David Undercoffler, *Los Angeles Times*, 4 Nov 2013 Honda Motor Co. has announced it is voluntarily recalling more than 344,000 Odyssey minivans to correct a problem with the vehicles' stability control software. The recall affects 344,187 Odyssey vans from the 2007 and 2008 model years. In certain circumstances, an error in the software can prevent the system from calibrating correctly, leading to pressure building up in the braking system, the National Highway Traffic Safety Administration said. If pressure builds to a certain point, "the vehicle may suddenly and unexpectedly brake hard, and without illuminating the brake lights, increasing the risk of a crash from behind," the NHTSA said. ... http://www.latimes.com/business/autos/la-fi-hy-honda-odyssey-recall-20131104,0,3097543.story http://www-odi.nhtsa.dot.gov/owners/SearchResults?searchType=ID&targetCategory=R&searchCriteria.nhtsa_idsV500000 http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM445532/RCAK-13V500-8717.pdf http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM445527/RCDNN-13V500-6142P.pdf
Leslie Harris and Joseph Lorenzo Hall Don't gerrymander the Internet http://www.indexoncensorship.org/2013/11/dont-gerrymander-internet/ We can partially blame gerrymandering for the current gridlock in the U.S. Congress. By shaping the electoral map to create politically safe spaces, we have generated a fractious body that often clashes rather than collaborates, limiting our chances of resolving the country's toughest challenges. Unfortunately, revelations about the global reach of American security surveillance programs under the National Security Agency (NSA) are leading some to propose what amounts to gerrymandering for the Internet in order to route around NSA spying. This will shackle the Internet, inherently change its technical infrastructure, throttle innovation, and likely lead to far more dangerous privacy violations around the globe. Nations are rightly upset that the communications of their citizens are swept up in the National Security Agency's pervasive surveillance dragnet. There is no question the United States has overreached and violated human rights in its collection of communications information on innocent people around the globe; however, the solution to this problem should not, and truly cannot, be data localization mandates that restrict data storage and flow. The calls for greater localization of data are not new, but the recent efforts of Brazil's President, Dilma Rousseff, to protect Brazilians from NSA spying reflected the view of many countries suddenly faced with a new threat to the privacy of the communications of their citizens. Rousseff has been an advocate for Internet freedom, so undoubtedly her proposal is well intentioned, though the potential unintended repercussions are alarming. First, it's important to consider the technical reasons why data location requirements are a really bad idea. The Internet developed in a widely organic manner, creating a network that allowed data to flow from all corners of the world—regardless of political boundaries, residing everywhere and nowhere at the same time. This has helped increase the resilience of the Internet and it has promoted significant efficiencies in data flow. As is, the network routes around damage, and data can be wherever it best makes sense and take an optimal route for delivery. Data localization mandates would turn the Internet on its head. Instead of a unified Internet, we would have a fractured Internet that may or may not work seamlessly. We would instead see districts of communications that cater to specific needs and interests—essentially we would see Internet gerrymandering at its finest. Countries and regions would develop localized regulations and rules for the Internet to benefit them in theory, and would certainly aim to disadvantage competitors. The potential for serious winners and losers is huge. Certainly the hope for an Internet that promotes global equality would be lost. Data localization may only be a first step. Countries seeking to keep data out of the United States or that want to exert more control over the Internet may also mandate restrictions on how data flows and how it is routed. This is not far-fetched. Countries such as Russia, the United Arab Emirates, and China have already proposed this at last year's World Conference on International Telecommunications. As Internet traffic begins to demand more bandwidth, especially as we witness more real-time multimedia applications, efficient routing is essential to advance new Internet services. High capacity applications like Apple's FaceTime may slow to the painful crawl reminiscent of the dial-up days of the Internet. This only begins to illustrate the challenges Internet innovators would face, but big established players like Facebook, Google and Microsoft, would potentially have the resources to abide by localization mandates—of course, only if the business case supports working in particular locales. Some countries with local storage rules may be bypassed altogether. For small or emerging businesses, data localization requirements would be a greater challenge. It would build barriers to markets and shut off channels for innovation. Few emerging businesses could afford to locate servers in every new market, and if local data server requirements become ubiquitous, it will be businesses in emerging markets that are most disadvantaged. The reality for developing nations is that protectionist measures such as data localization will further isolate local business from the global market, depriving them of the advantages for growth that are provided by the borderless Internet. Most important though, is the potential for fundamental harm to human rights due to data localization mandates. We recognize that this is a difficult argument to accept in the wake of the revelations about NSA surveillance, but data localization requirements are a double-edged sword. It is important to remember that human rights and civil liberties groups have long been opposed to data localization requirements because if used inappropriately, such requirements can become powerful tools of control, intimidation and oppression. When companies were under intense criticism for turning over the data of Chinese activists to China, Internet freedom activists were united in theirs calls to keep user data out of the country. When Yahoo! entered the Vietnamese market, it placed its servers out of the country in order to better protect the rights of its Vietnamese users. And the dust up between the governments of the United Arab Emirates, Saudi Arabia, India, and Indonesia, among others, demanding local servers for storage of BlackBerry messages in order to ensure legal accountability and meet national security concerns, was met with widespread condemnation. Now with democratic governments such as Brazil and some in Europe touting data localization as a response to American surveillance revelations, these oppressive regimes have new, albeit inadvertent, allies. While some countries will in fact store, use and protect data responsibly, the validation of data localization will unquestionably lead to many regimes abusing it to silence critics and spy on citizens. Beyond this, data server localization requirements are unlikely to prevent the NSA from accessing the data. U.S. companies and those with a U.S. presence will be compelled to meet NSA orders, and there appear to be NSA access points around the world. Data localization is a proposed solution that is distracting from the important work needed to improve the Internet's core infrastructural elements to make it more secure, resilient and accessible to all. This work includes expanding the number of routes, such as more undersea cables and fiber runs, and exchange points, so that much more of the world has convenient and fast Internet access. If less data is routed through the U.S., let it be for the right reason: that it makes the Internet stronger and more accessible for people worldwide. We also need to work to develop better Internet standards that provide usable privacy and security by default, and encourage broad adoption. Protecting privacy rights in an era of transborder surveillance won't be solved by ring fencing the Internet. It requires countries, including the U.S., to commit to the exceedingly tough work of coming to the negotiating table to work out agreements that set standards on surveillance practices and provide protections for the rights of privacy and free expression for people. Germany and France have just called for just such an agreement with the U.S. This is the right way forward. In the U.S., we must reform our surveillance laws, adopt a warrant requirement for stored email and other digital data, and implement a consumer privacy law. The standards for government access to online data in all countries must likewise be raised. These measures are of course much more difficult in the short run that than data localization requirements, but they are forward-looking, long-term solutions that can advance a free and open Internet that benefits us all. https://josephhall.org/
When Ban Ki-moon, the United Nations secretary general, sat down with President Obama at the White House in April to discuss Syrian chemical weapons, Israeli-Palestinian peace talks and climate change, it was a cordial, routine exchange. The National Security Agency nonetheless went to work in advance and intercepted Mr. Ban's talking points for the meeting, a feat the agency later reported as an "operational highlight" in a weekly internal brag sheet. It is hard to imagine what edge this could have given Mr. Obama in a friendly chat, if he even saw the N.S.A.'s modest scoop. (The White House won't say.) But it was emblematic of an agency that for decades has operated on the principle that any eavesdropping that can be done on a foreign target of any conceivable interest - now or in the future - should be done. After all, American intelligence officials reasoned, who's going to find out? From thousands of classified documents, the National Security Agency emerges as an electronic omnivore of staggering capabilities, eavesdropping and hacking its way around the world to strip governments and other targets of their secrets, all the while enforcing the utmost secrecy about its own operations. It spies routinely on friends as well as foes, as has become obvious in recent weeks; the agency's official mission list includes using its surveillance powers to achieve "diplomatic advantage" over such allies as France and Germany and "economic advantage" over Japan and Brazil, among other countries. Mr. Obama found himself in September standing uncomfortably beside the president of Brazil, Dilma Rousseff, who was furious at being named as a target of N.S.A. eavesdropping. Since then, there has been a parade of such protests, from the European Union, Mexico, France, Germany and Spain. Chagrined American officials joke that soon there will be complaints from foreign leaders feeling slighted because the agency had not targeted them. James R. Clapper Jr., the director of national intelligence, has repeatedly dismissed such objections as brazen hypocrisy from countries that do their own share of spying. But in a recent interview, he acknowledged that the scale of eavesdropping by the N.S.A., with 35,000 workers and $10.8 billion a year, sets it apart. "There's no question that from a capability standpoint we probably dwarf everybody on the planet, just about, with perhaps the exception of Russia and China," he said. Since Edward J. Snowden began releasing the agency's documents in June, the unrelenting stream of disclosures has opened the most extended debate on the agency's mission since its creation in 1952. The scrutiny has ignited a crisis of purpose and legitimacy for the N.S.A., the nation's largest intelligence agency, and the White House has ordered a review of both its domestic and its foreign intelligence collection. While much of the focus has been on whether the agency violates Americans' privacy, an issue under examination by Congress and two review panels, the anger expressed around the world about American surveillance has prompted far broader questions. If secrecy can no longer be taken for granted, when does the political risk of eavesdropping overseas outweigh its intelligence benefits? Should foreign citizens, many of whom now rely on American companies for email and Internet services, have any privacy protections from the N.S.A.? Will the American Internet giants' collaboration with the agency, voluntary or otherwise, damage them in international markets? And are the agency's clandestine efforts to weaken encryption making the Internet less secure for everyone? Matthew M. Aid, an intelligence historian and author of a 2009 book on the N.S.A., said there is no precedent for the hostile questions coming at the agency from all directions. ... http://www.nytimes.com/2013/11/03/world/no-morsel-too-minuscule-for-all-consuming-nsa.html?pagewanted=all
Ron Nixon, *The New York Times*, 3 Jul 2013 WASHINGTON - Leslie James Pickering noticed something odd in his mail last September: a handwritten card, apparently delivered by mistake, with instructions for postal workers to pay special attention to the letters and packages sent to his home. "Show all mail to supv" - supervisor - "for copying prior to going out on the street," read the card. It included Mr. Pickering's name, address and the type of mail that needed to be monitored. The word "confidential" was highlighted in green. "It was a bit of a shock to see it," said Mr. Pickering, who with his wife owns a small bookstore in Buffalo. More than a decade ago, he was a spokesman for the Earth Liberation Front, a radical environmental group labeled eco-terrorists by the Federal Bureau of Investigation. Postal officials subsequently confirmed they were indeed tracking Mr. Pickering's mail but told him nothing else. As the world focuses on the high-tech spying of the National Security Agency, the misplaced card offers a rare glimpse inside the seemingly low-tech but prevalent snooping of the United States Postal Service. Mr. Pickering was targeted by a longtime surveillance system called mail covers, a forerunner of a vastly more expansive effort, the Mail Isolation Control and Tracking program, in which Postal Service computers photograph the exterior of every piece of paper mail that is processed in the United States - about 160 billion pieces last year. It is not known how long the government saves the images. Together, the two programs show that postal mail is subject to the same kind of scrutiny that the National Security Agency has given to telephone calls and e-mail. ... http://www.nytimes.com/2013/07/04/us/monitoring-of-snail-mail.html
"Airgaps" are a long-accepted precaution. In principle, an isolated system cannot be contaminated or compromised by way of its network connections. A report in Ars Technica discusses how this long-accepted wisdom may be somewhat incomplete in the age of audio-visual enabled devices. The affair at a Philadelphia-area school, where IT technical staff remotely enabled student's integral laptop cameras demonstrated the dangers of remotely enabled cameras; we now have a preliminary report of malware communicating with other infected systems via integral speakers and microphones. Besides the tongue in cheek renaming of "air gaps" as "opaque vacuums", perhaps physical (non-software intermediated) On/Off switches on integral devices would be a good privacy feature. The original article [* by Dan Goodin] is at: http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/ Bob Gezelter, http://www.rlgsc.com [* Note: Don Goodin's article is a really fascinating one, and worth a careful read. The website also includes a response to questioning comments from readers, saying that as a journalist for more than 17 years, he has never written a spoof story, and it is completely coincidental that this one ran on Hallow'en. PGN]
"End-users must also recognize that, despite the best intentions of those stakeholders and the imprimaturs of widely-used federated credentialing technologies like OAuth, there's no guarantee that their identities cannot be stolen and abused for impersonation. Vulnerabilities exist, especially as a result of the implementation decisions that vary from developer to developer and API provider to API provider." http://j.mp/HwYZdY (Programmable Web via NNSquad) [Also noted by Prashanth Mundkur. PGN] http://blog.programmableweb.com/2013/11/04/why-the-attack-on-buffer-was-a-serious-wake-up-call-for-the-web/
My physicians expect me to sleep at night without drugs. I tried to pay my property taxes on-line. It didn't work. I got an error message of "unknown." So I e-mailed them. I got the following response. Do not read with liquid in mouth. Please. - - - - Dear Taxpayer, We apologize for the inconvenience you're getting with our new system. Please try again to submit your payment by following the instructions below: * Clear browsing history. Go to the Tools Option on the top of the page, delete browsing history. * Shut down the Internet. During the time of transaction, do not use the back arrow key. Thank you for contacting us, Miami-Dade Tax Collection <Proptax@miamidade.gov> "Delivering Excellence Every Day" [Lovely follow-up to this message omitted by Steve, including discussion of the implications of someone actually shutting down the Internet! PGN]
Salvador Rodriguez, *Los Angeles Times*, 30 Oct 2013 After originally saying that fewer than 3 million users had been affected by a cyber security breach earlier this month, Adobe is now saying that at least 38 million users' accounts were compromised. The software company, known for Photoshop and other programs, said hackers were able to obtain the Adobe IDs and encrypted passwords for about 38 million users who are active with their accounts. ... http://www.latimes.com/business/technology/la-fi-tn-adobe-cyber-breach-38-million-20131030,0,5964601.story
The denigration of degrees as a measure of angles is a particularly unfortunate example, as the various units are far more complex, and far less standard, than might have been imagined. In particular, in countries close to Finland--e.g., Sweden & Russia--local standards were traditionally different, and it took NATO (?!?) to standardize the "mil": "Note: Do not confuse the angular mil with the minute of arc (MOA). 1 trigonometric milliradian (mrad) ˜ 3.43774677078493 MOA. 1 NATO mil = 3.375 MOA (exactly)." http://en.wikipedia.org/wiki/Angular_mil http://en.wikipedia.org/wiki/Radian The risk here is in using the wrong unit of angle to aim your artillery.
> In my school days, I don't recall ever seeing non-metric measures in the > lab, and they ended before 1975. That was exactly my point: that the metric system is presented as good for use only by scientists, and has no bearing on everyday life. This is an indicator of the general attitude against science in the US, which leads to willful ignorance (of which Creationism is just one extreme example).
With what we know today, that utility network protection project may have been killed at the order of NSA, because it was secure. It seems clear that NSA feels that if anyone anywhere has a truly secure system that NSA can't monitor, then terrorists could use it, and it must be corrupted or thwarted. Who is to say that NSA is wrong? If anyone brags about having a really secure system, they would become a target for terrorists who would like to duplicate their system, or at least learn how they did it. NSA's dual role to spy on foreigners and to help assure secure domestic networking is hopelessly conflicted. I was once an electric utility employee. Today, if I was really serious about power grid security, I would be forced to reject anything recommended or mandated by government, and to nix any cooperation or reporting of security related information to government. But if I did so, then I become even more a choice terrorist target. It is a lose lose situation. That is the true extent of the damage caused by NSA's overreach. [Killed "because it was secure"? Perhaps a little overstated, where "too secure" might have been a little more realistic. As most RISKS readers know, there is no such thing as a system that cannot be compromised somehow, considering insiders, design flaws, and inherent practical limitations. It's just a question of how much effort it might take. PGN]
Amy O'Leary's item was billed as a "success story". I don't dispute that -- it is a success story. However, the *article* as quoted, is worthy of a RISKS item. Firstly, an ambiguity [* See PGN Note, below]: > This week, the start-up heard from its 10,000th user > who said the site saved her life. So is that: 10,000 (female) users each say the site has saved her life, or that the 10,000th user alone says the site saved her life? If the former, then the app probably deserves a Nobel prize for medicine: somehow it has identified a previously unknown, significant threat to female health. If the latter, then one of those remarkable that only seem to happen in press releases where [$convenient round number]th user has a major, life-threatening condition rather than a bunion. Let's assume the latter, on balance of probabilities. So has that 10,000th user just recently visited the site? > Since its founding in 2012, the site has logged nearly a billion questions > and answers, from simple queries about headaches or the flu, to more > complicated ones, like whether mechlorethamine is a cancer medication. Wow, that's... [gets out calculator to divide 1bn by 10k ;-) ]... 100,000 queries per user. Those people must be really sick! Okay, so the site must clearly have had more than 10K visitors, and the story is a follow-up on the 10,000th visited long after she visited the site. So how many people do we think have visited the site? Assuming 5 questions per user, a billion questions equates to 200m users. Hmm, that's virtually all of the US population old enough to use a computer. All using the site in the last year. It's all starting to look a bit iffy. And then we are told: > None of that would be possible without the participation > of nearly 50,000 doctors who contribute their advice free So 50k doctors answering a billion questions equals 20k questions each. Assuming 5 mins per question to answer, and 8 hour days, that's 208 days of full-time work *each* doctor has given free since the site was founded only a year ago. However do they manage to find time to see their paying patients? Okay, so enough cheap shots at an over-inflated site usage figure. The RISKS: Don't take a newspaper headline at face value (but you knew that anyway). Web site statistics given out by the sites themselves need to be independently verified (but you knew that anyway). Only in some dim, distant past did journalists question or verify the information they were given. Finally, this is absolutely not a shot at Monty Solomon nor PGN for raising and including the item: I too would like to see more success stories—I just wish that journalists would write them better. Bruce Horrocks, Hampshire, UK [PGN notes, actually, there is no *ambiguity* as written. Perhaps what Bruce is suggesting is that instead of > This week, the start-up heard from its 10,000th user > who said the site saved her life. the author should have written > This week, the start-up heard from its 10,000th user, > who said the site saved her life. Yes, the original could have been very sloppy writing, but it might even be that the author may have actually written it correctly with the comma, which got dropped by the editor. Also, in Bruce's second version, the "alone" is clearly gratuitous, because some number of women less than 10,000 might have also noted that the site had saved her life. PGN]
Please report problems with the web pages to the maintainer