Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Irene Klotz, Space Station's Cubesat Launcher has Mind of its Own, Discovery, 5 Sep 2014 http://news.discovery.com/space/space-stations-cubesat-cannon-has-mind-of-its-own-140905.htm Last night, two more of Planet Lab's shoebox-sized Earth imaging satellites launched themselves from aboard the International Space Station, the latest in a series of technical mysteries involving a commercially owned CubeSat deployer located outside Japan's Kibo laboratory module. Station commander Steve Swanson was storing some blood samples in one of the station's freezers Friday morning when he noticed that the doors on NanoRack's cubesat deployer were open, said NASA mission commentator Pat Ryan. Flight controllers at the Johnson Space Center in Houston determined that two CubeSats had been inadvertently released. “No crew members or ground controllers saw the deployment. They reviewed all the camera footage and there was no views of it there either,'' Ryan said. The satellites, owned by San Francisco-based Planet Labs, are part of a planned 100-member network designed to collect images of the entire Earth every 24 hours. So far, 12 of 32 CubeSats delivered to the space station aboard a Cygnus cargo ship in July have been deployed, including four launched inadvertently, said NanoRacks spokeswoman Abby Dickes. In addition to the two Planet Labs satellites launched Thursday night, two more of the company's satellites were released accidentally 23 Aug, a NASA status report shows. The latest inadvertent deployment followed unsuccessful attempts Wednesday night to return NanoRack's CubeSat dispenser to service. efforts included jiggling the small robotic arm holding the dispense in an attempt to get its doors to open, Ryan added. Flight control teams are assessing whether to bring the deployer back inside the station or to try to release the remaining CubeSats still awaiting launch.
The Hacker Uploaded Malicious Software, But Consumers' Personal Data Didn't Appear to Be Taken Danny Yadron, WSJ, 4 Sep 2014 A hacker broke into part of the HealthCare.gov insurance enrollment website in July and uploaded malicious software, according to federal officials. Investigators found no evidence that consumers' personal data were taken or viewed during the breach, federal officials said. The hacker appears only to have gained access to a server used to test code for HealthCare.gov, the officials said. The server was connected to more sensitive parts of the website that had better security protections, the officials said. That means it would have been possible, if difficult, for the intruder to move through the network and try to view more protected information, an official at the Department of Health and Human Services said. There is no indication that happened, and investigators suspect the hacker didn't intend to target a HealthCare.gov server. ... http://online.wsj.com/articles/hacker-breached-healthcare-gov-insurance-site-1409861043
Hackers downloaded malicious software onto a test server of HealthCare.gov, but did not steal any personal information on consumers, Obama administration officials said. http://www.nytimes.com/2014/09/05/us/hackers-breach-security-of-healthcaregov.html [up? down? which way does the staircase go? PGN]
UCLA, Cisco & more join forces to replace TCP/IP *Network World* via NNSquad http://www.networkworld.com/article/2602109/lan-wan/ucla-cisco-more-join-forces-to-replace-tcpip.html "Their aim is to put forth an Internet architecture that's more secure, able to support more bandwidth and friendlier to app developers. Cryptographic authentication, flow balance and adaptive routing/forwarding are among the key underlying principles." - - - Except in some comparatively specialized scenarios and situations, don't hold your breath for TCP/IP going away anytime soon.
I just wrote a piece for Scientific American about kill switches for ... medium and heavy weapons. I know I've long inveighed against vendor (and, by proxy, government) control over consumer technology, and I still think that's a central threat to both open code and free speech. But all of that otherwise-worrisome tech applied to weapons seems to invert the equities. http://www.scientificamerican.com/article/the-case-for-kill-switches-in-military-weaponry/ [...] Jonathan Zittrain, Harvard Law School | Harvard Kennedy School of Government | Harvard School of Engineering and Applied Sciences and Berkman Center for Internet & Society http://cyber.law.harvard.edu>
http://betanews.com/2014/09/03/mystery-fake-cellphone-towers-discovered-across-america/
"In a submission to the Australian Government on the issue of online piracy, the BBC indicates that ISPs should be obliged to monitor their customers' activities. Service providers should become suspicious that customers could be pirating if they use VPN-style services and consume a lot of bandwidth, the BBC says." Torrent Freak via NNSquad http://torrentfreak.com/bbc-isps-should-assume-heavy-vpn-users-are-pirates-140908/ - - - And what should we assume the folks running the BBC are? Pick your synonym for "dangerous fools" ...
John E. Dunn | Techworld, InfoWorld, 04 Sep 2014 iCloud on iOS secretly keeps last three backups, says Check Point Software researcher http://www.infoworld.com/d/mobile-technology/apple-icloud-backup-quirk-could-have-allowed-hackers-access-deleted-files-249749
Brian X. Chen, *NYTimes* blog, 4 Sep 2014 Apple said on Thursday that it would strengthen its security measures after a recent episode where hackers broke into the Apple accounts of a number of celebrities, stole their nude photos and leaked them on the Internet. The company said it would add alerts to tell people about activities that could be signs of a break-in. Customers will receive emails and alerts called push notifications, which are messages that show up prominently on iPhones and iPads, when someone tries to change the password for their iCloud account, upload their backed-up account data to a new device or log into their accounts for the first time from an unknown device, the company said. The notifications will be added in two weeks. ... http://bits.blogs.nytimes.com/2014/09/04/apple-says-it-will-add-new-security-measures-after-celebrity-hack/
Questions persist after the release of a newly declassified version of a legal memo approving the National Security Agency's Stellarwind program, a set of warrantless surveillance and data collection activities secretly authorized after the terrorist attacks of Sept. 11, 2001. http://www.nytimes.com/2014/09/07/us/redactions-in-us-memo-leave-doubts-on-data-surveillance-program.html
As our online personal information has become less and less personal, the privacy pendulum may now ready to switch directions. http://bits.blogs.nytimes.com/2014/09/07/rethinking-privacy-on-the-internet/
Jaikumar Vijayan | Computerworld, 03 Sep 2014 The breach occurred at nearly all of Home Depot's 2200 U.S. stores http://www.infoworld.com/d/security/data-shows-home-depot-breach-could-be-largest-ever-249732 opening text: It looks like Home Depot may have earned the dubious distinction of being responsible for the biggest compromise ever involving credit and debit card data.
Woody Leonhard | InfoWorld, 8 Sep 2014 August's Windows Installer Service patch causes wide range of inscrutable problems on Windows 7 and Windows 8 machines http://www.infoworld.com/t/microsoft-windows/microsoft-patch-kb-2918614-triggers-key-not-valid-use-more-errors-249973
"With Super Cruise, when there's a congestion alert on roads like California's Santa Monica Freeway, you can let the car take over and drive hands free and feet free through the worst stop-and-go traffic around," Barra said in the speech at Cobo Center in Detroit. "If the mood strikes you on the high-speed road from Barstow, California, to Las Vegas, you can take a break from the wheel and pedals and let the car do the work. Having it done for you—that's true luxury." But... GM's Super Cruise technology is not a self-driving car and the feature will require drivers to remain alert and ready to take the wheel if traffic conditions become too complex, Lauckner told reporters at a briefing before Barra's speech. http://www.bloomberg.com/news/2014-09-07/gm-to-introduce-hands-free-driving-in-cadillac-model.html Let the car do the work ... BUT remain alert. "What could possibly go wrong?" seems a profoundly inadequate degree of skepticism. Comments on the article question the ability of a company that for many years shipped faulty ignition switches to get this bit of technology right. Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
We have dynamic cruise on our Sienna, and it's great on the highway. Doesn't function below 28mph, alas. But on the Interstate, I get behind someone I like going fast enough and not weaving/etc., lock it in a click or two above their speed, and now it's just steering, not playing with the gas. Really makes long trips less stressful.
The title of this item is misleading: As you can read in the linked article, the fault causing the satellites to be injected into the wrong orbit was in the launcher, not the satellites. You may consider this a technicality. But since the launcher and the satellites come from different manufacturers, I think it is important to point to the right entity when discussing the failure.
Comments on solar power: > Aside from the general economic issue, the big concern is that solar power > is intermittent and can cut out at any second. Actually, solar power is about a reliable and predictable a source of energy delivery in a usable form that I can imagine. The yearly flux of solar illumination is almost constant. More to the point, a lot of energy is used in areas where the usable intensity is low for half a year and high for the other half. Weather effects that exacerbate this are, on average, quite regular on a yearly basis. It is true that energy storage is challenging and is likely to remain so for the foreseeable future. There is great potential in the equatorial regions, most notably the great deserts. Building large collection systems there would make solar generation nearly independent of the time of year, although occasional violent weather would continue to be a problem. At least as important as producing huge amounts of power on a regular schedule, adopting such a scheme could become an economic engine that might offset the disproportionate effect of climate change on equatorial peoples.
> Solar panels do actually work tolerably well in cloudy conditions, and it's > pretty rare for a cloud to cover an entire country. Solar panels do, indeed, produce power also in cloudy conditions, but "tolerably well"? My experience is: Lightly overcast: ~30% of peak power Thick clouds: ~10% of peak power Rainy, cloudy winter day: Below threshold at which converter switches on. In winter, even at the best, sunny days, power is well below summer peak level (~50%) due to the low sun. I live in The Netherlands, where it is not so rare that a cloud covers the entire country, and more. But it is, of course, a small country.
"Huffington" is continuing trying to "disappear" their discredited five part series on the "creator" of e-mail. You'll recall that yesterday the links to the five stories at: http://www.huffingtonpost.com/news/the-history-of-email/ led to a sort of editorial apology. Today, four of the five stories have vanished from the page entirely—leaving a big white gap—and search results that previously pointed at them now appear to be 404. And in case you don't remember what this page looked like originally, I made a screenshot of it yesterday, because I anticipated something like this. Screenshot at: (G+): https://plus.google.com/+LaurenWeinstein/posts/f5i8tB4bveC
Techdirt via NNSquad https://www.techdirt.com/articles/20140901/07280928386/huffpo-publishes-bizarre-misleading-factually-incorrect-multi-part-series-pretending-guy-invented-email-even-though-he-didnt.shtml "Again, that might make for a nice story line if there were some factual basis behind it, but there isn't. The history of e-mail is well-documented from multiple sources and it began way, way before 1978. And while early versions were somewhat crude, by 1978 they had basically everything that Ayyadurai claims to have invented (it is entirely believable that Ayyadurai, as a bright kid, independently came up with the same ideas, but he was hardly the first). There was a messaging system called MAILBOX at MIT in 1965. You can read all the details of it here, including source code. Ray Tomlinson is frequently credited with inventing the modern concept of email for the Internet by establishing the @ symbol (in 1972) as a way of determining both the user and which computer to send the email to. By 1975, there were things like email folders (invented by Larry Roberts) and some other basic email apps. As is noted, by 1976—two years before Ayyadurai wrote his app—email was 75% of all ARPANET traffic." - - - Why? Because Huffington is only interested in the clicks, that's why, and if they thought they could get more clicks by claiming Caligula invented e-mail, they'd be running those stories too.
> "Since the vendors pay for the bounty, introducing bugs into their own > code is counterproductive" (Mills, RISKS-28.24) Hmmm... Let's see. Suppose employee A works for company M which boasts of a bug bounty. Freelancer J colludes with employee A to either induce A to purposely create a bug, or at least provide information about where such bugs can be found. Freelancer J gets bug bounty from M, and shares it with employee A. Rinse & repeat. Everybody wins, except for the poor customers and their credit ratings after being hacked. Such collusion is legal when A is a law-maker and J is a lobbyist, and such collusion is rampant and extremely profitable. Sometimes, A and J are even the same people, which is called the "revolving door" of agencies such as the FCC and now, apparently, the NSA (Alexander). > "the Moral Hazard theory doesn't seem to apply here" *jericho, RISKS-28.24) The biggest moral hazard is caused by computer hardware & software vendors who sell software that they're not willing to stand behind; i.e., they use their own customers as alpha and beta testers (aka "human shields" aka "collateral damage", in the case of computer hacking & ID theft). Dan Geer has already discussed this issue. Bug bounties don't "drain the swamp", but perversely create an industry dependent upon the existence of the swamp. The FBI loves the swamp, because it enables them to manufacture crimes and once in a while produce a pelt. The NSA loves the swamp, because it enables them to monitor "terrorists", and the bigger the swamp, the larger the NSA's budget. There's also the problem of price. A hundred dollars for a Twitter bug is an LOL joke; the cost of such a bug to a large corporate user might be millions of dollars. Even $100k for a significant bug pales in comparison to the millions of dollars that such a bug is worth to a criminal or nation-state. Do you ever wonder why the Apple goto-fail bug lasted so long? Let's assume that some bounty-hunter actually *did* notice Apple's goto-fail behavior. Any bounty-hunter worth his salt would quickly check for the existence of this bug on other Apple devices & versions and notice how extensive this bug was. A quick calculation would reveal that the bug was worth multiple millions of dollars to the right customer. It's entirely possible that some bounty-hunter was keeping such a bug in his inventory for this big pay day. Consider the recent JP Morgan attacks. These "Willie Sutton" hackers were apparently going after serious money, and were obviously willing to expend considerable resources in the process. What kind of a bounty would it take to buy them off? My best guess: $1 billion. Talk like a Pirate Day is in 2 weeks (Sept. 19th). We all know about pirates (the real kind, who sink ships and murder people, not the MPAA faux rhinestone kind). These pirates started off as legal "privateers", but often ended up being hanged for piracy after the govt stopped its privateer program. https://en.wikipedia.org/wiki/Privateer https://en.wikipedia.org/wiki/William_Kidd This current bug-bounty-hunting privateer movie isn't going to end any better than the seafaring privateer movie. Besides, Errol Flynn and Johnny Depp will never look as good wielding a mouse and a keyboard. However, I do *not* recommend paying larger bounties, even though there are bugs worth far more money. I *do* recommend spending *just as much money*—i.e., *billions* of dollars—on *formal methods* which are the only known way to *guarantee* the lack of certain types of bugs. I agree with Dan Geer that we need to loose the real privateers—the plaintiffs bar—on the computer hardware and software industry, so that we can finally start draining the swamp and make the Internet "safe at any speed". https://en.wikipedia.org/wiki/Unsafe_at_Any_Speed Given the "fat tail" distribution of harm from computer bugs, it's only a matter of time before the first $1 BILLION loss is incurred (assuming that it hasn't *already* occurred—in secret—e.g., in Sept 2008), and a large company loses 50% or more of its market value as a result of being hacked. Wouldn't it be preferable to spend $1 billion *proving programs correct* than a far larger amount to criminals and/or bounty-hunters ?
Webinar: Building a Software Security Initiative Thursday, September 25, 2014 1:00 - 2:00 PM EDT Register: http://discover.cigital.com/e/28332/tration-html-sco-id-1218490076/3kzhjz/848842747 The increasing frequency and costs of security breaches are driving customers, senior executives, and board of directors to demand evidence of a formal program to address software security. Do you know how to start building a scalable software security initiative? Join Cigital and Tyler Shields, Senior Analyst at Forrester Research, Inc., for a live webinar exploring what it takes to create, restart, or mature a software security initiative, including: * Strategies for securing budget and support to build a software security initiative * Identifying foundational components required for an effective software security initiative * Distinguishing key attributes of a scalable software security initiative * Tactics to enable management, security, and engineering groups to make immediate software security improvements Cigital, 21351 Ridgetop Circle, Suite 400, Dulles, VA 20166
Please report problems with the web pages to the maintainer