Ahead of Malaysia's elections on Sunday, independent online media say they are being targeted in Internet attacks which filter content and throttle access to websites, threatening to deprive voters of their main source of independent reporting. http://j.mp/17EJvfJ (Reuters via NNSquad)
The *Wall Street Journal* (16 May 2013) ran an article on systems that allow pilots and air traffic controllers to communicate via text messages [1]. The article claims that the system can increase the communication's accuracy and the ATC's productivity. It also has a pilot lauding the system's accuracy and speed. All these benefits sound probable. However, the risks of the new technology seem to get short shrift. I was struck by the following phrase: "Controllers have pop-up windows with various choices of standard messages for altitude changes, frequency changes and some re-routings." What could possibly go wrong? [1] http://online.wsj.com/article/SB10001424127887324767004578485061565368992.html?modâtw Diomidis Spinellis - http://www.spinellis.gr
Aviation Week & Space Technology reports that an American Airlines official attributed a facet of the problem in the 16 April 2013 flight cancellations to an inability to print out flight plans. The airline's internal Flight Operations System (FOS) in Dallas crashed on Tuesday afternoon, stranding the airline's entire domestic and international route structure, estimated to last until 5 p.m. central time. At issue in part is the inability for pilots to print out their flight plans, a legacy process that requires a dot-matrix printer and 19 ft. of paper at the gate for each flight. (http://www.aviationweek.com/Article.aspx?id=/article-xml/awx_04_16_2013_p0-569921.xml)
[We infrequently run an obit notice, but I don't recall ever running one for an organization. However, if organizations are people, then this does not really set a new precedent. Incidentally, CPSR was mentioned twice in the very first issue of RISKS in 1985, and Gary Chapman contributed to RISKS-1.37 and 1.46, as then director of CPSR. Created by Severo Ornstein, and subsequently led by Gary and Marc Rotenberg, CPSR was a major player in activities related to RISKS, as Doug notes here. Posthumously giving the final Norbert Wiener Award to Gary is very fitting. I hope the CPSR website can survive (cpsr.org) as an historically relevant site. PGN] It is my unenviable task to announce that Computer Professionals for Social Responsibility (CPSR), a non-profit educational corporation, has been dissolved. CPSR was launched in 1981 in Palo Alto, California, to question the computerization of war in the United States via the Strategic Computing Initiative to use artificial intelligence in war, and, soon after, the Strategic Defense Initiative—`Star Wars'. Over the years CPSR evolved into a `big tent' organization that addressed a variety of computer-related areas including workplace issues, privacy, participatory design, freedom of information, community networks, and many others. Now, of course, there are hundreds, if not thousands, of organizations and movements that are concerned not only about the misuses of ICT by governments and corporations (and others) but also about trying to develop approaches that help communities work together to address issues related to economic and other inequalities and environmental degradation—as well as broader issues such as war and peace. CPSR to me provided a vital link to important ideas and to inspirational and creative people. These people believed that positive social change was possible and that the use of ICT could play a significant role.
For example, in 1993, CPSR developed a document designed to help shape the National Information Infrastructure (NII) program promoted by the Clinton/Gore administration to help guide the evolution of networked digital communication. Through a variety of conferences, workshops and reports, CPSR encouraged conversations about computers and society that went beyond hyperbole and conventional wisdom. Although in many ways the issues that CPSR helped publicize have changed forms, they generally still remain. The ethical and other issues surrounding the computerization of war, for one thing, have not gone away just because they're not prominent on the public agenda. CPSR's original focus on the use of artificial intelligence in `battle management', etc. and the possibility of launch on warning is probably still pertinent. The advent of ubiquitous and inexpensive drones definitely is. Apparently, as many people know, the age of the participatory membership organizations is over—their numbers are certainly way down—and we in CPSR had certainly noticed that trend. I personally suspect that this development is not necessarily a good thing. I certainly would welcome another membership organization with CPSR's Big Tent orientation. On the occasion of CPSR's dissolution we've developed two small projects for keeping CPSR's spirit alive. The first is that it would be a good opportunity to catalog the groups and organizations around the world that would be natural allies to CPSR if it still existed. We've started this cataloging (see http://www.publicsphereproject.org/civic_organizations) but presumably have only captured a small fraction of these organizations. Please open an account on the Public Sphere Project site and add the information about your organization. The second is less concrete but probably no less important.
To help the current and future generation of activists as we envision possible futures and interventions, we'd like to put these two related questions forward: What applications of ICT are the most important to human development and sustainability? And, on the other hand, What are the strongest challenges to these applications? Please e-mail me your thoughts on this and I will do my best to compile the thoughts and make them public. - - - - With this note I also want to announce that CPSR's final Norbert Wiener Award for Social and Professional Responsibility winner is Gary Chapman, who served as CPSR's first executive director from 1985 to 1992. The award recognizes outstanding contributions for social responsibility in computing technology. It is named for Norbert Wiener (1894-1964), who, in addition to a long and active scientific career that brought the word "cybernetics" (and, hence, cyberspace) into the language, was also a leader in assessing the social implications of computerization. Writing in Science (1960), Wiener reminds us that, “...even when the individual believes that science contributes to the human ends which he has at heart, his belief needs a continual scanning and re-evaluation which is only partly possible. For the individual scientist, even the partial appraisal of the liaison between the man and the historical process requires an imaginative forward glance at history which is difficult, exacting, and only limitedly achievable...We must always exert the full strength of our imagination.'' Gary (who died in 2010) spent nearly three decades working towards peace and social justice as it related to information technology. As Marc Rotenberg of the Electronic Privacy Information Center (EPIC) stated, Gary “made many people stop and ask hard questions about technology. Not just Is it cool?, but Does it make our lives better, or more just?
And does it make our world more secure?'' Gary's technology column, "Digital Nation," was carried in over 200 newspapers and websites. He taught and lectured all over the world, most recently as a guest faculty member at the University of Porto in Porto, Portugal. Since his time at CPSR he had been involved in a multitude of related projects including the International School for Digital Transformation (ISDT) that he and others at the University of Texas convened annually in Porto, Portugal. Gary was on the faculty of the Lyndon B. Johnson School of Public Affairs at the University of Texas, Austin. On the local level, he also worked to bridge the digital divide, the gulf between those with access to technology and those without. In 1995, for example, he worked on the successful grant application that led to the establishment of Austin Free-Net (www.austinfree.net), which installed the first public access Internet stations in Austin, and continues today as a national model for bringing digital opportunities to low-income and digitally challenged residents. And in 2010, Gary co-founded Big Gig Austin (www.biggigaustin.org), which anchored the successful community campaign to bring the Google gigabit fiber network to Austin. Gary was a principled and untiring advocate for the use of the Internet as a tool for collaboration and other means to bring people together. Also, as a former medic with the Army Special Forces, Gary was especially concerned about the uses of computing in warfare. In his articles in the CPSR Newsletter, he warned that “Automating our ignorance of how to cope with war will produce only more disaster.'' With David Bellin he co-edited Computers in Battle: Will They Work?, a book on the implications of computer technology in war, and was involved for many years in a rich collaboration with the Pugwash-USPID (Unione Scienziati Per Il Disarmo)-ISODARCO (International School on Disarmament and Research on Conflicts) community in Italy and elsewhere.
Gary contributed chapters to several books that I was involved with. Most recently, he contributed The Good Life, one of the patterns (publicsphereproject.org/patterns/lv) in Liberating Voices, a book that I wrote (with the help of 85 others). The verbiage from the pattern card, abridged from the full text, reminds us of Gary's humane values, and serves as an important challenge for all of us: People who hope for a better world feel the need for a shared vision of the "good life" that is flexible enough for innumerable individual circumstances but comprehensive enough to unite people in optimistic, deliberate, progressive social change. This shared vision of The Good Life should promote and sustain conviviality and solidarity among people, as well as feelings of individual effectiveness, self-worth and purpose. A shared vision of The Good Life is always adapting; it encompasses suffering, loss and conflict as well as pleasures, reverence and common goals of improvement. An emergent framework for the modern "good life" is based on some form of humanism, particularly pragmatic or civic humanism, with room for a spiritual dimension that does not seek domination. Finally, the environmental crises of the planet require a broad vision of a "good life" that can harmonize human aspirations with natural limits. All this needs to be an ongoing and open-ended "conversation," best suited to small geographic groups that can craft and then live an identity that reflects their vision of a "good life." Although this will be CPSR's final Wiener award, the work that Gary and other activists from CPSR and other organizations helped launch over two decades ago is now being carried forward by scores of organizations and thousands of activists all over the world, as digital information and communication systems have assumed such a central location on the world's stage.
Several projects including a Festschrift or other book project or event related to CPSR and social responsibility have been discussed although no firm plans have been made. Gary Chapman was patient but persistent in his pursuit of progressive goals and a better life for all. Sadly, Gary left us before he could see his vision brought to fruition. He'll be missed but we all must push forward with his vision. Douglas Schuler <douglas@publicsphereproject.org>
David E. Sanger, Nicole Perlroth, and Michael S. Schmidt [PGN-truncated] http://www.nytimes.com/2013/05/13/us/cyberattacks-on-rise-against-us-corporations.html?pagewanted=1&hpw A new wave of cyberattacks is striking American corporations, prompting warnings from federal officials, including a vague one issued last week by the Department of Homeland Security. This time, officials say, the attackers' aim is not espionage but sabotage, and the source seems to be somewhere in the Middle East. The targets have primarily been energy companies, and the attacks appeared to be probes, looking for ways to seize control of their processing systems. The attacks are continuing, officials said. But two senior administration officials said Sunday that they were still not certain exactly where the attacks were coming from, or whether they were state-sponsored or the work of hackers or criminals. [...]
Marc Santora, 9 May 2013 It was a brazen bank heist, but a 21st-century version in which the criminals never wore ski masks, threatened a teller or set foot in a vault. In two precision operations that involved people in more than two dozen countries acting in close coordination and with surgical precision, thieves stole $45 million from thousands of ATM's in a matter of hours. In New York City alone, the thieves responsible for ATM withdrawals struck 2,904 machines over 10 hours starting on Feb. 19, withdrawing $2.4 million. The operation included sophisticated computer experts operating in the shadowy world of Internet hacking, manipulating financial information with the stroke of a few keys, as well as common street criminals, who used that information to loot the automated teller machines. The first to be caught was a street crew operating in New York, their pictures captured as, prosecutors said, they traveled the city withdrawing money and stuffing backpacks with cash. ... http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html
Michael Wilson, *The New York Times*, 3 May 2013 The woman was talking on her iPhone, and never saw coming her induction into a large and growing subset of crime victims. But there it happened shortly after noon on April 15, on a busy corner of Main Street in Flushing, Queens. A teenager zipped past, snatching the phone out of her hand and kept running. Devices like hers were stolen 16,000 times last year in New York City. But what happened on this afternoon was anything but commonplace. The closest comparison that leaps to mind is a classic chase scene from a 1971 thriller. The teenager, soon out of sight, had every reason to believe his getaway was whistle clean. The woman, with just as many reasons to believe that was the last she would see of her phone, flagged a police officer, who put a call over the radio with a description of the young man wearing a yellow hooded sweatshirt. Another officer pulled out his own iPhone, and together with the victim, logged into the Find My iPhone feature, which should work if the thief had not turned the victim's phone off. He had not. A telltale dot appeared on the screen of the officer's phone. The victim's phone was nearby, at 126th Street and Roosevelt Avenue. ... http://www.nytimes.com/2013/05/04/nyregion/crime-scene-chasing-down-a-gps-blip-to-a-stolen-iphone.html
Lucian Constantin, InfoWorld Home, 14 May 2013 The Android threat landscape is starting to resemble that of Windows, according to F-Secure's Mobile Threat Report https://www.infoworld.com/d/mobile-technology/android-threats-growing-in-number-and-complexity-report-says-218523
Amy Chozick and Ben Protess, *The New York Times*, 10 May 2013 Privacy Breach on Bloomberg's Data Terminals A shudder went through Wall Street on Friday after the revelation that Bloomberg News reporters had extracted subscribers' private information through the company's ubiquitous data terminals to break news. The company confirmed that reporters at Bloomberg News, the journalism arm of Bloomberg L.P., had for years used the company's terminals to monitor when subscribers had logged onto the service and to find out what types of functions, like the news wire, corporate bond trades or an equities index, they had looked at. Bloomberg terminals, which cost an average of more than $20,000 a year, are found in nearly every banking and trading company. Bloomberg said the functions that allowed journalists to monitor subscribers were a mistake and were promptly disabled after Goldman Sachs complained that a Bloomberg reporter had, while inquiring about a partner's employment status, pointed out that the partner had not logged onto his Bloomberg terminal lately. The incident led to broader concerns about the line at Bloomberg between its lucrative terminal business and the hypercompetitive newsroom, threatening to undermine the credibility of both. In a secretive world that thrives on opacity, traders and financial firms jealously guard every speck of information about their activity to avoid tipping their hand on their trades and investments. ... http://www.nytimes.com/2013/05/11/business/media/privacy-breach-on-bloombergs-data-terminals.html
Chris Paoli, Redmond Magazine, 14 May 2013 http://redmondmag.com/articles/2013/05/14/microsoft-warns-of-facebook-hijack.aspx
Gregg Keizer, Computerworld, InfoWorld, 06 May 2013 Security experts suspect Chinese hackers are using the flaw to target nuclear weapons researchers using IE8, the most widely used of Microsoft's five supported browsers http://www.infoworld.com/d/security/microsoft-admits-zero-day-bug-in-ie8-pledges-patch-217927
Computerworld - For a few months earlier this year, the personal data of customers of the Schnucks supermarket chain was exposed to hackers whose work went undetected until after a card processing company issued an alert about fraudulent activity on a handful of credit and debit cards used at the stores. http://www.computerworld.com/s/article/9238891/Security_tools_can_t_keep_hackers_at_bay?source=IDGENTERPRISENLE_nlt_insider_2013-05-09 [More like 'Schmucks']
http://metro.co.uk/2013/05/03/man-messages-the-entire-internet-the-internet-replies-i-am-easy-to-exploit-3710848/ Man messages the entire Internet. The Internet replies: I am easy to exploit. While most of the world spent the past year just drifting through life, he took that time to message every Internet-connected device on the planet. In order to carry out a survey that would examine the flaws which make us vulnerable to cyber attacks, Moore messaged almost 4 billion Internet Protocol (IP) addresses belonging to our devices, getting replies from 310m of them. The goal was to collate a mountain of data and then go through it to determine what security flaws exist which leave individuals and businesses exposed to online criminals. According to the study, attackers could potentially access company servers to gain individuals' personal details. Other vulnerabilities could allow criminals to gain control of certain infrastructure, from traffic lights to factories to oil pipelines. “Off-hand, at least 100m devices are directly connected to the Internet and expose a common security weakness. The surprising part wasn't the type of systems exposed, but the sheer number of them and the concentration of vulnerable systems by geography and industry.''
"A Comstock Park woman faces criminal charges after police say she admitted to creating false Facebook accounts with her ex-boyfriend's personal information to make it appear that his new girlfriend was threatening her." http://j.mp/103pqNG (MLive via NNSquad)
Internet registrar Name.com on Wednesday revealed it was hit by a security breach. The company sent an e-mail to its customers informing them that their usernames, e-mail addresses, passwords, and credit card account information "may have been accessed by unauthorized individuals." The good news is that the last two were encrypted, according to Name.com's e-mail. http://j.mp/11kBuxI (TNW)
Many of the volunteers in the personal genome project also volunteered their 5-digit zip codes, gender and date of birth, which made it easy to re-identify them. The data privacy lab has set up a web page http://aboutmyinfo.org/ so that US residents can see how many other people have the same details as their own.
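The linkage attack that makes (zip, gender, date of birth) so dangerous, as an added example that is not part of the original digest item and uses only constructed records (no real Personal Genome Project or voter-roll data): an "anonymized" release is joined to an identified public list on that quasi-identifier, every release row whose key matches exactly one public identity is re-identified, and the same join is repeated after coarsening zip to its 3-digit prefix and date of birth to birth year to show why that generalization blunts the attack. The `pgp_id`, `trait` and `name` fields and all values are made up for the example.

```python
"""Linkage (re-identification) attack on the quasi-identifier (zip, gender, dob).

Constructed sample data only. The "release" has no names but publishes
zip/gender/dob; the "public list" is a voter-roll-style file that has names
and the same three attributes.
"""
from collections import defaultdict

GENOME_RELEASE = [  # constructed "anonymized" records
    {"pgp_id": "hu0001", "zip": "02139", "gender": "F", "dob": "1972-03-14", "trait": "lactose_intolerant"},
    {"pgp_id": "hu0002", "zip": "02139", "gender": "M", "dob": "1985-11-02", "trait": "apoe_e4_carrier"},
    {"pgp_id": "hu0003", "zip": "94110", "gender": "F", "dob": "1990-07-30", "trait": "brca1_variant"},
    {"pgp_id": "hu0004", "zip": "60614", "gender": "M", "dob": "1968-01-09", "trait": "cyp2c19_poor_metab"},
]

PUBLIC_LIST = [  # constructed identified records
    {"name": "Alice Adams", "zip": "02139", "gender": "F", "dob": "1972-03-14"},
    {"name": "Bob Brown",   "zip": "02139", "gender": "M", "dob": "1985-11-02"},
    {"name": "Carol Chen",  "zip": "02142", "gender": "F", "dob": "1972-09-01"},
    {"name": "Dan Diaz",    "zip": "02139", "gender": "M", "dob": "1985-11-02"},
    {"name": "Eve Evans",   "zip": "94110", "gender": "F", "dob": "1990-07-30"},
    {"name": "Grace Gill",  "zip": "94103", "gender": "F", "dob": "1990-02-11"},
]


def quasi_key(rec):
    """The quasi-identifier: the three attributes both datasets share."""
    return (rec["zip"], rec["gender"], rec["dob"])


def index_by_quasi(records):
    """Group records into equivalence classes keyed by the quasi-identifier."""
    idx = defaultdict(list)
    for rec in records:
        idx[quasi_key(rec)].append(rec)
    return idx


def link_release(release, public):
    """Join release rows to public identities on the quasi-identifier.

    Returns ({pgp_id: name} for rows matching exactly one identity,
             number of rows that matched more than one identity).
    Rows matching nobody are simply not linkable from this public list.
    """
    public_idx = index_by_quasi(public)
    reidentified, ambiguous = {}, 0
    for rec in release:
        matches = public_idx.get(quasi_key(rec), [])
        if len(matches) == 1:
            reidentified[rec["pgp_id"]] = matches[0]["name"]
        elif len(matches) > 1:
            ambiguous += 1
    return reidentified, ambiguous


def same_details_count(records):
    """For each named record, how many *other* records share its quasi-identifier.

    A count of 0 is what makes a person unique, and therefore re-identifiable,
    from these three attributes alone.
    """
    idx = index_by_quasi(records)
    return {rec["name"]: len(idx[quasi_key(rec)]) - 1 for rec in records}


def generalize(rec):
    """Coarsen the quasi-identifier: 3-digit zip prefix and birth year only."""
    return {**rec, "zip": rec["zip"][:3], "dob": rec["dob"][:4]}


if __name__ == "__main__":
    exact, amb = link_release(GENOME_RELEASE, PUBLIC_LIST)
    print("exact join re-identified:", exact, "ambiguous:", amb)
    coarse, amb_c = link_release([generalize(r) for r in GENOME_RELEASE],
                                 [generalize(r) for r in PUBLIC_LIST])
    print("generalized join re-identified:", coarse, "ambiguous:", amb_c)
    print("others sharing each person's details:", same_details_count(PUBLIC_LIST))
```

On the exact join two of the four release rows resolve to a single name; after generalization none do, because every remaining key now has at least two candidates. Real-world uniqueness on full (zip, gender, dob) is far higher than this toy suggests, which is exactly the point of the aboutmyinfo.org check.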
[DOJ press release] "These defendants allegedly formed the New York-based cell of an international cybercrime organization that used sophisticated intrusion techniques to hack into the systems of global financial institutions, steal prepaid debit card data, and eliminate withdrawal limits." .... "The "Unlimited Operation" begins when the cybercrime organization hacks into the computer systems of a credit card processor, compromises prepaid debit card accounts, and essentially eliminates the withdrawal limits and account balances of those accounts. The elimination of withdrawal limits enables the participants to withdraw literally unlimited amounts of cash until the operation is shut down." rest: http://www.justice.gov/usao/nye/pr/2013/2013may09.html
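What the issuer or processor could have watched for, as an added example that is not part of the DOJ release or the NYT item and is not any bank's detection logic: once withdrawal limits have been removed at the processor, the card's authorizations all succeed, so the remaining signal is the pattern of the cash-out itself. The code below runs over a few constructed authorization-log lines (the card tokens, ATM ids, amounts and the per-card limit table are all made up) and flags a card when the approved total exceeds the limit the card was issued with, or when it is drained at many distinct ATMs inside one short window.

```python
"""Detect an 'Unlimited Operation' style cash-out from authorization records.

Constructed sample log, not real transaction data. Fields per line:
timestamp  card-token  atm-id  city  amount  decision
The limits table is the issuer's own record of each prepaid card's daily
withdrawal cap; if the processor has been altered to approve everything,
approved totals above this cap are the first thing an independent check sees.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CARD_LIMITS = {"tok-A1": 2500.0, "tok-B2": 2500.0, "tok-C3": 2500.0}  # constructed

AUTH_LOG = """\
2013-02-19T03:00:12Z tok-A1 atm-0017 NYC 780.00 APPROVED
2013-02-19T03:41:55Z tok-A1 atm-0042 NYC 780.00 APPROVED
2013-02-19T04:20:07Z tok-A1 atm-0105 NYC 780.00 APPROVED
2013-02-19T05:02:31Z tok-A1 atm-0211 NYC 780.00 APPROVED
2013-02-19T05:44:48Z tok-A1 atm-0307 NYC 780.00 APPROVED
2013-02-19T06:30:02Z tok-A1 atm-0388 NYC 700.00 APPROVED
2013-02-19T08:00:10Z tok-C3 atm-0500 NYC 400.00 APPROVED
2013-02-19T08:04:40Z tok-C3 atm-0500 NYC 400.00 APPROVED
2013-02-19T08:09:15Z tok-C3 atm-0500 NYC 400.00 APPROVED
2013-02-19T08:14:02Z tok-C3 atm-0500 NYC 400.00 APPROVED
2013-02-19T08:19:49Z tok-C3 atm-0500 NYC 400.00 APPROVED
2013-02-19T12:15:33Z tok-B2 atm-0042 NYC 400.00 APPROVED
2013-02-19T19:40:21Z tok-B2 atm-0017 NYC 500.00 APPROVED
"""


def parse_auth_log(text):
    """Parse the whitespace-separated constructed log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, atm, city, amount, decision = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "card": card, "atm": atm, "city": city,
            "amount": float(amount), "decision": decision,
        })
    return events


def max_distinct_atms(events, window):
    """Largest number of distinct ATMs one card hit within any `window`-long span."""
    events = sorted(events, key=lambda e: e["ts"])
    best = 0
    for i, start in enumerate(events):
        atms = {e["atm"] for e in events[i:] if e["ts"] - start["ts"] <= window}
        best = max(best, len(atms))
    return best


def cashout_alerts(events, limits, window=timedelta(hours=10), min_atms=5):
    """Return {card: {total, atms, reasons}} for cards showing cash-out behaviour.

    limit_exceeded: approved withdrawals sum to more than the card's issued cap,
                    which should be impossible unless the limit was removed upstream.
    atm_velocity:   the card was used at >= min_atms distinct machines within `window`.
    """
    per_card = defaultdict(list)
    for e in events:
        if e["decision"] == "APPROVED":
            per_card[e["card"]].append(e)

    alerts = {}
    for card, evs in per_card.items():
        total = sum(e["amount"] for e in evs)
        atms = max_distinct_atms(evs, window)
        reasons = []
        if total > limits.get(card, float("inf")):
            reasons.append("limit_exceeded")
        if atms >= min_atms:
            reasons.append("atm_velocity")
        if reasons:
            alerts[card] = {"total": total, "atms": atms, "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for card, info in cashout_alerts(parse_auth_log(AUTH_LOG), CARD_LIMITS).items():
        print(card, info)
```

Only tok-A1 fires: its approved total is well over its issued cap and it was hit at six machines in under four hours. tok-C3 is repeatedly used at one ATM but stays under its cap, and tok-B2 is ordinary use, so neither rule trips; the two rules are deliberately independent so that a drained card still alerts when the fraudsters stay below the per-card cap, and a cap breach still alerts when they use a single machine.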
[Google Glass has been hacked.] http://www.saurik.com/id/16 Exploiting a Bug in Google's Glass
David Streitfeld, *The New York Times*, May 6, 2013 SAN FRANCISCO - Google's wearable computer, the most anticipated piece of electronic wizardry since the iPad and iPhone, will not go on sale for many months. But the resistance is already under way. The glasseslike device, which allows users to access the Internet, take photos and film short snippets, has been preemptively banned by a Seattle bar. Large parts of Las Vegas will not welcome wearers. West Virginia legislators tried to make it illegal to use the gadget, known as Google Glass, while driving. ... http://www.nytimes.com/2013/05/07/technology/personaltech/google-glass-picks-up-early-signal-keep-out.html
In RISKS-27.26 and 27.27, Amos Shapir states that Microsoft's failure to provide symbolic naming in Excel is the root cause of Reinhart and Rogoff's errors ("I'm not surprised that Microsoft would force such antediluvian practices upon all of us", "Leaving Excel in this primitive state is certainly MS's fault."), as well as a host of other evils. However, this accusation is clearly erroneous, as Excel supports "named references" and "named ranges", and has done so for at least a decade (I don't have Excel documentation handy for versions prior to 2003). Perhaps the RISK here is the temptation to blame familiar bogeymen for what you assume their shortcomings must be without bothering to check whether or not those shortcomings exist. [Also noted by James Geissman. PGN]
"Define Name" The mouse-over explanation is, "Name cells so that you can refer to them in formulas by that name. ... "Names can be used in formulas to make them easier to understand." That the binding is to a specific cell is also significant (and can be fixed or floating to follow the cell when its coordinates change as the result of other actions). I don't have any older version of Excel installed at the moment, but I would be surprised if this feature does not exist in the still-popular Excel 2003. It seems that, in this case, Kohne's observations about folks lacking a combination of subject-matter expertise and fluency with chosen digital tools is more compelling than dwelling on the absence of features that are actually present. I have no recipe for increasing the empowerment of individuals to master their handy tools. It is at least as challenging as encouraging safe password practices and explaining two-factor authentication to those who think multiplicity of the same factor accomplishes anything. [I deal reluctantly with an institution that requires me to choose a safe *user* ID (8-to-16 mixed character types) and obscures the entry field of my own ID, while only providing a numeric passcode of not more than 8 digits [;<).] PS: I just looked at a handy guide, "Microsoft Office Professional 2013 Plain & Simple", an overview of the current version that is probably most useful for those with some fluency with earlier versions. I see in Chapter 13, Analyzing Your Excel 2013 Data, that the "Define Name" feature is clearly visible in the illustrative screen captures. The author provides some nice tips. Naming cells is not one of them. PPS: In an alternative, open-source spreadsheet implementation, I found similar capability after working down the Insert | Names ... | Define menu selection, reaching a dialog titled "Define Name" with brief description "Define the name and range or formula expression."
This seems to be rather hard on Microsoft; if you just want to store and manipulate alphanumeric data, then Excel is widely available and easy to use. In my very limited experience, with purpose-made database programs you have to design the whole 'table' structure first, whereas with Excel you can just enter data as you go along. And as mentioned, Excel comes with the Office package that everyone has, while Access, say, is a separate paid-for program that you need a business case for, or at least it was where I worked. (The problem in RISKS 24.20 was Excel silently changing the format of data already entered.)
"McAfee suggests that Adobe Reader users disable JavaScript until a patch is released." The best advice: "Disable JavaScript in Adobe Reader _forever_", or better still, find a pdf reader that doesn't even bother implementing JavaScript at all.
I think the WORST aspect may be: "Castles said there were no reports of passengers evacuating the terminal ... " "She said airport officials are looking into ways to ensure a similar problem does not occur again." Which problem? The false alarm, or the fact that nobody took any notice?
The biggest issue "that should not occur again" is clearly that no passengers reacted to the message for 10 minutes. So if there is a real emergency, the on-screen messages are just about useless. What happens if this is "fixed" by adding automated pre-recorded loudspeaker messages telling everyone to evacuate? Then people WILL leave. So then one slip of the finger on the keyboard can cause major disruption. Some hard thinking is needed on the whole issue of design and operation of such automated public alarm systems. There are also non-negligible issues of liability in case of "false positives" and "false negatives". Dr. Eric T. Ferguson, Consultant for Energy and Development, van Reenenweg 3, 3702 SB ZEIST Netherlands tel: +31 30-2673638