[Via Dave Farber] *United Airlines Reservation System Crashes (Again)* <http://www.frequentbusinesstraveler.com/2014/02/united-airlines-reservation-system-crashes-again/> http://accura.cc/59hctv "United Airlines' computer systems failed Wednesday [19 Feb 2014] morning and the problem caused significant disruptions for passengers who had planned travel on the airline. A spokesman for the airline said that its Shares passenger service system failed at 9 a.m. Eastern Time. The disruption lasted approximately 30 minutes but it was followed by sporadic failures that continued throughout the morning. ..."
Michael Lloyd and Yuxing Zheng, *The Oregonian* Oregon Secretary of State Kate Brown warned businesses Thursday about a fraudulent invoice making the rounds. http://www.oregonlive.com/politics/index.ssf/2014/02/frustrations_mount_as_oregon_s.html Frustrations are mounting more than a week after a breach of the Oregon secretary of state's website caused elections and business databases to go offline. State officials say they're still investigating how the intrusion from a foreign entity occurred and don't know when the databases will return. The attack "appears to be an orchestrated intrusion from a foreign entity and not the result of any employee activities," the agency reported on its website this week. The department's Central Business Registry and ORESTAR, the state's online campaign finance reporting system, were temporarily taken offline as a precaution after officials detected "an intrusion" around 4 Feb. Since then, business attorneys haven't been able to look up existing business names, and campaign finance officials have not been able to report transactions. The outage could lead to missed deadlines and increased costs for businesses as attorneys spend extra time filing documents, said Shawn Lindsay, a business attorney and a Republican former state representative. The breach also raises questions about the security of the agency's other databases, including the voters database, which contains personal information that isn't publicly available, Lindsay said. The voters database is on a separate server and was not affected by last week's breach, state officials say. Credit card data is also safe.
In my most recent Velocity talk I made the point that applications gradually take on safety implications as their use becomes wider and they become more integrated into work. This is surely true for the Electronic Medical Records and will become true for many applications now considered `nice' or `useful' -- i.e., nonessential. Although not directed towards a safety goal (and therefore exempt from the usual requirements for devices intended to make or assure safety) useful artifacts gradually insinuate themselves into operations that are themselves essentially risky. It is then that their safety-ness becomes apparent. Unfortunately, the shift in use is not accompanied by reliability improvements. It is the same COTS stuff at the end as the beginning. The reaction of those responsible to accomplish the tasks that the apps do will be to develop low-cost and easily-deployed means to accomplish the functions when the IT doesn't work. Much of this is in the form of paper: Copies of schedules, copies of availability, printed versions of planning guides are easy to maintain and cost very little.
[Via Dave Farber's IP list] The Snowden privacy panic has spread to medical research. This is a problem. *The Daily Telegraph* http://blogs.telegraph.co.uk/technology/marthagilltech/100012335/the-snowden-privacy-panic-has-spread-to-medical-research-this-is-a-problem/ Since the Snowden revelations everyone has been panicking about privacy. Google, Twitter, Facebook and Yahoo are racing to show users how well they can protect their data. Government contractors are double-scrutinising new hires and encrypting everything in sight. But there's about to be one cautious move too many, and it's a serious threat to medical research. The European Parliament is proposing a new law which will effectively illegalise a NHS database of patient records, along with many large research projects. The idea had been kicking around for a while, but progress ground to a halt last year. After Snowden though, the kicking enthusiastically returned.
David E. Sanger and Eric Schmitt, *The New York Times*, 11 Feb 2014 http://www.nytimes.com/2014/02/12/us/politics/spy-chief-says-snowden-took-advantage-of-perfect-storm-of-security-lapses.html?hp&_r=0 WASHINGTON—The director of national intelligence acknowledged Tuesday that nearly a year after the contractor Edward J. Snowden "scraped" highly classified documents from the National Security Agency's networks, the technology was not yet fully in place to prevent another insider from stealing top-secret data on a similarly large scale. The director, James R. Clapper Jr., testifying before the Senate Armed Services Committee, said Mr. Snowden had taken advantage of a "perfect storm" of security lapses. He also suggested that as a highly trained systems administrator working for Booz Allen Hamilton, which provides computer services to the agency, Mr. Snowden knew how to evade the protections in place. "He knew exactly what he was doing," Mr. Clapper said. "And he was pretty skilled at staying below the radar, so what he was doing wasn't visible." But Mr. Clapper confirmed the outlines of a New York Times report that the former N.S.A. contractor had used a web crawler, a commonly available piece of software, to sweep up a huge trove of documents. Mr. Clapper also said, for the first time, that some of the information Mr. Snowden is believed to possess could expose the identities of undercover American operatives as well as foreigners who have been recruited by United States spy agencies. The information Mr. Snowden has released so far through several newspapers and a new digital news organization that began publishing on Monday has not revealed the names of agents or operatives, and it is unclear how much of that information he took with him when he fled the United States. [Truncated for RISKS...]
Lucian Constantin, InfoWorld, 18 Feb 2014 A self-replicating program infects Linksys routers by exploiting an authentication bypass vulnerability http://www.infoworld.com/d/security/themoon-worm-infects-linksys-routers-236404
Candice So, *IT Business*, 18 Feb 2014 http://www.itbusiness.ca/news/well-ca-loses-customer-credit-card-data-in-security-breach/46993 selected text: In an e-mail to its customers today, Well.ca said one of its service providers was "illegally compromised" between 22 Dec 2013 and 7 Jan 2014. ... The service provider then informed Well.ca about two weeks ago [a delay of about one month], and Well.ca got further confirmation about the breach from its credit card provider less than a week ago.
Cyrus Farivar, Ars Technica, 14 Feb 2014 "Transaction malleability," which worried Mt. Gox and Bitstamp, strikes again. http://arstechnica.com/security/2014/02/new-silk-road-hit-with-2-6-million-heist-due-to-known-bitcoin-flaw/
Another company, Steelcase, which puts sensors in office furniture and buildings to see how workers interact, thinks the real opportunity for workplace monitoring is far from the call-centre floor—in opaque creative departments and even boardrooms, where time is especially precious. David Lathrop, its director of research and strategy, says the sensors are now so cheap they can be put "practically everywhere", arguing that employees could benefit by tracking their own performance. Improving the productivity of top executives "has a disproportionate effect on the company", he adds. http://www.ft.com/cms/s/2/d56004b0-9581-11e3-9fd6-00144feab7de.html
My cell phone just rang with caller-id announcing that it was my teenage daughter. I answered in a rush because, being a typical teenager, she would rather use any other method of communication than a voice call - so I figured it must be urgent. It wasn't. It wasn't even her. It was the "Card Holder Services" spammers saying they wanted to reduce my interest rates. But the question is - how did they decide to spoof her number when calling me? Possibly they managed to scrape her "contacts" from her phone using some rogue application? Perhaps they have scraped the caller-id database and noticed that we have phone numbers close together and the same last name? However they did it - the value of caller-id when deciding whether to take a call just hit zero.
"Secure program obfuscation would be useful for many applications, such as protecting software patches, obscuring the workings of the chips that read encrypted DVDs, or encrypting the software controlling military drones. More futuristically, it would allow people to create autonomous virtual agents that they could send out into the computing "cloud" to act on their behalf. If, for example, you were heading to a remote cabin in the woods for a vacation, you could create and then obfuscate a computer program that would inform your boss about e-mails you received from an important client, or alert your sister if your bank balance dropped too low. Your passwords and other secrets inside the program would be safe." http://j.mp/1dZ6bHP (*WiRed*) - - - And so handy to hide viruses, spies, and other evil in, too!
http://j.mp/1oYIQ29 (EFF via NNSquad) "For the last month, Venezuela has been caught up in widespread protests against its government. The Maduro administration has responded by cracking down on what it claims as being foreign interference online. As that social unrest has escalated, the state's censorship has widened: from the removal of television stations from cable networks, to the targeted blocking of social networking services, and the announcement of new government powers to censor and monitor online. Last night, EFF received reports from Venezuelans of the shutdown of the state Internet provider in San Cristóbal, a regional capital in the west of the country."
http://j.mp/1m4Epns (*The Guardian* via NNSquad) "Microsoft's search engine Bing appears to be censoring information for Chinese language users in the US in the same way it filters results in mainland China. Searches first conducted by anti-censorship campaigners at FreeWeibo, a tool that allows uncensored search of Chinese blogs, found that Bing returns radically different results in the US for English and Chinese language searches on a series of controversial terms. These include Dalai Lama, June 4 incident (how the Chinese refer to the Tiananmen Square protests of 1989), Falun Gong and FreeGate, a popular Internet workaround for government censorship."
Gwen Ackerman, Bloomberg, 19 Feb 2014 http://www.bloomberg.com/news/2014-02-19/israel-electric-opens-cyber-war-room-to-defend-against-power-grid-hacks.html Israel's main power company opened a cyber "war room" this week to defend its systems around the clock from hackers. Technicians at Israel Electric will monitor as many as 400 million cyber-attacks and hacking attempts a day. "There are hundreds of thousands of attempts to infiltrate Israel Electric's networks every day," Israel Electric Chairman Yiftach Ron-Tal said in an e-mailed statement yesterday. "We are talking here about a threat on a national level." Prime Minister Benjamin Netanyahu has said that one goal of his government is to turn Israel into a world leader in cyber-technologies. In 2012, Netanyahu formed the National Cyber Bureau, which said last month that it plans to establish an emergency-response team for cyber-attacks. President Shimon Peres has spent the last month making public appearances to promote Israeli technology, including cyber-security. In the past three years, the country's cyber-security industry has grown from a few dozen companies to about 220 that have raised more than $400 million, according to the Tel Aviv-based IVC Research Center. Twenty multinational companies now operate online-security development centers in Israel. [...]
Patrick Tucker, *Defense One*, 6 Feb 2014 U.S. Defense Advanced Research Projects Agency (DARPA) Information Innovation Office director Dan Kaufman says an innovation gap exists as the private sector advances in areas in which the government was once primarily responsible for research breakthroughs. Kaufman hopes to close that gap, and notes that DARPA has made its most recent big data research effort part of the DARPA Open Catalog, which aims to open more of the agency's software and science research to the public. For example, he says improved encryption can help provide both privacy and security. "What if there was a way to collect the data but encrypt it so that people couldn't use it in a way that wasn't approved?" Kaufman asks. In the future, spying on data will be more difficult even as data proliferates across multiple channels, says Kaufman, pointing to DARPA's PROCEED program, which successfully demonstrated fully homomorphic encryption for cloud environments, previously thought to be impossible. DARPA also will use advanced machine learning to help the Defense Department manage threats, enabling security experts to interact with an algorithm that learns what to look for and improves results through continued interaction. http://www.defenseone.com/technology/2014/02/darpa-thinks-future-surveillance-looks-siri/78419/?oref=d-interstitial-continue
Rick Falkvinge, *Torrent Freak*, 9 Feb 2014 [via Dave Farber] http://torrentfreak.com/drm-entire-copyright-monopoly-legislation-lie-140209/ Cory Doctorow had a brilliant column in The Guardian, which was very long and went into quite a bit of legislative history, but the key takeaway hit the nail right on the head. The entire copyright legislation is a lie, a facade, a mirage. There are no exceptions, there are no expirations, there is no fair use. The reason the situation has been allowed to degrade to this point is a small but important detail called DRM (Digital Restriction Measures). Since the turn of the century publishers are allowed to embed technical obstacles called Digital Restriction Measures in anything they publish, and these measures set and enforce a vastly expanded set of restrictions over and above ordinary copyright monopoly law. The original law loses its effect in the clause that says that any disabling of such Digital Restriction Measures is illegal in the US and EU. The net effect of this is that the DRM portion of copyright law, as it stands today, is permitting publishers to dictate whatever terms they like and call it `copyright', overriding the rest of that law. Ordinary copyright monopoly law says that the monopoly eventually expires. That's just not true, because mostly everything published today has DRM, which says the monopoly does not expire. Ordinary copyright monopoly law says you have a right to enjoy your purchased works in various formats, places, and ways (in your car, in your home, on your bike, when you like). DRM has made sure that's not in the lawbooks anymore, because publishers didn't want it that way. So let's look closer at what the copyright monopoly law really looks like, with DRM in place and protected by law as is today. Publishers don't want you to buy stories in another country and enjoy them at home? At odds with ordinary copyright law, but with DRM, publishers can totally override that.
Publishers want the copyright law to say that purchased books can't even be shared between family members? Perfectly doable with DRM-fabricated copyright law, even if the ordinary copyright law would have dropped a ton of bricks on those publishers. Publishers want the ability to remotely remove a book you've bought from your bookshelf, even as you have it in your home? Just fine with DRM. Digital Restriction Measures were never—never—supposed to prevent copying. If you wanted to copy a DRM-ridden work, you could do so without problem; the DRM would follow along to the copy just fine. DRM is a usage restriction, not a copy restriction, and most importantly, as Doctorow puts it: DRM is the right for publishers to make up their own copyright law. [...]
Chip and PIN doesn't actually increase security. Chip & PIN cards have a fall-back mode when the chip fails and revert to standard magnetic stripe operation or even mechanical imprint. It's trivial to create a card with a broken chip and forged or broken magnetic stripe. It gets slightly more complex with the RFID version of Chip and PIN. The cards have three levels of degradation. Either the RFID fails or the RFID reader fails - both quite common in my experience. Then the Chip can fail - again common, and finally the stripe can fail forcing a reversion to mechanical imprint. There is also the issue of bank terminal acceptance of cards. In one store I am obliged to initially present my RFID card which is declined as not accepted at that terminal. Then I have to insert the card to have the chip read and it is again declined because the terminal won't accept electronic AMEX. Finally I am allowed to swipe the card. I must do it in that order because of the store rules. There is also the issue of Card-not-present purchases such as telephone or Internet purchases in which the chip plays no part whatsoever. What RFID cards do do is decrease security due to various scams involving portable RFID readers. A second risk is banks have different automatic authorisation levels depending on the type of verification used. In my case RFID authentication has a relatively high dollar value for automatic authorisation, so anyone taking my card can make multiple purchases up to $100 each with no signature or PIN. If the card reverts to simple chip mode or swipe mode then a PIN is required for all purchases. All in all Chip cards and in particular RFID Chip cards are convenient but overall less secure than ordinary swipe cards—at least from a user perspective.
The state of education around the world is often a source of innocent amusement, but this particular item is perhaps not as "bad" as it seems. Firstly, it is certain that the great majority of humans throughout history have believed this, if they have thought about the problem at all. Secondly, it's not a problem that impinges on the daily life of anyone. Thirdly, if the theory of General Relativity is to be accepted, then heliocentrism is no better a belief than geocentrism [or galactocentrism or ...]; we should pick co-ordinates for convenience, not dogma.
> NSF: 1/4 of Americans think sun goes 'round the earth... This is cherry picking from the NSF report. (Read it.) Although the state of American science knowledge is spotty, this particular example overstates the problem. Note also that Americans stack up reasonably well compared with people in other developed countries. As an aside, I'll level a couple of other quibbles. a) "Which goes around which" is science trivia, unimportant to everyday life. Ask people about the freezing temperature for water. b) I'm allowed to choose my frame of reference. For practical purposes, the earth is stationary and the sun goes around the earth once a day.
Rather than depend upon a biased source (reason.org is an arm of the Koch Brothers Reason Foundation, which would probably like to abolish the FAA and allow the invisible hand of the free market to rule the air spaces), why don't we look at the job posting itself: http://www.doleta.gov/usworkforce/whatsnew/eta_default.cfm?id=6050 Air Traffic Control Specialist Recruitment: Alert on Upcoming Recruitment and Outreach Campaign by FAA 29 Jan 2014 The Federal Aviation Administration (FAA) has announced a nation-wide air traffic control specialist recruitment, outreach, and education program, extending the invitation for the workforce system to share this information with its program participants in advance of a public vacancy announcement expected on or about 10 Feb 2014. There are air traffic control positions available at FAA locations across the country, and the FAA encourages all interested individuals who are eligible to apply for these positions. Some background: The Federal Aviation Administration (FAA) has re-opened its Academy for training Air Traffic Controllers, which closed in the spring of 2013. The FAA intends to hire around 3,000 people over the next year for these positions across the country. The FAA anticipates that they will be hiring in significant numbers over the next several years, given the fact that Air Traffic Controllers must retire by age 56. Below are some key points of this new FAA hiring initiative: * FAA will post these positions on the USA Jobs website during the 10--21 Feb period. * FAA will recruit nationwide. * The pay scale for Air Traffic Controllers ranges from GS-9 to GS-15 (depending on the local area). * Individuals must start the FAA Academy or be conditionally hired by their 31st birthday. * Individuals must have 3 years of progressively responsible work experience, or a Bachelor's degree, or combination of education and work experience.
* Individuals must meet medical and security requirements of being a government employee. * Veterans will receive Preference through the normal Federal Hiring process. * FAA is hosting a Virtual Career Fair on 12 Feb. Please visit www.FAA.gov/jobs for Employment FAQs, Air Traffic Controller Fact Sheets, and promotional videos. FAA has also created 'Digital Kits' for outreach and promotion, addressing eligibility for the position, application instructions, and other FAA positions in addition to the air traffic control jobs. Please visit www.faa.gov/jobs/recruiting_kit/ The FAA is not hiring J Random Dropout off the street and plopping them into a controller's chair at LAX. They're simply restarting an already existing program that has been in hiatus.
http://www.nybooks.com/articles/archives/2014/mar/06/can-privacy-be-saved/
The Royal Academy report that was mentioned in the latest RISKS digest is here: http://raeng.org.uk/news/publications/list/reports/Global_Navigation_Systems.pdf
One approach is to harden the system but shouldn't we also be thinking about a more generalized approach to getting location information that doesn't depend on line-of-sight to satellites? We already do this using information from cell towers and other sources but such approaches need to be resilient and not naively trusting in the information they receive.
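One way to make a multi-source location estimate "resilient and not naively trusting" is to treat each source as a vote and cross-check them before believing any single one. The following is an added illustration, not code from the RISKS post or from the Royal Academy report: it takes position fixes from independent sources (the names `gnss`, `cell` and `wifi`, the coordinates and the uncertainty radii are all constructed for the example), forms a robust consensus from the coordinate-wise median, rejects any source that disagrees with that consensus by more than its own claimed uncertainty, and only then combines the survivors. A single bad satellite fix, whether from a faulty receiver or an interfered signal, is outvoted by the other sources rather than propagated.

```python
"""Cross-check position fixes from independent sources before trusting them.

Added illustration (not from the RISKS post or the Royal Academy report).
Assumes each source reports a (lat, lon) in degrees plus a claimed
uncertainty radius in metres; the sample fixes below are constructed.
"""
import math
from statistics import median

EARTH_RADIUS_M = 6_371_000.0
# Extra slack (constructed value) added to a source's claimed uncertainty
# before it is declared inconsistent with the consensus.
TOLERANCE_M = 200.0


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def consensus_position(fixes):
    """fixes: dict name -> ((lat, lon), uncertainty_m).

    Returns (estimate, accepted_names, rejected_names).
    1. Consensus centre = coordinate-wise median of all fixes, which a single
       wild value cannot drag far.
    2. A fix is rejected when its distance from the centre exceeds its own
       claimed uncertainty plus TOLERANCE_M (it is either wrong or lying
       about its accuracy; either way it should not be trusted).
    3. The survivors are combined with inverse-variance weights.
    """
    if len(fixes) < 3:
        raise ValueError("need at least three independent sources to outvote one bad one")
    centre = (
        median(p[0] for p, _ in fixes.values()),
        median(p[1] for p, _ in fixes.values()),
    )
    accepted, rejected = [], []
    for name, (point, unc) in fixes.items():
        if haversine_m(point, centre) <= unc + TOLERANCE_M:
            accepted.append(name)
        else:
            rejected.append(name)
    if len(accepted) < 2:
        raise ValueError("too few mutually consistent sources to form an estimate")
    weights = {n: 1.0 / fixes[n][1] ** 2 for n in accepted}
    total = sum(weights.values())
    estimate = (
        sum(fixes[n][0][0] * w for n, w in weights.items()) / total,
        sum(fixes[n][0][1] * w for n, w in weights.items()) / total,
    )
    return estimate, sorted(accepted), sorted(rejected)


# Constructed sample: the device is really near (51.5074, -0.1278). The
# satellite fix claims 10 m accuracy but is ~10 km off; the cell-tower and
# Wi-Fi estimates are coarse but honest.
SAMPLE_FIXES = {
    "gnss": ((51.6000, -0.1280), 10.0),
    "cell": ((51.5080, -0.1260), 500.0),
    "wifi": ((51.5070, -0.1280), 50.0),
}
TRUE_POSITION = (51.5074, -0.1278)


def run_sample():
    """Apply the cross-check to the constructed fixes; returns the result tuple."""
    return consensus_position(SAMPLE_FIXES)


if __name__ == "__main__":
    est, ok, bad = run_sample()
    print(f"estimate={est} accepted={ok} rejected={bad}")
    print(f"error vs true position: {haversine_m(est, TRUE_POSITION):.0f} m")
```

The design point is that the source with the best *claimed* accuracy (the satellite fix) is the one thrown out, because accuracy claims are only as trustworthy as the source making them. Requiring at least three sources is what makes the median meaningful; with two, there is no way to tell which one is wrong.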
http://j.mp/M5rqkU (Techdirt via NNSquad) "The UK government's futile and ham-fisted attempts to purge the Internet of all of its rough edges and naughty bits are about to see international escalation. The country is only really just kicking off their campaign to impose porn filters that not only often don't work, but also have so far managed to accidentally block numerous entirely legal and useful websites including technology news sites like Slashdot, digital rights groups like the EFF, rape counseling websites, and more. David Cameron's government has long-stated they want this filtering to eventually extend to websites deemed "extremist" by the government, and it appears that new proposals being drafted hope to make that a reality sooner rather than later." Here's a plan. Cameron can just use "*" as his filter block directive and avoid all the intermediate steps. No Web! No Problem!