John Markoff and Claire Cain Miller, *The New York Times*, 17 Jun 2014
(begins front page of Science Times in the National Edition)

Smarter machines will be freer to interact with people, making safety a bigger concern

The article lists a bunch of cases of serious industrial accidents involving robots, cited from OSHA data:

* Bakery, Aug 2011
* Plastics factory, May 2011
* Metal factory, Jul 2006
* Car factory, Mar 2006
* Car factory, Dec 2001
* Metal factory, Aug 1999
* Meatpacking plant, Jun 1999
* Sporting goods manufacturer, Nov 1996
* Aluminum factory, Feb 1996

The article notes that "Many were a result of human error; others were caused by robots' unexpected behavior." Each case involved a death, except for the sporting goods one.

If you seriously believe in the infallibility of smart robots and their ability to prevent accidental misuse, you might want to read this article, and perhaps dig into the OSHA data. Also, when we combine robots with the Internet of Things, we must also address the reality that robots could be hacked remotely by malfeasers. The same considerations should also apply to Automated Highways, and perhaps even Free Flight (the FAA's notion that we can get rid of air-traffic controllers and have all the smarts in the cockpit computers—which may mercifully have fallen by the wayside). Once again, the lessons from the Risks Forum leap to the forefront.
A province-wide EMR system in Alberta, Canada, collapsed Monday, making it impossible to see test results, medical histories, medications, etc., for several hours. The system has a history of previous difficulties (202 clinics lost access for roughly one day a year ago; a major slowdown occurred last week, requiring about 15 minutes for simple tasks such as prescription renewals). The vendor reported the problem was "a technical issue that was difficult to find and address."

A single system for an entire province—what could go wrong?

Details at:
http://medicinehatnews.com/news/local-news/2014/06/10/system-failure-has-docs-patients-upset/

Robert L Wears, University of Florida, wears@ufl.edu 1-904-244-4405 (ass't)
Imperial College London r.wears@imperial.ac.uk +44 (0)791 015 2219
Ars Technica via NNSquad
http://arstechnica.com/business/2014/06/att-we-need-to-buy-directv-because-u-verse-tv-is-a-failure/

"AT&T has world-class wireline and wireless broadband facilities, but its video service, which is available in only a minority of customer locations within AT&T's 22-state incumbent local exchange carrier ('ILEC') region, is uneconomic and not fully competitive with cable providers," the company said. AT&T only provides U-verse video where it has fiber-to-the-node or fiber-to-the-premises, the company said.

"As a result of its relatively limited video footprint, AT&T is far smaller than Comcast and Time Warner Cable, its principal competitors," it said. "Lack of scale particularly hinders AT&T with respect to content acquisition, which is by far the largest variable cost of MVPD [multichannel video programming distributor] service. AT&T therefore faces challenges selling competitive broadband/video bundles even inside its U-verse video footprint."

Although AT&T lags behind Comcast in Internet and video subscribers, it has double Comcast's overall revenue. AT&T made $128.8 billion in revenue last year compared to Comcast's $64.7 billion.

Left unsaid is that AT&T bears responsibility for making U-verse available only in "a minority of customer locations," by choosing to slow down and limit its fiber deployment, until AT&T announced a recent expansion.
[We can argue risk for whom if you would like!]

*Review Journal*, Jun 12 2014
http://www.reviewjournal.com/trending/woman-creates-fake-facebook-profile-discovers-niece-wants-kill-her
Ian Paul, PC World, 11 Jun 2014

For several months, Google toyed with the idea of hiding full Web addresses from users in Chrome.
http://www.infoworld.com/d/applications/google-chromes-experiment-killing-urls-appears-be-hold-244145
Steven Kurutz, *The New York Times*, 11 Jun 2014

In this age of rapid transformation, the house key has been surprisingly resistant to change. Cars have mostly switched to key fobs. Hotels and office buildings favor the pass card. And yet the little metal keys we carry around—part security device, part domestic totem—aren't that different from the ones carried by our parents, their parents or their parents, going back to the Civil War, when Linus Yale Jr. invented the cylinder lock, modifying an ancient Egyptian design.

That was before the Internet of Things, an approach to life in which every household fixture, no matter how unsexy or long neglected by designers, can be rewired for digital living. And now, like the thermostat and the slow cooker, the house key and its mate, the front-door lock, are going "smart" too.

In the last year or so, several electronic door locks from industry bigwigs like Schlage and Kwikset have hit the market, making it possible to unlock your home using a smartphone, tablet or computer. And two new locks created by tech start-ups, which are forthcoming, promise the hands-free ease of unlocking the door automatically as you approach it. ...

http://www.nytimes.com/2014/06/12/garden/losing-the-key.html

[I guess that RISKS may soon have to spawn an offspring, called Smart RISKS! (or perhaps RISKS of Trying to Be *Too Smart*!) PGN]
http://arstechnica.com/security/2014/06/pf-chang-turns-to-vintage-1970s-tech-after-credit-card-breach/

US restaurant chain P.F. Chang's China Bistro plans to temporarily bring back manual credit card imprinting while it investigates a security breach that allowed hackers to steal customer payment card data from multiple stores.

The old-school manual system has already been spotted by people affiliated with SANS, a computer security training institute. Readers may remember the system from decades ago, when eight-track tapes and, later, Betamax video, were still the rage. P.F. Chang's servers will be retaining carbon copies of the transactions, according to KrebsOnSecurity reporter Brian Krebs, who first reported the breach three days ago after finding that thousands of newly stolen credit and debit cards for sale in underground forums were all used at the chain.

"At P.F. Chang's, the safety and security of our guests' payment information is a top priority," a statement posted on the chain's website stated. "Therefore, we have moved to a manual credit card imprinting system for all P.F. Chang's China Bistro branded restaurants located in the continental United States. This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues."

The statement went on to advise customers to monitor their credit card and bank statements and to report any suspicious activity to their card issuers. According to Krebs, P.F. Chang's is also deploying dial-up card readers that will be plugged in to old-fashioned phone lines and used to process the imprint slips.

The chain's shift to a manual system is already prompting jokes that rib a security-through-obscurity approach. In fairness, manual imprints are probably more secure. Just as they are harder for merchants to quickly process in large numbers, they probably are similarly harder for digital thieves to siphon up wholesale.

P.F. Chang's is the latest nationwide chain to be hit by an embarrassing hack that compromised its customers' sensitive data. In November, retailer Target suffered a breach that compromised credit card and personal data for as many as 110 million customers. Like P.F. Chang's, Target has been working with law enforcement agencies to investigate the hack. Unlike P.F. Chang's, Target has continued to process payment card transactions electronically.
Loek Essers, InfoWorld Home, 27 May 2014

Hackers are demanding ransoms to unlock devices that were locked with the Find My iPhone tool, according to forum posts.
http://www.infoworld.com/d/mobile-technology/apple-devices-held-hostage-using-find-my-iphone-243133
Tim Hornyak, InfoWorld, 11 Jun 2014

The attack temporarily shut down Evernote, which now has over 100 million users.
http://www.infoworld.com/d/security/evernote-hit-denial-of-service-attack-244124
Bill Snyder, InfoWorld, 12 Jun 2014

Microsoft, Google, even Facebook are protecting their bottom lines -- and you -- by fighting outrageous court orders and encrypting user content.
http://www.infoworld.com/d/the-industry-standard/tech-giants-finally-grow-spine-and-resist-nsa-spying-244174
Tim Wu, *The New York Times*, 3 Jun 2014

Thanks to Facebook and Instagram, oversharing one's personal life feels as authentic as reality TV. Right now anonymous posts hold the key to the truth.

In the seminal 1999 cultural manifesto "No Logo," the writer Naomi Klein pronounced that corporations were now in the business of selling brands, rather than products. Whoever "produces the most powerful images, as opposed to products," she wrote, "wins the race." At the time, it was a shocking message; little did she realize that by 2014 it would not just be companies, but also people, who would be caught up in a branding race through social media, and one directed not just at customers, but relatives and friends.

The euphemism is "sharing," but Klein would probably just call it selling a personal brand, whether you consider yourself the pretty young thing with literary tastes and a traditional side, the family man who brews his own beer or the tough lawyer with a sense of humor. It can be nice to share, but brand maintenance takes constant work and demands consistency. A serious self-brand should have some presence on Facebook, Twitter, LinkedIn, Instagram, Foursquare, Google+ and Tumblr; keeping it all up can feel like working as an unpaid intern for a Z-list celebrity known as Oneself.

In light of this, the recent comeback of online anonymity seems entirely predictable. Two popular smartphone apps, Secret and Whisper, took off this spring, especially in the tech communities, offering users the opportunity to speak to their friends and a broader audience, anonymously, on just about any subject. Reddit, an anonymous discussion and linking site, has recently witnessed a traffic explosion; with more than 110 million unique monthly visitors, it has more traffic than Netflix or any American newspaper. Users of these anonymous outlets make it clear they're looking for a break from Facebook and other social media. One comment: "Maybe the reason Secret is ... interesting ... is because it doesn't have to be happy all the time." ...

http://tmagazine.blogs.nytimes.com/2014/06/03/oversharing-facebook-instagram-whisper-secret/
Steve Lohr, *The New York Times*, 12 Jun 2014

People around the world are thrilled by the ease and convenience of their smartphones and Internet services, but they aren't willing to trade their privacy to get more of it. That is the top-line finding of a new study of 15,000 consumers in 15 countries.

The privacy paradox was surfaced most directly in one question: Would you be willing to trade some privacy for greater convenience and ease? Worldwide, 51 percent replied no, and 27 percent said yes. (The remainder had no opinion or didn't know.)

There were country-by-country differences, but there was a consistency to the results, especially in the developed nations. The United States was 56 percent no and 21 percent yes. Britain was almost identical—55 percent no, 18 percent yes. Germany was most privacy protective—71 percent no, and 12 percent yes. India, by contrast, had the highest yes percentage—48 percent, to 40 percent no. ...

http://bits.blogs.nytimes.com/2014/06/12/the-privacy-paradox-a-challenge-for-business/
Among the many password traps: You have used the same password at multiple sites and now you want to clean things up. You go to one of these websites and find there is no option to change your password. Worse: The only option available is to request they send you your (precious) password in open e-mail.

Hard to believe this could happen in 2014? Here it is: http://checkinsooner.com

Implication: more important day by day, do not re-use passwords.

Richard Karash, Karash Associates LLC +1 617-308-4750 http://Karash.com
Sean Gallagher, Ars Technica, 10 Jun 2014

A week spent playing NSA reveals just how much data we leak online.

On a bright April morning in Menlo Park, California, I became an Internet spy. This was easier than it sounds because I had a willing target. I had partnered with National Public Radio (NPR) tech correspondent Steve Henn for an experiment in Internet surveillance. For one week, while Henn researched a story, he allowed himself to be watched, acting as a stand-in, in effect, for everyone who uses Internet-connected devices. How much of our lives do we really reveal simply by going online?

Henn let me into his Silicon Valley home and ushered me into his office with a cup of coffee. Waiting for me there was the key tool of my new trade: a metal-and-plastic box that resembled nothing more threatening than an unlabeled Wi-Fi router. This was the PwnPlug R2, a piece of professional penetration testing gear designed by Pwnie Express CTO Dave Porcello and his team and on loan to us for this project. The box would soon sink its teeth into the Internet traffic from Henn's home computer and smartphone, silently gobbling up every morsel of data and spitting it surreptitiously out of Henn's home network for our later analysis.

With its help, we would create a pint-sized version of the Internet surveillance infrastructure used by the National Security Agency. Henn would serve as a proxy for Internet users, Porcello would become our one-man equivalent of the NSA's Special Source Operations department, and I would become Henn's personal NSA analyst. ...

http://arstechnica.com/security/2014/06/what-the-nsa-or-anyone-can-learn-about-you-from-internet-traffic/
Steve Henn, NPR, 13 Jun 2014
http://www.npr.org/blogs/alltechconsidered/2014/06/13/321389989/heres-one-big-way-your-mobile-phone-could-be-open-to-hackers

Selected text:

Earlier this spring, when I conducted an experiment tapping my own Internet traffic, Sean Gallagher, a reporter from the tech news site Ars Technica, came to my house, and we connected a little device called a Pwn Plug -- invented by computer security expert Dave Porcello -- to my network.

Seeing just how much data streamed out of my phone the second I connected was a big surprise. My phone pinged Apple, Google and Yahoo. Then apps like Twitter and Facebook connected to the Internet. This all happened in just seconds of it simply sitting on my desk. I hadn't touched the phone. If Porcello had been a hacker, those few seconds could have been a gold mine.
http://www.huffingtonpost.com/2014/06/11/cell-tracking-unconstitutional_n_5486458.html
"Simply put, spreadsheets are good for quick and dirty work, but they are not designed for serious and reliable work."

Sez who? Let me state authoritatively that that statement is simply not true. You'd think after all these years we'd be past "who needs spreadsheets when you have Fortran (or, for Lemire, C)". There is a reason why spreadsheets are a valuable tool—they give you the ability to work with the numbers. It's like complaining about those new-fangled typewriters because writing should be done at a leisurely pace using a ballpoint pen or maybe quill and ink.

What we should be concerned with is the interpretation of the data and the tendency to treat numbers as supporting whatever meaning we project on them. It reminds me of another personal experience when I was at Interactive Data Corporation and we introduced Black-Scholes (option pricing) numbers. Naive people on Wall St used them as the foundation for derivatives even though they had little intrinsic meaning.

It's easy to see that wealth is increasingly concentrated—the question is why does it take precise calculations based on guesstimates to "prove" that it is happening? One risk is that we'll approach this as a problem of numbers rather than recognizing we have a structural problem.

Spreadsheets are a useful way to provide insight as long as we don't confuse the numbers with their meaning. We see this again in the spectrum auction, which is backed by lots of analyses premised on the idea that faux wires is the right way to communicate in the absence of wires, thus maximizing the local value to the owners while minimizing the global value to society.
I've been saying this for years. Just too easy to hide mistakes, either by accident or on purpose to make a point. Hundreds or thousands or more programming statements scattered all over the sheets and linked perhaps to other sheets that the author has not reviewed in detail.
In RISKS there was some interesting commentary on Google's self-driving cars and the possible rules under which the software would decide who gets to live and who gets to die in the presence of a pending `exchange of inertia', one might call it, when vehicles and/or pedestrians collide out in the real world and smart cars have time to crunch software to evaluate least-harm consequences of possible defensive measures the cars may take.

What I haven't seen mentioned in either David Weinberger's original article (https://medium.com/@dweinberger/would-a-google-car-sacrifice-you-for-the-sake-of-the-many-e9d6abcf6fed) or the follow-up commentary to Risks is the most probable over-riding datum which smart cars will retrieve from their on-line databases and evaluate milliseconds before making defensive (or even offensive) actions: Smart cars will determine there is a threat to human life, talk among themselves to retrieve and weigh each threatened occupant's and pedestrian's financial wealth and social standing, and the priority for survival will be meted out to the wealthiest, with us 99%er peasants fully expected to die first.

Let's be realistic, okay? Google is evil, ergo its cars will be evil. These corporate Oligarchs don't care about human life unless it's wrapped around a limo wearing a tuxedo on its way to a Wall Street meet-and-greet with lobbyists and politicians, and the software in their cars can be expected to have all the ethics and morals of a Mitt Romney or a Donald Trump.
This sounds exactly like the BT Home Hub, which has been pretty much standard fare for British Telecom customers for many years. As I remember it, in order to sign up for roaming wi-fi, I had to enable my router as a hot-spot, but it was opt-in. So now, if I'm away from home and there is a BT customer nearby I will see a "BT wifi" router which I can sign in on using my home credentials. Hopefully that is configured to just provide a bridge directly to the BT master router in the exchange. I agree that if the router can be compromised, there is a risk that the user's home network will be hijacked but I suspect routers are vulnerable enough that the added attack surface isn't that important.
> I especially liked the part about "people using the Internet via
> the hotspot won't slow down Internet access on the home network."

Let me see if I understand this. The four guys sitting at my neighbor's pool all streaming a playoff game of their favorite team to their iPads are not going to use up any of the RF bandwidth of my local Access Point? Anyone care to explain that one to me?

Bill Gunshannon, University of Scranton, Scranton, Pennsylvania
> Thanks for sharing that. So long as the router doesn't have any flaws, and
> no one uses the guest access for nefarious purposes, what could go wrong?

Plenty, but no more than what's already wrong with any other public hotspots.

>> I don't recall any disaster stories, although I haven't particularly
>> been looking for them.
>>
>> http://www.btwifi.com/find/uk/

John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
How do we get past the fear of contributing to the public good? What happens if someone uses your sidewalk or your porch light to conduct criminal activity?

The Internet is about a big idea—exchanging raw (best efforts) packets apart from their meaning. Making people liable is the idea that we must prevent all bits from flowing, just in case someone may not understand the concept of a bit; it is akin to requiring someone to walk in front of a car lest it go too fast and scare the horses.

The risk of doing harm is not just a risk but a reality. By making everyone along the path a gatekeeper who must prevent all bits from passing we prevent even the simplest applications such as connected healthcare from happening, and people die. I explain more in http://rmf.vc/BitsVsMessages and in my next IEEE column.

We must educate lawyers and organizations like the ACLU about the importance of understanding the concept of packets apart from their meaning and the harm that comes from crippling our ability to communicate. As an added benefit we would get "network neutrality" as a byproduct of removing gatekeepers from the role of second-guessing the meaning of bits.

As to the Xfinity problem—I presume that using a different IP address is simple enough that we should instead concentrate on the value of increased connectivity. There's a separate risk of compromised routers that is totally apart from the Xfinity effort.
It's happening in the UK too—this was included in a newspaper's computing section, text saved *WITHOUT* permission (BT is my ISP but I don't know if this applies to me, I don't use WiFi at all). On the face of it a good idea, as it allows ISPs to enhance their WiFi coverage with no extra hardware; presumably legal liability should be shown in the ISP T&Cs, but is it..?

> Technology Advice <http://www.telegraph.co.uk/technology/advice/>
> Are curb crawlers piggybacking on my BT WiFi?
> Your Wi-Fi router is moonlighting as a part time public wireless
> hotspot, says Rick Maybury
> By Rick Maybury <http://www.telegraph.co.uk/journalists/rick-maybury/>
> <http://www.telegraph.co.uk/technology/advice/10805144/Are-curb-crawlers-piggybacking-on-my-BT-WiFi.html>
Yes, I know about the Dinorwic pumped storage set-up in Wales, *however* this is just used to give a little extra capacity to cover short-term peaks. According to Wikipedia, the water can last for up to 6 hours, and the installed generating capacity is 1.65GW. Also according to Wikipedia, the UK's electricity demand is 35.8GW on average and 57.5GW peak. Therefore, 22 Dinorwics would be needed to meet the UK's average load, or 35 for peak load, and that's just for a few hours. Wikipedia gives the efficiency as 75%, so getting 100% of power out means putting 133% in.

The problem with renewable electricity sources (at least for wind, solar, and tidal) is that they only supply power in short bursts while it's needed 24/7, so if a country wanted to get all of its electricity from these sources, it would have to have enough storage capacity to meet the country's entire demand for quite long periods of time, and the renewable sources would have to have enough capacity to replenish the storage facilities (allowing for their inefficiencies) during the times when they do produce power. Other RISKS readers will probably have better information.

The other problems are (a) if electricity supplies become unreliable then people may well use their own generators in preference to public supplies, which defeats the object of 'green' energy sources, and (b) building all those pumped storage projects and the transmission lines to them takes a lot of steel, concrete, truck journeys, freight activity, etc., which has a big environmental impact.