Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
http://www.theregister.co.uk/2015/05/31/airbus_software_config_brought_down_a400m/ Supposedly correct engine-control software installed improperly [PGN-ed]
<http://deredactie.be/cm/vrtnieuws.english/News/1.2351961> [Please visit the article website to see 2 graphics.] At the moment, Belgian air traffic is completely shut down. Belgocontrol, the Belgian air traffic control agency, is dealing with a power cut due to overvoltage. This means that no planes are allowed to land on, or take off from Belgian airports. Belgian airspace will remain closed until at least 5:30PM. There is increasing chaos at the airports as queues are growing, and more and more flights are being canceled and delayed. At 9:45AM, power went down at Belgocontrol. Flights preparing for landing at that very moment were still allowed to ground on the strip. All other flights were redirected to airports in neighbouring countries. Emergency generators appeared to be malfunctioning as well, as they did not automatically start running. "After that, we proceeded to a 'clear of the sky' operation", explains Belgocontrol spokesperson Dominique Dehaene. The power outage temporarily shuts down all air traffic in the country. However, fly-overs at 24,500 feet or higher are still possible, since they are not a Belgocontrol responsibility. Eurocontrol declares that air traffic will be down until at least 5:30PM. Airports at Brussels and Charleroi, for example, are already dealing with a significant number of delays. Liege and Antwerp-Deurne are out of service as well. Osten Airport is the only functioning airfield in the country right now. Most of the planes still in the air have been redirected to airports in neighbouring countries. [...]
Jason Davis, The Planetary Society Blog, 26 May 2015
http://www.planetary.org/blogs/jason-davis/2015/20150526-software-glitch-pauses-ls-test.html
Every 15 seconds, LightSail transmits a telemetry beacon packet. The
software controlling the main system board writes corresponding
information to a file called beacon.csv. If you're not familiar with CSV
files, you can think of them as simplified spreadsheets—in fact, most
can be opened with Microsoft Excel.
As more beacons are transmitted, the file grows in size. When it reaches
32 megabytes—roughly the size of ten compressed music files—it can
crash the flight system.
[Article also noted by robert schaefer: “It is now believed that a
vulnerability in the software controlling the main avionics board halted
spacecraft operations, leaving a reboot as the only remedy to continue the
mission.'' There's no one in outer space to push the reset button. RS]
Fusion.net, 26 May 2015 Last week, a gossip blog based in the Dominican Republic called Remolacha published a disturbing video of what it said was a self-parking car accident. A group of people stand in a garage watching and filming a grey Volvo XC60 that backs up, stops, and then accelerates toward the group. It smashes into two people, and causes the person filming the video with his phone to drop it and run. It is terrifying. [...] The main issue, said [Volvo spokesperson Johan] Larsson, is that it appears that the people who bought this Volvo did not pay for the Pedestrian detection functionality, which is a feature that costs more money. The Volvo XC60 comes with City Safety as a standard feature, however this does not include the Pedestrian detection functionality, said Larsson. The City Safety system kicks in when someone is in stop-and-go traffic, helping the driver avoid rear ending another car while driving slowly, or under 30 mph. http://fusion.net/story/139703/self-parking-car-accident-no-pedestrian-detection/
http://www.masslive.com/news/index.ssf/2015/05/boston_water_main_break_disrup.html
Do read my whole blog post that is referenced here. http://motherboard.vice.com/read/how-is-critical-life-or-death-software-tested
Will software security insurance eventually change lax security behavior?
"In-brief: In what may become a trend, an insurance company is denying a
claim from a California healthcare provider following the leak of data on
more than 32,000 patients. The insurer, Columbia Casualty, charges that
Cottage Health System did an inadequate job of protecting patient data."
http://securityledger.com/2015/05/clueless-clause-insurer-cites-lax-security-in-challenge-to-cottage-health-claim/
[This article also noted by Henry Baker, :-)
FYI—Finally, the costs of NOT securing people's data will exceed the
costs of securing those data.
Henry added, Companies will now pay more attention when the IRS
demonstrates to them how to improve their computer security.
PGN]
http://www.wired.com/2015/05/even-tiny-updates-tech-can-obstacles-disabled/ (WiReD via NNSquad) "For me, every step forward in making things lighter and smaller is a new obstacle. Often, the buttons I need to hit are too small, the screen too sensitive, or the glare off the screen too distracting to allow me to make use of my device. Updates to operating systems or apps that create slight changes to the size and position of buttons throw me off for days. While these changes might go unnoticed by a typical user, I endure a relearning process that slows me down and makes it more difficult to communicate." -- Paul Kotler
http://www.baynews9.com/content/news/baynews9/news/article.html/content/news/articles/bn9/2015/5/7/woman_plans_to_sue_a.html This isn't exactly a new risk. But as we are increasingly dependent upon these systems we need to take into account human factors. If this were a consumer-facing system it's likely that such checks would be built in. But how do these design factors get addressed in systems built to specifications? Or must we accept bad design just to get conformance to requirements? What are the details of this particular system?
[National Journal via NNSquad] http://www.nationaljournal.com/tech/supreme-court-intent-matters-in-violent-facebook-posts-20150601 The Supreme Court on Monday inched a little bit closer to answering a major free-speech question: how to draw the line between real threats of violence and angry diatribes protected by the First Amendment. In an 8-1 ruling, the court threw out the conviction of a Pennsylvania man who wrote violent, obscene Facebook posts about killing his wife, his coworkers, FBI agents and even kindergartners. But the court did not set a clear standard for future cases involving online threats, and some of the justices complained that the ruling would only make the legal landscape more complicated.
This kind of activity is precisely why Europe's purported "right to be forgotten" is so dangerous to democracy. Ben Riley-Smith, *The Telegraph*, 26 May 2015 Expenses and sex scandal deleted from MPs' Wikipedia pages by computers inside Parliament Exclusive: References to 'chauffeur-driven cars' and a criminal arrest wiped from online biographies in run-up to election http://www.telegraph.co.uk/news/general-election-2015/11574217/Expenses-and-sex-scandal-deleted-from-MPs-Wikipedia-pages-by-computers-inside-Parliament.html Expense claims and a Westminster sex scandal were deleted from MPs' Wikipedia pages by computers inside Parliament before the election, The Telegraph has found. Details of a police arrest, electoral fraud allegation and the use of "chauffeur-driven cars" were also been wiped by people inside the Commons. The revelation will raise suspicion MPs or their political parties deliberately hid information from the public online to make candidates appear more electable to voters. More than a dozen online biographies of sitting MPs were doctored from computers with IP addresses owned by the Houses of Parliament in the run-up to the election. Requests for comment were made to all the MPs in question via their party press offices, but just a handful replied to say the changes had nothing to do with them. Anyone can edit Wikipedia, an online encyclopaedia kept up to date by users. However each change is tracked and linked to an IP address - a unique string of numbers that identifies each computer using an Internet network. By looking at the changes made by computers with IP addresses owned by the Houses of Parliament it is possible to see what edits are being made from inside the Commons. *The Telegraph* has discovered persistent changes to MPs' biographies made from Parliament in what appears to be a deliberate attempt to hide embarrassing information from the electorate. [Numerous dishy examples omitted for lack of RISKS-relevance. PGN] FULL DETAILS OF WHAT WIKIPEDIA CHANGES WERE MADE FROM PARLIAMENT COMPUTERS ... [omitted for RISKS]
"Maybe Online Voting Isn't A Pipe Dream After All" (via NNSquad) http://readwrite.com/2015/05/22/du-vote-secure-online-voting Finally, you'd have to have faith that people would be willing to enter strings of numbers into both a handheld token and the online electoral website. Not to mention the fact that the system's security also depends on voters' willingness to flip a coin and take action based on the result. If in practice most people just entered the "column A" digits out of habit, that would undermine the system's reliability. Uselessly cumbersome, unworkable, and does nothing to solve the problems of integrity of the election process in terms of maintaining recountability (e.g., validated paper receipts or other mechanisms) and anonymity of votes.
The industry once thought big, but today's wave of start-ups is characterized by a rise in services aimed at the wealthy and the young. http://www.nytimes.com/2015/05/21/technology/personaltech/a-tech-boom-aimed-aat-the-few-instead-of-the-world.html
Most Americans say it is important to control who has access to their personal information, but they have little faith that the government or companies will protect their private data, according to a new report by the Pew Research Center. http://bits.blogs.nytimes.com/2015/05/20/survey-finds-americans-dont-trust-government-and-companies-to-protect-privacy/
The Federal Trade Commission's chief technologist fights to ensure that companies keep consumers' information safe and private. http://www.nytimes.com/2015/05/24/technology/the-governments-consumer-data-watchdog.html
FYI—It doesn't get much worse than this; these are the same people that can take money out of your bank accounts any time they want to. "We don't care, we don't have to...we're the IRS." (apologies to Lily Tomlin). "During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts." So the real number is somewhere between 1 and 23 million; let's pick "100,000" as a nice average.?!. http://bigstory.ap.org/article/34539a748b3745ffb92451472f814ffa/apnewsbreak-irs-says-thieves-stole-tax-info-100000 APNewsBreak: IRS says thieves stole tax info from 100,000 Stephen Ohlemacher, AP, 26 May 2015 WASHINGTON (AP) --Thieves used an online service provided by the IRS to gain access to information from more than 100,000 taxpayers, the agency said Tuesday. The information included tax returns and other tax information on file with the IRS. The IRS said the thieves accessed a system called "Get Transcript." In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address. "We're confident that these are not amateurs," said IRS Commissioner John Koskinen. Koskinen said the agency was alerted to the thieves when technicians noticed an increase in the number of taxpayers seeking transcripts. The IRS said they targeted the system from February to mid-May. The service has been temporarily shut down. Taxpayers sometimes need copies of old tax returns to apply for mortgages or college aid. While the system is shut down, taxpayers can still apply for transcripts by mail. The IRS said its main computer system, which handles tax filing submissions, remains secure. The IRS has launched a criminal investigation. The agency's inspector general is also investigating. "In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles," the agency said. "During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts."
The hacking of CareFirst, a health insurer, may have some common links to the attacks on Anthem and Premera. http://www.nytimes.com/2015/05/21/business/carefirst-discloses-data-breach-up-to-1-1-million-customers-affected.html
John Leyden, *The Register*, 22 May 2015 Users with a fetish for risky encounters in public spaces will be thrilled Hackers have swiped and leaked the personal details and sexual preferences of 3.9 million users of hookup website Adult FriendFinder. Lusty lonely hearts, including those who asked for their account to be deleted, have been left in an awkward position after hackers broke into systems before uploading the details to the dark web. Email addresses, usernames, postcodes, dates of birth and IP addresses of 3.9 million members have been exposed. http://www.theregister.co.uk/2015/05/22/adult_hookup_site_breach_data/
Lucian Constantin, InfoWorld, 26 Mak 2015 Security researchers have found a Web attack tool designed specifically to exploit vulnerabilities in routers and hijack their DNS settings http://www.infoworld.com/article/2926221/security/large-scale-attack-hijacks-routers-through-users-browsers.html
http://www.nytimes.com/2015/06/01/world/americas/ex-fifa-official-jack-warner-cites-onion-article-in-defense.html Jack Warner, arrested last week in connection with a criminal investigation, held up the faux news report as evidence, he said, of an American conspiracy.
This Connection is Untrusted You have asked Firefox to connect securely to www.warren.senate.gov, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified. [...] www.warren.senate.gov uses an invalid security certificate.
http://www.nytimes.com/2015/05/30/your-money/one-tap-giving-extra-steps-mire-mobile-donations.html Mobile apps can be used to summon a car or order food with a simple tap, but making a charitable donation is not as easy.
http://www.bostonglobe.com/business/2015/05/31/partners-launches-billion-electronic-health-records-system/oo4nJJW2rQyfWUWQlvydkK/story.html
Hayley Tsukayama, 29 May 2015 Smartwatches such as the Apple Watch are designed to keep us from being glued to our smartphone screens all day. But even with their bite-sized messages, are these new gadgets still too distracting for use behind the wheel? Some other countries' police officers certainly seem to think so. A Canadian man was fined $120 for using his Apple Watch while driving earlier this week, Montreal's CTV News reported. ... http://www.washingtonpost.com/blogs/the-switch/wp/2015/05/29/could-wearingw-a-smartwatch-behind-the-wheel-land-you-in-hot-water/ Pincourt man fined $120 for using Apple Watch while driving http://montreal.ctvnews.ca/pincourt-man-fined-120-for-using-apple-watch-while-driving-1.2394293
FBI and Homeland Security Respond to Shocking Goatse Bomb in Atlanta http://gawker.com/fbi-and-homeland-security-respond-to-shocking-goatse-bo-1704768347 "The setup is exactly as insecure as you'd imagine: many of these electronic billboards are completely unprotected, dangling on the public Internet without a password or any kind of firewall. This means it's pretty simple to change the image displayed from a new AT&T offer to, say, Goatse.'' ... "security researcher Dan Tentler tweeted yesterday that he'd tried to warn this very same sign company that their software is easily penetrable by anyone with a computer and net connection and was told they were `not interested'.
http://www.nytimes.com/2015/05/26/business/uber-closes-in-on-its-last-frontier-airports.html American airport officials know the ride-hailing phenomenon will not recede, and they are rewriting regulations to welcome all manner of cars.
http://www.nytimes.com/2015/05/24/opinion/sunday/maureen-dowd-driving-uber-mad.html The tragic saga of how Cinderella's Uber coach turned back into a judgmental pumpkin.
http://bits.blogs.nytimes.com/2015/05/24/behind-the-downfall-at-blackberry/ A new book by two reporters from The Globe and Mail offers details about the emotional and business turmoil surrounding BlackBerry's near collapse.
Bruce Kushnick, *HuffPost*, 22 May 2015 It amazes me how many media stories have decided to just cut and paste Verizon's supplied information about their new FiOS "customized TV plan" without examining the 'fine print'. I guess everyone is just desperate to get anything that smacks of ala-carte pricing for cable TV service, where the customer can pick and choose which cable programming they want to buy -- and is supposed to save some money. http://www.huffingtonpost.com/bruce-kushnick/verizons-pick-your-own-ca_b_7419440.html
Andy Greenberg, 20 May 2015 A woman at a gym tells her friend she pays rent higher than $2,000 a month. An ex-Microsoft employee describes his work as an artist to a woman he's interviewing to be his assistant—he makes paintings and body casts, as well as something to do with infrared light that's hard to discern from his foreign accent. Another man describes his gay lover's unusual sexual fetish, which involves engaging in fake fistfights, “like we were doing a scene from Batman Returns.'' These conversations—apparently real ones, whose participants had no knowledge an eavesdropper might be listening—were recorded and published by the NSA. Well, actually no, not the NSA, but an anonymous group of anti-NSA protesters claiming to be contractors of the intelligence agency and launching a new `pilot program' in New York City on its behalf. That spoof of a pilot program, as the prankster provocateurs describe and document in videos on their website, involves planting micro-cassette recorders under tables and benches around New York city, retrieving the tapes and embedding the resulting audio on their website: Wearealwayslistening.com. ... http://www.wired.com/2015/05/nsa-pranksters-planted-tape-recorders-nyc/
James Spann, Medium.com, 27 May 2015 (via Dave Farber) <https://medium.com/@spann/the-age-of-disinformation-98d55837d7d9> I have been a professional meteorologist for 36 years. Since my debut on television in 1979, I have been an eyewitness to the many changes in technology, society, and how we communicate. I am one who embraces change, and celebrates the higher quality of life we enjoy now thanks to this progress. But, at the same time, I realize the instant communication platforms we enjoy now do have some negatives that are troubling. Just a few examples in recent days: I would say hundreds of people have sent this image to me over the past 24 hours via social media. [Rest omitted; somewhat less computer relevant. PGN]
http://www.bbc.com/news/technology-32511489 [an important read. LW] With a rising elderly population, the technology industry cannot afford to ignore the issue. It is estimated that, by 2030, 19% of the US population will be over 65 - roughly the same proportion that currently own iPhones. And by 2050, there will be one retired person for every two that are in work. Apple is looking to address this - but not with new hardware. In a joint venture with IBM, it announced last month it would design "iPad apps" that would be "very easy to use for seniors". Aimed at the Japanese market, the apps will help connect millions of older people with healthcare services. "It assumes that its product is inherently usable," says Mr Hosking. And this situation is a terrible shame and waste, because this tech can bring enormous benefits even to very elderly persons, if the effort were made by someone with sufficient resources and talent to do it right. (I'm talking to you, Google.)
In today's computing environment, especially in an enterprise setting where IT department looks after the PCs and other devices distributed across the premise, the need for centralized control is acute. Even PC's desktops are no exception with respect to the centralized control. We now have PCs running as if they were thin client in some environments. When a user logs in, these PCs load the user environment from centrally managed servers. The local files are swapped in/out when a different user logs in. (A similar complete wiping out of the previous user's desktop and restarting a computer with a fresh install even can often be seen at a PC made available at a hotel room or a hotel business center.) Such a centralized control may cause network load issues reported in web blogs and vendor white papers. With that background, let me tell you a story. I visited a hospital the other day for an appointment at 09:00. This is the earliest slot in the morning. I was there at about 08:50 and was instructed to wait in front of the doctor's office. Above the door, there is an LCD screen that shows whose turn (a number for the day's appointment which is printed on a supermarket receipt-like paper when I check in at the hospital using my ID card.). If there are people waiting, the queue is shown at the bottom. I thought it was really neat in this modern ICT age (although I thought it is a bit of waste of electricity although I am not sure if the LCD ran in energy saving mode or something.) >From the manner the doctor set up the 09:00 appointment a few weeks ago, I thought I would be consulted at 09:00 sharp. But 09:00 came and passed and nothing happened. I noticed the dentist's office in the back began accepting patients. (The hospital was a large general hospital with many departments.) Still nothing. Another doctor's office in the same row began accepting patient around 09:05. Still nothing at my doctor's office. I noticed the smoked glass window on the door of the doctor's office showed the interior lighting, so the doctor was already in. I began wondering if my previous medical tests turned out very bad and the doctor was going over them very carefully (?) At about 09:10, the LCD screen above my doctor's office door finally displayed my appoint number as the first patient that morning. I went in the office uneasily, and the first thing the doctor said is not related to my health at all: "Logging in is too slow in the morning. I could not get to read the data"(!) Wow. A great Risks item :-) It seems that the PC in the doctor's office is used as a thin-client workstation [running Java applications] setting to access medical care system, and from what gathered looking at the screen and hardware in a short time while I was there, it seems that the user-profile and everything is first copied to the local PC for efficiency reasons, and that caused a flood of the network transfer in the morning just before 09:00 when doctors and clerks began using their computers. No wonder all other doctors, too, could not invite patients quickly enough. The doctor mentioned the particular system is not used widely although it is priced at low cost which the hospital could afford: the doctor said something about low-quality, but I doubt that in general terms. It seemed feature-rich from the menu and the doctor's interaction once the files were fetched from the server(s) was good and UI seemed better than some systems used at smaller hospitals I have seen. But the problem is that this particular installation is simply not designed very well for network peak usage for a big hospital, and presumably other high-priced systems use different approach regarding the centralized desktop management to avoid the peak usage issue (or uses even 10GHz for backbone for network transfer I suppose to take care of high volume of I/O at peak time and powerful servers that cost a lot.) Well, a bad system design can cause health risks. Anyone going to this particular hospital had better not have a heart attack or other sudden severe symptoms before 9 o'clock in the morning because by the time they may get to the hospital on an ambulance in time, the doctors may not be able to read vital data due to "network timeout" on their PCs (!) I never thought I would experience such a direct computer-related risk in a hospital I visit.
http://www.fastcodesign.com/3046512/how-google-finally-got-design?utm_content-buffer20941 "Google's transformation into a company that creates beautiful software is the story of how tech itself has evolved in the mobile era." I'm posting this item here as an example of how different points of view can create *utterly contrary* reactions—because to many observers Google's user interfaces (and this definitely isn't just a Google problem) have become increasingly, frustratingly *unusable* to significant and growing segments of the user population—special needs, older users, and others. I'm currently conducting a survey on these issues—please see: http://lauren.vortex.com/archive/001103.html and responses have been pouring in—many of them maddeningly heartbreaking. More on this as I collect additional ongoing data.
There's something very weird about the Firefox browser & *The New York Times* web site, which causes my computers to use 5-8x the electricity of most other web sites. I have Javascript completely turned off, thanks to NoScript, but the NYTimes web site still consumes 11-15% of my CPU's (tested with both Windows/32-bit and Ubuntu/64-bit). Other web sites—e.g., LATimes.com, Boston.com, etc. (also with Javascript disabled)—take only perhaps 1-3% of my CPU's. The high CPU load occurs only when NYTimes is the top tab; if I switch the top tab to LATimes.com, the CPU load drops down to 1-3%. The NYTimes CPU load persists even when these computers are disconnected from the Internet. These measurements are up-to-date (as of today, 5/26/2015) for Firefox v. 38. All add-ons & extensions are disabled—except NoScript—and particularly, *all video is disabled*. The problem is not expensive gif images, because other sites which use gifs are not so expensive. I'm mystified. Apparently, leaving The NYTimes open in your Firefox browser makes for very expensive wallpaper.
This is an advertising stunt, but has interesting implications all the same: "Websites are already able to serve up ads customized for whoever happens to be viewing a page. Now an ad agency in Russia is taking that idea one step further with an outdoor billboard that's able to automatically hide when it spots the police coming." http://gizmodo.com/this-ad-for-banned-food-in-russia-can-hide-itself-from-1707145443
An alarming figure! But when we look at the story, we find the reality is (slightly) less alarming; that includes people who identified non-phishes as phishes, whereas "only" 80% of the people tested misidentified phishes.
[Numerous collision incidents have occurred—some days half a dozen] between trains and road vehicles, in the USA, described at this site: http://www.trainwreckdb.com/ I wonder what the rate is like elsewhere in our world. I suspect some of this, and violations of school bus safety, is thanks to the USA eliminating driver education from the school system, allegedly triggered by budget cuts. We can be thankful that these incidents are not triggering bomb trains. Bomb trains go off typically at least twice a month—there were almost 40 of them in the USA in 2014. Basically the infrastructure, to move crude oil, was developed before we had Canadian Oil Sands, and US fracking. Oil from those sources contain a lot of pieces of rock and sand, which abrade the insides of pipelines and oil tankers, causing them to breach, reach something to trigger ignition, and away they go in a monster fire. Here's a source for the above statistics: http://www.wsj.com/articles/train-wrecks-hit-tougher-oil-railcars-1425861371
Please report problems with the web pages to the maintainer