https://en.wikipedia.org/wiki/Dual_EC_DRBG "one of the numbers in the winning combination appeared on TV screens before it was actually drawn" Quantum entanglement may be implicated... https://en.wikipedia.org/wiki/Alain_Aspect http://bigstory.ap.org/article/4b23b095df6345dfaaa993192ce8ab93/serbia-lottery-chief-resigns-live-ticket-draw-scandal Serbia lottery chief resigns in live ticket draw scandal Jul. 30, 2015 12:27 PM EDT BELGRADE, Serbia (AP) The head of Serbia's state lottery resigned on Thursday following allegations of fraud during a live ticket draw this week. In a live broadcast Tuesday evening, one of the numbers in the winning combination appeared on TV screens before it was actually drawn. That sparked accusations that the numbers had been chosen in advance. The State Lottery has denied fraud and blamed the incident on a "technical mistake." The company head, Aleksandar Vulovic, said Thursday that he was stepping down out of "moral obligation." "The draw was completely in accordance with the rules and the company abides by the law," the state lottery said in a statement. Police said lottery employees who worked during the draw will undergo a lie detector test, while computers and other equipment have been impounded. Police said they have questioned six people in the scandal. The lottery is very popular in Serbia, a Balkan country with a poor economy and widespread corruption.
Security Ledger via NNSquad https://securityledger.com/2015/07/doctors-still-in-the-dark-after-electronics-records-hack-exposes-data-on-4-million/ Four million patients of more than 230 hospitals, doctors offices and clinics had patient data exposed in a May hack of Fort Wayne, Indiana firm Medical Informatics Engineering (MIE) and its NoMoreClipBoard electronic health records system, according to the Indiana Attorney General. The breach affected 3.9 million people in total, 1.5 million in Indiana alone, almost a quarter of the state's population, according to a statement by the Indiana Attorney General's Office. The breach affects healthcare organizations from across the country. Healthcare providers ranging from prominent hospitals to individual physicians' offices and clinics are among 195 customers of the NoMoreClipBoard product that had patient information exposed in the breach. However, more than a month after the breach was discovered, some healthcare organizations whose patients were affected are still waiting for data from EMI on how many and which patients had information exposed, the Security Ledger has learned. "We have received no information from MIE regarding that," said a spokeswoman for Fort Wayne Radiology Association, one of hundreds of healthcare organizations whose information was compromised in the attack on MIE. Calls and e-mail messages seeking comment from EMI were not returned.
DataCenterKnowledge via NNSquad http://www.datacenterknowledge.com/archives/2015/07/28/google-cloud-platform-to-let-customers-control-encryption-keys/ Now, the "Customer-Supplied Encryption Keys" feature allows customers to use their own encryption keys as a free beta feature, providing customers more control around their data security, as long as they are able to securely store the encryption key. "With Customer-Supplied Encryption Keys, we are giving you control over how your data is encrypted with Google Compute Engine," Leonard Law, product manager for Google Cloud Platform for Enterprise, wrote in a blog post. "Keep in mind, though, if you lose your encryption keys, we won't be able to help you recover your keys or your data - with great power comes great responsibility!"
IT World via NNSquad http://www.itworld.com/article/2956115/counterterrorism-expert-says-its-time-to-give-companies-offensive-cybercapabilities.html The U.S. government should deputize private companies to strike back against cyberattackers as a way to discourage widespread threats against the nation's businesses, a former government official says. Not just an idiot, but an incredibly dangerous idiot.
http://www.lawfareblog.com/iphones-fbi-and-going-dark
The more time we spend swimming in digital waters, the shallower our cognitive capacity becomes and the less control we have of our attention. http://www.nytimes.com/2015/08/01/business/dealbook/struggling-to-disconnect-from-our-digital-lives.html
As new tech companies spend huge amounts to lure customers with deals, it's a great time to be a consumer. But can these companies ever turn a profit? http://www.nytimes.com/2015/07/30/technology/personaltech/steep-discounts-a-boon-for-customers-but-a-gamble-for-start-ups.html
The police said they believed Mr. Karpeles had manipulated transaction records on a computer system that Mt. Gox used to swap Bitcoins for dollars. http://www.nytimes.com/2015/08/02/business/dealbook/mark-karpeles-mt-gox-bitcoin-arrested.html
http://arstechnica.com/tech-policy/2015/08/uk-peer-calls-for-universal-internet-delete-button-may-also-want-unicorns/ In an interview with the Irish Examiner, Baroness Kidron was tackled on this point. "The question of how they know you are a child is a torturous question," she told the paper. "There are plenty of companies that work on anonymous verification and there are ways websites can know that a kid is a kid without knowing who they are." Essentially, then, the good Baroness believes in techno-magic: those clever geeks will come up with some unspecified system that can work out a young person's age to the nearest day--or month, or year, depending on your gullibility--without even knowing who they are. That's merely one technical reason why the system will be impossible to implement. Another is because of legal issues. Last week, Google politely but firmly refused to extend the so-called "right to be forgotten" from Europe to the whole world. As it wrote on its blog, "We believe that no one country should have the authority to control what content someone in a second country can access." Other Internet companies are likely to agree with that viewpoint, which means that at best they might block access to a young person's post for visitors from the UK, or possibly in Europe, but it would still exist for users in other countries (and for those who connect via VPNs, of course). Dangerous pandering politicos.
Samsung is reducing the price of its Galaxy S6 mobile phone. That doesn't necessarily mean that buyers should rush in. http://bits.blogs.nytimes.com/2015/07/30/why-consumers-should-tread-carefully-with-samsung-galaxys-price-cut/
Comey voice: "You have reached the telephone of John Doe. Please leave a detailed message so that we may get track to you." [No iWarrants necessary.] Although the NSA politely refused comment on the Apple announcement, Adm. Michael Rogers was seen to be giving a high five to Mr. Comey. http://www.businessinsider.com/apple-siri-voicemail-transcription-service-2015-8 Apple is preparing to launch a voicemail service that will use Siri to transcribe your messages James Cook Aug. 3, 2015, 5:51 AM Apple employees are testing a voicemail service that uses Siri to answer your calls and transcribe voicemail messages. Apple's iCloud service will then send you the text of the transcribed voicemail—meaning you will never need to listen to your voicemails again, sources tell Business Insider. The new service is being prepared for launch in 2016, we hear. Apple's proposed solution is both incredibly simple and incredibly clever: People like to leave voicemails (it's often quicker to orally deliver your information than it is to type it in a text message). But they don't like to receive voicemails (it's a lot quicker to read a text than it is to listen to the person talking to you). The new product will also bridge a generation gap: Older users like voicemails. Young people do not. We first heard about Apple employees using a new kind of voicemail service several weeks ago. Here is how it works: When someone using iCloud Voicemail is unable to take a call, Siri will answer instead of letting the call go to a standard digital audio recorder. iCloud Voicemail can relay information about where you are and why you can't pick up the phone to certain people. But the coolest feature of the service is that Siri will transcribe any incoming voicemails, just as it does with anything else you say to it. 
Here's what it looks like at the moment when Siri transcribes something you say into text: http://static3.businessinsider.com/image/55bf3a6add0895fa668b4682-800-250/fullsizerender.jpg Apple sends voice data to company servers, where Siri converts the words spoken into text. iCloud Voicemail will presumably function in the same way, sending the raw voicemails to Apple, and Siri will then transcribe them and make them available on your iPhone. Siri is already going to be upgraded in iOS 9, Apple's coming mobile operating system. It will be able to search within applications and predict what you want to do. Clearly, Apple is focusing on its virtual assistant, and iCloud Voicemail will be another part of what it can do. Multiple Apple employees are testing iCloud Voicemail. Business Insider understands that the service is scheduled to be released in 2016 if it works reliably enough, presumably with the iOS 10 mobile operating system. Apple has already launched products that stray into the domain of mobile phone network and wireless service providers. It quietly launched Apple SIM in 2014, which lets customers switch between networks easily, all through the device. There has been continued speculation that Apple may want to become its own mobile virtual network operator. (An MVNO rents bandwidth from traditional wireless service suppliers and bills customers who go through it.) iCloud Voicemail would replicate something that carriers already do. Another incentive for Apple to launch its own carrier network would be to compete with Google. Google is operating its own service, but only through its Nexus 6 smartphone.
"the bill that would give participants in the proposed information-sharing program immunity not just from prosecution, but from regulatory action" Sam Thielman, *The Guardian*, 3 Aug 2015 Homeland Security admits Cybersecurity Information Sharing Act raises concerns while corporations and data brokers lobby for bill as it returns to Senate http://www.theguardian.com/world/2015/aug/03/cisa-homeland-security-privacy-data-internet The Department of Homeland Security (DHS) on Monday said a controversial new surveillance bill could sweep away `important privacy protections', a move that bodes ill for the measure's return to the floor of the Senate this week. The latest in a series of failed attempts to reform cybersecurity, the Cybersecurity Information Sharing Act (Cisa) grants broad latitude to tech companies, data brokers and anyone with a web-based data collection to mine user information and then share it with `appropriate Federal entities', which themselves then have permission to share it throughout the government. Minnesota senator Al Franken queried the DHS in July; deputy secretary of the department Alejandro Mayorkas responded today that some provisions of the bill `could sweep away important privacy protections' and that the proposed legislation `raises privacy and civil liberties concerns'. Much of the attention on Cisa has been directed at companies such as Google, Facebook and Comcast, which have large hoards of Internet user behavior. But arguably more important are data brokers. Among the groups lobbying for the passage of Cisa are Experian, which tracks consumer trends using information from loyalty cards and other sources and licenses the information to help target advertising; Oracle, whose Data Cloud product works similarly; and Hitrust, which aggregates healthcare information. 
The paragraph generating the most concern can be found in section 4 of the bill: [a] private entity may, for cybersecurity purposes, monitor A) the information systems of such a private entity; B) the information systems of another entity, upon written consent of such other entity and D) information that is stored on, processed by, or transiting the information systems monitored by the private entity under this paragraph. Debate on the bill could start on Wednesday with a vote on Thursday. Privacy concerns are already significant in the private sector, where the use of personal data at scale is largely unregulated. “With respect to data brokers that sell marketing products, the Commission recommends that Congress consider legislation requiring data brokers to provide consumers access to their data, including sensitive data held about them, at a reasonable level of detail, and the ability to opt out of having it shared for marketing purposes,'' wrote the FTC in a whitepaper titled Data Brokers: A Call for Transparency and Accountability last May. Such legislation has been introduced, but is repeatedly referred to committee. https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf Data brokers are anxious to avoid losing the ability to aggregate vast quantities of personal data - the sale and licensing of consumer databases is a lucrative practice, as web advertising booms and TV advertising becomes more sophisticated. It's also a practice that prefers not to disclose exactly what information it is holding. Mike Seay, an Illinois man whose child died the year previous, received in 2014 a junk mail flier from OfficeMax addressed to “Mike Seay, Daughter Killed in Car Crash'' (this was indeed how his 17-year-old daughter had died). 
Cisa's mandate would seem to cover the publicly used interfaces of the health insurers and banks—including SunTrust, Prudential, American Express, Aflac and Bank of America—that lobbied on the bill. Drew Mitnick of digital advocacy organization Access Now pointed to language in the bill that would give participants in the proposed information-sharing program immunity not just from prosecution, but from regulatory action. “The transparency requirement is so narrow that, if you met the requirements within the bill to get protection, it would give [participating companies] broad range to collect data and then send it to the government.'' Lobby group the Financial Services Roundtable (FSR) on Monday launched an advertising campaign, stopcyberthreats.com, aimed at tackling an online campaign by privacy activists who have dubbed Cisa `the Darth Vader bill' and are worried by the sweeping legal immunity corporations will receive under Cisa. If the bill were to pass and enough of those companies were to cooperate with any given agency, the amount of information floating free within the federal government could easily extend to credit card histories (collected by data miners at Argus), lists of goods purchased (aggregated from customer loyalty cards by companies including Acxiom and Experian), and healthcare records (tracked by insurers). Credit check giant Experian said that the company would like to see the legislation pass. “Experian supports legislation that would facilitate greater sharing of cyberthreat information among appropriate private and government entities,'' said a company spokeswoman in a statement to the Guardian. “Such sharing arrangements, under parameters set by law, could improve our mutual efforts to better detect and respond to emerging cyber threats.'' The company also laid the duty to walk the knife's edge between citizens' information security and their personal safety at the feet of their elected officials. 
“Congress has the responsibility to balance the need for facilitating greater information sharing, and thereby enhancing cyber security, with important consumer privacy concerns. We encourage and support Congress' effort in striking this balance.''
http://www.kattenstoet.be/en/page/497-510/cat-torturing-in-the-middle-ages.html Once again, people who live in glass houses shouldn't be throwing anything, much less rocks. Focusing on fixing vulnerabilities is like building a “10-foot wall at the price of $1 million around your complex,'' he added. Then, [the criminals] “go out and purchase a 15-foot ladder for $30.'' And when you can't find the criminals, the alternative is? “When you decide you're going to breach territorial jurisdiction and go after someone, you have opened up a can of worms which is well beyond the scope of your threat,'' Rogers added. I never thought I would agree with Mike Rogers on anything! Grant Gross, IT World, 3 Aug 2015 Counterterrorism expert says it's time to give companies offensive cybercapabilities http://www.itworld.com/article/2956115/business/counterterrorism-expert-says-its-time-to-give-companies-offensive-cybercapabilities.html The U.S. government should deputize private companies to strike back against cyberattackers as a way to discourage widespread threats against the nation's businesses, a former government official says. Many U.S. businesses have limited options for defending their IP networks, and the nation needs to develop more `aggressive' capabilities to discourage cyberattacks, said Juan Zarate, the former deputy national security advisor for counterterrorism during President George W. Bush's administration. The U.S. government should consider allowing businesses to develop “tailored hack-back capabilities,'' Zarate said Monday at a forum on economic and cyberespionage hosted by think tank the Hudson Institute. The U.S. government could issue cyberwarrants, giving a private company license “to protect its system, to go and destroy data that's been stolen or maybe even something more aggressive,'' he added. 
Zarate, now a senior counselor focused on sanctions at antiterrorism think tank the Foundation for Defense of Democracies, called for better cybersecurity tools as well, but suggested a new way of thinking about the tools “that not only puts us on the defensive, but also on the offensive.'' Also: http://hudson.org/research/11408-cyber-enabled-economic-warfare-an-evolving-challenge https://s3.amazonaws.com/media.hudson.org/files/publications/2015.08CyberEnabledEconomicWarfareAnEvolvingChallenge.pdf
It can easily feel as if no one's bank account or credit card is safe. But for consumers, the effect is quite different from what the headlines suggest. http://www.nytimes.com/2015/08/02/business/stolen-consumer-data-is-a-smaller-problem-than-it-seems.html
Reuters is reporting that the mobile interfaces found to be vulnerable to recently reported remote control exploits in Fiat Chrysler Jeep vehicles may also be present in other manufacturers' vehicles. Apparently, the vendor who produced the systems has other automotive customers. This incident highlights the need for integral firewalls when constructing remote access mechanisms for network connected devices. This is not a problem limited to vehicular electronics; it is present in a large number of devices that are network-enabled (e.g., IoT). The complete Reuters article is at: http://www.reuters.com/article/2015/07/31/us-fiat-chrysler-hacking-regulator-idUSKCN0Q525U20150731 - Bob Gezelter, http://www.rlgsc.com
In Risks 28.82, Alister Macintyre writes about the NTSB public hearings on the accident to SpaceShipTwo (SS2). The NTSB customarily presents the provisional findings, statement of probable cause, and any safety recommendations they have made or will make. Presentations are made by investigators and comments are received. Little to no written reasoning is given, but matters may be verbally discussed. The final report appears typically months later. The NTSB's summary of what happened is succinct. There are twin tail booms on SpaceShipTwo with aerodynamic surfaces ("feathers"). Booms with feathers are actuated during reentry to maintain the craft in the design position for aerodynamic braking and heat dispersion. The normal position of both booms is nominally 0°, and when activated they rise to 60°. After release from the carrier aircraft, the rocket is fired up and SS2 accelerates nearly vertically. The booms are locked until the difficult transonic flight regime is passed, and they are unlocked at about Mach 1.4, to ensure they remain ready for deployment when needed somewhat later. But the pilot flying unlocked them while still transonic, below Mach 1. The actuators aren't able alone to hold the booms in place against the aerodynamic forces during this flight phase, and the booms deployed. And the spacecraft broke. That is, as techies say, its structural integrity was compromised. The NTSB largely fingered - or aims to finger - weaknesses in the hazard analysis (HazAn) involving human factors (HF). The point being that there was an event with catastrophic effect (technical term) subject to a single point of failure, namely the human error involved in unlocking too early. Shouldn't be so, they suggest rightly, and say what weaknesses there are in the HazAn process and the assessment process of release to flight which might have allowed this feature to escape sufficient attention. But Macintyre speaks of "cut corners" and various other deprecations.
I strongly disagree with any such suggestions. Getting a HazAn right is very tricky, especially on novel equipment such as this. I don't see evidence for anything like that at this stage. To the contrary, I see people doing a very hard and novel job, largely succeeding, and finding out in the hardest way possible where they need to do better. I say more at http://www.abnormaldistribution.org/2015/08/03/the-accident-to-spaceship-two/ Prof. Peter Bernard Ladkin, University of Bielefeld and Causalis Limited www.rvs.uni-bielefeld.de www.causalis.com
Hagelin was around in about 1924, and tried to sell his early machine to the US and the UK. They weren't interested, so he sold it to the Germans. BTW... that early machine was replicated in software for the original UNIX 'crypt'. There are arrays called wheel1, wheel2 (or similar).
"... so there is an apparent need for a better balance between privacy of the individual, and ..." I've heard some variant of the above statement almost every day of my adult life. Erosion is the appropriate word when applied to privacy. Each "balance" chips away at it. Thus, are mighty mountains eroded to mere dust. After 50 years of struggle, I'm ready to throw in the towel. Defense of individual privacy is utterly pointless.
> What could possibly go wrong? A great deal, but one thing could possibly go right. This will, at a stroke, ensure essentially every domestic user has plausible deniability for use made of their Internet connection. If a company's business model is to sue a small subset of the people who've infringed copyright in some trivial fashion for wildly disproportionate sums, this ought to nicely cut them off at the knees; and any idea of legislating equally draconian penalties for third-party use of one's wireless will, I hope, also become unfeasible when that turns out to include basically everyone. It also might, I hope, reduce the utility of ubiquitous snooping by the security services - not just from plausible deniability but because it really won't be that easy to tie an IP address to a person or household. -- David Damerell <damerell@chiark.greenend.org.uk> Kill the tomato! Today is Tuesday, July. Tomorrow will be Wednesday, July.
I still run XP (admittedly, it's in a virtual machine that doesn't respond to the Internet and is relatively little used). Why? Well, Vista didn't offer that much of an improvement. Then everybody said Windows 7 sucked, so no sense in upgrading to that. I tried installing Windows 8 in a fresh VM and found its UI changes so annoying that I shut the thing down and haven't rebooted it. Windows 9 was so bad that Microsoft didn't even release it. And this very issue of RISKS lists severe (to be mild) privacy problems with 10. I suspect a lot of consumers are of the same mind: XP works well enough for them, and what they hear from their friends who have bought new computers with Vista/8/10 is scary. As for enterprises, those significant UI and other changes make the cost of upgrading extremely high. In my experience, software developers--especially young ones--rarely grasp the cost of discarding backwards compatibility. They're so focused on "new" and "shiny" and "fancier" that they forget to consider whether it "works".
It is said that hard cases make bad laws. The New Zealand "Civil Aviation Rules, part 102" can be found at www.caa.govt.nz/rules/Rule_Consolidations/Part_102_Consolidation.pdf There's certainly a "hard cases" issue here. According to http://www.stuff.co.nz/technology/gadgets/70493842/drone-operators-may-need-flying-permits-under-new-rules.html the number of reported drone incidents was 2012: 3, 2013: 9, 2014: 27, 2015 (FIRST HALF): 53. Combine that with the fact that the present government is strongly pro-business, and they want to *allow* more businesses to use more drones for more things, and the fact that previously drones were governed by part 101, which can be found at https://www.caa.govt.nz/rules/Rule.../Part_101_Consolidation.pdf, and covers things like model aircraft and kites, and the badness of the new regulations is a little less clear-cut than might at first appear. For example, under the old regulations, it was forbidden to operate a "remotely piloted aircraft"
- within 4km of an aerodrome
- above people who have not given consent
- above property without prior consent
- any higher than 400 feet (feet? we went metric a long time ago; what are *feet* doing in NZ law?) except with detailed prior notice
- if your view is obstructed
- at night
- that weighs more than 25kg
- or that might drop anything that could do damage.
The really important thing is that the new rules DO NOT TAKE ANY OLD PERMISSIONS AWAY. Part 102 only applies to "a person who operates an unmanned aircraft OTHER THAN in accordance with Part 101" or who wants an operator certificate anyway. Any way that you were previously allowed to operate a drone, you still are. The point of Part 102 is to *free things up* so that businesses can operate bigger drones, make deliveries, fly higher, fly in the dark &c.
The requirement for a pretty detailed "exposition" covering hazards, risks, and mitigation schemes would be far more onerous for hobbyists than the certificate fee, but seems fair enough for a business. I am not a lawyer. (My father was, but my Ouija board blew a fuse when I tried to install Windows 10.) So my reading of these regulations is definitely subject to correction by people with real knowledge in this area. But just this once, it seems that when a government minister talked about new rules being intended to *increase flexibility*, he may have been telling the truth. Oh, you may feel that requiring consent before operating above people and property is a hard burden for hobbyists. It may be so, but it is not a burden introduced in Part 102.