Total parenteral nutrition (intravenous feeding) is complicated to administer and there are tools to assist in the preparation of individualized dosing. Because such nutrition is typically administered weeks to years and the composition needs to change frequently (in instances, daily) and because patients receiving this sort of treatment are invariably quite ill, even relatively small flaws in the calculations can produce significant physiological disturbances. http://www.fda.gov/Safety/MedWatch/SafetyInformation/SafetyAlertsforHumanMedicalProducts/ucm398509.htm
A software- and GUI-caused incident waking up a town in Colorado:
Lafayette's 3 a.m. tornado-siren misfire blamed on human error, 'less-than-intuitive' software. Officials say 'work around' in place, but new software needed. Lafayette's tornado sirens mistakenly sound for 8 minutes in middle of night. The Boulder County Sheriff's Office has determined that human error and a "less-than-intuitive" software system were to blame for mistakenly setting off Lafayette's tornado sirens in the middle of the night last month. On May 22, Lafayette's emergency sirens were triggered at 3:07 a.m. by a pager notification for an unrelated police operation. The sirens sounded for about eight minutes until Boulder County dispatchers—alerted by incoming calls from concerned Lafayette residents—shut them down at 3:15 a.m., officials said. ... After investigators recreated the chain of events, officials said a dispatcher accidentally set off the alarms while trying to send a staff notification through the Computer Aided Dispatch (CAD) system, the same software that launches the alert sirens, according to a release. Officials believe that while trying to send out the notification, the dispatcher received an error message and then tried to click an "OK" to close the box. But the button to activate the alert sirens is directly underneath the "OK" button in the error box, and the investigators believe the dispatcher "inadvertently" selected that option. ... Officials with the Boulder County Sheriff's Office dispatch center—which handles Lafayette police dispatch duties—said they have developed a "work around" that will make it easier for dispatchers to confirm where their pages are going. But they said the ultimate solution is to have the Lafayette sirens operated through a standalone software system similar to the one used by all other Boulder County alert sirens. http://www.dailycamera.com/lafayette-news/ci_25892803/lafayettes-3-m-tornado-siren-misfire-blamed-human
David Kravets, Ars Technica, 5 Jun 2014 Thankfully, European top court rules against the publishers' "irrational" claims. http://arstechnica.com/tech-policy/2014/06/web-browsing-is-copyright-infringement-publishers-argue/ Europeans may browse the Internet without fear of infringing copyrights, as the EU Court of Justice ruled Thursday in a decision that ends a four-year legal battle threatening the open Internet. It was the European top court's second wide-ranging cyber ruling in less than a month. The court ruled May 13 that Europeans had a so-called "right to be forgotten" requiring Google to delete "inadequate" and "irrelevant" data upon requests from the public. That decision is spurring thousands of removal requests. In this week's case, the court slapped down the Newspaper Licensing Agency's (NLA) claim that the technological underpinnings of Web surfing amounted to infringement. The court ruled that "on-screen copies and the cached copies made by an end-user in the course of viewing a website satisfy the conditions" of infringement exemptions spelled out in the EU Copyright Directive. The NLA's opponent in the case was the Public Relations Consultants Association (PRCA). The PR group hailed the decision. "We are utterly delighted that the CJEU has accepted all of our arguments against the NLA, which represents eight national newspapers. The Court of Justice, like the Supreme Court before them, understands that the NLA's attempts to charge for reading online content do not just affect the PR world, but the fundamental rights of all EU citizens to browse the Internet," PRCA Director General Francis Ingham said. "This is a huge step in the right direction for the courts as they seek ways to deal with the thorny issues of Internet use and copyright law." The NLA is the body that distributes reproductions of newspaper content, including the Guardian's. 
Its main argument was that the cost the licensing public relations companies pay for the reproductions should factor into what is temporarily copied on a reader's computer. David Pugh, the NLA's managing director, said opponents were making the case out to be as if the sky was falling, but it's not, he said. Pugh believed the issue was much narrower than portrayed. "In our view, [the temporary copying] exception is designed to protect ISPs and telecoms companies when they're transmitting data from A to B in networks. The PR spin put on this case was that if our ruling was allowed to stand then users of the Internet would be criminalized for using a browser, but that's never been what it's about," he said. [...]
Jon Brodkin, *The New York Times* (via Dave Farber), 4 Jun 2014 http://www.nytimes.com/2014/06/05/opinion/when-the-landline-is-a-lifeline.html AT&T and Verizon are pushing hard to shift traditional landline service, which has mostly operated over copper lines, to a system of Internet-based phones by around 2020. If the Federal Communications Commission approves the switch as is, it could come as a shock to the 96 million Americans who still rely on landlines. The change itself is inevitable: the old copper lines are aging and expensive to maintain. And the new system is already in use. As of December 2012, 42 million Americans had Internet-based phones. But moving to an all Internet-based network will benefit Americans only if the F.C.C. is able to protect them in the shift. The new phones have some major technical flaws. They can't hold up during long power failures or connect all emergency phone calls. But there are also regulatory problems: The change in service could free the telecom industry from its obligation to guarantee universal access and fair prices to consumers. As a result, people in remote or rural areas who rely on landlines could end up paying a lot for a bad deal. So-called common carrier rules have long required phone companies to offer services to everyone, at reasonable rates. But in a series of decisions beginning in 2002, the F.C.C. classified broadband Internet as an "information service" instead of a telecommunication service, freeing it from these rules. For now, the F.C.C. hasn't weighed in on where the Internet-based phones—also called VoIP, for voice over Internet protocol—stand, leaving them in regulatory limbo. While the new phones all rely on the Internet, they don't all use the same delivery mechanism. Fiber and cable are more reliable carriers than the wireless network that cellphones also rely on. 
Without new regulations, phone companies could refuse wired Internet service to remote areas where it's not profitable to build it—a good 25 percent of AT&T's service area. One key upside to the old telephone network is that it can draw electricity from the copper wires, keeping residents connected to emergency services even when power failures render lights and cellphones useless for days. Alarm systems and medical alert devices often still rely on the traditional landline system, and those will need to be safely moved to new networks. Regardless, the phone companies are pushing ahead, sometimes without permission from the F.C.C. In 2012, after Hurricane Sandy destroyed much of the copper infrastructure in western Fire Island, N.Y., Verizon didn't want to fix the phone lines. Instead, it proposed replacing them with Voice Link, a substitute that connects to the cellular network. Residents and government officials protested that these phones would be less reliable and unable to last through power failures like the one that had just crippled the island. Voice Link isn't compatible with fax machines and medical alert systems, and its terms of service note that 911 calls might not even go to emergency service providers but can be legally routed to Verizon operators. [...]
Chris Kanaracus, Computerworld, 21 May 2014 Ricky Joe Mitchell must also pay more than $500,000 in restitution and fines A former network engineer for oil and gas company EnerVest has been sentenced to four years in federal prison after pleading guilty in January to sabotaging the company's systems badly enough to disrupt its business operations for a month. Ricky Joe Mitchell of Charleston, West Virginia, must also pay $428,000 in restitution and a $100,000 fine, according to an announcement this week from U.S. Attorney Booth Goodwin's office. In June 2012, Mitchell found out he was going to be fired from EnerVest and in response he decided to reset the company's servers to their original factory settings. He also disabled cooling equipment for EnerVest's systems and disabled a data-replication process. ... http://www.computerworld.com/s/article/9248499/IT_pro_gets_4_years_in_prison_for_sabotaging_ex_employer_39_s_system
Lucian Constantin, InfoWorld, 03 Jun 2014 Serious flaw in GnuTLS library endangers SSL clients and systems A vulnerability patched in the GnuTLS library can potentially be exploited from malicious servers to execute malware on computers http://www.infoworld.com/d/security/serious-flaw-in-gnutls-library-endangers-ssl-clients-and-systems-243629
In yet another demonstration of what happens when design includes weak security, we have the appalling possibility that, say, Monty Python reruns could be replaced by FAUX News broadcasts. Of course, some people argue that FAUX News is actually a satirical series anyway. http://www.bbc.co.uk/news/technology-27761756
http://truth-out.org/news/item/24186-usda-and-submachine-guns-latest-example-of-mission-creep-as-federal-policing-expands#.U5QXqf8fbGU.gmail
Dante D'Orazio, *The Verge*, 8 Jun 2014 (via Dave Farber) http://www.theverge.com/2014/6/8/5790936/computer-passes-turing-test-for-first-time-by-convincing-judges-it-is Eugene Goostman seems like a typical 13-year-old Ukrainian boy—at least, that's what a third of judges at a Turing Test competition this Saturday thought. Goostman says that he likes hamburgers and candy and that his father is a gynecologist, but it's all a lie. This boy is a program created by computer engineers led by Russian Vladimir Veselov and Ukrainian Eugene Demchenko. That a third of judges were convinced that Goostman was a human is significant—at least 30 percent of judges must be swayed for a computer to pass the famous Turing Test. The test, created by legendary computer scientist Alan Turing in 1950, was designed to answer the question "Can machines think?" and is a well-known staple of artificial intelligence studies. Goostman passed the test at the Turing Test 2014 competition in London on Saturday, and the event's organizers at the University of Reading say it's the first computer to succeed. Professor Kevin Warwick, a visiting professor at the university, noted in a release that "some will claim that the Test has already been passed." He added that "the words Turing Test have been applied to similar competitions around the world," but "this event involved the most simultaneous comparison tests than ever before, was independently verified and, crucially, the conversations were unrestricted." The program nearly passed the test back in 2012, when 29 percent of judges at another competition decided that it was a human. Despite the achievement, the results are far from conclusive and they do not mean that the machines are taking over the world—no matter what you read on the Internet. The program is scripted with a personality that likely assisted in convincing judges, and it is not the artificial intelligence you know from sci-fi movies. This is no HAL from 2001: A Space Odyssey. 
For instance, the Turing Test doesn't hinge on whether the computer's responses are correct or not -- it only involves the "humanness" of its answers. The test is carried out over a text chat. Goostman's "age" may have also helped it pass the test. As Veselov notes, "Our main idea was that he can claim that he knows anything, but his age also makes it perfectly reasonable that he doesn't know everything." [...]
https://medium.com/@dweinberger/would-a-google-car-sacrifice-you-for-the-sake-of-the-many-e9d6abcf6fed Plus: Networked Road Neutrality
1. The programmed morality of networked cars
Google self-driving cars are presumably programmed to protect their passengers. So, when a traffic situation gets nasty, the car you're in will take all the defensive actions it can to keep you safe. But what will robot cars be programmed to do when there's lots of them on the roads, and they're networked with one another? We know what we as individuals would like. My car should take as its Prime Directive: "Prevent my passengers from coming to harm." But when the cars are networked, their Prime Directive well might be: "Minimize the amount of harm to humans overall." And such a directive can lead a particular car to sacrifice its humans in order to keep the total carnage down. Asimov's Three Rules of Robotics don't provide enough guidance when the robots are in constant and instantaneous contact and have fragile human beings inside of them. It's easy to imagine cases. For example, a human unexpectedly darts into a busy street. The self-driving cars around it rapidly communicate and algorithmically devise a plan that saves the pedestrian at the price of causing two cars to engage in a Force 1 fender-bender and three cars to endure Force 2 minor collisions—but only if the car I happen to be in intentionally drives itself into a concrete piling, with a 95% chance of killing me. All other plans result in worse outcomes, where "worse" refers to some scale that weighs monetary damages, human injuries, and human deaths. Or, a broken run-off pipe creates a dangerous pool of water on the highway during a flash storm. The self-driving cars agree that unless my car accelerates and rams into a concrete piling, all other configurations of joint actions result in a tractor trailer jackknifing, causing lots of death and destruction. 
Not to mention The Angelic Children's Choir school bus that would be in harm's way. So, the swarm of robotic cars makes the right decision and intentionally kills me. In short, the networking of robotic cars will change the basic moral principles that guide their behavior. Non-networked cars are presumably programmed to be morally-blind individualists trying to save their passengers without thinking about others, but networked cars will probably be programmed to support some form of utilitarianism that tries to minimize the collective damage. And that's probably what we'd want. Isn't it? But one of the problems with utilitarianism is that there turns out to be little agreement about what counts as a value and how much it counts. Is saving a pedestrian more important than saving a passenger? Is it always right to try to preserve human life, no matter how unlikely it is that the action will succeed and no matter how many other injuries it is likely to result in? Should the car act as if its passenger has seat-belted him/herself in because passengers should do so? Should the cars be more willing to sacrifice the geriatric than the young, on the grounds that the young have more of a lifespan to lose? And won't someone please think about the kids—those adorable choir kids? We're not good at making these decisions, or even at having rational conversations about them. Usually we don't have to, or so we tell ourselves. For example, many of the rules that apply to us in public spaces, including roads, optimize for fairness: everyone waits at the same stop lights, and you don't get to speed unless something is relevantly different about your trip: you are chasing a bad guy or are driving someone who urgently needs medical care. But when we are better able to control the circumstances, fairness isn't always the best rule, especially in times of distress. Unfortunately, we don't have a lot of consensus around the values that would enable us to make joint decisions. 
We fall back to fairness, or pretend that we can have it all. Or we leave it to experts, as with the rules that determine who gets organ transplants. It turns out we don't even agree about whether it's morally right to risk soldiers' lives to rescue a captured comrade. Fortunately, we don't have to make these hard moral decisions. The people programming our robot cars will do it for us.
2. Networked Road Neutrality
Imagine the roadways are full of self-driving vehicles. Imagine that Google remains in the lead, and the bulk of the cars carry their brand. And assume that these cars are in networked communication with one another. Can we assume that Google will support Networked Road Neutrality, so that all cars are subject to the same rules, and there is no discrimination based on contents (= passengers), origin, destination, or purpose of the trip? Or would Google let you pay a premium to take the "fast lane"? (For reasons of network optimization the fast lane probably wouldn't actually be a designated lane but well might look much more like how frequencies are dynamically assigned in an age of "smart radios.") We presumably would be ok with letting emergency vehicles go faster than the rest of the swarm, but how about letting the rich folks pay to go faster by programming the other robot cars to give way when a car with its "Move aside!" bit is on? Let's say Google supports a strict version of Networked Road Neutrality. But, suppose Comcast starts to make cars, and programs them to get ahead of the cars that choose to play by the rules. Would Google cars take action to block the Comcast cars from switching lanes to gain a speed advantage—perhaps forming a cordon around them? Would that be legal? Would selling a virtual fast lane on a public roadway be legal in the first place? And who gets to decide? The FCC? One thing is sure: It'll be a golden age for lobbyists.
[Via Dave Farber's IP distribution. PGN] It's easy to imagine dystopian outcomes and unanticipated consequences for all actions. Can the author of this note comment on the likelihood of the occasion he postulates, or the likelihood of such programming? To date, there is no evidence of such programming and no reason to foresee it. On the other hand, there is quite good reason to expect that as the number of autonomous vehicles grows, we can expect safer roads, less stressed drivers, and relief from rush hour agony behind the wheel [*]. We already almost do that with lane change alarms and active cruise control. We are one short step away from letting go of the wheel entirely in many circumstances. Further, a more likely path for these cars to take is that they require an attentive driver well before they own the roadways. We should live so long! This kind of argument is reminiscent of the argument raised over caller ID twenty-five years ago. Yes, it can be misused, but are we better off for it? I think so. [* PGN adds, What could possibly go wrong? Some RISKS readers may disagree with this sentence, based on all sorts of threats, vulnerabilities, and past experience with human nature.]
David Sanger and Nicole Perlroth, *The New York Times* via NNSquad, 6 Jun 2014 http://www.nytimes.com/2014/06/07/technology/internet-giants-erect-barriers-to-spy-agencies.html "Just down the road from Google's main campus here, engineers for the company are accelerating what has become the newest arms race in modern technology: They are making it far more expensive and far more difficult for the National Security Agency and the intelligence arms of other governments around the world to pierce their systems."
*The Washington Post* via NNSquad http://www.washingtonpost.com/world/middle_east/cellphone-operator-reveals-scale-of-govt-snooping/2014/06/06/b703183c-edc3-11e3-8a8a-e17c08f80871_story.html "But the most explosive revelation in Vodafone's report is that in six countries, authorities require direct access to an operator's network, bypassing legal niceties like warrants and eliminating the need to get case-by-case cooperation from phone-company employees. It did not name the countries for legal reasons and to safeguard employees working there."
Kim Zetter, *WiReD*, 3 Jun 2014 (via Dave Farber) <http://www.wired.com/2014/06/feds-seize-stingray-documents/> A routine request in Florida for public records regarding the use of a surveillance tool known as stingray took an extraordinary turn recently when federal authorities seized the documents before police could release them. The surprise move by the U.S. Marshals Service stunned the American Civil Liberties Union, which earlier this year filed the public records request with the Sarasota, Florida, police department for information detailing its use of the controversial surveillance tool. The ACLU had an appointment last Tuesday to review documents pertaining to a case investigated by a Sarasota police detective. But marshals swooped in at the last minute to grab the records, claiming they belong to the U.S. Marshals Service and barring the police from releasing them. ACLU staff attorney Nathan Freed Wessler called the move "truly extraordinary and beyond the worst transparency violations" the group has seen regarding documents detailing police use of the technology. "This is consistent with what we've seen around the country with federal agencies trying to meddle with public requests for stingray information," Wessler said, noting that federal authorities have in other cases invoked the Homeland Security Act to prevent the release of such records. "The feds are working very hard to block any release of this information to the public." Stingrays, also known as IMSI catchers, simulate a cellphone tower and trick nearby mobile devices into connecting with them, thereby revealing their location. A stingray can see and record a device's unique ID number and traffic data, as well as information that points to its location. By moving a stingray around, authorities can triangulate a device's location with greater precision than is possible using data obtained from a carrier's fixed tower location. 
The records sought by the ACLU are important because the organization has learned that a Florida police detective obtained permission to use a stingray simply by filing an application with the court under Florida's "trap and trace" statute instead of obtaining a probable-cause warrant. Trap and trace orders generally are used to collect information from phone companies about telephone numbers received and called by a specific account. A stingray, however, can track the location of cell phones, including inside private spaces. The government has long asserted it doesn't need a probable-cause warrant to use stingrays because the device doesn't collect the content of phone calls and text messages, but instead operates like pen-registers and trap-and-traces, collecting the equivalent of header information. The ACLU and others argue that the devices are more invasive than a trap-and-trace. Recently, the Tallahassee police department revealed it had used stingrays at least 200 times since 2010 without telling any judge because the device's manufacturer made the police department sign a non-disclosure agreement that police claim prevented them from disclosing use of the device to the courts. ...
Re: U.S. Marshals Seize Cops' Spying Records to Keep Them From the ACLU [Note: This comment comes to RISKS via Dewayne Hendricks and Dave Farber.]
> U.S. Marshals Seize Cops' Spying Records to Keep Them From the ACLU
> Kim Zetter
> Jun 3 2014
> <http://www.wired.com/2014/06/feds-seize-stingray-documents/>
Why Are the US Marshals at the Center of All These Pen Registers? By emptywheel Jun 4 2014 <http://www.emptywheel.net/2014/06/04/why-are-the-us-marshals-at-the-center-of-all-these-pen-registers/> The US Marshal Service shows up prominently in two Pen Register stories from yesterday. First, as part of a great story from WSJ's Jen Valentino-Devries mapping out how many federal criminal electronic records requests never get unsealed: In eight years as a federal magistrate judge in Texas, Brian Owsley approved scores of government requests for electronic surveillance in connection with criminal investigations—then sealed them at the government's request. The secrecy nagged at him. So before he left the bench last year, the judge decided to unseal more than 100 of his own orders, along with the government's legal justification for the surveillance. The investigations, he says, involved ordinary crimes such as bank robbery and drug trafficking, not "state secrets." Most had long since ended. A senior judge halted the effort with a one-paragraph order that offered no explanation for the decision and that itself was sealed. She released this summary of all the Federal Pen Register/Trap and Trace requests in 2012. As she pointed out on Twitter, the greatest number of requests don't come from FBI. They come from the USMS, which submitted almost half of all requests that year, with 9,132. 
Then, the ACLU revealed that, just before an appointment to view Sarasota, Florida's requests under the Pen Register authority to use Stingray IMSI catchers to identify cell locations, the US Marshals declared control over the records, claiming they had deputized the local cop who had made the requests. [...]
Nicole Perlroth, *The New York Times*, 3 Jun 2014 The National Security Agency's snooping is about to get more difficult. Google on Tuesday released the source code for a new extension to its Chrome browser that will make it a lot easier for users to encrypt their email. The tool, called End-to-End, uses an open-source encryption standard, OpenPGP, that will allow users to encrypt their email from the time it leaves their web browser until it is decrypted by the intended recipient. It will also allow users to easily read encrypted messages sent to their web mail service. The tool will require that users and their recipients use End-to-End or another encryption tool to send and read the contents. This could be a major blow to the NSA. Despite numerous cryptographic advances over the past 20 years, end-to-end email encryption like PGP and GnuPG is still remarkably labor-intensive and requires a great deal of technical expertise. User mistakes—not errors in the actual cryptography—often benefited the NSA in its decade-long effort to foil encryption. ... http://bits.blogs.nytimes.com/2014/06/03/google-offers-new-encryption-tool/ http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html https://code.google.com/p/end-to-end/
Darren Pauli, *The Register*, 6 Jun 2014 New tool checks differences, could lead to 0-day bonanza http://www.theregister.co.uk/2014/06/06/patch_piker_redmond_means_win_8_fixes_skip_7_researchers_say/
Although the invasiveness of the advertising is the obvious first concern, a bigger problem would seem to lie in the implications of the data that might be collected. Will Google be able to infer—and sell to advertisers -- details about household habits? Who's been at home when, and what have they eaten? Can we really believe that no information would leak from these gadgets back to Google's data centers? [HH] EPIC Alert, Volume 21.10, 30 May 2014 <http://www.epic.org> Google Plans Advertising on Appliances, Including Nest Thermostat In a letter to the US Securities and Exchange Commission, Google announced plans to place targeted ads on Google-controlled appliances. "A few years from now, we and other companies could be serving ads and other content on refrigerators, car dashboards, thermostats, glasses, and watches, to name just a few possibilities," Google wrote. The proposal raises significant privacy concerns for the "Internet of Things." Earlier in 2014, EPIC warned the FTC about Google's acquisition of Nest Labs, maker of a smart thermostat, stating, "Google regularly collapses the privacy policies of the companies it acquires." Nevertheless, the Commission approved Google's acquisition without further review. [Lots of URLs included in the EPIC Alert, truncated for RISKS. PGN]
Daily Dot and Motherboard have come out with reporting based on access to sealed documents from the Monsegur trial. Daily Dot focuses on the domestic Stratfor hack, while Motherboard focuses on the international hacks, mainly Brazil. http://www.dailydot.com/politics/hammond-sabu-fbi-stratfor-hack/ http://motherboard.vice.com/read/exclusive-how-an-fbi-informant-helped-anonymous-hack-brazil Monsegur was complimented for his "extraordinary cooperation" with the FBI. Indeed, the word 'extraordinary' appears an extraordinary number of times in his sentencing transcript: http://cryptome.org/2014/05/monsegur-sentencing.htm