Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Understanding of the saga of Malaysian MH 370 is still considerably murky. The currently plausible seems to be that the plane apparently suffered some sort of electrical technological failure with fire and intense smoke, or perhaps human-aided catastrophic failure mode that might have eventually led to the incapacitation of the crew (and presumably everyone on board) -- despite all of the aircraft's would-be modular redundancy. In its last few hours, the autopilot had evidently been enabled (only a single button push is required to continue on the existing course), and the plane apparently then continued to fly without any crew member's assistance until it ran out of fuel somewhere in the south Indian Ocean. Even with the limited radar and electronic tracking, computation of the exact location of its demise is subject to many real-time variables (winds, altitude, temperature, and so on) in a very remote area. Very little seems known about the reasons for and effects of the earlier large changes in direction (an initial zig and then zag) and altitude (up and then down). There are still many unanswered questions—as to the cause, the reasons for the initial zig-zag (perhaps the pilot frantically tried to head toward an emergency landing on the nearest island with a landing strip), how the crew became disabled, and whether the sequence of unanticipated events unfolded, with perhaps some combination of inadvertent and/or malicious human actions involved. It appears that unanticipated accidental causes, possibly with together pilot inability to cope with overwhelming circumstances, are sufficient to explain most of what happened, although the possibility of some malicious human actions is still not out of the question. The Malaysian government and other geopolitical forces certainly contributed to the overall confusion. In response, some people have suggested that black-box data should be transmitted in real time to reliable remote repositories (truly cloud servers?). That might have been very effective in this case, to help determine the initial series of events, although it might not have helped to pinpoint the site of the ultimate crash site—where adequate satellite communication coverage may not have existed, and where the data may have been simply overwritten after the subsequent hours of continued flight.
[Thanks to Simon Davies <simon@privacy.org> for spotting this one. PGN] UK police action over "liking" a Facebook post could signal a dangerous prosecution trend http://www.privacysurgeon.org/blog/incision/uk-police-action-over-liking-a-facebook-post-could-signal-a-dangerous-prosecution-trend/ [like a look? look alike? MITI likes arose? PGN]
What if you don't want your Smart Key to automatically unlock the doors of your Chevrolet Volt when it gets within three feet of the car? Well, unfortunately, Chevrolet (General Motors) apparently never thought about this scenario as they didn't design in a way to turn off this feature. Interesting story about a woman who can't take her key with her surfing (because it isn't water proof) and can't lock it in her car either because it will automatically unlock her doors if she does. http://techpageone.dell.com/downtime/smart-key-pretty-dumb/
Hilary Stout, Bill Vlasic, Danielle Ivory and Rebecca R. Ruiz *The New York Times*, 24 Mar 2014 It was nearly five years ago that any doubts were laid to rest among engineers at General Motors about a dangerous and faulty ignition switch. At a meeting on May 15, 2009, they learned that data in the black boxes of Chevrolet Cobalts confirmed a potentially fatal defect existed in hundreds of thousands of cars. But in the months and years that followed, as a trove of internal documents and studies mounted, G.M. told the families of accident victims and other customers that it did not have enough evidence of any defect in their cars, interviews, letters and legal documents show. Last month, G.M. recalled 1.6 million Cobalts and other small cars, saying that if the switch was bumped or weighed down it could shut off the engine's power and disable air bags. ... http://www.nytimes.com/2014/03/25/business/carmaker-misled-grieving-families-on-a-lethal-flaw.html
Brian Jackson, *IT Business*, 24 Mar 2014 http://www.itbusiness.ca/news/casl-destined-to-be-challenged-on-grounds-it-violates-charter-rights-lawyers/47627 opening text: Canada's regulations to limit unwanted e-mail messages from businesses have been four years in the making, but if organizations representing the business community get their way, it could unravel much faster than that. Canada's Anti-Spam Legislation (CASL) is set to come into effect July 1 and requires businesses to receive consent from consumers before sending them commercial messages via e-mail or any other digital channel. But members of the business community and lawyers critical of the new law say the first organization fined by the enforcement regime will likely challenge it in court on the basis that it violates the Charter's protection of free speech. In this case, it would be a limitation on commercial speech.
Richard Ledgett, Deputy Director of the NSA, recently responded to Edward Snowden in a 30-minute TED Talk interview with Chris Anderson: https://www.ted.com/talks/richard_ledgett_the_nsa_responds_to_edward_snowden_s_ted_talk also on YouTube: https://www.youtube.com/watch?v=zLNXIXingyU Although this interview has been covered in the press, so far the articles I've seen missed an important exchange between Ledgett and Anderson. At ~7:40 into this interview, Chris asked Richard about the NSA's BULLRUN program to weaken Internet encryption standards, and then at ~27:30 Chris asks about the NSA's exploitation of existing Internet vulnerabilities. Richard never directly answered the question about weakening encryption, but he did declare that the NSA discloses to vendors the "overwhelming majority" of vulnerabilities that the NSA finds. Of course, no actual statistics were given about the number of vulnerabilities that were disclosed, nor how long the NSA took before such disclosures were made, nor how ethical it would be for the NSA to leave US citizens, companies, banks, and state & local governments at continuing risk of attacks from the vulnerabilities that the NSA preferred not to disclose. But Ledgett emphatically claimed that Snowden's disclosures of these vulnerabilities compromised national security, thus equating "Internet vulnerabilities" with "national security"; i.e., it is the NSA's policy to preserve Internet vulnerabilities in the interest of "national security". Nine months after Snowden's disclosures, I'm still trying to get my head around how an agency of the U.S. government which is paid by my tax dollars and which is sworn to protect me, arrogantly thinks that keeping me, my identity, and my computers vulnerable to all the bad actors in the world is somehow improving my "national security". The NSA has apparently taken up Saddam Hussein's tactics and decided to use me—and you and every American citizen with a computer—as a "human shield" against terrorists. Any damage to our identities and bank accounts are merely collateral damage and acceptable losses in this war on terrorists, drug dealers and paedophiles. In the best gung-ho Vietnam-war-like bravado, "we [the NSA] had to destroy the Internet in order to save it". At the very minimum, the NSA's view is an exceedingly provincial and warped view of "national security". It's time for these NSA guys/gals to "come out of the cold" and get a real job in the commercial sector to help to actually protect each and all of us from those bad actors on the Internet.
Jack Gillum, Associated Press, 22 Mar 2014 Police across the country may be intercepting phone calls or text messages to find suspects using a technology tool known as Stingray. But they're refusing to turn over details about its use or heavily censoring files when they do. Police say Stingray, a suitcase-size device that pretends it's a cell tower, is useful for catching criminals, but that's about all they'll say. For example, they won't disclose details about contracts with the device's manufacturer, Harris Corp., insisting they are protecting both police tactics and commercial secrets. The secrecy - at times imposed by nondisclosure agreements signed by police - is pitting obligations under private contracts against government transparency laws. Even in states with strong open records laws, including Florida and Arizona, little is known about police use of Stingray and any rules governing it. A Stingray device tricks all cellphones in an area into electronically identifying themselves and transmitting data to police rather than the nearest phone company's tower. Because documents about Stingrays are regularly censored, it's not immediately clear what information the devices could capture, such as the contents of phone conversations and text messages, what they routinely do capture based on how they're configured or how often they might be used. ... http://abcnews.go.com/Technology/wireStory/police-quiet-cell-tracking-technology-23016515
Molly Wood, *The New York Times*, blog, 19 Mar 2014 It's officially a post-Snowden and post-WhatsApp world, and my inbox is filled with pitches from companies promoting their secure messaging apps. But can you trust them? As the messaging wars heat up, security seems to be the big differentiator -the levels of security range from "military grade" to lightweight, depending on the app. But all of them have one thing in common, said the cryptographer and security expert Bruce Schneier: You shouldn't use them if your life is on the line. Mr. Schneier said when it comes to evaluating the security of a secure messaging app, the real question lies in why you need it. ... http://bits.blogs.nytimes.com/2014/03/19/can-you-trust-secure-messaging-apps/
Lewis Morgan, IT Governance, 25 Mar 2014 Microsoft 'zero day' vulnerability http://blog.itgovernance.co.uk/microsoft-zero-day-vulnerability-previewing-emails-in-outlook-can-lead-to-malware-infection-2/ opening text: On 24 March Microsoft released details about a vulnerability in Microsoft Word that can be used to infect computers with malware. The disturbing part however, is that computers can be infected from just 'previewing' an e-mail in Microsoft Outlook.
Alina Tugend, *The New York Times*, 21 Mar 2014 This is the situation: Customers search for a particular hotel and click on a link. They think they've landed on the official hotel website, but unknowingly they really have arrived at an unrelated site of a hotel booking company. They're promised great deals - and warned that rooms are going fast - but it turns out these so-called bargains are often worse than what's offered directly by the hotel. Many people have discovered this practice the hard way. Randy Ratliff, a lawyer in Kentucky; Debbie Greenspan, a hospitality expert in Maryland; and dozens of other people have posted comments online saying they were duped when they thought they were booking rooms on hotel websites, only to wind up fighting credit card charges from companies they had never heard of. ... http://www.nytimes.com/2014/03/22/your-money/third-party-hotel-booking-sites-can-mislead-consumers.html
Charlie Savage, *The New York Times*, 24 Mar 2014 http://www.nytimes.com/2014/03/25/us/obama-to-seek-nsa-curb-on-call-data.html WASHINGTON - The Obama administration is preparing to unveil a legislative proposal for a far-reaching overhaul of the National Security Agency's once-secret bulk phone records program in a way that - if approved by Congress - would end the aspect that has most alarmed privacy advocates since its existence was leaked last year, according to senior administration officials. Under the proposal, they said, the N.S.A. would end its systematic collection of data about Americans' calling habits. The bulk records would stay in the hands of phone companies, which would not be required to retain the data for any longer than they normally would. And the N.S.A. could obtain specific records only with permission from a judge, using a new kind of court order. ...
"In its effort to curtail access to Twitter, Turkey is getting more aggressive with a block of the service's IP address, according to sources inside Turkey as well as a DNS provider. That means that changing their DNS server, whether it be Google DNS or OpenDNS, will no longer work for residents in the country ... But the latest move by the government will make it more difficult, but not quite impossible, for residents to access Twitter. By blocking Twitter at the IP level, DNS services will no longer work. Instead, citizens are being urged to access the service via VPN or by using the Tor anonymity network." http://j.mp/NE9nmr (Techcrunch via NNSquad) - - - If the government of Turkey comes knocking on the Internet Governance door any time soon as things stand now, slam it in their face. [This has no end, apparently. For example, browse on `Turkey blocks YouTube days after Twitter ban'. PGN]
[...] Many groups have voiced outrage and many have suggested manually changing the DNS servers so that twitter can be accessed again. A day later, Google's DNSs (8.8.8.8 and 8.8.4.4) also have been blocked in Turkey. Likewise, the IP addresses belonging to twitter.com have also been blocked. Despite all these measures of censorship, the use of Twitter in Turkey has exploded, thanks to proxy servers, alternative DNS servers, and VPN servers. It has been said that Egypt's Mubarrak has remained in power for only 16 days after banning social networks in the country, thus Turks are hopeful that already three of those sixteen days have already gone by.
Yaniv Taigman, Ming Yang, Marc'Aurelio Ranzato, Lior Wolf DeepFace: Closing the Gap to Human-Level Performance in Face Verification Conference on Computer Vision and Pattern Recognition (CVPR) Abstract In modern face recognition, the conventional pipeline consists of four stages: detect => align => represent => classify. We revisit both the alignment step and the representation step by employing explicit 3D face modeling in order to apply a piecewise affine transformation, and derive a face representation from a nine-layer-deep neural network. This deep network involves more than 120 million parameters using several locally connected layers without weight sharing, rather than the standard convolutional layers. Thus we trained it on the largest facial dataset to date, an identity-labeled dataset of four million facial images belonging to more than 4,000 identities, where each identity has an average of over a thousand samples. The learned representations coupling the accurate model-based alignment with the large facial database generalize remarkably well to faces in unconstrained environments, even with a simple classifier. Our method reaches an accuracy of 97.25% on the Labeled Faces in the Wild (LFW) dataset, reducing the error of the current state of the art by more than 25%, closely approaching human-level performance. ... https://www.facebook.com/publications/546316888800776/ https://www.facebook.com/download/388286407980383/deepface.pdf [Potentially an interesting advance. This might work fairly well for small groups of subjects. But note that a 2.75% inaccuracy rate would represent 27,500 false identifications for each million subjects. One potential question for Homeland Security: For how many known terrorists are there 1000 images, and for how many unknown terrorists are there any known images? PGN]
Please report problems with the web pages to the maintainer