... and you thought "Y2k-like" bugs were ancient history.
http://pittsburgh.cbslocal.com/2014/07/10/14000-draft-notices-sent-to-pa-men-born-in-1800s/
FYI—Q: If the NSA hacked this device & caused a woman to get pregnant, would the NSA legally become the father of the child & be liable for child support? What if NSA-weakened encryption enabled someone else to hack the device?

Sarah Gray, *Salon*, 7 Jul 2014
The device, developed by MicroCHIP, can last up to 16 years
http://www.salon.com/2014/07/07/birth_control_of_the_future_could_be_activated_with_a_wireless_remote/

The company MicroCHIP, based in Massachusetts, is developing a rather futuristic form of contraception: a microchip that lasts for 16 years and can be easily turned off, no doctor's appointment necessary. The concept was conceived two years ago when Bill Gates visited Robert Langer's MIT lab. Gates, according to MIT Technology Review, mused over whether it was possible to create a birth control that could easily be turned on or off as desired. Langer thought a product he invented with Michael Cima and John Santini in the 1990s might work, which was licensed to MicroCHIP. The chip would be wireless, and could be controlled by the patient via remote control. Doctors, too, could control dosage remotely.

MIT Technology Review explains the technology: "The device measures 20 x 20 x 7 millimeters, and it is designed to be implanted under the skin of the buttocks, upper arm, or abdomen. It dispenses 30 micrograms a day of levonorgestrel, a hormone already used in several kinds of contraceptives. Sixteen years' worth of the hormone fits in tiny reservoirs on a microchip 1.5 centimeters wide inside the device. MicroCHIP invented a hermetic titanium and platinum seal on the reservoirs containing the levonorgestrel. Passing an electric current through the seal from an internal battery melts it temporarily, allowing a small dose of the hormone to diffuse out each day."

Gates is no stranger to sexual health technology. In 2013, the Bill and Melinda Gates Foundation challenged innovators to build a better condom -- one that would protect against unwanted pregnancy, sexually transmitted infections and feel good—to entice more folks to use them.

The microchip device is still in the testing phase, and is not yet FDA approved. CNET reports: "So far, the chips have been tested in a human clinical trial, delivering osteoporosis medication to post-menopausal women over a one-month period, demonstrating that the technology works, producing no adverse immune reaction, and demonstrating the durability of the chip. The device was implanted using a local anesthetic, and the procedure took no more than 30 minutes."

There are, of course, large kinks to work out before this could become a viable contraceptive method (not including political battles over birth control). A commenter on MIT Technology Review worries about who could potentially control such a device without the woman's consent. It is a rather scary prospect. The chips would need all sorts of encryption to protect data and keep the device safe from hackers. As technology entwines itself more and more within the fabric of our being—quite literally in this case—we must tread carefully, especially in terms of health.

MIT Technology Review, CNET
Dan Goodin, Ars Technica
More evidence the Internet of things treats security as an afterthought.

In the latest cautionary tale involving the so-called Internet of things, white-hat hackers have devised an attack against network-connected lightbulbs that exposes Wi-Fi passwords to anyone in proximity to one of the LED devices. The attack works against LIFX smart lightbulbs, which can be turned on and off and adjusted using iOS- and Android-based devices. Ars Senior Reviews Editor Lee Hutchinson gave a good overview here of the Philips Hue lights, which are programmable, controllable LED-powered bulbs that compete with LIFX. The bulbs are part of a growing trend in which manufacturers add computing and networking capabilities to appliances so people can manipulate them remotely using smartphones, computers, and other network-connected devices. A 2012 Kickstarter campaign raised more than $1.3 million for LIFX, more than 13 times the original goal of $100,000. ...
http://arstechnica.com/security/2014/07/crypto-weakness-in-smart-led-lightbulbs-exposes-wi-fi-passwords/
Update closes backdoor allowing unauthorized control of sensitive messaging gear.
Dan Goodin, Ars Technica, 2 Jul 2014

Cisco Systems has released a security update that closes a backdoor allowing attackers to control software that large organizations use to manage voice over IP (VoIP) calls and messaging over their networks. The default secure shell (SSH) key made it possible for hackers to gain highly privileged administrative access to the Cisco Unified Communications Domain Manager, the networking company warned in an advisory published Wednesday. From there, intruders could execute arbitrary commands or gain persistent access to the systems. The advisory didn't explicitly say that attackers could monitor discussions or track the times that calls or messages were made and who sent and received them, but it wouldn't be surprising if those capabilities were also possible. In an e-mail, a Cisco representative said these capabilities were not possible. In addition to VoIP management, the Cisco Unified Communications Domain Manager also allows users to manage Cisco Jabber, a cloud-based service for instant messaging, voice and video communications, desktop sharing, and conferencing. ...
http://arstechnica.com/security/2014/07/private-crypto-key-stashed-in-cisco-voip-manager-allows-network-hijacking/
Jon Brodkin, Ars Technica via NNSquad, 15 Jul 2014 http://arstechnica.com/information-technology/2014/07/fccs-awful-website-crashes-on-last-day-for-initial-net-neutrality-comments/ "Today is the last day to file initial comments on the Federal Communications Commission's network neutrality proposal, and the FCC's ancient website is unable to handle the load. This morning when trying to access the form to submit comments and the list of already submitted comments, I got an error message that said: "could not inspect JDBC autocommit mode." I also got this much longer and more entertaining error message: ..."
[Pew Research via Dave Farber] The Pew Research Center's 2014 Global attitudes survey asked 48,643 respondents in 44 countries what they thought about the American government monitoring communications, such as e-mails and phone calls, in the U.S. and other countries. Specifically, global publics were asked whether the U.S. government's alleged monitoring of communications from individuals suspected of terrorist activities, American citizens, citizens of the survey countries or the leaders of the survey countries is acceptable or unacceptable. http://www.pewglobal.org/2014/07/14/nsa-opinion/
FYI—How thin is the line between "hacking online polls" and "hacking online elections"?

Glenn Greenwald, *The Guardian*, 14 Jul 2014
Hacking Online Polls and Other Ways British Spies Seek to Control the Internet
https://firstlook.org/theintercept/2014/07/14/manipulating-online-polls-ways-british-spies-seek-control-internet/

The secretive British spy agency GCHQ has developed covert tools to seed the Internet with false information, including the ability to manipulate the results of online polls, artificially inflate pageview counts on web sites, "amplify" sanctioned messages on YouTube, and censor video content judged to be "extremist". The capabilities, detailed in documents provided by NSA whistleblower Edward Snowden, even include an old standby for pre-adolescent prank callers everywhere: A way to connect two unsuspecting phone users together in a call. The tools were created by GCHQ's Joint Threat Research Intelligence Group (JTRIG), and constitute some of the most startling methods of propaganda and Internet deception contained within the Snowden archive. Previously disclosed documents have detailed JTRIG's use of "fake victim blog posts," "false flag operations," "honey traps" and psychological manipulation to target online activists, monitor visitors to WikiLeaks, and spy on YouTube and Facebook users. But as the U.K. Parliament today debates a fast-tracked bill to provide the government with greater surveillance powers, one which Prime Minister David Cameron has justified as an "emergency" to "help keep us safe," a newly released top-secret GCHQ document called "JTRIG Tools and Techniques" provides a comprehensive, bird's-eye view of just how underhanded and invasive this unit's operations are. The document—available in full here -- is designed to notify other GCHQ units of JTRIG's "weaponised capability" when it comes to the dark Internet arts, and serves as a sort of hacker's buffet for wreaking online havoc.
The "tools" have been assigned boastful code names. They include invasive methods for online surveillance, as well as some of the very techniques that the U.S. and U.K. have harshly prosecuted young online activists for employing, including "distributed denial of service" attacks and "call bombing." But they also describe previously unknown tactics for manipulating and distorting online political discourse and disseminating state propaganda, as well as the apparent ability to actively monitor Skype users in real-time—raising further questions about the extent of Microsoft's cooperation with spy agencies or potential vulnerabilities in its Skype's encryption. Here's a list of how JTRIG describes its capabilities:

* "Change outcome of online polls" (UNDERPASS)
* "Mass delivery of e-mail messaging to support an Information Operations campaign" (BADGER) and "mass delivery of SMS messages to support an Information Operations campaign" (WARPARTH) [WARPATH? PGN]
* "Disruption of video-based websites hosting extremist content through concerted target discovery and content removal." (SILVERLORD)
* "Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists." (MINIATURE HERO)
* "Find private photographs of targets on Facebook" (SPRING BISHOP)
* "A tool that will permanently disable a target's account on their computer" (ANGRY PIRATE)
* "Ability to artificially increase traffic to a website" (GATEWAY) and "ability to inflate page views on websites" (SLIPSTREAM)
* "Amplification of a given message, normally video, on popular multimedia websites (Youtube)" (GESTATOR)
* "Targeted Denial Of Service against Web Servers" (PREDATORS FACE) and "Distributed denial of service using P2P. Built by ICTR, deployed by JTRIG" (ROLLING THUNDER)
* "A suite of tools for monitoring target use of the UK auction site eBay (www.ebay.co.uk)" (ELATE)
* "Ability to spoof any e-mail address and send e-mail under that identity" (CHANGELING)
* "For connecting two target phone together in a call" (IMPERIAL BARGE)

While some of the tactics are described as "in development," JTRIG touts "most" of them as "fully operational, tested and reliable." It adds: "We only advertise tools here that are either ready to fire or very close to being ready." And JTRIG urges its GCHQ colleagues to think big when it comes to Internet deception: "Don't treat this like a catalogue. If you don't see it here, it doesn't mean we can't build it."

The document appears in a massive Wikipedia-style archive used by GCHQ to internally discuss its surveillance and online deception activities. The page indicates that it was last modified in July 2012, and had been accessed almost 20,000 times. GCHQ refused to provide any comment on the record beyond its standard boilerplate, in which it claims that it acts "in accordance with a strict legal and policy framework" and is subject to "rigorous oversight." But both claims are questionable. British watchdog Privacy International has filed pending legal action against GCHQ over the agency's use of malware to spy on Internet and mobile phone users. Several GCHQ memos published last fall by The Guardian revealed that the agency was eager to keep its activities secret not to protect national security, but because "our main concern is that references to agency practices (ie, the scale of interception and deletion) could lead to damaging public debate which might lead to legal challenges against the current regime." And an EU parliamentary inquiry earlier this year concluded that GCHQ activities were likely illegal. As for oversight, serious questions have been raised about whether top national security officials even know what GCHQ is doing.
Chris Huhne, a former cabinet minister and member of the national security council until 2012, insisted that ministers were in "utter ignorance" about even the largest GCHQ spying program, known as Tempora—not to mention "their extraordinary capability to hoover up and store personal e-mail, voice contact, social networking activity and even Internet searches." In an October Guardian op-ed, Huhne wrote that "when it comes to the secret world of GCHQ and the [NSA], the depth of my 'privileged information' has been dwarfed by the information provided by Edward Snowden to The Guardian."
Cyrus Farivar, Ars Technica, 3 Jul 2014
NSA says it only gathers such data for "valid foreign intelligence purposes."

Two Germany-based Tor Directory Authority servers, among others, have been specifically targeted by the National Security Agency's XKeyscore program, according to a new report from German public broadcaster ARD. Tor is a well-known open source project designed to keep users anonymous and untraceable: users' traffic is encrypted and bounced across various computers worldwide to keep it hidden. This marks the first time that actual source code from XKeyscore has been published. ARD did not say how or where it obtained the code. Unlike many other NSA-related stories, the broadcaster did not specifically mention the information being part of the trove leaked by whistleblower Edward Snowden. ...
http://arstechnica.com/tech-policy/2014/07/report-rare-leaked-nsa-source-code-reveals-tor-servers-targeted/

[Mok-Kong Shen noted: Tor users identified by NSA (auf deutsch). PGN]
http://www.heise.de/newsticker/meldung/XKeyscore-Quellcode-Tor-Nutzer-werden-von-der-NSA-als-Extremisten-markiert-und-ueberwacht-2248328.html
Via the PRIVACY Forum <privacy@vortex.com> http://www.businessweek.com/articles/2014-07-03/hospitals-are-mining-patients-credit-card-data-to-predict-who-will-get-sick Imagine getting a call from your doctor if you let your gym membership lapse, make a habit of buying candy bars at the checkout counter, or begin shopping at plus-size clothing stores. For patients of Carolinas HealthCare System, which operates the largest group of medical centers in North and South Carolina, such a day could be sooner than they think. Carolinas HealthCare, which runs more than 900 care centers, including hospitals, nursing homes, doctors' offices, and surgical centers, has begun plugging consumer data on 2 million people into algorithms designed to identify high-risk patients so that doctors can intervene before they get sick. The company purchases the data from brokers who cull public records, store loyalty program transactions, and credit card purchases.
The Verrückt is to be the world's tallest and fastest water slide and was to open on 23 May 2014. In an interview, Schlitterbahn Waterparks & Resorts co-owner Jeff Henry said that "Our correction coefficients were all off. Models didn't show air and water friction. A lot of our math was based on roller coasters at first, and that didn't translate to a water slide like this."
http://www.usatoday.com/story/travel/destinations/2014/06/26/verruckt-worlds-tallest-water-slide-exclusive-ride-video/11421473,
Jordan Robertson, Bloomberg, 1 Jul 2014 [via ACM TechNews, Monday, July 7, 2014] Women occupied just over 26 percent of computer and mathematical positions in the U.S. last year, according to the U.S. Bureau of Labor Statistics. However, one area of the tech world in which women are making great gains is information security, where they outnumber men in certain positions, such as analyst and adviser, according to the International Information Systems Security Certification Consortium. Women such as ThreatGrid threat manager Tiffany Rad, for example, have found great success in information security, assuming leadership positions in both industry and academia. Women also are seeking education in the field much more than they previously did. Rad says college classes she teaches on information security law that used to be exclusively male are now almost evenly split between men and women. The success of women in information security also has come relatively quickly. Jeff Moss, founder of the DefCon and Black Hat security conferences, says although almost no women attended the conferences during the late '90s, now there are "too many to mention." Many attribute women's success in the field to its meritocratic nature. Heather Adkins, one of the founding members of Google's security staff, says the field was mired in sexism when she joined it in the late '90s, but it has markedly improved, although she says bias still persists in some areas. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-bc1fx2b625x059672&
(Hidden from Google via NNSquad): http://hiddenfromgoogle.com/

"The purpose of this site is to list all links which are being censored by search engines due to the recent ruling of "Right to be forgotten" in the EU. This list is a way of archiving the actions of censorship on the Internet. It is up to the reader to decide whether our liberties are being upheld or violated by the recent rulings by the EU."

- - -

As inevitable as the sun rising in the east. And—fascinating—it not only isn't a cloaked registration, but the registrant appears to be an identifiable person with a notable presence on the Net (including on GitHub). There is no escape from the Streisand Effect.
David Mitchell, *The Guardian* via NNSquad
http://www.theguardian.com/commentisfree/2014/jul/06/right-to-be-forgotten-internet-work-of-fiction-david-mitchell-eu-google

"People's right to suppress unpleasant lies which are publicly told is being extended to unpleasant truths—until they die when it's suddenly open season on slander. The Internet will become constructed entirely of two different sorts of untruth: contemporaneous unalloyed praise and posthumous defamatory hearsay. No one has the right to be forgotten, any more than they have the right to be remembered. Our only right in this regard should be not to be lied about. And then maybe we can try to see the unflattering facts of other people's pasts in the light of our own imperfections. I wouldn't think less of someone because his house was repossessed 16 years ago. But I would if he turned out to be a liar."
*The Washington Post* via NNSquad 5 Jul 2014 http://www.washingtonpost.com/world/national-security/in-nsa-intercepted-data-those-not-targeted-far-outnumber-the-foreigners-who-are/2014/07/05/8139adf8-045a-11e4-8572-4b1b969b6322_story.html The surveillance files highlight a policy dilemma that has been aired only abstractly in public. There are discoveries of considerable intelligence value in the intercepted messages and collateral harm to privacy on a scale that the Obama administration has not been willing to address. Among the most valuable contents, which The Post will not describe in detail, to avoid interfering with ongoing operations, are fresh revelations about a secret overseas nuclear project, double-dealing by an ostensible ally, a military calamity that befell an unfriendly power, and the identities of aggressive intruders into U.S. computer networks ... Months of tracking communications across more than 50 alias accounts, the files show, led directly to the 2011 capture in Abbottabad of Muhammad Tahir Shahzad, a Pakistan-based bomb builder, and Umar Patek, a suspect in a 2002 terrorist bombing on the Indonesian island of Bali. At the request of CIA officials, The Post is withholding other examples that officials said would compromise ongoing operations. Executive summary: Complicated. LW
http://www.huffingtonpost.com/2014/07/09/chinese-hackers_n_5572871.html WASHINGTON (AP) Chinese hackers broke into the computer networks of the U.S. Office of Personnel Management earlier this year with the intention of accessing the files of tens of thousands of federal employees who had applied for top-secret security clearances, according to The New York Times. Senior U.S. officials say the hackers gained access to some of the agency's databases in March before the threat was detected and blocked, the Times reported in an article posted on its website Wednesday night. How far the hackers penetrated the agency's systems was not yet clear, the newspaper said. Accusations of hacking by China and counterclaims of such activity by the U.S. government have strained U.S.-Chinese relations. Chinese hacking has been a major theme of U.S.-China discussions this week in Beijing, though both sides have publicly steered clear of the controversy. In May, the Justice Department filed a 31-count indictment against five Chinese military officials operating under hacker aliases and accused them of penetrating computer networks of a half-dozen steel companies and makers of solar and nuclear technology to gain a competitive advantage. The Chinese government denied the allegations and suspended a working group on cyber rules that was to be part of the annual "Strategic and Economic Dialogue" this week. The Office of Personnel Management houses personal information for all federal employees. Those applying for security clearances would be expected to provide such information as foreign contacts, previous jobs, past drug use and other personal details, the newspaper reported. The Times quoted an unidentified senior U.S. official as saying that the attack had been traced to China but that it wasn't clear whether the hackers were part of the government. 
A Homeland Security Department official confirmed to the Times that an attack occurred but said no loss of personally identifiable information had been identified. The Office of Personnel Management oversees a system by which federal employees applying for security clearances enter financial data and other personal information, the Times said, and those who maintain such clearances are required to update their information through that system. Agencies and contractors use the information to investigate employees. The attack in March was not announced even though the Obama administration has urged U.S. companies to share information about breaches in security with the government and with consumers, the newspaper reported. "The administration has never advocated that all intrusions be made public," Caitlin Hayden, a spokeswoman for the Obama administration, said in a statement to the Times. "We have advocated that businesses that have suffered an intrusion notify customers if the intruder had access to consumers' personal information. We have also advocated that companies and agencies voluntarily share information about intrusions." Hayden said the administration had no reason to believe that personally identifiable information for employees had been compromised.
FYI—They now have to also worry about the xerox machines...
http://www.theguardian.com/world/2014/jul/15/germany-typewriters-espionage-nsa-spying-surveillance

Germany 'may revert to typewriters' to counter hi-tech espionage
Politicians claim communications technology is mistrusted in wake of US spying allegations and NSA surveillance revelations
Philip Oltermann in Berlin, theguardian.com, Tuesday 15 July 2014 10.51 BST

German politicians are considering a return to using manual typewriters for sensitive documents in the wake of the US surveillance scandal. The head of the Bundestag's parliamentary inquiry into NSA activity in Germany said in an interview with the Morgenmagazin TV programme that he and his colleagues were seriously thinking of ditching e-mail completely. Asked "Are you considering typewriters" by the interviewer on Monday night, the Christian Democrat politician Patrick Sensburg said: "As a matter of fact, we have—and not electronic models either". "Really?", the surprised interviewer checked. "Yes, no joke", Sensburg responded. During the continuing row over alleged US spying operations in Germany, there had been speculation that the CIA may have actively targeted the Bundestag's NSA inquiry committee. "Unlike other inquiry committees, we are investigating an ongoing situation. Intelligence activities are still going on, they are happening," said Sensburg. Last year, the Russian government reportedly took similar measures in response to proof of NSA spying, as revealed by whistleblower Edward Snowden. The federal guard service, a powerful body tasked with protecting Russia's highest-ranking officials, put in an order for 20 Triumph Adler typewriters, which create unique "handwriting" that allows its source to be traced. According to German media, revelations about digital surveillance have triggered a fundamental rethink about how the government conducts its communications.

"Above all, people are trying to stay away from technology whenever they can", wrote Die Welt. "Those concerned talk less on the phone, prefer to meet in person. More coffees are being drunk and lunches eaten together. Even the walk in the park is increasingly enjoying a revival".
Voting under duress? Some years ago, I was invited --- as a "person who knows about computers" --- to take part in a multinational commission (organised by legal/political science people) that was looking at the possibilities for introducing e-voting standards across Europe. Most countries sent delegations with a moderately technical focus, but the Swedes simply said, "We will not introduce any form of absentee voting --- including postal voting --- until we have some way to know that the person making the vote is alone in the room and cannot be subjected to any form of duress". (To this day, postal voting is only accepted at Swedish elections from people resident outside the country; I guess the pragmatic need to accept _some_ kind of vote outweighs the "duress" issue in that case.) PGN stated that Peterson is oversimplifying here. I'm not sure if that's correct. If there is a single, easy to understand, non-technical flaw that makes the technical discussion obsolete, it might be the best way to dissuade lawmakers --- who tend to be easy to befuddle with gee-whiz claims about technology --- from adopting e-voting technology. Nick Brown, Strasbourg, France. (Now retired from my previous job; hence the change of address from nick.brown@coe.int.)
> "For example, in many faux democracies, this takes the form of members of the dominant party's goon squad visiting voters at home, one by one, ...

Forget your "faux democracies"; this type of behaviour is being investigated by the Electoral Commission and the police in more than one UK local council election, and has been suggested to have occurred in national General Elections. Particularly as the variant whereby individuals of the same ethnicity as the voters - many of whom are not fluent in the English language - collect their postal voting papers to complete them ... in the spirit of being helpful, of course. This notwithstanding, eVoting would deny us the amusement of pregnant and hanging chads.
The original author got pilloried for this over on Full Disclosure, for revealing a "bug" that's been known for around thirty years, and working exactly as documented. It's sad to see RISKS picking it up. If a person chops a foot off by swinging an axe around, whose fault is it? The axe's? The manufacturer's (both of the axe and the tool-shed)? Or, heaven forbid, the user's fault? We seem to have a culture of "It's not my fault!", and finding someone else to blame does not bode well for the future.

Dave Horsfall, North Gosford NSW, Australia
Dave, This is an old topic in RISKS regarding disclosure of bugs. Contrary to your view, the attackers often find the vulnerabilities before the good guys. From a software engineering point of view, I frequently note that the buffer overflow problem was recognized and avoided in Multics around 1965. I expect your message will be followed by many others saying it's about time THIS bug in a very commonly used piece of software was finally unveiled. Maybe NOW it will be fixed pervasively!