David Learmount, *The Telegraph*, 31 Dec 2014 http://www.telegraph.co.uk/news/uknews/11318189/Too-many-pilots-cant-handle-an-emergency.html Opinion piece in today's newspaper (Dec 31st, 2014) about pilots' overreliance on computers to fly aircraft may be of interest for RISKS. This is in the context of the recent AirAsia flight QZ8501 loss, but it also appears to figure in Air France flight 447 plunging into the Atlantic 5 years ago. The article summarises an FAA study (published last year) called 'The Operational Use of Flight Path Management Systems', which says: The FAA working group established that today's pilots have a number of vulnerabilities. The prime one is that if the automatics fail, the pilots are no longer practised in managing without them. This leads pilots to lose confidence in their own traditional flying abilities, so when things go wrong they have a tendency to try to restore failed automatic systems when, in fact, they should be flying the aircraft to keep it safe. Incidentally, I'm certainly no expert, but I'd always assumed that iced-up pitot tubes (for air-speed indicators) were a pretty routine problem for aircraft?
I've been a regular reader of (and occasional contributor to) RISKS since the early 80s. In all that time, I'm not sure I have seen a proposal that takes as insufficient a view of the real deployment arena as this one: http://bigstory.ap.org/article/89042513370f4b58a2e3545513f64435/railroads-seek-one-person-crews-freight-trains Even if we ignore for a moment the long-term proposal of people-free freight trains, going from two people to one would seem to benefit exactly one group of people: the railroads that have to pay the other half of their road staff. It's not exactly like a failure on a 5000-ton train pulled by a 400-ton locomotive is small and has little effect on the Real World... What does surprise me in this AP piece is that AAR appears in *favor* of one-person crews. I guess it represents the railroad owners, though. Jay R. Ashworth, Ashworth & Associates, St Petersburg FL USA [By reverse induction, the railroad owners would undoubtedly love zero-person crews, where I presume Jay and many other RISKS readers would not. PGN]
A BBC Politics article at http://www.bbc.co.uk/news/uk-politics-30234304 asks the question in the Subject. The Political and Constitutional Reform Committee of MPs has recommended that the government should run online voting pilots in the next parliament "with a view to all electors having the choice of voting online at the 2020 general election". According to the article, a fellow campaigner is Lord Malloch Brown, a former minister who is now chairing an e-voting technology company. Unsurprisingly, Malloch Brown claims that his company's machines "are much more secure than postal votes" and are "very advanced, with high levels of encryption", and that "the results can be registered and collated before hackers have time to break into the systems". Hmm. At least some of the Committee seem to be clued up, but the fear has to be that political issues will weigh more heavily than the security and other problems that have so frequently surfaced in RISKS. Andy Walker, Nottingham.
Here is a book I recommend to anyone interested in online voting: Kim Zetter's Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon. This book captures the zeitgeist of cyberattacks and cyberweapons better than any other book I have come across. It is technically accurate, but I think extremely accessible to general audiences. And it is a pretty exciting and amazing story as well. Although it does not even mention Internet voting per se, you cannot read this book and fail to appreciate the dangers that Internet voting would be vulnerable to. Kim Zetter, of course, was an early journalist, and one of the best, covering the voting wars a decade ago.
Wired via NNSquad http://www.wired.com/2014/12/government-computer-security/ "And that's why the current regulatory paradigm for computers, inherited from the 16-year-old stupidity that is the Digital Millennium Copyright Act, needs to change. As things stand, the law requires that computing devices be designed to sometimes disobey their owners, so that their owners won't do something undesirable. To make this work, we also have to criminalize anything that might help owners change their computers to let the machines do that supposedly undesirable thing."
*The New York Times* via NNSquad http://www.nytimes.com/2014/12/27/technology/risks-in-using-social-posts-to-spot-signs-of-distress.html?partner=rss&emc=rss&_r=0 A week after the app was introduced on its website, more than 4,000 people had activated it, the Samaritans said, and those users were following nearly 1.9 million Twitter accounts, with no notification to those being monitored. But just about as quickly, the group faced an outcry from people who said the app, called Samaritans Radar, could identify and prey on the emotionally vulnerable—the very people the app was created to protect. "A tool that 'lets you know when your friends need support' also lets you know when your stalking victim is vulnerable #SamaritansRadar," a Briton named Sarah Brown posted on Twitter. A week and a half after the app's introduction, the Samaritans announced it was reconsidering the outreach program and disabled the app.
Vijay, Tech Worm, December 28, 2014 http://www.techworm.net/2014/12/indian-isps-block-free-paste-website-pastebin-git-hosting-repository-github.html Anupam Saxena, Times of India, Dec 31, 2014 http://timesofindia.indiatimes.com/tech/tech-news/Pastebin-Dailymotion-Github-blocked-after-DoT-order-Report/articleshow/45701713.cms Tech Worm excerpt: Neither of the two blocks bode well with the Internet users of India, especially the developers and students. GitHub provides a very high performing platform for distributed revision control and source code management (SCM) functionality of Git as well as adding its own features. With its user friendly web-based graphical interface and desktop as well as mobile integration it is a go to tool for developers and computer science students.
*Wall Street Journal* via NNSquad http://www.wsj.com/articles/u-s-tech-firms-face-showdown-with-russian-censors-1419620113 "Facebook Inc., Twitter Inc. and Google Inc. have started resisting Russian government orders to remove information about a rally next month in support of opposition leader Alexei Navalny, raising the prospect of a showdown over the Kremlin's efforts to control online information. In response to a request from Russian prosecutors, Roskomnadzor, the country's communications regulator, began issuing block orders for Russia just hours after the Moscow rally was publicized on social media late last week, officials said. Facebook honored the initial order last weekend and blocked a page promoting the event, but others were quickly created, attracting more attention."
Reuters http://www.reuters.com/article/2014/12/30/us-nuclear-southkorea-cybersecurity-idUSKBN0K80J620141230

Excerpt: "Korea Hydro & Nuclear Power Co Ltd said it would beef up cyber security by hiring more IT security experts and forming an oversight committee, as it came in for fresh criticism from lawmakers following recent hacks against its headquarters."

Comments:
1) What is a `low risk' worm?
2) Hiring experts and forming committees does not seem to this writer to be an effective strategy for reducing risk.
Reuters via NNSquad http://www.reuters.com/article/2014/12/26/us-iran-internet-censorship-idUSKBN0K40SE20141226 "The Islamic Republic has some of the strictest controls on Internet access in the world, but its blocks on U.S.-based social media such as Facebook, Twitter and YouTube are routinely bypassed by tech-savvy Iranians using virtual private networks (VPNs). Under the new scheme, Tehran could lift its blanket ban on those sites and, instead, filter their content. The policy appears to follow President Hassan Rouhani's push to loosen some social restrictions, but it was not clear if it would mean more or less Internet freedom. Iranians on Twitter expressed concern that, as part of the new policy, the government would try to block VPN access to such sites."
The hacked are itching to hack back. To read the entire article, go to http://bloom.bg/1xdL56N Hacking costs the global economy as much as $575 billion annually, according to a study published in June by McAfee, a security-software maker owned by Intel Corp. (INTC), and the Center for Strategic & International Studies. ...certainly an objective observer. (Not)
Author says: I didn't go looking for grief this afternoon, but it found me anyway, and I have designers and programmers to thank for it. In this case, the designers and programmers are somewhere at Facebook. http://meyerweb.com/eric/thoughts/2014/12/24/inadvertent-algorithmic-cruelty/ ...different sort of risk from the usual. Gabriel Goldberg, Computers and Publishing, Inc. firstname.lastname@example.org 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
As the resolution of photos increases and burst shots become common ... http://mashable.com/2014/12/29/fingerprint-photo-copy/
Here's an article about digital preservation, but what I find astounding is that when they made the DVD version of Toy Story, they had to make it from a film print because the digital files were unreadable. How could anybody be so incompetent as to allow millions of dollars worth of digital IP to become inaccessible? http://www.vulture.com/2014/12/perils-of-an-all-digital-movie-future.html Sure, I've lost a few files, but never anything important. I keep backups of the important stuff.
Ars via NNSquad http://arstechnica.com/tech-policy/2014/12/nsa-has-vpns-in-vulcan-death-grip-no-really-thats-what-they-call-it/ "The National Security Agency's Office of Target Pursuit (OTP) maintains a team of engineers dedicated to cracking the encrypted traffic of virtual private networks (VPNs) and has developed tools that could potentially uncloak the traffic in the majority of VPNs used to secure traffic passing over the Internet today, according to documents published this week by the German news magazine Der Spiegel. A slide deck from a presentation by a member of OTP's VPN Exploitation Team, dated September 13, 2010, details the process the NSA used at that time to attack VPNs--including tools with names drawn from Star Trek and other bits of popular culture." - - - Not really new, but confirmational. That's what intel agencies around the world are paid to do—crack codes.
FYI—Why are we doing this? Why aren't we spending this money on putting in rooftop solar & cutting the cord to the grid entirely? David Perera, *Politico*, 1 Jan 15 http://www.politico.com/story/2015/01/energy-electricity-data-use-113901.html The next Big Data threat to our privacy may come from the electricity we consume in our homes. Smart online power meters are tracking energy use—and that data may soon be worth more than the electricity they distribute. The Department of Energy is publishing in January the final draft of a voluntary code of conduct governing data privacy for smart meters, 38 million of which have already been installed nationwide. The meters gather information about household electricity consumption and transmit it wirelessly at regular intervals to the supplier. It's a key element in the push for the so-called smart grid, a more efficient way to distribute the nation's electricity. But, despite the voluntary code, critics fear consumers will still be cajoled or conned into giving up their data, not just to power companies but to third-party data aggregators. Too much money is at stake, they say. And the huge profits to be made could upend the business model of energy utilities. [...]
IT World via NNSquad http://www.itworld.com/article/2863635/romanian-version-of-eu-cybersecurity-directive-allows-warrantless-access-to-data.html "More than a dozen Romanian non-governmental organizations are protesting new cybersecurity legislation passed by the parliament last week that would force businesses to provide the country's national intelligence agencies with access to their data without a court warrant. The law could also impact businesses from Europe and beyond, as Romania is a hub for IT outsourcing and software development. Many multinational corporations including Amazon, Microsoft, Adobe Systems, Siemens and Intel have research and development centers in the country."
Julie Hirschfeld Davis, *The New York Times*, 3 Nov 2015, via NNSquad http://www.nytimes.com/2015/01/04/us/politics/her-task-weaning-the-white-house-off-floppy-disks.html Megan J. Smith advised President Obama on the technological issues before his decision late last year to come out strongly in favor of a free and open Internet, including making sure that Mr. Obama heard from Vinton G. Cerf, Google's vice president and one of the chief architects of the Internet, and Tim Berners-Lee, the inventor of the World Wide Web. "Having the engineering voice saying, 'This is how the technology works,' was very important," she said. - - - I would add that in my experience, so long as you don't talk down to them, most people are interested in the reality of how these systems work and how that impacts their views of the associated policy issues. Explaining in ways non-techies will understand is crucial!
Ars via NNSquad http://arstechnica.com/security/2015/01/gogo-issues-fake-https-certificate-to-users-visiting-youtube/ Mandatory HTTPS connections have long been the bane of people using so-called "captive-portal" Internet services offered by hotels and conferences. Typically, such services redirect first-time users to a terms of service page before they can browse the Internet. Those redirections often stall when users first try to visit encrypted webpages, creating a hugely frustrating problem for end users, broadband providers, and website operators alike. While this is a hard problem to solve, Gogo's current approach sets a bad precedent. Promising not to monitor or collect sensitive data isn't the same thing as being unable to do it. The entire premise of HTTPS is at stake. - - - Unacceptable. Period.
Today I did the maximum dumb thing in my computer career. Toying around with the "Facebook Friends To Groups Adder - Chrome Extension", before you know it I had added Grandma, professors, my neighbor's kids, that bible thumper, all to one of the [Not Suitable For Work] Facebook groups I was a member of. The administrator happened to be awake at the time and asked if I was nuts. Fortunately they were able to cancel each of the 300 membership applications in the queue before anyone noticed...
A reminder of the very strong hindsight bias in Silicon Valley along with a simplistic measure of merit and the idea that smart people can pick winners and offering prizes as incentives. Thus we adopt policies with parts and not wholes. It's not just Silicon Valley. We see the same biases from those who became rich and blame smarts rather than luck. Once one is very rich there is enough buffer so that one gets more opportunities to be lucky and to seem prescient by simply ignoring failures. This is also a risk to society as the (often naive) ideas become public policy. http://en.wikipedia.org/wiki/The_Rise_of_the_Meritocracy I read the book in my freshman sociology class, and it may be the source of the term.
Lucian Constantin, InfoWorld, 19 Dec 2014
Malicious Git code repositories can execute rogue commands on client machines interacting with them
http://www.infoworld.com/article/2861439/security/critical-vulnerability-in-git-clients-puts-developers-at-risk.html

A critical vulnerability in client software used to interact with Git, a distributed revision control system for managing source code repositories, allows attackers to execute rogue commands on computers used by developers. The flaw affects the official Git client as well as third-party clients and software based on the original Git code. The issue only affects implementations running on Windows and Mac OS X, not Linux, because their file systems are case-insensitive: NTFS and FAT for Windows and HFS+ for Mac OS X.
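An added example, not from the InfoWorld article or the Git project: a check a defender can run over a repository's tree listing to flag entry names that a case-insensitive filesystem would treat as Git's own `.git` metadata directory, which is the condition the item above describes. The normalisation rules (case folding, NTFS trailing dots and spaces and the `GIT~1` short name, HFS+ ignorable code points) and the sample tree are assumptions modelled on those filesystems' behaviour, not Git's own code.

```python
"""Flag tree entries that collide with ".git" on case-insensitive filesystems.

Added example; the rules below are an approximation of NTFS/HFS+ name handling
(assumption), not the Git project's implementation.
"""

# Formatting code points that HFS+ ignores when comparing file names
# (assumed list; zero-width joiners, bidi controls, BOM).
_HFS_IGNORABLE = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def normalize_component(name: str) -> str:
    """Reduce one path component to the form a case-insensitive FS compares."""
    # HFS+: drop ignorable code points before comparing.
    stripped = "".join(ch for ch in name if ord(ch) not in _HFS_IGNORABLE)
    # NTFS: trailing dots and spaces are discarded when a name is created.
    stripped = stripped.rstrip(". ")
    # Both: case-insensitive comparison.
    return stripped.casefold()


def collides_with_dotgit(component: str) -> bool:
    """True if `component` would land in (or become) the .git directory."""
    normalized = normalize_component(component)
    # "git~1" is the NTFS 8.3 short name a ".git" directory receives.
    return normalized in (".git", "git~1")


def find_dotgit_collisions(paths):
    """Return the tree paths (slash-separated, as Git stores them) that
    contain a component colliding with .git; each path is reported once."""
    hits = []
    for path in paths:
        if any(collides_with_dotgit(c) for c in path.split("/")):
            hits.append(path)
    return hits


# Constructed sample tree listing (not from any real repository).
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".Git/hooks/post-checkout",   # case variant of .git
    "GIT~1/config",               # NTFS 8.3 short name for .git
    ".git./HEAD",                 # NTFS drops the trailing dot
    ".g\u200cit/config",          # HFS+ ignores the zero-width non-joiner
    "docs/git-notes.md",          # benign: "git" is only a substring
]

if __name__ == "__main__":
    for hit in find_dotgit_collisions(SAMPLE_TREE):
        print("suspicious tree entry:", repr(hit))
```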
Slashdot via NNSquad http://it.slashdot.org/story/14/12/29/0251211/norse-security-ids-6-including-ex-employee-as-sony-hack-perpetrators But Norse Security is taking the debate up a notch: saying that they have conclusive evidence pointing to group of disgruntled former employees as the source of the attack and data theft. The Security Ledger quotes Norse Vice President Kurt Stammberger saying that Norse has identified a group of six individuals—in the U.S., Canada, Singapore and Thailand—that it believes carried out the attack, including at least one 10-year employee of SPE who worked in a technical capacity before being laid off in May. Rather than starting from the premise that the Sony hack was a state sponsored attack, Norse researchers worked their investigation like any other criminal matter: starting by looking for individuals with the "means and motive" to do the attack.
AP via NNSquad http://www.apnewsarchive.com/2014/Sony-emails-reveal-loose-use-of-passwords-and-IDs-ripe-for-hacking/id-041c9dc46e9d408fa569ccac15c0ffe0 "In the weeks before hackers broke into Sony Pictures Entertainment, the studio suffered significant technology outages it blamed on software flaws and incompetent technical staffers who weren't paying attention, even as hackers targeted executives to trick them into revealing their online credentials." - - - It's my gut feeling that this relatively simple hack actually had nothing to do with North Korea at all—though they may be leveraging some propaganda points from it. But of course, it's in the interests of the commercial "cybersecurity" firms—and governments seeking ever larger and bloated "cyberwar" budgets—to play this up as some sort of "super hack" and to pin it on a widely despised geopolitical enemy—much more conducive to expanded sales and budgets than this turning out to have been the work of teenage hackers living in their parents' basements.
It has now been announced that Google Play/YouTube and other online venues (possibly to include Netflix at some point) are either now or soon will enable streaming of Sony's "comedy assassination" film (at least in some countries). I note this specifically because I do not support censorship even of this trash, and I feel it is completely appropriate and admirable for the film to be made widely available in the interests of free speech. That said, this doesn't mean you're required to watch it. A film like this is unlikely in the extreme to bring about positive change in a horrible place like North Korea. If anything, it could drive their insane leadership to even further internal repression. So my *personal* recommendation remains to ignore this film entirely, and not reward Sony's series of unforced errors that enabled this entire mess.
> stored in its centralized zone data system <https://czds.icann.org/en>,

Before people get too panicky, CZDS is used to distribute copies of top level domain zone files to people like me who have signed up for access. The account info used to access it is intended to be private but the zone data itself is what the TLDs name servers serve, so it is by any normal definition public. (Some TLDs imagine that their zonefiles are full of valuable proprietary data, which tells us that they don't understand the DNS at all.) ICANN wrote to us, told us that they'd reset our passwords so we'd have to use the usual forgotten password hack to re-reset them to something we know.
> Re: "Your cell phone number: To give or not to give" (RISKS-28.41)
> Dual SIM cellphones are pretty common, although for obvious reasons you're
> never going to get one from a carrier.

First, I'm not so clear on how "obvious" it is as I can't figure out the reluctance and resistance. That being said, I've been trying for years to convince Omnipoint (where I'm both a customer and a shareholder) to offer dual-SIM phones. This would be a useful option for people who currently carry around two separate phones - one for their personal use and one for work - at least today most phones (with one key exception - that's YOU Apple I'm pointing at) use the same charger.
This idea is not just disruptive but also stupid—as others may have noticed by now; if DNS is blocked in any significant way, vulnerable sites would just revert to publicizing their IP address as part of their URL instead of the site name, thus completely bypassing DNS lookup.
"shed twice as much heat" is a typo? Surely doubling the volts quadruples the power dissipated? As my freshman students know...

Twinkle twinkle little star
Power equals I squared R
(awright... V squared over R, but that doesn't scan)

Len
At risk of sounding like a total geek, in 220V Europe the mandatory wire colours for power cords are:

Brown - Hot (live/phase)
Blue - Cold (neutral)
Green & Yellow stripes - Safety Ground (earth)

I believe that in North America they are black for hot and white for cold; no idea what other territories use, presumably it depends on whether they're 110V or 220/240V. Obviously for moulded cords it's impossible to verify without cutting into the cord and damaging it, but the various territories' safety authorities will need to be satisfied that regulations are being complied with.