A bug in Microsoft's communication program means sending or receiving a message that says "http://:" (without the quotation marks) will crash Skype. Rebooting or logging in and out does not help; it simply crashes again at launch. The glitch, according to VentureBeat, works on Windows, Android, and iOS; Skype on Mac and the Windows 8 Modern app, however, appear unaffected. [PCMag via NNSquad] http://www.pcmag.com/article2/0,2817,2485271,00.asp Unit testing? BAH!
Prosecutors are able to apply the law broadly because they do not have to show that the person deleting evidence knew there was an investigation underway. In other words, a person could theoretically be charged under Sarbanes-Oxley for deleting her dealer's number from her phone even if she were unaware that the feds were getting a search warrant to find her marijuana. The application of the law to digital data has been particularly far-reaching because this type of information is so easy to delete. Deleting digital data can inadvertently occur in normal computer use, and often does. [*The Nation* via NNSquad] http://m.thenation.com/article/208593-you-can-be-prosecuted-clearing-your-browser-history
[ citing from the IEEE Spectrum website tracking "Bio-Medicine <http://spectrum.ieee.org/biomedical>" and the "Tech Talk" blog there ] (*The artificial pancreas is the culmination of a 50-year slog in bioengineering--one that is finally paying off because of improvements in insulin, sensors, and algorithms.*) Diabetes Has a New Enemy: Robo-Pancreas Sensors, actuators, and algorithms can automatically control blood sugar.... <http://spectrum.ieee.org/biomedical/bionics/diabetes-has-a-new-enemy-robopancreas> Can Hackers Commit the Perfect Murder By Sabotaging an Artificial Pancreas? <http://spectrum.ieee.org/tech-talk/biomedical/bionics/can-hackers-commit-the-perfect-murder-by-sabotaging-an-artificial-pancreas-> Robotic systems are, at last, beginning to take over some of the burden of managing the fluctuations in blood glucose in patients with Type 1 diabetes. But a new report warns that as the systems get adopted more widely, the risk of criminal eavesdropping and sabotage will also increase. The report, by Yogish C. Kudva and colleagues at the Mayo Clinic in Rochester, Minn., and at the University of Virginia in Charlottesville, appears in *Diabetes Technology & Therapeutics* <http://online.liebertpub.com/doi/full/10.1089/dia.2014.0328>. Make the machine administer too little insulin, and the blood-glucose level may rise high enough to send the patient into a ketoacidosis coma. Make it administer too much, and the glucose falls until the brain fails causing the patient to faint, or even die. It might seem to bad guys like the way to commit the perfect murder. ... Read all about it in the June issue of *IEEE Spectrum*, which is devoted to a single topic: "Hacking the Human OS."
Health care spending $ billions to protect the records it spent $ billions to install http://www.politico.com/story/2015/06/health-care-spending-billions-to-protect-the-records-it-spent-billions-to-install-118432.html
http://www.nytimes.com/2015/06/07/magazine/the-agency.html From a nondescript office building in St. Petersburg, Russia, an army of well-paid `trolls' has tried to wreak havoc all around the Internet and in real-life American communities. The battle was conducted on multiple fronts. Laws were passed requiring bloggers to register with the state. A blacklist allowed the government to censor websites without a court order. Internet platforms like VKontakte and Yandex were brought under the control of Kremlin allies. Putin gave ideological cover to the crackdown by calling the entire Internet a "C.I.A. project," one that Russia needed to be protected from. Restrictions online were paired with a new wave of digital propaganda. The government consulted with the same public relations firms that worked with major corporate brands on social-media strategy. It began paying fashion and fitness bloggers to place pro-Kremlin material among innocuous posts about shoes and diets, according to Yelizaveta Surnacheva, a journalist with the magazine Kommersant Vlast. Surnacheva told me over Skype that the government was even trying to place propaganda with popular gay bloggers—a surprising choice given the notorious new law against "gay propaganda," which fines anyone who promotes homosexuality to minors. [via NNSquad]
Jon Oltsik, Network World, 2 Jun 2015

A report by Jon Oltsik <http://www.networkworld.com/author/Jon-Oltsik/> from the recent Cyber Exchange Forum event, sponsored by ACSC (the Advanced Cyber Security Center, <http://www.acscenter.org/>). The featured speaker was Sean Kanuck, National Intelligence Officer for Cyber Issues, Office of the Director of National Intelligence. In this role, Sean directs the production of national intelligence estimates (for cyber-threats), leads the intelligence community (IC) in cyber analysis, and writes personal assessments about strategic developments in cyberspace.

Cybersecurity Views from a National Intelligence Officer <http://www.networkworld.com/article/2930395/cisco-subnet/cybersecurity-views-from-a-national-intelligence-officer.html>

Some highlights:

* On the scope of threats. Sean does not subscribe to the notion of a "cyber Pearl Harbor" for the most part. He stated that there are only a few nation states capable of this type of attack (i.e. China and Russia) and that an attack of this magnitude was highly unlikely during peace time. His caveat to this was that we already face a series of disruptive attacks like those at the Sands Hotel of Las Vegas and Sony Pictures that are having a cumulative impact on the U.S. economy and national security.
* On future attacks. Sean spoke of a growing concern around data integrity using the Syrian Electronic Army hack of the Associated Press's Twitter account in 2013. This particular event led to a decrease of $137 billion in stock market valuation. He emphasized the fact that a relatively small crime moved billions of dollars and that these types of scams are often used to fund all types of other malicious activities.
* On non-state actors. While these groups don't have the sophistication of nation states, Kanuck described the threat from non-state actors as being "as good as what can be purchased online from the cyber black market." In other words, the bad guys will improve malware attacks as well as their tactics, techniques, and procedures (TTPs) as the cybercrime industry becomes more organized and market-like. Unfortunately, this advancement is already well underway.
* On political will. Sean stated that there are about 30 countries that are now developing offensive cyber capabilities. It's cheap and effective with very little risk.
* On commercial cybersecurity innovation. New products like automated penetration testing software can really help companies identify IT risk, but Kanuck pointed out that they are also making it easier for the black hat community.

Sean said that organizations can expect to encounter cyber-attacks that cause IT attrition and degradation. Much like disaster recovery, organizations should then create a plan that allows them to operate in a degraded state when this occurs...
"NOBUS" = "NObody But US" is Gen. Michael Hayden's famous boast regarding NSA's capabilities, e.g.: http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws/ Let's assume, for the sake of argument, that this is true; that no govt -- with the exception of the U.S.—can collect and interpret intelligence as well as the U.S. Most people would assume that this is a *GOOD* thing; after all, isn't intelligence *obviously* monotonically increasing? Isn't it *obvious* that more intelligence is always better? Isn't this monotonicity the whole point of "collect it all" ? A problem with "obvious" is that "obvious" doesn't necessarily mean "true". Perhaps the simplest example of non-monotonicity is the Ishihara Color Test *hidden digit plate*: "only individuals with color vision defect could recognize the figure". A person with normal color vision (i.e., without the color vision defect) wouldn't see the figure. In this case, more information is worse! https://en.wikipedia.org/wiki/Color_perception_test The "collect it all" mentality has already been challenged on Bayesian grounds: http://www-stat.wharton.upenn.edu/~hwainer/Readings/Wainer%20Savage.pdf I'm going to challenge NOBUS on "paranoia & arrogance" grounds; I claim that the NOBUS attitude has actually made it cheaper and easier for the U.S. to *attack itself* with a self-inflicted act of "terrorism". Here are the ingredients: * U.S. paranoia has put its entire govt security apparatus on a "hair trigger" response * U.S. is now capable and willing to shoot down commercial airliners as a defense against another "9/11" * "Collect it all" enables U.S. govt to make intelligence correlations impossible by other govts * Electronic intelligence "evidence" is given far greater weight than common sense by govt intelligence apparatus Since the U.S. 
govt has already loaded its gun, pointed it at its foot, and cocked it, all that a "terrorist" has to do now is to convince the govt that a threat from that foot is imminent, at which point the U.S. govt will blow its own foot off.

This "terrorist" knows that the collect-it-all NSA is listening to meta-data world-wide, and actual data outside the U.S. Furthermore, the NSA is hard at work producing correlations, the overwhelming majority of which are spurious.

Enter the Ishihara Color Test *vanishing plate*: only individuals with better color vision can recognize the figure; the US now has better intelligence vision, so NOBUS sees the figure. All that is necessary is to seed NSA-monitored communications channels with enough misdirections -- each of which is completely innocent by itself -- but which, when "correlated" by a paranoid intelligence apparatus, will create the perception of imminent attack by a commercial airliner landing at a major U.S. city -- e.g., Washington, DC or New York City. Note that these seeds would be uncorrelated (and indeed uncorrelatable) by any other govt, but due to NOBUS, only the U.S. govt would "see" the "overwhelming" evidence of imminent attack.

Note that this "terrorist" need not send any agents into the physical U.S.; he/she need not train anyone to fly a plane; he/she need never engage in an act more violent than tapping a computer keyboard, using a cell phone or an ATM machine or a credit card. All this "terrorist" has to do is to convince this paranoid govt that a commercial airliner is not under the complete control of its pilots, and that this "knowledge" is obtained too late in the plane's landing pattern before a missile would have to be fired.

But it gets worse: even *practice attempts* at misdirection will be interpreted as additional evidence of a real plot, so this "terrorist" would eventually be able to accomplish his/her goal.

I leave it to the Tom Clancys of the world to construct the appropriate seeds to plant, but it doesn't seem that difficult to come up with appropriate scenarios. Note that -- due to NOBUS -- no other govt would (be able to) come to the same conclusions, and therefore that no other govt would willingly blow its own foot off. The NOBUS collect-it-all/correlate-it-all mentality has risks of its own.
http://www.nytimes.com/2015/06/03/us/politics/senate-surveillance-bill-passes-hurdle-but-showdown-looms.html A bill to allow the government to restart surveillance operations, but with new restrictions, passed over the opposition of the Senate majority leader, and was signed by President Obama.
The war against crypto is just beginning. Government officials around the world—particularly here in the USA—are ramping up gigantic PR campaigns aimed at legislators and the media to argue that end-to-end encryption without backdoor access for government helps terrorists and cannot be permitted, particularly if operated by the large Web services that most people use. This battle is going to make the old Clipper Chip controversies of the 90s look like a walk in the park. *** You can count on it. *** [LW in NNSquad]
http://www.nytimes.com/aponline/2015/06/03/us/politics/ap-us-nsa-surveillance-qa.html
http://arstechnica.com/tech-policy/2015/06/how-i-tracked-fbi-aerial-surveillance/
A company called Nexar has unveiled a smartphone application that turns the phone into a dashboard camera. The application lets drivers rate other drivers, and at the end of the day uploads all tagged footage to the cloud, to be shared by other clients; it then uses the info to warn users of "bad drivers" close to them. Details at: http://www.geektime.com/2015/05/28/channel-that-road-rage-into-something-constructive-with-nexar-you-can-easily-report-terrible-drivers/ There is no mention of whether the application enables tagged drivers to review and/or appeal their rating (just the first issue which popped into my mind, there may be lots more). Amos
FYI—IoS = "Internet of Sh*t" ? This napp app needs 1 GB of RAM & 4 GB of flash (wipeable, of course) ? The third world will be recycling these processors for their drones, as in "The Internet of stuff hits the fan". The name of Intel's new product? Alimentary, my dear Watson... Your baby's privacy is assured, because Intel's software is "leakproof" (tm). Coming for grownups with adult diapers: the Sh*tbit wrist "activity" tracker.

http://www.theregister.co.uk/2015/06/02/intel_imagines_chips_in_kids_pants_to_create_the_internet_of_span_classstrikeshtspan_ithingsi/

Intel imagines chips in nappies to create the Internet of sh*t things
We have a CODE BROWN down there, repeat CODE BROWN
Intel-sponsored 'DiaperPie' connected nappy
Simon Sharwood, *The Register*, 2 Jun 2015

Computex 2015 If you think the Internet of Things (IoT) is a steaming pile of you-know-what, Intel's kind-of confirmed your suspicions by backing a team that's imagined an Internet-connected nappy (diaper for North American readers). Computex 2015 is full of folks spruiking the Internet of stuff. On the show floor you can hardly move for video cameras, sensors and associated networking kit. Intel's taken things a step further, revealing today that one of the `maker' teams it's encouraged to play with its Edison platform has created a prototype Internet-connected nappy (diaper). The idea's simple: nappies of the future will include a sensor, or you'll get your tot to wear one, and when your offspring's alimentary canals produce waste you'll get a warning on your smartphone. WiFi produces too much energy to ensure the viability of infant innards, so Bluetooth LE gets the job of telling you about the presence of something brown or yellow. For now, the nappy is full of an Intel Edison system and its host board. The pair certainly have enough grunt to squeeze out some data: there's a dual core Atom at 500MHz in there, along with 1GB of RAM and 4GB of flash to store—let's leave that to the imagination.
Before your correspondent's children were toilet trained, their mother and I employed a sophisticated remote olfactory sensing technology to determine whether their pants were full. That biological device had a remarkable range and never ran out of batteries but was susceptible to viruses, which could reduce its sensitivity by inducing unusual flows of mucus. Future parents, it seems, may be spared that marvelous part of child-rearing. Intel and its makers did not, however, discuss a solution for the nastiest part of the job, namely the bit involving wet wipes. Your correspondent will report if such a device can be found on the show floor.
Jackie Dove, 4 Jun 2015 In the run-up to Apple's Worldwide Developer Conference, Adobe Digital Index, the company's marketing arm, has concluded that Apple is currently the dominant player in consumer digital video consumption, and that the trend is likely to continue. In a new report examining Online Video Viewing and Browsing Trends between 2014 and 2015, Adobe declared Apple as a clear winner in major categories of content, including Internet-connected, subscription-based pay TV programming, known in the trade as TV Everywhere. The study was based on anonymous and aggregated data gathered by Adobe Marketing Cloud analytics, which tracked more than 500 billion visits to 11,000 sites in the US and 7,000 sites abroad. The results? Not only does Apple dominate pay TV, but its iOS devices account for a majority of all premium video viewing content whether authenticated via subscription or unauthenticated and freely accessible. According to Adobe's research, Apple has captured 62 percent of all authenticated video. http://thenextweb.com/apple/2015/06/04/apple-now-dominates-consumer-digital-video-viewing-says-new-adobe-report/
Open Wireless Advocates to European Court: Don't Make Us Lock Down Our Networks
In the preliminary reference to the Court of Justice of the European Union, Europe's highest court is asked whether an enforcement practice requiring open wireless networks to be locked is an acceptable one. Germany's Federal Supreme Court in 2010 held that the private operator of a wireless network is obliged to use password protection in order to prevent abuse by third parties. If the CJEU affirms this finding, the effect could be to extend this bad precedent throughout Europe, grounding the open wireless movement across the continent. If on the other hand it rejects that finding, German law could be forced to return to sanity, allowing thousands of hotspot operators to open up their networks again. [via NNSquad]
Volvo points out that the pedestrian detection function requires additional sensor hardware (radar and a camera) not fitted to that model, and even if it were fitted it is overridden by a driver explicitly accelerating as in the accident shown in the video. Which raises a few relevant RISKS:

1. Why did the victims and the driver apparently believe that the car could magically avoid hitting pedestrians?
2. Why do the media typically fail to accurately investigate or report the incident?
3. Should a car fitted with appropriate sensors override a driver in such a situation?

Andrew Pam, Xanadu Chief Scientist; Glass Wings http://www.glasswings.com.au Serious Cybernetics http://www.xanadu.com.au/; http://www.sericyb.com.au/
In Israel, street ads showing women - even just faces - often get marred or damaged by Jewish ultra-orthodox activists. Maybe this is a solution - an ad that changes whenever it senses someone approaching who is wearing a big black hat...
I used to work in a big company where the security department were trying to educate employees by sending around messages which were supposed to look suspicious, and then reprimanding those who had opened the messages. The trouble was, they made such a poor job of hiding the messages' origin, that I always mistook these for just yet another routine message from security, and fell for opening them every time! I wonder how many of Intel's subjects had opened the supposed phishing messages precisely because they did recognize them for what they really were.
I wonder if this license had already made its way into some big bad database of sex offenders. If it did, she might be in for more trouble down the road. One specific problem in this case is that precisely because she's not an offender, she has no legal right to require the state to let her search such databases for her name!
In Risks 28.66, Henry Baker reports on Wikipedia-page edits from the UK House of Commons before the UK elections. He also suggests a link with the European Union Court of Justice ruling that people have a right to have certain information about them obscured in a WWW search. It's only one sentence; he doesn't justify the connection he makes and I don't see one. First, anyone can edit Wikipedia pages. This is not the first time in which information on public figures may have been "cleaned up" on Wikipedia (if it indeed happened, and whoever did it - many may be motivated). Most of us understand that people whose career depends upon their personal reputation may engage in "image management" and Wikipedia is the obvious place to start. Indeed, North America has a little industry that will do it for you. Second, public figures standing for public office in the UK have no legal right set by the European Court or otherwise in UK law (as I understand it as a layman) to have correct public-interest information about themselves omitted from Internet searches or indeed any publication. They have everyone's legal right through libel laws to have false information about themselves corrected and resulting damage compensated by the perpetrator. That's all as it was before the EUCJ ruling about the "right to be forgotten". Peter Bernard Ladkin, University of Bielefeld and Causalis Limited www.rvs.uni-bielefeld.de www.causalis.com