Coral Davenport, *The New York Times*, 18 Sep 2015 http://www.nytimes.com/2015/09/19/business/volkswagen-is-ordered-to-recall-nearly-500000-vehicles-over-emissions-software.html The Obama administration on Friday directed Volkswagen to recall nearly a half-million cars, saying the automaker illegally installed software in its diesel-power cars to evade standards for reducing smog. The Environmental Protection Agency accused the German automaker of using software to detect when the car is undergoing its periodic state emissions testing. Only during such tests are the cars' full emissions control systems turned on. During normal driving situations, the controls are turned off, allowing the cars to spew as much as 40 times as much pollution as allowed under the Clean Air Act, the E.P.A. said. The Environmental Protection Agency issued the company a notice of violation and accused the company of breaking the law by installing software known as a `defeat device' in 4-cylinder Volkswagen and Audi vehicles from model years 2009-15. The device is programmed to detect when the car is undergoing official emissions testing, and to only turn on full emissions control systems during that testing. Those controls are turned off during normal driving situations, when the vehicles pollute far more heavily than reported by the manufacturer, the E.P.A. said. "Using a defeat device in cars to evade clean air standards is illegal and a threat to public health," said Cynthia Giles, the E.P.A.'s assistant administrator for the Office of Enforcement and Compliance. "Working closely with the California Air Resources Board, E.P.A. is committed to making sure that all automakers play by the same rules. E.P.A. will continue to investigate these very serious violations." The software was designed to conceal the cars' emissions of the pollutant nitrogen oxide, which contributes to the creation of ozone and smog.
The pollutants are linked to a range of health problems, including asthma attacks and other respiratory diseases. It will be interesting to see if VW can negotiate the fines for this massive fraud down to something less than staggering. [Henry Baker noted that the affected diesel models include: * Jetta (Model Years 2009-2015) * Beetle (Model Years 2009-2015) * Audi A3 (Model Years 2009-2015) * Golf (Model Years 2009-2015) * Passat (Model Years 2014-2015)] [See also https://www.washingtonpost.com/news/the-switch/wp/2015/09/23/opm-now-says-more-than-five-million-fingerprints-compromised-in-breaches/ [We've noted in RISKS previously that this kind of shenanigan could easily be used in voting machines (especially proprietary ones), which when run in test mode do everything correctly, but when run in live elections might surreptitiously do whatever else they might have been programmed to do. PGN]
http://hackaday.com/2015/09/23/ethics-in-engineering-volkswagens-diesel-fiasco/ Like the Space Shuttle Challenger disaster, like the Johnstown flood, and like that one scene at the beginning of Fight Club, this will be one for the engineering ethics text books. If this does turn into a criminal investigation - and chances of that are good - we will eventually learn how this complete abdication of law and social responsibility came to be. Until then, we're left to guess how one of the biggest blunders of automotive history came to be, and where Volkswagen and the diesel car will be in the years to come. I have for many years publicly asserted that ethics are a *fundamental* aspect of engineering—including software engineering. I have frequently faced arguments from persons claiming that I'm wrong—that engineers should just write the code as they're told to do, and that their role is not to independently apply any ethical considerations whatsoever. I cannot even really begin to explain how strongly I disagree with that view, or how devastating to consumer and user trust that view can be. [Lauren Weinstein]
One of the scariest parts of the massive cybersecurity breaches at the Office of Personnel Management just got worse: The agency now says 5.6 million people's fingerprints were stolen as part of the hacks. That's more than five times the 1.1 million government officials estimated when the cyberattacks were initially disclosed over the summer. However, OPM said Wednesday the total number of those believed to be caught up in the breaches, which included the theft of the Social Security numbers and addresses of more than 21 million former and current government employees, remains the same. [CNBC: "We recently learned that as far back as 2007, the Inspector General was warning that OPM was vulnerable to a breach, but nothing was done to prevent it. ... US Gov blames China for breach, ignoring implications of their own front door back door mentality."] And this is the same government that wants access to our encryption keys. But don't worry! Simply change your passwords and fingerprints and you'll be just fine. Yeah. LW
Neil Savage, IEEE Spectrum, 21 Sept 2015, via ACM TechNews, 23 Sep 2015 Carnegie Mellon University (CMU) researchers are working on designs for an ingestible sensor that would combine silicon circuitry and nutrients and could be powered by stomach acid. One of the major hurdles when designing ingestible sensors is convincing regulators they would be safe. The approach of Christopher Bettinger's team at CMU is to use organic and biodegradable materials that are already considered safe to ingest. They envision silicon logic circuits encapsulated in a biodegradable hydrogel, which would enable it to squeeze through tight openings. The antennas and electronics would be made of small amounts of digestible minerals such as manganese, magnesium, and copper. In addition, the silicon Bettinger's team proposes using to power the logic circuits of their ingestible sensors can be converted by the body into silicic acid. The sensor would be powered by a battery with a cathode made of melanin and an anode made of manganese oxide. When the battery reaches the stomach, acidic gastric juices would act as an electrolyte and transport current. During testing, the design has been able to provide 5 milliwatts of power for up to 20 hours. The researchers say ingestible sensors could be used to study the microbiome, look for infections, and monitor medication uptake. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e1e8x2d43fx063701& [Fascinating possibilities here. Remotely reprogrammable? remotely surveillable? what about integrity risks? privacy risks? and what could happen maliciously, accidentally, or even *in-jestibly*? stupid gas-tric(k)s? PGN]
Ars Technica via NNSquad http://arstechnica.com/security/2015/09/trojan-targets-online-poker-sites-peeks-at-players-cards/ Anybody who has ever played poker, online or offline, always suspects that they might be the victim of cheating when the cards aren't going their way. Now there's evidence to suspect that the hunch is real when it comes to two of the world's most popular online gambling portals. "Several hundred" gamblers on the Pokerstars and Full Tilt Poker platforms have been hit with a cheating trojan, according to ESET security researcher Robert Lipovsky. But don't worry boys and girls, Internet voting would be perfectly safe! Nothing can go wrong! No th ing ca n g o wr
http://deity.gov.in/sites/upload_files/dit/files/draft%20Encryption%20Policyv1.pdf Users / Organizations within B group (i.e. B2B Sector) may use Encryption for storage and communication. Encryption algorithms and key sizes shall be prescribed by the Government through Notifications from time to time. On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software / hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/organisation/agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.
Data Breaches via NNSquad http://www.databreaches.net/oops-error-by-systema-software-exposes-millions-of-records-with-insurance-claims-data-and-internal-notes/ According to a source who contacted DataBreaches.net, as part of research on data leaks, the self-described "technology enthusiast" ("TE") downloaded some random data from a publicly available subdomain on Amazon Web Services (AWS). Inspection of the files revealed many GB of SQL database backups with "names, social security numbers, addresses, dates of birth, phone numbers, as well as various financial and medical injury data." TE informs DataBreaches.net that after discovering the treasure trove of personal information on or about August 30, he immediately began to notify the proper agencies and authorities. DataBreaches.net withheld publication until now to give TE time to notify more entities and to give the software firm time to notify its affected clients.
(AP): http://www.usnews.com/news/business/articles/2015/09/20/apnewsbreak-south-korea-backed-app-puts-children-at-risk Security researchers say they found critical weaknesses in a South Korean government-mandated child surveillance app—vulnerabilities that left the private lives of the country's youngest citizens open to hackers. In separate reports released Sunday, Internet watchdog group Citizen Lab and German software auditing company Cure53 said they found a catalogue of worrying problems with "Smart Sheriff," the most popular of more than a dozen child monitoring programs South Korea requires for new smartphones sold to minors. With "friends" like the S. Korea government, who needs enemies?
Software apps get updated by downloading patches to the software on the computer. Hardware apps get updated by downloading firmware into the hardware. Both have their risks of vendor oops, and vendor policies. D-Link inadvertently provided purchasers with tools to aid malware developers. http://www.net-security.org/secworld.php?id=18869
AVG privacy (not) policy lists data it collects from users, to sell to advertisers, to fund its fee service. This policy will be implemented starting October 15. AVG has published a blog post <http://now.avg.com/understanding-the-new-privacy-policy/> explaining the decision to go this route, along with the full privacy policy's content <http://www.avg.com/gb-en/privacy-new>, so users can read it and decide if they want to use its services, switch to the paid AVG version, or to an AVG competitor. They claim that the info to be shared will be non-personal, such as web search history, what apps are on our computers, not personal id like name, e-mail address, info which is used for id theft. http://news.softpedia.com/news/avg-proudly-announces-it-will-sell-your-browsing-history-to-online-advertisers-492146.shtml
Fahmida Y. Rashid, InfoWorld, 21 Sep 2015 The XcodeGhost malware on iOS and OS X provides an object lesson for developers: Never rely on unofficial versions or alternative repositories for your tools. Instead of trying to sneak a malicious iOS app past Apple's verification process onto the App Store, malware writers went after developers looking for shortcuts. [...] http://www.infoworld.com/article/2985129/security/sloppy-dev-practices-allowed-malware-into-apple-app-store.html
http://www.nytimes.com/2015/09/21/business/apple-confirms-discovery-of-malicious-code-in-some-app-store-products.html Security researchers said hackers took advantage of the fact that many Chinese developers use copies of code that are held on Chinese servers, resulting in a malicious version of Xcode.
http://www.nytimes.com/2015/09/22/technology/skype-service-disrupted-for-some-users-worldwide.html Microsoft's Internet calling unit did not specify how many of its roughly 300 million global users were affected.
Delete, Dump and Destroy: Canada's Government Data Severely Compromised <http://yro.slashdot.org/story/15/09/20/1658223/delete-dump-and-destroy-canadas-government-data-severely-compromised?sdsrc=prev> Image Doctoring Is Tough To Spot, Even When We're Looking For It <http://science.slashdot.org/story/15/09/20/0436230/image-doctoring-is-tough-to-spot-even-when-were-looking-for-it?sdsrc=next> Private Medical Data of Over 1.5 Million People Exposed Through Amazon <http://yro.slashdot.org/story/15/09/20/0144248/private-medical-data-of-over-15-million-people-exposed-through-amazon?sdsrc=next> Symantec Subsidiary Thawte Issues Rogue Google Certificates <http://tech.slashdot.org/story/15/09/19/2313220/symantec-subsidiary-thawte-issues-rogue-google-certificates?sdsrc=next>
http://arstechnica.com/security/2015/09/symantec-employees-fired-for-issuing-rogue-https-certificate-for-google/ Unauthorized credential was trusted by all browsers, but Google never authorized it.
http://www.nytimes.com/2015/09/24/technology/personaltech/iphone-6s-hands-free-siri-is-an-omen-of-the-future.html Voice recognition and artificial intelligence have improved so fast that we are nearing `ambient computing' or robotic assistants that are always on hand.
http://www.nytimes.com/2015/09/11/automobiles/as-head-up-displays-become-common-distraction-becomes-an-issue.html The technology, which shows data like a vehicle's speed in front of the driver, is moving beyond performance cars and appearing in more models.
http://arstechnica.com/tech-policy/2015/09/france-confirms-that-google-must-remove-search-results-globally-or-face-big-fines/ Google's informal appeal against a French order to apply the so-called "right to be forgotten" to all of its global Internet services and domains, not just those in Europe, has been rejected. The president of the Commission Nationale de l'Informatique et des Libertés (CNIL), France's data protection authority, gave a number of reasons for the rejection, including the fact that European orders to de-list information from search results could be easily circumvented if links were still available on Google's other domains. If Google complies with this order, they'll have set the stage for every country around the world to demand the right to globally censor literally anything that their governments find *inconvenient* in Google search results. Not just EU and other Western countries, but Putin's USSR^h^h^h^h Russia, China, and other repressive regimes. Politicians will rush to sanitize their search results. Religious entities will want to remove contradictory references. There will be no end to it. It will be a stampede to a lowest common denominator of useless pablum. I've been warning of this for years but now we're at the literal cusp of a global information censorship disaster. *This must stop now.*
http://prpl.works/2015/09/21/yes-the-fcc-might-ban-your-operating-system/ Over the last few weeks a discussion has flourished over the FCC's Notification of Proposed Rule Making (NPRM) on modular transmitters and electronic labels for wireless devices. Some folks have felt that the phrasing has been too Chicken-Little-like and that the FCC's proposal doesn't affect the ability to install free, libre or open source operating system. The FCC in fact says their proposal has no effect on open source operating systems or open source in general. The FCC is undoubtedly wrong.
Numerical codes for various things were useful on 80 byte punched cards, but horribly mistake-prone. Memory and processing power have improved a lot since then, so there is space for plain human readable English. I'm reminded of this whenever I can't remember the post office's two character abbreviation for the state in an address.
> Using such a system, attackers could trick a self-driving car into
> thinking something is directly ahead of it, thus forcing it to slow down.

On the other hand, a human-driven car can be forced to stop using a simple laser pointer costing a few dollars. Caltrops can work equally effectively against both types of vehicle.

Lauren Weinstein responded:

> All you need to do to stop a robo car is stand in front of it (and have
> your friend stand behind).

Agreed. So why is it a story that a self-driving car can be "tricked" into stopping using a setup costing $60?
All you need to do to stop a robo car is stand in front of it (and have your friend stand behind). Or just drop an obstruction in front and rear. Wear Nixon masks if you're worried about cameras. The robo car is dead in the water. A human-driven car has a driver who can get out and deal with it. The robo car (without a cooperative passenger to take the initiative) ... doesn't.
Something is pretty bogus with this article. They claim the dirtiest TLD is .ZIP, but the domain isn't active yet. Its DNS currently has a temporary wildcard with an A record of 127.0.53.53 to try to help flush out any old private usages of the name.
Why "the government"? They, especially ours, are the least of the problem. Whole armies of hackers will compete in the game of finding and exploiting any backdoor.
One mechanism to prevent some forms of malware involves convincing your local DNS server that certain names don't exist. http://www.circleid.com/posts/20100728_taking_back_the_dns/ Modern versions of Bind use rpz (response policy zones) to specify names that by local policy should be treated specially. The following two lines could be added to your local rpz zone.

    vortex-win.data.microsoft.com CNAME .
    settings-win.data.microsoft.com CNAME .

That prevents any machines in your environment from finding the ip addresses for those names. Of course Microsoft could escalate (like all good virus writers) and hardcode some starting ip addresses, use fast flux dns servers, use a random domain name generator to produce domain names to contact for the telemetry data, etc. But the use of any of those techniques would then make it even more obvious that Microsoft intends to use your computer, electricity, and bandwidth for their own purposes, even if that usage conflicts with your usage.
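As an added example (not part of the original post and not BIND's own tooling), the following script generates an RPZ zone file of the kind described above from a list of names to block. The zone name `rpz.local`, the SOA/NS values, the sample list and the function names are assumptions made for illustration.

```python
import re

# Constructed sample blocklist: the two names from the post, written in
# different forms, plus one invalid entry to show the input handling.
SAMPLE_NAMES = [
    "vortex-win.data.microsoft.com",
    "settings-win.data.microsoft.com.",   # trailing dot
    "Vortex-Win.Data.Microsoft.Com",      # duplicate in another case
    "not a hostname",
]

_LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")


def normalize(name):
    """Lower-case, strip the trailing dot; return None if not a valid DNS name."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    return name if all(_LABEL.match(label) for label in name.split(".")) else None


def build_rpz_zone(names, serial, origin="rpz.local", subdomains=False):
    """Return (zone_text, rejected_inputs).

    Owner names carry no trailing dot, so they are relative to the RPZ origin.
    'CNAME .' is the RPZ action that makes the resolver answer NXDOMAIN.
    """
    accepted, rejected = [], []
    for raw in names:
        name = normalize(raw)
        if name is None:
            rejected.append(raw)
        elif name not in accepted:
            accepted.append(name)
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    for name in accepted:
        lines.append(f"{name} CNAME .")
        if subdomains:
            # A plain entry matches only the exact name; the wildcard entry
            # extends the policy to every name below it.
            lines.append(f"*.{name} CNAME .")
    return "\n".join(lines) + "\n", rejected


# named.conf side (assumed zone and file names):
#   options { response-policy { zone "rpz.local"; }; };
#   zone "rpz.local" { type master; file "db.rpz.local"; };

if __name__ == "__main__":
    zone, bad = build_rpz_zone(SAMPLE_NAMES, serial=2015092401)
    print(zone)
    print("rejected:", bad)
```

The policy only affects clients that resolve through this server, which is why the hardcoded-address escalation mentioned in the post would bypass it.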
How about a mode where the adblocker still requests the ads from the network, but just doesn't show them to the user? Bandwidth savings are gone, but who cares as I have plenty. And the ad companies will just have to work harder to detect who is really seeing their ads or not.
Given that the ad blocking proponents keep complaining about "bandwidth" and "tracking", I have a feeling this wouldn't quiet them.
> or, worse, when a passenger unintentionally has one card read at the
> starting station and a different one read at the final station.

Yup, in which case both cards now are in the "I am now riding in the vehicle" state...