The RISKS Digest
Volume 28 Issue 8

Saturday, 19th July 2014

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Dreams of rescuing a retired NASA probe come to an end
Tom Warren via Dewayne Hendricks
Lethal Weapon: The Self Driving Car
Steve Lamont
FRANCE: Blogger fined over review's Google search placement
BBC via Lauren Weinstein
Vint Cerf on The Colbert Report
Bill Daul
Boleto malware may lose Brazil $3.75bn
Chris J Brady
Disk-sniffing dogs find thumb drives, DVD's?
Katie Mulvaney via Henry Baker
Paid Android Wear apps don't work, thanks to DRM
Ron Amadeo via Monty Solomon
Goldman Sachs demands Google unsend one of its e-mails
Casey Johnston via Monty Solomon
Court-approved wiretaps defeating encryption, feds say
David Kravets via Monty Solomon
"Sex, spies, and the cloud: NSA revelations continue to weaken confidence"
David Linthicum via Gene Wirchenko
"Massachusetts high court orders suspect to decrypt his computers"
Cyrus Farivar via Gene Wirchenko
Congress is overdue in dealing with the cybersecurity threat
WashPost
"Better patch Flash: 'Rosetta Flash' attack can steal site cookies"
Serdar Yegulalp via Gene Wirchenko
Scholarly journal retracts 60 articles, smashes peer review ring
Fred Barbash via Henry Baker
It's Twitter vs. Free Speech, And Free Speech Is Losing - ReadWrite
Gabe Goldberg
"Microsoft zaps bogus SSL certs with emergency patch 2982792"
Woody Leonhard via Gene Wirchenko
"Horrifying confessions of a security sleuth"
Eric Knorr via Gene Wirchenko
Re: Unix "*" wildcards considered harmful
Gene Wirchenko
Michael Kohne
Dave Horsfall
Re: Facebook purposely manipulated news feeds to experiment with users' emotions
Bill Gunshannon
Info on RISKS (comp.risks)

Dreams of rescuing a retired NASA probe come to an end (Tom Warren)

Dewayne Hendricks <dewayne@warpspeed.com>
July 10, 2014 at 1:21:34 PM EDT
Tom Warren, *The Verge* 20 Jul 2014
Engines fail to reignite in $160,000 crowdfunding effort

  [A subsequent excellent item by Keith Cowing, co-leader of the ISEE-3
  Reboot Project (whom Tom Warren quotes, below), Lost and Found in Space:
  Crowdsourcing finds new frontiers with a spaceship's reboot. is an Op-Ed
  in today's issue of *The New York Times*, 19 July 2014—well worth
  reading!  It has a considerably more positive and constructive spin.  PGN]

<http://www.theverge.com/2014/7/10/5886807/isee-3-space-probe-rescue-ends>

Efforts to resurrect the vintage ISEE-3 space probe have ended in
disappointment. The probe was launched by NASA in 1978 to measure solar
winds, but decommissioned in 1997 as the craft drifted farther and farther
from Earth. A group of former NASA employees launched a $160,000
crowdfunding effort in 2008 to attempt to return the probe to active duty,
but despite a promising start earlier this week the mission is largely
over. The team successfully fired the ISEE-3's thrusters at the weekend, but
additional efforts to spin the craft into a new orientation towards Earth
have failed.

The promising engine firings over the weekend could have been the result of
burned fuel that was already in the fuel lines, but attempts on Tuesday and
Wednesday failed because the nitrogen tanks aren't working or are empty. "At
this point we're sort of scratching our heads," says Keith Cowing, a former
NASA employee working on the project, in an interview with NPR. "We may take
one last run at the spacecraft but this may be it for an attempt to bring it
back to Earth." The ISEE-3 space probe has now been switched to a mode that
allows its instruments to collect and beam back data to Earth.
Communications are expected to last around another three months before the
craft drifts too far away from Earth to realistically be rescued again.


Lethal Weapon: The Self Driving Car

Steve Lamont
Thu, 17 Jul 2014 10:10:14 -0700
http://www.bbc.com/news/technology-28344219

  Driverless cars, such as those being developed by Google, could be lethal
  weapons, the FBI has reportedly warned.  An internal report, obtained by
  *The Guardian*, said the vehicles could be "game changing" for law
  enforcement.  The report noted criminals using automated cars would have
  both hands free and be able to take their eyes off the road during a car
  chase.  But it said that driverless vehicles could help the emergency
  services by automatically clearing a path for them.

  In the report, which was marked restricted and obtained under a public
  records request, the FBI predicted the vehicles "will have a high
  impact on transforming what both law enforcement and its adversaries
  can operationally do with a car".

  And, under the heading "Multitasking", the FBI said that "bad actors will
  be able to conduct tasks that require use of both hands or taking one's
  eyes off the road which would be impossible today".  That raised the
  prospect that suspected criminals would be able to fire weapons at
  pursuing police cars. [...]


FRANCE: Blogger fined over review's Google search placement

Lauren Weinstein <lauren@vortex.com>
Wed, 16 Jul 2014 12:02:59 -0700
BBC via NNSquad
http://www.bbc.com/news/technology-28331598

  A French judge has ruled against a blogger because her scathing restaurant
  review was too prominent in Google search results.  The judge ordered that
  the post's title be amended and told the blogger Caroline Doudet to pay
  damages [$2000!]. Ms Doudet said the decision made it a crime to be highly
  ranked on search engines.  The restaurant owner said the article's
  prominence was unfairly hurting his business.  Ms Doudet was sued by the
  owner of Il Giardino restaurant in the Aquitaine region of southwestern
  France after she wrote a blogpost entitled "the place to avoid in
  Cap-Ferret: Il Giardino".  According to court documents, the review
  appeared fourth in the results of a Google search for the restaurant. The
  judge decided that the blog's title should be changed, so that the phrase:
  "the place to avoid" was less prominent in the results.  The judge sitting
  in Bordeaux also pointed out that the harm to the restaurant was
  exacerbated by the fact that Ms Doudet's fashion and literature blog
  "Cultur'elle" had around 3,000 followers, indicating she thought it was a
  significant number.

 - - -

I hope French readers of this are as humiliated and embarrassed as they
should be. "Liberty, Equality, Fraternity"...? Looks like Inspector
Clouseau is running the store.


Vint Cerf on The Colbert Report

Bill Daul <bdaul@pacbell.net>
Wed, 16 Jul 2014 00:21:31 -0700
http://thecolbertreport.cc.com/  look for July 15th and Vint.


Boleto malware may lose Brazil $3.75bn

Chris J Brady <chrisjbrady@yahoo.com>
Mon, 7 Jul 2014 14:25:33 -0700
"Researchers from an American security company have unearthed a substantial
malware-based fraud ring.  The operation has infiltrated one of Brazil's
most popular payment methods, Boleto, for two years.  An estimated 495,753
Boleto transactions have been compromised, which means the hackers could
have stolen up to $3.75bn.

https://blogs.rsa.com/rsa-uncovers-boleto-fraud-ring-brazil/

"... this will have been the largest electronic theft in history if even
half of the valued worth turns out to be in the hands of criminals,
according to the New York Times."


Disk-sniffing dogs find thumb drives, DVD's?

Henry Baker <hbaker1@pipeline.com>
Mon, 07 Jul 2014 18:37:52 -0700
FYI—No doubt, the dogs smell the FAT in the file system.  If dogs can
really do this, I foresee an uptick in coffee-scented thumb drives. ;-)

This stunt is analogous to "MPAA's Anti-Piracy Dogs Visit Elementary
School"; see article below; I wonder if dogs can smell the difference
between DVD+R's and DVD-R's...

Katie Mulvaney, *Providence Journal*, 5 July 2014
New methods to combat growth of Internet child porn in Rhode Island
http://www.providencejournal.com/breaking-news/content/20140705-new-methods-to-combat-growth-of-internet-child-porn-in-rhode-island.ece

State Police Detective Adam Houston takes Thoreau from his cruiser.  The
yellow lab, 2, is trained to sniff out devices such as thumb drives and hard
drives that child porn traffickers use to store photos of children.

From a bank of computers at state police headquarters, detectives tap into a
network of child pornography traffickers. ...

Golden Labrador

The state police, through the task force, are also taking a new approach.
The recent arrival of golden Labrador Thoreau makes Rhode Island the second
state in the nation to have a police dog trained to sniff out hard drives,
thumb drives and other technological gadgets that could contain child
pornography.

Thoreau received 22 weeks of training in how to detect devices in exchange
for food at the Connecticut State Police Training Academy.

Given to the state police by the Connecticut State Police, the dog assisted
in its first search warrant in June pinpointing a thumb drive containing
child pornography hidden four layers deep in a tin box inside a metal
cabinet.  That discovery led the police to secure an arrest warrant, Yelle
says.

“If it has a memory card, he'll sniff it out,'' Detective Adam Houston,
Thoreau's handler, says.

At times, child pornographers hide devices in ceiling tiles or even radios.

Houston demonstrated the dog's skills last month.  Houston walked the dog
through a room in which he had hidden devices.  A second pass went more
slowly, with Houston coaxing the dog.  “Show me. Show me.''

Thoreau furiously sniffed shelves, desks, cabinets.  The dog located a hard
drive inside a Ziploc bag in the upper shelf of a desk.  A flash drive and
thumb drive were also found, with the dog zeroing in on their location down
to the exact drawer.  In exchange, Thoreau got food.

“This is how he eats every day,'' says Houston, who cares for the dog
around the clock. ...

http://pctechtalk.com/topic/68819-mpaas-anti-piracy-dogs-visit-elementary-school/

  [Henry included an older relevant item:]

MPAA's Anti-Piracy Dogs Visit Elementary School
Started by kingace , Apr 25 2008 01:36 PM

Lucky and Flo used to help "educate" kids about the "importance of copyright
laws."

Lucky and Flo, the world's first-ever DVD-sniffing dogs, made a visit to
Clover Avenue Elementary School in Los Angeles a few days ago to kick-off a
three-city North American tour that will include visits to Mexico City and
Washington DC in honor of World Intellectual Property Day.

The MPAA teamed up with Los Angeles City Councilmember Wendy Greuel—Chair
of the Los Angeles Anti-Piracy Task Force—and Internet safety expert
Dr. Parry Aftab to talk to Clover's fourth and fifth graders about the
importance of copyright protection with the assistance of the MPAA's very
own Lucky and Flo.

"Lucky and Flo have traveled all over the world assisting law enforcement
officials in tracking down pirate operations and have helped raise global
awareness about the problem of motion picture piracy.  These special dogs
are helping us educate children about the importance of respecting
copyrights while presenting it in a fun and exciting way," said MPAA
executive vice president and director of worldwide anti-piracy operations
John Malcolm.

But, what's unclear is why such young children must be subject to such
efforts.  Certainly showing them two DVD-sniffing canines is meant to scare
them to some degree.  Why else would they tout their ability to sniff out
pirated goods?  I'll bet they even did a demonstration where they hid a
pirated DVD in one of the kids' lockers for Lucky or Flo to find, further
frightening young children into copyright law submission.

"Education is key to further any efforts undertaken to protect intellectual
property.  By speaking to kids at this age level we are working to instill
early-on the importance of protecting copyrights and the negative
consequences of piracy," said council member Greuel.  "Film piracy harms
local economies, kills jobs and impacts everyone who is involved in the
production and distribution of movies."

Yet, again we have a case of copyright holders using heavy-handed tactics to
"educate people."  Surely these elementary school age children are too young
to sell bootleg DVDs so is it digital piracy that it's concerned with?  If
this is the case I hope someone tells the kids that Lucky and Flo can't
detect pirated movies on your hard disk drive.

http://www.zeropaid.com/news/9429/MPAA%27s+Anti-Piracy+Dogs+Visit+Elementary+School


Paid Android Wear apps don't work, thanks to DRM (Ron Amadeo)

Monty Solomon <monty@roscom.com>
Tue, 8 Jul 2014 01:40:09 -0400
Ron Amadeo, Ars Technica, 7 Jul 2014
Apps install from phone to watch, but the encryption key gets lost.

With smartwatches running Android Wear slowly starting to trickle out into
the world, developers are coming to grips with Google's new wearable
platform. In doing so, they have found one of its first big bugs: paid apps
don't work. ...

http://arstechnica.com/gadgets/2014/07/google-drm-bug-blocks-paid-android-wear-apps/


Goldman Sachs demands Google unsend one of its e-mails (Casey Johnston)

Monty Solomon <monty@roscom.com>
Tue, 8 Jul 2014 01:43:04 -0400
Casey Johnston, Ars Technica, 2 Jul 2014
A court order is on the table for Google to undo Goldman Sachs' mistake.

Google won't delete Gmail message without a court order, but it will block.
Goldman Sachs has demanded a court order to get Google to unsend an e-mail
that the bank sent in error, according to Reuters' report Wednesday. The
e-mail contained "highly confidential" information addressed to the wrong
account, a mistake on Goldman Sachs' part that Google hasn't yet been
tempted to rectify. ...

http://arstechnica.com/business/2014/07/goldman-sachs-demands-google-unsend-one-of-its-e-mails/


Court-approved wiretaps defeating encryption, feds say (David Kravets)

Monty Solomon <monty@roscom.com>
Tue, 8 Jul 2014 01:46:28 -0400
David Kravets, Ars Technica, 2 Jul 2014
Authorities are likely to confront growing number of encrypted devices.

The use of court-approved wiretaps in domestic criminal cases in 2013
increased five percent from the year before, and authorities largely
defeated encryption methods on the mobile, landline, and other devices they
tapped, according to a report Wednesday from the US agency that oversees the
country's court system.

The Administrative Office of the United States Courts, using the latest
available figures, said there were 3,576 wiretaps reported.  That
represented a nine-percent bump in federal court orders and a three percent
increase from state judges. The report said that only one wiretap
application was denied for all of 2013.

When it comes to cracking encryption, the authorities said they encountered
encryption 41 times, up from 15 the year before. ...

http://arstechnica.com/tech-policy/2014/07/court-approved-wiretaps-defeating-encryption-feds-say/


"Sex, spies, and the cloud: NSA revelations continue to weaken confidence" (David Linthicum)

Gene Wirchenko <genew@telus.net>
Tue, 08 Jul 2014 09:17:30 -0700
David Linthicum, InfoWorld, 08 Jul 2014
Sex, spies, and the cloud: NSA revelations continue to weaken confidence
Washington Post investigation asserts that the NSA collects data
mostly from ordinary citizens, not potential terrorists
http://www.infoworld.com/d/cloud-computing/sex-spies-and-the-cloud-nsa-revelations-continue-weaken-confidence-245658

opening text:

According to a four-month investigation by *The Washington Post* based on
information provided by Edward Snowden, ordinary Internet users far
outnumber legally targeted foreigners in the communications intercepted by
the National Security Agency from U.S. digital networks.

Indeed, 9 of 10 account holders found in a large store of intercepted
electronic conversations, which Snowden provided in full to the Post, were
not the intended surveillance targets. Instead, they were gathered as part
of the NSA's monitoring of other people of interest.


"Massachusetts high court orders suspect to decrypt his computers" (Cyrus Farivar)

Gene Wirchenko <genew@telus.net>
Tue, 08 Jul 2014 19:18:59 -0700
Cyrus Farivar, Ars Technica, 26 Jun 2014
Law & Disorder / Civilization & Discontents
Suspect told cops: "Everything is encrypted and no one is going to get to it."
http://arstechnica.com/tech-policy/2014/06/massachusetts-high-court-orders-suspect-to-decrypt-his-computers/


Congress is overdue in dealing with the cybersecurity threat

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 14 Jul 2014 15:02:52 PDT
Editorial Board of *The Washington Post*, 13 Jul 2014

The Internet security company Symantec revealed recently that a group of
hackers known as Dragonfly infiltrated malware into legitimate software
belonging to three manufacturers of industrial control systems—the
stuff that controls factories and power grids. In one case, the contaminated
control software was downloaded 250 times by unsuspecting users before the
compromise was discovered.

This kind of cyberattack is not new, but it is audacious and dangerous. One
of the first such assaults was the Stuxnet campaign, which had sabotage as
its primary goal, against the Iranian nuclear program. By contrast,
Dragonfly was a multi-pronged infiltrator, aimed at cyber-espionage and
gaining long-term access to computers, with sabotage as a future option,
perhaps flicking off the electrical power to a city or shutting down a
factory. Dragonfly probably was state-sponsored from somewhere in Eastern
Europe.

Not alarmed? Then take a look at a proposal from the Securities Industry and
Financial Markets Association. According to Bloomberg, Wall Street's
biggest trade group has suggested setting up a high-level U.S.
government-industry council to deal with cyberthreats. What do they fear?
Attacks that “destroy data and machines'' and could lead to runs on
financial institutions, loss of confidence in the banking system and
“devastating'' consequences for the economy. The group predicts attacks
could result in “account balances and books and records being converted to
zeros,'' Bloomberg reported on 8 Jul.

A torrent of cyberattacks—disruption, espionage, theft—is costing
U.S. business and government billions of dollars. This is reality, not
science fiction. In March, Chinese hackers broke into the U.S. government
agency that houses the personal information of all federal employees.

For several years, it has been clear to many in government and the private
sector that the nation needs to vastly improve protection of its private
networks and that only government has the sophisticated tools to do
that. But Congress has balked at legislation that would ease the necessary
cooperation.

Thus it was encouraging to see the Senate Select Committee on Intelligence
vote 12 to 3 last week to approve a cybersecurity bill that would begin to
bridge the gap. Its prospects in the full Senate are uncertain. A similar
bill passed the House last year.

Understandably, the legislation has triggered alarms about invasion of
privacy. There are legitimate fears that the National Security Agency and
U.S. Cyber Command will, in pursuit of cybersecurity, scoop up too much
information about Americans. Certainly, the disclosures by former contractor
Edward Snowden about how much the NSA vacuumed up in telephone and Internet
data have undermined confidence in the government. But this supercharged
privacy debate should not stand in the way of a good cybersecurity
bill. Rather, it is a reason for Congress to build in workable and
sufficient privacy protections and get on with passing legislation that is
long overdue.


"Better patch Flash: 'Rosetta Flash' attack can steal site cookies" (Serdar Yegulalp)

Gene Wirchenko <genew@telus.net>
Wed, 09 Jul 2014 17:58:16 -0700
Serdar Yegulalp | InfoWorld, 09 Jul 2014
Better patch Flash: 'Rosetta Flash' attack can steal site cookies
A new proof-of-concept attack exploits a bug in Adobe Flash that
allows stealing of user credentials across websites
http://www.infoworld.com/t/hacking/better-patch-flash-rosetta-flash-attack-can-steal-site-cookies-245801


Scholarly journal retracts 60 articles, smashes peer review ring (Fred Barbash)

Henry Baker <hbaker1@pipeline.com>
Fri, 11 Jul 2014 03:58:44 -0700
FYI—Is this case of scholar misconduct really rare, or merely rarely
uncovered?

Fred Barbash, *The Washington Post*, 10 Jul 2014
http://www.washingtonpost.com/news/morning-mix/wp/2014/07/10/scholarly-journal-retracts-60-articles-smashes-peer-review-ring/

Every now and then a scholarly journal retracts an article because of errors
or outright fraud.  In academic circles, and sometimes beyond, each
retraction is a big deal.

Now comes word of a journal retracting 60 articles at once.

The reason for the mass retraction is mind-blowing: A peer review and
citation ring was apparently rigging the review process to get articles
published.

You've heard of prostitution rings, gambling rings and extortion rings.  Now
there's a peer-review ring.

The publication is the Journal of Vibration and Control (JVC).  It publishes
papers with names like “Hydraulic engine mounts: a survey'', and
“Reduction of wheel force variations with magnetorheological devices.''

The field of acoustics covered by the journal is highly technical:

Analytical, computational and experimental studies of vibration phenomena
and their control.  The scope encompasses all linear and nonlinear vibration
phenomena and covers topics such as: vibration and control of structures and
machinery, signal analysis, aeroelasticity, neural networks, structural
control and acoustics, noise and noise control, waves in solids and fluids
and shock waves.

JVC is part of the SAGE group of academic publications.

Here's how it describes its peer review process:

[The journal] operates under a conventional single-blind reviewing policy in
which the reviewer's name is always concealed from the submitting author.

All manuscripts are reviewed initially by one of the Editors and only those
papers that meet the scientific and editorial standards of the journal, and
fit within the aims and scope of the journal, will be sent for peer review.
Generally, reviews from two independent referees are required.

An announcement from SAGE published July 8 explained what happened, albeit
somewhat opaquely.

In 2013, the editor of JVC, Ali H. Nayfeh, became aware of people using
`fabricated identities' to manipulate an online system called SAGE Track by
which scholars review the work of other scholars prior to publication.

Attention focused on a researcher named Peter Chen of the National Pingtung
University of Education (NPUE) in Taiwan and “possibly other authors at
this institution.''

After a 14-month investigation, JVC determined the ring involved `aliases'
and fake e-mail addresses of reviewers—up to 130 of them—in an
apparently successful effort to get friendly reviews of submissions and as
many articles published as possible by Chen and his friends.  “On at least
one occasion, the author Peter Chen reviewed his own paper under one of the
aliases he created,'' according to the SAGE announcement.

The statement does not explain how something like this happens.  Did the
ring invent names and say they were scholars?  Did they use real names and
pretend to be other scholars?  Doesn't anyone check on these things by,
say, picking up the phone and calling the reviewer?

In any case, SAGE and Nayfeh confronted Chen to give him an “opportunity to
address the accusations of misconduct,'' the statement said, but were not
satisfied with his responses.

In May, “NPUE informed SAGE and JVC that Peter Chen had resigned from his
post on 2 February 2014.''

Each of the 60 retracted articles had at least one author and/or one
reviewer “who has been implicated in the peer review'' ring, said a
separate notice issued by JVC.

Efforts by *The Washington Post* to locate and contact Chen for comment were
unsuccessful.

The whole story is described in a publication called *Retraction
Watch* under the headline: SAGE Publications busts `peer review
and citation ring.' ''

Update: Some additional information from the SAGE statement: “As the SAGE
investigation drew to a close, in May 2014 Professor Nayfeh's retirement was
announced and he resigned his position as Editor-in-Chief of JVC.  Three
senior editors and an additional 27 associate editors with expertise and
prestige in the field have been appointed to assist with the day-to-day
running of the JVC peer review process.  Following Professor Nayfeh's
retirement announcement, the external senior editorial team will be
responsible for independent editorial control for JVC.''

Note to readers: Thanks for pointing out my grammatical error. No excuses.

Fred Barbash, the editor of Morning Mix, is a former National Editor and
London Bureau Chief for *The Washington Post*.


It's Twitter vs. Free Speech, And Free Speech Is Losing - ReadWrite

Gabe Goldberg <gabe@gabegold.com>
Sat, 12 Jul 2014 11:48:12 -0400
In Twitter's desperation to become a global competitor to Facebook, it's
running headlong into its commitment to free speech—and free speech is
losing.

http://readwrite.com/2014/05/27/twitter-pakistan-russia-blocked-tweets


"Microsoft zaps bogus SSL certs with emergency patch 2982792" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Fri, 11 Jul 2014 14:56:00 -0700
Woody Leonhard | InfoWorld, 11 Jul 2014
Security Advisory 2982792 revokes fake SSL certs for Windows
8/8.1/RT/Server 2012, but for Windows 7/Server 2008 the situation not as clear
http://www.infoworld.com/t/microsoft-windows/microsoft-zaps-bogus-ssl-certs-emergency-patch-2982792-246030

opening text:

Yesterday, Dustin Childs at the Microsoft Security Response Center advised
that Microsoft is revoking "improperly issued" SSL certificates for Google
sites and others. According to Security Advisory 2982792, the 45 bogus
certificates were issued by the National Informatics Centre, which works
under the root Certificate Authority of the Government of India Controller
of Certifying Authorities.

More troubling, the subordinate CAs could be used—indeed, may have
already been used—to issue even more bad certificates. Apparently, the
folks at Google caught the bad certs, and Yahoo is also affected.

  [Also noted by Gene Wirchenko: Woody Leonhard, InfoWorld, 14 Jul 2014
  "Black Tuesday patch KB 2962872 crashes InstallShield, causes slowdowns"
  http://www.infoworld.com/t/microsoft-windows/black-tuesday-patch-kb-2962872-crashes-installshield-causes-slowdowns-246112
  PGN]


"Horrifying confessions of a security sleuth" (Eric Knorr)

Gene Wirchenko <genew@telus.net>
Mon, 14 Jul 2014 21:15:01 -0700
Eric Knorr | InfoWorld, 14 Jul 2014
How bad is computer security in the business world?
Complete disarray, if you believe a friend of mine who's worked in the
industry forever. Behold his hair-raising tales
http://www.infoworld.com/t/security/horrifying-confessions-of-security-sleuth-246101


Re: Unix "*" wildcards considered harmful (Horsfall, RISKS-28.07)

Gene Wirchenko <genew@telus.net>
Tue, 15 Jul 2014 22:03:03 -0700
      Two can play this game!  Now for the other side!

The original author got pilloried for this over on Full Disclosure, for
revealing a "bug" that's been known for around thirty years, and working
exactly as documented.  It's sad to see RISKS picking it up.

      Exactly as documented excuses anything?

If a person chops a foot off by swinging an axe around, whose fault is it?
The axe's?  The manufacturer's (both of the axe and the tool-she)?  Or,
heaven forbid, the user's fault?

      If the tool is dangerous to use and could have been designed to be
safer, then yes, the manufacturer should take the hit.  Think of product
safety recalls.  Ford Pinto, anyone?

We seem to have a culture of "It's not my fault!", and finding someone else
to blame does not bode well for the future.

      We do.  One example is blaming the user instead of correcting the
tool.  (I am sorry I gored your ox there, but it was his fault for being
there like a sitting duck.)

      I have tended to avoid C and UNIX because of the attitude to safety.


Re: Unix "*" wildcards considered harmful (Horsfall, RISKS-28.06)

Michael Kohne <mhkohne@kohne.org>
Wed, 16 Jul 2014 08:20:46 -0400
Dave, not everyone in the industry has been around for 30 years to have
heard about this when it was initially noticed, nor have they deeply
contemplated the implications of wildcard behavior on their own.

It's certainly not anything new, but it's sure as anything a threat to
anyone who doesn't know about it. So bringing it up again, and possibly
giving it wide recognition is no bad thing.

I'm regularly working with people who are half my age, Dave. They don't
necessarily know about things like this because they haven't been told. And
if this kind of thing doesn't get brought up again now and then, they'll
never find out.


Re: Unix "*" wildcards considered harmful (Horsfall, RISKS-28.06)

Dave Horsfall <dave@horsfall.org>
Wed, 16 Jul 2014 07:47:28 +1000 (EST)
Again, it's not a bug but a user error, for which at least four workarounds
exist and have done so for many years.  The best one is the "--" option
(supported by all utilities using the GNU option parser) which means "no
further options beyond this point".  Thus, a safe form of the removal
command would be:

	rm <flags> -- *

Unix provides a user with a toolbox, containing some sharp and heavy things.
It's not its job to protect users from themselves, but rather from each
other.
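The behaviour this thread argues about, as an added example that is not code from Dave's post or from any RISKS contributor: a POSIX sh script that creates a scratch directory holding a file literally named "-n" (constructed sample data), shows that an unquoted "*" hands that name to rm in option position, and then demonstrates two protective forms: the "--" end-of-options marker Dave describes, and the "./*" prefix, which also covers utilities that do not honour "--". The directory comes from mktemp -d, and the file names are the example's own assumptions; nothing outside that directory is touched.

```sh
#!/bin/sh
# Added example for this thread; not code from Dave's post or any RISKS item.
# A scratch directory gets one ordinary file and one file named "-n"
# (constructed sample data). An unquoted "*" then expands to "-n notes.txt",
# so rm sees "-n" as an option. Two protective forms are shown:
#   rm -- *     "--" ends option parsing (the form Dave describes)
#   rm ./*      every expanded name starts with "./", so none looks like a flag
# Everything happens under a directory from mktemp -d; nothing else is touched.
set -u

# Create the scratch directory: one ordinary file plus the "-n" file.
# "-n" is chosen because rm has no such option, so the unsafe form fails
# loudly instead of doing anything unexpected.
make_scratch() {
    dir=$(mktemp -d)
    : > "$dir/notes.txt"
    : > "$dir/-n"
    printf '%s\n' "$dir"
}

# Print the words an unquoted "*" expands to in that directory, one per line.
# The shell sorts them, so "-n" comes first and becomes rm's first argument.
expansion_words() {
    ( cd "$1" && set -- * && printf '%s\n' "$@" )
}

# Number of entries left in the directory (what "*" would still match).
count_files() {
    ( cd "$1" && ls | wc -l | tr -d ' ' )
}

# Unsafe form: "rm *" becomes "rm -n notes.txt"; rm rejects "-n" as an
# unknown option and removes nothing. Returns rm's non-zero status.
remove_unsafe() {
    ( cd "$1" && rm * 2>/dev/null )
}

# Safe form 1: "--" tells the option parser that everything after it is an
# operand, so "-n" is deleted as a file.
remove_with_dashdash() {
    ( cd "$1" && rm -- * )
}

# Safe form 2: the "./" prefix works even with utilities that do not honour
# "--", because "./-n" cannot be mistaken for an option.
remove_with_dotslash() {
    ( cd "$1" && rm ./* )
}

# Walk through all three forms on fresh scratch directories.
demo() {
    d=$(make_scratch)
    printf 'unquoted * expands to: %s\n' "$(expansion_words "$d" | tr '\n' ' ')"
    if remove_unsafe "$d"; then
        printf 'rm * succeeded (unexpected)\n'
    else
        printf 'rm * failed; %s file(s) still present\n' "$(count_files "$d")"
    fi
    remove_with_dashdash "$d"
    printf 'rm -- *  left %s file(s)\n' "$(count_files "$d")"
    rmdir "$d"

    d=$(make_scratch)
    remove_with_dotslash "$d"
    printf 'rm ./*   left %s file(s)\n' "$(count_files "$d")"
    rmdir "$d"
}

demo
```

The "-n" name is deliberately harmless: the unsafe form fails with an invalid-option error and leaves both files in place, which is enough to show that the option parser, not the file system, decided what "*" meant. A name matching a real option would have been acted on as one, which is the whole point of the thread.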


Re: Facebook purposely manipulated news feeds to experiment with users' emotions (*The Atlantic*, RISKS-28.06)

"Bill Gunshannon" <bill@cs.uofs.edu>
Tue, 8 Jul 2014 08:52:43 -0400
Lauren Weinstein <lauren@vortex.com> said:
> If this isn't enough to get you off of Facebook, frankly I don't
> know what is.

Sorry Lauren, can't agree with that, being one whose mental state is good
enough to not be that easily manipulated and who places little if any value
on anything that comes out of Facebook or any of the other meaningless Web
drivel.  I see no computer Risk in this at all.  Maybe it should have been
discussed in Psychology Today under the topic of "modern neurotics".

Bill Gunshannon, bill@cs.scranton.edu University of Scranton Scranton PA
