Don't use funding application statistics as a proxy for creativity. Chris Lee, Ars Technica, 20 Sep 2014 (via Dave Farber) <http://arstechnica.com/science/2014/09/a-creativity-deficit-in-science-no/> Not so long ago, on a website not so far away, an opinion was expressed: creativity was being suppressed in science. On the surface, the statistics support this: younger researchers are getting progressively less of the funding. Older researchers, it is asserted, tend to propose less risky and less innovative research. As with any good opinion in science, Nobel prize winners are wheeled in as supporting cast. But, is it really true? Are we truly suppressing the creative side of science? The answer is, overwhelmingly, no. Scientific papers are a crude measure for scientific progress, but never have more papers been produced per year than now. Clearly, something creative is going on here. If you don't like scientific papers, simply look at technological progress: your smartphone would not have nearly as much punch without the creativity of scientists; antiviral drugs were not found lying about on the ground; experimental stem-cell therapies were not accidentally attempted. Behind all of these new things lies a decade or more of scientific research. But, you know, that's not creative at all. [... PGN truncated for RISKS.]
This is the first article that I have seen that mentions some interesting downsides/risks about 3-D printing: Anna Gale, Fueled, via *IT Business*, 19 Sep 2014 http://www.itbusiness.ca/blog/6-challenges-3d-printing-has-yet-to-overcome/51152
Bug in Bash shell creates big security hole on anything with *nix in it. Could allow attackers to execute code on Linux, Unix, and Mac OS X. Ars Technica via NNSquad http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/ "The bug, discovered by Stéphane Chazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network-based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts."
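A local patch-status check for the Bash bug described above, added here as an example (it is not from the Ars article or from RISKS): it passes a function definition with a trailing command through the environment and reports whether the bash on this host executes that trailing command while importing the variable. It assumes bash is on PATH; the function name and the MARKER string are this example's own.

```shell
#!/bin/sh
# Added example: check whether this host's bash still runs commands that
# follow a function definition in an imported environment variable.
# A patched bash imports (or ignores) the function without running the
# trailing "echo MARKER"; an unpatched bash runs it during startup, before
# the -c command, so MARKER shows up in the output.
# Assumption: bash is on PATH; otherwise the check reports "no-bash".

shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # The outer sh does not interpret the value; env just hands it to bash.
    # stderr is discarded because patched versions print a warning about
    # the ignored function definition attempt.
    out=$(env x='() { :;}; echo MARKER' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *MARKER*) echo "vulnerable"; return 1 ;;
        *)        echo "patched";    return 0 ;;
    esac
}

# Print the verdict; a non-zero exit status means this host needs attention,
# which lets the script fail a fleet-wide configuration check.
shellshock_check || echo "action needed: patch bash on $(hostname)" >&2
```

Run it on every host that exposes bash to untrusted input (CGI, ssh forced commands, DHCP clients) after patching, not only on the ones you remembered to patch.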
[ORIGINAL SOURCES:
Jonathan Zdziarski, 17 Sep 2014
http://www.zdziarski.com/blog/?p875
Cyrus Farivar, Ars Technica, 18 Sep 2014
Apple expands data encryption under iOS 8, making handover to cops moot
"Apple cannot bypass your passcode and therefore cannot access this data."
http://arstechnica.com/apple/2014/09/apple-expands-data-encryption-under-ios-8-making-handover-to-cops-moot/
PGN]

> Quoting from the new iOS 8 privacy policy announced tonight 17 Sep 2014.
>> Apple has no way to decrypt iMessage and FaceTime data when it's in
>> transit between devices. So unlike other companies' messaging services,
>> Apple doesn't scan your communications, and we wouldn't be able to comply
>> with a wiretap order even if we wanted to.
>> https://www.apple.com/privacy/privacy-built-in/

And why do we believe them?

* Because we can read the source code and the protocol descriptions ourselves, and determine just how secure they are?
* Because they're a big company and big companies never lie?
* Because they've implemented it in proprietary binary software, and proprietary crypto is always stronger than the company claims it to be?
* Because they can't covertly send your device updated software that would change all these promises, for a targeted individual, or on a mass basis?
* Because you will never agree to upgrade the software on your device, ever, no matter how often they send you updates?
* Because this first release of their encryption software has no security bugs, so you will never need to upgrade it to retain your privacy?
* Because if a future update INSERTS privacy or security bugs, we will surely be able to distinguish these updates from future updates that FIX privacy or security bugs?
* Because if they change their mind and decide to lessen our privacy for their convenience, or by secret government edict, they will be sure to let us know?
* Because they have worked hard for years to prevent you from upgrading the software that runs on their devices so that YOU can choose it and control it instead of them?
* Because the US export control bureaucracy would never try to stop Apple from selling secure mass market proprietary encryption products across the border?
* Because the countries that wouldn't let Blackberry sell phones that communicate securely with your own corporate servers, will of course let Apple sell whatever high security non-tappable devices it wants to?
* Because we're Apple fanboys and the company can do no wrong?
* Because they want to help the terrorists win?
* Because NSA made them mad once, therefore they are on the side of the public against NSA?
* Because it's always better to wiretap people after you convince them that they are perfectly secure, so they'll spill all their best secrets?

There must be some other reason, I'm just having trouble thinking of it.
John Gilmore: The main answer is that the inmates have taken over the asylum, ... Although I am in general agreement with John's outrage over the government's discovery that secrecy in many forms can protect it from oversight --- national security classification is only one of these; privacy is also a great excuse for keeping things secret from the electorate --- I don't find the need for a clearance for the director of the James Webb telescope surprising. The first thing that comes to mind is my recollection that the problem with the Hubble telescope's mirrors was attributed to NASA's being unable to use existing machinery for testing them because it was classified. The range of areas in which a major project like the James Webb telescope brushes against secret technologies is broad. I believe an astronomical telescope cannot be pointed at the Earth because the Earth is too bright. As John points out, however, there are other, much dimmer, objects like other people's spacecraft that it perhaps can look at. It also works the other way around. The first space shuttle was looked at by spy satellites to assess the status of its tiles; somehow they had forgotten they could do this by the time tile damage was suspected but not investigated on Columbia, or perhaps the spy satellites did see damage to Columbia's wing tiles and either didn't tell NASA or just didn't tell us. The technology of the James Webb telescope must be closely related to that of the spy satellites. Giving the director an SI clearance doesn't guarantee NASA access to all relevant technology or the assistance of the agencies and companies that have it, but I don't see any chance of that without it.
http://arstechnica.com/gadgets/2014/09/android-l-will-have-device-encryption-on-by-default/
http://arstechnica.com/gadgets/2014/09/hack-runs-android-apps-on-windows-mac-and-linux-computers/
A new hoax is quickly spreading across social media platforms that claims that the new iOS 8 update will help users wirelessly charge their iPhones and iPads with the help of a household microwave. Users should understand that this claim is false and that they will most definitely blow up their iOS device if they try this. http://www.ibtimes.co.uk/ios-8-wave-wireless-microwave-charging-feature-ipad-iphone-not-real-1466446
http://www.infoworld.com/article/2686976/consumerization-of-it/ios-8-reveals-the-dark-side-of-empowered-users.html iOS 8's iCloud Drive reveals the dark side of empowered users Apple's iCloud Drive deployment was sure to mess up people's access to documents—and it did InfoWorld | Sep 23, 2014
The new phones are thin, but it might make them more flexible than intended. Andrew Cunningham, Ars Technica, 23 Sep 2014 http://arstechnica.com/apple/2014/09/reports-suggest-the-iphone-6-and-6-plus-may-bend-under-pressure/
Pravda via NNSquad http://english.pravda.ru/society/stories/19-09-2014/128572-russia_internet-0/ "According to various reports, the officials will make a number of decisions regulating the use of the Internet in Russia, providing for the ability to cut the Russian Internet, known as Runet, from the outside world, in case of emergency." You know—emergencies—like Czar Putin trying to do a Stalin on his own people.
Every Gnutella user in the state of Washington was checked by the NCIS. http://arstechnica.com/tech-policy/2014/09/court-blasts-us-navy-for-scanning-civilians-computers-for-child-porn/
http://arstechnica.com/tech-policy/2014/09/giant-mq-4c-triton-surveillance-drone-flies-across-the-united-states/
Serdar Yegulalp, InfoWorld | 17 Sep 2014 The FBI and Department of Justice are mulling rules that would allow broader opportunities for domestic law enforcement to hack PCs as part of a criminal investigation http://www.infoworld.com/article/2684796/government/feds-seek-expanded-pc-hacking-powers-for-criminal-investigations.html
http://arstechnica.com/tech-policy/2014/09/texas-man-must-pay-40-4m-for-running-bitcoin-based-scam-court-rules/
http://arstechnica.com/tech-policy/2014/09/us-courts-agree-to-restore-10-years-of-deleted-online-public-records/
http://arstechnica.com/tech-policy/2014/09/faa-bars-drone-from-delivering-game-ball-to-college-football-matchup/
http://arstechnica.com/apple/2014/09/ifixit-tears-new-iphones-apart-finds-theyre-pretty-easy-to-fix/
http://arstechnica.com/tech-policy/2014/09/a-not-so-friendly-reminder-from-the-govt-yelp-is-not-for-kids/
http://arstechnica.com/business/2014/09/comcast-calls-rumor-that-it-disconnects-tor-users-wildly-inaccurate/
Apple puts up support page to get U2 album out of your iTunes Too many people don't want U2 anywhere near their libraries. http://arstechnica.com/apple/2014/09/apple-puts-up-support-page-to-get-u2-album-out-of-your-itunes/
http://arstechnica.com/tech-policy/2014/09/bill-would-limit-reach-of-us-search-warrants-for-data-stored-abroad/
(via Dave Farber) http://www.zdnet.com/why-big-data-evangelists-should-be-sent-to-re-education-camps-7000033862/
Cory Doctorow's worst fears w.r.t. repossessed Internet-enabled devices are now being realized. Perhaps this is what Jonathan Zittrain had in mind with his "kill switches for weaponry": "if you just make that next payment to the U.S. military-industrial complex secret account in Switzerland, we'll restore power to your tank/fighter-jet/etc. so that you can continue killing your own citizens. Thank you for your business!" What next? Internet-enabled Ebola medicines? "Please remit $10 million to the Big Pharma secret lobbying slush fund, so that we can send you the Ebola medicine enable code. We're sorry for the temporary inconvenience." Michael Corkery and Jessica Silver-Greenberg, Miss a Payment? Good Luck Moving That Car, *The New York Times*, 24 Sep 2014 [pruned starkly for RISKS] http://dealbook.nytimes.com/2014/09/24/miss-a-payment-good-luck-moving-that-car/
FWIW, Cory's fears are my fears on this. And in the consumer space, self-stopping (rather than self-driving) cars are only the beginning. But I find many differences between the Internet-enabled shift from product to service among consumers—something I wrote about at length at <http://yupnet.org/zittrain/archives/14>—and an army ready to do awful things with weapons, perhaps stopped by the heavy weapons' refusing to work for anyone able to simply get hands on them. The power dynamics are inverted in the second example.
Why not? "Full access allows the developer of this keyboard to transmit anything you type, including things you have previously typed with this keyboard. This could include sensitive information such as your credit card number or street address." ... Head to your Settings app, then go to General > Keyboard > Keyboards. Choose to add a new keyboard, and pick it from the list of third-party keyboards. Finally, tap the new keyboard's name and choose to Allow Full Access (not required for Swype). You'll get a warning message about this, but it's required by the operating system. Obviously, a keyboard can theoretically collect everything you type into it; rest assured that well-known developers are keeping your info safe. http://www.makeuseof.com/tag/ios-8-lets-replace-iphone-ipads-keyboard-heres/ Well-known developers ALWAYS keep us safe. What could possibly go wrong with this?
IMHO the trouble is caused by using driver licenses where a "voter license" would be required—namely, a national citizen's ID card. The insistence on not instituting any form of an official ID card has resulted in using a driver license in most cases, which leads to such contraptions as a "non-driving license" which is used as an ID and issued by the DMV in some states, although it has nothing to do with driving. Since states and the federal government manage every other aspect of voting, why wouldn't they also manage voter identification?
That article considers rework and test costs versus loss of income. There are two other risks to bugs: Cost of damage from failure (e.g., misleading information leading to damage to reputation or even worse to customers), and/or loss of revenue, e.g., mispricing.
Marshall Kirk McKusick, George V. Neville-Neil, and Robert N.M. Watson, The Design and Implementation of the FreeBSD Operating System, Second edition, Addison-Wesley 2015, xxx + 886 + some useful unnumbered pages on videos and course materials. Excerpted from the preface: This book is about the internal structure of the FreeBSD 11 kernel and the concepts, data structures, and algorithms used in implementing FreeBSD's system facilities. The book covers FreeBSD from the system-call level down—from the interface to the kernel to the hardware itself. The kernel includes system facilities, such as process management, security, virtual memory, the I/O system, filesystems, the *socket* IPC mechanism, and network protocol implementations. This is a truly extraordinary book—extremely well written, comprehensive, incisive, and timely. It seems to have something for everyone—software developers, administrators, students, and others hungry for a single source for a wide range of considerable knowledge and experience that is highly relevant. The second edition has roughly 1/3 completely new text and 1/3 of the earlier text extensively rewritten. It can serve as a reference book, as well as a valuable source for operating systems courses. One of the major new additions in the 2nd edition is a chapter by Robert Watson on security, which includes more conventional topics such as discretionary/mandatory access control, audit, etc., but also more contemporary topics such as Capsicum, disk encryption, and so on. This new chapter may be of particular interest to RISKS readers. Whereas FreeBSD is used in its own right as a server OS, it is also an open-source operating-system foundation for systems as varied as Mac OS X and Apple iOS, NetApp's OnTap GX, EMC/Isilon appliances, Juniper Junos, and the Sony Playstation. Therefore, its security should be highly relevant to RISKS readers. Note: The preface says `FreeBSD 11'.
The book does describe things that will ship with FreeBSD 11, but is also relevant for the existing FreeBSD 10.
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 122, September 25, 2014
Hilarie Orman, Editor (cipher-editor @ ieee-security.org)
Sven Dietrich, Assoc. Editor (cipher-assoc-editor @ ieee-security.org)
Richard Austin, Book Review Editor (cipher-bookrev @ ieee-security.org)
Yong Guan, Calendar Editor (cipher-cfp @ ieee-security.org)
The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Book Review by Richard Austin, 16 Sep 2014
Georgia Weidman: Penetration Testing: A Hands-On Introduction to Hacking
No Starch Press 2014, ISBN 978-1-59327-564-8, Amazon.com USD 28.11
Table of Contents: http://www.nostarch.com/pentesting#toc

When the publication announcement for this book arrived in my EMAIL, my first response was "Not another pen-testing book!" and I gazed at the table of contents with rather a jaundiced eye. As you have probably noticed, I have a fondness for books that require you to "do" as you read, and Weidman's chapters on setting up a virtual lab and introducing Kali Linux piqued my interest enough to start reading. Weidman wasted no time in starting to rack up credibility points as she noted that in a penetration test, you simulate attacks by actually EXPLOITING vulnerabilities rather than just identifying them (Chapter 0). Then on page 3, she earned her "veteran" status by noting that even a simple port scan of a device's management port can knock them off the air (in my experience by crashing the on-board web server). To avoid this becoming just another catalog of tools and dialogs, the reader will definitely want to follow the procedures in Chapter 1 to set up the virtual lab for the book. Weidman makes use of Kali Linux, which has an arsenal of tools already installed and avoids much time wandering the "dependency maze" in getting the tools to run. She wisely recommends that you use the Kali version available on the book website so that her walkthroughs will match the tool versions.
Chapters 2 through 4 provide a brief introduction to Kali, scripting and the Metasploit framework that prepare you for the detailed walkthroughs in later chapters. With preliminaries out of the way, Weidman devotes the next three chapters to the assessment phase of the penetration test. It's a pretty standard presentation of the usual tools (whois, nmap, Nessus, Metasploit, etc.) with accompanying introductory walkthroughs in the virtual lab environment. The next eight chapters are devoted to attacks, and this is where Weidman starts to shine. She makes the solid point that in a penetration test, you have to go beyond identifying a vulnerability and actually exploit it where possible. And, most importantly, after a successful exploit, you have to do something interesting (interesting to you as the pen-tester but damaging to the customer if actually done by an adversary). The catalog of attack methods is quite comprehensive and goes beyond the usual exploitation of technical vulnerabilities and cracking passwords to client-side attacks, social engineering (using SET, the Social Engineer Toolkit) and evading anti-virus. Chapter 13, "Post Exploitation", is highly recommended for its coverage (and walkthrough) of how to capitalize on an initial foothold to achieve further access within the infrastructure. She rounds out her survey of attacks with coverage of web applications (notable for illustrating use of the Burp proxy) and wireless. Weidman next takes up the important topic of "Exploit Development", and she spends four chapters covering stack-based buffer overflows, SEH (Structured Exception Handler) overwrites, fuzzing and development of Metasploit modules for new vulnerabilities. This section provides a concise, all-in-one-place overview of these essential topics. The final chapter covers Weidman's personal specialty: attacking mobile devices.
As these wandering gateways into our infrastructures and repositories of proprietary data have become increasingly common, their value to our adversaries has correspondingly increased. Weidman's coverage of how these devices are attacked and use of her "Smartphone Pentest Framework" are a valuable addition to the knowledge base of the practicing security professional. The walkthroughs are done using emulators, so there's no need to risk "bricking" a real device when following along with the text. Though I started out with reservations about the need for yet-another-pen-testing-book, Weidman's presentation has much to recommend it to the technical security professional. No book is ever going to make one into a successful penetration tester, but careful study and time invested in following her walkthroughs will provide increased understanding of the pen-tester's craft and appreciation of our adversaries' use of similar techniques in the field. Definitely a recommended read.

Information for Subscribers and Contributors
Two options, each with two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself).
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself).