"Newegg, an online retailer that has made a name for itself fighting the non-practicing patent holders sometimes called "patent trolls," sits on the losing end of a lawsuit tonight. An eight-person jury came back shortly after 7:00pm and found that the company infringed all four asserted claims of a patent owned by TQP Development, a company owned by patent enforcement expert Erich Spangenberg. The jury also found that the patent was valid, apparently rejecting arguments by famed cryptographer Whitfield Diffie. Diffie took the stand on Friday to argue on behalf of Newegg and against the patent." [http://bit.ly/1iaAV0I via NNSquad] [Insanity. Idiocy. LW]
Newegg trial: Crypto legend takes the stand, goes for knockout patent punch http://j.mp/1em2DSC (Ars Technica) "We've heard a good bit in this courtroom about public key encryption," said Albright. "Are you familiar with that?" "Yes, I am," said Diffie, in what surely qualified as the biggest understatement of the trial. "And how is it that you're familiar with public key encryption?" "I invented it."
Lee Vinsel has posted a provocative piece on "Autonomous Vehicles and the Labor Question." The post sets a couple of recent discussion topics - a New Yorker article on self-driving cars, and the 60 Minutes profile of Jeff Bezos [1 Dec 2013]—into a richer context, including the connections between the industrial and digital economies, and what these new technologies might mean for human labor (aka "jobs"). [The highlight of the Charlie Rose's interview with Bezos was clearly the film snippet of an Octocopter drone delivering a book from Amazon to someone at his doorstep. The risks of collisions, spoofing, and so on were never mentioned. PGN] http://leevinsel.com/blog/2013/12/2/autonomous-vehicles-and-the-labor-question
http://www.foreignpolicy.com/articles/2013/11/19/stuxnets_secret_twin_iran_nukes_cyber_attack First two paras: Three years after it was discovered, Stuxnet, the first publicly disclosed cyberweapon, continues to baffle military strategists, computer security experts, political decision-makers, and the general public. A comfortable narrative has formed around the weapon: how it attacked the Iranian nuclear facility at Natanz, how it was designed to be undiscoverable, how it escaped from Natanz against its creators' wishes. Major elements of that story are either incorrect or incomplete. That's because Stuxnet is not really one weapon, but two. The vast majority of the attention has been paid to Stuxnet's smaller and simpler attack routine—the one that changes the speeds of the rotors in a centrifuge, which is used to enrich uranium. But the second and "forgotten" routine is about an order of magnitude more complex and stealthy. It qualifies as a nightmare for those who understand industrial control system security. And strangely, this more sophisticated attack came first. The simpler, more familiar routine followed only years later —and was discovered in comparatively short order.
FYI—This secret number was probably taped to the bottom of the "red phone"... "The Onion" and "SNL" couldn't make up this story; and the people in charge of the PAL program must have laughed hysterically at the movie Dr. Strangelove, but for a totally different reason from the rest of us... http://www.dailymail.co.uk/news/article-2515598/Launch-code-US-nuclear-weapons-easy-00000000.html Dial 00000000 for Armageddon. U.S.'s top secret launch nuclear launch code was frighteningly simple *Daily Mail*, 29 Nov 2013 UPDATED: 21:59 EST For nearly 20 years, the secret code to authorize launching U.S. nuclear missiles, and starting World War III, was terrifyingly simple and even noted down on a checklist. From 1962, when John F Kennedy instituted PAL encoding on nuclear weapons, until 1977, the combination to fire the devastating missiles at the height of the Cold War was just 00000000. This was chosen by Strategic Air Command in an effort to make the weapons as quick and as easy to launch as possible, as reported by Today I Found Out. The Permissive Action Link (PAL) is a security device for nuclear weapons that it is supposed to prevent unauthorized arming or detonation of the nuclear weapon. JFK signed the National Security Action Memorandum 160 in 1962 that required all nuclear missiles to be fitted with a PAL system. But nuclear experts claim the military was worried about the possibility of command centers or communication lines being destroyed in real nuclear war, stopping soldiers getting the codes or authorization to launch missiles when they were actually needed. So they simply left the security code for the weapons as eight zeros, getting around the security safeguards. Dr. Bruce G. Blair, worked as a Minuteman launch officer between 1970 and 1974. He has written several articles about nuclear command and control systems. In a paper called Keeping Presidents in the Nuclear Dark, he wrote that Strategic Air Command 'remained far less concerned about unauthorized launches than about the potential of these safeguards to interfere with the implementation of wartime launch orders.' Incredibly, he also writes that the vital combination for America's nuclear deterrent was even helpfully noted down for the officers. 'Our launch checklist in fact instructed us, the firing crew, to double-check the locking panel in our underground launch bunker to ensure that no digits other than zero had been inadvertently dialed into the panel,' Dr Blair wrote. According to Today I Found Out, Blair wrote an article in 1977 entitled The Terrorist Threat to World Nuclear Programs. This claimed that it would take just four people working together to launch nuclear missiles from the silos he had worked in. That very same year all the PAL systems were activated, and the nuclear codes were changed. Hopefully to something more complicated than 00000000. [Bob Frankston noted a Gizmodo article by Karl Smallwood, 29 Nov 2013: For 20 Years the Nuclear Launch Code at US Minuteman Silos Was 00000000 http://gizmodo.com/for-20-years-the-nuclear-launch-code-at-us-minuteman-si-1473483587 PGN]
"RBS today admitted that it had failed to invest properly in IT systems for decades, as customers woke up to find money had been emptied from their accounts by a computer glitch" . http://www.dailymail.co.uk/news/article-2517106/NatWest-RBS-Cyber-Monday-mel tdown-EMPTIES-customers-bank-accounts.html Curiously frank admission by a bank, that. According to the paper, the CEO said "'I will be outlining plans in the New Year for making RBS the bank that our customers and the UK need it to be. This will include an outline of where we intend to invest for the future." Let's hope the 'outline' is sufficient to support a generous budget request, and 'the future' is not too far off. Being the Daily Mail, the journalism is heavy on emotive stuff such as "I couldn't purchase milk for my four-week-old baby" but RISKS readers ought to be able to guess at how this incident, and the associated adverse publicity and Twitter storm, may have affected the RBS (Royal Bank of Scotland) brand. Dr Gary Hinson, IsecT CEO, http://isect.com http://NoticeBored.com http://SecurityMetametrics.com http://www.iso27001security.com/ ISO27001security.com
Jon Gold, InfoWorld, 26 Nov 2013 Latest Bitcoin security breach affects major European exchange, which shuts down personal wallet service http://www.infoworld.com/d/security/million-dollar-robbery-rocks-bitcoin-exchange-231617 [Gene Wirchenko noted "Bitcointalk.org warns passwords in danger after DNS attack" Jeremy Kirk, InfoWorld, 02 Dec 2013 Some users are advised to change their passwords after the site's DNS registrar was breached http://www.infoworld.com/d/security/bitcointalkorg-warns-passwords-in-danger-after-dns-attack-231842 Also see http://arstechnica.com/security/2013/11/bitcoins-skyrocketing-value-ushers-in-era-of-1-million-hacker-heists/ ]
Report: Bitcoin Miners being planted in programs being surreptitiously installed on users' computers http://j.mp/1eBaID5 (Techienews via NNSquad) "These miners surreptitiously carry out Bitcoin mining operations on the user's system consuming valuable CPU time without explicitly asking for user's consent. Because of the extensive mathematical calculations involved, the mining operation consumes a lot of CPU resource and renders the user's system almost useless for regular operations. Malwarebytes first came across such an instance of a Bitcoin miner when one of the users of its software requested for assistance on November 22 through a forum post."
"Cable tech could hit a gigabit today, but why bother when customers lack choice?" http://j.mp/1gwJ1g8 (Ars Technica via NNSquad)
Nico van Eijk, a Dutch professor in Information Law, is of the opinion that the Dutch intelligence service has crossed the boundaries of Dutch legislation. "They use sweeps to collect data from all users of web forums. The use of these techniques could easily lead to mass surveillance by the government." IT specialist Matthijs Koot says that the exploitation of this technology can lead to a blurring of the lines between normal citizens and legitimate targets of the intelligence services. http://j.mp/1cSrI6f (NRC via NNSquad) [I suppose this is new form of Dutch Treat, where the Dutch and their government split the costs? PGN]
[courtesy of a Netherlands news groups web post. Don't have any info on their veracity] NSA infected 50,000 computer networks with malicious software The American intelligence service - NSA - infected more than 50,000 computer networks worldwide with malicious software designed to steal sensitive information. Documents provided by former NSA-employee Edward Snowden and seen by this newspaper, prove this. A management presentation dating from 2012 explains how the NSA collects information worldwide. In addition, the presentation shows that the intelligence service uses "Computer Network Exploitation" (CNE) in more than 50,000 locations. CNE is the secret infiltration of computer systems achieved by installing malware, malicious software. rest: http://www.nrc.nl/nieuws/2013/11/23/nsa-infected-50000-computer-networks-with-malicious-software/
"The government is to order broadband companies to block extremist websites and empower a specialist unit to identify and report content deemed too dangerous for online publication. The crime and security minister, James Brokenshire, said on Wednesday that measures for censoring extremist content would be announced shortly. The initiative is likely to be controversial, with broadband companies already warning that freedom of speech could be compromised." http://j.mp/1fMvofe (Guardian via NNSquad) Maybe also try block sites of political critics? No matter, a thousand proxies will bloom, for good or ill. That's the reality, like it or not.
http://j.mp/188F4hr (Public Knowledge via NNSquad) Yesterday, new FCC Chairman Tom Wheeler delivered his first formal public address. After a prepared speech that explained his regulatory approach, he moved to a Q&A session. In that session, he appeared to endorse the opposite of net neutrality: allowing ISPs to charge websites and services in order to reach that ISP's subscribers. In other words, giving ISPs the power to pick winners and losers online. This endorsement was all the more unexpected because it followed his explicit endorsement of "net neutrality" and a speech that touted the FCC's role in protecting the public interest. [This might give new meaning to "Wheeler Dealer". PGN]
Serdar Yegulalp | InfoWorld, 22 Nov 2013 Security experts investigate roots and motive behind surprise rerouting of Internet traffic through Belarus and Iceland http://www.infoworld.com/t/network-security/malice-or-mistake-cyber-sleuths-weigh-in-internet-hijack-attack-231445
Sean Gallagher, Ars Technica, 22 Nov 2013 Revenge porn is just the tip of the iceberg when it comes to cyber-domestic abuse. The e-mail's subject line was "Interested in hiring you." The sender, a woman, said she had seen me on a local Baltimore news show talking about revenge porn, and she was "interested in talking to you about some work." She gave an office phone number, and her e-mail address was from a large local hospital system, so I thought it might be for some sort of speaking engagement. It was anything but. When I contacted her, the woman told me her life had been turned upside down by her ex-boyfriend. He had hacked her phones, her voicemail, and her family's computer, and he was blocking her out of her digital life. She was looking for someone to help her regain control. To some, those claims might sound like paranoia. But there are thousands of incidents of this type of abusive use of technology annually, perpetrated by (mostly male) spouses or partners. The most public forms of tech-centered abuse, especially revenge porn, are getting attention from legislators across the US right now. But these incidents are not entirely new. For more than a decade, domestic violence and "intimate partner" stalking and harassment have relied heavily on technology. The most recent comprehensive study on stalking and domestic violence, conducted by the Department of Justice in 2006, found that more than 887,000 people were aware that they were victims of cyber stalking or electronic monitoring in that year alone. And that was a year before the iPhone was released and well before the smartphone boom really began. ... http://arstechnica.com/tech-policy/2013/11/a-spurned-techies-revenge-locking-down-his-exs-digital-life/
"Irene Abezgauz from the Quotium Seeker Research Center identified a security flaw in Facebook privacy controls. The vulnerability allows attackers to see the friends list of any user on Facebook. This attack is carried out by abusing the 'People You May Know' mechanism on Facebook, which is the mechanism by which Facebook suggests new friends to users." http://j.mp/1birbxG (Quotium via NNSquad)
Saleh was so troubled by what he saw that he decided to install video cameras in his store. Not to protect himself from criminals, because he says he has never been robbed. He installed the cameras—15 of them -- to protect him and his customers from police. http://www.miamiherald.com/2013/11/21/v-fullstory/3769823/in-miami-gardens-store-video-catches.html
Gone without any backups! Never do this. http://www.youtube.com/watch?v=xUD0LE0lx6g
[Brian sets the record straight after a RISKS posting 27.5 years ago! PGN] RISKS-2.56 (30 May 1986, http://catless.ncl.ac.uk/Risks/2.56.html#subj1) carried an article passed on by me from the (London) Guardian, under the heading "A joke that went wrong". The newspaper article described a court case in which Mr Dean Talboys "admitted criminal damage at Acton crown court in the first British prosecution for electronic graffiti". A bug in some software that he was creating as a (harmless) practical joke, on a system that was in "test mode", accidentally caused disruption at his employer's headquarters when the computer was switched to "operational mode". (The article does not indicate the cause of this switch, but there is no suggestion that Mr Talboys was responsible.) There has I learn been a long-lasting effect of this incident, in that ever since Internet searches on his (rather unusual) name have frequently led people to this article, and to their drawing unjustified conclusions about him. This followup message to RISKS should from now on also be found by people doing Internet searches on his name, and thus should help alleviate an unfortunate situation. Brian Randell, School of Computing Science, Newcastle University, Newcastle upon Tyne, NE1 7RU, UK Brian.Randell@ncl.ac.uk +44 191 222 7923 http://www.cs.ncl.ac.uk/people/brian.randell - - - - - Begin forwarded message: Date: 27 November 2013 21:00:26 GMT From: <firstname.lastname@example.org<mailto:email@example.com>> To: Brian Randell <firstname.lastname@example.org> Subject: RE: A joke that went wrong Hi Brian, Very well put and much appreciated. With respect to the "switch", it is worth pointing out that this was a typical mainframe environment where systems, operations, and development existed as autonomous units. The only way I could have been held fully responsible for the failure was if I had requested the systems programmer to move the test program into the live environment. Not only was the program incomplete when I left to join a consultancy, it was perhaps three months later that the problem occurred (I had enough of a job explaining it to my QC, who was concerned the public jury would not get it at all). The only reason they came after me was the fact that my employee number was hard coded into a conditional statement - hardly the action of someone intent on damage or financial gain. Personally, I think Dixon's were a little annoyed at me leaving so soon after they had trained me on ManTIS but then it was the 80s and companies were stealing employees left, right and centre. They were no different in that respect. It struck me that there is a cruel irony considering the circumstances, you the contributor to a magazine intended for a limited readership, which through the actions of a third-party, Google, unintentionally leads to a much wider audience. Thanks again and have a nice Christmas! Dean
Willis died at 93. He was a colleague, friend, and continual inspiration. He was one of the nicest people I ever met. It is almost impossible to do his passing justice here, but I thought I would excerpt a few comments. Gene Spafford <email@example.com> https://www.cerias.purdue.edu/site/blog/post/the_passing_of_a_pioneer/ * Willis worked at the Institute for Advanced Studies for John von Neumann, building an early computer system. * He helped build the Johnniac. * He was at RAND for more than 40 years. * He was heavily involved early in the ACM. * He was the founding president of AFIPS. * The Ware Report in 1967 was one of the real landmarks http://www.rand.org/pubs/reports/R609-1/index2.html * In 1972, he chaired the Advisory Committee on Automated Personal Data Systems for HEW (now HHS). "Records, Computers, and the Rights of Citizens http://www.rand.org/content/dam/rand/pubs/papers/2008/P5077.pdf * That influenced the Privacy Act of 1974 http://epic.org/privacy/1974act/ * He was the first chairman of the Information System and Privacy Advisory Board formed under the Computer Security Act of 1987 * He was one of the most honored professionals in computing. [LONG LIST] Dr. Willis H. Ware was truly a pioneer computer scientist, an early innovator in computing education, one of the founders of the field of computer security, and an early proponent of the need to understand appropriate use of computing and the importance of privacy. His dedication to the field and the public interest was both exceptional and seminal. (The New York Times* apparently ran two different obits, http://www.nytimes.com/aponline/2013/11/27/business/ap-us-obit-willis-ware.html?hp&_r=0 and another by John Markoff on 3 Dec 2013, who quoted Willis from 1966: "The computer will touch men everywhere and in every way, almost on a minute-by-minute basis. Every man will communicate through a computer, whatever he does. It will change and reshape his life, modify hs career, and force him to accept a life of continuous change." He was incredibly wise. Overall, he called 'em as he saw 'em. and he was usually right on the mark. PGN
Susan Crawford - Nov 27, 2013 "The technology involved is called cellular interception. The active variety of this, the `IMSI catcher', is a portable device that masquerades as a mobile phone tower...Because the security hole that allows for this snooping is associated with 2G mobile networks, any 2G phone can be fooled by an IMSI catcher. To bring in newer phones, corporate spies and other criminals can easily jam nearby 3G, 4G and long-term evolution, or LTE, networks so that phones associated with them “think” they have to fall back on 2G networks. All phones, no matter how modern, continue to work in 2G mode, because carriers are reluctant to make the investments required to move up from 2G networks nationwide...As things stand, U.S. mobile networks can easily be exploited by criminals and by foreign governments." http://www.bloomberg.com/news/print/2013-11-27/the-spyware-that-enables-mobile-phone-snooping.html robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory Westford, MA 01886 781-981-5767 http://www.haystack.mit.edu
With all the current kerfuffle over Healthcare in the US and elsewhere, the November-December 2013 IEEE Security and Privacy magazine has a timely special issue devoted to Healthcare IT. The articles (in addition to the Guest Editors' Introduction by Kelly Caine and Michael Lesk, and the concluding Point/Counterpoint with Deborah Peel and Deven McGraw) are * Nonconfidential Patient Types in Emergency Clinical Decision Support * Electronic Medical Regords: Confidentiality, Care, and Epidemiology * Securing Information Technology in Healthcare * Identity Management—In Privacy We Trust: Bridging the Trust Gap in eHealth Environments
Many of us have experimented what it means to be disabled—by sitting in a wheelchair for a few minutes or putting a blindfold over our eyes. In Digital Outcasts: Moving Technology Forward without Leaving People Behind -- author Kel Smith details the innumerable obstacles disabled people have to deal with in their attempts to use computers and the Internet. Smith writes that despite our growing potential to augment human capability and competence through technology—the innovation curve sometimes leaves behind people who could most benefit. Full book review at http://www.rsaconference.com/blogs/447/rothke/digital-outcasts-moving-technology-forward-without-leaving-people-behind
Please report problems with the web pages to the maintainer