Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link in the body of the digest. The shield takes you to a breakdown of Terms of Service for the site; however, only a small number of sites are covered at the moment. The flashlight takes you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
A new report published by the New York University School of Law Brennan Center for Justice says that 43 states will use electronic voting machines older than 10 years in the 2016 elections, increasing the risk of failures and system crashes.

Lawrence Norden, Christopher Famighetti, The Brennan Center, 15 Sep 2015
America's Voting Machines at Risk
https://www.brennancenter.org/publication/americas-voting-machines-risk

Executive Summary

In January 2014, the bipartisan Presidential Commission on Election Administration (PCEA) issued a stern warning that should be of grave concern to all Americans: There is an “impending crisis—from the widespread wearing out of voting machines purchased a decade ago. Jurisdictions do not have the money to purchase new machines, and legal and market constraints prevent the development of machines they would want even if they had funds.” This report, nearly two years later, documents in detail the extent of the problem and the steps we must take in the coming years to address it.

Over the past 10 months, the Brennan Center surveyed more than 100 specialists familiar with voting technology, including voting machine vendors, independent technology experts, and election officials in all 50 states. In addition, we reviewed scores of public documents to quantify in greater detail the extent of the crisis. We explore the current challenge in three parts: (1) the danger, looking at the age of machines around the country relative to their expected lifespans and the problems that we can expect; (2) the new technologies that can help solve the problem going forward; and (3) recommended solutions to the impending crisis.
Ed Pilkington, *The Guardian*, 15 Sep 2015, via Dave Farber
Voting technology deployed by most states across the US is now so antiquated it is in danger of breaking down, experts say
http://www.theguardian.com/us-news/2015/sep/15/2016-election-old-voting-machines-hanging-chad

The United States is heading for another catastrophe in its voting system equivalent to the notorious *hanging chad* affair that shook the country in 2000 and propelled George W Bush into the White House, experts on electoral procedures are warning. The voting technology deployed by most states around the country is now so antiquated and unreliable that it is in danger of breaking down at any time, the experts say. Some states are having to go on eBay to buy spare parts for machines that are no longer manufactured. The extent of decay in America's electoral infrastructure is laid bare in a new report from the Brennan Center, a nonpartisan institute at the New York University School of Law specializing in democracy and justice. Having consulted more than 100 voting specialists in all 50 states, the center concludes that the country is facing an impending crisis in the way it conducts elections. [...]
FYI—This is an OCR'd version of the National Security Council memo leaked to the Washington Post. The pdf of the original looks like it was typed on a *manual* typewriter—the NSC clearly following the lead of Russia to avoid being intercepted electronically! [The irony of the NSC using a manual typewriter for a memo on encryption is truly delicious!] http://www.theguardian.com/world/2013/jul/11/russia-reverts-paper-nsa-leaks

The most distressing part of this memo is its complete disregard of the Constitution. The only "stakeholders"—according to this NSC memo—in favor of "civil liberties" and "human rights" seem to be organizations -- e.g., the EFF and the ACLU; ordinary citizens are apparently not "stakeholders", and have no "stake" in this discussion. Of course, every time someone uses the term "stakeholder", the only images that come to mind are those scenes from black-and-white horror movies in which the townspeople are chasing a vampire with wooden stakes that they intend to drive through his heart!

http://apps.washingtonpost.com/g/documents/national/read-the-nsc-draft-options-paper-on-strategic-approaches-to-encryption/1742/

REVIEW OF STRATEGIC APPROACHES
Option 1: Disavow Legislation and Other Compulsory Actions
Option 2: Defer on Legislation and Other Compulsory Actions
Option 3: Remain Undecided on Legislation or Other Compulsory Actions

[Each has Engagement Strategy, timeline, Top Line Message; pros and cons. Much too long for RISKS, but fascinating reading. PGN]
Ellen Nakashima and Andrea Peterson, *The Washington Post*, 16 Sep 2015
https://www.washingtonpost.com/world/national-security/tech-trade-agencies-push-to-disavow-law-requiring-decryption-of-phones/2015/09/16/1fca5f72-5adf-11e5-b38e-06883aacba64_story.html

White House officials have backed away from seeking a legislative fix to deal with the rise of encryption on communication devices, and they are even weighing whether to publicly reject a law requiring firms to be able to unlock their customers' smartphones and apps under court order. For the past year, law enforcement and the intelligence community have warned that an inability to obtain decrypted data is putting public safety and national security at risk, arguing it will allow criminals and terrorists to communicate securely. They have appealed to tech companies to voluntarily come up with solutions for their own products, and they don't want to rule out legislation entirely. But over the summer, momentum has grown among officials in the commerce, diplomatic, trade and technology agencies for a statement from the president *strongly disavowing* a legislative mandate and supporting widespread encryption, according to senior officials and documents obtained by The Washington Post. Their argument: Ruling out a law and supporting encryption would counter the narrative that the United States is seeking to expand its surveillance capability at the expense of cybersecurity. They say the statement from the president also would help repair global trust in the U.S. government and U.S. tech companies, whose public images have taken a beating in the wake of disclosures about widespread National Security Agency surveillance. And, they argue, it would undercut foreign competitors' claims that U.S. firms are instruments of mass surveillance. [...]
https://www.techdirt.com/articles/20150916/15035232275/white-house-realizes-mandating-backdoors-to-encryption-isnt-going-to-happen.shtml

Over the last few months, I've heard rumblings and conversations from multiple people within the Obama administration suggesting that they don't support the FBI's crazy push to back door all encryption. From Congress, I heard that there was nowhere near enough support for any sort of legislative backdoor mandate. Both were good things to hear, but I worried that I was still only hearing from one side, so that there could still be serious efforts saying the opposite as well. However, The Washington Post has been leaked quite a document that outlines three options that the Obama administration can take in response to the whole "going dark" question. And the good news? None of them involve mandating encryption. Basically, the key message in this document is that no one believes legislation is a realistic option right now (more on that in another post coming shortly). That's big!

The document's three options can be summarized as follows:

* Option 1: Do the right thing, admit that backdooring encryption is a bad idea and dumb, and stand up for real cybersecurity by saying that more encryption is generally good for society. This will make lots of people happy—including civil liberties folks and the tech industry, and it will also do more to protect the public. It will also help the most with many foreign countries in showing that the US isn't just trying to spy on everyone—though it may piss off a few countries (mainly the UK) who have doubled down on backdooring encryption. Also, it will undermine China's plan to backdoor encryption as well. Let's call this the right option.

* Option 2: Yeah, we know what the right thing to do is, but we'll take a half-assed approach to it to try to appease the FBI/law enforcement folks and not come out nearly as strongly against legislation. We'll say there's no legislation, but we'll at least leave the door open to it. In private, we may still push tech companies to backdoor stuff. This will anger lots of folks, but maybe (the administration believes) some civil liberties types will think it's enough of a win to celebrate. Then we pretend that we can hold some sort of "discussion" between people who disagree.

* Option 3: We totally punt on the issue and don't really say anything. If we do say something, we say that this issue needs a lot more discussion and study (just like people have been saying for the last year). In other words, endless cryptowars with no end in sight.

Clearly, Option 1 is the only sensible option, and the report lays out some pretty strong arguments for why coming out against backdooring encryption would be good. It would actually make the tech industry much more willing to work with the government in productive ways, rather than stupid, privacy and security-destroying ways. It would actually better protect the public and it would stop authoritarian regimes from using our own language against us to break encryption. The cons are basically that law enforcement might whine about it. Well, the administration actually says that it "provides no immediate solution to the challenges that the expanding use of encryption poses to law enforcement and national security" but given that law enforcement still hasn't done a good job showing this is a real problem, that's not really a big deal. In fact, law enforcement is still relying on made up ghost stories rather than any real evidence that encryption is a problem.

So, now the big question is which option the administration will choose. Will it stand up and take leadership on this issue (Option 1), thereby actually protecting Americans? Or will it do a variety of half-assed measures believing that it has to support "both sides" or some crap like that? From the leaked report, it appears that if it chooses either Option 1 or 2, the White House will make a public statement on the matter within the next few weeks.

[It's better to burn out than fade away.]
http://lauren.vortex.com/archive/001123.html By now you're hopefully aware that the U.S. federal government is engaged in a major effort to pressure technology firms like Google and Apple to provide "backdoors" into encryption systems (particularly for mobile devices) that are increasingly designed so that the firms themselves cannot even decrypt the data without cooperation from the devices' owners. Simultaneously, there are efforts to pressure Congress into mandating such backdoors if the firms refuse to voluntarily cooperate. Despite the fact that essentially every reputable security, encryption, and privacy expert agrees that it is technically impossible to design such a backdoor that would not massively increase the potential for black-hat hacking—and so dramatically decrease the security of these systems—law enforcement continues to imply that if you don't see things their way -- well, perhaps you're not a loyal American. This was very nearly stated explicitly by the FBI and CIA directors at the Intelligence and National Security Summit in Washington yesterday, where the men bemoaned negative public opinion, "deep cynicism," and "venom" directed at the backdoor access plans—with CIA Director John Brennan suggesting that persons promulgating these views "may be fueled by our adversaries." Mr. Brennan's remark is reminiscent of President Richard Nixon's paranoid delusions that antiwar Vietnam protesters were all the puppets of ghostly Communist agents. Well, Mr. Brennan, let me help set you straight regarding your comment, which I believe many of us in the technology community find to be extremely misguided and offensive. We don't have any foreign masters. We simply don't trust you. And it's not just you. Almost everywhere we look at the intersection of technology and any agencies involved even peripherally in law enforcement activities, there's a long list of lies, errors, mismanagement, screw-ups, and abuses galore. 
It's an ironic situation to be sure, given that the technology displaying these very words at this very moment can trace their ancestry to a Department of Defense computer networking project. But the sad truth is that at every level of government, no matter whether Democrats or Republicans are in power, it's generally the same story. It starts at the local level, with municipalities lying to citizens about red light cameras, license plate readers, and police surveillance systems. At the state level it moves up to abuse and foul-ups of DMV databases and more. And at the federal level the list is almost too long to even begin. The recently revealed Office of Personnel Management hack exposed the personal data—including sensitive security clearance applications and related forms—of perhaps four million people or more. A 29-year-old contractor waltzes out of NSA with a thumb drive filled with reams of the agency's most sensitive documents. No—Mr. CIA Director and Mr. FBI Director—you're not going to sell us your foreign influence bogeymen this time. We simply believe that we cannot trust government agencies to have the honesty and competency to be entrusted with keys to our own encryption -- the security of which is rapidly becoming a fundamental requirement of our day-to-day lives. Frankly, even if there were a magic wand that could create that impossible backdoor system in a seemingly secure and safe manner—we still wouldn't and couldn't entrust you not to find avenues to abuse it. This is overall a very unfortunate state of affairs, because yes, we know that encryption may be leveraged for evil in very serious ways. But you still can't get blood out of a stone. The technical reality is that the kinds of encryption backdoors you want cannot be made secure and would themselves represent horrific security risks. Perhaps someday you'll find ways to earn back our trust. 
But all the trust in the world won't change the technical realities that make encryption backdoors a non-starter. And the sooner you understand these truths, the better it will be for us all.
“the OPM inspector general had identified real risks to OPM's security practices as early as 2007”
“If you can't protect it, don't collect it.”
“just because you put the word *cybersecurity* in the bill doesn't necessarily make it a good idea”

Eric Geller, Daily Dot, 14 Sep 2015
Sen. Ron Wyden thinks the next big cybersecurity bill could make things worse
https://www.dailydot.com/politics/ron-wyden-opm-cisa-cybersecurity-interview/

Is the U.S. government doomed to repeat its past cybersecurity mistakes? That's the big question currently plaguing Sen. Ron Wyden (D-Ore.), the Senate's leading privacy advocate, as Congress begins to consider another piece of cybersecurity legislation in the wake of the largest cyberattack in U.S. government history. Before Congress passes the major cybersecurity bill that's on its plate, Wyden wants to analyze what went wrong in the massive data breach at the U.S. Office of Personnel Management (OPM). In the shadow of evidence showing that OPM's vulnerabilities were known internally as far back as 2007, Wyden sent a letter to William Evanina, the head of the National Counterintelligence and Security Center, asking how aware the agency was of these flaws. [...]
FYI—An excellent rebuttal to this weekend's NYTimes article, which was written *in advance* of said article! [Indeed, a Prebuttal! PGN]

Ryan Calo, Gabriella Penuela, Fusion, 07 Sep 2015 10 a.m.
Tech companies may be our best hope for resisting government surveillance
http://fusion.net/story/193583/tech-companies-may-be-our-best-hope-for-resisting-government-surveillance/

(This op-ed is adapted from a forthcoming essay in University of Chicago Law Review: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2635181)

"this move by tech giants to make government surveillance harder reflects public opinion"
"we face serious hurdles in seeking to resist and reform surveillance in practice"
"we can elect privacy-minded politicians, but how will we furnish them with the access, expertise, or incentives needed to pursue reform?"
"criminals make bad surrogates for our Fourth Amendment rights"
"corporations act as custodians of our digital life" (from author's U. Chi. L. Rev. paper)
"corporations have historically been complicit in, even enabling of, mass surveillance"
"if a company promises to fight for its users, who will enforce that promise if broken?"
"Citizens can extract promises from firms to push back against surveillance on their behalf but have no recourse if these promises are not enforced." (from author's U. Chi. L. Rev. paper)
"[Nevertheless, tech companies such as Apple and Google] may [still] be our best chance out of this surveillance mess."
FYI—An amazing "John Hancock" moment in history! (John Hancock was the 1st signer of the Declaration of Independence.) https://en.wikipedia.org/wiki/John_Hancock

Nora Doyle-Burr, *Valley News*, 16 Sep 2015
Despite Law Enforcement Concerns, Lebanon Board Will Reactivate Privacy Network Tor at Kilton Library
http://www.vnews.com/home/18620952-95/despite-law-enforcement-concerns-lebanon-board-will-reactivate-privacy-network-tor-at-kilton-library

"the city is not going to shut down its roads simply because some people choose to drive drunk"

West Lebanon—The Kilton Public Library will reactivate its piece of the anonymous Internet browsing network Tor, despite law enforcement's concerns that the network might be used for criminal activities. The Lebanon Library Board of Trustees let stand its unanimous June decision to devote some of the library's excess bandwidth to a node, or relay, for Tor, after a full room of about 50 residents and other interested members of the public expressed their support for Lebanon's participation in the system.
Matthew Reed, *Fort Bragg Advocate-News*, 4 Sep 2015

A fiber optic line AT&T says was deliberately cut near Hopland sent Mendocino County back into an Internet blackout. The fiber was sliced at about 10 a.m. yesterday. The break caused 911 emergency service to be interrupted for many customers in Mendocino and Humboldt Counties. Capt. Greg Van Patten, MCSO public information officer, said yesterday that the department was preparing for a 24 hour Internet black-out and put extra deputies on patrol. Van Patten said the investigation into the incident is ongoing. “It was obvious that someone cut the line intentionally, which constitutes an act of vandalism. The investigation into the identity of any suspects is underway, and also into the motive for the act.” The cut was in a rural area about 1.5 miles south of Burke Hill Road in Ukiah, according to MCSO, and the fiber optic line was located above ground.

http://www.advocate-news.com/general-news/20150904/major-internet-outage-strikes-again

I'm curious, were the extra deputies to prevent more vandalism, or to calm the masses who can't post their Facebook/Twitter/Instagram/etc. updates?
http://www.washingtonpost.com/news/morning-mix/wp/2015/09/13/american-airlines-accidentally-flew-the-wrong-plane-from-l-a-to-hawaii-last-month/
<http://www.cybersecurityintelligence.com/blog/hack-on-united-airlines-makes-cias-job-more-difficult-601.html>

The Chinese hackers that stole the personally identifying information of more than 20 million people from the Office of Personnel Management (OPM) last year also hacked into United Airlines, Bloomberg reports. And Dave Aitel, CEO of cybersecurity firm Immunity, Inc., notes that the hackers' breach of United is especially significant as it's the main airline in and out of Washington, DC's Dulles International, the nearest international airport to the CIA's headquarters in Langley, Virginia. “Every CIA employee and visitor coming from abroad flies in and out of Dulles, and chances are they're flying United. The combination of information the hackers obtained from OPM with the travel information they now have from United is hugely powerful, and it will make the kind of work the CIA does much more difficult.” [...]
http://insidecostarica.com/2015/09/01/authorities-investigating-wanted-son-el-chapo-guzman-worlds-want-drug-lord-costa-rica/ Jesus Alfredo Guzman Salazar, 29, who is also wanted by the US Drug Enforcement Administration (DEA), posted a tweet to the social networking site, Twitter on Monday that may have inadvertently revealed his presence in Costa Rica. The social networking app, when used from a smartphone, pins a user's location to each tweet, unless the feature is turned off.
The TSA is learning a basic lesson of physical security in the age of 3-D printing: If you have sensitive keys—say, a set of master keys that can open locks you've asked millions of Americans to use—don't post pictures of them on the Internet. A group of lock-picking and security enthusiasts drove that lesson home Wednesday by publishing a set of CAD files to Github that anyone can use to 3-D print a precisely measured set of the TSA's master keys for its `approved' locks—the ones the agency can open with its own keys during airport inspections. Within hours, at least one 3-D printer owner had already downloaded the files, printed one of the master keys, and published a video proving that it opened his TSA-approved luggage lock. Those photos first began making the rounds online last month, after the Washington Post unwittingly published (and then quickly deleted) a photo of the master keys in an article about the `secret life' of baggage in the hands of the TSA. It was too late. Now those photos have been used to derive exact cuts of the master keys so that anyone can reproduce them in minutes with a 3-D printer or a computer-controlled milling machine. [...] http://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leaked-photos/ [Also noted in *The Washington Post* by Mark Thorson: http://boingboing.net/2015/08/21/make-your-own-tsa-universal-lu.html PGN]
via NNSquad http://spectrum.ieee.org/cars-that-think/transportation/self-driving/researcher-hacks-selfdriving-car-sensors The multi-thousand-dollar laser ranging (lidar) systems that most self-driving cars rely on to sense obstacles can be hacked by a setup costing just $60, according to a security researcher. "I can take echoes of a fake car and put them at any location I want," says Jonathan Petit, Principal Scientist at Security Innovation, a software security company. "And I can do the same with a pedestrian or a wall." Using such a system, attackers could trick a self-driving car into thinking something is directly ahead of it, thus forcing it to slow down. Or they could overwhelm it with so many spurious signals that the car would not move at all for fear of hitting phantom obstacles. In a paper written while he was a research fellow in the University of Cork's Computer Security Group and due to be presented at the Black Hat Europe security conference in November, Petit describes a simple setup he designed using a low-power laser and a pulse generator. "It's kind of a laser pointer, really. And you don't need the pulse generator when you do the attack," he says. "You can easily do it with a Raspberry Pi or an Arduino. It's really off the shelf."
[Thanks to Laura S. Tinnel.]

Turla APT group, which was named after its notorious software Epic Turla, is abusing satellite-based Internet connections in order to:

* Siphon sensitive data from government, military, diplomatic, research and educational organisations in the United States and Europe.
* Hide their command-and-control servers from law enforcement agencies.

Read more here: http://thehackernews.com/2015/09/hacking-satellite.html
FYI—This hack of FireEye's Malware Protection System (MPS) is very instructive. We are all told *never to open* attachments from suspicious-looking emails. That's great advice. Unfortunately, FireEye's MPS system never got that memo. Attachments *specially crafted to attack the FireEye MPS system itself* are opened by the MPS system in order to look for malware. Unfortunately, when a specially-crafted ".zip" file is opened to look for malware inside, the FireEye system itself is compromised. Oops!

This is a general problem with antivirus/antimalware systems: they generally run with high privileges, and they generally do risky stuff like opening attachments on suspicious emails. Thus, an antivirus/antimalware system should be constructed like the bomb squad's Total Containment Vessels (TCV's). Furthermore, this malware should be moved to a safe location before opening it within said TCV. FireEye's TCV was thus compromised by an "explosive" device specifically constructed to destroy just this TCV. http://www.nabcoinc.com/vessels

- - - -

Felix Wilhelm, ERNW
Playing with Fire: Attacking the FireEye MPS [Malware Protection System]
https://www.ernw.de/download/ERNW_44CON_PlayingWithFire_signed.pdf

Kim Zetter, *WiReD*, 11 Sep 2015
A Bizarre Twist in the Debate Over Vulnerability Disclosures
http://www.wired.com/2015/09/fireeye-enrw-injunction-bizarre-twist-in-the-debate-over-vulnerability-disclosures/

Dan Goodin, Ars Technica, 11 Sep 2015
Security company litigates to bar disclosure related to its own flaws
http://arstechnica.com/security/2015/09/security-company-sues-to-bar-disclosure-related-to-its-own-flaws/
Dan Goodin, ComputerWorld, 10 Sep 2015
Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked; Programming errors make 15.26 million accounts orders of magnitude faster to crack.
http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/

"Data that was designed to require decades or at least years to crack was instead recovered in a matter of a week or two."

When the Ashley Madison hackers leaked close to 100 gigabytes' worth of sensitive documents belonging to the online dating service for people cheating on their romantic partners, there seemed to be one saving grace. User passwords were cryptographically protected using bcrypt, an algorithm so slow and computationally demanding it would literally take centuries to crack all 36 million of them. Now, a crew of hobbyist crackers has uncovered programming errors that make more than 15 million of the Ashley Madison account passcodes orders of magnitude faster to crack. The blunders are so monumental that the researchers have already deciphered more than 11 million of the passwords in the past 10 days. In the next week, they hope to tackle most of the remaining 4 million improperly secured account passcodes, although they cautioned they may fall short of that goal. The breakthrough underscores how a single misstep can undermine an otherwise flawless execution. Data that was designed to require decades or at least years to crack was instead recovered in a matter of a week or two.

The cracking team, which goes by the name "CynoSure Prime," identified the weakness after reviewing thousands of lines of code leaked along with the hashed passwords, executive e-mails, and other Ashley Madison data. The source code led to an astounding discovery: included in the same database of formidable bcrypt hashes was a subset of 15.26 million passwords obscured using MD5, a hashing algorithm that was designed for speed and efficiency rather than slowing down crackers. [...]
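The defect in the item above is a credential store holding fast, unsalted MD5 digests alongside bcrypt hashes. The following added example (not code from the article or from Ashley Madison) shows, in standard-library Python, how a defender would audit such a store: it classifies each stored hash by format, lists the accounts that must be re-hashed, and shows the upgrade-on-login path for a legacy record. The sample records are constructed, and the `rehash` callable stands in for a real slow hash such as `bcrypt.hashpw`.

```python
"""Audit a password store for fast legacy hashes (MD5) mixed in with bcrypt.

Added example: the records below are constructed, not data from any breach.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, a two-digit cost, then 53
# characters of base64-style salt (22) plus hash (31).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# A bare 32-hex-character string has the shape of an unsalted MD5 digest.
MD5_HEX_RE = re.compile(r"^[0-9a-fA-F]{32}$")


@dataclass
class HashRecord:
    user: str
    stored: str


def classify(stored: str) -> Tuple[str, Optional[int]]:
    """Return (scheme, relative work) for one stored hash string.

    For bcrypt the work is 2**cost expensive key-setup rounds; an MD5 digest
    is a single fast hash invocation, so its work is 1. Unknown formats get None.
    """
    m = BCRYPT_RE.match(stored)
    if m:
        return "bcrypt", 2 ** int(m.group(1))
    if MD5_HEX_RE.match(stored):
        return "md5", 1
    return "unknown", None


def audit(records: List[HashRecord]) -> Tuple[Dict[str, int], List[str]]:
    """Count records per scheme and list the users whose hash must be upgraded."""
    summary: Dict[str, int] = {}
    needs_rehash: List[str] = []
    for rec in records:
        scheme, _ = classify(rec.stored)
        summary[scheme] = summary.get(scheme, 0) + 1
        if scheme != "bcrypt":
            needs_rehash.append(rec.user)
    return summary, needs_rehash


def verify_md5_legacy(password: str, stored: str) -> bool:
    """Constant-time comparison of a password against an unsalted MD5 hex digest."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest.lower(), stored.lower())


def login_with_upgrade(rec: HashRecord, password: str,
                       rehash: Callable[[str], str]) -> Tuple[bool, HashRecord]:
    """Verify a legacy MD5 record and, on success, replace it with a slow hash.

    `rehash` is caller-supplied (assumption: in production, bcrypt.hashpw with
    a fresh salt); it is kept abstract so this file needs only the standard
    library. bcrypt records are not handled here; they use the normal path.
    """
    scheme, _ = classify(rec.stored)
    if scheme != "md5":
        raise ValueError(f"{rec.user}: not a legacy MD5 record ({scheme})")
    if not verify_md5_legacy(password, rec.stored):
        return False, rec
    return True, HashRecord(rec.user, rehash(password))


# Constructed sample store: two syntactically valid bcrypt strings (cost 12)
# and two unsalted MD5 digests; "5f4d...cf99" is MD5("password").
BCRYPT_TAIL = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_STORE = [
    HashRecord("alice", "$2b$12$" + BCRYPT_TAIL),
    HashRecord("bob", "5f4dcc3b5aa765d61d8327deb882cf99"),
    HashRecord("carol", "$2a$12$" + BCRYPT_TAIL),
    HashRecord("dave", "d41d8cd98f00b204e9800998ecf8427e"),
]


def demo_rehash(password: str) -> str:
    """Stand-in for bcrypt.hashpw, used only to exercise the upgrade path."""
    return "$2b$12$" + BCRYPT_TAIL


if __name__ == "__main__":
    summary, weak = audit(SAMPLE_STORE)
    print("schemes:", summary, "needs rehash:", weak)
    ok, upgraded = login_with_upgrade(SAMPLE_STORE[1], "password", demo_rehash)
    print("bob login ok:", ok, "now stored as:", classify(upgraded.stored)[0])
```

Run against a real dump of the table, the audit gives the number the article quotes (how many accounts sit on the fast scheme) and the list to force through the upgrade path.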
Somehow, it seems more efficient to simply replay a past posting from Boxing Day, 2001. Nearly 15 years later, and things haven't improved; we're still weeding out large numbers of buffer overflow bugs. We're also very close to having a person killed by a buffer overflow bug in automotive software. Remind me again about how it would be *too expensive* to rewrite all this bad code from scratch?

“it's high time that someone defined *buffer overflow* as being equal to *gross criminal negligence*”

“If buffer overflows are ever controlled, it won't be due to mere crashes, but due to their making systems vulnerable to hackers.”

“the records of our customer service department show very few complaints about software crashes due to buffer overflows and the like”

“The lauded Microsoft programming tests of the 1980's were designed to weed out anyone who was careful enough to check for buffer overflows, because they obviously didn't understand and appreciate the intricacies of the C language.”

“If I remove array bounds checks from my software, I will get a raise and additional stock options due to the improved performance and decreased number of calls from customer service.”

“Software people would never drive to the office if building engineers and automotive engineers were as cavalier about buildings and autos as the software engineer is about his software.”

[See Henry Baker, Buffer Overflow Security Problems, RISKS-21.85, 26 Dec 2001 http://catless.ncl.ac.uk/Risks/21.84.html ]
Lucian Constantin, InfoWorld, 15 Sep 2015
The firmware on at least 14 business routers has been replaced with a backdoored version, researchers from Mandiant found
http://www.infoworld.com/article/2984085/security/attackers-install-highly-persistent-malware-implants-on-cisco-routers.html
Analog SF & Fact Magazine, November 2015 issue, has an article, by Richard A. Lovett, on Legal; Social; Scientific; etc. Ramifications of the Latest (Very Real) Mind-Reading Technologies, with many scary examples of both good and evil applications in both current state-of-art, and where the tech appears to be going.

Researchers show volunteers various topics, then use brain scanning to monitor how the brain reacts, to build up a data base, to see what's common across many volunteers, when they interact with same subjects. Then a computer compares brain scan patterns of different volunteers, to the data base, to deduce what they were thinking about. Failures include volunteers misidentifying what they are viewing. Plus the technology can only handle still photos, is not yet fast enough to track a human brain watching something in motion. It is not clear from the article what kinds of computers were used. The limiting factor seems to be in the brain-scanning technology, not the computer analysis.

Anyone, who cares about Mental Privacy, ought to pick up a copy, on sale at news stands until Oct-27, when it gets replaced by the December issue. If this is not sold in your area, back issues can be obtained from Dell Magazines Direct 1-800-220-7443. More info at www.analogsf.com

Technology, developed for good medical purposes, can have non-medical applications. Human Genome Mapping led to Law Enforcement use and abuse of DNA in crime identification of suspects, finding some innocent, but there are such high costs, that there can be inadequate budget to address minor crimes. US police have an astronomical volume of untested rape kits, money budgeted to resolve the backlog, but many localities have opted to spend the money on other things, than bringing justice for rape victims, by catching serial rapists.

Similarly, Human Brain De-Coding can determine:
. If a suspect has been at a crime scene;
. Get someone's password, which was never written down anywhere;
. What pictures someone saw, including in a dream.

Just as Google Translate does not measure up to Star Trek's Universal Translator, current Brain Hacking Technologies are vastly inferior to Vulcan Mind Meld. The technology is in its infancy, is frightfully expensive, but has significant world wide research funding. It will get more effective, and cheaper. So right now its use is mainly by governments and medical researchers, not terrorists & criminals. In the future: schools may use it on kids; married partners won't need a breach to detect cheaters; and hand held portable scanners, to find out which politicians are lying to us, will revolutionize elections.

- - - -

Will this become like taking photos in a public place, where police harass citizens legally recording their work now, and will go crazy when we can detect corrupt cops electronically? How soon will this be mounted on drones, to detect people thinking "Death to America" and how to go about it? Do Mind Readers need a Search Warrant? Does the Right not to Self Incriminate oneself apply? The article presents arguments on both sides of such legal questions. There are technologies which may not be exported to repressive states. This may belong on the list, but they probably already have it.
I got an email that claimed to be from PayPal. It said that a subscription payment to the LastPass password manager had failed; click here. Of course, as an informed netizen I would never click on an emailed link. It was clearly phishing. I forwarded the phishing email to PayPal security and to LastPass security. PayPal responded saying yes indeed it was a phishing attempt and that PayPal would never ever send me an email with a link. LastPass responded with an email that said, "To see our response to your ticket, click here." I thought it was safe to click on the LastPass emailed link because I requested it. So, I did click it, but I immediately regretted doing so. It could have been a two-stage phishing attempt anticipating a LastPass follow-up. Today, I got emails from both PayPal and LastPass saying that my subscription was canceled because of nonpayment. (Both emails offered links to click to remedy the situation.) It appears that all those "phishing" emails were actually legitimate. It also appears that PayPal security claimed that their own legitimate email was a phishing attempt to cover up their embarrassment over bad security practices. My lifestyle is not compatible with snail mail, brick and mortar stores, cars, buses, or cash. I must live electronically. How the dickens can I do that while being responsible and secure?
https://plus.google.com/+LaurenWeinstein/posts/TPGq25rCG5C

One of the most likely responses to the widespread use of ad blockers will be a vast increase in so-called "native advertising," exemplified by articles, stories, or other materials—including "editorials" and the like—that do not reveal in a straightforward manner that they are actually *placements* whose content is being paid for by advertisers. In essence, these are "stealth ads"—designed to pretend they're not ads at all. And ad blockers normally won't be able to touch them. So now instead of knowing that there's an ad trying to convince you to buy something or change your point of view, you won't even know someone is paying to put the words and images in front of you. Congratulations.
http://www.nytimes.com/2015/09/14/us/politics/one-symptom-in-new-medical-codes-doctor-anxiety.html?partner=rss&emc=rss The more than 100,000 new codes, which will take effect on Oct. 1, have potential benefits, as they will require doctors to make a deeper assessment of many patients. But the change is causing waves of anxiety among health care providers, who fear that claims will be denied and payments delayed if they do not use the new codes, or do not use them properly. Some doctors and hospitals are already obtaining lines of credit because they fear that the transition to the new system will cause cash-flow problems. This could end up being a situation where the desire to collect more detailed data ends up killing people.
David Robertson, University of Illinois News Bureau, 9 Sep 2015
via ACM TechNews, Monday, Sept. 14, 2015

University of Illinois at Urbana-Champaign (UIUC) researchers recently concluded the Motion Leaks through Smartwatch Sensors (MoLe) project, which found smartwatches are vulnerable to hackers. The researchers designed an app and were able to guess what a user was typing through data "leaks" produced by the motion sensors on smartwatches. The research has privacy implications, as an app that looks harmless could gather data from email messages, search queries, and other confidential documents. Although smartwatches can offer valuable insights into human health and context, "the core challenge is in characterizing what can or cannot be inferred from sensor data and the MoLe project is one example along this direction," says UIUC professor Romit Roy Choudhury. The app uses an accelerometer and gyroscope to track the micro-motion of keystrokes as a wearer types on a keyboard. A possible solution to these motion leaks would be to lower the sample rate of the sensors in the watch, notes UIUC Ph.D. student He Wang. The researchers' current system cannot detect special characters such as numbers, punctuation, and symbols that could appear in passwords, but the researchers say hackers could develop techniques for these characters in the future.

http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e154x2d3eax063843&
Zack Whittaker, Zero Day, 3 Sep 2015 The case, if lost, could see a mass exodus of international customers from the US cloud. http://www.zdnet.com/article/why-microsoft-data-case-could-unravel-the-us-tech-industry/ opening text: Saying "no" to the government is never a good idea. But Microsoft had little option. In a little under a week, Microsoft will again head to a Manhattan court in an effort to try to quash a search warrant, sought by the US Justice Department, in an international drugs-related case. The warrant itself isn't out of the ordinary, but it does contain a crucial facet: It is demanding data on an email account stored by Microsoft in a datacenter in Ireland.
http://arstechnica.com/security/2015/09/mozilla-data-stolen-from-hacked-bug-database-was-used-to-attack-firefox/

An attacker stole security-sensitive vulnerability information from Mozilla's Bugzilla bug tracking system and probably used it to attack Firefox users, the maker of the open-source Firefox browser warned Friday. In an FAQ published (PDF) alongside Mozilla's blog post about the attack, the company added that the loss of information appeared to stem from a privileged user's compromised account. The user appeared to have re-used their Bugzilla account password on another website, which suffered a data breach. The attacker then allegedly gained access to the sensitive Bugzilla account and was able to "download security-sensitive information about flaws in Firefox and other Mozilla products."

No 2-factor login protection, Mozilla? REALLY?
NNSquad http://gizmodo.com/how-ashley-madison-hid-its-fembot-con-from-users-and-in-1728410265 To the Ashley Madison "guest," or non-paying member, it would appear that he was being personally contacted by eager women. But if he wanted to read or respond to them, he would have to shell out for a package of Ashley Madison credits, which range in price from $60 to $290. Each subsequent message and chat cost the man credits. As documents from company e-mails now reveal, 80 percent of first purchases on Ashley Madison were a result of a man trying to contact a bot, or reading a message from one. The overwhelming majority of men on Ashley Madison were paying to chat with Angels like Sensuous Kitten, whose minds were made of software and whose promises were nothing more than hastily written outputs from algorithms. But the men were not fooled. At least, not all of them. An analysis of company e-mails, coupled with evidence from Ashley Madison source code, reveals that company executives were in a constant battle to hide the truth. In emails to disgruntled members of the site, and even the California attorney general, they shaded the truth about how the bots fit into their business plan.
Maria Korolov, InfoWorld, 1 Sep 2015 Ten top-level domains are to blame for at least 95 percent of the websites that pose a potential threat to visitors http://www.infoworld.com/article/2978801/security/the-webs-10-most-dangerous-neighborhoods.html opening text: Wouldn't it be convenient if all the spam and malware sites were all grouped together under one top-level domain—.evil, say—so that they would be easy to avoid? According to a new study from Blue Coat, there are in fact 10 such top-level domains, where 95 percent or more of sites pose a potential threat to visitors.
Oscar Wilde supposedly said "ASSUME makes an ASS out of U and ME", which makes Wilde the first security researcher, since a security "exploit" by definition takes advantage of an *assumption* that isn't always true. (Mark Twain was another early security researcher: "It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so.")

The "Rowhammer" hardware bug recently discussed at Black Hat 2015 has converted a run-of-the-mill DRAM *reliability* problem into a *security* problem. But this won't be the last such conversion. *To a first approximation, *every* HW/SW bug can potentially be escalated into a security exploit.* In short, HW bugs don't just cause BSODs (Blue Screens of Death); it's now only a matter of months/weeks(?) before such a rowhammer exploit is found in the wilde that empties bank accounts.

Here are some excerpts from the Black Hat Rowhammer talk slides:

Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges
How to cause and exploit single bit errors
Mark Seaborn and Halvar Flake <mseaborn@chromium.org>

Timeline, 2014
  June 2014: CMU paper published
  Sept 2014: CMU paper read
  Oct 2014: NaCl exploit working & tested on more laptops
  Nov 2014: Kernel exploit working (12 weeks)

"Reliability" problems are often security problems, e.g., memory corruption bugs
  * Originally treated as "just reliability" issues
  * Clever exploits showed they're more dangerous than that
  * Hardware industry hasn't internalised this lesson yet.

Bad cells: "Badness" varies by DRAM module:
  * % of rows with bad cells: varies from 30% to 99.9%
  * # of row activations causing failure: can be as low as 98,000 ([only] 8% of the 1,300,000 allowed by spec)

Repeated row activations can cause bit flips in adjacent rows
  * A fault in many DRAM modules, from 2010 onwards
  * Bypasses memory protection: one process can affect others
  * The three big DRAM manufacturers all shipped memory with this problem
  * A whole generation of machines

Mitigations
  CMU paper: the industry has been aware of this problem since at least 2012
  * Industry preparing mitigations—but no security advisories
  * ECC (Error Correcting Codes)
  * TRR (Target Row Refresh)
  * Higher DRAM refresh rates

Conclusions
  * As software-level sandboxes get better, attackers will likely target more esoteric bugs, such as hardware bugs
  * Rowhammer: not just a reliability problem
  * Hard to verify that hardware meets spec
  * Vendors should adopt security mindset
  * Vendors should be more transparent

https://www.youtube.com/watch?v=0U7511Fb4to
https://www.blackhat.com/docs/us-15/materials/us-15-Seaborn-Exploiting-The-DRAM-Rowhammer-Bug-To-Gain-Kernel-Privileges.pdf
https://www.blackhat.com/docs/us-15/materials/us-15-Seaborn-Exploiting-The-DRAM-Rowhammer-Bug-To-Gain-Kernel-Privileges-wp.pdf
http://arxiv.org/pdf/1507.06955v1.pdf
https://github.com/google/rowhammer-test
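As an added illustration of what "repeated row activations" means in practice, here is the shape of the hammering loop the slides describe, in C, together with the check that turns a reliability fault into something observable. This is example code written for this digest, not the code from the talk or from google/rowhammer-test (linked above), although it follows the same approach: fill a buffer with a known pattern, alternately read two "aggressor" addresses while flushing them from the cache so that every read really opens a DRAM row, then scan the buffer for bits that changed. The buffer size, the 1 MiB separation between the two aggressor addresses and the iteration count are assumptions; an ordinary heap buffer gives no guarantee that the two addresses land in different rows of the same bank, which a real test needs (the linked tool uses physical-address information for that), so on most machines this reports zero flips.

```c
/* Rowhammer hammer loop and bit-flip check. Illustrative example only;
 * not the code from the Black Hat talk or from google/rowhammer-test.
 * Buffer size, aggressor spacing and iteration count are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILL_PATTERN 0xFF   /* all bits set: a 1->0 flip shows up as a cleared bit */

/* Evict one cache line so the next load must go to DRAM. The slides'
 * attack relies on this (clflush is unprivileged on x86). On other
 * architectures this is a no-op and the loop only exercises the cache. */
static inline void flush_line(const volatile void *p) {
#if defined(__x86_64__)
    __builtin_ia32_clflush((const void *)p);
#else
    (void)p;
#endif
}

/* Count bits in buf[0..len) that differ from the fill pattern: the
 * "did anything flip?" check, pure C and testable on its own. */
size_t count_bit_flips(const uint8_t *buf, size_t len, uint8_t pattern) {
    size_t flips = 0;
    for (size_t i = 0; i < len; i++)
        flips += (size_t)__builtin_popcount((unsigned)(buf[i] ^ pattern));
    return flips;
}

/* Alternately read addr_a and addr_b 'iterations' times, flushing both
 * from cache after each pair of reads so every read is a row activation.
 * The loads are volatile, so the compiler must emit them; the XOR sink
 * is returned only to make the result observable. */
uint8_t hammer(volatile uint8_t *addr_a, volatile uint8_t *addr_b,
               unsigned long iterations) {
    uint8_t sink = 0;
    for (unsigned long i = 0; i < iterations; i++) {
        sink ^= *addr_a;
        sink ^= *addr_b;
        flush_line(addr_a);   /* force the next read of addr_a to DRAM */
        flush_line(addr_b);
    }
    return sink;
}

/* One round: allocate 'len' bytes, fill them, hammer two addresses
 * 'stride' bytes apart (assumed, not guaranteed, to be in different rows),
 * then count flipped bits anywhere in the buffer. Returns the flip count;
 * returns 0 without hammering if the arguments do not fit the buffer. */
size_t rowhammer_round(size_t len, size_t stride, unsigned long iterations) {
    uint8_t *buf = malloc(len);
    if (buf == NULL || stride == 0 || stride * 2 >= len) {
        free(buf);
        return 0;
    }
    memset(buf, FILL_PATTERN, len);   /* also faults the pages in */
    volatile uint8_t *a = buf + stride;
    volatile uint8_t *b = buf + 2 * stride;
    (void)hammer(a, b, iterations);
    /* The aggressor bytes were only read, so the whole buffer is checked. */
    size_t flips = count_bit_flips(buf, len, FILL_PATTERN);
    free(buf);
    return flips;
}

int main(void) {
    /* 8 MiB buffer, aggressors 1 MiB apart, 5 million read pairs. */
    size_t flips = rowhammer_round((size_t)8 << 20, (size_t)1 << 20, 5000000UL);
    printf("bit flips observed: %zu\n", flips);
    return 0;
}
```

Compile with `cc -O2 rowhammer_example.c` and run it as an unprivileged user; that it compiles and runs without any privilege is the point the slides make about sandbox escapes. A non-zero count from this loop would be a flip in your own buffer only; the kernel-privilege exploit in the talk additionally needs control over which physical rows the victim page tables occupy, which this example does not attempt.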
http://www.technologyreview.com/news/541351/facebooks-like-buttons-will-soon-track-your-web-browsing-to-target-ads/ Facebook's ad targeting algorithms are about to get a new firehose of valuable and controversial personal data. Starting next month, the millions of Facebook "Like" and "Share" buttons that publishers have added to their pages and mobile apps will start funneling data on people's Web browsing habits into the company's ad targeting systems. After the change, the types of sites you visit could be used to tune ads shown to you inside Facebook's social networking service, its photo-sharing service Instagram, and websites that use Facebook's ad exchange.
https://digboston.com/license-to-connive-boston-still-tracks-vehicles-lies-about-it-and-leaves-sensitive-resident-data-exposed-online/ Prior to two weeks ago, when this reporter alerted authorities that they had exposed critical data, anyone online was able to freely access a City of Boston automated license plate reader (ALPR) system and to download dozens of sensitive files, including hundreds of thousands of motor vehicle records dating back to 2012. If someone saw your shiny car and wanted to rob your equally nice house, for example, they could use your parking permit number to obtain your address. All they had to do was find the server's URL.
I went to support.hp.com today to check on possible driver updates for an HP computer. I downloaded some of the drivers, but was appalled to see that HP used "http:" rather than "https:" on its driver downloads. Furthermore, some of the downloads terminated early—but *completely quietly* on the latest Chrome browser—so that one would only notice later that the download had been corrupted—in this particular case by simple truncation.

HP seems to be blissfully unaware that:
  1. There are bad actors out there on the Internet;
  2. Who would like nothing better than to infect everyone's computers;
  3. Who find drivers and BIOS updates to be wonderful attack surfaces;
  4. And who can infect http downloads *silently* and in *real time*.

For example, security researchers have shown how a "Backdoor Factory" can "patch" downloads "on-the-fly" in a way which can't be detected later (see below).

"The technology doesn't necessarily know how an attacker was able to get into a system, but [HP's] SureStart will find a way to detect that malware of some form is present in the BIOS" [Duh! Perhaps the malware got into the BIOS during a download from http://ftp.hp.com ?]

HP is apparently selling off its TippingPoint security division; one can only hope that one of HP's other security divisions will educate HP's computer unit about how to encrypt driver downloads.

"[TippingPoint's] technology is not a key part of HP's broader security strategy, which is focused on more sophisticated, faster-growing areas such as *encryption*."
"Earlier this year, HP bought an encryption company Voltage Security, which *helps customers protect their data*."

- - - -

The Backdoor Factory (BDF)
For security professionals and researchers only.
The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.
https://github.com/secretsquirrel/the-backdoor-factory

- - - -

HP seeks to sell cyber security unit TippingPoint: sources
http://uk.reuters.com/article/2015/09/02/us-tippingpoint-m-a-hp-idUKKCN0R229120150902

- - - -

HP Enhances SureStart Tech to Protect Users From BIOS Attacks
http://www.eweek.com/security/hp-enhances-surestart-tech-to-protect-users-from-bios-attacks.html
"The promise of SureStart is to help users protect, detect and recover from BIOS attacks, Ali said. *The technology doesn't necessarily know how an attacker was able to get into a system*, but SureStart will find a way to detect that malware of some form is present in the BIOS, he added."
We at the FBI know about these vulnerabilities, because we use them all the time to attack our own citizens' IoT devices. We also don't want these vulnerabilities to be fixed, because otherwise, we'll "go dark", and won't be able to read your emails or view your daughter's webcam. Our job is now done. You have been warned. But don't forget to leave that Golden Key under the mat by the front door just for us. —FBI Director Comey

'The FBI ... offers some tips on mitigating those cyber threats.'
'purchase IoT devices from manufacturers with a track record of providing secure devices' [i.e., *none*!]
'the criminal can access the home or business network and collect personal information or remotely monitor the owner's habits and network traffic'

Alert Number I-091015-PSA, 10 Sep 2015
Internet of Things Poses Opportunities for Cyber Crime
http://www.ic3.gov/media/2015/150910.aspx

The Internet of Things (IoT) refers to any object or device which connects to the Internet to automatically send and/or receive data. As more businesses and homeowners use web-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet also increases the target space for malicious cyber actors. Similar to other computing devices, like computers or Smartphones, IoT devices also pose security risks to consumers. The FBI is warning companies and the general public to be aware of IoT vulnerabilities cybercriminals could exploit, and offers some tips on mitigating those cyber threats. [Long item truncated for RISKS. PGN]
http://superuser.com/questions/957907/unable-to-install-fonts-on-windows-10

"After a week of trying everything, the answer, as weird as it sounds, is to enable the Windows Firewall. I know, makes no sense, right? It's not connected to font settings; however, once it was 'On' I was able to fix my issue with installing fonts on Windows 10 and the 'not a valid font' message!"
NNSquad http://www.theinquirer.net/inquirer/news/2425381/microsoft-is-downloading-windows-10-to-your-machine-just-in-case He told us: "The symptoms are repeated failed 'Upgrade to Windows 10' in the WU update history and a huge 3.5GB to 6GB hidden folder labeled '$Windows.~BT'. I thought Microsoft [said] this 'upgrade' was optional. If so, why is it being pushed out to so many computers where it wasn't reserved, and why does it try to install over and over again? "I know of two instances where people on metered connections went over their data cap for August because of this unwanted download. My own Internet (slow DSL) was crawling for a week or so until I discovered this problem. In fact, that's what led me to it. Not only does it download, it tries to install every time the computer is booted."
Seems to leave us with two options:
  1. Abandon Windows altogether.
  2. Stick with Windows XP, which, according to Microsoft policy, will no longer be updated. It will therefore not get "spying features" added.

What I do, and have done for years, is to use Linux for everything, except when there is something that requires Windows. I then use XP (or occasionally Vista on an old laptop), but only for those specific tasks.
I have tried editing the hosts file on Windows - I wanted to add an explicit entry for my printer, iirc. WINDOWS WON'T LET YOU! The windows self-protection feature - from as long ago as XP - will by default revert any changes made to important system files - such as the hosts file. It can be defeated - I know it's possible to make changes stick - but it's some magic incantation that defeated me. So no. For a naive user, it is impossible to edit the hosts file.
Errmm... because an on-board computer with processing ability even remotely close to that of an average 100 IQ brain is even further away in the future than "as-yet-undefined 5G technology" with hard "quality-of-service guarantee"?
> If the average 100 IQ human with modest visual ability and reflexes can > successfully navigate, it's not at all clear to me why my future Subaru++ is > going to require the equivalent of a streaming Hollywood movie, from long > distances, to compete. Many years ago (in the 80s, I believe, in the days of 8-bit processors) I remember the stories about how much processing power would be required to achieve AI and make robots that could walk etc. Then I read a story, about a guy who *had* *made* robot crabs, that could successfully navigate the surf zone on a beach. With water flowing backwards and forwards. With the sand shifting underfoot. With breakers crashing over the little robots. And all with minimal processing power that did little more than assess the immediate situation, and adjust the stance of the robot so that when the robot was free to move, it did so, and when the water was crashing about it the aerodynamic (or waterdynamic) forces pushed it down and held it firm. We think we need to throw huge amounts of processing power at a problem to solve the entire problem. But all biology does is throw minimal power at it to solve the immediate issue, and that is usually more than is needed.
There's a vaguely similar problem with public transport in London. As well as contactless credit/debit cards, Apple Pay and similar smartphone systems can now be used for fare payment. All fine and dandy, but the London Transport web site warns:

> Make sure you have enough battery
>
> Your iPhone or Apple Watch must be switched on to use it to travel. You should also check that you have enough battery on your iPhone or Apple Watch to complete your journey. If you don't and:
>
> It runs out of battery in the middle of a rail journey, you will not be able to touch out at the end and could be charged a maximum fare. If an inspector asks you to touch your iPhone or Apple Watch on their reader, it will not be able to be read and you could be liable for a penalty fare.

https://tfl.gov.uk/fares-and-payments/contactless/other-methods-of-contactless-payment/apple-pay

Of course the passive RFID-type contactless cards don't have problems with power supplies, but now that there are many more of them around, there can be trouble with 'card clash' (when readers try to read two close-together cards at once and fail) or, worse, when a passenger unintentionally has one card read at the starting station and a different one read at the final station.

PS: There was a small item in the newspaper about Twitter, and in particular the 140-character limit (co-founder Jack Dorsey quoted as saying that it was inspired by the 160-character limit of SMS), with the obvious aim of preventing unnecessary verbosity. Fine for English, but other languages can need more letters to say something worthwhile, e.g. German...
Perhaps the real failure here is in failing to understand that driving is a social activity. You are cooperating with other drivers with some suggested rules of the road. The law doesn't work if we take it too seriously. When I rented a Tesla in California the adaptive cruise control was set to 4 seconds behind the car in front of me. It worked there but would've failed in Boston where other drivers would recognize an opportunity to use the empty space between cars. I look forward to driverless cars so that I can play chicken with them—I'll get right of way by winning 100% of the time. Sure the driverless cars could try to respond by gaming me back but unlike me they have a lawyer circuit that can't claim ignorance or inattention. I do worry that insurance companies will view people doing their own driving as reckless rather than innovative. You can't say you want innovation if you are too efficient and serious about enforcing rules. The risk of optimizing against arbitrary metrics. And why are we characterizing the problem as automation rather than assisting the driver and also setting aside some venue such as guideways where driverless cars can cooperate with their peers? This also reflects the larger inability to understand the Internet as a byproduct of using software to cooperate in using common facilities to create our own solution. This is why buffer bloat is a problem—a provider is denying us the information essential for cooperation by hiding the true characteristics of the infrastructure behind opaque buffers. The Internet is a network in the social sense and not in the sense of something being provided.