Between Superstorm Sandy and the U.S. election, it has been a busy month, and the verdict of the l'Aquila Earthquake trial has yet to be discussed on RISKS. In engineering it is unsurprising that with expertise comes responsibility, occasionally rising to criminal penalties when a bridge falls down or a programming mistake causes a medical mishap or modern infrastructure to fail. Yet early opinions on the conviction of seven seismologists and other experts resulting from public comments they made prior to the 2009 earthquake in l'Aquila, Italy suggested a great resistance in the scientific community to similar penalties, here in "failing to predict an earthquake". For example:
http://www.wired.com/wiredscience/2012/10/the-verdict-of-the-laquila-earthquake-trial-sends-the-wrong-message/

Contrasting opinions, well worth reading and mulling over, are beginning to emerge from others in the scientific community:
http://arxiv.org/abs/1211.3175
and:
http://theconversation.edu.au/laquila-charges-leave-earthquake-scientists-on-shaky-ground-10301

Perhaps the definition of "pure science" is "science I can't be thrown in jail over".

Rob Seaman, National Optical Astronomy Observatory
I think the title says it all.

"A pilot program for red-light cameras in New Jersey appears to be changing drivers' behavior, state officials said, noting an overall decline in traffic citations and right-angle crashes. The Department of Transportation also said, however, that rear-end crashes have risen by 20% and total crashes are up by 0.9% at intersections where cameras have operated for at least a year."
http://www.courierpostonline.com/article/20121127/NEWS01/311270020

Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us

[Fascinating! Collateral damage becomes collinear damage. In NYC, I long ago observed that you should never stop for a light changing to red, particularly on a staggered-timing north-south avenue. If you do, you are likely to be rear-ended by a pile-up of perhaps three taxis. PGN]
The *Anchorage Daily News* reports that Alaska will conduct a recount of votes in one contest for the state senate. The race was certified at 7593 to 7542 votes—a margin of 51. The nominal loser has requested a recount, which will be conducted in Anchorage according to the title of the article, and in Juneau according to the last sentence of the article!
http://www.adn.com/2012/11/27/2705685/recount-will-be-conducted-in-anchorage.html
http://www.upi.com/Odd_News/2012/11/13/Skunk-knocks-Colorado-TV-station-off-air/UPI-93471352854469/
Sylvia Hui, Associated Press item (25 Nov 2012) via ACM TechNews, Wednesday, November 28, 2012

The potential risks that super-intelligent technologies pose to humans will be the focus of the proposed Center for the Study of Existential Risk at Cambridge University. The center will bring together philosophers and scientists to study the idea that in this or the next century machines with artificial intelligence could pursue their own interests. "It tends to be regarded as a flaky concern, but given that we don't know how serious the risks are, that we don't know the time scale, dismissing the concerns is dangerous," says Cambridge philosophy professor Huw Price. "What we're trying to do is to push it forward in the respectable scientific community." Price says the precise nature of the risks is hard to forecast, but advanced technology could be a threat when computers start to channel resources toward their own goals at the expense of human concerns such as environmental sustainability. Price is co-founding the project with Martin Rees, a professor of cosmology and astrophysics, and Jann Tallinn, one of the founders of the Internet phone service Skype. Cambridge plans to launch the center next year.
http://news.yahoo.com/cambridge-study-technologys-risk-humans-190948884--finance.html
This morning, I testified in the U.S. House on the risks of technology to combat waste, fraud and abuse in the Medicare program. My testimony focuses on the expectations of smart cards to reduce fraud. My testimony also highlights the types of fraud that remain in countries already using smart cards for national health programs. In short, there are several subtle risks in the proposed pilot program---ranging from questionable effectiveness and questionable evaluation methods to negative impact on patient care. I recommend ways to improve the utility of a pilot study.

http://www.govtrack.us/congress/bills/112/hr2925/text
http://energycommerce.house.gov/hearing/examining-options-combat-health-care-waste-fraud-and-abuse
http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/Hearings/Health/20121128/HHRG-112-IF14-WState-FuK-20121128.pdf
http://blog.secure-medicine.org/2012/11/dr-fu-goes-to-washington.html

Kevin Fu, Associate Professor, Computer Science & Engineering, University of Michigan, http://spqr.cs.umass.edu/ (lab moves to MI 1 Jan)
http://j.mp/StvI4l (Addison Independent via NNSquad)

"Farmhouses surrounded with many acres of fields, houses that may be miles apart. It's the geography and demographics of the area," Souza says. "It's the same reason that there's limited cell service in these areas. You might put up one cell tower, but the six it would take to provide complete coverage in the terrain are just not cost-justified."

A rural phone service provider like Shoreham Tel maintains a small network of its own copper wires, then connects with the rest of the world via "trunking" or switching centers connecting with a larger carrier. Shoreham Tel's lines have trunking with the network maintained by FairPoint.

"People in Sprint or Verizon don't have direct switching with us, but they do have direct with FairPoint's tandem switching. So FairPoint turns the call over to us and we terminate the call. The system has worked flawlessly for years," Souza says. "Then the least-cost routing issue emerged in the last three years. Entities started doing this, shaving every last penny out of it. Our customers aren't happy, and we understand that. But we can't control the other side of the system with calls coming at us."
Woody Leonhard, *InfoWorld*, 14 Nov 2012

Microsoft sat by for months before plugging a security hole that could have allowed others to see all your stored Skype data.
http://www.infoworld.com/t/cloud-security/skype-vulnerability-may-have-exposed-your-messages-207051
http://www.eweek.com/security/sec-employees-brought-sensitive-data-to-hacker-con-report/
From the IEEE Spectrum blog by Robert N. Charette:

[On 14 Nov 2012,] NASA sent a message to all NASA employees informing them of a data breach involving an agency stolen laptop.

According to the NASA message posted at SpaceRef.com on 31 Oct 2012, a NASA laptop and official NASA documents issued to a Headquarters employee were stolen from the employee's locked vehicle. The laptop contained records of sensitive personally identifiable information (PII) for a large number of NASA employees, contractors, and others. Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals. We are thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees.
<http://www.spaceref.com/news/viewsr.html?pidB609>

More: http://spectrum.ieee.org/riskfactor/telecom/security/nasa-suffers-large-data-breach-affecting-employees-contractors-and-others/?utm_source=techalert&utm_medium=email&utm_campaign111Q2
CDN CURATED: Toronto MSP posts a blog about the risks of public clouds, 19 Nov 2012
http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=69373

Opening paragraph: If there was ever an example of why Public Cloud storage can be hazardous, it was Go Daddy's service outage earlier this week. Thousands (or millions -- depending on whom you ask) of domains were taken off line. Businesses not only lost their websites, a number of them lost access to their e-mail. This lasted for 6 hours.
An exploit revealed at the Black Hat conference is now suspected to be the method by which hotel rooms are being burglarized. A simple tool can plug into a port on the locks, reveal the secret key, and open them. The manufacturer is refusing to upgrade the locks for free, which places many hotel customers at risk.
http://www.forbes.com/sites/andygreenberg/2012/11/26/security-flaw-in-common-keycard-locks-exploited-in-string-of-hotel-room-break-ins/

Now you've got something to take your mind off the bedbugs.
The BBC reports (http://www.bbc.co.uk/news/technology-20461752) that a school in Texas is using RFID tags to track student movements around campus, apparently to satisfy a reporting requirement (apparently there is a monotonic relationship between the number of students attending on any given day and state funding, which is a whole separate discussion).

What I found surprising in this case is that the only (reported) opposition to this seems to have been on religious grounds; one student claims* that "an individual's acceptance of a certain code, identified with his or her person, as a pass conferring certain privileges from a secular ruling authority, is a form of idolatry or submission to a false god". I'm not in a position to judge whether that is a sincerely-held point of view, or whether protests based on more secular reasoning --- such as, for example, "this is a really, really terrible idea" --- have been rejected out of hand. (After all, what could possibly go wrong with a system that displays and records the exact whereabouts of teenagers throughout the day?)

* https://www.rutherford.org/files_images/general/11-21-2012_TRO-Petition_Hernandez.pdf
Tim Cushing, Court Temporarily Blocks School District From Suspending Student For Refusing To Wear Student ID/Tracking Device, Techdirt, 27 Nov 2012 http://www.techdirt.com/articles/20121125/15041521137/court-temporarily-blocks-school-district-suspending-student-refusing-to-wear-student-idtracking-device.shtml
Tim Cushing, Barnes & Noble Decides That Purchased Ebooks Are Only Yours Until Your Credit Card Expires, Techdirt, 27 Nov 2012 http://www.techdirt.com/articles/20121126/18084721154/barnes-noble-decides-that-purchased-ebooks-are-only-yours-until-your-credit-card-expires.shtml
This is a first—a countrywide Internet blackout. It is going to have all sorts of unexpected consequences, but frankly I am surprised it took them so long to do it (they probably didn't know how)... An Akamai chart shows the shutdown pretty dramatically. Here is the original report of the blackout with continuing coverage—note the charts:
http://www.renesys.com/blog/2012/11/syria-off-the-air.shtml

[See also techcrunch. PGN]
http://techcrunch.com/2012/11/29/syria-shuts-down-internet-mobile-services-and-land-lines-partially-down-in-midst-of-uprising/
Philipp Winter and Jedidiah R. Crandall, The Great Firewall of China: How it blocks Tor and why it is hard to pinpoint, USENIX ;login:, December 2012, vol. 37, no. 6
Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft do it all. Or we buy our music and e-books from Amazon, which keeps records of what we own and allows downloading to a Kindle, computer, or phone. Some of us have pretty much abandoned e-mail altogether—for Facebook.
http://www.wired.com/opinion/2012/11/feudal-security/
Lucian Constantin, IDG News Service, *InfoWorld*, 19 Nov 2012

Backdoor.Makadocs variant uses Google Drive Viewer feature to receive instructions from its real command and control server.
http://www.infoworld.com/d/security/malware-uses-google-docs-proxy-command-and-control-server-207428
In a few very public cases, a backdoor trojan (the Japanese press calls it a virus) sent threatening blackmail messages from unsuspecting people's PCs. It is believed that the trojan was probably inside free software like a photo-retouching utility, etc. that the unsuspecting people downloaded from a bulletin board, etc. But the transfer vector is still sketchy. These incidents happened this summer (2012). These threatening messages caused complaints from the receivers and the police moved. However, the Japanese police branches were misled into believing that the owners of the PCs sent these threatening messages. The PCs were identified by the IP address used for sending the e-mail, or for posting a message to the web interface of the recipients. Since an IP address is a unique identifier, the PC can be uniquely identified. And naturally, the owners of the PCs are suspects, correct? One man in Osaka, from whose PC a threatening message (close to 250 bytes or so) was uploaded within one second of the initial access to the city's web page on July 29th, was approached by the police and interrogated. He told the police investigator he had no knowledge of it, and suggested maybe someone could have hijacked the Wi-Fi he was using, and other possibilities. He vehemently denied sending the message under repeated interrogation. But to no avail. He was detained on 26 Aug 2012, and charged with a crime on 14 Sep. The access log record for the time period of the blackmailing on his PC seemed to have been erased by the trojan. This missing record for the crucial date made the police more suspicious of the man, and they thought that he was trying to hide his act. So he was awaiting trial. However, the police in Mie prefecture, who had charged another man in a similar blackmail message case in early September, noticed a trace of a strange file on that man's PC. The COTS (commercial off-the-shelf) virus checker, etc. could not identify it.
With help from certain unnamed security firms, the Mie police concluded that there was a trojan on the man's computer and that the possibility of the trojan sending out or posting threatening messages could not be ruled out. So the man was freed one week after the arrest. The Mie police further told the police in Osaka of their finding and the suspicious file name (iesys.exe). The Osaka police, based on this new information, studied the first man's PC more carefully (I suppose. They did check the first man's PC with a COTS virus scanner and such but found nothing before the original arrest.) The Osaka police now figured that the same or a similar trojan had been on the computer. The trojan seems to have erased itself after the crime, and that is why it was not spotted earlier (but it seems the files could be recovered by the police's tools now with the new knowledge). After considering this infection, and that uploading a 250+ byte message in one second is not humanly possible with simple typing, choosing buttons using a mouse to navigate the web manually, etc., the man facing trial was freed on 21 Sep. After these two publicised cases were reported on TV news, and the danger of these trojans and the ordeal of the two men were covered for about a week, the media uncovered another case of a man in Tokyo, who "admitted" that he sent a threatening e-mail from a PC in the house. (He thought he was trying to protect another family member who he thought had sent out the threatening e-mail. We learned later that a trojan sent the threatening e-mail.) We also learned of yet another case: a youth in his teens also admitted sending threatening blackmail from his PC in a similar case, and his case was closed quickly as no contest since the youth also "admitted" that he sent the blackmail. (In this case, it seems that the youth figured he would not be charged with a harsh penalty and could come out of the case quickly by "admitting" the charge falsely.)
Now, whoever masterminded the operation of these trojans came out from the dark and sent the details of his/her operation to a lawyer who appeared in a TV news segment covering these cases. The e-mail, sent from a server in a foreign country, contained details of the blackmail messages which only the recipients and the police knew. So now the police believe these messages from the purported mastermind are genuine. This mastermind told the lawyer that the teenager is innocent, and that his/her act was meant to make fun of the police and prosecutor's offices, whose IT skills are the laughing stock of the town in his/her opinion. He/she was sorry to cause grief to the owners of the computers and thus came out from the dark. After the general outline of the e-mails from the mastermind became public, the police and prosecutor's offices formally apologized to the suspected / arrested / charged people, and the national police agency sent out a notice about not trusting an IP address alone as key evidence in a similar case. To people in the IT industry and readers of RISKS, this is a no-brainer, but before the Japanese police and prosecutor's offices were made keenly aware of it, some people suffered through very frustrating summer months. Also, there has been heavy criticism of the high-handed police investigation that forced a few people to "admit" a crime which they did not commit after all. There have been cases of police and prosecutor mistakes that caused innocent people to be in jail for many years, and so the Japanese public is very critical of these issues today. Even the courts, which have been very prosecutor-friendly, seem to think more carefully about police evidence in some publicised cases. Now, the Japanese police are asking for cooperation from overseas police organizations and ISPs to trace the e-mails sent to the lawyers in the slim hope that it may lead to the origin. These all happened just because of recorded IP addresses.
I am reporting this now since English coverage of these incidents seems to be rare (or is swamped by the flood of voting-related issues this Fall).
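A forensic triage heuristic in the spirit of the timing argument in the item above (an added example, not part of the original RISKS submission). It assumes a constructed, simplified access-log format and a hypothetical human typing-speed ceiling, and shows why the event timeline on the server, rather than the client IP address alone, is what separates a human poster from software running on the same machine.

```python
"""Triage heuristic: could a logged web post plausibly have been typed by hand?

Assumed (not from the RISKS item): a log line has the shape
    "<ISO timestamp> <client ip> <method> <path> <body bytes>"
and a fast human types at most MAX_HUMAN_CHARS_PER_SEC characters per second.
The client IP only identifies a machine; the elapsed time between a client's
first request and its POST, relative to the body size, is the signal that an
investigator can actually reason about before treating the owner as a suspect.
"""

from datetime import datetime
from typing import Dict, List

# Constructed sample log, NOT real data. The first client posts 258 bytes in
# the same second as its first visit (the pattern the Osaka case turned on);
# the second client takes a few minutes, as a person filling in a form would.
SAMPLE_LOG = """\
2012-07-29T10:15:02 203.0.113.5 GET /contact/ 0
2012-07-29T10:15:02 203.0.113.5 POST /contact/submit 258
2012-07-29T11:40:10 198.51.100.7 GET /contact/ 0
2012-07-29T11:42:55 198.51.100.7 POST /contact/submit 240
"""

# Assumed ceiling for fast human typing (about 120 words per minute).
MAX_HUMAN_CHARS_PER_SEC = 10.0


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format into event dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "method": method, "path": path, "bytes": int(size)})
    return events


def assess_posts(events: List[dict]) -> Dict[str, dict]:
    """For each client IP, measure the time from its first request to its first
    POST and decide whether that body could plausibly have been typed by hand."""
    first_seen: Dict[str, datetime] = {}
    result: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        first_seen.setdefault(ip, ev["ts"])
        if ev["method"] != "POST" or ip in result:
            continue
        elapsed = (ev["ts"] - first_seen[ip]).total_seconds()
        # A POST logged in the same second as the first GET gives elapsed == 0;
        # treat it as infinitely fast rather than dividing by zero.
        rate = float("inf") if elapsed == 0 else ev["bytes"] / elapsed
        result[ip] = {"elapsed_s": elapsed, "bytes": ev["bytes"],
                      "plausibly_human": rate <= MAX_HUMAN_CHARS_PER_SEC}
    return result


if __name__ == "__main__":
    for ip, verdict in assess_posts(parse_log(SAMPLE_LOG)).items():
        print(ip, verdict)
```

A client flagged as not plausibly human is a reason to examine the machine for malware (as the Mie police eventually did), not evidence against its owner.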
Cyber Security and Information Intelligence Research Workshop (CSIIRW) RESCHEDULED. See www.csiir.ornl.gov/csiirw

The workshop will be held at Oak Ridge National Laboratory. In the aftermath of Hurricane Sandy, it seems fortuitous that we delayed the workshop to 8-10 Jan 2013. I'm certain that many people would not have been able to attend. To register for the event, you can simply go to www.csiir.ornl.gov/csiirw and click on registration.

There are some points of interest, starting with the advance program:
http://csiir.ornl.gov/csiirw/12/files/csiirw8-schedule.pdf
and invited speakers:
http://csiir.ornl.gov/csiirw/12/keynotes.html

This year's theme is Federal Cyber Security R&D Program Thrusts, which is based on the Federal Cybersecurity R&D Strategic Plan:
http://www.whitehouse.gov/blog/2011/12/06/federal-cybersecurity-rd-strategic-plan-released

Frederick T. Sheldon, Ph.D., CSIIRW General Co-chair, Oak Ridge National Laboratory, 576-1339 Office, 576-5943 Fax