(Article in Hebrew, use Google Translate) http://www.nrg.co.il/online/1/ART2/759/045.html There is a serious problem in the information system serving the "Tipat Chalav" (Drop of Milk) network of clinics in Israel. Those clinics monitor the health of babies, their growth, and vaccinate them. The problems are that wrong data is recorded for the babies: no record of vaccinations which were administered, vaccinations that were not in fact administered have been recorded, information about a baby's development recorded for the wrong patient, etc. There are also interruptions during data entry, causing the nurses in the clinics not to be sure if the data was actually entered into the system. The problem was caused by conversion from one computerized system into another computerized system. There are allegations that the Ministry of Health is covering up the problem. However, the problem has now been brought to the attention of the Knesset.
Sigh! "A vulnerability in Cisco NX-OS Software running on Cisco Nexus 3000 Series Switches and Cisco Nexus 3500 Platform Switches could allow an unauthenticated remote attacker to log in to the device with the privileges of the root user with bash shell access. The vulnerability is due to a user account that has a default and static password. This account is created at installation and cannot be changed or deleted without impacting the functionality of the system." https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-n3k
http://www.theregister.co.uk/2016/03/04/france_to_jail_tech_execs_over_encryption/
[From a friend who prefers not to be identified.]

> Date: March 5, 2016
> Subject: Big Brother is tracking all of us...except for terrorists
> Interesting video (in French, sorry, but the picture speaks for itself)
> sent by an unknown Middle-eastern technician to his "brothers and sisters"
> explaining how to disable the remote tracking features of a Galaxy4 smart
> phone.
> As the instructor says, "don't panic"...
The U.S. Supreme Court ruled in both the "Citizens United" and the "Hobby Lobby" cases that corporations are persons no less than living, breathing persons. That is, the Supreme Court eliminated the distinction between corporeal persons and corporate persons. The FBI is demanding that Apple perform a task that Apple would not otherwise do. The 13th amendment to the U.S. Constitution prohibited involuntary servitude. It makes no exception for national security, criminal investigations, or acts of terrorism. In any case, I have not heard that the FBI is willing to pay Apple's costs for subverting the security of its iPhone. Those costs would not merely be the labor costs of actually unlocking one phone; they would also include the costs of lost sales when potential customers stop trusting Apple. Lacking any offer of compensation, what the FBI proposes would be a violation of the last phrase of the 5th amendment of the Constitution: "nor shall private property be taken for public use, without just compensation."
*The Washington Post* via NNSquad https://www.washingtonpost.com/opinions/apple-vp-the-fbi-wants-to-roll-back-safeguards-that-keep-us-a-step-ahead-of-criminals/2016/03/06/cceb0622-e3d1-11e5-a6f3-21ccdbc5f74e_story.html That's why it's so disappointing that the FBI, Justice Department and others in law enforcement are pressing us to turn back the clock to a less-secure time and less-secure technologies. They have suggested that the safeguards of iOS 7 were good enough and that we should simply go back to the security standards of 2013. But the security of iOS 7, while cutting-edge at the time, has since been breached by hackers. What's worse, some of their methods have been productized and are now available for sale to attackers who are less skilled but often more malicious.
While the White House denies any internal disagreement over its legal battle with Apple, the differences in the administration have become increasingly apparent. http://www.nytimes.com/2016/03/06/us/politics/competing-interests-on-encryption-divide-top-obama-officials.html
[Google via NNSquad] Today, Google joined a variety of technology companies to file an amicus brief in US federal court. Together, we are voicing concern about the use of a broad statute from the 18th century, the All Writs Act, to require companies to re-engineer important security features that protect people and their data. http://googlepublicpolicy.blogspot.com/2016/03/joining-together-to-avoid-troubling.html [PGN suggests also: http://www.apple.com/pr/library/2016/03/03Amicus-Briefs-in-Support-of-Apple.html]
It's yet another reminder: If strong encryption is outlawed, only outlaws would have strong encryption; if encryption tools without backdoors are outlawed, only outlaws would have encryption tools without backdoors; if encryption without key escrow is outlawed, only outlaws would have encryption without key escrow; etc., etc...
I read the 50-page James Orenstein decision ... (you should, it's pretty interesting). It has many references to the California case, so it is obvious the judge expects it to be used as a precedent. I blogged about it here: https://jl.ly/Internet/nyapple.html
Peter Houppermans discusses the implications of the FBI winning the lawsuit to make Apple build tools to break the security of a specific iPhone. I don't disagree that whatever precedent the Apple vs FBI lawsuit sets, there are lots of similar lawsuits waiting to be decided the same way. But I dispute that companies will find it "more economical" to build pervasive backdoors into their kit. Global companies have been dealing with country-local restrictive legislation for a long time, and move their centres of operations around as they see fit. Banks and financial services firms, for example. There is a far larger global market for data privacy than the US alone. The European Union itself is (at least) a third larger in terms of population and its members implement legal systems which support data privacy and which will exist for the foreseeable future. I would guess that privacy-supporting kit will continue to be developed, because global companies such as Apple can sell it in markets where privacy is protected, such as most EU countries. Savvy US residents could avail themselves of trips to such places to obtain such kit, and US Homeland Security would have a new task trying to stop such kit from entering the US. There is a precedent for such a state of affairs, and it's not been pretty for most of the last century.

> The implications of a win are that it will no longer be possible to
> protect ANY information held on US provided equipment and services.

May well be. US companies who wish to protect their data could find ways to use Canadian or EU cloud services, maybe set up by global companies such as Apple, Amazon and Google.

Peter Bernard Ladkin, University of Bielefeld and Causalis www.rvs.uni-bielefeld.de www.causalis.com
This whole line of reasoning is so wrong on so many fronts. The reason that the FBI is requesting Apple to "break into" the iPhone in question is because Apple has ALREADY CREATED the backdoor into the device that permits them to do this. If Apple had not done so, there would be no way for Apple to comply no matter what tantrums anyone decided to throw. Just as Apple has created backdoor access for themselves to turn over backups and so forth stored in iCloud (the definition of "Cloud" being, of course, Third Party operated computer system over which the data owner has no control or influence over the security of what is stored there). Apple can get itself out of the mess it has created for itself by cutting the petard of its own making which is being used to hoist them: Give the user the complete and total ability to control the security of the Hardware and Software such that not even Apple has access once "Secure" mode is engaged. Apple should back up the impenetrable security of such a system with a $1,000,000.00 bond that once engaged, no one will be able to access the data on the device or the iCloud unless the correct password is provided (or guessed within the guessing limits), and that this may entail application of rubber hoses, waterboards, electric charges, and other tortures to the person in order to compel disclosure of the password. Then it will be up to the Device Owner to decide whether they want the device to be secure or not, and Apple will have no responsibility whatsoever for the outcomes of that decision.
Among many other things, the Apple case is about campaign contributions. Apple is one of the most valuable companies on Earth, so there are some not-so-subtle suggestions from time to time: "It's a nice little company you've got there, Apple; it would be such a shame for the govt to screw you over with bad laws and precedents". And the other tech giants know that they're next on the menu. How do we know this? Check the calendar: it's presidential election season.
> I will bet $$$ that this is just the tip of an iceberg, as it is
> breathtakingly stupid for the IRS to have been snookered by a KBA attack.

My tax accountant said a lot of her clients have had refund fraud, and it's so common that the fix, a form where you swear it wasn't you attached to your real return, is now quite routine.
ACLU lawsuit regarding US military drone killings led to a US gov filing with the court. http://i2.cdn.turner.com/cnn/2016/images/03/04/ppg.letter.pdf https://www.aclu.org/issues/national-security/targeted-killing

The court ordered the government to show the judge some key documents on the secret killing-by-drone program. https://www.aclu.org/blog/speak-freely/court-considers-releasing-key-documents-governing-secretive-targeted-killing https://www.aclu.org/sites/default/files/field_document/65._order_directing_government_to_produce_three_documents_2.25.16.pdf

Obama administration to go public with more details on drone killing program. http://www.cnn.com/2016/03/04/politics/drone-program-obama-administration/

Update on how to hack a government drone. This is not a new capability; it is just another well-qualified researcher finding something that others before him have found out, such as crooks, and nations we have been spying on. https://securityaffairs.co/wordpress/45039/hacking/hacking-professional-drones.html http://www.wired.com/2016/03/hacker-says-can-hijack-35k-police-drone-mile-away/ https://securityaffairs.co/wordpress/43168/laws-and-regulations/surveillance-drones-hacking.html

In the USA it is illegal to interfere with a drone in flight, because the courts have ruled that a drone is an aircraft, without differentiating rules for drones from rules for their larger cousins. 18 U.S. Code 32 prescribes up to 20 years in prison for anyone who willfully sets fire to, damages, destroys, disables, or wrecks an aircraft in flight. <https://www.law.cornell.edu/uscode/text/18/32> This also includes bringing down a drone via trained bird, big net, radio frequency gun, bigger drone, or hacking it. I hope there are no penalties if the owner of the drone crashes it, by accident or battery depletion, with no damage to anyone else, or if on the public highways a motorist collides with a drone which did not have right of way.
http://drones.newamerica.org/primer/ http://www.slate.com/blogs/future_tense/2016/03/04/proposed_connecticut_law_would_ban_putting_guns_on_drones.html