This is a good one given the fact that the skipper of the minesweeper was warned over the radio by the park rangers that they were on a collision course and the skipper told them to "contact the US embassy." Rather like the old story of the battleship skipper ordering the lighthouse to move! Christopher P. Cavas, Digital Map Error May Have Led To Minesweeper Grounding blogs.defensenews.com/intercepts/2013/01/digital-map-error-may-have-led-to-mineweeper-grounding/ A digital chart used by the minesweeper USS Guardian to navigate Philippine waters misplaced the location of a reef by about eight nautical miles, and may have been a significant factor when the ship drove hard aground on the reef on 17 Jan 2013. As of 18 Jan, U.S. Navy ships have been directed to "operate with caution" when using similar electronic charts and compare the map data with paper charts, which are considered accurate. The Guardian drove onto Tubbataha Reef in the Sulu Sea around 2:25 a.m. on 17 Jan (some sources cite a date of 16 Jan, since that was the date in Washington, D.C. when the incident occurred). The reef is about 80 miles east-southeast of Palawan Island. [Long item truncated for RISKS. Worth reading. PGN] [The original Navy item noted by Bob Gezelter: http://www.navy.mil/submit/display.asp?story_idq553 PGN] Even worse than when LA-class nuclear sub San Francisco hit an uncharted seamount southeast of Guam in 2005. They were below 500 ft and running at flank speed and nearly lost the vessel. Though the seamount wasn't on charts, there was secondary info that there might be a seamount in the area, and in any case the chart noted that the region was largely uncharted. [...] [Added note from Paul Saffo. PGN]
http://j.mp/14bnNPH (CNN via NNSquad) "Service had been restored by midday Thursday for tens of thousands of AT&T's U-verse TV, Internet and phone customers after an outage that lasted several days." [It started on Monday. PGN] This is the same AT&T begging the FCC to allow it to abandon traditional POTS phone service and provide *all* phone service via U-verse, et al. This was just a software upgrade problem. Imagine what could happen during a true emergency!
http://www.cbc.ca/news/canada/british-columbia/story/2013/01/29/bc-government-computer-report.html *Report finds flaws in new B.C. government computer system* CBC News Posted: Jan 29, 2013 6:48 AM PT Last Updated: Jan 29, 2013 8:43 AM PT The Ministry of Children and Family Development may have to abandon its use of a $180-million information sharing system that was supposed to help prevent vulnerable children from slipping through the cracks. The Integrated Case Management System is supposed to replace 64 different databases, linking information between social workers, police, service providers and other ministries. But an independent consultant's report has found major flaws, including a lack of knowledge about the system's goals and insufficient resources for training. Minister Stephanie Cadieux admits child protection workers are using the old system while a solution is sought. [...] An earlier report on problems with the Integrated Case Management System is at http://www.cbc.ca/news/canada/british-columbia/story/2012/06/06/bc-government-computer-glitches.html
[Video] 1979: "Any day without warning" - How AT&T used to put service during emergencies at the top of their priorities http://j.mp/14hSP8k (AT&T via NNSquad) Today, AT&T is asking the FCC for the right to abandon traditional central-office phone service -- and virtually all government regulations -- causing great concerns about how phone services will function in emergencies. Recent history is very disturbing in these regards. Yet, over on the wonderful "AT&T Tech Channel," we can see how AT&T used to put service reliability during emergencies at the top of their priorities, as shown in this video from 1979.
Robyn Preston, *The Sydney Morning Herald*, 18 Jan 2013 Experts are warning people not to replace visits to the doctor with smartphone apps that claim to detect skin cancer after a study found the technology gets it wrong almost a third of the time. http://www.smh.com.au/digital-life/smartphone-apps/skin-cancer-apps-dangerous-20130117-2cva6.html
Dan Goodin, Ars Technica, 24 Jan 2013 Password crackers get an English lesson. When it comes to long phrases used to defeat recent advances in password cracking, bigger isn't necessarily better, particularly when the phrases adhere to grammatical rules. A team of Ph.D. and grad students at Carnegie Mellon University and the Massachusetts Institute of Technology have developed an algorithm that targets passcodes with a minimum number of 16 characters and built it into the freely available John the Ripper cracking program. The result: it was much more efficient at cracking passphrases such as "abiggerbetter password" or "thecommunistfairy" because they followed commonly used grammatical rules, in this case, ordering parts of speech in the sequence "determiner, adjective, noun." When tested against 1,434 passwords containing 16 or more characters, the grammar-aware cracker surpassed other state-of-the-art password crackers when the passcodes had grammatical structures, with 10 percent of the dataset cracked exclusively by the team's algorithm. The approach is significant because it comes as security experts are revising password policies to combat the growing sophistication of modern cracking techniques, which make the average password weaker than ever before. A key strategy in making passwords more resilient is to use phrases that result in longer passcodes. Still, passphrases must remain memorable to the end user, so people often pick phrases or sentences. It turns out that grammatical structures dramatically narrow the possible combinations and sequences of words crackers must guess. One surprising outcome of the research is that the passphrase "Th3r3 can only b3 #1!" (with spaces removed) is one order of magnitude weaker than "Hammered asinine requirements" even though it contains more words. Better still is "My passw0rd is $uper str0ng!" because it requires significantly more tries to correctly guess. ...
http://arstechnica.com/security/2013/01/grammar-badness-makes-cracking-harder-the-long-password/
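The grammar-aware cracking result above can be turned around into a defender's strength check. The following Python is an added example, not code from the CMU/MIT team or from John the Ripper: it segments a space-less passphrase against small constructed part-of-speech word lists (the dictionaries, the function names `segment` and `estimate_passphrase`, and the sample phrases are assumptions for this example), infers the part-of-speech template, and compares the guess space a template-aware cracker faces with the naive estimate of vocabulary size raised to the word count.

```python
import math

# Constructed toy dictionaries. A real estimator would load full
# part-of-speech word lists; these are tiny so the example runs offline.
WORD_CLASSES = {
    "determiner": {"the", "a", "an", "my"},
    "adjective": {"bigger", "better", "communist", "super", "strong", "asinine"},
    "noun": {"password", "fairy", "requirements", "dog", "cat", "house", "tree", "key"},
}
# Reverse index: word -> its part of speech.
VOCAB = {word: cls for cls, words in WORD_CLASSES.items() for word in words}


def segment(text, pos=0):
    """Split a space-less passphrase into dictionary words.

    Tries the longest matching prefix first and backtracks if the remainder
    cannot be segmented. Returns None when no full segmentation exists.
    """
    if pos == len(text):
        return []
    for end in range(len(text), pos, -1):
        word = text[pos:end]
        if word in VOCAB:
            rest = segment(text, end)
            if rest is not None:
                return [word] + rest
    return None


def estimate_passphrase(passphrase):
    """Compare the guess space for a template-aware cracker with the naive one.

    The template-aware figure assumes the cracker already knows the part-of-
    speech sequence (e.g. determiner, adjective, noun) and only has to try the
    words of each class in turn; the naive figure assumes any vocabulary word
    could appear in any position.
    """
    words = segment(passphrase.replace(" ", "").lower())
    if words is None:
        return None  # contains words outside the toy vocabulary; cannot estimate
    template = [VOCAB[w] for w in words]
    grammar_guesses = math.prod(len(WORD_CLASSES[cls]) for cls in template)
    naive_guesses = len(VOCAB) ** len(words)
    return {
        "words": words,
        "template": template,
        "grammar_guesses": grammar_guesses,
        "naive_guesses": naive_guesses,
        "grammar_bits": math.log2(grammar_guesses),
        "naive_bits": math.log2(naive_guesses),
    }


if __name__ == "__main__":
    for phrase in ("thecommunistfairy", "a bigger better password", "correcthorse"):
        print(phrase, "->", estimate_passphrase(phrase))
```

With the toy lists, "thecommunistfairy" has 4 * 6 * 8 = 192 template-aware candidates against 18^3 = 5832 naive ones; the gap, not the absolute numbers, is the point. A real grammar-aware model also weights templates by how often they occur in text, which this toy omits, so it understates the advantage a cracker gets from the most common templates.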
Wysopal: “Most Computer Science departments are still living in the pre-Internet era when it comes to computer security. Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment.'' http://securityledger.com/students-expulsion-exposes-computer-science-culture-gap/ Robert Schaefer, Atmospheric Sciences, MIT Haystack Observatory, Westford MA 01886 email@example.com, 781-981-5767, http://www.haystack.mit.edu
Ted Samson, *InfoWorld*, 22 Jan 2013 http://www.infoworld.com/t/security/school-expelled-student-hacker-may-have-ignored-16-month-old-security-flaw-211314 School that expelled student hacker may have ignored 16-month-old security flaw Dawson College stuck to its policies in expelling Hamed Al-Khabaz, but now the school must answer for its security failings
https://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/ "The scenario was as follows. We received a request from a US-based company asking for our help in understanding some anomalous activity that they were witnessing in their VPN logs. This organization had been slowly moving toward a more telecommuting oriented workforce, and they had therefore started to allow their developers to work from home on certain days...As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm. Bob spent less than one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem, he physically FedExed his RSA token to China so that the third-party contractor could log-in under his credentials during the workday."
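The case study turns on the "anomalous activity" in the VPN logs that nobody was reviewing until after the fact. The following Python is an added example, not code from Verizon or from the company in the case study: it runs two simple checks over constructed VPN log lines in a hypothetical key=value format (the log format, the `SAMPLE_LOG` entries, the expected-country set and the time window are all assumptions for this example), flagging logins from outside the countries the workforce is expected to be in and logins by the same account from two different countries within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN log lines (hypothetical format, not any real appliance's).
# The "bob" entries mimic the case study: a foreign login on his credentials
# during the workday, alongside a login from his own home country.
SAMPLE_LOG = [
    "2013-01-14T08:55:10Z user=alice src=198.51.100.7 country=US event=login",
    "2013-01-14T09:02:11Z user=bob src=203.0.113.5 country=CN event=login",
    "2013-01-14T09:10:42Z user=bob src=198.51.100.22 country=US event=login",
    "2013-01-14T17:31:03Z user=bob src=203.0.113.5 country=CN event=logout",
    "2013-01-14T17:40:00Z user=alice src=198.51.100.7 country=US event=logout",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) event=(?P<event>login|logout)$"
)

EXPECTED_COUNTRIES = {"US"}   # assumption: where this workforce is supposed to be
WINDOW = timedelta(hours=1)   # assumption: two countries within an hour is suspicious


def parse_line(line):
    """Return a record dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review_vpn_log(lines, expected=EXPECTED_COUNTRIES, window=WINDOW):
    """Flag logins from unexpected countries and per-user logins from two
    different countries within `window` of each other (impossible-travel style).

    Lines are assumed to be in chronological order; unparseable lines are skipped.
    """
    findings = []
    logins_by_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "login":
            continue
        if rec["country"] not in expected:
            findings.append({"kind": "unexpected_country", "user": rec["user"],
                             "ts": rec["ts"].isoformat(), "detail": rec["country"]})
        for prev in logins_by_user[rec["user"]]:
            if prev["country"] != rec["country"] and abs(rec["ts"] - prev["ts"]) <= window:
                findings.append({"kind": "concurrent_countries", "user": rec["user"],
                                 "ts": rec["ts"].isoformat(),
                                 "detail": f"{prev['country']} then {rec['country']}"})
        logins_by_user[rec["user"]].append(rec)
    return findings


if __name__ == "__main__":
    for finding in review_vpn_log(SAMPLE_LOG):
        print(finding)
```

Either check alone would have surfaced Bob's account on the first day: the foreign source country is enough if the organization knows where its staff are, and the two-country rule catches the case where the home-country login is Bob checking his own email while the contractor works. Neither check needs more than the fields a VPN concentrator already logs, which is the case study's argument for reviewing those logs proactively.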
Joanna Kao, *The Tech*, 22 Jan 2013 MIT was hacked on Tuesday around noon, with MIT URLs redirecting to a webpage claiming credit for the attack in remembrance of Aaron Swartz. As a result of the hack, people who tried to reach MIT over the Internet were redirected to the hacked Web page pictured here: http://goo.gl/kxdm1. The hack affected all names under mit.edu, including web.mit.edu, tech.mit.edu, etc. The hack and subsequent outages were due to a compromise at EDUCAUSE, the registrar that provides information on all .EDU names. A registrar, which allows users to purchase domain names, also specifies the domain name system (DNS) servers for a domain, which convert domain names to IP addresses - needed to actually load the page. ... http://tech.mit.edu/V132/N62/hack.html
Episciences Project to launch series of community-run, open-access journals. Richard Van Noorden, *Nature*, 17 Jan 2013 [via Dave Farber's IP] http://www.nature.com/news/mathematicians-aim-to-take-publishers-out-of-publishing-1.12243 Mathematicians plan to launch a series of free open-access journals that will host their peer-reviewed articles on the preprint server arXiv. The project was publicly revealed yesterday in a blog post by Tim Gowers, a Fields Medal winner and mathematician at the University of Cambridge, UK. The initiative, called the Episciences Project, hopes to show that researchers can organize the peer review and publication of their work at minimal cost, without involving commercial publishers. “It's a global vision of how the research community should work: we want to offer an alternative to traditional mathematics journals,'' says Jean-Pierre Demailly, a mathematician at the University of Grenoble, France, who is a leader in the effort. Backed by funding from the French government, the initiative may launch as early as April, he says. Many mathematicians—and researchers in other fields—claim that they already do most of the work involved in publishing their research. At no cost, they type up and format their own papers, post them to online servers, join journal editorial boards and review the work of their peers. By creating journals that publish links to peer-reviewed work on servers such as arXiv, Demailly says, the community could run its own publishing system. The extra expense involved would be the cost of maintaining websites and computer equipment, he says. That cost is not small, but it could eventually be provided in part by the journals' users. The arXiv server, for example, costs about US $826,000 a year to run, and is funded by the Cornell University Library in Ithaca, New York; the Simons Foundation in New York and institutional members. 
Demailly says that he first thought of open-access electronic journals that overlay arXiv eight years ago, but the concept became a reality only last June, when he was contacted by the Centre for Direct Scientific Communication (CCSD), based in Villeurbanne, France. The CCSD, a unit of the French National Centre for Scientific Research, develops open-access repositories such as the multidisciplinary archive HAL, which mirrors the arXiv site. [snip] Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>
ACM TechNews, Monday, January 14, 2013 Cyber Security in 2013: How Vulnerable to Attack Is U.S. Now? Christian Science Monitor (01/09/13) Mark Clayton Last year offered many unsettling revelations for businesses, individuals, and U.S. government officials concerned about their vulnerability to cyberattack. Hackers launched offensives that took aim at a wide range of targets, including ordinary citizens' financial information, bank Web sites, critical infrastructure, and important federal agencies. "The cyberthreat facing the nation has finally been brought to public attention," says the Center for Strategic and International Studies' James Lewis. However, he noted there is more befuddlement than clarity on the subject of cybersecurity, and cultivation of the skills to discuss cybersecurity is progressing at a slower pace than hoped. Although there are many cyberthreat sources, the U.S. Pentagon is chiefly concentrating on the growing cyberwarfare capabilities of China, Russia, and Iran. Adding to the challenge of shoring up defenses is the multitude of cyberattackers with diverse motivations and targets. Meanwhile, the U.S. Cyber Consequences Unit reports that at a corporate level, cyberattacks could potentially generate liabilities and losses of sufficient size to bankrupt most companies. Meanwhile, awareness of cyberthreats is on the rise, with a Central Intelligence Agency cybersecurity index estimating that corporate chief information security officers reported a 50 percent increase in the "measure of perceived risk" since March 2011. http://www.csmonitor.com/USA/2013/0109/Cyber-security-in-2013-How-vulnerable-to-attack-is-US-now-video
Researchers at Kaspersky Lab have uncovered an "advanced cyber espionage network" - dubbed Red October - that has been active for at least five years and is targeting diplomatic and government agencies. Red October: http://www.pcmag.com/article2/0,2817,2414260,00.asp
Major vulnerabilities in Cisco VoIP phones http://t.co/ntF86rH2 (*Science Daily* via NNSquad) "Cisco has since released a patch to repair these vulnerabilities but it is ineffective. "It doesn't solve the fundamental problems we've pointed out to Cisco," Cui observes. "We don't know of any solution to solve the systemic problem with Cisco's IP Phone firmware except for the Symbiote technology or rewriting the firmware. We plan to demonstrate a Symbiote-protected Cisco IP Phone at an upcoming conference." The research conducted by Stolfo and Cui was funded by DARPA (Defense Advanced Research Projects Agency), IARPA (Intelligence Advanced Research Projects Activity), and DHS (Department of Homeland Security)."
Lucian Constantin, InfoWorld, 22 Jan 2013 Twitter flaw gave third-party apps unauthorized access to private messages, researcher says. The issue was fixed, but apps that gained this permission without proper authorization still have it. http://www.infoworld.com/d/security/twitter-flaw-gave-third-party-apps-unauthorized-access-private-messages-researcher-says-211304
Monica Goyal and Jon Mackenzie http://blogs.itbusiness.ca/2013/01/tweeted-photos-not-free-to-publish-judge-rules/ opening paragraph: The debate around ownership of content posted by users of online social media services continues. In the wake of the recent uproar surrounding Instagram's proposed Terms of Service changes designed to allow them to claim ownership over their users' posted photographs, the New York District Court has clarified the issues surrounding ownership of photos posted on Twitter in a recent decision – AFP v Morel. While the ownership and usage rights of content posted by users on their social media accounts will no doubt continue to be debated by social media companies, users, and the courts, this case does clarify some important points.
http://www.bbc.co.uk/news/technology-18440979 World's first 'tax' on Microsoft's Internet Explorer 7 selected text: "I was constantly on the line to my web team. The amount of work and effort involved in making our website look normal on IE7 equaled the combined time of designing for Chrome, Safari and Firefox."
An item by Roger G. Johnston of the Vulnerability Assessment Team at the Argonne National Laboratory lists 12 myths, and counters each of them with a pithy counter-argument. For any remaining RISKS readers who still believe that election systems are adequately secure, this is crucial reading. http://jps.anl.gov/Volume6_iss1/JohnstonVP.pdf Thanks to Andrew Appel for spotting this one... PGN
Jeff Jedras, Mitigating a different kind of computer-related risk *IT Business*, 23 Jan 2013 The wife of a startup entrepreneur turned venture capitalist shares tips for other startup spouses on making the relationship work. http://www.itbusiness.ca/it/client/en/Home/News.asp?id=69767
Exposure of files on unsecured wireless no excuse to search, judge rules Warrantless search of file violated defendant's Fourth Amendment right, federal judge says in child porn case Jaikumar Vijayan, ComputerWorld, 23 Jan 2013 ComputerWorld - An individual who inadvertently exposes the contents of his computer over an unsecured wireless network still has a reasonable expectation of privacy against a search of those contents by the police, a federal judge in Oregon ruled last week. The ruling involves John Henry Ahrndt, a previously convicted sex offender who was sentenced to 120 months in prison for possession of child pornography on his computer. Ahrndt had argued that some of the evidence that was used against him in court had been gathered illegally. He had filed an appeal asking the U.S. District Court for the District of Oregon in Portland to suppress the evidence on the grounds that his Fourth Amendment rights against unreasonable search had been violated. Oregon District Court Judge Garr King initially denied Ahrndt's motion to suppress but picked up the case again last year after the U.S. Court of Appeals for the Ninth Circuit reversed King's first ruling. In a 34-page ruling last week, King granted Ahrndt's renewed motion to suppress the evidence gathered by police from his hard drive and also ordered his subsequent testimony to them to be suppressed as well. Ahrndt's case goes back to 2007 when one of his neighbors, a woman referred to only as "JH" in court documents, connected to the Internet using her own wireless network. When JH's network temporarily malfunctioned, her computer automatically connected to Ahrndt's unsecured wireless network. When JH subsequently opened her iTunes software to listen to music, she noticed that another user library, called "Dads LimeWire Tunes", from Ahrndt's computer was also available for sharing, court documents said.
When JH clicked on the folder, she immediately noticed that it contained a lot of files with names suggesting explicit child pornography. She informed the county sheriff's department, which sent a deputy to take a look at her discovery. ... http://www.computerworld.com/s/article/9236036/Exposure_of_files_on_unsecured_wireless_no_excuse_to_search_judge_rules
http://j.mp/XPYnRl (Scientific American via NNSquad) "If you don't delete or disemvowel inappropriate comments, people will think you are not even reading the comment threads. If you don't show up in person, nobody will know you are even interested in their thoughts. If you don't delete the trolls, the trolls will take over and the nice people will go somewhere else." Yes, yes, and yes!