I'm sure the final paragraph will cause long-time RISKS-listers to raise an eyebrow, perhaps both: "Nees previously told Fox News that the fraud was clearly evident, "because page after page of signatures are all in the same handwriting," and that nobody raised any red flags "because election workers in charge of verifying their validity were the same people faking the signatures." http://www.foxnews.com/politics/2013/04/26/officials-found-guilty-in-obama-clinton-ballot-petition-fraud/ We don' need no steenkin' divisions of responsibility. Gary Hinson, CEO IsecT Ltd, NZ, www.SecurityMetametrics.com, PRAGMATIC metrics www.NoticeBored.com; non-stop awareness www.ISO27001security.com ...
Jeremy Kirk, InfoWorld, 29 Apr 2013 The flaw in Adobe Reader could allow an attacker to see when and where a PDF is opened. http://www.infoworld.com/d/security/mcafee-spots-adobe-reader-pdf-tracking-flaw-217461
When a teenage boy snatched the iPhone out of Rose Cha's hand at a bus stop in the Bronx in March, she reported the theft to her carrier and to the police - just as she had done two other times when she was the victim of cellphone theft. Again, the police said they could not help her. Ms. Cha's phone was entered in a new nationwide database for stolen cellphones, which tracks a phone's unique identifying number to prevent it from being activated, theoretically discouraging thefts. But police officials say the database has not helped stanch the ever-rising numbers of phone thefts, in part because many stolen phones end up overseas, out of the database's reach, and in part because the identifiers are easily modified. Some law enforcement authorities, though, say there is a bigger issue - that carriers and handset makers have little incentive to fix the problem. ... http://www.nytimes.com/2013/05/02/technology/cellphone-thefts-grow-but-the-industry-looks-the-other-way.html
LulzSec arrest in Australia Federal police charge IT worker, 24, with attacking government website and say he has claimed to be a leader of hacker group LulzSec hacking suspect arrested in Sydney http://www.guardian.co.uk/technology/video/2013/apr/24/lulzsec-hacking-arrested-sydney-video Australian police have arrested a man they say is affiliated with the international hacking collective LulzSec on a charge of attacking and defacing a government website. http://www.guardian.co.uk/technology/lulzsec The 24-year-old senior IT worker, whose name was not released, was arrested on Tuesday night at his Sydney office, the Australian Federal Police said. The man, who police say has claimed to be a high-level member of the hacking group, was charged with two counts of unauthorised modification of data to cause impairment, and one count of unauthorised access to, or modification of, restricted data. If convicted he could face up to 12 years in jail. http://www.guardian.co.uk/technology/2013/apr/24/lulzsec-arrest-australia [Thanks to Don Hutson for noting this item. PGN]
"Prosecutors say a Dutch citizen has been arrested in Spain in connection with what experts described as the biggest cyberattack in the history of the Internet, launched against an anti-spam watchdog group last month. The Netherlands National Prosecution Office said a 35-year-old suspect it identified only by his initials, S.K., was arrested Thursday at his home in Barcelona. Authorities also seized computers and mobile phones." http://j.mp/14WmE1m (New Tribune / AP, via NNSquad)
A new report presents overwhelming evidence that sophisticated spying software is being abused by governments around the world. The findings by The Citizen Lab, a digital research laboratory at the University of Toronto, detail how the software marketed to track criminals is being used against dissidents and human rights activists. Titled "For Their Eyes Only: The Commercialization of Digital Spying," the report focuses on a type of surveillance software called FinSpy that can remotely monitor webmail and social networks in real time as well as collect encrypted data and communications of unsuspecting targets... http://www.businessinsider.com/countries-with-finfisher-spying-software-2013-5
http://www.greenheartgames.com/2013/04/29/what-happens-when-pirates-play-a-game-development-simulator-and-then-go-bankrupt-because-of-piracy/ Patrick April 29, 2013 256 Comments When we released our very first game, Game Dev Tycoon (for Mac, Windows and Linux) yesterday, we did something unusual and as far as I know unique. We released a cracked version of the game ourselves, minutes after opening our Store. ...
Jeremy Kirk, InfoWorld Home, 23 Apr 2013 Trusteer has found malicious software that leverages Twitter to infect more computers http://www.infoworld.com/d/security/malware-hijacks-twitter-accounts-send-dangerous-links-217054
Caroline Craig, InfoWorld, 03 May 2013 Cash-strapped states are enacting new taxes on computing and cloud-based services, opening a possible Pandora's box of confusion and lost cost savings http://www.infoworld.com/t/cloud-computing/the-taxman-cometh-cloud-services-217814
http://www.computerdealernews.com/news/cloud-computing-gets-cia-endorsement/24774 Cloud Services Infrastructure, 23 Apr 2013 Cloud computing gets CIA endorsement "Say what you will about the Central Intelligence Agency (CIA), but the American spy shop is usually pretty concerned about security. So their endorsement of cloud computing is certainly of note. According to a report from FCW, the CIA has inked a cloud computing contract with Amazon Web Services (AWS) worth as much as $600 million over 10 years." [But what sort of note is it?]
http://j.mp/ZYYP0a (The Register via NNSquad) "How so? Previously, and in most of the world today, ownership of your creation is automatic, and legally considered to be an individual's property. That's enshrined in the Berne Convention and other international treaties, where it's considered to be a basic human right. What this means in practice is that you can go after somebody who exploits it without your permission - even if pursuing them is cumbersome and expensive. The UK coalition government's new law reverses this human right. When last year Instagram attempted to do something similar, it met a furious backlash. But the Enterprise and Regulatory Reform Act has sailed through without most amateurs or semi-professionals even realising the consequences."
http://news.sciencemag.org/scienceinsider/2013/04/us-lawmaker-proposes-new-criteri-1.html?ref=hp#.UX6Vp6SF8zk.email The new chair of the House of Representatives science committee has drafted a bill that, in effect, would replace peer review at the National Science Foundation (NSF) with a set of funding criteria chosen by Congress. For good measure, it would also set in motion a process to determine whether the same criteria should be adopted by every other federal science agency. The legislation, being worked up by Representative Lamar Smith (R-TX), represents the latest—and bluntest—attack on NSF by congressional Republicans seeking to halt what they believe is frivolous and wasteful research being funded in the social sciences. Last month, Senator Tom Coburn (R-OK) successfully attached language to a 2013 spending bill that prohibits NSF from funding any political science research for the rest of the fiscal year unless its director certifies that it pertains to economic development or national security. Smith's draft bill, called the "High Quality Research Act," would apply similar language to NSF's entire research portfolio across all the disciplines that it supports. ScienceInsider has obtained a copy of the legislation, labeled "Discussion Draft" and dated 18 April, which has begun to circulate among members of Congress and science lobbyists. In effect, the proposed bill would force NSF to adopt three criteria in judging every grant. Specifically, the draft would require the NSF director to post on NSF's Web site, prior to any award, a declaration that certifies the research is: 1) "... in the interests of the United States to advance the national health, prosperity, or welfare, and to secure the national defense by promoting the progress of science; 2) "... the finest quality, is groundbreaking, and answers questions or solves problems that are of utmost importance to society at large; and 3) "... 
not duplicative of other research projects being funded by the Foundation or other Federal science agencies." NSF's current guidelines ask reviewers to consider the "intellectual merit" of a proposed research project as well as its "broader impacts" on the scientific community and society. Two weeks ago, Republicans on the science committee took to task both John Holdren, the president's science adviser, and Cora Marrett, the acting NSF director, during hearings on President Barack Obama's proposed 2014 science budget. They read the titles of several grants, questioned the value of the research, and asked both administration officials to defend NSF's decision to fund the work. On Thursday, Smith sent a letter to Marrett asking for more information on five recent NSF grants. In particular, he requested copies of the comments from each reviewer, as well as the notes of the NSF program officer managing the awards. In his letter, a copy of which ScienceInsider obtained, Smith wrote: "I have concerns regarding some grants approved by the Foundation and how closely they adhere to NSF's 'intellectual merit' guideline." Today, Smith told ScienceInsider in a statement that "the proposals about which I have requested further information do not seem to meet the high standards of most NSF funded projects." Smith's request to NSF didn't sit well with the top Democrat on the science committee, Representative Eddie Bernice Johnson (D-TX). On Friday, she sent a blistering missive to Smith questioning his judgment and his motives. "In the history of this committee, no chairman has ever put themselves forward as an expert in the science that underlies specific grant proposals funded by NSF," Johnson wrote in a letter obtained by ScienceInsider. "I have never seen a chairman decide to go after specific grants simply because the chairman does not believe them to be of high value." 
In her letter, Johnson warns Smith that "the moment you compromise both the merit review process and the basic research mission of NSF is the moment you undo everything that has enabled NSF to contribute so profoundly to our national health, prosperity, and welfare." She asks him to "withdraw" his letter and offers to work with him "to identify a less destructive, but more effective, effort" to make sure NSF is meeting that mission. Smith's bill would require NSF's oversight body, the National Science Board, to monitor the director's actions and issue a report in a year. It also asks Holdren's office to tell Congress how the principles laid down in the legislation "may be implemented in other Federal science agencies."
Of all the enemies of true liberty, war is, perhaps, the most to be dreaded, because it comprises and develops the germ of every other. War is the parent of armies; from these proceed debts and taxes; and armies, and debts, and taxes are the known instruments for bringing the many under the domination of the few. In war, too, the discretionary power of the executive is extended; its influence in dealing out offices, honors and emoluments is multiplied; and all the means of seducing the minds are added to those of subduing the force, of the people. The same malignant aspect in republicanism may be traced in the inequality of fortunes, and the opportunities of fraud, growing out of a state of war, and in the degeneracy of manner and of morals, engendered in both. No nation can preserve its freedom in the midst of continual warfare. James Madison (1809-1817), 4th US president, "father" of the Constitution and Bill of Rights Richard S. Russell, 2642 Kendall Av. #2, Madison WI 53705-3736 608+233-5640 RichardSRussell@tds.net http://richardsrussell.livejournal.com/
Woody Leonhard, InfoWorld, 24 Apr 2013 The saga of botched patch MS13-036 takes new twists and turns -- including a problem with Multiple Master fonts http://www.infoworld.com/t/microsoft-windows/microsoft-re-releases-botched-patch-kb-2840149-problems-remain-217213 According to this article, not only are there continuing problems, but the details were not properly disseminated and details are lacking: In an obscure Microsoft Security Response Center post on Thursday, Microsoft recommended that "all customers who have installed security update 2823324 should follow the guidance that we have provided in KB2839011 to uninstall it." Just about every Vista and Win7 customer who had Windows Automatic Update turned on got the patch, but I'd guess that only about one in 100,000 customers saw the notice to uninstall the patch—and of those, maybe one in 10 actually did it. But wait, that's only part of the story. MS13-036 had two different patches. This botched patch fixed the system file ntfs.sys ... eventually. The other patch—known as KB 2808735—replaced the file win32k.sys on all versions of Windows and Server since Windows XP, up to and including Windows 8, Windows RT, and Windows Server 2012. (There's a full list at the end of Security Bulletin MS13-036.) The KB article says that "[a]fter you install this security update, certain Multiple Master fonts cannot be installed." Unfortunately, Microsoft doesn't mention which Multiple Master fonts can't be installed, whether installed MM fonts would get zapped, or if there are modified versions of the MM fonts that might work. The KB article also doesn't say why the MM fonts can't be installed, so it begs the question of whether this is a highly isolated incident, or if symptoms might manifest with other installers or other fonts.
[Note: This item comes from friend Bruce Kushnick. DLH] Date: May 2, 2013 9:56:08 PM PDT From: Bruce Kushnick <email@example.com> Subject: Shame on Verizon: Some Customers in Manhattan, NYC Out Since Sandy - 186 Days and Counting. New Networks Shame on Verizon: There Are Customers in Manhattan, New York City Who Still Don't Have Service After Sandy - 186 Days and Counting. Read the article <http://www.newnetworks.com/VerizonNYC.htm> Download the article. <http://www.newnetworks.com/VerizonNYCSandy.pdf> This is a foreboding glimpse into your future communications services if you live in the USA. I'm sitting in a high ceiling parlor in an aged brownstone at the E. 9th Street Block Association meeting. People are telling me, somewhat muting their anger, that some have had no phone service since Sandy, October 28th 2012 - 186 days ago, almost 6 months, almost half a year. Some had their service restored over the last month, only being out for about 5 months. I'm in a roomful of people in the middle of Manhattan, New York City, and I can't believe my ears. I've been a telecom analyst for 31 years and thought I'd heard everything before - but this? Mayor Bloomberg, with claims that New York City is a world center for technology, announced his new campaign, "We Are Made in NY" in 2013, stating we're "strengthening the city as a global hub for innovation." Being out of service is only one of the Manhattanites' problems. Almost all of those without Verizon service have continued to be billed for services that THEY DO NOT RECEIVE. What's the problem? How could this be happening in America? To read the rest of this article: <http://www.newnetworks.com/VerizonNYC.htm> Download the article: <http://www.newnetworks.com/VerizonNYCSandy.pdf> Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>
Robert X. Cringely, InfoWorld, 01 May 2013 EFF rates how Apple, AT&T, Google, Twitter, and more share data with Uncle Sam—see which tech leaders come out on top http://www.infoworld.com/t/cringely/eff-reports-reveals-techs-loosest-lips-tightest-grips-217710
It was an accident... LAX worker accidentally puts up order to evacuate terminals on monitors Brian Sumers, Daily Breeze Monitors at Los Angeles International Airport's international terminal briefly told passengers there was an emergency and asked them to leave the facility Monday night because of an error made by a contracted airline employee. At a little before 9:47 p.m., the message read: "An emergency has been declared in the terminal. Please evacuate." An airport police source said officers responded to the scene at the Tom Bradley International Terminal, believing the system had been hacked. But an airport spokeswoman said it was an honest mistake. "After investigating what caused the erroneous posting, LAX Airport Ops and Information Technology staffers reported that an airline contract employee, who is authorized to access the display system, was programming airline check-in information into a set of monitors for a particular flight when he accidentally activated the preprogrammed emergency message," airport spokeswoman Nancy Castles said in a statement. Castles said there were no reports of passengers evacuating the terminal and the problem was fixed within about 10 minutes. She said airport officials are looking into ways to ensure a similar problem does not occur again. Brian Sumers
http://j.mp/ZwjUDS (*New Republic* via NNSquad) "As online communication proliferates-and the ethical and financial costs of misjudgments rise-the Internet giants are grappling with the challenge of enforcing their community guidelines for free speech. Some Deciders see a solution in limiting the nuance involved in their protocols, so that only truly dangerous content is removed from circulation. But other parties have very different ideas about what's best for the Web. Increasingly, some of the Deciders have become convinced that the greatest threats to free speech during the next decade will come not just from authoritarian countries like China, Russia, and Iran, who practice political censorship and have been pushing the United Nations to empower more of it, but also from a less obvious place: European democracies contemplating broad new laws that would require Internet companies to remove posts that offend the dignity of an individual, group, or religion."
> "Bob Frankston (RISKS-26.25) > There is a real risk in confusing technical and economic problems. Well... when I worked in telecoms, lore indeed was that if you didn't have some congestion in busy times, you had too much capacity, and it's obviously a matter of commercial judgement as to balancing the cost of losing revenue-earning traffic in the peaks against having expensive equipment lying idle much of the time. I don't know how cellphone or Wi-Fi networks 'scale', but presumably having enough capacity always available to work normally during Boston-type once-in-a-lifetime (we hope!) events would be mighty costly, which has to be paid for somehow, either by telecoms companies' customers, or taxpayers if run by a Government department as a public service (like transit). Looks like the problem here is managing people's expectations; yes you can have a service that stands up to sudden spikes in demand better, but how much more are you willing to pay? And do you want to cope with the once-in-5-years event, or once-in-15, or once-in-50..? After all, when emergencies happened years ago, everyone knew that it would be difficult to find what happened or trace loved ones; now they get angry if they can't do this immediately. It's a bit like readers' letters in the travel section of the newspaper, complaining about the high price and limited availability of the Internet on cruise ships at sea; there are no land-lines in the middle of the ocean, and those satellites are expensive...
First off, MS (for all that I dislike many things about them) isn't forcing anything on this one. They provide a tool that does what it claims to do (give a grid to put stuff in, add, subtract, fold, spindle and mutilate as directed). The fact that it's a bad one for sophisticated economic modeling isn't really their fault. No one is forcing companies to buy this tool, or forcing them to create their simulations and economic models in it. They do it because it seems EASY, and it's the tool they've got handy (it came with their word processor, after all). Dump the numbers in, put a couple of formulas in and BANG - there's the answer! And that's the root of the problem - it's easy to do, and no one has to show you how. So no one ever mentions that you should find some way to test the thing. No one ever explains all the subtleties that happen when you insert cells mid-row. No one ever looks over your shoulder to see if anything coming out of your model makes any sense at all. No one ever lets on that you are in fact PROGRAMMING. And that perhaps some care should be taken. As to alternatives - there's more than one package out there that lets you manipulate numbers. But they aren't 'grid of numbers' simple, and a single license can in some cases cost more than the entire MS Office suite! If it's something that has to go through the budget committee, then it's not going to get bought at many companies. So yes, there's a problem, but blaming MS will not fix it, and detracts from any real thinking on the problem.
Michael, My point is this: since the MS Office is what the system is designed to work with, it is de facto bundled. Surely anyone can use any utility, but the fact is, a vast majority of Windows users who need a spreadsheet, end up using Excel. In principle, the basic utilities of the system—those which are in common use by laypersons—should be made as simple, robust and intuitive as possible. NotePad is a good example, Word used to be, Excel is not. As you say, casual users may not even be aware they are programming. Well, they should, and should be given the tools to do the job; symbolic names for variables is the most basic of these, and has been around since the 1950's. Leaving Excel in this primitive state is certainly MS's fault.
> What's new is that someone has managed to turn the weaknesses into a real > exploit, albeit one that needs at least 224 and preferably 230 encryptions > of the same plaintext to work. > > Except he almost certainly didn't write that; the numbers were presumably > 2**24 and 2**30, expressed in some notation that didn't survive some > reformatting process somewhere. Yup. If you click on the link to the original post, you'll see that I wrote it correctly—using the <sup>...</sup> HTML tags. It's perfectly valid HTML 4 (http://www.w3.org/TR/REC-html40/struct/text.html#edef-SUP) -- but copy/paste to ASCII turns 2<sup>24</sup> into 224. (It will be amusing to see how this paragraph gets translated to HTML.) It's possible to handle copy/paste correctly. On a Mac, I did a copy/paste of some footnoted text from a Word document into an ASCII email message. It rendered the footnote references as  and . I was impressed. Steve Bellovin, https://www.cs.columbia.edu/~smb
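The collapse Bellovin describes (2<sup>24</sup> becoming 224 once the tags are gone) is easy to reproduce and easy to avoid. The following is an added example, not code from the RISKS post or its author: two tiny renderers built on Python's standard `html.parser`, one that drops tags the way a naive copy/paste to ASCII does, and one that keeps exponents and subscripts visible as `^` and `_`. The sample sentence is constructed here, modelled on the quoted text.

```python
"""Why 2<sup>24</sup> turns into 224 when HTML is flattened to ASCII.

Added example; not code from the RISKS post. Two small renderers built
on Python's standard html.parser: one drops tags the way a naive
copy/paste does, the other keeps the exponent readable as 2^24.
"""
from html.parser import HTMLParser

# Constructed sample, modelled on the sentence quoted in the digest.
SAMPLE_HTML = (
    "needs at least 2<sup>24</sup> and preferably 2<sup>30</sup> "
    "encryptions of the same plaintext; H<sub>2</sub>O for good measure"
)


class _TagStripper(HTMLParser):
    """Keeps only character data; every tag, <sup> included, vanishes."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


class _AsciiRenderer(HTMLParser):
    """Maps <sup>x</sup> to ^x and <sub>x</sub> to _x; other tags are dropped."""

    MARKERS = {"sup": "^", "sub": "_"}

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        marker = self.MARKERS.get(tag)
        if marker:
            self.parts.append(marker)

    def handle_data(self, data):
        self.parts.append(data)


def strip_tags(html: str) -> str:
    """Naive flattening: the exponent is glued onto the base ("224")."""
    parser = _TagStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


def to_ascii(html: str) -> str:
    """Structure-aware flattening: the exponent stays readable ("2^24")."""
    parser = _AsciiRenderer()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    print("naive :", strip_tags(SAMPLE_HTML))
    print("aware :", to_ascii(SAMPLE_HTML))
```

Run it and the first line shows "224" and "230", the second "2^24" and "2^30". The point for anyone publishing numeric claims is that markup which only exists as presentation (tags, colour, position) does not survive a plain-text round trip; an inline notation such as `2^24` or `2**24` does.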
I had a very similar color confusion after asking my office manager to order numbered labels for equipment with one color for borrowed (red) and another for the equipment we owned. It never occurred to me I'd get labels with the same number in each series. But then why should someone not versed in databases and computer technology realize that color was not normally stored with other information in the database? For that matter, before the advent of xerography, fax, Mylar typewriter ribbons and computer printers, typewriters had two-color ribbons so that negative numbers could be typed in red.
There are multiple risks in building technology policy such as "don't text" into devices. Such policies put implicit assumptions about context and usage in between us and the technologies we use. In the case of texting in particular, do we ban apps that might semi-automatically text on our behalf? That's aside from the practical implementation issues such as determining whether the user is a passenger or a driver. Today would Motorola have been able to introduce the distractions of car radios? Of course basing policies on studies is something that should be done very cautiously, as this note appeared in the same issue of Risks as reports of flawed economic studies that served as the basis for major public policy decisions. We also need to remember that bans on using devices in airplanes seem as much if not more due to the social concerns about people talking on a cell phone than real issues with the technology. The larger issue is more subtle and part of the problem of tying technology to specific purposes. When we do so we are throwing sand into the engine of "innovation" - the opportunity to reimagine our technologies in the same way IP allowed us to repurpose the telecom infrastructure. In the 1970s computers became much more valuable to society when IBM was forced to sell its hardware without limiting their applications.
This item is slightly misleading. The laptop was left on a bed with the power on. The heat from the laptop caused the bedding to catch fire .. and then the laptop went up in flames. http://www.metrowestdailynews.com/news/x2082727297/Fire-at-Framingham-State-caused-by-overheated-laptop
> [Lots of new risks as well, much faster and with lower power? PGN] "2,000 times more powerful" is LOWER power? That is not a risk - that's dangerous! [PGN is either silly or preoccupied, or else he meant something like this: "[Lots of new risks as well, much faster and even with lower power?]"? PGN]
The Organizing Committee for LASER 2013 would like to invite you to submit a paper for this year's workshop. The goal of this workshop is to help the security community quickly identify and learn from both success and failure. The workshop focuses on research that has a valid hypothesis and reproducible experimental methodology, but where the results were unexpected or did not validate the hypotheses, where the methodology addressed difficult and/or unexpected issues, or where unsuspected confounding issues were found in prior work. Topics include, but are not limited to: - Unsuccessful research in experimental security - Methods and designs for security experiments - Experimental confounds, mistakes, and mitigations - Successes and failures reproducing experimental techniques and/or results - Hypothesis and methods development (e.g., realism, fidelity, scale) The specific security results of experiments are of secondary interest for this workshop. *June 27, 2013* is the submission deadline for LASER 2013. You can find out more about the workshop at http://www.laser-workshop.org. The website has a link to the CFP but I've copied the CFP along with Submission Guidelines below for your convenience. Remember that the purpose of this workshop is to quickly identify and learn from both success and failure, so unexpected results are welcome.