Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Adam Liptak, *The New York Times*, 18 Aug 2015 (PGN-ed) http://www.nytimes.com/2015/08/18/us/politics/courts-free-speech-expansion-has-far-reaching-consequences.html A [unanimous, but with four concurring opinions] June 2015 Supreme Court decision [reversing the judgment of the Court of Appeals and remanding the case. relating to posted signs] is already being felt around the country, and critics say it could endanger all sorts of laws intended to protect the public. Robert Post, the dean of Yale Law School and an authority on free speech, said the decision was so bold and so sweeping that the Supreme Court could not have thought through its consequences. The decision's logic, he said, endangered all sorts of laws, including ones that regulate misleading advertising and professional malpractice. “Effectively, this would roll consumer protection back to the 19th century.'' [...] Whether viewed with disbelief, alarm, or triumph, there is little question that the decision, Reed v. Town of Gilbert (Arizona), marks an important shift toward treating countless laws that regulate speech with exceptional skepticism. [The Court's opinion is here: http://www.supremecourt.gov/opinions/14pdf/13-502_9olb.pdf Before anyone suggests that this item might have no bearing on computer-related risks, and thus that this item might not be relevant to RISKS because the signs in question might not be computerized, you might think what bearing this decision might have on imposing or not imposing restrictions on computer-based signs and indeed the entire Internet (and not just the Internet of Signs—pretty soon we might even be regulating the Internet of Sighs). PGN]
The IRS announced today that an `extensive review' of the Get Transcript Web application data breach found additional taxpayers might have been affected. The IRS will be sending letters to the affected individuals this month. “The IRS will begin mailing letters in the next few days to about 220,000 taxpayers where there were instances of possible or potential access to 'Get Transcript' taxpayer account information. As an additional protective step, the IRS will also be mailing letters to approximately 170,000 other households alerting them that their personal information could be at risk even though identity thieves failed in efforts to access the IRS system.'' http://www.irs.gov/uac/Newsroom/Additional-IRS-Statement-on-the-Get-Transcript-Incident [Jada Smith has an article in *The New York Times* this morning: Cyberattack Exposes I.R.S. Tax Returns: Using Social Security numbers, birth dates, street addresses and other personal information obtained elsewhere, the criminals completed a multistep authentication process and requested the tax returns and other filings, the I.R.S. said. Information from those forms was used to file fraudulent returns, the I.R.S. said, and the agency sent nearly $50 million in refunds before it detected the scheme. “Obtained elsewhere''? That is mostly public information. This stuff is not secret, and should not be assumed to be secret or used as authenticators. PGN] [S(n)ide comment: The IRS's website uses `IRS', *not* `I.R.S.'. RISKS has always preferred ACRONYMS without P.E.R.I.O.D.S. Period. PGN]
Years ago the phone system in New Zealand used to be part of the Post Office. It was split off in 1987 and privatised in 1990, then broken into three pieces in 2008, separating retail, wholesale, and network. The lines company is called Chorus. Telecom renamed itself to SPARK a year ago. (I'm sure I don't want sparks in my phones; how about you?) As well as landline phone services, mobile services, broadband, and so on, SPARK operate a paging service. Business users have largely abandoned pagers for mobile phones, but - the Fire Service uses pagers - the St John Ambulance service use pagers - the Coastguard use pagers - most district health boards use pagers. They use pagers to tell people in an emergency that they are needed and what they are needed for. Unfortunately, the loss of business users mean that the paging system is no longer profitable, and the fact that SPARK is a privately-owned company responsible to its foreign owners means that SPARK announced that they want to shut down the paging service completely mid next year. They say they are happy to help pager customers move to mobile-based alternatives. While mobile phones may be a *newer* technology than pagers, for the needs of the emergency services they are not a *superior* technology. The following advantages have been claimed for pagers: - Much longer battery life - People can turn their phone off to get some sleep but leave their pager one (see "longer battery life") in case of emergency (my phone gets "spammed" by the network operator with text messages, so leaving one's phone on isn't that good an option) - Pagers operate on a lower frequency, so penetrate even quite large buildings better than mobiles - Pagers have much wider coverage than mobiles. Again, this is due to the low frequency (155MHz). I can drive 15 minutes from the centre of Dunedin and be in an area with no mobile phone coverage at all. This point is *vital* for rural emergency services. Most _people_ live in cities or large towns, so are covered, but if you explore for example http://www.vodafone.co.nz/network/coverage/ you will discover that large *areas* of New Zealand have no 4G, no 3G, and no 2G coverage. - Text messages experience much higher delays than pager messages. (When you need emergency services, you need them fast.) I personally have experienced text messages arriving over an hour "late". - When there is a disaster (as in the earthquakes we've had), the mobile phone network gets overloaded, but the pager service just keeps going. Apparently anyone can intercept pager messages, but then in a rural town, anyone can hear the emergency siren, so for _this_ application, big deal. (Actually, sirens are being retired.) According to http://www.geekzone.co.nz/sbiddle/8834 "for time critical messaging the reality is we just don't have a modern solution that can replace the paging network."
A misconfigured Google search appliance may have been what helped make the Senate torture report possible (allowing the Senate staffers to see the Panetta review they weren't supposed to see). Long article, based on FOIA documents. Jason Leopold, VICE News, 14 Aug 2015 The Google Search That Made the CIA Spy on the US Senate https://news.vice.com/article/the-google-search-that-made-the-cia-spy-on-the-us-senate Nicholas Weaver, a researcher with the International Computer Science Institute in Berkeley, reviewed some of the CIA documents for VICE News. He said the computer network the CIA set up was essentially a "big common fileserver, but with different roles and access controls, so a [Senate] person could only read [Senate] stuff, and CIA only CIA stuff, and there was a shared folder that both could read. So it wasn't really two separate networks connected by a firewall, but a common fileserver with separate roles." "It appears there are a bunch of workstations, printers, a shared database, a shared fileserver, and a shared Google search appliance," Weaver said. "Otherwise, it's completely disconnected from the rest of the world." [...] What the Cyber Blue Team discovered is that the Google search tool was misconfigured when Centra Technology installed it in 2009. The OIG's report about the incident noted that it wasn't the first time the CIA had to address a vulnerability issue with the Google search tool. "In November 2012, the RDI team learned of a vulnerability with the Google appliance, related to configuration settings that had been in place since the initial installation in November 2009," the OIG's report says. "[The Office of Inspector General] reviewed an April 2013 email between members of the RDINet IT staff detailing the existing settings, which indicated an access control deficiency for search results. The RDI IT team updated the Google appliance in April 2013 to reflect this change. Prior to this update, the settings provided to the [Office of Inspector General] showed that the Google appliance was not configured to enforce access rights or search permissions within RDINet and its holdings." Weaver explained that the Cyber Blue Team concluded the Google appliance "wasn't enforcing permissions properly, and revealing accessible locations for the [CIA] files."
NNSquad, *Indian Express* http://indianexpress.com/article/technology/social/as-sundar-pichai-becomes-google-ceo-wikipedia-fights-over-his-school/ And yes the edits are continuing. So far Pichai's wikipedia page has seen over 354 edits in the last week alone, and the number of users who have edited Pichai's page stands at 406. If you see the graph on the edit stats page for Pichai, you will notice how the graph spikes once August 2015 starts, the month when he was announced as Google's new CEO. While some of us might have a good laugh over this 'edit-war', the issue raises concerns over how 'collective wisdom' online is often guided by its inherent biases. In this case, the desire to claim the new Google CEO as a member of one particular Chennai school has reduced the whole exercise of Wikipedia's democratic freedoms to a farcical exercise. Wikipedia is not an encyclopedia, it's an anonymous brawl. I'd like to see Google help to sponsor a long-term project to create a new online encyclopedia that would consist almost entirely of fully attributed entries -- that means, showing the real names of the real people who wrote them -- and included peer review whenever possible and appropriate. It's time to move beyond the Wikipedia "anybody can declare themselves to be an anonymous expert about anything" model. The quality of Google's search results moving forward would not only benefit if this proposal reached fruition, but the entire Internet community would benefit as well.
https://plus.google.com/+LaurenWeinstein/posts/gDkmfYoZLiR A bit more on this since my original comments earlier today seem to have attracted considerable attention. I am of course aware of Google's relatively brief "Knol" project, announced in 2007, opened in 2008, then closed and deleted in 2012. Any dispassionate reading of Knol's history strongly suggests that there was nothing inherently wrong with the concept, but that it was rendered impractical at the time mainly due to rabid attacks by Google haters and Wikipedia fanboys. But with the accelerating failure of Wikipedia along a range of vectors, it's more clear than ever that a model involving attributed, authoritative articles is absolutely necessary. And it is my suspicion that the fundamental nature of Wikipedia will prevent it from making the kinds of major course corrections that might help decelerate its decline. Whether a new alternative—learning from Knol rather than jettisoning the concept—might be best operated by Google or merely funded by them (and others) is an open question. Personally, a model I prefer would have Google operating this alternative—leveraging already available infrastructure—in cooperation with an internal/external oversight board to help defuse the haters. But one way or another, we need to start moving beyond the Wikipedia model, and we need to do that now.
What really gets me is the lack of expert review. They have this philosophy that if the media doesn't cover something it doesn't exist. While I understand the need to have reliable and verifiable sources for information this leaves a huge amount of very valuable information out. Information that people in a particular field would easily verify. Examples include open source software and new language development. While there is some coverage about open source block busters, the smaller projects are mostly used but not written about. I tried to explain to editors that some of the software they use to run Wikipedia wouldn't even qualify but got nowhere. Developers use mailing lists, blogs, news aggregators (like /.) and social media to discuss developments. What media is left to cover software doesn't cover it but that doesn't mean it doesn't exist or is not important. Some very interesting software history was deleted recently and although I tried to explain the Internet bit rot, that once interesting things hosted on old computers are quickly disappearing from the Internet, but that didn't help either. I completely agree with you that having a volunteer encyclopedia with real users and names that includes real subject matter experts as moderators would be far preferable to the current Wikipedia model. Paying high level people (experts in a field) to participate and write content would also be extremely valuable.
Roger A. Grimes, InfoWorld, 4 Aug 2015 The computer security industry has a dirty secret: If an 'independent' code review says a product is totally secure, you aren't hearing the full story. http://www.infoworld.com/article/2956215/security/bug-free-code-computer-security-lie.html [No surprise to RISKS readers, but apparently a great surprise to many others. PGN]
I disagree with Wolff's statement. Strenuously. The Spaceship was badly designed, just as NTSB said. Yes, pilots (or other operators of devices) might have to perform an unsafe action. But there are standard designs that help mitigate accidental deployment. Here are two simple examples: 1. A protective cover. Many installations have a safety cover. Thus, in military aircraft where a button might eject the pilot or ignite an explosive to destroy security information, (or where a single switch disconnects all power), the use of a simple cover that must be opened first helps reduce the chance of accidental activation. 2. A detent. Being aircraft have a throttle control which stops the forward motion of the throttle when it reaches a limit that might cause damage to the engine. But if the pilot would, for some reason, prefer to stay alive even if it destroys the engine, extra force allows the throttle to move beyond the setting. There are several other ways i can think of that might have worked in the SpaceShip2, but the solution should only be designed with full information about the spaceship, its operating characteristics, and other constraints. Wolff's statement that the pilots should understand the consequences of their actions is very sensible and logical. And that's why we have so many accidents: engineers think sensibly and logically and are completely unaware of how people really behave. As I tell people over and over again, logic is an artificial way of thinking, invented by philosophers and mathematicians. if it were how we thought and behaved, it wouldn't have had to be invented and it wouldn't be so difficult to learn. The same problem happens with security issues. Onerous password requirements imposed by security administrators are bypassed by people who write them down. Sure, I use 1Password, but it only works on websites, and more and more places want passwords in ways that are not recognized by 1Password. As I have pointed out at security conferences, it is the most dedicated employee who violates the rules—otherwise they couldn't get their job done. Sigh, this lesson has to be repeated over and over and over again. (The good side is that my books are always relevant.) Don Norman, Prof. and Director, DesignLab, UC San Diego http://www.jnd.org/ dnorman@ucsd.edu designlab.ucsd.edu/ www.jnd.org https://mail.google.com/mail/?view=cm&fs=1&tf=1&to=dnorman@ucsd.edu>
The comments on this, in various publications, have so far argued about whether the faulty landing gear actuation should be held against the pilot or the design. I suggest that it should be against the design, because unintended actuation can be largely eliminated by making the control a guarded switch. I recall a similar potential problem in a helicopter, when both pilots and engineer officers argued that a switch controlling release of underslung loads should be guarded because it was immediately next to a switch that was routinely toggled during shutdown, so that a tired or distracted pilot could easily toggle the wrong switch. Headquarters said nonsense, it had never happened and therefore would never happen; and then it did happen, releasing a pyrotechnic on to the concrete. fortunately it was not armed, but it could have been, at great cost—all to save a trivial amount for safety.
Aw, come on. If you're sending to a list of 200 people, you need some way to manage additions, drops, and bounces. I can assure you from painful experience that people who think they are doing it adequately by hand are mistaken. Setting up a Google email group that allows only the group owner to post takes about two minutes. Why is that "not a real alternative"?
Please report problems with the web pages to the maintainer