http://www.nytimes.com/2015/08/16/business/technical-problem-suspends-flights-along-east-coast.html

FAA: Software Update May Be Responsible for Malfunction
http://www.nytimes.com/aponline/2015/08/16/us/politics/ap-us-flight-control-delays.html

Air Traffic Control Problem Delays Hundreds of U.S. Flights
http://www.nytimes.com/2015/08/17/business/air-traffic-control-problem-delays-hundreds-of-us-flights.html
The light rail system in Nieuwegein should block crossing traffic with a red traffic light. However, a photo shows the tram passing while the traffic light for bicycles is green.
http://www.ad.nl/ad/nl/1039/Utrecht/article/detail/4121869/2015/08/15/Beveiliging-sneltram-valt-niet-te-vertrouwen.dhtml

Here's a brief summary of the Dutch content: In the last 5 years, 18 accidents have happened with the light rail system, some of them fatal. The representative of Regiotram, the operator of the system, acknowledges that there is an error somewhere. They will search in the tram computers and the traffic control system, and they will talk with the tram drivers. The trams communicate wirelessly with the traffic control system. The problem can be in the communication or in the traffic control systems, states the Regiotram representative. A representative of Nieuwegein states that the "passing time" may be set too sharp. That time is set sharp to prevent people from starting to cross while the traffic lights are still red. This will be one of the topics of research.
Apparently the NTSB has said something to the effect of:

> The point being that there was an event with catastrophic effect
> (technical term) subject to a single point of failure, namely the
> human error involved in unlocking too early.

I have enormous respect for the NTSB with their hard work in getting to the bottom of various incidents and accidents. But here things are seriously wrong!

In anything flying there are a million (ok, that's exaggerated) buttons that effectively say `self-destruct'. This must especially be true for the prototypes. The test pilots are tasked with understanding what they are doing, exploring the limits and setting rules for the future "normal" pilots. When the test pilots report: "we've established that the plane will shake uncomfortably if you deploy the landing gear at an airspeed above XXX knots," the manufacturer will put something to the effect of "do not deploy the landing gear above YYY knots" in the manual, where YYY is on the order of 0.8 XXX (or whatever safety margin they deem appropriate). The "lower landing gear" button does not get disabled above that speed. In an emergency the pilots may still decide: "We're going to die if we don't slow down. Let's try the landing gear," even if they are going way too fast for normal landing gear deployment.

On SS2, the test pilots should be aware, among many, many other things, that unlocking the boom above mach 1.4 will cause a Rapid Unscheduled Disassembly.

R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2600998
Delftechpark 26 2628 XH Delft, The Netherlands. KVK: 27239233
For back issues, or to subscribe, visit <https://www.schneier.com/crypto-gram.html>. You can read this issue on the web at <https://www.schneier.com/crypto-gram/archives/2015/0815.html>.

Bruce Schneier, CRYPTO-GRAM, August 15, 2015

Backdoors Won't Solve Comey's Going Dark Problem

At the Aspen Security Forum two weeks ago, James Comey (and others) explicitly talked about the "going dark" problem, describing the specific scenario they are concerned about. Maybe others have heard the scenario before, but it was a first for me. It centers around ISIL operatives abroad and ISIL-inspired terrorists here in the US. The FBI knows who the Americans are, can get a court order to carry out surveillance on their communications, but cannot eavesdrop on the conversations, because they are encrypted. They can get the metadata, so they know who is talking to who, but they can't find out what's being said.

    "ISIL's M.O. is to broadcast on Twitter, get people to follow them, then move them to Twitter Direct Messaging" to evaluate if they are a legitimate recruit, he said. "Then they'll move them to an encrypted mobile-messaging app so they go dark to us."

    [...]

    The FBI can get court-approved access to Twitter exchanges, but not to encrypted communication, Comey said. Even when the FBI demonstrates probable cause and gets a judicial order to intercept that communication, it cannot break the encryption for technological reasons, according to Comey.

If this is what Comey and the FBI are actually concerned about, they're getting bad advice—because their proposed solution won't solve the problem. Comey wants communications companies to give them the capability to eavesdrop on conversations without the conversants' knowledge or consent; that's the "backdoor" we're all talking about.

But the problem isn't that most encrypted communications platforms are securely encrypted, or even that some are—the problem is that there exists at least one securely encrypted communications platform on the planet that ISIL can use. Imagine that Comey got what he wanted. Imagine that iMessage and Facebook and Skype and everything else US-made had his backdoor. The ISIL operative would tell his potential recruit to use something else, something secure and non-US-made. Maybe an encryption program from Finland, or Switzerland, or Brazil. Maybe Mujahedeen Secrets. Maybe anything. (Sure, some of these will have flaws, and they'll be identifiable by their metadata, but the FBI already has the metadata, and the better software will rise to the top.) As long as there is *something* that the ISIL operative can move them to, some software that the American can download and install on their phone or computer, or hardware that they can buy from abroad, the FBI still won't be able to eavesdrop. And by pushing these ISIL operatives to non-US platforms, they lose access to the metadata they otherwise have.

Convincing US companies to install backdoors isn't enough; in order to solve this going dark problem, the FBI has to ensure that an American can only use backdoored software. And the only way to do that is to prohibit the use of non-backdoored software, which is the sort of thing that the UK's David Cameron said he wanted for his country in January:

    But the question is are we going to allow a means of communications which it simply isn't possible to read. My answer to that question is: no, we must not.

And that, of course, is impossible. Jonathan Zittrain explained why. And Cory Doctorow outlined what trying would entail:

    For David Cameron's proposal to work, he will need to stop Britons from installing software that comes from software creators who are out of his jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like Github) and verify, with a very high degree of confidence, that the software you've downloaded hasn't been tampered with.

    [...]

    This, then, is what David Cameron is proposing:

    * All Britons' communications must be easy for criminals, voyeurs and foreign spies to intercept.
    * Any firms within reach of the UK government must be banned from producing secure software.
    * All major code repositories, such as Github and Sourceforge, must be blocked.
    * Search engines must not answer queries about web-pages that carry secure software.
    * Virtually all academic security work in the UK must cease—security research must only take place in proprietary research environments where there is no onus to publish one's findings, such as industry R&D and the security services.
    * All packets in and out of the country, and within the country, must be subject to Chinese-style deep-packet inspection and any packets that appear to originate from secure software must be dropped.
    * Existing walled gardens (like iOS and games consoles) must be ordered to ban their users from installing secure software.
    * Anyone visiting the country from abroad must have their smartphones held at the border until they leave.
    * Proprietary operating system vendors (Microsoft and Apple) must be ordered to redesign their operating systems as walled gardens that only allow users to run software from an app store, which will not sell or give secure software to Britons.
    * Free/open source operating systems—that power the energy, banking, ecommerce, and infrastructure sectors—must be banned outright.

As extreme as it reads, without all of that, the ISIL operative would be able to communicate securely with his potential American recruit. And all of this is not going to happen.

Last week, former NSA director Mike McConnell, former DHS secretary Michael Chertoff, and former deputy defense secretary William Lynn published a Washington Post op-ed opposing backdoors in encryption software. They wrote:

    Today, with almost everyone carrying a networked device on his or her person, ubiquitous encryption provides essential security. If law enforcement and intelligence organizations face a future without assured access to encrypted communications, they will develop technologies and techniques to meet their legitimate mission goals.

I believe this is true. Already one is being talked about in the academic literature: lawful hacking.

Perhaps the FBI's reluctance to accept this is based on their belief that all encryption software comes from the US, and therefore is under their influence. Back in the 1990s, during the first Crypto Wars, the US government had a similar belief. To convince them otherwise, George Washington University surveyed the cryptography market in 1999 and found that there were over 500 companies in 70 countries manufacturing or distributing non-US cryptography products. Maybe we need a similar study today.

This essay previously appeared on Lawfare.
http://www.lawfareblog.com/back-doors-wont-solve-comeys-going-dark-problem

Aspen Security Forum:
http://www.aspeninstitute.org/events/2015/07/22/aspen-security-forum-2015

Comey's remarks at the forum:
https://www.youtube.com/watch?v=7RyVXLKO0DM
http://www.aspentimes.com/news/17381873-113/fbi-director-reveals-hidden-threat-of-isis-at

Mujahedeen Secrets:
https://en.wikipedia.org/wiki/Mujahedeen_Secrets

Identifying encryption programs from the metadata:
https://www.schneier.com/blog/archives/2015/07/more_about_the_.html

What Cameron wants:
http://www.theguardian.com/uk-news/2015/jan/12/uk-spy-agencies-need-more-powers-says-cameron-paris-attacks

Zittrain's rebuttal:
https://medium.com/message/dear-prime-minister-cameron-20th-century-solutions-wont-help-21st-century-surveillance-ff2d7a3d300c

Doctorow's explanation:
http://boingboing.net/2015/01/13/what-david-cameron-just-propos.html

Washington Post op-ed:
https://www.washingtonpost.com/opinions/the-need-for-ubiquitous-data-encryption/2015/07/28/3d145952-324e-11e5-8353-1215475949f4_story.html

Lawful hacking:
http://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=1209&context=njtip

The First Crypto Wars:
http://www.newamerica.org/oti/doomed-to-repeat-history-lessons-from-the-crypto-wars-of-the-1990s/

George Washington University survey from 1999:
http://cryptome.org/cpi-survey.htm
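Doctorow's point quoted in the essay above, that a signed package fetched from any mirror can be checked against the publisher's key so that the server it came from does not need to be trusted, is illustrated here with an added Go example. It is not code from Schneier, Doctorow or any real project; the package name, payload bytes and key pairs are constructed for the demonstration, using only the standard library's crypto/ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Release is what a mirror relays: the package bytes and a detached
// signature. The mirror cannot forge the signature, so its honesty
// is irrelevant to the verifier. (Constructed example type.)
type Release struct {
	Name      string
	Payload   []byte // package bytes as served by some mirror
	Signature []byte // detached Ed25519 signature over Payload
}

// Publisher holds the signing key. Only the holder of the private key
// can produce signatures that verify under the published public key.
type Publisher struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewPublisher generates a fresh key pair (constructed for the demo).
func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{pub: pub, priv: priv}, nil
}

// PublicKey is the value users pin out of band (project page, keyring,
// a key fingerprint printed in the README) and use for every download.
func (p *Publisher) PublicKey() ed25519.PublicKey { return p.pub }

// Sign produces a release with a detached signature over the payload.
func (p *Publisher) Sign(name string, payload []byte) Release {
	return Release{Name: name, Payload: payload, Signature: ed25519.Sign(p.priv, payload)}
}

// Verify checks a release against a pinned public key. It never looks at
// where the bytes came from: a modified payload, a signature from another
// key, or a malformed signature all fail.
func Verify(pinned ed25519.PublicKey, r Release) bool {
	if len(pinned) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return false // malformed input; ed25519.Verify would panic on a bad key size
	}
	return ed25519.Verify(pinned, r.Payload, r.Signature)
}

// Tamper models a compromised or hostile mirror that alters one byte of
// the package while forwarding the publisher's original signature.
func Tamper(r Release) Release {
	mod := make([]byte, len(r.Payload))
	copy(mod, r.Payload)
	mod[len(mod)/2] ^= 0x01
	return Release{Name: r.Name, Payload: mod, Signature: r.Signature}
}

func main() {
	pub, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	// Constructed package; in practice this would be the tarball bytes.
	rel := pub.Sign("securechat-1.0.tar.gz", []byte("constructed package contents"))

	fmt.Println("genuine, from any mirror:", Verify(pub.PublicKey(), rel))  // true
	fmt.Println("altered in transit:      ", Verify(pub.PublicKey(), Tamper(rel))) // false

	other, _ := NewPublisher()
	fmt.Println("wrong publisher key:     ", Verify(other.PublicKey(), rel)) // false
}
```

The security property rests entirely on how the public key was obtained: pinning it once from a trusted channel is what makes every later download location-independent, which is why blocking particular repositories or mirrors does not stop the software from being verifiably distributed.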
Newly disclosed N.S.A. documents show that the agency gained access to billions of emails through a `highly collaborative' relationship with AT&T.
http://www.nytimes.com/2015/08/16/us/politics/att-helped-nsa-spy-on-an-array-of-internet-traffic.html
https://www.eff.org/deeplinks/2015/08/eff-claims-government-spying-atts-help-further-confirmed-new-york-times-article
[via Dave Farber]

There's a better version of the article on the World Wide Web here:
https://www.propublica.org/article/nsa-spying-relies-on-atts-extreme-willingness-to-help

The story was co-written with ProPublica, which runs an ordinary Web site. The URL that you provided, Dave (based at nytimes.com), refuses to provide the article to users who will not accept cookies, and has other limits to try to force people to "log in" to their proprietary platform before they can read this or any other story.

I continue to be amazed at how people who are opposed to mass surveillance of the public's communication continue to use and share URLs that only work if every reader accepts mass surveillance of their reading habits. If the New York Times knows who is reading their articles, and from where and when, then NSA does too (and the provided URL was "http", not even "https"). The Times does NOT honor the "Do Not Track" header.

For shame, NY Times; stop riding on your newsprint reputation to enshrine an unprecedented online reader-tracking system. And Dave should not be pushing their news-reader-surveillance scheme on his readers.
If the dispensary had sent the email from a gmail account and used BCC, the mail probably wouldn't get out at all. Since roughly 21 July 2015 Gmail classifies as spam most (or all?) of the email sent to more than 5-10(?) BCCs. As a result the sender gets an error-message email for EACH of the BCC addresses. As there is no real way to complain, the issue is still not solved. Google offers as a solution to create a Google Group, which is for various reasons not a real alternative for most of the customers.

Risks? Various groups and individuals (including clubs, churches, schools, self-employed people and a book author) are left without a way to distribute information, mostly after years of using Gmail for that purpose. In our case a speaker canceled his presentation in our club and we were unable to advise our 200 members. That was a nuisance, but not life-threatening. Do I have to spell out the possibilities of more serious complications? The real risk is relying on a free service offered by a company perceived as a serious business, but run in an amateurish way.

For the problem discussion see
https://productforums.google.com/forum/#!topic/gmail/uH2hN6S5OyM;context-place=topicsearchin/gmail/category$3A%28report-an-issue%29|sort:relevance
I hope the link works for you. In the forum there are more, shorter complaints on the same theme, which - probably due to lack of proper monitoring - are not connected to the main line, which now includes 168 items.
http://arstechnica.com/security/2015/08/isps-e-mail-password-reset-system-is-a-guy-named-shawn/

Silverman pointed out how ridiculous this system is but accepted Shawn's offer and received the password. Before ending the chat, Shawn tried to sell Silverman antivirus software, computer tech support, or "identity protection." Silverman declined. The Frontier system then e-mailed Silverman a full transcript of the chat, including the password in plain text. The only information Frontier obscured was his account number.

[Nope, this story is NOT from "The Onion" ...]
Pretty much the current state of password-based security on the Internet today, as illustrated by Chico and Groucho Marx in "Horse Feathers" (1932): https://www.youtube.com/watch?v=ySqec8WrEQQ
http://www.cracked.com/personal-experiences-1738-wikipedias-war-women-4-weird-realities-inside.html

Despite being such an influential site, Wikipedia has fewer than 10 percent female editors. That leads to some strange problems. For example: The entries on porn stars and Pokemon are both more extensively detailed than the entries on prominent women. This page on American novelists is divided into "Female American Novelists" (for the women-folk) and "American Novelists" (for the men). They once removed all the female movie directors from their list of horror directors.

Wikipedia is basically edited by anonymous 13-year-old boys living in their parents' basements, using names like "ballbusterman" and "vomitboy." It's not a real, attributed encyclopedia; it's an anonymous gang bang where the opinions of idiots are valued, and authority and experience are ignored. It's OK if you want to look up movie information or a chart of disk space conversion parameters. Beyond that it has largely become a disgrace where drive-by page vandalism is the order of the day.

By the way, "Cracked" has some seriously insightful stories these days.
In this aging bull market, investors are showing signs of a sea change in their attitudes. http://www.nytimes.com/2015/08/16/business/doubt-starts-chipping-away-at-the-markets-mind-set.html
http://www.nytimes.com/2015/08/18/technology/data-crunching-is-coming-to-help-your-boss-manage-your-time.html Employers of all types are using a wide range of technological tools to monitor workers' efforts and motivate them.
As more readers move toward online social networks, and as publishers desperately seek scale to bring in revenue, many have deplored a race toward repetitive journalism. http://www.nytimes.com/2015/08/17/business/where-clicks-reign-audience-is-king.html
The company is conducting an experiment in how far it can push white-collar workers to get them to achieve its ever-expanding ambitions. http://www.nytimes.com/2015/08/16/technology/inside-amazon-wrestling-big-ideas-in-a-bruising-workplace.html
Lots of us are irritated by the "Get Windows 10" popup which regularly appears on our desktops. Many of us do not want to install Windows 10 - at least not until the pros and cons (risks?) become clearer. To remove the irritation we uninstall KB 3035583, https://support.microsoft.com/en-us/kb/3035583 AND disable automatic Windows update installation—at least for recommended updates.

- The risk of potentially unpatched systems to Windows users is clear.
- The damage to Microsoft caused by annoying millions of users is mitigated by their market dominance.

If it is free you (the user) are not the customer! (You knew this already...)