Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Technology must have been involved somehow... http://www.viralnova.com/31-building-fails-gallery/ ...here's what went wrong. [This item is decidedly *NOT* computer related, but I will bet some of these examples will appear in computer-related talks. I'm reminded of the photo of the barrier in a road, with tracks of vehicles that went around it on the grass, which I must have seen in a dozen security talks by now. PGN]
As one might expect, it wasn't a single problem, but a series of interrelated problems. It's a fairly simple matter to substitute "software" for "battery", and see the state of security in the world today. Flaws in manufacturing, insufficient testing and a poor understanding of an innovative battery all contributed to the grounding of Boeing's 787 fleet last year after a fire in a jet at Boston's airport and another incident in Japan, according to a report released Monday by regulators. The report, by the National Transportation Safety Board, assigned in the starkest terms yet the blame for the 787's battery problems. The safety board investigating the Boston episode suggested for the first time that manufacturing flaws introduced defects that led a battery cell to fail, though the board stopped short of drawing a firm conclusion. The failure of that cell rippled to other cells, causing the battery to consume itself in fire and smoke. [...] The board found a wide range of failings among manufacturers and regulators. The battery's maker, GS Yuasa of Japan, used manufacturing methods that could introduce potential defects but whose inspection methods failed to detect the problem, the board found. Boeing's engineers failed to consider and test the worst-case assumptions linked to possible battery failures, it said. And the Federal Aviation Administration failed to recognize the potential hazard and did not require proper tests as part of its certification process, the report said. [...] http://www.nytimes.com/2014/12/02/business/report-on-boeing-787-dreamliner-batteries-assigns-some-blame-for-flaws.html?emcíit_th_20141202&nl=todaysheadlines&nlid#103254
I recently got e-mail from the Tower insurance company promoting SmartDriver, produced by a US company called DriveFactor. The web page is http://www.tower.co.nz/insurance/car/smartdriver/ with a FAQ at http://www.tower.co.nz/insurance/car/smartdriver/frequently-asked-questions. This is an app for iOS and Android that purports to measure how safely you are driving by using your device's sensors to record “acceleration, braking, cornering, trip frequency and duration'' and your GPS location, more. You can get a discount of up to 20% if you are safe enough. In no particular order, - I am very pleased to have a phone that is too dumb to support malware. (http://www.dilbert.com/2014-12-03/). No discount for me! - Wait, I do have an iPad, and so does my wife. Sorry, it doesn't work on iPads. No discount for me! - My wife *does* have a smart-phone. It's a Windows phone. No discount for her! - The app will lack awareness of the context. If a child or an animal runs across the road in front of me, and I brake hard enough to avoid a death, I will be penalised for unsafe driving, not rewarded. Similarly, a sharp turn to avoid an accident will count as unsafe, not safe. - http://www.drivefactor.com/how-can-traffic-affect-driving-behavior/ suggests that they can tell light traffic from rush hour, but the statement “the car experienced an additional 13.7 total g's of acceleration'' is a little confusing. - I wonder whether they compare your speed as reported by GPS with the speed limit for the relevant road, and just how accurate their maps are. - The app will lack awareness of the context. We are often told these days that driving too slowly is dangerous, but the app won't know about rain, fog, or road works, and it doesn't appear to have any way you can tell it that you are towing something. - Q. Can I get a copy of my data? A. We will provide access to your data that is readily available. Please note that we may ask you to pay a reasonable fee if your request is time consuming or costly. This is a non-answer. A couple of Official Information Act requests have shown me that governments have a way of saying that information they *ought* to have had is not readily available, and I don't expect businesses to be any different. And whose opinion of `a reasonable fee' applies? - Q. Can the police request the data in case of accidents or investigations? A. If TOWER is legally required to share information with authorities, we will abide by our obligations under the law. This is an even more flagrant non-answer. If the data are held in the US and analysed by DriveFactor, they can presumably thumb their noses at NZ law. *Tower* might well not hold anything but summaries. Longer term, I'm concerned by several things. - First people paid their bills over the counter at the post office, then Internet banking became available, and now you are charged penalty payments if you pay over the counter in real money. How long before your insurance company starts charging extra to people who don't use such an app? (With a safe driving discount of up to 20%, I think we can see that the penalty paid by a Windows Phone user could be substantial.) - How long before inability to produce your logs counts against you in court? (If you don't want anyone monitoring your driving, you must know you are a bad driver, so the accident must have been your fault.) - There is a privacy act in New Zealand, but under the principle of the sovereignty of Parliament, it could be gone tomorrow if John Key's business friends saw an advantage in getting their hands on data like this. Of course much of this information can be gleaned from mobile phones anyway if you can plant what you want in them, and NZ is part of Five Eyes. But I like to turn my phone off when driving, for safety, ironically enough. DriveSmart offers a financial incentive to keep your phone on. My younger daughter will turn 16 tomorrow and is interested in learning to drive. When I told her about DriveSmart, she was able to grasp these issues. Welcome to the self-surveillance society.
Nicole Perlroth, *The New York Times*, 03 Dec 2014 and the blog: http://bits.blogs.nytimes.com/2014/12/02/hacked-vs-hackers-game-on/ There has been an awakening that online threats are real and growing worse, and that the prevailing `patch and pray' approach to computer security will not do. [Also noted by Matthew Kruk. Those of you tired at rather pessimistic items in RISKS might also be interested in a companion article by Nicole Perlroth in the same issue of *The Times* and the same blog: http://bits.blogs.nytimes.com/2014/12/02/reinventing-the-internet-to-make-it-safer/ PGN]
The breach exposed two things the movie industry loathes—the piracy of films, and details about executive compensation. It sent a ripple of dread across Hollywood. http://www.nytimes.com/2014/12/03/business/media/sony-is-again-target-of-hackers.html
http://www.engadget.com/2014/11/26/sony-pictures-computers-are-still-locked-as-hackers-demand-equa/?ncid=rss_truncated
http://www.buzzfeed.com/charliewarzel/it-gets-worse-the-newest-sony-data-breach-exposes-thousands
... In this case, a thirty-one-year-old man, Anthony Douglas Elonis, who lives in the small Pennsylvania community of Lower Saucon Township, was convicted for postings on Facebook four years ago that prosecutors treated as actual threats of violence. The jury agreed, leading to a guilty verdict and a forty-four-month prison sentence. His messaging came after his wife had left him and he was fired from his job at an amusement park because of one of his postings. ... http://www.scotusblog.com/2014/11/argument-preview-the-social-media-as-a-crime-scene/
Peter Bright, *Ars Technica*, 3 Dec 2014 Psy's hit song has been watched an awful lot of times. http://arstechnica.com/business/2014/12/gangnam-style-overflows-int_max-forces-youtube-to-go-64-bit/ Although it's no longer 2012, apparently people are still watching the YouTube video for Korean pop star Psy's smash hit song Gangnam Style. The irritatingly catchy tune has racked up so many views that Google has been forced to upgrade YouTube's infrastructure to cope. When YouTube was first developed, nobody ever imagined that a video would be watched more than 2 billion times, so the view count was stored using a signed 32-bit integer.
`Anonymous', InfoWorld, 3 Dec 2014 A single word on a simple button does not mean what an admin thinks it means during what should be a routine weekend job http://www.infoworld.com/article/2854353/it-jobs/for-major-outage-push-the-button.html Techies and users often accuse each other of speaking different languages, but truth be told, we in IT don't always understand one another either. Take the case of the tech team who decided a simple one-word sign in the data center would mean the exact opposite of all expectations. As I paused outside of the closed door, I stared at a big, red button labeled "Open" right next to the entrance. I'd seen it before and assumed it would open the door. Logically, I pushed the button. Instantly, a dreaded silence descended—the sound of a data center that has gone dead. The Open button must have shut off all power to the data center! It certainly hadn't opened the door. To this day I marvel at the lunacy of putting a big, red, completely unprotected button next to a door, labeled as Open but in actuality meaning "Open all power circuits in case of emergency only." The label never changed, but our crew put a plastic box over it so you had to flip open the box before you could push the button. Even with a small staff, you can never assume that everyone knows what a sign like that means. Clear communication is a necessity.
http://www.zdnet.com/article/apple-entering-a-whack-a-mole-era-of-malware-defense/?tag=nl.e539 http://www.zdnet.com/article/apple-entering-a-whack-a-mole-era-of-malware-defense/?tag=nl.e539&s_cidå39&ttagå39&ftag=TRE17cfd61
Simon Phipps, *InfoWorld*, 3 Dec 2014 Angry support queries fly, citing problems with mystery iOS apps -- that turn out to be scamware http://www.infoworld.com/article/2854754/mobile-apps/fraudulent-apps-stalk-apples-app-store.html selected text: Many people think that the sort of scams Microsoft cleared out of its mobile app store this year could never affect Apple. But how tight is Apple's review process for the App Store? If you're competing with Apple, it seems to be very tight, and the rules are constantly changing. But if you're a scammer looking to make a fast buck, it appears that Apple process can be defeated. That's three apps that logic demands should never have been allowed into the App Store in the first place if anyone was paying the slightest attention to their names and icons, including one with a dummy URL for support and another hollow shell that cannot possibly have passed any meaningful scrutiny by an app tester. Yet they are all in the supposedly sanitary iTunes Store. I found several other apps (1, 2, 3) using the name Quickoffice (although without Google's icon). How many more apps like this are there in the App Store? I contacted Apple for comment but received no reply at press time.
Tom Kaneshige, *CIO*, 1 Dec 2014 CIOs naturally want a BYOD policy in place to give them some level of control, but the reality is that employees will do whatever they want regardless of the policy. http://www.cio.com/article/2852984/byod/byod-brings-corporate-contradictions.html
Sean Gallagher, *Ars Technica*, 25 Nov 2014 Access through partners such as Cable & Wireless pulls in gigabits globally. http://arstechnica.com/tech-policy/2014/11/new-snowden-docs-gchqs-ties-to-telco-gave-spies-global-surveillance-reach/ Documents reportedly from the Edward Snowden cache show that in 2009, GCHQ (and by association, the NSA) had access to the traffic on 63 submarine cable links around the globe. The cables listed handle the vast majority of international Internet traffic as well as private network connections between telecommunications providers and corporate data centers. According to a report in the German newspaper Suddeutsche Zeitung, the telecommunications company Cable & Wireless—now a subsidiary of Vodafone -- actively shaped and provided the most data to GCHQ surveillance programs and received millions of pounds in compensation. The relationship was so extensive that a GCHQ employee was assigned to work full-time at Cable & Wireless (referred to by the code-name Gerontic in NSA documents) to manage cable-tap projects in February of 2009. By July of 2009, Cable & Wireless provided access to 29 out of the 63 cables on the list, accounting for nearly 70 percent of the data capacity available to surveillance programs. A Vodafone spokesperson did not deny the details when questioned by Suddeutsche Zeitung but said that any taps were performed legally under a warrant. The cable access wasn't just used for surveillance—it was also used to pipe back data pulled from other networks through Computer Network Exploitation (CNE) operations to populate Incenser (a GCHQ special source collection system) running in a data center at GCHQ's signals collection center at Bude in Cornwall. One of the networks that was targeted by a CNE hack and accessed over Cable & Wireless capacity, according to an NSA slide, was the Fiber-Optic Link Around the Globe (FLAG), a global network operated by the Indian telecommunications company Reliance Communications' subsidiary, Global Cloud Xchange. Data pulled the FLAG network's connections span the globe, with landing points in the US, Europe, North Africa, the Saudi Peninsula, India, Malaysia, China, Taiwan, South Korea, and Japan. [...]
Ryan Gallagher, *First Look*, 04 Dec 2014 Operation Auroragold: How the NSA Hacks Cellphone Networks Worldwide The NSA continues to introduce vulnerabilities into GSM systems worldwide. https://firstlook.org/theintercept/2014/12/04/nsa-auroragold-hack-cellphones/ In March 2011, two weeks before the Western intervention in Libya, a secret message was delivered to the National Security Agency. An intelligence unit within the U.S. military's Africa Command needed help to hack into Libya's cellphone networks and monitor text messages. For the NSA, the task was easy. The agency had already obtained technical information about the cellphone carriers' internal systems by spying on documents sent among company employees, and these details would provide the perfect blueprint to help the military break into the networks. The NSA's assistance in the Libya operation, however, was not an isolated case. It was part of a much larger surveillance program—global in its scope and ramifications—targeted not just at hostile countries. According to documents contained in the archive of material provided to The Intercept by whistleblower Edward Snowden, the NSA has spied on hundreds of companies and organizations internationally, including in countries closely allied to the United States, in an effort to find security weaknesses in cellphone technology that it can exploit for surveillance. The documents also reveal how the NSA plans to secretly introduce new flaws into communication systems so that they can be tapped into—a controversial tactic that security experts say could be exposing the general population to criminal hackers. Codenamed AURORAGOLD, the covert operation has monitored the content of messages sent and received by more than 1,200 email accounts associated with major cellphone network operators, intercepting confidential company planning papers that help the NSA hack into phone networks. [Long item truncated for RISKS. PGN]
The (UK) Guardian: Usual suspects—Russia and China thought to be in the clear as attention focuses on US, UK and Israeli agencies. Symantec said the Regin malware was likely developed by a nation-state. But which one? Regin is the latest malicious software to be uncovered by security researchers, though its purpose is unknown, as are its operators. But experts have told the Guardian it was likely spawned in the labs of a western intelligence agency. None of the targets of the Regin hackers reside on British soil, nor do any live in the US. Most victims are based in Russia and Saudi Arabia—28% and 24% respectively. Ireland had the third highest number of targets - 9% of overall detected infections. The infections lists doesn't include any five-eyes countries -- Australia, Canada, New Zealand, the UK and the US. “We believe Regin is not coming from the usual suspects. We don't think Regin was made by Russia or China,'' Mikko Hypponen, chief research officer at F-Secure, told the Guardian. His company first spied Regin hiding on a Windows server inside a customer's IT infrastructure in Northern Europe. Only a handful of countries are thought capable of creating something as complex as Regin. If China and Russia are ruled out, that would leave the US, UK or Israel as the most likely candidates. “There are no other countries I can think of,'' said F-Secure researcher Sean Sullivan, when *The Guardian* put this suggestion to him. Full story at: http://www.theguardian.com/technology/2014/nov/24/regin-malware-western-surveillance-technology
Yet another techno-fantasy disaster—after 15 years, $16 billion CAD, a province-wide EMR system is a disaster and should be thrown out and redone from scratch. The risks reported here were only (!) financial—no telling what risks may have been borne by patients and workers from poorly designed, dysfunctional systems. But, the technocratic wish is so strong, hospitals and governments are mindlessly rushing forward anyway. *The Montreal Gazette* http://montrealgazette.com/news/local-news/quebecs-electronic-records-plan-a-disaster-barrette-says Robert L Wears, University of Florida, wears@ufl.edu 1-904-244-4405 (ass't) Imperial College London, r.wears@imperial.ac.uk +44 (0)791 015 2219
If you want to comment on this article, you shouldn't be allowed to be anonymous. Anne Applebaum, *Slate*, 28 Nov 2014 http://www.slate.com/articles/news_and_politics/foreigners/2014/11/internet_trolls_pose_a_threat_internet_commentators_shouldn_t_be_anonymous.html
[FYI—Perhaps not. HB] Who Should Own the Internet? Julian Assange on Living in a Surveillance Society, *The New York Times*, 4 Dec 2014 http://www.nytimes.com/2014/12/04/opinion/julian-assange-on-living-in-a-surveillance-society.html It is now a journalistic cliché to remark that George Orwell's *1984* was `prophetic'. The novel was so prophetic that its prophecies have become modern-day prosaisms. Reading it now is a tedious experience. Against the omniscient marvels of today's surveillance state, Big Brother's fixtures -- the watchful televisions and hidden microphones—seem quaint, even reassuring. Everything about the world Orwell envisioned has become so obvious that one keeps running up against the novel's narrative shortcomings. I am more impressed with another of his oracles: the 1945 essay *You and the Atomic Bomb*, in which Orwell more or less anticipates the geopolitical shape of the world for the next half-century. “Ages in which the dominant weapon is expensive or difficult to make will tend to be ages of despotism, whereas when the dominant weapon is cheap and simple, the common people have a chance ... A complex weapon makes the strong stronger, while a simple weapon—so long as there is no answer to it—gives claws to the weak.'' [Long item truncated for RISKS. PGN]
I thought fleeting messages were bad. You know, the kind that assume you are still in front of your computer and your eyes also just happen to be glued to that spot on the screen and then disappear in one second. But now I read http://en.wikipedia.org/wiki/Wickr : Sell, who "berated an FBI agent who asked her to install a backdoor into Wickr," reportedly "prides herself on the fact that Wickr is designed by professional cryptographers and that it knows absolutely nothing about its users." The firm "spent years designing the most fleeting message on the market," stated Time Magazine, noting that messages are instantly "scrambled by military-grade encryption technology"...
>> Subject: House Republicans just passed a bill forbidding >> scientists from advising the EPA on their own research > ... The government should seek and require peer review of funding done by > people that aren't funded to do that research by the government. ... The purpose of tenure is to ensure that even though the scientist is funded by the government, the government has no influence on the scientist's work, and the scientist's work has no impact on their funding. This allows the scientist to be unbiased, and therefore give unbiased advice to the EPA. (This means that the vast majority of scientists should be given tenure: which is unfortunately not the case). On the other hand, a "think tank" of lobbyists funded by oil companies in order to push their agenda *cannot* be independent: their jobs depend on presenting a certain point of view. When the politicians (who are also funded by the same oil companies) pass a bill forbidding the scientists from advising the EPA, while at the same time allowing the lobbyists to advise the EPA, it is clear that there is a problem. >> Subject: The safest computers are iPhones and iPads (Galen Gruman) >> But rarely do you see smartphones and tablets in these reports. Why? >> Because they're more secure than computers and data centers. > > Bingo - the jackpot in in poor reasoning. This one I agree with. Why do thieves rob banks? It's not because banks are less secure than other places, but "because that's where the money is." Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering martin@gkc.org.uk http://www.cse.dmu.ac.uk/~mward/
Recent RISKS have highlighted increasing tensions between Internet businesses and governments. For a British take, here are some excerpts from an article in last week's *Telegraph* on the topic. <http://www.telegraph.co.uk/technology/facebook/11256524/Why-the-Government-has-unfriended-Facebook.html> The problem in this case, however, is not what Facebook shows us, but what we put up there ourselves. Playing host to all human life means, unfortunately, that you get exactly that—all human life, including the criminals, terrorists, racists and lunatics. ... Facebook's argument has always been that it can't, and shouldn't, be held responsible for what its users post. And there's certainly something to that. Keeping tabs on more than a billion people would be a huge technical challenge. ... Building a proper system of surveillance would require enormous resources, involve huge intrusion into our privacy, and throw up all manner of false positives. In short, it is not just impractical, but probably impossible. But while this argument is valid, it is also enormously convenient. It allows the company to keep its customer services team—the number of people devoted to interacting with other human beings, with all the mess that involves—as small as possible, thereby raising profit margins and ensuring that most of its staff can get on with doing cool things with code. And it also allows it to wash its hands of the social consequences of the software it produces. ... David Cameron is saying, in effect, that Facebook must use its enormous power wisely and responsibly—or the state will step in to ensure that it does. Facebook is saying that it is a tool of its users, not of governments. The old order is asserting itself against the new, and the new against the old. Even if an accommodation is eventually reached on this particular issue, it is a racing certainty that they will clash again. IMHO I feel that this is a difference between European and American cultures. What seems to be wanted is for social networking sites to be fully moderated and only accessible to vetted registered users, which would probably virtually kill them, but European governments may well regard this as an acceptable outcome. [Chris also noted this article. Included entire text removed for RISKS. PGN] Robert Colvile, *The Telegraph*, 27 Nov 2014 Why the [UK] Government has unfriended Facebook The Lee Rigby case has brought the simmering tension between Silicon Valley and the state out into the open. http://www.telegraph.co.uk/technology/facebook/11256524/Why-the-Government-has-unfriended-Facebook.html
> http://www.gironsec.com/blog/2014/11/what-the-hell-uber-uncool-bro/ ... and when you read the blog followups, you will find a big discussion of fact and conjecture, including the link http://thenextweb.com/apps/2014/11/27/ubers-app-malware-despite-may-read/ -- which dismantles the whole issue. 1247 Fort Miller Road, Fort Edward, NY 12828, +1 518 695 4794
Please report problems with the web pages to the maintainer