Please try the URL privacy information feature, enabled by clicking the flashlight icon above. This will reveal two icons after each link in the body of the digest. The shield takes you to a breakdown of the Terms of Service for the site; however, only a small number of sites are covered at the moment. The flashlight takes you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Emoticons in texts can rack up huge bills
Jane Wakefield, BBC, 5 February 2015
http://www.bbc.co.uk/news/technology-31148424

People using emoticons (emojis) that denote happy, sad or other emotions in their text messages could be racking up big bills, the BBC has learned. Consumer website MoneySavingExpert has received a large number of complaints about the issue. It seems to affect older models of phones, including some Samsung and Apple handsets. In Scotland, a woman ran up bills totaling over £1,000 after adding emoticons to text messages.

Sad face

The issue revolves around how the handset interprets the icons, known as emoticons or emojis. In some cases, especially on older handsets, the emoticons are converted into MMS (multi-media service) messages, which can cost up to 40p each depending on the network.

[PGN-ed... This is enough to make some people emote even more. (:< ]
This is an interesting story of how a combination of events over decades resulted in a small annoying bug. The conclusion is that given enough time, there won't be people around who recognize the history and reasons. An implication is that it may be more difficult to find such bugs. I think the regular RISKS reader can generalize this to a much broader set of things that may start popping up in decades to come. Takeaway: assumptions and workarounds are contextual, and context changes with time.
https://medium.com/medium-eng/the-curious-case-of-disappearing-polish-s-fa398313d4df

[* We need Reverse Polish ASCII to include this S-variant character from Polish keyboards. This is really a nifty item, and a nice illustration of a really convoluted risk. PGN]
Kyle Wiens, WiReD, 02.05.2015
http://www.wired.com/2015/02/new-high-tech-farm-equipment-nightmare-farmers/

The cost and hassle of repairing modern tractors has soured a lot of farmers on computerized systems altogether. In a September issue of Farm Journal, farm auction expert Greg Peterson noted that demand for newer tractors was falling. Tellingly, the price of and demand for older tractors (without all the digital bells and whistles) has picked up. “As for the simplicity, you've all heard the chatter. There's an increasing number of farmers placing greater value on acquiring older simpler machines that don't require a computer to fix.” (Machinery Pete)
According to BMW this vulnerability has now been patched. At the time of my initial investigation, ConnectedDrive included six security vulnerabilities:

- BMW uses the same symmetric keys in all vehicles.
- Some services do not encrypt messages in transit between the car and the BMW backend.
- The ConnectedDrive configuration data isn't tamper-proof.
- The Combox discloses the VIN via NGTP error messages.
- NGTP data sent via text messages is encrypted with the insecure DES method.
- The Combox does not implement protection to guard against replay attacks.

Details: http://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html

My "Risks" lessons - some old stories:

The use of "Global Keys" in a large network is a SIN! (point 1 above)

Vulnerabilities often result from backward compatibility. In this case the hacker can reverse engineer the oldest (cheapest) BMW he can find with Connected Drive.

Security through obscurity is vulnerable, because reverse-engineering techniques have become alarmingly powerful.

The high-level design may be (fairly) secure, but vulnerabilities can be found in the configuration details.
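As an added illustration of points 1 and 6 above (not code from the heise article, BMW, or the contributor): the defensive pattern that replaces a single fleet-wide symmetric key with a per-vehicle derived key, and adds a monotonically increasing counter under the MAC so that a captured message cannot be accepted twice. The message layout, the field names and the master key are invented for the example.

```python
"""Added example: per-vehicle key derivation plus counter-based replay
protection, the two controls whose absence is listed as points 1 and 6.
Everything here (layout, names, master key) is constructed for illustration."""
import hashlib
import hmac
import os
import struct

MASTER_KEY = os.urandom(32)      # backend-only secret; never shipped in a car

TAG_LEN = 32                     # HMAC-SHA256 output size
HDR_LEN = 8                      # 64-bit big-endian message counter


def vehicle_key(master_key, vin):
    """Derive a per-vehicle key from the master key and the VIN.

    Extracting one car's key then reveals nothing about any other car,
    whereas one global key baked into every vehicle (point 1) means the
    cheapest unit on the used market compromises the whole fleet."""
    return hmac.new(master_key, b"vehicle-key|" + vin.encode(),
                    hashlib.sha256).digest()


def seal(key, counter, payload):
    """Backend side: authenticate counter||payload with the vehicle's key.
    The counter inside the MAC is what makes replay detectable (point 6)."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class VehicleReceiver:
    """Car side: its own derived key and the highest counter accepted so far."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1

    def open(self, message):
        """Return the payload if the message is authentic and fresh, else None."""
        if len(message) < HDR_LEN + TAG_LEN:
            return None
        header = message[:HDR_LEN]
        payload = message[HDR_LEN:-TAG_LEN]
        tag = message[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                  # forged, or sealed for another vehicle
        counter = struct.unpack(">Q", header)[0]
        if counter <= self.last_counter:
            return None                  # replayed (or out-of-order) message
        self.last_counter = counter
        return payload
```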
http://torrentfreak.com/huge-security-flaw-leaks-vpn-users-real-ip-addresses-150130/
Anthem said Wednesday that its database has been hacked, potentially exposing personal information about 80 million of its customers and employees. The health insurer said the breach exposed "names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data," but added that no financial information, including credit card details, was compromised. [Source: CNBC via NNSquad] http://www.cnbc.com/id/102398852# "Income data" isn't financial information?
*The New York Times* via NNSquad http://www.nytimes.com/2015/02/06/business/experts-suspect-lax-security-left-anthem-vulnerable-to-hackers.html?partner=rss&emc=rss "The hackers are thought to have infiltrated Anthem's networks by using a sophisticated malicious software program that gave them access to the login credential of an Anthem employee." - - - Looks like no 2-factor in use. Of course. I'm thinking more and more that 2-factor systems are going to have to be mandated in some manner.
A report that the Sony hack is a) ongoing and b) done by Russians. http://consumerist.com/2015/02/05/report-russians-not-just-north-korea-behind-sony-data-hack-are-still-doing-it-right-now/
Stu Sjouwerman, *CSO*, 3 Feb 2015 http://www.csoonline.com/article/2879028/social-engineering/the-worst-of-the-worst-phishing-scams.html The depths a phishing scammer will stoop to in order to gain a buck are remarkable. Here are some of the bottom feeders to guard against in your inbox. [...]
Candice So, *IT Business*, 3 Feb 2015 http://www.itbusiness.ca/news/adware-found-in-google-play-store-app-that-has-been-downloaded-millions-of-times/53578
[Note: This item comes to RISKS via Dewayne Hendricks via Dave Farber]

One thing that can clearly be said at this point. We do not yet see Wheeler actually applying Title II properly, in a way consistent with the limits described here (and his commentary has clearly been inconsistent with this characterization, both all along and at the moment of this announcement of the policy approach), but he has chosen the correct substantive basis to proceed on. The basis in Title II does put the law back on the grounds on which it's supposed to be based.

Seth

- - - -

Susan Crawford, The Internet Is Back to Solid Regulatory Ground, Feb 5 2015
http://www.nytimes.com/roomfordebate/2015/02/04/regulate-internet-providers/the-internet-is-back-to-solid-regulatory-ground

The news that the head of the Federal Communications Commission just proposed that the agency should use its authority—under Title II of the Telecommunications Act—to oversee high-speed Internet access services should be welcomed by all who use the Internet. But let's be clear about what this is and isn't. He's not proposing to "regulate the Internet" or the websites of businesses that use the Internet to reach customers. This would not constrain what Americans can say online, nor would it constrain the extraordinary innovation that has come about because of the Internet's borderless and permission-free nature. Tom Wheeler is simply saying that the F.C.C. should have solid legal authority over the physical wires, tubes and towers located in the United States that move information from Point A to Point B. And that's all he's doing. Today, the private operators of this basic, two-way communications infrastructure—in effect, the general-purpose replacement for the telephone network—are free of any oversight.
Left to their own devices, the companies selling Internet access will reasonably act to discriminate against existing competitors, make entry by new competitors more difficult, and make more money any way they can from their existing infrastructure -- including by collaborating with one another to divide markets. The F.C.C. has been worried about this kind of thing for a while now. But because a prior F.C.C. had taken a sharp deregulatory turn under then-chairman (now cable industry advocate) Michael Powell—who put high-speed Internet access in an unregulated category under the Telecom Act -- the Obama-era F.C.C. was powerless to address these problems. The D.C. federal court of appeals twice told the F.C.C. that it couldn't regulate with one hand, by imposing "Open Internet" rules, for example, and deregulate with the other. Now, the chairman is saying that the F.C.C. will return to the solid regulatory ground that made the commercial Internet possible in the first place. High-speed Internet access is indeed a regulated service. This may not be good news for Comcast, Verizon, AT&T and Time Warner Cable—who, among other things, want to make more money by demanding extra payments from popular online companies like Netflix—but it is great news for every other part of American society.
Paul Venezia, InfoWorld, 4 Feb 2015 http://www.infoworld.com/article/2878968/net-neutrality/fcc-tom-wheeler-internet-vote-title-ii-reclassification.html
David Meyer, GigaOM, 6 Feb 2015, via Dave Farber
https://gigaom.com/2015/02/06/uk-access-to-nsa-mass-surveillance-data-was-illegal-court-rules/

The system through which U.K. spy agency GCHQ can access data from NSA mass surveillance programs was in violation of fundamental rights, the Investigatory Powers Tribunal has ruled. However, the limits of that finding have left human rights groups dissatisfied. <https://gigaom.com/2014/10/28/uk-spies-can-get-intercepted-communications-from-nsa-without-warrant-government-lawyers-admit/>

The decision came as a result of a case brought about by Privacy International, Liberty and other human rights groups regarding the Prism and Upstream programs. Prism is the scheme through which U.S. intelligence gets users' communications from service providers in that country, and Upstream intercepts bulk data from the Internet's core infrastructure. <http://www.ipt-uk.com/docs/Liberty_Ors_Judgment_6Feb15.pdf>

In December the IPT ruled that it was legal in principle for GCHQ to get data from these programs now—i.e., from December 2014, in the post-Snowden world, where people actually know what's going on—but it held back on saying whether there had been historical breaches of human rights. <https://gigaom.com/2014/12/05/uk-cable-tapping-programs-are-legal-spy-court-rules/>

Having subsequently heard out both the complainants and the intelligence agencies, the tribunal said on Friday that the data-sharing regime had violated the rights to privacy and free expression, as set out in Articles 8 and 10 of the European Convention on Human Rights. However, it reiterated that it believes the system now no longer does so.
<http://www.ipt-uk.com/docs/Liberty-Order6Feb15.pdf> <http://www.echr.coe.int/Documents/Convention_ENG.pdf>

In a statement on Friday, Privacy International said it and Pakistani NGO Bytes For All would ask the IPT, which generally acts as a secret court, to “confirm whether their communications had been unlawfully collected prior to December 2014 and, if so, demand their immediate deletion.” <https://gigaom.com/2014/01/09/pakistani-human-rights-group-sues-uk-government-over-surveillance/>

The groups also disputed the December ruling's assertion that the disclosure of “a limited subset of rules governing intelligence-sharing and mass surveillance” made everything OK. They will now appeal that ruling with the European Court of Human Rights, as will Liberty. Here's what Liberty legal director James Welch said in the statement:

We now know that, by keeping the public in the dark about their secret dealings with the National Security Agency, GCHQ acted unlawfully and violated our rights. That their activities are now deemed lawful is thanks only to the degree of disclosure Liberty and the other claimants were able to force from our secrecy-obsessed Government. But the Intelligence Services retain a largely unfettered power to rifle through millions of people's private communications, and the Tribunal believes the limited safeguards revealed during last year's legal proceedings are an adequate protection of our privacy. We disagree, and will be taking our fight to the European Court of Human Rights.

“We must not allow agencies to continue justifying mass surveillance programs using secret interpretations of secret laws,” Privacy International deputy director Eric King added. “The world owes Edward Snowden a great debt for blowing the whistle, and today's decision is a vindication of his actions.”
Dan Goodin, Ars Technica, 4 Feb 2015 Paranoid, or: How I learned to stop griping and love digital signatures. <http://arstechnica.com/security/2015/02/psa-your-crypto-apps-are-useless-unless-you-check-them-for-backdoors/> At the beginning of the year, I did something I've never done before: I made a new year's resolution. From here on out, I pledged, I would install only digitally signed software I could verify hadn't been tampered with by someone sitting between me and the website that made it available for download. It seemed like a modest undertaking, but in practice, it has already cost me a few hours of lost time. With practice, it's no longer the productivity killer it was. Still, the experience left me smarting. In some cases, the extra time I spent verifying signatures did little or nothing to make me more secure. And too many times, the sites that took the time to provide digital signatures gave little guidance on how to use them. Even worse, in one case, subpar security practices of some software providers undercut the protection that's supposed to be provided with digitally signed code. And in one extreme case, I installed the Adium instant messaging program with no assurance at all, effectively crossing my fingers that it hadn't been maliciously modified by state-sponsored spies or criminally motivated hackers. More about those deficiencies later—let's begin first with an explanation of why digital signatures are necessary and how to go about verifying them. By now, most people are familiar with man-in-the-middle attacks. They're waged by someone with the ability to monitor traffic passing between an end user and a website—for instance, a hacker sniffing an unsecured Wi-Fi connection or the National Security Agency sniffing the Internet backbone. When the data isn't encrypted, the attacker can not only read private communications but also replace legitimate software normally available for download with maliciously modified software. 
If the attack is done correctly, the end user will have no idea what's happening. Even when Web connections are encrypted with the HTTPS standard, highly skilled hackers still may be able to seed a website with malicious counterfeit downloads. That's where digital signatures come in. A prime candidate for such an attack is the OTR plugin for the Pidgin instant messenger. It provides the means to encrypt messages so (1) they can't be read by anyone monitoring the traffic sent between two parties and (2) each party can know for sure that the person on the other end is, in fact, who she claims to be. Fortunately, the OTR installer is provided through an encrypted HTTPS connection, which goes a long way to thwarting would-be man-in-the-middle attackers. But strict security practices require more, especially for software as sensitive as OTR. That's why the developers included a GPG signature users can check to verify that the executable file hasn't been altered in any way. I ended up burning about 90 minutes figuring out how to verify the signature using Gpg4win, the Windows-based e-mail encryption suite Ars wrote about almost two years ago. No doubt, more technically adept people than me would have spent only a small fraction of the time I did, but that misses the point. In a post-Snowden era, encryption is no longer the exclusive domain of developers, hackers, and technology professionals. Increasingly, it's a prerequisite for lawyers, journalists, and anyone else duty-bound to keep secrets. OTR didn't provide instructions, so I'll show how I did it, with the understanding that installation of Gpg4win, the Mac-based GnuPG, or a similar program for Linux is a prerequisite. (Fortunately, Gpg4win is digitally signed with a key that has been verified by a recognized certificate authority. The digital signature and checksums available online provide further verification.) 
First I downloaded the pidgin-otr-4.0.1.exe installer, the GPG signature for that file, and the public key the OTR developers used to generate the signature. I then opened Kleopatra, a key management program included with Gpg4win, clicked the Import button, and navigated to the directory storing the public key. (Alternatively, I could have right-clicked on the signature file and highlighted "More GpgEX options" and selected "Import keys.") Like magic, Kleopatra showed the key as belonging to the OTR Dev Team. [...]
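An added example of the same check done on the command line rather than in Kleopatra (this is not code from the Ars article, from OTR, or from Gpg4win). The point it adds to the procedure above is fingerprint pinning: a "good signature" from whatever key happened to be imported says nothing until that key's fingerprint matches one obtained out of band. The fingerprint constant and the file names are placeholders; `gpg --status-fd` is the real GnuPG option whose machine-readable lines the parser reads.

```python
"""Added example: verify a detached GPG signature on a downloaded installer
and pin the signer's fingerprint. Placeholders: EXPECTED_FPR and the paths
passed to verify_download(); the status-line keywords are GnuPG's own."""
import re
import subprocess

# Placeholder: the signer's fingerprint obtained out of band (key server
# listing, project website over HTTPS, or a developer you met in person).
EXPECTED_FPR = "0000000000000000000000000000000000000000"

STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")
FAILURE_KEYWORDS = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG")


def judge_status(status_lines, expected_fpr):
    """Interpret gpg --status-fd output. Returns (ok, reason).

    Success requires a VALIDSIG whose fingerprint, or whose primary-key
    fingerprint (the tenth VALIDSIG field, present when a subkey signed),
    equals expected_fpr. GOODSIG alone is deliberately not enough: it only
    says *some* key in the keyring produced the signature."""
    seen_fprs = []
    failure = None
    for line in status_lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue                          # ordinary gpg chatter, ignore
        keyword, rest = m.group(1), (m.group(2) or "")
        fields = rest.split()
        if keyword in FAILURE_KEYWORDS:
            failure = keyword
        elif keyword == "VALIDSIG" and fields:
            seen_fprs.append(fields[0].upper())
            if len(fields) >= 10:
                seen_fprs.append(fields[9].upper())
    if failure:
        return False, "gpg reported " + failure
    if not seen_fprs:
        return False, "no VALIDSIG line: unsigned file or key not imported"
    if expected_fpr.upper() not in seen_fprs:
        return False, "valid signature but from an unexpected key " + seen_fprs[0]
    return True, "signature valid and signer fingerprint matches the pinned one"


def verify_download(sig_path, file_path, expected_fpr=EXPECTED_FPR):
    """Run gpg on a detached signature and judge the result.

    Needs gpg on PATH and the signer's public key already imported; the
    fingerprint pin, not the import, is what ties the key to the project."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True)
    return judge_status(proc.stdout.splitlines(), expected_fpr)


if __name__ == "__main__":
    # Placeholder paths; substitute the installer and .asc/.sig you downloaded.
    print(verify_download("pidgin-otr-4.0.1.exe.asc", "pidgin-otr-4.0.1.exe"))
```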
Bloomberg
http://www.bloomberg.com/news/articles/2015-02-04/why-nadella-s-second-year-as-microsoft-ceo-will-be-a-lot-harder

Internally, Nadella is cutting through Microsoft's bureaucracy to get things done. He has changed the way engineering teams are structured, largely eliminating testers to speed software releases...

Fasten your seatbelts, it could be a bumpy second year. Eliminating testers—just bureaucracy, after all—what could go wrong with THAT?

Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
Be very, very careful what you wish for. The exact same arguments for forcing parents to vaccinate their children will be used to force everyone to "vaccinate" their computers with NSA/GCHQ-approved spyware prior to being allowed to connect to the Internet. The Chinese are nearly there already. Once everyone's computers have been "vaccinated", it [would then be considered] "safe" to introduce Internet voting. From then on, a simple hack can silently steal elections. To the computer vaxxers: please don't give totalitarian government to my tiny, helpless future baby.

To the anti-vaxxers: please don't give measles to my tiny, helpless future baby
Lindy West, *The Guardian*, 3 Feb 2015
http://www.theguardian.com/society/commentisfree/2015/feb/03/anti-vaxxers-vaccination-nature

The anti-vaccination movement is spreading across the US on the back of ideas about `all-natural' lifestyles. They're right about one thing: there is nothing more natural than dying from measles.

[And of course, you would have to TRUST the vaccination-ware not to include deleterious effects, just as you have to trust anti-virus software! PGN]
[I realize that this essay is long, but it should be read in its entirety.]

[I agree it should be read in its entirety. But it is still too long and perhaps even not quite right for RISKS in its entirety. PGN]

Modern societies are literally scaring themselves to death. Just as auto-immune diseases cause the host to start attacking itself, our irrational fears have caused an auto-paranoia that is shredding our liberal democracies before our eyes.

http://www.theguardian.com/books/2015/jan/31/terrorism-spectacle-how-states-respond-yuval-noah-harari-sapiens

Yuval Noah Harari: the theatre of terror
Terrorists have almost no military strength so they create a spectacle. How should states respond? The author of Sapiens, a history of humanity, reflects on the past, and alarming future, of the fear factor
Yuval Noah Harari, 31 January 2015

As the literal meaning of the word indicates, terror is a military strategy that hopes to change the political situation by spreading fear rather than by causing material damage. This strategy is almost always adopted by very weak parties, who are unable to inflict much material damage on their enemies. Of course, every military action spreads fear. But in conventional warfare, fear is a byproduct of material losses, and is usually proportional to the force inflicting the losses. In terrorism, fear is the whole story, and there is an astounding disproportion between the actual strength of the terrorists and the fear they manage to inspire. [PGN-ed ...]

Yuval Noah Harari is the author of Sapiens: A Brief History of Humankind.
The best distinction I've heard is: "A clever person can get out of situations, which a wise person would have never gotten himself into in the first place" :-)
A good start would be to follow the advice from the 1968 NATO conference on Software Engineering. For example, to use strongly typed languages that support strong static analysis tools and to act on the insight that testing can only show the presence of bugs, never the absence.
Please report problems with the web pages to the maintainer