[This is the first of three items on this rapidly unfolding thread. PGN] Already having banned close to 40,000 web sites, the religious AKP government is now taking further steps to increase the internet censorship in Turkey. This has been the result of the surfacing of many video and audio recordings of the top government officials, including the prime minister himself, taking bribes and laundering money ranging in the millions of dollars and euros. In one recording for example, just ahead of the recent police raid at their prime minister's house, the prime minister's son is heard talking to his dad, mentioning that he already got rid of most of the money at home, having a "mere 30 million euros" left at home to dispose of. Anxious to prevent voters from learning about the governmental corruption just ahead of the local elections, the government has hastily passed laws for easier censoring of the internet. The new laws will require all service providers to keep complete records of the activities of all their customers for at least two years, and will allow the government to block any web site by just phoning the head of the internet commission that they have set up. Typically this has so far been done by altering the DNS servers that the service providers maintain, so that the "objectionable" site was not reachable. Many technically savvy users soon switched to alternative DNS servers that provide the real information on such sites. However, the new censorship package mentions an IP-based block. In a world where a single IP can service thousands of web sites, it remains to be seen how they intend to do this. So the country slips some more into the dark ages, just so that the corruption remains hidden.
"Reeling from the anonymous release of audio that seems to implicate him in a corruption scandal, Turkey's Prime Minister Recep Tayyip Erdogan said his country would ban Twitter, no matter what the international community says." http://j.mp/OFTxZA (NPR / KUNM via NNSquad) You'll recall he was a guest in Silicon Valley less than a year ago.
Turkish users of Twitter—including the country's president—have flouted a block on the social media platform by using text messaging services or disguising the location of their computers to continue posting messages on the site. Telecom regulators enforced four court orders to restrict access to Twitter on Thursday night, just hours after the prime minister, Recep Tayyip Erdogan, vowed to "eradicate" the micro-blogging platform in an election speech. The disruption followed previous government threats to clamp down on the social media in Turkey and caused widespread outrage both inside and outside of Turkey. In a first reaction to the ban, Neelie Kroes, vice-president of the EU commission, tweeted: "The Twitter ban in #Turkey is groundless, pointless, cowardly. Turkish people and intl community will see this as censorship. It is." The hashtag #TwitterisblockedinTurkey quickly rose to the top trending term globally. Shortly after the Twitter ban came into effect around midnight, the micro-blogging company tweeted instructions to users in Turkey on how to circumvent it using text messaging services in Turkish and English. Turkish tweeters were quick to share other methods of tiptoeing around the ban, using "virtual private networks" (VPNs)—which allow Internet users to connect to the web undetected—or changing the domain name settings on computers and mobile devices to conceal their geographic whereabouts. Some large Turkish news websites also published step-by-step instructions on how to change DNS settings. On Friday morning, Turkey woke up to lively birdsong: according to the alternative online news site Zete.com, almost 2.5m tweets—or 17,000 tweets a minute—have been posted from Turkey since the Twitter ban went into effect, thus setting new records for Twitter use in the country. "Boss, my bird is still tweeting @RT_Erdogan," posted @Fakir_Bey. "And yours?" 
But it was not just critics of the government who took to Twitter after the site was closed via a court order. Ankara mayor Melih Gukcek, famous for his extensive and rather bullish use of the micro-blogging site, was the first AK party politician to breach the ban. "I am able to tweet because my DNS settings allow it. That will probably be banned tomorrow as well. I hope that all those who are cursing and using fake accounts will have learned their lesson," he tweeted, as usual all in capitals. The first cabinet member to post a tweet after the ban came into effect was the deputy prime minister, Bulent Arinc, who informed his 1.34m followers of an election rally in the city of Manisa. His message was retweeted more than 1,000 times in the first hour, causing much ridicule: "Oh dear, be careful, Twitter has been banned by the "national will"," replied academic and journalist Ayse Cavdar. "Don't show up here. Otherwise the "national will" will close you down, too." Meanwhile, deputy prime minister Ali Babacan said he expected the ban to be temporary. "I don't think this will last too long. A mutual solution needs to be found," Babacan told a local TV channel on Friday. In a rare act of defiance, the Turkish president, Abdullah Gul, openly criticised the ban—via his Twitter account. "The shutdown of an entire social platform is unacceptable," he tweeted. "Besides, as I have said many times before, it is technically impossible to close down communication technologies like Twitter entirely. I hope this measure will not last long." Social media played a major role during last summer's anti-government protest, prompting Erdogan to call Twitter "a menace to society". Twitter has also been used to disseminate a series of incriminating audio recordings revealing massive corruption inside the government. Many expect more explosive revelations to be made via Twitter in the week running up to local elections on 30 March. 
Two weeks ago Erdogan threatened to ban both Facebook and Twitter, accusing social media users of abusing these platforms for a "smear campaign" against his government. http://www.theguardian.com/world/2014/mar/21/turkey-twitter-users-flout-ban-erdogan Newcastle University, Newcastle upon Tyne, NE1 7RU +44 191 222 7923 Brian.Randell@ncl.ac.uk http://www.cs.ncl.ac.uk/people/brian.randell [Note: The version Brian sent has since been updated, so this is not the current version at the cited URL. Also, I have trimmed the item just a little for RISKS, and eschewed Turkish diacritical marks. PGN] [See also a similar article by Sebnem Arsu and Dan Bilefsky in *The New York Times*, 22 Mar 2014, p.6 in the National Edition. PGN]
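The first item above describes the two DNS-level blocking styles an ISP resolver can apply (the name no longer resolves, or it resolves to a block page) and notes that users defeated them by switching resolvers, which is also the "change your DNS settings" workaround the Guardian article reports; it then anticipates an IP-level block that would take down every site sharing the address. The following Python is an added example, not code from either item or from the articles they quote: it compares the A records a local resolver returns with those of an independent reference resolver and classifies the discrepancy, then estimates the collateral damage of an IP-level block from a set of reference records. Every name, address and resolver answer is constructed (addresses are from the RFC 5737 documentation ranges), and the block-page address list is a hypothetical operator setting.

```python
# Added example: classify DNS-level blocking from resolver disagreement and
# estimate the collateral damage of an IP-level block. All data is constructed.
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical: block-page addresses an operator has already identified.
BLOCKPAGE_ADDRS: Set[str] = {"203.0.113.1"}

# RFC 1918 space; an answer here (or loopback/unspecified) for a public site
# is a strong sign the resolver, not the site's operator, chose the address.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _locally_scoped(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified or any(ip in n for n in _RFC1918)


def classify(local: Iterable[str], reference: Iterable[str]) -> str:
    """Verdict for one name given the two resolvers' A records.

    consistent    both resolvers agree on at least one address
    nxdomain      local resolver returns nothing, reference resolves the name
    redirected    local answer is a known block page or a locally scoped address
    disjoint      both answer, but with no address in common (CDN geo-steering
                  does this legitimately; confirm from a second vantage point)
    inconclusive  neither resolver returned anything
    """
    local_set, ref_set = set(local), set(reference)
    if not local_set and not ref_set:
        return "inconclusive"
    if not local_set:
        return "nxdomain"
    if local_set & ref_set:
        return "consistent"
    if local_set & BLOCKPAGE_ADDRS or any(_locally_scoped(a) for a in local_set):
        return "redirected"
    return "disjoint"


def audit(sample: Dict[str, Tuple[List[str], List[str]]]) -> Dict[str, str]:
    """Run classify() over {name: (local_answers, reference_answers)}."""
    return {name: classify(loc, ref) for name, (loc, ref) in sample.items()}


def collateral(blocked: str, records: Dict[str, List[str]]) -> Set[str]:
    """Names sharing at least one address with `blocked` in the reference
    records, i.e. the sites an IP-level block on `blocked` would also cut off."""
    targets = set(records.get(blocked, []))
    return {n for n, addrs in records.items() if n != blocked and targets & set(addrs)}


# Constructed sample: answers an ISP resolver and a reference resolver might give.
SAMPLE = {
    "social.example":    (["203.0.113.1"],   ["198.51.100.10", "198.51.100.11"]),
    "news.example":      ([],                ["198.51.100.20"]),
    "unblocked.example": (["198.51.100.30"], ["198.51.100.30"]),
    "cdn.example":       (["192.0.2.40"],    ["198.51.100.40"]),
}

# Constructed reference records for a shared host: two addresses, several tenants.
REFERENCE = {
    "social.example": ["198.51.100.10", "198.51.100.11"],
    "blog.example":   ["198.51.100.10"],
    "shop.example":   ["198.51.100.11"],
    "other.example":  ["198.51.100.50"],
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{name:20s} {verdict}")
    print("IP block on social.example would also hit:",
          sorted(collateral("social.example", REFERENCE)))
```

On a real host the two answer lists would come from a stub query to the ISP resolver and to an independent one; a `disjoint` verdict on its own does not prove tampering, because CDNs steer clients to different addresses depending on vantage point, so it needs a second measurement rather than an immediate conclusion.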
Antone Gonsalves, InfoWorld, 20 Mar 2014 As many as 25,000 servers have been infected simultaneously with a backdoor Trojan used to steal credentials, send out spam, and redirect Web traffic http://www.infoworld.com/d/security/researchers-discover-credential-stealing-unix-based-server-botnet-238687 opening text: Cyber criminals are using sophisticated malware in compromising thousands of Unix-based servers to spew spam and redirect a half million Web users to malicious content per day, a security firm reported. Dubbed Operation Windigo, the attack has been ongoing for more than two and a half years and has compromised as many as 25,000 servers at one time, anti-virus vendor ESET said Tuesday. Systems infected with the backdoor Trojan are used in stealing credentials, redirecting Web traffic to malicious content and sending as many as 35 million spam messages a day.
Lucian Constantin, InfoWorld, 19 Mar 2014 The administrator says he had had enough after a member of the hacker community tried to pressure him to remove unspecified content http://www.infoworld.com/d/security/prominent-security-mailing-list-full-disclosure-shuts-down-indefinitely-238710
Former leaker encourages companies to enable Web encryption. David Rowan, Wired.co.uk, 18 Mar 2014 http://arstechnica.com/tech-policy/2014/03/snowden-big-revelations-to-come-reporting-them-is-not-a-crime/ This story originally appeared on Wired UK. Edward Snowden made a surprise appearance on the TED stage in Vancouver today—using a Beam telepresence robot from "somewhere in Russia." Snowden, in his second remote talk in eight days after an appearance at SXSW Interactive in Texas, urged online businesses to encrypt their websites immediately. "The biggest thing that an Internet company in America can do today, right now, without consulting lawyers, to protect users of the Internet around the world, is to enable Web encryption on every page you visit," he said. "If you look at a copy of 1984 on Amazon, the NSA can see a record of that, the Russians, the French can—the world's library is unencrypted. This is something we need to change, not just for Amazon—all companies need to move to an encrypted browsing habit by default." Snowden said the leaks from his document cache would continue. "There are absolutely more revelations to come," he said. "Some of the most important [publishing] to be done is yet to come." He argued against personalizing his own role in leaking the documents to prompt debate. "Who I am really doesn't matter at all. If I'm the worst person in the world, you can hate me and move on. What really matters is the kind of Internet we want, the kind of relationship with society... I wouldn't use words like hero or traitor. I'm an American and a citizen." He said he struggled to find a way to leak the intelligence documents in as responsible a way as he could. "We did a lot of good things in the intelligence community. But there are also things that go too far... decisions made in secret without the public's awareness, the public's consent... 
When I really came to struggle with these issues, I thought to myself, how can I do these things in the most responsible way?" That was through responsible media. "The first amendment of the US constitution guarantees us a free press—to challenge the government but also to work together with the government, without putting our national security at risk. By working with journalists, by putting all of my information to the American people, we've had a robust debate with a deep investment by the US government, which is resulting in benefits for everyone." There has been no evidence "of even a single incident" whereby the leaks have caused harm. He said the NSA's PRISM program allowed the US government to "deputize corporate America to do its dirty work for the NSA." "Much of the debate in the US [about PRISM] is it's just [about collecting] metadata. PRISM is about content. Even though some of these companies, Yahoo's one, challenged them in court, they all lost—they weren't tried by an open court but a secret court. Fifteen federal judges have reviewed these programs and found them to be lawful, but what they don't tell you is these are secret judges in secret courts of law." These courts had received 34,000 requests to access information and turned down just 11, he said. "These aren't the people we want deciding what the role of corporate America should be." [...]
Bloomberg, 11 Mar 2014 Someone in Adobe Systems Inc.'s marketing department thought it would be a good idea to send Pentagon personnel solar chargers for their mobile phones. The result was a criminal investigation by the U.S. Navy. To read the entire article, go to http://bloom.bg/1fmHfuR
[Long item, PGN-pruned for RISKS.] http://www.foreignpolicy.com/articles/2014/03/18/exclusive_pentagon_withholds_report_2.7_billion_intel_program Why won't senior officials show Congress evidence of a cheaper, off-the-shelf alternative to the military's Afghan battlefield needs? The Army has spent years defending a multibillion-dollar intelligence system that critics say costs too much and does too little. A new internal report has found that there's a simple, relatively inexpensive program that could handle many of the same jobs at a fraction of the cost. For the past eight months, though, the Pentagon has kept the report hidden away. Members of Congress have been asking Defense Department officials to send them the assessment, a copy of which was obtained by Foreign Policy, but the Pentagon has yet to do so. At issue is the Army's Distributed Common Ground System, expected to cost nearly $11 billion over 30 years and built by a consortium of major Beltway contractors, including Raytheon, Northrop Grumman, Lockheed Martin, and General Dynamics. The system is meant to give troops on the ground an easy way to collect intelligence about terrorists and enemy fighters, and then create detailed reports and maps that they can share with each other to plan and conduct operations. But critics—and even some troops—have long complained that the system doesn't actually work. They say it's too slow and hard to use, and that it has left them searching for alternatives in the war zone. The system's high cost and technical failings prompted a search for other options. Palantir Technologies, a fast-growing Silicon Valley firm, told the Pentagon that its off-the-shelf systems could accomplish most of the same tasks but cost far less—millions, rather than billions. The Marine Corps, Special Operations forces, the CIA, and a host of other government agencies already use it. Army officials, though, said Palantir wasn't up to the job. 
Now, a 57-page report by the Pentagon's acquisitions arm basically says the Army was wrong to dismiss the Palantir system. The study instead gives Palantir high marks on most of the Army's 20 key requirements for the intelligence system, including the ability to analyze large amounts of information, including critical data about terrorist networks and the locations of explosive devices, and synchronize it in a way that helps troops on the ground combat their enemies more effectively. Palantir "can be utilized to partially meet DCGS-A requirements," the report concludes, using the acronym for the Distributed Common Ground System. The report is likely to sharpen concerns about the Distributed Common Ground System, which has been facing mounting criticism on Capitol Hill. Rep. Jim Moran (D-Va.), one of many long-time detractors, had asked the Pentagon for its findings as recently as last month. "It's a scandal that commercially available, battlefield-proven technology is ready to go at a fraction of the billions of dollars the Pentagon is spending to build a similar analysis tool in-house," Moran said in a statement to FP. "I appreciate [Under Secretary of Defense for Acquisition, Technology and Logistics] Frank Kendall taking this issue seriously, and look forward to hopefully resolving it once and for all when the long overdue report's findings are finally released." The report, commissioned roughly one year ago, won't deal a fatal blow to the controversial Army program. But it raises new questions about why the service is wedded to its own system and why officials have been so quick to dismiss Palantir's capabilities, especially at a time when the Pentagon's budget is shrinking and Congress is pressing Defense Department officials to find ways of saving money. [...]
[John McMullen via Dewayne Hendricks via Dave Farber. I'm on John's list for other items, but apparently not for stuff he sends to Dewayne. PGN]

I agree with the content of the article and, as is most often the case, everything my friend the erudite Esther Dyson says (she's quoted in the piece). It seems to me that we must arouse public opinion, most importantly in the technology and media sectors, and bring pressure to bear against this surrender. The ITU sanctioning of the cutting off of Internet access by repressive governments is outrageous—it's one thing to recognize that it exists (Putin just showed us that it does); it's another thing to legitimize it -- the US cannot be a party to this. —john

OPINION: L. Gordon Crovitz, America's Internet Surrender; By unilaterally retreating from online oversight, the White House pleased regimes that want to control the Web. 18 Mar 2014
http://online.wsj.com/news/articles/SB10001424052702303563304579447362610955656

The Internet is often described as a miracle of self-regulation, which is almost true. The exception is that the United States government has had ultimate control from the beginning. Washington has used this oversight only to ensure that the Internet runs efficiently and openly, without political pressure from any country. This was the happy state of affairs until last Friday, when the Obama administration made the surprise announcement it will relinquish its oversight of the Internet Corporation for Assigned Names and Numbers, or Icann, which assigns and maintains domain names and Web addresses for the Internet. Russia, China and other authoritarian governments have already been working to redesign the Internet more to their liking, and now they will no doubt leap to fill the power vacuum caused by America's unilateral retreat. Why would the U.S. put the open Internet at risk by ceding control over Icann? Administration officials deny that the move is a sop to critics of the National Security Agency's global surveillance.
But many foreign leaders have invoked the Edward Snowden leaks as reason to remove U.S. control—even though surveillance is an entirely separate topic from Internet governance. According to the administration's announcement, the Commerce Department will not renew its agreement with Icann, which dates to 1998. This means, effective next year, the U.S. will no longer oversee the "root zone file," which contains all names and addresses for websites world-wide. If authoritarian regimes in Russia, China and elsewhere get their way, domains could be banned and new ones not approved for meddlesome groups such as Ukrainian-independence organizations or Tibetan human-rights activists. Until late last week, other countries knew that Washington would use its control over Icann to block any such censorship. The U.S. has protected engineers and other nongovernment stakeholders so that they can operate an open Internet. Authoritarian regimes from Moscow to Damascus have cut off their own citizens' Internet access, but the regimes have been unable to undermine general access to the Internet, where no one needs any government's permission to launch a website. The Obama administration has now endangered that hallmark of Internet freedom. The U.S. role in protecting the open Internet is similar to its role enforcing freedom of the seas. The U.S. has used its power over the Internet exclusively to protect the interconnected networks from being closed off, just as the U.S. Navy protects sea lanes. Imagine the alarm if America suddenly announced that it would no longer patrol the world's oceans. The Obama administration's move could become a political issue in the U.S. as people realize the risks to the Internet. 
And Congress may have the ability to force the White House to drop its plan: The general counsel of the Commerce Department opined in 2000 that because there were no imminent plans to transfer the Icann contract, "we have not devoted the possibly substantial staff resources that would be necessary to develop a legal opinion as to whether legislation would be necessary to do so." Until recently, Icann's biggest controversy was its business practice of creating many new domains beyond the familiar .com and .org to boost its revenues. Internet guru Esther Dyson, the founding chairwoman of Icann (1998-2000), has objected to the imposition of these unnecessary costs on businesses and individuals. That concern pales beside the new worries raised by the prospect of Icann leaving Washington's capable hands. "In the end," Ms. Dyson told me in an interview this week, "I'd rather pay a spurious tax to people who want my money than see [Icann] controlled by entities who want my silence." Icann has politicized itself in the past year by lobbying to end U.S. oversight, using the Snowden leaks as a lever. The Icann chief executive, Fadi Chehadé, last fall called for a global Internet conference in April to be hosted by Brazilian President Dilma Rousseff. Around that time, Ms. Rousseff, who garnered headlines by canceling a White House state dinner with President Obama, reportedly to protest NSA surveillance of her and her countrymen, also denounced U.S. spying in a speech at the United Nations. Mr. Chehadé said of the speech: "She spoke for all of us that day." The Obama administration has played into the hands of authoritarian regimes. In 2011, Vladimir Putin—who, as Russia took over Crimea in recent days, shut down many online critics and independent media—set a goal of "international control over the Internet." In the past few years, Russia and China have used a U.N. agency called the International Telecommunication Union to challenge the open Internet.
They have lobbied for the ITU to replace Washington as the Icann overseer. They want the ITU to outlaw anonymity on the Web (to make identifying dissidents easier) and to add a fee charged to providers when people gain access to the Web "internationally"—in effect, a tax on U.S.-based sites such as Google and Facebook. The unspoken aim is to discourage global Internet companies from giving everyone equal access. The Obama administration was caught flat-footed at an ITU conference in 2012 stage-managed by authoritarian governments. Google organized an online campaign against the ITU, getting three million people to sign a petition saying that "a free and open world depends on a free and open web." Former Obama aide Andrew McLaughlin proposed abolishing the ITU, calling it "the chosen vehicle for regimes for whom the free and open Internet is seen as an existential threat." Congress unanimously opposed any U.N. control over the Internet. But it was too late: By a vote of 89-55, countries in the ITU approved a new treaty granting authority to governments to close off their citizens' access to the global Internet. This treaty, which goes into effect next year, legitimizes censorship of the Web and the blocking of social media. In effect, a digital Iron Curtain will be imposed, dividing the 425,000 global routes of the Internet into less technically resilient pieces. The ITU is now a lead candidate to replace the U.S. in overseeing Icann. The Commerce Department says it doesn't want to transfer responsibility to the ITU or other governments, but has suggested no alternative. Icann's CEO, Mr. Chehadé, told reporters after the Obama administration's announcement that U.S. officials are "not saying that they'd exclude governments -- governments are welcome, all governments are welcome." Ms. Dyson calls U.N. oversight a "fate worse than death" for the Internet. The alternative to control over the Internet by the U.S. is not the elimination of any government involvement.
It is, rather, the involvement of many other governments, some authoritarian, at the expense of the U.S. Unless the White House plan is reversed, Washington will hand the future of the Web to the majority of countries in the world already on record hoping to close the open Internet. Mr. Crovitz, a former publisher of The Wall Street Journal, writes the weekly Information Age column. Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>
Microsoft Software Leak Inquiry Raises Privacy Issues
Microsoft accused the former employee of stealing company trade secrets in the form of software code for the Windows operating system, and leaking the software to a blogger. In an investigation, the company figured out who revealed the information by reading the emails and instant messages of the blogger on his Microsoft-operated Hotmail and message accounts. http://j.mp/1ikJROA (*The New York Times* via NNSquad)

Microsoft Says It Will Tighten Policies for Searching Hotmail, Outlook.com
Microsoft said late Thursday that it will "evolve" its policies for searching through non-employee Hotmail and Outlook.com mail accounts in the wake of concern over its practices. The company has come under fire after revelations it searched the account of a blogger to whom company information was leaked. http://j.mp/NyXaPU (Recode via NNSquad)
Microsoft security software for product key validation was part of the intellectual property allegedly leaked by a Lebanon-based Microsoft employee to a blogger in France. The ex-employee was arrested in Seattle this week. "[He is] also alleged to have stolen Microsoft's 'Activation Server Software Development Kit,' a proprietary system used to prevent the unauthorized copying of Microsoft programs. Speaking with the FBI, a Microsoft manager said the software development kit 'could help a hacker trying to reverse engineer the code' used to protect against software piracy, according to charging papers. Microsoft came to believe Kibkalo encouraged the blogger to share it online so others could crack protections on Microsoft products, the FBI agent said in charging papers unsealed Wednesday." (http://www.seattlepi.com/local/article/Ex-Microsoft-employee-charged-with-passing-5331715.php) That's in addition to the alleged leak of the Win 8 code. Here is an excerpt from a chat between the MSFT employee A. Kibkalo, PhD and the French blogger (from the FBI report in the federal complaint http://seattletimes.wpengine.netdna-cdn.com/microsoftpri0/files/2014/03/Kibkalo-complaint.pdf):

Kibkalo: I would leak enterprise today probably
Blogger: Hmm—are you sure you want to do that? lol
Kibkalo: why not?
Blogger: 1st time I speak with a "real" leaker since Zuko era
Kibkalo: Mm—To be honest, in nwin7_rtm and nwin7_sp1 I leaked 250GB :)

MSFT relied on the terms of use to access the content of the blogger's hotmail account and didn't get a subpoena.
[via Dave Farber] http://geer.tinho.net/geer.rsa.28ii14.txt my favorite quote, so far: "We know, and have known for some time, that traffic analysis is more powerful than content analysis. If I know everything about to whom you communicate including when, where, with what inter-message latency, in what order, at what length, and by what protocol, then I know you. If all I have is the undated, unaddressed text of your messages, then I am an archaeologist, not a case officer. The soothing mendacity of proxies for the President saying "It's only metadata" relies on the ignorance of the listener. Surely no one here is convinced by "It's only metadata" but let me be clear: you are providing that metadata and, in the evolving definition of the word "public," there is no fault in its being observed and retained indefinitely. Harvard Law professor Jonathan Zittrain famously noted that if you preferentially use online services that are free, "You are not the customer, you're the product." Why? Because what is observable is observed, what is observed is sold, and users are always observable, even when they are anonymous."
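Geer's point above is that "to whom, when, in what order" is enough to identify a person even with no content. The Python below is an added example, not part of Geer's talk or of the RISKS item: it runs a small traffic-analysis exercise over constructed message metadata (sender, recipient, hour of day), building a contact graph and then linking a pseudonymous account to a named one purely from timing and shared contacts. All accounts and records are constructed for the exercise; the "same person" relationship between "alice" and "anon_7" is planted by construction, and the equal weighting of the two similarity measures is an arbitrary choice for illustration.

```python
# Added example: traffic analysis on message metadata only (no content).
# Accounts, records and the planted alice/anon_7 link are all constructed.
from collections import Counter
from math import sqrt
from typing import List, Set, Tuple

Record = Tuple[str, str, int]  # (sender, recipient, hour of day 0-23)

# Constructed metadata. "alice" is a named account; "anon_7" is, by
# construction, the same person on a pseudonymous account; others are unrelated.
METADATA: List[Record] = [
    ("alice", "bob", 7), ("alice", "carol", 8), ("alice", "bob", 22), ("alice", "dave", 23),
    ("alice", "carol", 7), ("alice", "bob", 23),
    ("anon_7", "bob", 7), ("anon_7", "carol", 8), ("anon_7", "bob", 22), ("anon_7", "erin", 23),
    ("anon_7", "carol", 23),
    ("bob", "alice", 9), ("bob", "carol", 12), ("bob", "dave", 13), ("bob", "anon_7", 12),
    ("carol", "bob", 12), ("carol", "erin", 14), ("carol", "alice", 15), ("carol", "dave", 16),
    ("erin", "carol", 14), ("erin", "anon_7", 10),
]


def contacts(records: List[Record], account: str) -> Set[str]:
    """Undirected contact set: everyone `account` sent to or received from."""
    out: Set[str] = set()
    for s, r, _ in records:
        if s == account:
            out.add(r)
        elif r == account:
            out.add(s)
    return out


def top_contacts(records: List[Record], account: str, n: int = 3) -> List[Tuple[str, int]]:
    """Most frequent recipients of `account`'s messages (the "to whom")."""
    return Counter(r for s, r, _ in records if s == account).most_common(n)


def activity_profile(records: List[Record], account: str) -> List[int]:
    """24-bin histogram of the hours at which `account` sends (the "when")."""
    bins = [0] * 24
    for s, _, hour in records:
        if s == account:
            bins[hour] += 1
    return bins


def cosine(a: List[int], b: List[int]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def link_score(records: List[Record], x: str, y: str) -> float:
    """How much two accounts look like one person: timing similarity and
    shared contacts, equally weighted (an arbitrary, illustrative choice)."""
    timing = cosine(activity_profile(records, x), activity_profile(records, y))
    overlap = jaccard(contacts(records, x), contacts(records, y))
    return (timing + overlap) / 2


def best_match(records: List[Record], pseudonym: str, candidates: List[str]) -> Tuple[str, float]:
    """Candidate named account most likely to be the same person as `pseudonym`."""
    scored = [(c, link_score(records, pseudonym, c)) for c in candidates if c != pseudonym]
    return max(scored, key=lambda t: t[1])


if __name__ == "__main__":
    print("alice talks mostly to:", top_contacts(METADATA, "alice"))
    for cand in ("alice", "bob", "carol", "erin"):
        print(f"anon_7 vs {cand:6s} score={link_score(METADATA, 'anon_7', cand):.2f}")
    print("anon_7 most likely is:", best_match(METADATA, "anon_7", ["alice", "bob", "carol", "erin"]))
```

Nothing in the records says what was written; the pseudonym is linked because it keeps the same hours and the same circle as the named account, which is exactly the "you are always observable, even when you are anonymous" claim in the quote. With real data one would use finer time bins, inter-message latency and message sizes as further features, and would need a much larger candidate pool before trusting a top score.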
CALL FOR PAPERS [Trimmed for RISKS. PGN]
11th International Conference on integrated Formal Methods, iFM 2014
Co-located with the 11th International Symposium on Formal Aspects of Component Software, FACS 2014
September 9—12, 2014, Bertinoro, Italy
http://ifm2014.cs.unibo.it

IMPORTANT DATES
- Abstract Submission: April 17, 2014
- Paper submission: April 25, 2014
- Paper notification: June 6, 2014
- Final version paper: June 27, 2014

OBJECTIVES AND SCOPE
Applying formal methods may involve modeling different aspects of a system which are best expressed using different formalisms. Correspondingly, different analysis techniques may be used to examine different system views, different kinds of properties, or simply in order to cope with the sheer complexity of the system. The iFM conference series seeks to further research into hybrid approaches to formal modeling and analysis; i.e., the combination of (formal and semi-formal) methods for system development, regarding modeling and analysis, and covering all aspects from language design through verification and analysis techniques to tools and their integration into software engineering practice.

Areas of interest include but are not limited to:
- Formal and semiformal modeling notations
- Integration of formal methods into software engineering practice
- Refinement
- Theorem proving
- Tools
- Logics
- Model checking
- Model transformations
- Semantics
- Static Analysis
- Type Systems
- Verification
- Case Studies
- Experience reports

CONFERENCE LOCATION
iFM 2014 is organized by the University of Bologna and will take place at the Centro Residenziale Universitario in Bertinoro, a small medieval hilltop town 50km east of Bologna.

INVITED SPEAKERS
iFM 2014 will have the following keynote speakers jointly with FACS 2014:
- Rocco De Nicola (IMT Lucca)
- Sophia Drossopoulou (Imperial College)
- Jean-Bernard Stefani (INRIA)
- Helmut Veith (TU Wien)

WORKSHOPS
There are four workshops on two days, on September 9 and September 12, 2014; iFM takes place September 9—11, FMCO takes place September 10—12:
- Harnessing Theories for Tool Support in Software (TTSS)
- Logics and Model-checking for Self-* Systems (MOD*)
- Tools and Methods for Cyber-Physical Systems of Systems
- ENVISAGE Contracts for SLAs
Further information is on the web site.

SUBMISSION GUIDELINES
[see the website] https://www.easychair.org/account/signin.cgi?conf=ifm2014

GENERAL CHAIR
- Gianluigi Zavattaro, University of Bologna, Italy

iFM PROGRAMME COMMITTEE CHAIRS
- Elvira Albert, Complutense University of Madrid, Spain
- Emil Sekerinski, McMaster University, Canada

FMCO and iFM WORKSHOP CHAIR
- Elena Giachino, University of Bologna, Italy