Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Blog/comment: On January 2nd , IMS Health Holdings announced it will sell stock on the New York Stock Exchange. IMS joins other major NYSE-listed corporations that derive significant revenue from selling sensitive personal health data, including General Electric, IBM, United Health Group, CVS Caremark, Medco Health Solutions, Express Scripts, and Quest Diagnostics. * IMS buys and aggregates sensitive "prescription" records, "electronic medical records", "claims data", and more to create "comprehensive", "longitudinal" health records on "400 million" patients. * All purchases and subsequent sales of personal health records are hidden from patients. Patients are not asked for informed consent or given meaningful notice. * IMS Health Holdings sells health data to "5,000 clients", including the US Government. * Despite claims that the data sold is "anonymous", computer science has long established that re-identification is easy. * See brief 3-page paper by Narayanan and Shmatikov at: http://www. cs.utexas.edu/~shmat/shmat_cacm10.pdf) * See Prof. Sweeney's paper on re-identifying patient data sold by states like WA at: http://thedatamap.org/risks.html * "Our solutions, which are designed to provide our clients access to our deep healthcare-specific subject matter expertise, take various forms, including information, tailored analytics, subscription software and expert services." (from IMS Health Holding's SEC filing <http://www.sec.gov/Archives/edgar/data/1595262/000119312514000659/d628679ds1.htm>) Quotes from IMS Health Holding's SEC filing<http://www.sec.gov/Archives/edgar/data/1595262/000119312514000659/d628679ds1.htm>: "We have one of the largest and most comprehensive collections of healthcare information in the world, spanning sales, prescription and promotional data, medical claims, electronic medical records and social media. Our scaled and growing data set, containing over 10 petabytes of unique data, includes over 85% of the world's prescriptions by sales revenue and approximately 400 million comprehensive, longitudinal, anonymous patient records." IMS buys "proprietary data sourced from over 100,000 data suppliers covering over 780,000 data feeds globally". How can this business model be legal? How can companies that US citizens' personal health data is "proprietary data", a corporate asset, and sell it? If personal health data 'belongs' to anyone, surely it belongs to the individual, not to any corporation that handles, stores, or transmits that information. Americans' strongest rights to control personal information are our rights to control personal health information. We have constitutional rights to health information privacy which are not trumped by the 2001 elimination of the right of consent from HIPAA (see: http://patientprivacyrights.org/truth-hipaa/ ). HIPAA is the "floor" for privacy rights, not the ceiling. Strong state and federal laws, and medical ethics require consent before patient data is used or disclosed. 10 state constitutions grant residents a right to privacy, and other states constitutions have been interpreted as giving residents a right to privacy (like TX). Surely FTC would regard the statement filed with the SEC as evidence of unfair and deceptive trade practices. US patients' health data is being unfairly and deceptively bought and sold. Can the SEC deny IMS Health the opportunity to offer an IPO, since its business model is predicated on hidden purchase and sale of Americans' personal health data? If we can't control the use and sale of our most sensitive personal information, data about our minds and bodies, isn't our right to privacy worthless? deb [http://www.modernhealthcare.com/> [http://modernhealthcare.com/graphics/mh_spacer.gif] Healthcare Business News http://www.modernhealthcare.com/article/20140103/NEWS/301039958 [http://www.modernhealthcare.com/apps/pbcsi.dll/storyimage/CH/20140103/NEWS/301039958/AR/0/AR-301039958.jpg> IMS Health files for IPO Rachel Landen, Modern Health Care, 3 Jan 2014 <mailto:rlanden@modernhealthcare.com> Healthcare information technology<http://www.modernhealthcare.com/section/articles?tagID=66> company IMS Health Holdings<http://www.modernhealthcare.com/section/articles?tagID=4307> is going public. The Danbury, Conn.-based company, which provides analytics and consulting services to more than 5,000 clients in the healthcare sector, filed Thursday with the Securities and Exchange Commission<http://www.sec.gov/Archives/edgar/data/1595262/000119312514000659/d628679ds1.htm> for an initial public offering of $100 million. The $100 million figure is used to calculate registration fees with the SEC and could become upwards of $750 million when the deal occurs, according to IPO investment firm Renaissance Capital. IMS Health was acquired nearly four years ago when affiliates of TPG Global, CPP Investment Board Private Holdings and Leonard Green & Partners purchased the company in a leveraged buyout for just under $6 billion. In the succeeding years, IMS Health has invested approximately $587 million in 22 acquisitions, including Seattle-based software-as-a-service company Appature and Web-based analytics company PharmaDeals. The company plans to use the net proceeds from the IPO to repay a portion of its long-term debt, which was approximately $4.9 million when the company reported its most recent quarterly earnings as of Sept. 30, 2013, according to a release from IMS Health. For the nine months ended Sept. 30, IMS Health showed revenue of close to $1.9 billion. JPMorgan Chase & Co., Goldman Sachs Group and Morgan Stanley are managing the IPO. IMS Health said the company plans to apply to list its common stock on the New York Stock Exchange using the symbol IMS.
Kira Peikoff, *The New York Times*, 30 Dec 2013 I like to plan ahead; that much I knew about myself before I plunged into exploring my genetic code. I'm a healthy 28-year-old woman, but some nasty diseases run in my family: coronary heart disease, rheumatoid arthritis, Alzheimer's and breast cancer. So I decided to read the tea leaves of my DNA. I reasoned that it was worth learning painful information if it might help me avert future illness. Like others, I turned to genetic testing, but I wondered if I could trust the nascent field to give me reliable results. In recent years, a handful of studies have found substantial variations in the risks for common diseases predicted by direct-to-consumer companies. I set out to test the tests: Could three of them agree on me? The answers were eye-opening - and I received them just as one of the companies, 23andMe, received a stern warning from the Food and Drug Administration over concerns about the accuracy of its product. At a time when the future of such companies hangs in the balance, their ability to deliver standardized results remains dubious, with far-reaching implications for consumers. ... http://www.nytimes.com/2013/12/31/science/i-had-my-dna-picture-taken-with-varying-results.html
Marilynn Marchione | AP Chief Medical Writer, 2 Jan 2014 A sophisticated, real-world study confirms that dialing, texting or reaching for a cellphone while driving raises the risk of a crash or near-miss, especially for younger drivers. But the research also produced a surprise: Simply talking on the phone did not prove dangerous, as it has in other studies. This one did not distinguish between handheld and hands-free devices -- a major weakness. And even though talking doesn't require drivers to take their eyes off the road, it's hard to talk on a phone without first reaching for it or dialing a number -things that raise the risk of a crash, researchers note. Earlier work with simulators, test-tracks and cellphone records suggests that risky driving increases when people are on cellphones, especially teens. The 15-to-20-year-old age group accounts for 6 percent of all drivers but 10 percent of traffic deaths and 14 percent of police-reported crashes with injuries. For the new study, researchers at the Virginia Tech Transportation Institute installed video cameras, global positioning systems, lane trackers, gadgets to measure speed and acceleration, and other sensors in the cars of 42 newly licensed drivers 16 or 17 years old, and 109 adults with an average of 20 years behind the wheel. ... http://www.bostonglobe.com/news/nation/2014/01/01/study-documents-dangers-texting-dialing-while-driving/vf6KfSfRwFGRIIXNRIcviM/story.html?s_campaignƒ15
Sheila G. Klauer, Ph.D., Feng Guo, Ph.D., Bruce G. Simons-Morton, Ed.D., M.P.H., Marie Claude Ouimet, Ph.D., Suzanne E. Lee, Ph.D., and Thomas A. Dingus, Ph.D. N Engl J Med 2014; 370:54-59, 2 Jan 2014 DOI: 10.1056/NEJMsa1204142 From the Virginia Tech Transportation Institute (S.G.K., F.G., S.E.L., T.A.D.) and the Department of Statistics, Virginia Polytechnic Institute and State University (F.G.) - both in Blacksburg; the Eunice Kennedy Shriver National Institute of Child Health and Human Development, Bethesda, MD (B.G.S.-M.); and the University of Sherbrooke, Sherbrooke, QC, Canada (M.C.O.). Abstract BACKGROUND Distracted driving attributable to the performance of secondary tasks is a major cause of motor vehicle crashes both among teenagers who are novice drivers and among adults who are experienced drivers. METHODS We conducted two studies on the relationship between the performance of secondary tasks, including cell-phone use, and the risk of crashes and near-crashes. To facilitate objective assessment, accelerometers, cameras, global positioning systems, and other sensors were installed in the vehicles of 42 newly licensed drivers (16.3 to 17.0 years of age) and 109 adults with more driving experience. RESULTS During the study periods, 167 crashes and near-crashes among novice drivers and 518 crashes and near-crashes among experienced drivers were identified. The risk of a crash or near-crash among novice drivers increased significantly if they were dialing a cell phone (odds ratio, 8.32; 95% confidence interval [CI], 2.83 to 24.42), reaching for a cell phone (odds ratio, 7.05; 95% CI, 2.64 to 18.83), sending or receiving text messages (odds ratio, 3.87; 95% CI, 1.62 to 9.25), reaching for an object other than a cell phone (odds ratio, 8.00; 95% CI, 3.67 to 17.50), looking at a roadside object (odds ratio, 3.90; 95% CI, 1.72 to 8.81), or eating (odds ratio, 2.99; 95% CI, 1.30 to 6.91). Among experienced drivers, dialing a cell phone was associated with a significantly increased risk of a crash or near-crash (odds ratio, 2.49; 95% CI, 1.38 to 4.54); the risk associated with texting or accessing the Internet was not assessed in this population. The prevalence of high-risk attention to secondary tasks increased over time among novice drivers but not among experienced drivers. CONCLUSIONS The risk of a crash or near-crash among novice drivers increased with the performance of many secondary tasks, including texting and dialing cell phones. (Funded by the Eunice Kennedy Shriver National Institute of Child Health and Human Development and the National Highway Traffic Safety Administration.) ... Full text http://www.nejm.org/doi/full/10.1056/NEJMsa1204142 PDF http://www.nejm.org/doi/pdf/10.1056/NEJMsa1204142
John Markoff, *The New York Times*, online 29 Dec 2013, print 30 Dec 2013 Palo Alto, Calif. Computers have entered the age when they are able to learn from their own mistakes, a development that is about to turn the digital world on its head. http://www.nytimes.com/2013/12/29/science/brainlike-computers-learning-from-experience.html Yeah, well no matter how slick you make them, I bet I can always run around their backside and put my hands over their eyes and say "guess who?"
My time-travel experiments have always worked. Unfortunately, I am only able to move forward in time. [TNX! You are very lucky person. Knowing what you now know, you can simply leap ahead to avoid certain foreseen risks. PGN]
Ransomware is one of the most blatant and obvious criminal's money making
schemes out there, and increasing rapidly. Prison Locker uses Blowfish to
encrypt all available files each with a different key. It then encrypts all
of those keys with RSA 2048, and sends the results back to the attacker.
Sudhir K. Bansal, The Hacker News, 3 Jan 2014 [PGN-ed]
http://thehackernews.com/2014/01/power-locker-ransomware-upcoming_3.html#
[I note that in the middle of this item is an ad for United Airlines
flights to Boston. Might this be a useful clue to the source? Or is
United suggesting ransomware on flights, where they might charge more to
let you OFF THE PLANE?]
[People sometimes ask me why there is so much security-related content
in RISKS, when I have always tried to keep a balance between safety,
reliability, survivability, and other -ilities. Once again, the answer
seems to be that's where things have been focused lately. The
low-hanging fruit of security seems to be MUCH LOWER HANGING than that
of safety and other RISKS concerns. Some of you may have noticed, as is
the case in this issue, that I always try to put the non-security items
first in each issue—assuming there are any. What has been rather
startling lately is that there are sometimes no such items! PGN]
Summary: Bloomberg News anchor hands his fellow anchors some Bitcoin printout/gift certificates. With all the numbers clearly visible on tv. As [Russia Today]'s story has it: The user, who goes by the name "milywaymasta," took to Reddit to explain what happened. "The guy that is hosting the series gave bitcoin gift certificates to the other two hosts. One of them opens up the certificate to reveal QR code of the private key," he wrote. "They then proceeded to show a closeup of the QR code in glorious HD for about 10 seconds. Hilarious." "I took it, it was only $20 worth. It was exhilarating nevertheless..." -- he offered it back, and he and the anchorman laughed it through. The risks aren't, of course, just for Bitcoin. rest: http://rt.com/usa/bloomberg-anchor-robbed-bitcoin-747/ On a related RISK, it seems that the Russia Today website is frequently offline courtesy of various denials of service and other attacks. Surprisingly they've been pretty quiet about what exactly has been happening.
30 Dec 2013 via Dave Farber <http://www.youtube.com/watch?vœrkhTM5Fks> From Stellar Wind to PRISM, Boundless Informant to EvilOlive, the NSA spying programs are shrouded in secrecy and rubber-stamped by secret opinions from a court that meets in a faraday cage. The Electronic Frontier Foundation's Kurt Opsahl explains the known facts about how the programs operate and the laws and regulations the U.S. government asserts allows the NSA to spy on you. Talk given by Kurt Opsahl, Senior Staff Attorney, Electronic Frontier Foundation (EFF) [Video: 1:03:16 in length, very informative talk]
Zach Miners, InfoWorld, 3 Jan 2014 Snapchat, feeling the heat, will let users opt out of compromised feature New controls will let people stop themselves from being searchable based on their phone numbers http://www.infoworld.com/d/security/snapchat-feeling-the-heat-will-let-users-opt-out-of-compromised-feature-233366
Candice So, *IT Business*, 3 Jan 2014 http://www.itbusiness.ca/article/how-did-snapchat-get-hacked
Claudiu Popa, *IT Business*, 3 Jan 2014 http://www.itbusiness.ca/blog/do-your-pcs-leak-valuable-intel-with-every-windows-error-report/45873
[From Dave Farber]
The most detailed and authoritative (public) version is probably
http://tomnichols.net/blog/2013/12/20/update-were-u-s-nuclear-codes-set-to-zero-bruce-blair-responds/
By the way, this topic *is* relevant to cryptography. Gustavus Simmons,
https://en.wikipedia.org/wiki/Gustavus_Simmons , cryptographer at Sandia
Labs and co-founder of the IACR, was involved in the creation of the
Permissive Action Links (PALs) that prevent the bombs from arming unless
they receive the right launch code.
In fact there's an allegation that public-key crypto was invented for the
PALs, before the Stanford crowd did it:
http://csl.illinois.edu/news/nuclear-weapons-permissive-action-links-and-history-public-key-cryptography
John
PS: Gus Simmons was also key to making the test-ban treaties work, by
providing cryptographic protocols that allowed sensors to be placed in each
others' countries, that would report back only what the treaty allowed them
to report, with no covert channels for additional information, and
verification that the sensor packages had not been tampered with.
The cryptography mailing list
cryptography@metzdowd.com <javascript:;>
http://www.metzdowd.com/mailman/listinfo/cryptography
... the Nuclear Launch Code at US Minuteman Silos Was 00000000 [via Dave Farber] tl;dr -> `launch codes' are a class of information that enables (when authorized by EMERGENCY WAR ORDERS) the USE of a nuclear weapon; the drop of a bomb, the launch of a missile, the employment of a tactical nuclear charge, etc. If you get these orders and codes, you are not being enabled or ASKED to use the weapon, you are being ORDERED to use the weapon. PAL codes are not launch codes; they are a code, input to the nuclear weapon itself, that unlocks the nuclear weapon to move it from being a protected, inert chunk of materials into being a real weapon that is capable of detonation; this is all about the transfer of custodial control of a nuclear device from the storage/maintenance/deployment forces to the operational forces. more detail: On the Titan, which is referenced in the article, a launch required both EWO (emergency war order) authentication, plus the “butterfly valve” code in order to unlock the fuel system on the Titan to allow for a launch. The butterfly valve is unique in its cryptologic protection; there is a single digit number of times that it can be activated before it completely locks up and needs a major maintenance event to replace the entire unit (taking the missile offline for a considerable time) Crews were much warned to be very careful entering codes. During certain exercises the real (non-repeating) codes were used; no launch crew ever knew how many cycles were already on the valve. good article that mentions the butterfly valve code here, although my belief is that it is not stored with in the EWO safe but is instead issued from National Command Authority with the launch authorization codes. http://www.crypto.com/blog/titans/ and THIS is VERY likely the real source for this reporters misunderstanding of what is and is not a launch code: https://www.cs.columbia.edu/~smb/talks/pal.pdf In this presentation, the author misuses the term `launch code' for `PAL code', and it seems a perfect dovetail to the journalist error. Summary: Terrible journalism - there are about 5 google searches that will turn up everything that anyone could want to know about all of this, PALs and launch codes, and valve codes, and everything—but the truth is nowhere near as spectacular. doug
http://www.dailymail.co.uk/news/article-2515598/Launch-code-US-nuclear-weapons-easy-00000000.html According to Tom Berson, “Gus tells a story, and if you know Gus, you know he told it more than once. Here it is, to the best of my memory.'' One day, his manager at Sandia Laboratories stepped in to his office and said, "Gus, I need a random number, right now." Gus immediately replied, "Zero." The manager objected, "That's not a random number." Gus, "Oh, yes it is." Manager, "Well, it doesn't look random." Gus, "You asked for a random number, not a random-looking number."
Please report problems with the web pages to the maintainer