Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
There is some software (called SCIgen) out of MIT that generates scientific-looking papers. And some number of these have actually squeaked through in (supposedly) reviewed conference proceedings, as well as into IEEE and ACM databases! Here's the research paper (not fake but 2 examples are in Appendix A) about the fake papers: http://hal.archives-ouvertes.fr/docs/00/71/35/55/PDF/0-FakeDetectionSci-Perso.pdf A new check-box in paper review forms is suggested: "Utter Bullbleep!" [This is a very unsettling article. The title is Duplicate and Fake Publications in the Scientific Literature: How many SCIgen papers in Computer Science? Cyril Labbe' and Dominique Labbe', Institut d'Etudes Politiques de Grenoble, First.Last@iep-grenoble.fr 22 Jun 2012 ; Scientometrics; DOI 10.1007/s11192-012-0781-y Abstract Two kinds of bibliographic tools are used to retrieve scientific publications and make them available online. For one kind, access is free as they store information made publicly available online. For the other kind, access fees are required as they are compiled on information provided by the major publishers of scientific literature. The former can easily be interfered with, but it is generally assumed that the latter guarantee the integrity of the data they sell. Unfortunately, duplicate and fake publications are appearing in scientific conferences and, as a result, in the bibliographic services. We demonstrate a software method of detecting these duplicate and fake publications. Both the free services (such as Google Scholar and DBLP) and the charged-for services (such as IEEE Xplore) accept and index these publications. keyword: Bibliographic Tools, Scientific Conferences, Fake Publications, Text-Mining, Inter- Textual Distance, Google Scholar, Scopus, WoK Introduction Several factors are substantially changing the way the scientific community shares its knowledge. On the one hand, technological developments have made the writing, publication and dissemination of documents quicker and easier. On the other hand, the "pressure" of individual evaluation of researchers-publish or perish-is changing the publication process. This combination of factors has led to a rapid increase in scientific document production. The three largest tools referencing scientific texts are: Scopus (Elsevier), ISI-Web of Knowledge (WoK Thomson-Reuters) and Google Scholar. Google Scholar is undoubtedly the tool which references the most material. It is free and it offers wide coverage, both of which are extremely useful to the scientific community. Google Scholar allows grey literature to be more visible and more accessible (technical reports, long versions and/or tracts of previously published papers, etc). Google Scholar systematically indexes everything that looks like a scientific publication on the Internet, and, inside these documents and records, it indexes references to other documents. Thus, it gives a picture of which documents are the most popular. However, the tool, much like the search engine Google, is sensitive to "Spam" [2], mainly through techniques, similar to link farms that artificially increase the "ranking" of web pages. Faked papers like those by Ike Antkare [12] (see 2.2 below) may also be mistakenly indexed. This means that documents indexed by Google Scholar are not all bona fide scientific ones, and information on real documents (such as the number of citations found) 1 hal-00641906, version 2 - 2 Jul 2012 Author manuscript, published in "Scientometrics (2012) 10.1007/s11192-012-0781-y" DOI : 10.1007/s11192-012-0781-y can be manipulated. This type of tool, using information publicly and freely available on the Web, faces some reproducibility and quality control problems [22, 10]. The full paper is well worth reading. PGN]
Hugo Beniada, Fueled, 27 Feb 2014 http://www.itbusiness.ca/blog/frances-anti-amazon-law-takes-the-wrong-approach/46802 selected text: After taking aim at U.S. Internet giants, including Yahoo Inc. and Google Inc., France's new target is the online retailer Amazon.com Inc. Last month, the French Senate has approved the so-called "Anti-Amazon" law, aimed to protect local book retailers. Basically, this law modernizes a 1918 law that established a fixed price for books sold in France. The Lang law, which carries the name of Jack Lang (the Minister of Culture of that time), enables book retailers to only discount up to 5 percent below the publisher's price. Created to preserve France's cultural exception, the government happens to really forget about the primordial access to Culture with this law. French rural inhabitants don't always have the chance live right next to a bookshop. Driving to the closest bookshop and paying for gas seems to be really more inconvenient than waiting for a book to be delivered for free to your mailbox. [I just noticed that in addition to selling new copies of my "Computer-Related Risks" (1995) book at a nice discount, Amazon is offering 15 used copies available for $0.01 plus shipping. I'm delighted the book is still recirculating. So much of it is still relevant today, as we keep making the same mistakes over and over again. PGN]
Tony Bradley, InfoWorld, 25 Feb 2014 An analysis of public tax returns from non-profit organizations found an estimated 630,000 Social Security numbers were exposed online PC Worldhttp://www.infoworld.com/d/security/study-irs-exposing-social-security-numbers-online-237089 opening text: This tax season you may have more to worry about than how much you owe. A new study from Identity Finder finds the IRS is not properly protecting social security numbers in some tax returns. Personal tax returns are not public, but the tax returns of non-profit organizations are public domain.
"It's an old legal adage that bad facts lead to bad legal decisions, and today we've got a classic example in Garcia v. Google-the "Innocence of Muslims" case. Based on a copyright claim that is dubious at best, the Ninth Circuit Court of Appeals has ordered Google to take offline a video that is the center of public controversy. We can still talk about it, but we can't see what we are talking about. We're hard-pressed to think of a better example of copyright maximalism trumping free speech." http://j.mp/1hiSWHI (EFF)
Candice So, *IT Business*, 26 Feb 2014 http://www.itbusiness.ca/news/pony-malware-targeting-passwords-and-bitcoins-uncovered/47143
Since 2011, Applied Computer Security Associates, sponsor of the ACSAC and NSPW conferences, has offered scholarships for women in their undergraduate and masters' degree programs through the Scholarships for Women Studying Information Security (SWSIS, www.swsis.org). Thanks to a $250,000 4-year contribution by Hewlett-Packard company, ACSA plans to offer an increased number of scholarships for the 2014-15 academic year. Also new in 2014-15, the Committee on the Status of Women in Computing Research (CRA-W), an arm of the Computing Research Alliance, is joining SWSIS, and will lead selection of scholarship winners. SWSIS winners will be invited to attend flagship conferences sponsored by ACSA, HP, and CRA-W, and will be encouraged to participate in HP's summer internship program. Applicants must provide: * An essay describing their interest and background in the information security field. * A current transcript. * A resume or CV. * Letters of reference (typically from faculty members). * Their university name and class status. The scholarship is renewable for a second year, given proof of satisfactory academic progress. Preference is for US citizens or permanent residents; funds are available for use at any US campus of a US university. Applications may be submitted starting 30 Mar 2014, and will be accepted until 1 May 2014. More information at www.swsis.org or swsis@swsis.org Jeremy Epstein, Director, Scholarship Programs Applied Computer Security Associates, Inc.
Kevin Fu's post notes that proposed legislation exempting health information technology from independent oversight would create "disturbing loopholes" that could compromise safety ... It's even worse than that. Patient safety is already compromised by buggy, poorly usable systems. The legislation would just enshrine the status quo as the state of the art. Robert L Wears, MD, MS, PhD, University of Florida Imperial College London wears@ufl.edu 1-904-244-4405 r.wears@imperial.ac.uk +44 (0)791 015 2219
Lucian Constantin, InfoWorld, 25 Feb 2014 Attack is the equivalent of keylogging, and the captured touch screen data could be used to reconstruct what users type http://www.infoworld.com/d/security/new-ios-flaw-allows-malicious-apps-record-touch-screen-presses-237070
Caroline Craig | InfoWorld, 28 Feb 2014 Apple's SSL encryption fail and iOS keylogging flaw juiced anxiety levels in an industry already reeling from security fatigue http://www.infoworld.com/t/vulnerability-assessment/apples-security-flaws-are-you-paranoid-enough-yet-237332
What horrible coding style. To me it looks like it was specifically written to embed that exploit! The Apple code snippet is a great example of why curly brackets should be mandatory. If I was reviewing that code I'd have made them re-write it along the lines of: err = 0; if ( ( (err = (SSLHashSHA1.update(&hashCtx, &serverRandom)) ) != 0 ) || ( (err = (SSLHashSHA1.update(&hashCtx, &signedParams)) ) != 0 ) || ( (err = (SSLHashSHA1.final(&hashCtx, &hashOut)) ) != 0 ) ) { // Do fail stuff here SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); } return err; Chuck Petras, PE**, Schweitzer Engineering Laboratories, Inc Pullman, WA 99163 USA http://www.selinc.com Tel: +1.509.332.1890
Just as a side note: but there's several scenarios where computer practitioners consider it better than the alternative. The code below is the textbook illustration for one: cleaning up after yourself, in this case: freeing up memory. > SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer > signedParams, uint8_t *signature, UInt16 signatureLen) > > { > OSStatus err; > ... > if <error> > goto fail; ... > if <another error> > goto fail; ... > if <yet another error> > goto fail; > ... > fail: > SSLFreeBuffer(&signedHashes); > SSLFreeBuffer(&hashCtx); > return err; > } Because if you copy-paste the clean-up ("fail") block into a dozen "if" blocks you will mess one of them up. Or somebody updating the code will mess one up eventually. What you'll get then is the dreaded memory leak that every computer scientist knew was considered harmful. Dimitri Maziuk, BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu
This fault demonstrates a dangerous feature of the C language and its derivatives. This programming mistake is not possible in an Algol or Fortran based language, which would read: IF (err ... != 0) THEN goto fail ENDIF; and the (presumed) botched cut and paste edit would fail compilation. So I propose that the use of C is a risk.
>Baker: But every computer scientist already knew that GOTO's are considered harmful! I have for 35 years and continue to take exception to this blanket statement, and do not believe from my reading of the early discussions that this belief was the intention of the original writers. "GOTOs *without discipline* are harmful" is closer to what I believe they meant. In other words, GOTOs *can* make code much less readable, maintainable, stable, reliable, and other good words ending in -ble. But that isn't necessarily the case: indeed, code where the mainline never does a GOTO *except* to branch out to error handlers (yes, I'm mainly talking about non-OO code here) can be far more -ble. Specifically, it reduces the levels of nesting. Consider the following (p-code): Function1() If rc != 0 then... Function2() If rc != 0 then ... Function3() If rc != 0 then ... Function4() If rc != 0 then ... End End End End /* Did everything above work? */ If rc != 0 then ... End Those nested IFs get pretty painful if you use indention (required for some of the -bles!), especially if the blocks are large (another topic for theo logical discussion, but out of scope here). Far more -ble IMHO: Function1() If rc != 0 then goto FAILED1 Function2() If rc != 0 then goto FAILED2 Function3() If rc != 0 then goto FAILED3 Function4() If rc != 0 then goto FAILED4 /* If we get here, everything worked so far */ I would MUCH rather read and maintain the latter: I can see what the mainline is doing, and if I need to know what happens if a specific call fails, I go follow that up. This in no way diminishes the importance of error handling: indeed, it enhances it, by allowing a bunch of error handlers to be adjacent, making it easier to keep their behavior consistent. How many times have you fixed a memory leak caused by an error case that forgot to release a buffer that the other 27 error handlers all remembered to do? If those had all been adjacent, it should (I almost wrote "would", but that's a wish) be easier for the person adding a handler to say "Oh, yeah, look, they all release that, I should at least see whether I need to do that as well". This requires some rigor to make sure that the FAILEDx handlers all themselves wind up at an appropriate exit point, but then, this is all about rigor. It helps if the error handlers actually DO something, of course; in Apple's case, "fail:" didn't do much except assume that an error had occurred. In system-level code, I'd consider that alone to be inexcusably sloppy. Something like this should be returning an error AND a reason: the error handler forces the error, and the reason would be what fell out of the specific call ("rc" vs. "errno", in many cases). So the problem here wasn't the GOTOs per se: it was poorly structured, lazy code. Not a new risk, alas.
Please report problems with the web pages to the maintainer