http://www.thestar.com/news/canada/2014/07/29/canadian_spy_agency_says_chinese_hacked_into_national_research_council_computers.html The Canadian government took the unusual step Tuesday of pointing fingers squarely at Beijing after a cyber attack on a prominent federal scientific research agency. The federal government's chief information officer confirmed Tuesday that the National Research Council of Canada (NRC) was the target of a cyberattack from a "highly sophisticated Chinese state-sponsored actor." Laurentius (Larry) Werring, VP Systems Security, Cyberun IT Security Services, 207 Bank Street, Suite 168, Ottawa, ON K2P 2N2 Canada 1-613-297-9232 [Also noted by Suzanne Johnson. PGN]
http://thehill.com/policy/technology/213933-cia-admits-to-wrongly-hacking-into-senate-computers CIA officials improperly hacked the Senate Intelligence Committee's computers ahead of a report on `enhanced interrogation' techniques, the spy agency's inspector general has concluded. In a statement shared with The Hill, CIA spokesman Dean Boyd said that the internal watchdog determined “that some CIA employees acted in a manner inconsistent with the common understanding'' between the agency and the committee about access to the network they used to share documents. CIA chief John Brennan told Intel Committee Chairwoman Dianne Feinstein (D-Calif.) and Vice Chairman Saxby Chambliss (R-Ga.) about the findings “and apologized to them for such actions by CIA officers,'' Boyd added.
It is interesting to contemplate what confusion will be caused when a driverless car passes a speed camera at a speed above the posted limit, say, in temporary road works. It is then amusing to contemplate the scenario of a faulty speed camera falsely pinging a driverless car. An "Oh no I wasn't." / "Oh yes you were." pantomime dialogue between computers might ensue. This brings to mind the situation reported a great many years ago when the UK changed the dialing code for the telephone operator. After consumers complained of having no power, a faulty electricity substation was discovered to be repeatedly sending an automated status report to which another automated system was responding: "You no longer dial '0' for the operator. Please replace your receiver and dial '100'." The RISK is that no-one will have thought of all the RISKS. Unless, of course, they are avid readers here.
Theresa Juva-Brown, tjuva@lohud.com 30 Jul 2014 The famous Left Coast Lifter—the ginormous crane that will help build the new Tappan Zee Bridge—just got a new computer system http://www.lohud.com/story/news/local/tappan-zee-bridge/2014/07/28/tappan-zee-bridge-left-coast-lifter-gets-tech-upgrade/13287985/ selected text: This week Hiti's team finished installing the crane's new computer software and hardware, including a flat panel touch screen for the operator. The computer now uses Windows 7 and has a solid-state hard drive instead of one with cooling fans, which tend to erode in a marine environment, he said. As noted in alt.folklore.computers by Walter Bushell: "IIUC the license for Windows always states it's not to be used in critical operations. Why oh why do people insist on using OSes outside their design regions?"
David Linthicum | InfoWorld, 01 Aug 2014 A federal audit shows what's probably true at most enterprises: Cloud services are hiding in the shadows of IT http://www.infoworld.com/d/cloud-computing/the-epa-doesnt-know-what-clouds-it-has-and-neither-do-you-247150 opening text: Do you know how much cloud computing is really going on in your organization? If you're like IT management in most companies and government agencies, you don't have a clue. For example, the Environmental Protection Agency (EPA) doesn't know how many cloud computing contracts it has or how secure they are, according to a recent audit by the agency's inspector general, in a report released last week. In at least one instance, the EPA may not have had access to a subcontractor's cloud for investigative purposes. Worse, that same subcontractor was not compliant with the Federal Risk and Authorization Management Program (FedRAMP), which sets security standards for cloud providers.
"A new law imposing restrictions on users of social media has come into effect in Russia. It means bloggers with more than 3,000 daily readers must register with the mass media regulator, Roskomnadzor, and conform to the regulations that govern the country's larger media outlets. Internet companies will also be required to allow Russian authorities access to users' information. One human rights group called the move "draconian". The law was approved by Russia's upper house of parliament in April. It includes measures to ensure that bloggers cannot remain anonymous, and states that social networks must maintain six months of data on its users. The information must be stored on servers based in Russian territory, so that government authorities can gain access." BBC via NNSquad http://www.bbc.com/news/technology-28583669 - - - Don't worry, Czar Putin knows what's good for you, comrade.
Techcrunch via NNSquad http://techcrunch.com/2014/08/02/chinese-communist-party-backed-tech-giants-bring-censorship-to-the-global-stage/ "It should come as no surprise, then, that the Portuguese version of Baidu produces heavily censored results on topics considered sensitive to the Chinese leadership. Compare search results between Google's Portuguese edition and Baidu's. On Google.br.com, a search for Tank Man (el hombre del tanque) turns up photos, documentary video and news articles about the lone rebel who stood in the way of approaching tanks outside of Tiananmen Square in 1989 ..." - - - The result when one country or group of countries tries to impose its own censorship desires onto the entire planet.
*Note: You're receiving this email because you've previously petitioned the White House on cell phone unlocking.* It's Legal to Unlock Your Cell Phone Last week, Congress passed a bill legalizing cell phone unlocking -- and this afternoon, President Obama signed that bill into law. This effort began as a result of the petition you signed, "Make Unlocking Cell Phones Legal." Two weeks after the petition crossed the threshold, we laid out steps that the Federal Communications Commission (FCC), industry, and Congress could take. Your effort culminated in the Unlocking Consumer Choice and Wireless Competition Act that President Obama signed today. The bill not only restores the rights of consumers to unlock their phones, but ensures that they can receive help doing so if they lack the technological savvy to unlock on their own. It's the first time a We the People petition has led to a legislative fix. [...] The White House, 1600 Pennsylvania Ave NW, Washington, DC 20500 202-456-1111
FYI—More about the vulnerabilities associated with Fitbit/Nike/Garmin/etc. "For example in one app that tracks sexual activity, the app makes specific requests to an analytics service URL at the start and end of each session." http://www.symantec.com/connect/blogs/how-safe-your-quantified-self-tracking-monitoring-and-wearable-tech Tracking, monitoring, and wearable tech, Symantec, 30 Jul 2014 Each day, millions of people worldwide are actively recording every aspect of their lives, thoughts, experiences, and achievements in an activity known as self-tracking (aka quantified self or life logging). People who engage in self-tracking do so for various reasons. Given the amount of personal data being generated, transmitted, and stored at various locations, privacy and security are important considerations for users of these devices and applications. Symantec has found security risks in a large number of self-tracking devices and applications. One of the most significant findings was that all of the wearable activity-tracking devices examined, including those from leading brands, are vulnerable to location tracking. Our researchers built a number of scanning devices using Raspberry Pi minicomputers and, by taking them out to athletic events and busy public spaces, found that tracking of individuals was possible. Symantec also found vulnerabilities in how personal data is stored and managed, such as passwords being transmitted in clear text and poor session management. www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/how-safe-is-your-quantified-self.pdf [Long item pruned for RISKS. Main section headings include:
* How do self-tracking systems work?
* So just how safe is your quantified self?
* Location tracking of wearable devices
* Transmission of tracking and personal data in clear text (20 percent of apps transmitted user credentials in clear text.)
* Lack of privacy policies (52 percent of apps examined did not have privacy policies.)
* Unintentional data leakage (The maximum number of unique domains contacted by a single app was 14 and the average was five.)
* Other security weaknesses
* What can you do about this?
* More information: latest paper www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/how-safe-is-your-quantified-self.pdf]
Interesting thought. http://www.telegraph.co.uk/technology/google/11010182/Why-Google-scans-your-emails-for-child-porn.html Why Google scans your e-mail for child porn Google trawls both the public internet and your private data to look for images of child abuse, it has been revealed, after a convicted sex offender is arrested over the contents of his GMail account A convicted sex offender has been arrested after Google flagged images of child abuse found in his GMail account to authorities, according to reports, revealing that the search giant is quietly but methodically watching our email activity for illegal images. Google spotted that the man had illegal images of a young girl stored in his GMail account during an automated search and reported it to the US non-profit National Center for Missing and Exploited Children. A subsequent police investigation led to his arrest. [...] So, this process opens all kinds of opportunities for malicious behavior. A wants to harass B. So A sends B a known child porn image through gmail, even though B has not requested it in any way. Google identifies the image, and notifies law enforcement authorities. B is now the target of an investigation—the criminal offense being the receipt of child pornography. Even worse—if the email is not opened or goes into spam, Google probably still scans it, so B never knows he has to report anything to law enforcement authorities even though Google is reporting it to them. Folks, please think about a fix for this—and don't propose a solution that says Google should not scan those emails. Is there a way to get both the benefit of the scans and to prevent the harassment problem described above? [For those of you who want to know how Google knows an image is child porn -- they compute a hash of the image and compare it against a database of hashes of known CP images, that is images that have been adjudicated to be CP in court.] Thoughts? Thanks, Herb Lin
YouTube via NNSquad https://www.youtube.com/watch?v=FKXOucXB4a8 Using video (even consumer video) to recover sound from silent video, even from outside rooms. Using a laser bouncing off window glass has long been a technique for recovering room sounds remotely. The technology described here emphasizes the need to keep external windows completely covered during sensitive communications! Also, we can safely assume that intelligence agencies (at a minimum) have been using this technique for some time.
FYI—"[Low Resting Heart Rate] might be used to help predict future risk among criminals" Do you really want to share your FitBit/Nike/Garmin information with the FBI and the NSA ? Just sleep in the cloud... "Are Fitbit, Nike, and Garmin Planning to Sell Your Personal Fitness Data?" http://www.motherjones.com/politics/2014/01/are-fitbit-nike-and-garmin-selling-your-personal-fitness-data David Kohn, Calm Hearts, Bad Behavior, *The New Yorker*, 2 Aug 2014 http://www.newyorker.com/tech/elements/calm-hearts-bad-behavior For the past two years, researchers in Hong Kong interviewed the parents of three hundred and thirty-four adolescents about the aggressive and antisocial behavior of their children. Did the kids hurt others to win a game? Were they concerned about the feelings of their peers? The scientists also measured the heart rate of the children and found that low resting heart rate (L.R.H.R.)—usually an indicator of good cardiovascular health and the envy of distance runners and endurance athletes—was linked to bad behavior. Adrian Raine, the lead author of the Hong Kong study, which appeared in the July issue of the journal Aggressive Behavior, has been examining this odd correlation since 1977, when he studied a group of fifteen-year-old boys and found that those with a low heart rate were more likely to be convicted of crimes. Since then, Raine, a criminologist and psychologist at the University of Pennsylvania, and the author of *The Anatomy of Violence*, has become an expert on L.R.H.R. and other possible biological markers of antisocial behavior, such as brain size and neurotransmitter levels. He says that it's still not clear how the trait is connected to bad behavior. “We've established that the link exists. But we haven't nailed down why.'' There are several theories, but Raine tends to favor the fearlessness hypothesis, which says that some of those with L.R.H.R. remain undaunted by the threats that would keep most of us in check. 
When you get scared, your heart rate goes up, because your body activates to deal with the imminent hazard. By definition, people with less fear tend not to get activated in situations that others find threatening. “These people don't learn that it's wrong to be aggressive,'' Laura Wilson, a research psychologist at Virginia Tech University who has studied the topic, told me. “They don't fear consequences. They don't get sculpted into the law-abiding citizens that most people become.'' Another possibility is that people with L.R.H.R. are chronically under-aroused. “Having a low heart rate can be uncomfortable. It kind of feels like boredom,'' Amy Gower, a psychology researcher at the University of Minnesota, says. “To relieve that, some people seek stimulation through aggression.'' Raine's skeptics argue that L.R.H.R. and other biological factors play a relatively minor role in determining who becomes a criminal. “The evidence is pretty consistent that biological traits don't have a large effect,'' Robert Sampson, a social scientist at Harvard University who has studied the topic for more than two decades, told me. “Social and environmental characteristics have much more weight.'' He notes that crime rates vary widely from country to country (Spain's murder rate, for instance, is twenty-five times lower than Brazil's, and four times lower than in the United States), even though the biology of humans in those countries differs very little. Sampson says that L.R.H.R. may not be biological but, rather, the result of the same environmental factors that lead to crime: some people may adapt to chronic stress with a lower heart rate. Raine suggests that L.R.H.R. might be used to help predict future risk among criminals. Information about heart rate might help when deciding whether a prisoner should be released early, or which sort of prison best fits a particular offender. 
If this idea, in which the fate of a prisoner would be determined in part by biological data, evokes thoughts of eugenics, Raine, whose research on so-called `neurocriminology' has been controversial for decades, acknowledges that the proposal does, in fact, bring up difficult issues about science, probability, and social control. He agrees that L.R.H.R. is far from the sole determinant of criminality; his review of the research indicates that the trait accounts for about five per cent of all antisocial behavior (and that the rest can be explained by social and biological factors such as upbringing, neighborhood, education, income level, brain chemistry and structure, and so on). L.R.H.R. should be seen, Raine says, as a potential warning sign rather than a definitive mark of inevitable criminality. “Low heart rate is one piece of the jigsaw puzzle. It's not the whole story, but it's not trivial either.''
The Seattle mesh network has been at least temporarily turned off as a result of a local activism group, the Seattle Privacy Coalition. Details about that network have been requested under local freedom of information laws. Some additional links for details: https://www.seattleprivacy.org/the-sort-of-thing-we-are-curious-about/ http://www.dailydot.com/politics/seattle-police-mesh-network-shut-down/ https://twitter.com/SeattlePD/status/410248692264759297
In addition to cameras, Houston's TRANSTAR traffic monitoring system uses your toll tag's serial number to track your location around the region, and not just where you pay tolls. It then uses your location over time to estimate average speeds on the various roads along your route. And lest you think that you can avoid tracking by not getting a toll tag (something that will make your travel more difficult, since they've restricted some roads to tag-holders only), the system also uses the hardware address of your Bluetooth devices (phone, car media system, etc.), for the same purpose. Area drivers are given this assurance: "The MAC addresses read by AWAM [Anonymous Wireless Address Matching] are not directly associated with a specific user and do not contain any personal data or information that could be used to identify or 'track' an individual's whereabouts. In addition, all addresses collected by AWAM are anonymized through encryption immediately upon receipt. Users who have privacy concerns are also able to turn off the Bluetooth discovery function of their device which prevents it from being read by AWAM at all." http://traffic.houstontranstar.org/bluetooth/transtar_bluetooth.html
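The AWAM statement above says collected MAC addresses are "anonymized through encryption immediately upon receipt"; whether that actually prevents tracking depends on whether the same address always yields the same token. The following is an added example (my code, not TranStar's; reader ids, timestamps and MAC addresses are constructed) contrasting a static keyed hash, which still lets one device be followed across days, with a per-epoch rotating key that preserves the matching needed for travel-time estimates but not long-term linkage.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample sightings, not TranStar data: (reader_id, timestamp, bluetooth_mac).
# One phone passes reader R1 then R2 on two consecutive mornings; a second phone
# is seen once at R1 only.
_T0 = datetime(2014, 8, 4, 8, 0, tzinfo=timezone.utc)
SIGHTINGS = [
    ("R1", _T0, "AA:BB:CC:11:22:33"),
    ("R2", _T0 + timedelta(minutes=10), "AA:BB:CC:11:22:33"),
    ("R1", _T0 + timedelta(days=1), "AA:BB:CC:11:22:33"),
    ("R2", _T0 + timedelta(days=1, minutes=12), "AA:BB:CC:11:22:33"),
    ("R1", _T0 + timedelta(minutes=3), "AA:BB:CC:44:55:66"),
]

# Per-deployment secret (hypothetical): generated here for the demo; in a real
# system it would be provisioned and kept off the roadside readers.
MASTER_KEY = secrets.token_bytes(32)
EPOCH_SECONDS = 30 * 60  # matching window: long enough to cover one road segment


def static_token(mac: str, _ts: datetime) -> str:
    """Static keyed hash. Deterministic, so the same phone produces the same
    token at every reader on every day: a persistent identifier, not anonymity."""
    return hmac.new(MASTER_KEY, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]


def rotating_token(mac: str, ts: datetime) -> str:
    """Per-epoch keyed hash. The key is derived from (master key, epoch index),
    so tokens only match inside one epoch. Sightings still pair up within the
    window a travel-time estimate needs, but cannot be chained across epochs.
    A trip that straddles an epoch boundary is simply not matched; overlapping
    epochs would recover it at the cost of a little extra linkability."""
    epoch = int(ts.timestamp()) // EPOCH_SECONDS
    epoch_key = hmac.new(MASTER_KEY, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    return hmac.new(epoch_key, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]


def travel_times(sightings, tokenize):
    """Legitimate use: seconds between a token's R1 sighting and its R2 sighting."""
    first_seen = {}
    out = []
    for reader, ts, mac in sorted(sightings, key=lambda s: s[1]):
        tok = tokenize(mac, ts)
        if reader == "R1":
            first_seen[tok] = ts
        elif reader == "R2" and tok in first_seen:
            out.append(int((ts - first_seen.pop(tok)).total_seconds()))
    return out


def max_days_per_token(sightings, tokenize):
    """Privacy check: on how many distinct days can any single token be followed?"""
    days = {}
    for _reader, ts, mac in sightings:
        days.setdefault(tokenize(mac, ts), set()).add(ts.date())
    return max(len(d) for d in days.values())
```

Both schemes give the same travel times for the sample trips, but only the rotating scheme limits any token to a single day.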
The severity of a security breach has not been fully embraced due to the traditional assumption that a thermostat cannot function as more than a thermostat, even though users are enjoying its smartness. Wasn't the TARGET breach a variation on this? They had a system to help manage refrigeration, and the hackers got in through that system to do how much damage? The more complicated the system, the easier for hackers to spoof the people who made it complicated.
There may be more immediate issues for power companies and insurers to worry about. CBC News reports "SaskPower to remove 105,000 smart meters following fires" subheaded "8 unexplained fires associated with new devices that measure power consumption" at http://www.cbc.ca/news/canada/saskatchewan/1.2723046 and says the Saskatchewan government has ordered the provincial power utility to remove all "smart" meters installed so far across the province. The costs are estimated at $45/meter ("dumb" presumably) and $45 labour, costing $9.5M. The utility also has 100,000 more meters in stock, and estimates the effort will take 6-8 months and total cost will reach $14M. Little of this is mentioned in their Smart Meters FAQ: http://www.saskpower.com/our-power-future/construction-projects/smart-meters CBC quotes the vendor as saying "Sensus underscores the critical importance of careful meter installation procedures, including the examination of meter boxes and wiring at installation, training of meter installers and the need to have rapid remedial action when field problems are observed". This may indeed point to an issue when installing 105,000 meters in a year across areas of a large, sparsely populated province, on existing (outside) meter bases, where the annual temperature range may be (a dry) -40C to +40C. A quick web search indicates that these problems have been widespread across North America and large deployments of "smart" meters have been canceled and reversed due to some fires in a number of states. The same vendor name crops up in a number of these cancellations. Risk of not checking the reputation of the vendor and product, and possibly installers too, or inadequately weighting such evidence against many governments' requirement to accept the lowest bid offered.
Published reports on the causes and subsequent post-installation inspections mention inadequate retraining of meter readers as installers, problems reusing existing older meter bases, corrosion of bases, boxes, and connectors, broken connection blocks, melted conductors, and loose wiring connections as some of the installation issues identified. Risk of not understanding the possible impact of opening up and fiddling with an installation which may have been untouched for years or decades, and not following manufacturers' recommendations on installer training, inspection and replacement practices, and prerequisites for equipment installation. Also mentioned in some of those reports: where "smart" meter installation resumed, sometimes with different equipment from a different vendor, meter readers would be retrained and redeployed as meter inspectors, to monitor the condition and safety of the new meters. Risk of accounting only for savings from the great new thing, and ignoring any potential requirements and associated costs of going the new way. Also mentioned at the bottom of the CBC article: "Among the features of the new meters was an ability to transmit power usage data through a radio frequency, making it unnecessary for a meter reader to enter a home. That feature had not been implemented for the new meters already installed but was part of the overall plan for the new technology." My experience and understanding of "smart" meter deployment benefits has been that the costs are mainly justified by being able to have meter "readers" drive by meter locations with wireless equipment to interrogate the meter and receive the meter and usage data, thereby getting actual usage more accurately, frequently, and cheaply than occasional meter location visits and manual usage recording, with estimated usage billed between visits.
The paragraph quoted above implies that a further installation or feature enabling visit would have been necessary to gain any benefit from the new meters. Risk of having someone change something twice rather than doing everything (hopefully properly) at once doubles the chances that some issue will occur to let out the magic smoke, doubling the remediation costs (at least, as these events demonstrate).