The RISKS Digest
Volume 28 Issue 79

Monday, 20th July 2015

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

The Golden Age of Surveillance
Peter Swire via Henry Baker
The history of backdoors and exceptional access
Matt Green
Nice little biz you got there, Apple. Hate for any laws to mess it up.
Benjamin Wittes
Code first, see how it looks later...
GovWatch via Gabe Goldberg
U.S. vs. Hackers: Still Lopsided...
Shear and Perlroth
Cameron --> Cameroff
PGN
Flaw in British school Internet monitoring software
The Guardian
Twitter privacy fail exposes private phone numbers
Lauren Weinstein
You Need to Speak Up For Internet Security. Right Now.
Katie Moussouris
Controversial new law on 'right to be forgotten' stirs debate in Russia
RBTH
FireEye ex-intern arrested for Darkode malware
Darren Pauli via Henry Baker
Oracle fixes zero-day Java flaw and over 190 other vulnerabilities
Lucian Constantin
Dog Bites Man; Surveillance Software Hacked
Thomas Fox-Brewster
Hairless Head in a Clueless Photo Booth
The NY Times
Trying to Win the Public's Trust With Autonomous Cars, at 120 MPH
NYT
California Firefighters impeded by drones
Gizmodo
Gun-Firing Drone Raises Some Eyebrows
PGN
Hacking Team and Boeing Subsidiary Envisioned Drones Deploying Spyware
Slashdot
Boeing: "P0wn drops keep falling on my head"
Cora Currier
Swindlers Target Older Women on Dating Websites
NYT
PayPal Notice of policy update
Gabe Goldberg
How a Simple Browser Add-On is Changing the Way Visually Impaired People Use the Web
GOOD
Win10 updates to be mandatory for Home users
Peter Bright
New York Stock Exchange System Failure Draws Attention to Staff Cuts
NYT
Hacking Team hacked, attackers claim 400GB in dumped data
Steve Ragan
Why the Islamic State leaves tech companies torn between free speech and security
WashPost
Heartbleed and beyond: Marine Corps 'cyber range' trains to fight off hackers
WashPost
NSA Summer Camp: More Hacking Than Hiking
NYT
U.S. vs. Hackers: Still Lopsided Despite Years of Warnings and a Recent Push
NYT
Civil Liability for End2End Encryption?
Conor Friedersdorf via Henry Baker
Re: Securing networks is harder than it was two years ago
Bob Frankston
Info on RISKS (comp.risks)

The Golden Age of Surveillance (Peter Swire)

Henry Baker <hbaker1@pipeline.com>
Thu, 16 Jul 2015 15:50:26 -0700
Peter Swire, *Slate*, 15 Jul 2015
The government doesn't need to weaken encryption—it already has the tools
it needs to catch criminals.
http://www.slate.com/articles/technology/future_tense/2015/07/encryption_back_doors_aren_t_necessary_we_re_already_in_a_golden_age_of.html

   [Excerpt:]

... the Review Group on Intelligence and Communications Technology report,
released in December 2013, unanimously and clearly recommended that the
U.S. government vigorously encourage the use of strong encryption, stating:

  We recommend that, regarding encryption, the US Government should:

  (1) fully support and not undermine efforts to create encryption standards;

  (2) not in any way subvert, undermine, weaken, or make vulnerable
      generally available commercial software; and

  (3) increase the use of encryption and urge US companies to do so, in
      order to better protect data in transit, at rest, in the cloud, and in
      other storage.

  With full awareness of the `going dark' concerns, we sharply criticized
  any attempt to introduce vulnerabilities into commercially available
  products and services, and found that even temporary vulnerabilities
  should be authorized only after administration-wide scrutiny.  Based on
  the top-secret briefings and our experience, we found these policies would
  best fight cybercrime, improve cybersecurity, build trust in the global
  communications infrastructure, and promote national security.

  At heart, providing access exceptions for U.S. law enforcement and
  intelligence agencies will be harmful, rather than helpful, to national
  security.  The inability to directly access the content of a small
  fraction of these communications does not warrant the subsequent damage
  that would result to privacy and to U.S. economic, diplomatic, and
  security interests.

Peter Swire is the Huang professor of law and ethics at the Georgia
Institute of Technology, senior counsel with Alston & Bird LLP, and a
cyber-fellow with New America.


The history of backdoors and exceptional access (Matt Green)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 20 Jul 2015 12:59:42 PDT
Matt Green (JHU) has an outstanding and well-written blog post on
exceptional access and related subjects—and their historical context.
http://blog.cryptographyengineering.com/2015/07/a-history-of-backdoors.html


Nice little biz you got there, Apple. Hate for any laws to mess it up. (Benjamin Wittes)

Henry Baker <hbaker1@pipeline.com>
Thu, 16 Jul 2015 10:25:35 -0700
Benjamin Wittes, LawFareBlog, 12 Jul 2015
Thoughts on Encryption and Going Dark, Part II: The Debate on the Merits
http://www.lawfareblog.com/thoughts-encryption-and-going-dark-part-ii-debate-merits


Code first, see how it looks later...

Gabe Goldberg <gabe@gabegold.com>
Wed, 15 Jul 2015 23:23:41 -0400
...what could go wrong? From Government Technology magazine, June 2015
http://www.govtech.com/magazines/gt/Government-Technology-June-2015.html

Designing in Reverse

Utah unveiled the latest iteration of its portal in April, with a new
mobile-first design that uses analytics to provide citizens an online
experience that's localized, personalized and individualized.  “We are
trying to make Utah.gov something that will stand out for people, keep them
coming back and help them navigate as easily as possible,'' said Utah CTO
Dave Fletcher.  The state also worked to make the redesigned site truly
device agnostic, so it adjusts dynamically and automatically based on the
user. To accomplish this, the portal was designed in reverse. Rather than
creating a wireframe of the site's look and then coding to match that look,
they started with the coding and didn't get to see how the site looked until
later.


U.S. vs. Hackers: Still Lopsided...

Werner U <werneru@gmail.com>
Sun, 19 Jul 2015 15:15:49 +0200
(19 Jul 2015, SlashDot, based on NYT)

Despite Triage, US Federal Cybersecurity Still Lags Behind
<http://yro.slashdot.org/story/15/07/19/0359200/despite-triage-us-federal-cybersecurity-still-lags-behind>
U.S. vs. Hackers: Still Lopsided Despite Years of Warnings and a Recent Push
<http://www.nytimes.com/2015/07/19/us/us-vs-hackers-still-lopsided-despite-years-of-warnings-and-a-recent-push.html?ref=technology>

According to *The New York Times*, U.S. government officials will soon
announce all the improvements their IT security teams have made to federal
systems in response to the OPM breach. Unfortunately, says the Times, these
updates only just scratch the surface, and are more to show that the
government is "doing something" than to fix the long-standing problems with
how it handles security. "After neglect that has been documented in dozens
of audits for nearly two decades, the federal government is still far behind
its adversaries. And it is still struggling to procure the latest
technological defenses or attract the kind of digital security expertise
necessary to secure its networks."  It seems each agency has to be hit by a
cyberattack, causing it to go into panic-mode independently, before learning
to properly safeguard its systems. Officials say far too much money is
wasted on figuring out who and what to blame, rather than on ameliorating
the problem. "At the Internal Revenue Service, auditors identified 69
vulnerabilities in the agency's networks last year, but when officials there
told Government Accountability Office auditors this year that they had fixed
24 of those problems, investigators found only 14 had been resolved."

U.S. vs. Hackers: Still Lopsided Despite Years of Warnings and a Recent Push
<http://www.nytimes.com/2015/07/19/us/us-vs-hackers-still-lopsided-despite-years-of-warnings-and-a-recent-push.html>

By Michael D. Shear and Nicole Perlroth, *The New York Times*, 18 Jul 2015

In the month since a devastating computer systems breach at the Office of
Personnel Management, digital SWAT teams have been racing to plug the most
glaring security holes in government computer networks and prevent another
embarrassing theft of personal information, financial data and national
security secrets.


Cameron --> Cameroff

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 15 Jul 2015 3:54:19 PDT
Cameron (who previously wanted to ban *all cryptography*) subsequently
reversed himself.
http://uk.businessinsider.com/uk-government-not-going-to-ban-encryption-2015-7


Flaw in British school Internet monitoring software

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 14 Jul 2015 15:38:44 PDT
http://www.theguardian.com/technology/2015/jul/14/security-flaw-found-in-school-internet-monitoring-software
  [Thanks to Ross Anderson]


Twitter privacy fail exposes private phone numbers

Lauren Weinstein <lauren@vortex.com>
Wed, 15 Jul 2015 17:28:55 -0700
Thanks a bunch, Twitter. If I had been at a public terminal or somewhere else
with other people around, you would have just proudly revealed my private
phone number to everyone. Jeez.  [NNSquad]

[Image]: https://plus.google.com/u/0/+LaurenWeinstein/posts/3MnyvtyTqfX


You Need to Speak Up For Internet Security. Right Now.

Henry Baker <hbaker1@pipeline.com>
Thu, 16 Jul 2015 09:32:37 -0700
Katie Moussouris, *Wired* (Security), 16 Jul 2015
Vendors receiving vulnerability reports will have to apply for `deemed
export licenses'.  Vulnerability disclosure itself is threatened by the new
rules.  Some researchers' work will be commandeered by their own government
for use in surveillance if they turn it over to request an export license.
https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#h-19
https://www.wired.com/2015/07/moussouris-wassenaar-open-comment-period/


Controversial new law on 'right to be forgotten' stirs debate in Russia

Lauren Weinstein <lauren@vortex.com>
Sun, 19 Jul 2015 09:07:21 -0700
(Russia Beyond the Headlines):
http://rbth.com/politics/2015/07/14/controversial_new_law_on_right_to_be_forgotten_stirs_debate_in_russi_47745.html

  Russia has adopted a law on the so-called "right to be forgotten," which
  will require internet search engines to remove links to personal
  information at the request of citizens.  Although State Duma deputies
  claim the legislation mirrors that of the European Union, industry players
  strongly oppose the law, predicting a series of lawsuits, while lawyers
  say that such a right is unconstitutional and express concern that the law
  will be used by prominent individuals to selectively edit their past.


FireEye ex-intern arrested for Darkode malware (Darren Pauli)

Henry Baker <hbaker1@pipeline.com>
Thu, 16 Jul 2015 06:04:17 -0700
  [Making privateers also means making pirates; there's lots more tears and
  gibbeting to come.  It's time for a little mutiny against 'bug bounties'.]

Darren Pauli, *The Register*, 16 Jul 2015
FireEye intern nailed in Darkode downfall was VXer, say the Feds: 'Helped
improve detection capabilities' while allegedly selling badass trojan toolkit
http://www.theregister.co.uk/2015/07/16/fireeye_intern_morgan_culbertson_allegedly_darkode_vxer_dendroid/

Background:
https://en.wikipedia.org/wiki/List_of_pirates
https://en.wikipedia.org/wiki/Gibbet


"Oracle fixes zero-day Java flaw and over 190 other vulnerabilities" (Lucian Constantin)

Gene Wirchenko <genew@telus.net>
Fri, 17 Jul 2015 09:49:54 -0700
Lucian Constantin, InfoWorld
Users should update Java as soon as possible because attackers are
already taking advantage of at least one vulnerability
http://www.infoworld.com/article/2948208/security/oracle-fixes-zeroday-java-flaw-and-over-190-other-vulnerabilities.html


Dog Bites Man; Surveillance Software Hacked (Thomas Fox-Brewster)

Henry Baker <hbaker1@pipeline.com>
Thu, 16 Jul 2015 14:43:21 -0700
  [FYI—Another day, another "shocked, shocked" story of hacked
  surveillance software.  This would be boring, except that the FBI really,
  really wants to be invited to this party, too.]

Thomas Fox-Brewster, *Forbes*, 14 Jul 2015
This 'Anti-Radicalisation' Tech Teachers Use To Monitor Kids Has A Shocking Security Hole
http://www.forbes.com/sites/thomasbrewster/2015/07/14/child-surveillance-vulnerability/


Hairless Head in a Clueless Photo Booth

Monty Solomon <monty@roscom.com>
Mon, 20 Jul 2015 09:12:46 -0400
A simple errand to get a passport photo exposes the blinkered logic lurking
in the rule-bound technologies that pervade our lives.
http://www.nytimes.com/2015/07/19/your-money/hairless-head-in-a-clueless-photo-booth.html

  [Same article noted by George Mannes:
  Algorithm of passport photo booth crops off head of bald subject
  PGN]


Trying to Win the Public's Trust With Autonomous Cars, at 120 MPH

Monty Solomon <monty@roscom.com>
Sun, 19 Jul 2015 09:18:31 -0400
Engineering a self-driving car is difficult enough. Now the public has to be
convinced that the technology works.
http://www.nytimes.com/2015/07/17/automobiles/trying-to-win-the-publics-trust-with-autonomous-cars-at-120-mph.html

  [Works?  Maybe.  But is it safe, secure, nonsubvertible, private, etc.  PGN]


California Firefighters impeded by drones

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 17 Jul 2015 22:37:47 PDT
http://gizmodo.com/firefighters-cant-save-people-burning-in-cars-because-o-1718675039
  Monty Solomon also noted:
    http://www.pbs.org/newshour/rundown/drones-california-fire/


Gun-Firing Drone Raises Some Eyebrows

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 17 Jul 2015 4:39:28 PDT
A video posted on YouTube showing a drone firing a gun in a wooded area has
caused some controversy today.  The short video shows a four-rotored custom
drone with a special rig containing a handgun. The handgun proceeds to fire
four shots, handling the recoil better than might be expected. The user who
posted the video also submitted it to Reddit, where a commenter noted that
the apparent use of a solenoid trigger would class the device as an
automatic weapon under ATF rules.

<http://tech.slashdot.org/story/15/07/16/1455223/gun-firing-drone-raises-some-eyebrows>
<https://www.youtube.com/watch?v=xqHrTtvFFIs>
<http://www.theguardian.com/technology/2015/jul/16/drone-firing-handgun-video-youtube>
<http://thestack.com/drone-firing-gun-160715>
<https://www.reddit.com/r/guns/comments/3cyd67/>


Hacking Team and Boeing Subsidiary Envisioned Drones Deploying Spyware

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 20 Jul 2015 10:46:09 PDT
Advocatus Diaboli writes: Email conversations posted on WikiLeaks reveal
that Boeing and Hacking Team want drones to carry devices that inject
spyware into target computers through WiFi networks
<http://it.slashdot.org/story/15/07/19/2322240/hacking-team-and-boeing-subsidiary-envisioned-drones-deploying-spyware>
<http://it.slashdot.org/%7EAdvocatus+Diaboli>
<https://firstlook.org/theintercept/2015/07/18/hacking-team-wanted-infect-computers-drone/>.

The Intercept reports: "The plan is described in internal emails from the
Italian company Hacking Team, which makes off-the-shelf software that can
remotely infect a suspect's computer or smartphone, accessing files and
recording calls, chats, emails and more. A hacker attacked the Milan-based
firm earlier this month and released hundreds of gigabytes of company
information online. Among the emails is a recap of a meeting in June of this
year, which gives a "roadmap" of projects that Hacking Team's engineers have
underway. On the list: Develop a way to infect computers via drone. One
engineer is assigned the task of developing a "mini" infection device, which
could be "ruggedized" and "transportable by drone (!)" the write-up notes
enthusiastically in Italian. The request appears to have originated with a
query from the Washington-based Insitu, which makes a range of unmanned
systems, including the small ScanEagle surveillance drone, which has long
been used by the militaries of the U.S. and other countries. Insitu also
markets its drones for law enforcement."


Boeing: "P0wn drops keep falling on my head"

Henry Baker <hbaker1@pipeline.com>
Sat, 18 Jul 2015 15:31:06 -0700
Boeing In Deep Sh*tu: Are you smarter than a fifth grader?
"Insitu also markets its drones for law enforcement"
Another "NOBUS" conceit: "NObody But US" could possibly do something this
clever.
https://firstlook.org/theintercept/2015/07/18/hacking-team-wanted-infect-computers-drone/

Hacking Team and Boeing Subsidiary Envisioned Drones Deploying Spyware
Cora Currier, *The Intercept*, 18 Jul 2015

There are lots of ways that government spies can attack your computer, but a
U.S. drone company is scheming to offer them one more. Boeing subsidiary
Insitu would like to be able to deliver spyware via drone.


Swindlers Target Older Women on Dating Websites

Monty Solomon <monty@roscom.com>
Sun, 19 Jul 2015 08:21:52 -0400
Older people are ideal targets because they often have ample savings, own
their homes and may be lonely and susceptible to being deceived.
http://www.nytimes.com/2015/07/18/your-money/swindlers-target-older-women-on-dating-websites.html


PayPal Notice of policy update

Gabe Goldberg <gabe@gabegold.com>
Wed, 15 Jul 2015 18:25:07 -0400
Good: apology, clarification, and only opt-in autodialed or recorded calls,
or texts. And only two paragraphs of legalese to read. But, sigh—must
CALL customer support to revoke opt-in.

  "Notice of policy update"

  We value our relationship with you and work hard to communicate clearly.
  Recently, however, we did not live up to our own standards.

  Earlier this year, we sent you an email about updates that we planned to
  make to our User Agreement on July 1, 2015. The User Agreement is a
  document we share to help you understand your relationship with PayPal and
  the obligations we both have.

  Unfortunately, some of the language in this update caused confusion and
  concern with some of our customers about how we may contact you.

  To clear up any confusion, we have modified the terms of Section 1.10 of
  our User Agreement. The new language is intended to make it clear that
  PayPal primarily uses autodialed or prerecorded calls and texts to:

     - Help detect, investigate and protect our customers from fraud
     - Provide notices to our customers regarding their accounts or
       account activity
     - Collect a debt owed to us

  In addition, the new Sections 1.10(a) and 1.10(b) make it clear that:

     - We will not use autodialed or prerecorded calls or texts to contact
       our customers for marketing purposes without prior express written
       consent.
     - Customers can continue to enjoy our products and services without
       needing to consent to receive autodialed or prerecorded calls or
       texts.
     - We respect our customers' communications preferences and recognize
       that their consent is required for certain autodialed and prerecorded
       calls and texts. Customers may revoke consent to receive these
       communications by contacting PayPal customer support and informing us
       of their preferences.

  If you are interested, you can read this updated section of the User
  Agreement below and by clicking on the links at the bottom of this
  message.

  We apologize for any confusion we may have caused. Should you have any
  additional questions, please don't hesitate to reach out to our customer
  service team.

https://view.paypal-communication.com/w/DXWSIO7/MS9YBC/ASU0OD8/QXQPJP/1/34db06e43778403c1835/


How a Simple Browser Add-On is Changing the Way Visually Impaired People Use the Web

Lauren Weinstein <lauren@vortex.com>
Thu, 16 Jul 2015 18:32:09 -0700
NNSquad

http://magazine.good.is/articles/depict-accessibility-visual-impairment-web-browsing

  Last month, Parsley presented Depict, a crowd-sourced image description
  tool that could change the experience of browsing the web for the
  blind and visually impaired. The tool works in two parts--a browser
  extension for blind users that provides user-created descriptions of
  images around the Internet, and a website for sighted users to provide
  those requested descriptions. If a blind user clicks on an image of an
  apple tree, which is not properly described in the HTML code, the photo
  will appear on the crowd-sourced website where sighted users can write
  "apple tree." The highest rated description based on sighted user votes
  will then replace the original description, and be read aloud to any blind
  user that scrolls over the photograph in the future. Parsley's husband
  Jason Sanders helped her develop the final iteration of Depict, which is
  now available as an extension on Google Chrome browsers.


Win10 updates to be mandatory for Home users (Peter Bright)

Henry Baker <hbaker1@pipeline.com>
Fri, 17 Jul 2015 06:15:39 -0700
  [The beginning or the end of an error?]

Peter Bright, Ars Technica, 17 Jul 2015
Now it will only take a National Security Letter for Microsoft to install
some govt's malware (warrant completely optional).
Only Enterprise users will be able to hold back the updates longterm.
http://arstechnica.com/information-technology/2015/07/windows-10-updates-to-be-automatic-and-mandatory-for-home-users/


New York Stock Exchange System Failure Draws Attention to Staff Cuts

Monty Solomon <monty@roscom.com>
Tue, 14 Jul 2015 22:55:58 -0400
http://www.nytimes.com/2015/07/15/business/big-board-system-failure-draws-attention-to-staff-cuts.html

Staff reductions in New York have been under scrutiny because of the
possibility that they left the exchange without enough experienced people to
manage a crisis like the one it faced last Wednesday.


"Hacking Team hacked, attackers claim 400GB in dumped data" (Steve Ragan)

Gene Wirchenko <genew@telus.net>
Mon, 20 Jul 2015 09:58:28 -0700
Steve Ragan, CSO, 5 Jul 2015
Firm made famous for helping governments spy on their citizens left exposed
http://www.csoonline.com/article/2943968/data-breach/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html


Why the Islamic State leaves tech companies torn between free speech and security (WashPost)

Lauren Weinstein <lauren@vortex.com>
Thu, 16 Jul 2015 11:22:58 -0700
*The Washington Post* via NNSquad
https://www.washingtonpost.com/world/national-security/islamic-states-embrace-of-social-media-puts-tech-companies-in-a-bind/2015/07/15/0e5624c4-169c-11e5-89f3-61410da94eb1_story.html

  "ISIS has been confronting us with these really inhumane and atrocious
  images, and there are some people who believe if you type 'jihad' or
  'ISIS' on YouTube, you should get no results," Victoria Grand, Google's
  director of policy strategy, told The Washington Post in a recent
  interview. "We don't believe that should be the case. Actually, a lot of
  the results you see on YouTube are educational about the origins of the
  group, educating people about the dangers and violence. But the goal here
  is how do you strike a balance between enabling people to discuss and
  access information about ISIS, but also not become the distribution
  channel for their propaganda?"

Related: "Terrorism, the Internet, and Google":
http://lauren.vortex.com/archive/001111.html (6/30/2015)


Heartbleed and beyond: Marine Corps 'cyber range' trains to fight off hackers

Gabe Goldberg <gabe@gabegold.com>
Wed, 15 Jul 2015 23:12:20 -0400
  [This sure is vague about exactly what this "range" consists of...]

A virtual training range developed for the Marine Corps to prepare troops
for cyber operations has been adapted to do everything from prepare for
offensive actions to secure networks defensively against hacking threats
like the Heartbleed security bug, Marine officials said.

The network was established by defense contractor ManTech within the last
year at a cost of about $9.1 million. Maintained at an office park just
south of Marine Corps Base Quantico, Va., it is used to train not only
troops who focus on cyber operations, but Marines who focus on
communications, intelligence and operational planning.

"Conceptually people might have a harder time picturing this battle space,
but it is battle space," said Col. Gregory T. Breazile, the director of the
service's cyber and electronic warfare integration division, in an
interview. "When we in the Marine Corps look at maneuver warfare, this is
maneuver warfare. It's fighting the enemy's weak points and exploiting those
weak points so that you can defeat your adversary."

https://www.washingtonpost.com/news/checkpoint/wp/2015/07/08/heartbleed-and-beyond-marine-corps-cyber-range-trains-to-fight-off-hackers/

Gabriel Goldberg, Computers and Publishing, Inc.  gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042  (703) 204-0433


NSA Summer Camp: More Hacking Than Hiking

Monty Solomon <monty@roscom.com>
Sun, 19 Jul 2015 08:33:20 -0400
http://www.nytimes.com/2015/07/18/us/nsa-summer-camp-hacking-cyber-defense.html

The National Security Agency is making sure that middle school and high
school students—and some teachers, too—are learning how to hack, crack
and defend in cyberspace.


U.S. vs. Hackers: Still Lopsided Despite Years of Warnings and a Recent Push

Monty Solomon <monty@roscom.com>
Sun, 19 Jul 2015 08:37:23 -0400
http://www.nytimes.com/2015/07/19/us/us-vs-hackers-still-lopsided-despite-years-of-warnings-and-a-recent-push.html

Officials and experts acknowledge that the computer networks of many federal
agencies remain highly vulnerable to sophisticated cybercriminals, who are
often sponsored by other countries.


Civil Liability for End2End Encryption? (Conor Friedersdorf)

Henry Baker <hbaker1@pipeline.com>
Thu, 16 Jul 2015 15:25:54 -0700
  [FYI—OK, if we're going to have civil liability for end-to-end
  encryption, then it should go both ways; those who screw up customers'
  encryption should also have to pay—e.g., OPM, Sony, Target,
  Neiman-Marcus, etc.—and a lousy few hundred dollars for "credit
  monitoring" isn't nearly enough by orders of magnitude.  I suspect that
  the vast majority of the money will go to the Neiman customers rather than
  to kidnap victims' parents.]

Conor Friedersdorf, *The Atlantic*, 15 Jul 2015
Do Encrypted Phones Threaten National Security?
A legislator compares manufacturing devices with strong, end-to-end
encryption to dumping toxic waste in a stream.
http://www.theatlantic.com/politics/archive/2015/07/does-encryption-threaten-national-security/398573/


Re: Securing networks is harder than it was two years ago (R-28.78) (BetaNews)

"Bob Frankston" <bob2-53@bob.ma>
17 Jul 2015 21:38:03 -0400
What does it mean to "secure a network"? Is this like securing glass and
copper?

It's not that networks are harder to secure—the increased use of
connectivity exposes the naiveté inherent in the idea of securing the
network. This isn't as much a technical issue as a social problem as we
come to terms with the new topologies of relationships.

Of course this is about marketing a particular solution as if automation is
the answer. People tend to forget that those algorithms amplify our naiveté
as well as our understanding.
