On 28 March, New South Wales goes to the polls. This is notable for two reasons: not only is it expected to be a tight contest, with two conservative governments in two other states falling after just one term in several months, but it also sees the introduction of e-voting. It's not available to all, but merely to those who cannot attend a polling place on the day, due to sickness, absence, disability, etc. As an aside, despite what you may hear otherwise, Australia does *not* have compulsory voting, but compulsory *attendance* (and I think I've broken the law merely by reporting that).

Being somewhat disabled myself (the nearest polling place is further away than I care to walk), I registered online, proved my identity (name, DOB, address, driver's licence number etc), made up a 6-digit PIN, and received an authorisation token via SMS for subsequent use.

There is a demonstration page, and whoever designed it has a wicked sense of humour. www.iVote.nsw.gov.au (the demo page is under there). In the lower house, for the seat of Sydney Harbour (known for its large floating population) we have the "Khaki Party" (a take on The Greens), the "Workers Party" (ditto Labor Party), etc; in the upper house we have e.g. "Australians for Advancement" (our anthem is "Advance Australia Fair"), "City Life Party (Spencer Davis Group)" (and please don't tell me that I need to explain that), etc.

The e-voting polls open a few days earlier; a receipt code will be issued, which can be used to verify that your vote has been recorded as cast, and after the close of polls that it was included in the count. I'll report on my subsequent experiences.

Who said that bureaucrats don't have a sense of humour?

Dave Horsfall DTM (VK2KFU), North Gosford NSW 2250, Australia
http://www.horsfall.org/spam.html (and check the home page whilst you're there)
What the GAO Found

While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA's systems. Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses.

http://www.gao.gov/products/GAO-15-221

Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
This person's light bulb performed a DoS attack on his entire smart house.
Kashmir Hill, Fusion, March 3, 2015
http://fusion.net/story/55026/this-guys-light-bulb-ddosed-his-entire-smart-house/

The light was performing a DoS attack on the smart home to say, `Change me'.

[That is reVOLTing. WATT are the other risks with smart systems? PGN]
Ravi Somaiya, 9 MAR 2015

Gigaom, a pioneering technology blog that became a fixture in Silicon Valley and claimed 6.4 million monthly readers, abruptly announced on Monday that it would shut down. The site, which was founded in 2006, seemed to have been stopped dead in its tracks; earlier Monday, it had been posting articles, most recently on Apple. News of its closure was first broken on Twitter by those connected with it, but was confirmed shortly afterward by its founder, the tech journalist and venture capitalist Om Malik.

http://www.nytimes.com/2015/03/10/business/media/tech-blog-gigaom-abruptly-shuts-down.html
Interesting working paper by Florian Egloff:
http://www.politics.ox.ac.uk/materials/centres/cyber-studies/Working_Paper_No.1_Egloff.pdf

Abstract: Policy literature on the insecurity of cyberspace frequently invokes comparisons to Cold War security strategy, thereby neglecting the fundamental differences between contemporary and Cold War security environments. This article develops an alternative viewpoint, exploring the analogy between cyberspace and another largely ungoverned space: the sea in the age of privateering. This comparison enables us to incorporate into cybersecurity thinking the complex interactions between state and nonstate actors, including entities such as navies, mercantile companies, pirates, and privateers. The paper provides a short historical overview of privateering and cybersecurity and compares the two by identifying state actors, semi-state actors, and criminal actors in each historical context. The paper identifies the limitations of Cold War analogies and presents the analogy of privateering as a superior conceptual benchmark for future policy guidance on cybersecurity. The paper makes three main arguments. First, cyber actors are comparable to the actors of maritime warfare in the sixteenth and seventeenth centuries. Second, the militarisation of cyberspace resembles the situation in the sixteenth century, when states transitioned from a reliance on privateers to dependence on professional navies. Third, as with privateering, the use of non-state actors by states in cyberspace has produced unintended harmful consequences; the emergence of a regime against privateering provides potentially fruitful lessons for international cooperation and the management of these consequences.

Florian Egloff, Clarendon Scholar, University of Oxford
FYI—Be careful out there... (from Hill Street Blues)

https://people.torproject.org/~ioerror/skunkworks/forensics/valencia-tracking-device/

On 4 Mar 2015, we found a tracking device inside of the wheel well of a car belonging to an attendee of the Circumvention Tech Festival in Valencia, Spain. This was reported in the local media. If you have information about this device - please send information to jacob at appelbaum dot net using gpg.

The device was magnetically mounted inside of the left wheel well of the car. The battery is attached by cable to the tracking device. The battery was magnetically mounted to the frame of the car. The tracking device was similarly magnetically mounted. The device itself has an external magnetically mounted GPS antenna. It has a very simple free hanging GSM antenna. The device included a Movistar SIM card for GSM network access. The entire device was wrapped in black tape.

https://people.torproject.org/~ioerror/skunkworks/forensics/valencia-tracking-device/IMG_6321.thumb.JPG
https://people.torproject.org/~ioerror/skunkworks/forensics/valencia-tracking-device/IMG_6331.thumb.JPG
https://people.torproject.org/~ioerror/skunkworks/forensics/valencia-tracking-device/IMG_6382.thumb.JPG
+ more pix.
A U.S. citizen is jailed in the UAE for a Facebook article he posted in the USA. Full story at: http://m.bbc.com/news/technology-31692914 There seems to be a growing problem of defining limits of jurisdictions for actions on the web.
Former NFL player Aaron Hernandez is currently on trial for murder. The investigation and trial testimony was largely based on evidence that was derived from cell phone records. Authorities created a detailed time line of Hernandez leaving his suburban home, driving to Boston where he picked up the victim, driving to a deserted industrial park where the murder occurred and then returning home. This was based on text messages and cell tower pings from both Hernandez and the victim. This time line also led to surveillance video of the car en route.

http://boston.cbslocal.com/2013/06/27/aaron-hernandez-linked-to-murder-via-texts-video-cell-phone-towers/
http://espn.go.com/boston/nfl/story/_/id/12425944/aaron-hernandez-trial-testimony-resumes
[via Dave Farber] http://www.cnet.com/news/man-charged-for-refusing-to-give-up-phone-passcode-to-canadian-border-agents/?part=propeller&subj=news&tag=link
http://www.nytimes.com/2015/03/09/technology/popular-yik-yak-app-confers-anonymity-and-delivers-abuse.html
Ars via NNSquad
http://arstechnica.com/tech-policy/2015/03/florida-moving-to-unmask-anonymous-websites-to-combat-online-piracy/

The bill, which landed on the state's House and Senate floors Tuesday, requires websites to display a "correct name, physical address, and telephone number or e-mail address" of the owner if they play a "substantial part in the electronic dissemination of commercial recordings or audiovisual works, directly or indirectly." The disclosure is required even if all the recordings or audiovisual works disseminated by the website are owned by the website owner.

- - -

Typical nonsense from Florida. Good luck with that, boys.
*The New York Times* via NNSquad
http://www.nytimes.com/2015/03/07/world/asia/china-blocks-web-access-to-documentary-on-nations-air-pollution.html

"Then on Friday afternoon, the momentum over the video came to an abrupt halt, as major Chinese video websites deleted it under orders from the Communist Party's central propaganda department. The startling phenomenon of the video, the national debate it set off and the official attempts to quash it reflect the deep political sensitivities in the struggle within the Chinese bureaucracy to reverse China's environmental degradation, among the worst in the world. The drama over the video has ignited speculation over which political groups were its supporters and which sought to kill it, and whether party leaders will tolerate the civic conversation and grass-roots activism that in other countries have been necessary to curbing rampant pollution."
One day in a court of law, the log files of a computer system will be used to prove that some incident happened at some certain time. Let's have a look.

journalctl says

  Mar 10 03:14:32 jidanni2 kernel: sd 2:0:0:0: [sdb] Attached SCSI
  Mar 10 03:14:32 jidanni2 kernel: EXT4-fs (sda8): mounted filesys

/var/log/kern.log says

  Mar 10 03:14:47 jidanni2 kernel: [    4.000166] sd 2:0:0:0: [sdb
  Mar 10 03:14:47 jidanni2 kernel: [   62.534080] EXT4-fs (sda8):

So did this happen at 03:14:32 or 03:14:47, or is all we in fact really know that there was an entire (62 - 4 =) 58 second gap between the two lines? The latter: my screen froze for a minute.
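The post shows the same two kernel events carrying different wall-clock stamps in two log sources, while only the bracketed uptime records the real gap. As an added example (not from the post or from systemd), this Python parses both line styles and compares the wall-clock gap with the kernel's monotonic uptime gap; a large disagreement means the wall-clock stamps were applied when the lines were written out, not when the events happened. The year (syslog lines carry none) and the column padding inside the brackets are assumptions of the example.

```python
"""Reconcile wall-clock and kernel-uptime timestamps across two log sources.

Added example for the RISKS post above; not code from the post or from systemd.
journalctl shows the wall-clock time it stored for each message; kern.log keeps
the syslog wall-clock stamp plus the kernel's own "[ seconds.micro]" uptime.
"""
import re
from datetime import datetime

# Syslog-style prefix "Mar 10 03:14:47 jidanni2 kernel: ", optionally followed
# by the kernel's "[   62.534080]" seconds-since-boot stamp (padding varies).
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: (?:\[ *(?P<uptime>\d+\.\d+)\] )?(?P<msg>.*)$"
)


def parse_kernel_line(line, year=2015):
    """Return (wall_clock datetime, uptime seconds or None, message).

    Syslog lines carry no year, so the caller supplies one; 2015 here because
    the post is dated March 2015. An investigator must record that assumption.
    """
    m = LINE_RE.match(line.rstrip())
    if not m:
        raise ValueError("not a kernel log line: %r" % line)
    wall = datetime.strptime(
        "%d %s %s %s" % (year, m.group("mon"), m.group("day"), m.group("time")),
        "%Y %b %d %H:%M:%S")
    uptime = float(m.group("uptime")) if m.group("uptime") is not None else None
    return wall, uptime, m.group("msg")


def reconcile(first, second, tolerance=1.0):
    """Compare two lines from the same source and report what each clock says.

    wall_gap comes from the syslog stamps; uptime_gap from the kernel stamps
    (None when the source has none). suspicious is True when the two clocks
    disagree by more than `tolerance` seconds, i.e. the wall-clock stamps
    cannot be trusted as event times for this span.
    """
    w1, u1, _ = parse_kernel_line(first)
    w2, u2, _ = parse_kernel_line(second)
    wall_gap = (w2 - w1).total_seconds()
    uptime_gap = None if u1 is None or u2 is None else u2 - u1
    suspicious = uptime_gap is not None and abs(uptime_gap - wall_gap) > tolerance
    return {"wall_gap": wall_gap, "uptime_gap": uptime_gap, "suspicious": suspicious}


def source_offset(line_a, line_b):
    """Wall-clock difference two sources assign to the *same* event, in seconds."""
    return (parse_kernel_line(line_b)[0] - parse_kernel_line(line_a)[0]).total_seconds()


# The four lines quoted in the post (messages truncated as in the original).
JOURNAL = [
    "Mar 10 03:14:32 jidanni2 kernel: sd 2:0:0:0: [sdb] Attached SCSI",
    "Mar 10 03:14:32 jidanni2 kernel: EXT4-fs (sda8): mounted filesys",
]
KERN_LOG = [
    "Mar 10 03:14:47 jidanni2 kernel: [    4.000166] sd 2:0:0:0: [sdb",
    "Mar 10 03:14:47 jidanni2 kernel: [   62.534080] EXT4-fs (sda8):",
]

if __name__ == "__main__":
    for name, lines in (("journalctl", JOURNAL), ("kern.log", KERN_LOG)):
        print(name, reconcile(lines[0], lines[1]))
    print("same event, wall-clock offset between sources:",
          source_offset(JOURNAL[0], KERN_LOG[0]), "s")
```

For the kern.log pair the uptime gap is about 58.5 s against a wall-clock gap of 0 s, so the 03:14:47 stamps are write times; the journal pair offers no second clock, so it cannot even be checked.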
For years, I have believed that the ever increasing lack of ECC was a serious flaw. My main concern was and is that memory capacities have increased far faster than reliability. The danger of a spontaneous bit failure at a random location in a multi-gigabyte memory is a matter for concern.

However, it has now been reported by Ars Technica that a team has announced an escalation of privilege exploit achieved by exploiting the underlying packaging and physics of DRAM memory, particularly DDR3 (without ECC). This experimental work raises the level of concern from the theoretical to the (somewhat) practical. While certainly arcane, the fact that some memory assemblies display sensitivity to reference patterns and affect the contents of cells other than those intended is a severe problem, which undermines ALL of the presumptions inherent in the design of all operating systems.

The complete Ars Technica article is at:
http://arstechnica.com/security/2015/03/cutting-edge-hack-gives-super-user-status-by-exploiting-dram-weakness/

Bob Gezelter, http://www.rlgsc.com
http://lauren.vortex.com/archive/001090.html

We get a lot of laughs out of the so-called "Streisand Effect"—the phenomenon of someone trying to cover up or otherwise limit public knowledge of some already public aspect of their life, and in the process drawing far more attention to the situation than would have been the case if they'd just kept quiet in the first place.

When we're talking about a wealthy celebrity trying to suppress photos of their Malibu mansion—that's what the Streisand Effect is named for, by the way—at least a few chuckles seem entirely understandable. But when governments unwittingly invoke the Streisand Effect via shortsighted, misguided, hamfisted attempts at censorship of important issues, it's difficult to find any humor on the stage.

So we now have the sorry spectacle of the government of India—at least in theory the world's largest democracy—petulantly and disastrously attempting to suppress the viewing of a BBC documentary exposing a nightmarish culture of rape within India itself.

That the situation has many complexities and subtleties is without question. A confluence of historical, cultural, religious, caste, and political forces are in play. And while it's certainly true that problems with rape are not by any means restricted to India, the unique character of the problem there, including the bizarre twist of many government officials who apparently themselves have had accusations lodged against them involving abuse of women, creates a particularly convoluted tapestry.

Into this sordid mix comes the new BBC documentary "India's Daughter"—exploring in painfully but necessarily straightforward detail many key aspects and circumstances of this problem.

The Indian government had three choices in the face of this incredibly important film. They could have ignored it. They could have embraced it as an element toward helping to solve their endemic problems with the abuse of women.

Then there's the choice they actually made—the worst possible of them all. The Indian government's choice was to attack the film, to attack the BBC, to attack the filmmaker—then they acted as quickly as they could (but ineffectually, as we'll see) to try to prevent their own citizens from seeing the documentary itself.

The actual visibility of the film in different parts of the world is tricky to catalog since it's a moving target, but one thing is pretty clear—anyone who really wants to see it can find a way to do so. The original broadcast version was on BBC-controlled outlets, and the BBC has followed its usual practice of asserting ownership rights to (try to) remove unauthorized copies from the Net (e.g., from YouTube). But the proliferation of copies—both on YouTube and on other easily accessible Net venues—has made that effort of limited success at best. Of course since BBC does indeed control those rights, it's within their purview to exercise them.

The behavior of the government of India regarding this film falls into an entirely different category, however. Variously asserting "risks to public order" and "damage to tourism"—among other arguments—the Indian government not only filed blocking demands with Google's YouTube—with which Google has been complying as per local laws through geographical blocks—but has also proclaimed the film a "defamation" of India. They've even proclaimed, seemingly taking a page from the EU's twisted sensibilities regarding "Right To Be Forgotten" censorship, that they'd like to find a way to ban the film globally.

Not a chance, India. Ain't gonna happen.

You know where this story is going. The censorship demands of India have vastly increased global awareness of "India's Daughter" and shot viewership globally (and in India) through the roof, for the multiplicity of copies and the relative ease of evading geo-blocks through a variety of technical means have made a laughingstock of the Indian government's reaction.

The real tragedy though isn't what this means for inept Indian government officials, but rather for the vast majority of people in India who are decent, hardworking, and even more horrified about the abuse of women in their country than are outside observers. I've heard from a lot of them directly from India over the last couple of days. Many heap criticism on their government, fearing that the government's behavior may be viewed in some quarters as an attempt to "cover up" or somehow justify abuse of women, and so reflect terribly on views of India globally. Most note that they have been able to see the film despite the government's efforts to block it, and some are literally praying that the end result will be positive for India and particularly for women, despite their government's atrocious behavior.

Unfortunately and unsurprisingly, there are the vulgar trolls as well. I've been dealing with them on my Google+ threads on this topic—I keep the "banhammer" on my belt right next to my phone, and the trapdoor lever is always close at hand—and as usual these vermin have made their presence known on YouTube video comments as well. You never want to feed the trolls, and you can't let yourself be distracted by them either.

Despite the immediate debacle of the Indian government's behavior regarding "India's Daughter" and their attempts to suppress it, the power of the Internet and yes, the Streisand Effect, will inevitably win the day in the end. And regardless of angry machinations by Indian politicians against the best interests of their own citizens, the Internet sunlight pouring in to illuminate the specter of rape and other abuse of women in India is in the end unstoppable. Not just in India, but around the entire globe, no matter how politicians pontificate and harass, ultimately the sands of censorship will still slip through their fingers.

This has tended to be historically true in the long run even before the time of the Internet, even before the coming of electronic communications in any form. In the Internet age, it's even more of a truth that governments and leaders can attempt to ignore only unsuccessfully, and only with the most extreme of peril.
ACM TechNews, Wednesday, March 4, 2015
Read the TechNews Online at: http://technews.acm.org

Craig Timberg, *The Washington Post* (03/03/15)

Companies and government agencies are scrambling to correct a major security flaw revealed this week that has left users of Apple and Google devices and users of millions of websites vulnerable to man-in-the-middle attacks for more than a decade. Dubbed FREAK, the vulnerability is the result of 1990s-era government policy that restricted the export of strong encryption techniques, which resulted in what is now considerably weak 512-bit encryption being coded into numerous software products that have since proliferated around the world. The flaw was discovered by French computer science lab INRIA during tests of encryption systems and took everyone by surprise as 512-bit encryption has been considered obsolete for more than a decade. University of Pennsylvania cryptographer Nadia Heninger was able to crack the vulnerable encryption in about seven hours by renting time on Amazon Web Services servers. Hackers could exploit this method to steal passwords and personal information and potentially launch broader attacks on affected websites. The University of Michigan estimates almost a third of all "secure" websites are affected by FREAK, with about 5 million encrypted websites still vulnerable as of Tuesday morning. Governments and businesses were working behind the scenes to address FREAK before it became public knowledge on Monday, and both Apple and Google are working on patches for computers and mobile devices.

http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d6f8x2c7a9x057755&
[From the FREAK researchers]

On Tuesday, March 3, 2015, researchers disclosed a new SSL/TLS vulnerability - the FREAK attack. The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use 'export-grade' cryptography, which can then be decrypted or altered.

There are several posts that discuss the attack in detail:

Ed Felten: https://freedom-to-tinker.com/blog/felten/freak-attack-the-chickens-of-90s-crypto-restriction-come-home-to-roost/
Matt Green: http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
The Washington Post: http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/

Tracking the FREAK Attack
https://freakattack.com

What You Need To Know
https://nakedsecurity.sophos.com/2015/03/04/the-freak-bug-in-tlsssl-what-you-need-to-know/
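The two FREAK items above describe a man-in-the-middle forcing vulnerable clients onto export-grade 512-bit RSA. As an added example (not the researchers' code and not a TLS library), this Python applies the check a FREAK-vulnerable client failed to make: it parses the offered suites out of a ClientHello and the chosen suite out of a ServerHello, then flags a choice the client never offered, an export-grade suite, and a temporary RSA key below 1024 bits. The handshake bytes are constructed inline, and the 1024-bit floor is an assumption of the example.

```python
"""Detect a FREAK-style export-grade downgrade in a TLS 1.0 handshake.

Added example, not the researchers' or any library's code. FREAK worked
because a client completed an RSA_EXPORT key exchange (512-bit temporary RSA
key) although it never offered an export suite. A correct endpoint, or a
passive monitor, catches that with two checks: the server's chosen suite
must be one the client offered, and neither suite nor key may be export grade.
"""
import struct

# IANA code points of the SSLv3/TLS 1.0 export cipher suites (RFC 2246).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
MIN_RSA_BITS = 1024  # assumed floor for this example; FREAK used 512-bit keys


def _skip_hello_prefix(handshake, expected_type):
    """Validate the handshake header and return the offset just past session_id.

    Both Hello messages start: type(1) length(3) version(2) random(32) session_id<0..32>.
    The TLS record-layer header is assumed to have been stripped already.
    """
    if len(handshake) < 4 or handshake[0] != expected_type:
        raise ValueError("unexpected handshake type %r" % handshake[:1])
    if int.from_bytes(handshake[1:4], "big") != len(handshake) - 4:
        raise ValueError("handshake length field does not match message")
    pos = 4 + 2 + 32
    sid_len = handshake[pos]
    if sid_len > 32 or pos + 1 + sid_len > len(handshake):
        raise ValueError("malformed session_id")
    return pos + 1 + sid_len


def client_hello_suites(handshake):
    """Return the cipher suite code points offered in a ClientHello."""
    pos = _skip_hello_prefix(handshake, 0x01)
    (suites_len,) = struct.unpack_from("!H", handshake, pos)
    pos += 2
    if suites_len < 2 or suites_len % 2 or pos + suites_len > len(handshake):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack_from("!H", handshake, pos + i)[0]
            for i in range(0, suites_len, 2)]


def server_hello_suite(handshake):
    """Return the single cipher suite the server selected in a ServerHello."""
    pos = _skip_hello_prefix(handshake, 0x02)
    return struct.unpack_from("!H", handshake, pos)[0]


def check_negotiation(client_hello, server_hello, rsa_key_bits=None):
    """Return a list of findings; an empty list means the negotiation is consistent.

    rsa_key_bits is the modulus size of the server's (temporary) RSA key taken
    from a ServerKeyExchange, if one was observed.
    """
    offered = client_hello_suites(client_hello)
    chosen = server_hello_suite(server_hello)
    findings = []
    if chosen not in offered:
        findings.append("server chose 0x%04x, which the client never offered" % chosen)
    if chosen in EXPORT_SUITES:
        findings.append("export-grade suite negotiated: " + EXPORT_SUITES[chosen])
    if rsa_key_bits is not None and rsa_key_bits < MIN_RSA_BITS:
        findings.append("%d-bit RSA key exchange is below the %d-bit minimum"
                        % (rsa_key_bits, MIN_RSA_BITS))
    return findings


# Constructed sample messages: TLS 1.0, zeroed random, empty session_id.
def build_client_hello(suites):
    body = (b"\x03\x01" + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")  # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body


def build_server_hello(suite):
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return b"\x02" + len(body).to_bytes(3, "big") + body


MODERN_OFFER = [0x002F, 0x0035, 0x000A]  # AES128-SHA, AES256-SHA, 3DES-SHA

if __name__ == "__main__":
    ch = build_client_hello(MODERN_OFFER)
    print("honest server:", check_negotiation(ch, build_server_hello(0x002F)))
    print("FREAK downgrade:", check_negotiation(ch, build_server_hello(0x0008), 512))
```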
To locate bank robber, FBI unusually asked for warrant to use stingray
http://arstechnica.com/tech-policy/2015/03/to-locate-bank-robber-fbi-unusually-asked-for-warrant-to-use-stingray/
I reported earlier about the ordeal of a few people who were arrested by the police in Japan because the computer trojan/virus they somehow downloaded sent threatening notes to various services. The police thought these people were the real perpetrators. But the real party behind the bot/virus and the blackmails sent a revealing e-mail to a lawyer, and demanded the wrongly arrested people be freed. The e-mail contains information that was only available to the person sending the original blackmails. As a result of this e-mail, and as the result of a local police force who found the trace of suspected unknown virus-like activity on one of the computers of the arrested men, the charges were dropped for all the falsely arrested people, and they were freed.

  [Trojan sent blackmails from PCs. Japanese Police arrested PC owners, 27.10]

In my post that started with the above paragraph (in Risks 27.10), I followed up on this earlier report with the news that a man was arrested on a few flimsy (to my eyes) pieces of evidence:

- a surveillance camera caught the man patting a stray cat on an island; the cat wore a neck collar in which an SD media card that described some things only the real perpetrator could know was found later. (A couple of mysterious e-mails had arrived at a few news media companies telling them to look for the media that contains the information that shows the arrest of the earlier people could be proved all wrong and how inept the police was when it comes to cybercrime. Police, in the presence of press reporters, found the cat and collected the SD media.)

- the virus/trojan seemed to have been created on an HP computer and this man's PC was made by HP (!?).

- his PC's log showed that this PC connected to the Tor network previously. The police had found that some earlier "bait" posts to popular BBSs to solicit unsuspecting readers to download free software infected with the trojan program were posted from the Tor network and the timing of connection was about right.

I then wondered aloud whether this man was the real culprit or another victim portrayed by the real perpetrator of the series of crimes as a falsified suspect to show the ineptness of the police again. (I learned today that during the subsequent court proceedings a few more "supporting" pieces of evidence were provided, but they all seemed to my eyes not strong enough to invalidate the "benefit of the doubt".)

Well, today I am reporting that the verdict is finally in. This man *WAS* guilty and he *ADMITTED* it. He was sentenced to 10 years in prison on February 4th. He did not appeal the decision to the higher court within two weeks. So the verdict is final and I am reporting it.

The scary thing is that his guilty verdict came only because (in my mind anyway) he made a crucial blunder during the trial. Details of how he was caught red-handed, so to speak:

In my eyes, the "evidences" collected by the police and presented by the prosecutor were so fragile that the verdict could go either way. As far as the crime went, the perpetrator hid his/her tracks rather well and unless the NSA or somebody like that is cooperating, any national police would have difficulty. But ARRESTING WRONG PEOPLE *was* the making of the Japanese police.

The crucial blunder he committed was this. During the court proceedings, this man sent a few e-mails from a mobile phone to media companies claiming that the man was innocent and that the e-mail was sent from the real perpetrator. He sent the e-mails out by a calendar feature so that the e-mails would be sent on May 16, 2014, when he would attend the court proceedings. Now, these e-mails would have raised the level of doubt in the media and society if it had not been known that these came from the same man. And this news of e-mails actually did raise my doubt in the police for a day or two. But he buried the live mobile phone in a river bank around sunset on May 15 so that the e-mails would be sent from the hidden unit.

But he *WAS SEEN* burying something in the river bank by a plain-clothes policeman nearby. After the e-mails reached the news media on the 16th, the buried object was dug out by the police and was found to be a phone, and the e-mails sent were recorded intact in the unit. After it was revealed to him that his deed had been seen on the spot and the phone with incriminating evidence was found, he finally admitted that he *IS* the real perpetrator, on May 19th.

[I have no idea whether the police intentionally tailed him. Quite likely. But I could not find any mention of the fact about this. Anyone seeing somebody burying a small object in a river bank would get curious. And it is possible that the burying was considered an exchange of illegal drugs by a peddler to the buyer or something.]

So, the real perpetrator was caught this time around, but it was not due to the skill of digital sleuths so much as to the criminal's blunder :-( The police and prosecutor may not have been able to catch this man without his strange habit of trying to send out e-mails to news media at crucial times, which eventually led to his demise. (The mind of criminals is hard to fathom.) Also, if he had been careful enough to hide this in a closed place not viewable from a distance, the police and prosecutor may not have been this lucky. [OK, I am not suggesting this to would-be criminals :-) ]

To be honest, it is quite likely that this man would have come out of the court proceedings found not guilty on the set of evidence alone. I have concerns about the level of digital readiness of the police and prosecution offices in Japan, although at the national level efforts are under way to modernize the skills and investigation methods. I bet the readers that the people who were arrested incorrectly and *GRILLED* by clueless police investigators are still fuming. And it seems this sort of ordeal can happen to ANYBODY from the way this crime was handled by the Japanese police and prosecution office.
Don't we live in interesting times?
In "Japanese Satellite Broadcasting scramble protection cracked" (Risks Volume 26: Issue 85), I reported the following story of a fight between a cracker community and paid broadcasting companies. It has been widely reported in many blogs in Japan that a widely used scramble protection system for satellite broadcasting (and for that matter some ground-based broadcasting) in Japan called B-CAS (BS Conditional Access System) has been compromised. Basically, satellite broadcasting relies on an IC card supplied by B-CAS company limited, to handle the management of subscription and duration (and presumably key handling for descrambling). In Japan, TV tuners on the market have the card slot where the card is inserted " [... description of how the internal password, keys for descrambling was cracked. ...] However, the operator of the paid-channel can not sit idle and must have been pushing B-CAS company to do something in the last few days. --- end quote --- That day of reckoning for the users of modified cards to view the paid channel without proper subscription finally came this month. According a comment from a friend who brought this news to me, WOWOW, one of the satellite broadcasting companies that use this BCAS service has finally changed the internal keys for descrambling WOWOW channel. BCAS card and the TV tuners are so designed that the dynamic update of the stored key is possible by suitable authorization key and this is exactly what they did if I understand my friend's comment correctly. Why didn't they change the key as quickly as two years ago when the news of compromise was announced? The reason cited by my friend is as follows. WOWOW allows a free trial subscription of two weeks to anyone for asking. And the key for this trial is one of the keys that was compromised during cracking in 2012. 
Only the expiration date is modified when a new user asks for a free subscription: I think the usage of the key and the starting date is activated on the first use/access to the channel AUTOMATICALLY and the remaining days is decremented each day. The user can view the TV for two weeks using the key for descrambling. Once the expiration day comes, the card cannot provide the key for descrambling to TV tuner any more. If the user wants to continue seeing the channel, he/she will contact WOWOW for official subscription. I think this free trial period without manual intervention is very important marketing-wise. Back in 2012, the thinking of the broadcasting station seemed as follows. Since there have been many legitimate BCAS cards in the distribution channel with the compromised key, if WOWOW decides to change the key stored in the card for trial viewing, the users who buy the tuners with BCAS card with old key will no longer be able to experience the free trial. (WOWOW could theoretically allow 2-weeks free trial by using the normal billing system, but I don't think their system allows such flexible usage: their billing works only at the resolution level of calendar months as far as I could tell.) Also, *even if* such usage of billing system was possible, the cost of telephone support for free-trial would be huge and not attractive and increasing the support staff will dampen the subsequent marketing success. After all, the beauty of free trial seems to be there is no human intervention at all to start it. WOWOW, even during normal time, is understaffed as far as new subscription goes: it had to go way out of ordinary business practice just before a few big sport events in the last 12 months (such as soccer world cup, and Nishigori tennis match) so that a new subscriber's tuner is given a descrambling key first for viewing before the paper processing on the account side is finished completely. 
(The key is sent via broadcasting signal and one has to wait for 30 minutes by tuning into WOWOW channel before the key is received and stored properly in the BCAS card for descrambling in the unit.) Adding more workload on the telephone support to handle manual intervention for every free trial request would have been unthinkable for it. Anyway, after two years from the news of compromise, WOWOW now seems to think the virtually no BCAS cards with compromised keys inside are still in the distribution channel. Old cards supplied with TV tuners have been sold. So they can effectively change the keys used both for free viewing (with limited duration that decreases each day) and descrambling of normal broadcast (with duration that seems to be extended each month based on subscription). They figure virtually nobody will be inconvenienced by this arrangement. New BCAS cards in the distribution channel come with new keys and legitimate existing users have their keys changed by signals from broadcast. Those who get unlucky to use old BCAS card (with the old key) to access WOWOW for the first time after the key is changed, and told on the screen that free trial is no longer possible can call customer support: but number of such users will be very small as WOWOW correctly figures. *BUT*, no basic hardware modification was attempted after all due to the large cost such a move will necessitate. At $5 a card, and reportedly close to 100 million cards in Japan, who will bear the cost? So, WOWOW took the least expensive solution although it is not bullet-proof. Even though the WOWOW key has been changed this way, my friend told me that some souls already figured out the new key and posted the key to underground BBSes (!) I wondered how it is possible, but it seems that some people bought paid subscription to WOWOW using the BCAS card with compromised backdoor so that they can monitor the content of the keys inside. 
Once they noticed the change of the keys in early February and figured out the intention of WOWOW, at least some souls posted the changed keys to the BBSes. The revealed keys will enable the use of modifiable BCAS cards, and of "soft" BCAS emulators that descramble the recorded scrambled signal afterward on a PC. The act of posting such a key is amazing, since the police, after prodding from the broadcasters, arrested a few people in the last couple of years:

- one posted the source code with a detailed explanation of how the BCAS card could be modified for free viewing until 2038 [YES, it has the 32 bit wrap around time issue :-) ]
- and a few others who obtained these modifiable cards and sold them at auctions for profit.

These arrests and the sentences handed out to the people who have been caught have made the crackers hide underground, and so I could not learn as much technologically from public BBSs as I could in 2012. But I found these public BBSs are full of cries from people who seem to have bought "black" BCAS cards from shady dealers, asking if further modification is possible to cope with the new key. (The posts are superficially anonymous, although the ISP will keep the log for three months.) At least one other broadcaster seems likely to follow WOWOW's track and change its key shortly, according to my friend's guess. Because the new key is already publicized on underground BBSs, people who are savvy enough to modify the cards in the first place probably can do so again. But these people are really a minority. I think WOWOW wants to weed out the general consumer-types who bought the shady "black" BCAS cards from dubious sources. I think WOWOW has been successful. After a few more such key changes in the next few years, the "black" BCAS cards may not look so cheap any more (they commanded a hefty price, but will be less inexpensive than the paid subscriptions to all the paid channels it covers for a year or two.)
So, from the viewpoint of WOWOW, a little deterrence goes a long way. It and the other broadcasters probably don't care if a small minority of technically savvy crackers are enjoying a free ride as long as the general consumers stay away from "black" BCAS cards from shady dealers. (Oh, I should mention that a high percentage of the spam I have received since 2012 is related to "black" BCAS cards. So there *IS* demand and supply.)
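The post above describes three mechanisms without showing how they interact: a trial entitlement that starts its clock on first use and expires, a broadcast key rotation that reaches only entitled cards (so stale retail cards and cloned "black" cards stop working), and the failure mode where an entitled but instrumented card leaks the rotated key. The following is an added Python model of that arrangement; it is constructed for this digest and is not BCAS, WOWOW or any broadcaster's code. The group key / card key split, the ECM and EMM message names, the fourteen-day counter and the SHA-256 keystream cipher are all assumptions of the model, not details from the post.

```python
"""Toy model of a broadcast conditional-access key rotation (constructed example).

Assumed model: a shared group key (GK) lets a card recover the programme
descrambling key (CW) from an entitlement control message (ECM); each
legitimate card also holds an individual card key (CK), and the broadcaster
rotates GK by sending the new value to each entitled card sealed under its CK
(an EMM); a trial card starts its day counter on first use and stops at zero.
The keystream-plus-tag cipher stands in for a real AEAD such as AES-GCM.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import List, Optional

NONCE_LEN = TAG_LEN = 16

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def seal(key: bytes, msg: bytes) -> bytes:
    """Encrypt and tag msg under key: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    tag = hashlib.sha256(b"tag" + key + nonce + body).digest()[:TAG_LEN]
    return nonce + body + tag

def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify under key."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if hashlib.sha256(b"tag" + key + nonce + body).digest()[:TAG_LEN] != tag:
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

@dataclass
class Card:
    card_key: bytes                   # individual CK; empty on a cloned "black" card
    group_key: bytes                  # GK programmed at manufacture (may be stale)
    trial_days: Optional[int] = None  # None for a subscription card
    days_left: int = 0
    trial_started: bool = False

    def descramble(self, ecm: bytes) -> Optional[bytes]:
        """CW for this programme, or None if the card cannot or may not supply it."""
        if self.trial_days is not None:
            if not self.trial_started:        # first access starts the clock
                self.trial_started, self.days_left = True, self.trial_days
            if self.days_left <= 0:
                return None                   # trial expired
        return unseal(self.group_key, ecm)    # None when GK is stale

    def tick_day(self) -> None:
        if self.trial_started and self.days_left > 0:
            self.days_left -= 1

    def apply_emm(self, emm: bytes) -> None:
        new_gk = unseal(self.card_key, emm)   # only the addressed card can open it
        if new_gk is not None:
            self.group_key = new_gk

class Broadcaster:
    def __init__(self) -> None:
        self.group_key = os.urandom(32)
        self.entitled_card_keys: List[bytes] = []

    def ecm(self, cw: bytes) -> bytes:
        return seal(self.group_key, cw)

    def rotate(self) -> List[bytes]:
        """Choose a new GK and return one EMM per entitled card."""
        self.group_key = os.urandom(32)
        return [seal(ck, self.group_key) for ck in self.entitled_card_keys]

def run_scenario() -> dict:
    bc = Broadcaster()
    gk_old = bc.group_key
    legit = Card(os.urandom(32), gk_old)                 # subscribed, receives EMMs
    bc.entitled_card_keys.append(legit.card_key)
    trial = Card(os.urandom(32), gk_old, trial_days=14)  # retail card with old GK
    clone = Card(b"", gk_old)                            # built from the leaked GK
    cw, out = os.urandom(16), {}
    ecm = bc.ecm(cw)
    out["before_rotation"] = [c.descramble(ecm) == cw for c in (legit, trial, clone)]
    for _ in range(13):                                  # clock started on first access
        trial.tick_day()
    out["trial_day_13_ok"] = trial.descramble(ecm) == cw
    trial.tick_day()
    out["trial_day_14_expired"] = trial.descramble(ecm) is None
    for emm in bc.rotate():                              # reaches entitled cards only
        legit.apply_emm(emm)
        clone.apply_emm(emm)
    late_trial = Card(os.urandom(32), gk_old, trial_days=14)  # old card, first use after rotation
    ecm2 = bc.ecm(cw)
    out["after_rotation"] = [c.descramble(ecm2) == cw for c in (legit, late_trial, clone)]
    clone.group_key = legit.group_key                    # instrumented entitled card leaks GK
    out["after_leak_from_entitled_card"] = clone.descramble(ecm2) == cw
    return out
```

Calling `run_scenario()` returns the outcome of each step: every card works before rotation, the trial card stops on day 14, rotation cuts off the stale retail card and the clone while the subscribed card continues, and the last entry shows why rotation alone is not bullet-proof: once any entitled endpoint can be read out, the new group key is as exposed as the old one, which is exactly the situation the post reports. The defensive lesson is that rotation buys time against stale cards only; durable protection needs per-card keys that never leave tamper-resistant hardware and an entitlement that does not depend on a single shared secret.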
FYI—If you're a senior govt official, don't try this at home. http://www.thedailybeast.com/articles/2015/03/07/hillary-s-secret-email-was-a-cyberspy-s-dream-weapon.html When a notorious online break-in artist got a hold of the Secretary of State's now-infamous email address, he gave himself the power to use it to target the global elite. The private email address for Hillary Clinton, which became the talk of Washington this week and created her first major speed bump on her road to the White House, has actually been freely available on the Internet for a year, thanks to a colorful Romanian hacker known as Guccifer. On March 14, 2013, Guccifer—his real name is Marcel-Lehel Lazar—broke into the AOL account of Sidney Blumenthal, a journalist, former White House aide to Bill Clinton, and personal confidante of Hillary Clinton. Lazar crowed about his exploits to journalists, disclosing a set of memos Blumenthal had written to Clinton in 2012, as well as the personal email address and domain she's now known to have used exclusively for her personal and official correspondence. [...]
>Since the use was non-commercial, the public has a clear interest in Bush's
>correspondence since he was a government official at the time and a likely
>candidate for US President, and the commercial market of the e-mail is
>negligible, the argument for fair use in this case is very small.

Grr ... is very STRONG. That is, it is very unlikely that, should anyone take this to court, they would win.
>NOT! As a first order WAG, I would assume that the TOS involved in emailing
>the governor *in his official capacity as an elected public figure, cover
>that. And the FOIA would cover the publication.

TOS? There are no terms of service on incoming e-mail. Or if there are, in return for the valuable information you have obtained by reading this message you hereby agree to pay me $1,000 (CAD because I'm feeling generous.) Pay up. FOIA is a Federal law, but Jeb was a state official. Florida has what is inevitably named the Sunshine Law that provides access to state documents, and I agree that his mail would likely be included.
https://developers.google.com/maps/faq#china_ws_access

"Why can't I access Google Maps APIs from China? The Google Maps APIs are served within China from the domain maps.google.cn. This domain does not support https. When making requests to the Google Maps APIs from China, please replace https://maps.googleapis.com with http://maps.google.cn."
[Security from attack] "Even if it is theoretically possible, it has been demonstrated in the most compelling possible terms that it will not be done for a host of reasons. The most benign fall under the rubric of "Never ascribe to malice what is adequately explained by stupidity" while others will be aggressively malicious. Napoleon's aphorism brings to mind that the two increasing levels of attack can most usefully be described by:

Grey's Law (with apologies to one A.C. Clarke): Any sufficiently advanced incompetence is indistinguishable from malice.

And what I call Machiavelli's corollary: Any sufficiently advanced malice is indistinguishable from incompetence.

Or: "They are so useless that you think they are doing it on purpose." And: "They are so good at messing you over, that you have no idea it was being done, on purpose." And far too much of the future impact of 'Obnoxious Things' will look like the latter.

R. Geoffrey Newbury, 150 Lakeshore Road West Mississauga, Ontario, L5H 3R2 t905-271-9600 newbury@mandamus.org
>If automated automobiles become practical and widely adopted, then car
>accidents will be the result of programming errors instead of driver errors,
>which makes the assignment of responsibility in litigation a challenge.

Gee, it's as though we haven't had operatorless transit vehicles for decades. Granted, they're not exactly the same since transit vehicles usually run on a track, but people can get stuck in the doors or trespass on the track, and somehow we've been able to deal with it.