Michelle Singletary, *The Washington Post*, 30 Jul 2013 The health of our economy relies on people finding and keeping jobs. If there are electronic-record systems that are preventing qualified people from getting hired or staying employed, they [the systems, not the people, notes PGN] need to be fixed. That's why it's important to take note of a report from the National Employment Law Project, which estimates that 1.8 million workers every year are subjected to FBI background checks that contain incorrect or incomplete information. [...] http://www.washingtonpost.com/business/surviving-the-data-blame-game/2013/07/30/3ad80f48-f890-11e2-8e84-c56731a202fb_story.html?tid=pp_stream
A pair of security researchers found that so-called smart houses have serious security vulnerabilities. A discontinued home automation system from Insteon is connected to the Internet with a web server—and did not even provide a robots.txt file to tell search engines to stay away. The result is that all the house controls are visible if you know the right keywords to search for. The researcher was able (after contacting the homeowner and getting permission) to turn the lights on and off, control TV sets, garage doors, cameras, etc. All the things that the owner can control remotely with a smartphone app. The system is shipped from the manufacturer with a default setting of no username or password. Other manufacturers have similar problems. The Satis Smart Toilet can be controlled by anybody with an Android, the right app, and close enough to communicate with the toilet. More details at http://onforb.es/159JEcM http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/?google_editors_picks=true
I'm often frustrated in trying to explain that the Internet isn't just the web or a series of tubes. The problem is that those views work well for those who look at the surface and want more of what they see. It's hard to explain that the web and its benefits come from the days of an Internet without borders in which we were free to experiment. Today we're back to the time when you had a network suitable for phone calls or other enumerated applications. This is not a new issue, but I recently posted http://rmf.vc/CILight which might help people understand the issue by using a very simple example - the ability to maintain a relationship between two end points. If we can't do that, then how can we innovate ahead of what is offered by the incumbent providers? For that matter, why do we use words like "provide" and "access" when we talk about the Internet, which came from our innovation at the edge despite the service providers? Maybe this is about the risks of language and of using words like communicate, information, broadband, which allow us to talk without really communicating. http://frankston.com
Various sources have reported that Stanford University has alerted its network users that their accounts may have been compromised (for the second time in about a month), and recommended that passwords should be changed as a precautionary measure while the Stanford IT folks are trying to assess the scope of the breach. Five days later, I've heard nothing further. Perhaps a RISKS reader at Stanford can contribute an update.
I run a small Web site (http://iotta.snia.org) that distributes large scientific files to researchers. For unjustifiable reasons, it has an absurdly slow link (10 Mbits) to the outside world. Yes, I'd like to fix that. Recently we observed an enormous spike in download attempts--all of which failed. After investigating and contacting the responsible parties (fortunately, we ask our users to provide an e-mail address and most tell the truth) we learned that they were using "Internet Download Manager", a Windows application that purports to speed up and simplify downloads. In this case, IDM was opening dozens of simultaneous connections, each of which attempted to acquire a different file. The resulting logjam caused ALL of the downloads to time out, at which point the package would try again. Telling the users to disable IDM and be patient cured the problem. (In the longer term, we'll be activating per-IP connection limits, which are an imperfect but helpful solution.) RISK: The TCP/IP specification is extensive and explicit, but doesn't address simultaneous connections from the same client. As far as I can figure out, the HTTP specification doesn't offer a way for servers to suggest a maximum (let alone a way to enforce one). And overeager developers are welcome to ignore conventions and common courtesy in an attempt to gain personal benefit. Geoff Kuenning firstname.lastname@example.org http://www.cs.hmc.edu/~geoff/
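The post above describes spotting the problem only after the downloads had already failed. As an added example (my code, not Geoff Kuenning's and not anything from the iotta.snia.org site), the script below scans web-server access log lines in the common "combined" format, groups requests by client IP and one-second window, and reports any client whose request rate in a single window looks like a download accelerator opening many connections at once. The log lines, IP addresses and user-agent strings are constructed for illustration; the threshold of 8 is an assumed value, not one the post gives.

```python
"""Flag clients that open many near-simultaneous connections to a download site.

Added example, not from the RISKS post: parses Apache/nginx "combined"
access-log lines, counts requests per (client IP, one-second window) and
reports IPs whose count in any window reaches a threshold. Such a report
lets an operator see a burst of parallel downloads before the whole link
is saturated. All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# "combined" log format: ip ident user [timestamp] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "epoch": int(ts.timestamp()),
        "request": m.group("req"),
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def find_burst_clients(log_text, threshold=8, window_seconds=1):
    """Return {ip: (peak_requests_in_one_window, set_of_user_agents)} for every
    client whose request count in some window of window_seconds reaches threshold."""
    counts = defaultdict(int)   # (ip, window index) -> number of requests
    agents = defaultdict(set)   # ip -> user agents seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue            # unparseable lines are skipped, not fatal
        counts[(rec["ip"], rec["epoch"] // window_seconds)] += 1
        agents[rec["ip"]].add(rec["ua"])
    peak = defaultdict(int)
    for (ip, _window), n in counts.items():
        peak[ip] = max(peak[ip], n)
    return {ip: (n, agents[ip]) for ip, n in peak.items() if n >= threshold}


def _line(ip, second, path, ua):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [30/Jul/2013:10:15:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 1048576 "-" "{ua}"')


# Constructed sample: one client requests twelve different files in the same
# second (the download-manager pattern); two others behave normally; one line
# is garbage to show that malformed input is tolerated.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", 1, f"/traces/file{i:02d}.gz", "ConstructedDownloadManager/1.0")
     for i in range(12)]
    + [
        _line("198.51.100.4", 1, "/traces/file01.gz", "curl/7.30"),
        _line("198.51.100.4", 2, "/traces/file02.gz", "curl/7.30"),
        _line("192.0.2.9", 1, "/traces/file03.gz", "Wget/1.14"),
        "this is not a log line and should be skipped",
    ]
)


if __name__ == "__main__":
    for ip, (n, uas) in sorted(find_burst_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {n} requests in one second; agents={sorted(uas)}")
```

The window and threshold are deliberately crude: the point is to surface the pattern (many distinct files fetched by one address within a second) early enough to contact the user or enable the per-IP connection limit the post mentions, rather than to diagnose it from the timeouts after the fact.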
Lucian Constantin, *ITBusiness*, 26 Jul 2013 http://www.itbusiness.ca/article/microsoft-almost-90-percent-of-citadel-botnets-in-the-world-disrupted-in-june selected text: But one security researcher says he believes Microsoft had already been controlling about 1,000 of the 4,000 Citadel-related domain names, since its researchers were using them to track the botnets. He also adds Microsoft modified settings on people's computers without getting their permission, as it sent configuration files to infected computers connecting to the sinkhole servers. [Said researcher posted https://www.abuse.ch/?pS62 about this.]
David Linthicum, InfoWorld, 30 Jul 2013 Due to PRISM, non-U.S. firms are avoiding Stateside cloud providers, but government access to cloud data can't be stopped http://www.infoworld.com/d/cloud-computing/cloud-adoption-suffers-in-the-wake-of-nsa-snooping-223606 opening text: According to a survey by the Cloud Security Alliance, 10 percent of the CSA's non-U.S. members have canceled a contract with a U.S.-based cloud provider due to fears of U.S. government abuse of their citizens' data, a fear stoked by revelations of extensive spying on electronic communications by the U.S. National Security Agency through its PRISM program. Moreover, 56 percent said they were now less likely to use an American company.
Margaret Sullivan, *The New York Times*, 28 Jul 2013 Sometimes James Risen feels like Jean Valjean, the beleaguered protagonist of "Les Miserables," hounded for years by the authorities. "They just keep coming at me," Mr. Risen, a Times reporter in Washington, told me by phone last week. It has been 10 years since he learned of a secret C.I.A. program to interfere with Iran's quest for nuclear weapons, and six since he got an ominous FedEx package containing a government subpoena. Since then, it has been one legal hurdle after another, trying to stay out of court. Just over a week ago, another blow came: A federal appeals court panel ruled, 2 to 1, against his effort to avoid testifying in the government's case against Jeffrey Sterling, a former C.I.A. official charged with leaking secret information about the matter. Mr. Risen's lawyers, backed by a flotilla of press organizations and journalists, argue that his testimony isn't necessary and that First Amendment protections, combined with legal precedent, should keep him out of court. Unwilling to testify, Mr. Risen may end up in jail. Meanwhile, the distractions and the continued scrutiny of government investigators - sure to make sources skittish - have hurt his ability to do his job. That's a shame given the importance of his work: it was Mr. Risen and his Times colleague Eric Lichtblau who disclosed the Bush administration's eavesdropping on American citizens without warrants, and the recent revelations of National Security Agency surveillance have built on that foundation. The chilling ruling by the United States Court of Appeals for the Fourth Circuit said that even though a journalist has promised confidentiality to a source, "there is no First Amendment testimonial privilege, absolute or qualified, that protects a reporter from being compelled to testify by the prosecution or the defense in criminal proceedings about criminal conduct that the reporter personally witnessed or participated in." 
National security necessitates that those who illegally leak classified information be brought to justice, the court said. It added that it saw no clear legal justification for treating a reporter differently than any other citizen, and that "other than Sterling himself, Risen is the only witness who can identify Sterling as a source (or not) of the illegal leak." ... http://www.nytimes.com/2013/07/28/public-editor/a-blow-for-the-press-and-for-democracy.html
[More on the item in RISKS-27.39] Samantha Henry, Associated Press, 25 Jul 2013 NEWARK, N.J. (AP) - Four Russian nationals and a Ukrainian have been charged with running a sophisticated hacking organization that penetrated computer networks of more than a dozen major American and international corporations over seven years, stealing and selling at least 160 million credit and debit card numbers, resulting in losses of hundreds of millions of dollars. Indictments were announced Thursday in Newark, where U.S. Attorney Paul Fishman called the case the largest hacking and data breach scheme ever prosecuted in the United States. Princeton-based Heartland Payment Systems Inc., which processes credit and debit cards for small to mid-sized businesses, was identified as taking the biggest hit in a scheme starting in 2007 - the theft of more than 130 million card numbers at a loss of about $200 million. Atlanta-based Global Payment Systems, another major payment processing company, had nearly 1 million card numbers stolen, with losses of nearly $93 million, prosecutors said. The indictment did not put a loss figure on the thefts at some other major corporations, including Commidea Ltd., a European provider of electronic payment processing for retailers. The government said hackers in 2008 covertly removed about 30 million card numbers from its computer network. About 800,000 card numbers were stolen in an attack on the Visa network, but the indictment did not cite any loss figure. ... http://www.boston.com/business/news/2013/07/25/russians-ukrainian-charged-massive-hacking/zj9q9jvyKAKT6FTgD7YdLI/singlepage.html
For the first time in many years, I suddenly feel ahead of the technology. I have two cable boxes, one to feed the actual television and a secondary box to feed the (antiquated) VCR. Since they are located close to each other, I fabricated a sliding cover to obscure the sensor on the secondary box. Should these intrusive cable boxes become real products, I foresee a niche market for similar covers that would obscure the spy sensors while still allowing desired remote functions.
> If a car is scanned that shows a potential offence, an alert sounds and
> displays the reason why the car is suspected to be illegal.

Wow. So failure to pay a tax is now grounds for immediate arrest. Gotta catch those tax evaders right away! It'd be unforgivably dangerous to let them drive another ten miles and catch them the old-fashioned way. (Note that by definition, the government knows who they are, so most of them aren't going to be dodging the tax man for very long.) If you're "disqualified for some other offence" then anybody who happens to borrow your car is at risk of false arrest, at best wasting both their time and that of the police. That's not what I'd call good design. And in the future, what a great tool this will be for apprehending the dastardly mastermind who dared to post a video of a burning poppy. Or, if you're not afraid of government overreaching, there's always the fact that The Sun might bribe somebody to search the records to prove that a particular politician was cheating on his wife. I'll take my privacy, thanks. I can stand to live in a world with a few tax evaders and even the occasional faulty brakes. Geoff Kuenning email@example.com http://www.cs.hmc.edu/~geoff/
>> The changes duly took place this year, in anticipation of the benefits of
>> the new system... I wonder if any of the decision-makers had heard of
>> "counting your chickens before they're hatched"?

This situation reminded me that this is the 20th anniversary of the publication of my favourite book about computing of all time, namely "Digital Woes: Why We Should Not Depend on Software" by Lauren Ruth Wiener. Inspired partly by stories from RISKS as well as by the author's personal experiences as a writer of software documentation and observer of the development process, this book is still as relevant today as it was in 1993, despite containing not one reference to the World-Wide Web, or indeed, as far as I can recall, any other part of the Internet. Everyone who is even remotely connected to any software development process should read this book. Wiener gave examples of projects similar to this one, where exaggerated savings on personnel and other overheads from the new computer system were used to pay for the system, thus creating a double bind for executives when the system failed to materialise, leaving them with no staff and no money to re-hire them. It seems that we have learned very little in the intervening 20 years.