until late in the volume, when the author also briefly introduces a character named Eve Mallory.

copyright, Robert M. Slade 2013 BKRNBSND.RVW 20130525
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org

[Note the presumably intentional ambiguity between Rainbow's End (nounal) and Rainbows End (verbal), with Vernor taking Revinge on Alice and Bob. PGN]