Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
[Not the kind of payday loan people want...] Bloomberg, 28 Aug 2015 HSBC Holdings Plc said most of the 275,000 payments from U.K. business customers it failed to process Friday will be completed by the end of the day after a software problem held up transactions before a long weekend. To read the entire article, go to http://bloom.bg/1NLnjqV
The 7 Sep 2015 edition of Forbes Magazine (cover story about Tesla) has an article pages 46-48 about the future of oil drilling, how humans are to be replaced by robots. There is an illustration on page 48 of how this will work, where personnel back at HQ will manage all the hardware at the drilling site, in much the same way as military drones over the Middle East, and Asia, are operated by remote pilots at NATO military bases. I see things which can go wrong with this notion. The page 48 illustration looks to me to be *exactly* what BP had at the time of the Gulf of Mexico oil spill. People back at HQ had lots of feeds telling them exactly what was going on at the drill site, but were clueless even before the explosion ripped out their Internet connections. I watched US Coast Guard hearings into that disaster. The hardware back at HQ reminded me of computer security logs. You have to be ultra-trained in what the heck all that means, to make heads or tails of it, but a lot of corporate hiring is of people with no relevant experience. There are similar things going on with ground transportation disasters. Hardware seems to be designed with the assumption that nothing will ever go wrong, so the info about what's going on is not made user-friendly. The first a place knows that they have had a major disaster is when human witnesses nearbye phone in what they see, so human technicians are sent out to investigate, who may not have the right tools or training to deal with it properly. The data is at HQ, but no one there knows how to interpret it. State-of-art needs to be upgraded, in many industries, to make the data intelligible to non-technical management, so it does not need specialist training for translation. Also more industries need rapidly deployable First Responders, with a good spectrum of resources, similar to what city Public Utilities have. People on-site, at the BP Gulf Oil disaster, could have averted it, had they been given relevant training, and documentation, which they did not get. Will the same mentality program the robots? They are getting data faster, from deep below the ground, expect that soon the oil workers will have the data on their smart phones. There's more problems, which we learn from the killer drones. Every auto driver knows that we need to avoid tailgating, or going too fast for conditions, because when there is trouble ahead, our eyes see it, our brain interprets the situation, then tells our body to react, changing steering, speed of auto. This does not happen instantaneously. The military drones have an added dimension called "latency," or the time it takes, for what the drone sees, to bounce off a satellite in space, get to the remote operator, to decide what to do, then there is the signal in the reverse direction. So if the drone sees a potential enemy, and the remote pilot says to kill that enemy, then thanks to latency, the drone will miss, as the target has probably moved in the mean time. That's why our military blows up entire buildings - schools, restaurants, housing complexes. They don't move, and there is a suspect inside. That's one reason why there is a high rate of innocent bystander collateral damage killed by that technology. So if the automated oil rigs are to be managed by operators at HQ, is there any data for which the latency will make reactions too slow? The killer drones can be hacked. How about the feed between HQ and an automated oil well, to cause an accident on purpose? Already some oil wells are fully automated.
FYI—And some people can't understand why campaigns like "Black Lives Matter" are gaining so much support... Don't police officers have to announce themselves as police officers (including wearing a uniform and showing a badge) in order to not get shot at themselves when they pull out a deadly weapon? How does an armed police drone properly announce itself so as not to get shot down? And how exactly is an ordinary citizen to know that his/her life is *not* in danger when some drone (police or otherwise) starts shooting at him/her? There still is a Second Amendment to the Constitution, and imminent deadly force can be met with deadly force—particularly when the only thing left `dead' is an inanimate drone. Quotes: “Less than lethal weapons like rubber bullets, pepper spray, tear gas, sound cannons, and Tasers are therefore *permitted* on police drones.'' “At least 39 people have been killed by police Tasers in 2015 so far.'' “Rost said he needs to use drones for surveillance in order to obtain a warrant in the first place.'' [Going fishing, are we?] Justin Glawe, Armed Drones for Cops Are Now Legal, 26 Aug 2015 ND: First State Legalizes Taser Drones for Cops, Thanks to a Lobbyist http://www.thedailybeast.com/articles/2015/08/26/first-state-legalizes-armed-drones-for-cops-thanks-to-a-lobbyist.html
FYI—Let's see: a number of high efficiency precision corner reflectors mounted on the drone would do a pretty good job on this IR laser cannon and/or its operator. If these corner reflectors weren't individually too large, they wouldn't reflect back very much in the microwave wavelengths, thus making it harder for radar detection and guidance. Millions of dollars of equipment ruined by a few dollars worth of corner reflectors. https://en.wikipedia.org/wiki/Corner_reflector And what could possibly go wrong with a 2kw continuous invisible IR laser in an urban environment ? Lemme guess: the name of the weapon? "Archimedes" ? Shouldn't we worry that this IR cannon "cure" could be worse than the drone disease? http://www.sciencebuzz.org/blog/archimedes-heat-ray “Other than numerous safety warnings to ensure *no one was blinded by the two-kilowatt infrared laser*, there was no fanfare. No explosions, *no visible beam*.'' “Boeing's developed a laser cannon specifically designed to turn unmanned aircraft [and your entire neighborhood] into flaming wreckage.'' http://www.wired.com/2015/08/welcome-world-drone-killing-laser-cannon/ Welcome to the World, Drone-Killing Laser Cannon Jordan Golson, *WiReD*, 27 Aug 2015 http://www.wired.com/wp-content/uploads/2015/08/IMG_6496-copy-582x418.jpg
FYI: "The main issue seems to be that the [Vice News] fixer uses a complex encryption system on his personal computer that a lot of ISIL militants also utilise for strategic communications." The journalists were also using cars that could have been used as car bombs. Water bottles were also found; 100% of terrorists are known to use water. http://www.aljazeera.com/news/2015/09/vice-news-fixer-arrested-encryption-software-150901200622345.html Umut Uras, Vice News fixer 'charged over encryption software', 2 Sep 2015 Turkey official tells Al Jazeera charges made after fixer found to have encryption software used by ISIL on his laptop. Three staff members from Vice News were charged with "engaging in terrorist activity" because one of the men was using an encryption system on his personal computer which is often used by the Islamic State of Iraq and the Levant (ISIL), a senior press official in the Turkish government has told Al Jazeera. Two UK journalists, Jake Hanrahan and Philip Pendlebury, along with their Turkey-based Iraqi fixer and a driver, were arrested on Thursday in Diyarbakir while filming clashes between security forces and youth members of the outlawed and armed Kurdistan Workers' Party (PKK). On Monday, the three men were charged by a Turkish judge in Diyarbakir with "engaging in terrorist activity" on behalf of ISIL, the driver was released without charge. The Turkish official, who spoke on condition of anonymity, told Al Jazeera: "The main issue seems to be that the fixer uses a complex encryption system on his personal computer that a lot of ISIL militants also utilise for strategic communications." Speaking to Al Jazeera, Tahir Elci, the head of the Diyarbakir lawyers association, said: "I find it ridiculous that they were taken into custody. I don't believe there is any accuracy to what they are charged for. "To me, it seems like an attempt by the government to get international journalists away from the area of conflict. [...]
FYI—And companies are asking the govt to provide them with even more immunity from liability? This is yet more of the same type of "socializing losses while privatizing profits" scheme that we have come to know & love from the recent financial crisis. According to the FTC complaint, “there were no fewer than 10 practices that taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft.'' “Apparently both the username and password for a Wyndham property management system developed by Micros Systems Inc. was *micros*.'' “The company had no security controls whatsoever in many of these areas.'' The 2007 FTC guidebook “advises companies to *consider encrypting sensitive information*'' ["Consider" ? As in a street sign that says *Consider Stopping*?] “The FTC [is] in a very tricky position—trying to hold companies accountable for failing to implement reasonable security measures without ever defining what those reasonable measures are.'' “How were we supposed to implement adequate security when no one ever told us what that means?'' Josephine Wolff, *Slate*, 26 Aug 2015 What Exactly Does Reasonable Mean? The FTC's maddening attempts to hold companies liable for cybersecurity lapses. http://www.slate.com/articles/technology/future_tense/2015/08/the_ftc_punishes_wyndham_for_failing_to_protect_customer_data.html
Medium via NNSquad https://medium.com/@alexrubalcava/a-roadmap-for-a-world-without-drivers-573aede0c968 The reaction to the first car bombing using an AV is going to be massive, and it's going to be stupid. CNN will go into "missing airplane" mode. There will be calls for the government to issue a stop to all AV operations, much in the same way that the FAA ordered a ground stop after 9/11. But unlike 9/11, which involved a decades-old transportation infrastructure, the first AV bombing will use an infrastructure in its infancy, one that will be much easier to shut down. That shutdown could stretch from temporary to quasi-permanent with ease, as security professionals grapple with the technical challenge of distinguishing between safe, legitimate payloads and payloads that are intended to harm. The scenario described above—using an AV to commit a violent crime—involves no hacking. Hacking is the second major barrier to adoption that will present unique problems to AVs. Yep, like I've been saying for ages. To be clear, I fully support autonomous vehicle research, because I believe it will save millions of lives just through advanced driver assist systems. But once you go truly autonomous, the Pandora's Box opens in ways most of us have only begun to think about.
http://www.nytimes.com/2015/09/02/technology/personaltech/google-says-its-not-the-driverless-cars-fault-its-other-drivers.html The cars have been involved in a smattering of minor accidents because they observe traffic laws to the letter—and people don't.
The above subject line is the title of an article by Mike Isaac and Nicole Perlroth in *The New York Times*, 29 Aug 2015 (page B2 in the National Edition). Charlie Miller and Chris Valasek have been hired by Uber's offices in Pittsburgh to help ensure the security and safety of Uber's self-driving car and robotics research. (See RISKS-28.80 and .81 on their most recent exploits.) Whatever you think of Uber, the desire for greater security and safety is welcome. However, Uber is also going to need more people with broad expertise in total system architectures for trustworthy systems. Despite the hype, trustworthy self-driving cars in a completely automated highway that is meaningfully risk-free seem to be a long ways off.
Many new vehicles are equipped with keyless ignition systems. The vehicle is started with a button, so long as a electronic key fob is present. Unfortunately, this creates the potential for a number of hazards not found in keyed ignition systems. Apparently, some of these vehicles will continue operation if the key fob is no longer in the vehicle. With some of the quieter running power plants (e.g., hybrids), they will eventually activate their internal combustion power plants when the batteries run low. This creates a carbon monoxide hazard when the car is in a closed space (e.g., garage). The hazard happens when the owner leaves the vehicle without successfully turning off all the ignition (e.g., clumsy button push with gloved hand). Solutions to this problem are not simple. Simply requiring the presence of a working key fob opens the possibility of unexpected system shutdown if the key fob stops functioning (e.g., bad battery). The complete Money article is at CNN: money.cnn.com/2015/08/26/autos/keyless-ignition-lawsuit/index.html
http://arstechnica.com/security/2015/09/many-new-top-level-domains-have-become-internets-bad-neighborhoods/ There were many who warned that the Internet Corporation for Assigned Names and Numbers' (ICANN) decision to allow a host of new commercial generic top-level Internet domains was going to create a huge opportunity for Internet scammers and hackers. The approval of top-level domains (TLDs) beyond those assigned to countries and generic ones such as .com, .org, and .net created an opportunity, some in the security industry warned, for criminals to set up "look-alike" domains in the new namespace that aped legitimate sites already registered in .com or elsewhere. Well, the warnings were spot-on. Uh, like nobody predicted this, right? As Gomer Pyle would say, "Surprise, surprise, surprise!"
Lucian Constantin (credit: Michael Homnick), PC World, 1 Sep 2015, ISP-provided routers are full of security vulnerabilities Attackers could exploit the flaws to hijack DNS requests or completely take over affected devices http://www.infoworld.com/article/2978777/networking/popular-belkin-wi-fi-routers-plagued-by-unpatched-security-flaws.html opening text: If your Wi-Fi network is using the popular Belkin N600 DB router, be warned: it may have several vulnerabilities that could allow hackers to take it over.
FYI—The FCC wants to *ban open-source firmware for your wifi router*. Note that although this rule supposedly affects only 5GHz, it would affect *ALL* routers because no one is going to make a 2.4GHz-only router. Brian Benchoff, Save WiFi: Act Now To Save WiFi From The FCC, 2 Sep 2015 http://hackaday.com/2015/09/02/save-wifi-act-now-to-save-wifi-from-the-fcc/ Right now, the FCC is considering a proposal to require device manufacturers to implement security restricting the flashing of firmware. We posted something about this a few days ago, but completely missed out on a call to action. Contrary to conventional wisdom, we live under a system of participatory government, and there is still time to convince the FCC this regulation would stifle innovation, make us less secure, and set back innovation in the United States decades. [Henry also goes on to excerpt from the following items, truncated for RISKS, but URLs left for those readers who might be documenting this.] http://hackaday.com/2015/08/31/fcc-introduces-rules-banning-wifi-router-firmware-modification/ https://libreplanet.org/wiki/Save_WiFi/Individual_Comments https://apps.fcc.gov/kdb/GetAttachment.html?id=1UiSJRK869RsyQddPi5hpw%3D%3D&descY4280%20D02%20U-NII%20Device%20Security%20v01r02&tracking_number9498 https://www.federalregister.gov/articles/2015/08/06/2015-18402/equipment-authorization-and-electronic-labeling-for-wireless-devices https://www.federalregister.gov/articles/2015/08/06/2015-18402/equipment-authorization-and-electronic-labeling-for-wireless-devices http://hackaday.com/2015/08/31/fcc-introduces-rules-banning-wifi-router-firmware-modification/ https://apps.fcc.gov/kdb/GetAttachment.html?id=1UiSJRK869RsyQddPi5hpw%3D%3D&descY4280%20D02%20U-NII%20Device%20Security%20v01r02&tracking_number9498 https://apps.fcc.gov/oetcf/kdb/forms/FTSSearchResultPage.cfm?id9498&switch=P
Citizen Lab via NNSquad https://citizenlab.org/2015/08/iran_two_factor_phishing/ This report describes an elaborate phishing campaign against targets in Iran's diaspora, and at least one Western activist. The ongoing attacks attempt to circumvent the extra protections conferred by two-factor authentication in Gmail, and rely heavily on phone-call based phishing and "real time" login attempts by the attackers. Most of the attacks begin with a phone call from a UK phone number, with attackers speaking in either English or Farsi. The attacks point to extensive knowledge of the targets' activities, and share infrastructure and tactics with campaigns previously linked to Iranian threat actors. We have documented a growing number of these attacks, and have received reports that we cannot confirm of targets and victims of highly similar attacks, including in Iran. The report includes extra detail to help potential targets recognize similar attacks. The report closes with some security suggestions, highlighting the importance of two-factor authentication.
Katherine Noyes, Orange Hosting, IDG News Service (08/26/15) via ACM TechNews, Monday, August 31, 2015 Many of the world's top computer science experts met last week at the Heidelberg Laureate Forum to determine how the widespread collection of data about consumers can be prevented from causing harm in the future. Much of today's data collection happens on the websites people visit, and that can spill over into surveillance by governments, according to the Electronic Frontier Foundation's (EFF) Jeremy Gillula. Most of the participants at the forum agreed there is a need for better mechanisms for protecting individuals' privacy, as well as for more transparency on the part of those collecting and using the data. "We need a policy approach" that offers not just privacy by design, but privacy by default, says Carnegie Mellon University professor Alessandro Acquisti. Although public policy and legislation are one approach to the problem, some experts do not see much reason for optimism in that direction. The EFF already has published a "Do Not Track" policy, which organizations can adopt, and it is working on a Privacy Badger, a browser extension for Firefox and Chrome that blocks spying ads and invisible trackers. The EFF also advocates end-to-end encryption because government agencies cannot do mass surveillance if all the data is encrypted, according to Gillula. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e0a0x2d36fx063635&
In the midst of all of the hype and hoopla over self driving cars, let's pause for a reality check: None of the many rosy media discussions of the future of autonomous vehicles show any awareness that there are no credible network plans at all to support these vehicles - at scale - in cities and in the countryside. Meanwhile among the engineers, there is a growing consensus that autonomous vehicles will need dense networks supporting gigabyte low latency streams for every vehicle. e.g. at least "300gBytes/ per month" of *coordinated* secure networks of LTE WiFi DSRC-V2V meshes , and satellites according to Andeas Mai, Director Smart Connected Vehicles at Cisco http://viodi.com/2015/06/15/300-gbytes-of-data-per-month-per-car/ Here are some other recent relevant quotes about network requirements for autonomous vehicle: Intel: “Approximately 1 GB of data will need to be processed each second in the car's real-time operating system.'' https://www-ssl.intel.com/content/www/us/en/automotive/driving-safety-advanced-driver-assistance-systems-self-driving-technology-paper.html Telecom Italia: “A primary bottleneck is the overall sum of application and network latencies, which are far too high today.'' http://www.networkcomputing.com/cloud-infrastructure/enabling-the-self-driving-car/a/d-id/1319538 BMW: “... need ultra-reliable networks, low-latency, and they must work everywhere.'' http://www.computerworlduk.com/news/it-vendors/bmw-5g-could-be-key-self-driving-car-deployment-3501253/ Ericsson" “... self-driving cars, will rely on as-yet-undefined 5G technology. The networks that we have today have nowhere near that quality-of-service guarantee.'' http://www.computerworlduk.com/news/it-vendors/the-smartest-cars-may-need-5g-ericsson-says-3497872/ When thinking about self driving cars, I try to remember the words of two former colleagues at IFTF: One of our founders Roy Amara observed that “When thinking about the future we tend to over estimate the impacts in the near-term and under estimate impacts in the long term.'' or as aptly paraphrased by former long time IFTF Fellow Paul Saffo, “Never mistake a clear view for a short distance.'' Mike Liebhold, Distinguished Fellow, Institute for the Future, IFTF.org
(via Dave Farber) I would have to think that humans are an existence proof that driving a car doesn't necessarily require high long-haul bandwidth. I'm sure one could collect 1 GB of data per second just from optical/radar/sonar/lidar sensors in the car, of the road ahead, along with GPS for general proximity, digital maps carried onboard, etc., etc. We can also expect that an increasing amount of the information absorbed from other than the car's organic sensors would be short-range wireless, e.g., car-car and car-curb data, that require little in the way of complex infrastructure, but which can augment situational awareness (just like I get digital sign data today telling me that travel time to particular destinations is X minutes presently). If the average 100 IQ human with modest visual ability and reflexes can successfully navigate, it's not at all clear to me why my future Subaru++ is going to require the equivalent of a streaming Hollywood movie, from long distances, to compete. Stapleton-Gray & Associates, Inc., Albany, CA
http://www.nytimes.com/2015/08/31/technology/tools-for-tailored-learning-may-expose-students-personal-details.html Many technological tools used by schools are designed to customize learning, but concern is developing over the collection and use of data on individual students.
[My sentiments exactly.] http://www.computerworld.com/article/2977085/social-business/one-billion-people-facebook-monday-itbwcw.html
Fahmida Y. Rashid, InfoWorld, 1 Sep 2015 http://www.infoworld.com/article/2979054/windows-security/windows-7-8-10-now-all-collecting-user-data-for-microsoft.html Uncomfortable with Windows 10 slurping personal data? Too bad -- Microsoft rolls out similar snooping capabilities to Windows 7, Windows 8
FYI—Why is Microsoft doing this? Google/Facebook envy? FBI/NSA NSL? http://www.ghacks.net/2015/08/28/microsoft-intensifies-data-collection-on-windows-7-and-8-systems/ Microsoft intensifies data collection on Windows 7 and 8 systems Martin Brinkmann, GHacks, 28 Aug 2015 Microsoft has been criticized by privacy advocates in regards to the data hunger of its Windows 10 operating system. The operating system slurps data like there is no tomorrow, especially when systems are set up using the express settings. http://www.ghacks.net/2015/07/30/windows-10-and-privacy/ Experienced users may disable telemetry and data collection partially during setup, and then some more afterward using the Registry or Group Policy. [Long item truncated for RISKS.]
I can't test this myself, since I don't have windows 10 (and might never have it), but I wonder if any of those complaining about unwanted data transmissions have tried editing the hosts file to see whether this solves the problem? It would do so on a Unix-like system, but, as I said, I can't try it myself, so wondered whether anyone else has tried doing so.
A 16-page PDF report on the Target breach has been issued by the US Senate Committee on Commerce, Science, and Transportation. <http://www.commerce.senate.gov/public/?a=Files.Serve&File_id$d3c229-4f2f-405d-b8db-a3a67f183883> It is dated March 2014, but I just found the link in an article about Federal Trade Commission (FTC) involvement. http://www.msn.com/en-us/news/us/ftc-investigates-target-data-breach/ar-AAdQDA5?ocid=iehp At the time of the Senate report, the investigations had not yet figured out: . Details of the Fazio penetration. . How the attackers got from the access granted Fazio, to Target's POS terminals. . How the attackers found default account password access for BMC software IT management system; or if the password interface was bypassed. There are some nice diagrams at the end of the report, such as a time line of when Target allegedly received warnings, apparently ignored, of what the attackers were up to. There are also lots of links to more info. The body of the report talks about other things Target could have done to avert this disaster.
HuffPost via NNSquad http://www.huffingtonpost.com/entry/ashley-madison-hack-creates-ethical-conundrum-for-researchers_55e4ac43e4b0b7a96339dfe9 Frederick and other experts agreed that the research applications of these data are potentially endless. At the most basic level, you could use them to tease out patterns of infidelity (or at least interest in infidelity) in terms of geography, age, race, religion, sex, height or income. But with the tremendous benefits come serious risks. As sex researchers dig into the data from the Ashley Madison hack, they're confronted with a set of thorny questions: Is the data reliable? Is it proper for researchers to analyze? Is it even legally permissible to access? “We're in uncharted ethical waters with the Internet and all the data that's coming out of social networks. The Ashley Madison hack is just a particularly difficult example of a much larger issue,'' said Dr. Sharlene Hesse-Biber, a sociologist and research ethics expert at Boston College. The reliability question is the most pressing; after all, if the data are so unreliable that they're not usable, the ethics and logistics don't matter. Early, non-academic analysis of the data has shown that a huge share of the 36 million accounts in the hack were fake, inactive or incomplete. And Ashley Madison made essentially no effort to verify any of the information in these accounts—even email addresses—so much of that information may wind up being useless. You mean researchers are concerned that users might have put FALSE information on forms at an online marriage cheating site? Surely you jest! (I know, I know, don't call you Shirley.)
> highly embarrassing for the men and women ... a huge portion of Ashley Madison's software development efforts are aimed at refining their fembot army, to make it seem that women are active on the site. Either they did this because the number of real women was vanishingly small, or because they didn't want men to hook up with real women and stop buying credits from the company. Whatever the reason, it appears that the Ashley Madison money-making scheme was bots all the way down. http://gizmodo.com/ashley-madison-code-shows-more-women-and-more-bots-1727613924
Where I live it is: Please take your card. Please take your cash. In that order. You are not getting your cash if you don't remove your card. Seems to solve most problems.
Please report problems with the web pages to the maintainer