Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
American Airlines flights experienced significant delays this evening after pilots' iPads--which the airline uses to distribute flight plans and other information to the crew--abruptly crashed. "Several dozen" flights were affected by the outage, according to a spokesperson for the airline. "The pilot told us when they were getting ready to take off, the iPad screens went blank, both for the captain and copilot, so they didn't have the flight plan," Toni Jacaruso, a passenger on American flight #1654 from Dallas to Austin, told Quartz. "The pilot came on and said that his first mate's iPad powered down unexpectedly, and his had too, and that the entire 737 fleet on American had experienced the same behavior," said passenger Philip McRell, who was also on flight #1654. "It seemed unprecedented and very unfamiliar to the pilots." Other passengers in New York and Chicago also said they were being affected by the outage. http://qz.com/393909/american-airlines-planes-are-grounded-because-their-pilots-ipads-have-crashed/
Where's the backup system?
Jad Mouawad, *The New York Times*, 30 Apr 2015 Federal regulators will order operators of Boeing 787 Dreamliners to shut down the plane's electrical power periodically after Boeing discovered a software error that could result in a total loss of power. The Federal Aviation Administration said on Thursday that Boeing found during laboratory testing that the plane's power control units could shut down power generators if they were powered without interruption for 248 days, or about eight months. The findings were published in an airworthiness directive. Boeing said the problem had occurred only in lab simulation and no airplane had experienced it. Boeing said that powering the airplane down would eliminate the risk that all power generators would shut down at the same time. The company said it was working on a software update that should be ready by the fourth quarter this year. The plane maker said that power was shut down in all airplanes in service in the course of the regular maintenance schedule, and that it would be rare for a plane to remain with power on without interruption for eight months. [... Truncated for RISKS. PGN]
It's not clear how likely it is that generator could be left on for eight months. Do they run between flights and over-night? Only powered down at maintenance checks? Or go off when parked, like your car? Nice to see this was discovered in a lab simulation, not in mid-air. Richard Karash Richard@Karash.com +1 617-308-4750 — http://Karash.com [Also noted by Jeremy Epstein... PGN]
*The Washington Post*, 30 Apr 2015, via NNSquad http://www.washingtonpost.com/blogs/the-switch/wp/2015/04/30/congressman-with-computer-science-degree-encryption-back-doors-are-technologically-stupid/ The debate over whether companies should be forced to build in ways for law enforcement to access communications protected by encryption took a tense turn this week in a congressional hearing. On one side were law enforcement officials, including a high-ranking FBI official. On the other were tech-savvy members of the House Government Oversight and Reform Committee's Information Technology subcommittee—two with computer science degrees. "It is clear to me that creating a pathway for decryption only for good guys is technologically stupid," said Rep. Ted Lieu (D-Calif.), who has a bachelor's in computer science from Stanford University. "You just can't do that."
There's a good article in *The Guardian* pointing out that the members of the U.S. Congress, who would legislate cybersecurity for all Americans, do not themselves take the slightest security precautions - none of them encourage (or, for the most part, use) encrypted communication and none of their websites use https. http://www.theguardian.com/commentisfree/2015/apr/18/congress-cannot-be-taken-seriously-on-cybersecurity
Public wifi networks in airports & hotels often utilize man-in-the-middle techniques to require some sort of login—e.g., Ruckus Wireless. With "HTTPS Everywhere" & other new browser techniques to stop MITM techniques, it becomes almost impossible to use these networks. I now have to use a "throwaway" Chrome browser on my laptop that I use *only* for initial login to these networks with an HTTP throwaway home page. Once logged in, I can then fire up a real, *locked-down* browser that uses HTTPS Everywhere, NoScript, Tor, etc. Since public wifi networks place computers *most* at risk, these public wifi networks are going to have to find a better—i.e., more secure—way to login, as MITM'ing an http request is perhaps the world's worst (i.e., most insecure) idea ever invented.
http://www.nytimes.com/2015/04/28/opinion/preparing-for-warfare-in-cyberspace.html A new strategy begins to lay out the conditions under which America would use cyberweapons.
This idea has been around for a while, but the title says it all. All new cars will within three years contain tracking devices that alert the emergency services in the event of an accident. Under EU laws passed on Tuesday the technology will be compulsory from 2018 and fitted as standard in every model of car and small van. A serious crash will prompt an automatic call to the nearest emergency centre. Even if nobody in the vehicle is able to speak, the device will still relay the exact location, time, direction of travel, the scale of the impact and whether airbags have been deployed. <http://ec.europa.eu/digital-agenda/en/news/ecall-all-new-cars-april-2018> Apart from the privacy concerns mentioned, a couple of queries occur to me, assuming that this feature will use the regular public mobile telephone (cellphone) network: - If there's a multi-vehicle pile-up, could the cellphone network in the vicinity of the crash be overloaded by these automatically-generated calls, possibly blocking other urgent communications (as happened in the Boston Marathon bombing)? - Presumably this will increase the call-handling load for the cellphone network, so who pays? Do car owners have to take out a cellphone subscription, or will cellphone companies get some sort of Gov't funding, or will their other customers effectively subsidise the service? http://www.telegraph.co.uk/news/uknews/road-and-rail-transport/11569453/All-cars-must-have-tracking-devices-to-cut-road-deaths-says-EU.html
[I think that they may be thinking about closing the gate (after the horses ran away) by putting in a few pieces of bamboo :-) DKross] http://www.c-span.org/video/?325544-1/health-human-services-secretary-testimony-fiscal-year-2016-budget Sen Lamar Alexander to HHS Secretary Burwell "... half of doctors don't like their EHRs to the point that they'll accept Medicare penalties rather than deal with workflow disruption..." And added that the "...AMA found that 70 percent of doctors say their EHRs weren't worth the cost and that EHRs are the leading cause of physician dissatisfaction..."
Ian Paul, PCWorld, 30 Apr 2015 Twitter Cards are cool for watching videos or listening to tunes without leaving Twitter. But now the Internet Archive has the best use for Twitter's rich media feature yet: old-school MS-DOS games that can be played right inside a tweet. http://www.pcworld.com/article/2916528/now-you-can-embed-classic-ms-dos-games-in-tweets.html I guess this is one way to find/fix security exploits, but probably not the best way...
A case came up in Australia in 2011 of scratch-off gambling cards showing a winning match, and the winner got AUD100,000. However, company sue and won due to the code on the bottom of the card not being a "winning code". I was surprised the lotteries law allowed for this kind of opacity which could presumably be abused. http://www.abc.net.au/news/2011-08-25/scratchie-case-loss-a-picture-of-pain/2855046
I worked in IT for Starbucks the 1990s (1996-1999) and we had a VERY similar
(at least from what I can glean from the press reports of this one) failure
in 1998 (might have been '97).
Jeremy Epstein comments, "I don't know anything about running global IT
infrastructures, so perhaps I'm naive, but I would think that rollouts would
be done in a rolling fashion to avoid shutting down the entire company" - I
do know a bit about this, and I don't think I'd be violating any
non-disclosures by saying that even in the earlier failure, the updates
"pushed" to the stores were staggered (and I assume still are). I'm sure
the "failure mode" was much more complex. And, yeah, there probably is some
naiviety there, preventing ALL possible failure modes like this costs money
(at the very least, having onsite or rapidly available backups at every
store AND having at least 2 partners trained in how to perform the restore),
AND, even if that WAS a possibility, I can see how the "fog of the moment"
could make it difficult to implement ("Before we strike out on our own,
let's give corporate a chance to fix this", or "They told us they'd be back
up in 1 hour, and the recovery will take at least 2"). I also worked for
WaMu (another whole set of Risks:)); and I know the steps we took to ensure
"branch Independence" were pretty amazing and also VERY costly.
This is interesting from a number of standpoints - we now have 2 datapoints
from the same company; I would assume that the various systems have
changed/grown over the years (it would be REALLY interesting to have a
current or more recent Starbucks partner comment). IMHO, 2 failures in 17
or 18 years is really not too bad.
Please report problems with the web pages to the maintainer