Please try the URL privacy information feature, enabled by clicking the flashlight icon above. This will reveal two icons after each link in the body of the digest. The shield takes you to a breakdown of Terms of Service for the site; however, only a small number of sites are covered at the moment. The flashlight takes you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The first sentence is a real howler. I am a big fan of celnav (I own 5 sextants and know how to use them), but teaching celnav out of fear of GPS sabotage demonstrates a profound lack of understanding about both GPS and navigation in general. There are plenty of reasons to know how to use a sextant, but these land-lubber senators have completely missed the boat. -p

Joe Uchill - 07/15/16 11:27 AM EDT
Senators back celestial navigation for all Navy personnel

Senators Joni Ernst (R-Iowa) and Gary Peters (D-Mich.) are pushing the Navy to teach all its sailors the ultimate backup plan in case of navigation systems sabotage—celestial navigation. The pair sent a letter to Secretary of the Navy Raymond Mabus, Jr. asking why the celestial training was only being taught to some, but not all, personnel.

"Though celestial and nautical navigation skills are more challenging to acquire, they are absolutely critical for our sailors," they wrote.

Navy boats—and most navigation systems worldwide—rely on the Global Positioning System run by the U.S. Air Force. But GPS operates on low-power satellite broadcasts that are not difficult to jam. This academic year, the Naval Academy began teaching celestial navigation again, the first time since 2006. The centuries-old practice of telling location by star locations is less susceptible to mechanical malfunction.

"We owe it to our sailors, enlisted and officer, to ensure these skills are being taught and our sailors are being held to the highest standard before we send them to the fleet. It is imperative that this standard is kept throughout the service."

http://thehill.com/policy/cybersecurity/287901-sens-back-celestial-navigation-for-all-navy-personnel
FYI—Wow! The govt could have purchased another half of a non-working F-35 for that sum! The govt should by all means weaken encryption so these frauds can be stopped in their tracks. ;-) Another ill-fated "TPP" scheme gone awry.

https://www.washingtonpost.com/news/powerpost/wp/2016/07/01/3-1-billion-lost-to-id-theft-tax-fraudsters-in-2014-at-least/

Joe Davidson, *The Washington Post*, 1 July 2016
$3.1 billion—at least—lost in bogus tax refunds to ID thieves in 2014

Even during this era of cyber-insecurity, here's a chilling figure: 3.1 billion. That's the number of dollars the Internal Revenue Service (IRS) paid in bogus tax refunds in 2014 because of identity theft refund fraud, according to the Government Accountability Office.

The IRS has a Taxpayer Protection Program (TPP) that sounds like it should provide security. It does, but not enough to prevent IRS from paying $30 million to identity theft fraudsters in 2014, based on the 1.6 million screened by the program. That's just one of the ways Uncle Sam fights identity theft fraud. About 7,200 of them were bogus. In total, IRS processed more than 150 million individual tax returns in 2015.

Overall, the GAO report indicates the IRS does a decent job of detecting and stopping ID fraud, which is a big business. Crooks attempted to get $25.6 billion from bogus refunds in 2014. The IRS beat them most of the time, stopping or recovering the theft of $22.5 billion, 88 percent of the attempted pillage. But in the remaining cases, crooks got the $3.1 billion. That could be a low-ball estimate, however. GAO says the IRS might have been beaten an unknown number of times for an undetermined amount of money by undetected cheating.

Regarding TPP authentication, IRS likely underestimated how many fraudulent returns it passed "because the agency did not include potential IDT (identity theft) returns that closely matched information returns provided by third parties, such as W-2s," said James R. McTigue, Jr., GAO's director of strategic issues.

TPP is designed to reduce identity theft fraud by verifying the identities of suspicious tax filers. But it has some holes. "TPP uses single-factor authentication procedures that incorporate one of the following authentication elements: 'something you know,' 'something you have,' or 'something you are,'" GAO said. "TPP's single-factor authentication procedures are at risk of exploitation because some fraudsters obtain the PII (personally identifiable information) necessary to pass the questions asked during authentication."

Criminals can find answers to at least one of those "somethings" by searching the web or even purchasing information from vendors. IRS did a risk assessment in 2012 and "determined that improper authentication through TPP posed low or moderate risks to both the agency and taxpayers, and therefore required no more than single-factor authentication."

[Long item pruned for RISKS. PGN]

The GAO report was requested by four members of Congress, including Sen. Susan Collins (R-Maine), chairwoman of the Special Committee on Aging. "While the IRS has developed tools and programs to detect and prevent refund fraud due to identity theft," she said in a statement, "GAO's report shows that substantial improvement is still needed."
(Posted by BeauHD on Thursday June 30, 2016)
<https://it.slashdot.org/story/16/06/30/0522216/us-efforts-to-regulate-encryption-have-been-flawed-government-report-finds>

-- from a report via The Guardian: U.S. Republican congressional staff said in a report released Wednesday that previous efforts to regulate privacy technology were flawed and that lawmakers need to learn more about technology before trying to regulate it.
<https://www.theguardian.com/technology/2016/jun/29/government-encryption-regulation-report-criticism>

The 25-page white paper is entitled Going Dark, Going Forward: A Primer on the Encryption Debate and it does not provide any solution to the encryption fight. However, it is notable for its criticism of other lawmakers who have tried to legislate their way out of the encryption debate. It also sets a new starting point for Congress as it mulls whether to legislate on encryption during the Clinton or Trump administration. "Lawmakers need to develop a far deeper understanding of this complex issue before they attempt a legislative fix," the committee staff wrote in their report. The committee calls for more dialogue on the topic and for more interviews with experts, even though they claim to have already held more than 100 such briefings, some of which are classified. The report says in the first line that public interest in encryption has surged once it was revealed that terrorists behind the Paris and San Bernardino attacks "used encrypted communications to evade detection."
<https://yro.slashdot.org/story/16/02/17/1347207/congressman-court-order-to-decrypt-iphone-has-far-reaching-implications>

Congressman Ted Lieu is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients.
<https://yro.slashdot.org/story/16/06/30/0340220/congressman-wants-ransomware-attacks-to-trigger-breach-notifications>
FYI—Theresa May, James Comey, Cyrus Vance, et al, can't wait to go full Stasi, as well. 'Putin-in-the-middle' attacks, anyone?

https://meduza.io/en/news/2016/07/07/putin-gives-federal-security-agents-two-weeks-to-produce-encryption-keys-for-the-internet

Putin gives federal security agents two weeks to produce 'encryption keys' for the Internet, Meduza, 7 July 2016

After signing controversial anti-terrorist legislation earlier today, President Putin ordered the Federal Security Service (the FSB, the post-Soviet successor to the KGB) to produce encryption keys to decrypt all data on the Internet. According to the executive order, the FSB has two weeks to do it. Responsibility for carrying out Putin's instructions falls on Alexander Bortnikov, the head of the FSB.

The new "anti-terrorist" laws require all "organizers of information distribution" that add "additional coding" to transmitted electronic messages to provide the FSB with any information necessary to decrypt those messages. It's still unclear what information exactly online resources are expected to turn over, given that all data on the Internet is encoded, one way or another, and in many instances encryption keys for encrypted information simply don't exist.

[Long item pruned for RISKS. PGN. There's LOTS MORE as well:]
https://meduza.io/en/feature/2016/06/27/the-duma-s-new-big-brother-legislation-kills-russia-s-internet-companies-and-hurts-ordinary-web-users-here-s-how
The continuing saga of corporations losing control due to relatively straightforward software problems. It's not a new problem and is likely to get much worse. In this series, some examples of problems with the choice of how to represent "time".

Now Southwest Can Act Like Other Airlines. Uh-Oh?
http://www.msn.com/en-us/money/companies/now-southwest-can-act-like-other-airlines-uh-oh/ar-AAhM9Qn?li=BBmkt5R

"Red-eye flights. Southwest negotiated red-eye flying with its pilots in June 2012 but hasn't been able to take advantage of these overnight flights to the East Coast and Midwest. Technology has been the chief culprit,"

This reminds me of comments at a recent conference about banks losing a lot of money because they can't charge interest during a daylight saving change because of the ambiguities in their time representations. The cost is in the many millions of dollars.
http://sot2016.cfa.harvard.edu/

The leap second is another product of a naive choice of representation. The minute is not fundamental. The precise calculations can be done using seconds. So there is no reason to undefine the minute. We can simply rename time zones every few centuries. The leap second is like Southwest solving the red-eye problem by landing planes at the nearest airport at midnight local time and then taking off again as another flight number rather than having a representation not tied to the name of the day.
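To make the representation point concrete, here is an added example (not from the post or the conference linked above) in Python 3.9+: it shows why arithmetic on local wall-clock labels is ambiguous across a daylight saving change, while resolving the labels to instants (UTC or epoch seconds) first is not. The accrual window, the zone (America/New_York) and the function names are constructed assumptions.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed example: an accrual window on the night US daylight saving time
# ends (6 Nov 2016, 02:00 EDT -> 01:00 EST), when every wall-clock time between
# 01:00 and 02:00 occurs twice.  Assumed zone: America/New_York.
NY = ZoneInfo("America/New_York")
START = datetime(2016, 11, 6, 0, 30)   # naive local wall-clock time, unambiguous
END = datetime(2016, 11, 6, 1, 30)     # naive local wall-clock time, ambiguous


def is_ambiguous(local: datetime, tz: ZoneInfo) -> bool:
    """True if this wall-clock label maps to two different instants in tz
    (PEP 495 'fold' selects which one)."""
    first = local.replace(tzinfo=tz, fold=0).utcoffset()
    second = local.replace(tzinfo=tz, fold=1).utcoffset()
    return first != second


def naive_elapsed(start: datetime, end: datetime) -> float:
    """Arithmetic on local labels: what a 'day name plus clock reading'
    representation does.  It cannot tell the two 01:30s apart."""
    return (end - start).total_seconds()


def true_elapsed(start: datetime, end: datetime, tz: ZoneInfo,
                 end_fold: int = 0) -> float:
    """Resolve both labels to instants (UTC) before subtracting.
    end_fold picks which 01:30 was meant: 0 = first (EDT), 1 = second (EST).
    Converting to UTC first matters: Python subtracts aware datetimes that
    share a tzinfo on their naive fields, ignoring fold and offsets."""
    s = start.replace(tzinfo=tz, fold=0).astimezone(timezone.utc)
    e = end.replace(tzinfo=tz, fold=end_fold).astimezone(timezone.utc)
    return (e - s).total_seconds()


def epoch_seconds(local: datetime, tz: ZoneInfo, fold: int = 0) -> int:
    """Store the instant, not the label: an integer count of seconds since the
    epoch is unambiguous and unaffected by DST changes or zone renames."""
    return int(local.replace(tzinfo=tz, fold=fold).timestamp())


if __name__ == "__main__":
    print("01:30 local is ambiguous:", is_ambiguous(END, NY))
    print("naive elapsed seconds:", naive_elapsed(START, END))
    print("true elapsed if the first 01:30 was meant:", true_elapsed(START, END, NY, 0))
    print("true elapsed if the second 01:30 was meant:", true_elapsed(START, END, NY, 1))
    print("the two instants as epoch seconds:",
          epoch_seconds(END, NY, 0), epoch_seconds(END, NY, 1))
```

The naive computation always answers 3600, but the customer may have been charged for an hour or for two, depending on which 01:30 the stored label referred to; epoch seconds carry that distinction.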
[Note: This item comes from reader Randall Head. DLH]

Lisa Vaas, Naked Security, 27 Jun 2016
https://nakedsecurity.sophos.com/2016/06/27/irs-hacked-again-say-goodbye-to-that-pin-system/

In the wake of automated attacks speeding up, the US tax overlords—the Internal Revenue Service (IRS)—has [sic] likewise sped up plans to deep-six its repeatedly hacked PIN system.

The IRS on Thursday announced that it's removed its electronic filing PIN tool (e-File PIN), formerly available on IRS.gov or by toll-free phone call, following additional questionable activity. Additional, as in, on top of 800 identity thefts that had already caused the IRS to suspend the PIN system in March 2016 (though it told taxpayers who already had an IP PIN at the time to continue to file their tax returns as they normally would).

The e-File PIN, also known as the Identity Protection (IP) PIN, is a supposedly special, strong form of two-factor authentication (2FA) meant to protect taxpayers from ID fraud: a six-digit number that, oddly enough, the US tax authority only sent to taxpayers who'd already been victimized. Those PINs were for victimized taxpayers to include on future tax returns as an extra layer of security, since cybercrooks had already stolen their taxpayer IDs—i.e., their Social Security Numbers (SSNs). The idea was that without a valid IP PIN, you couldn't login, even if you were a crook armed with somebody's SSN. Great! we said, as did the vast majority of readers. Why can't everybody get one?

The problem with the PIN retrieval system, presumably, was that it used the same knowledge-based authentication that led to last year's breach of the agency's Get Transcript service: a service that allowed taxpayers to retrieve details of their past tax returns. Applicants had to answer four questions about themselves to get a number, along the lines of "On which of the following streets have you lived" or "What is your total scheduled monthly mortgage payment?"

But scammers can dig out, guess, or buy personal data like that online. That can enable them to get the PIN, with which they then try to file a bogus return. Even before last year's Get Transcript breach, a report by the Government Accountability Office pointed out the weaknesses in the PIN retrieval system. But for whatever reason, the IRS left it in place. And along with that status quo came an increase, over recent years, in automated attacks from crooks who've gone out of their way to get access to innocent users' online tax submission accounts.

In February, we got wind of the thieves having struck again. This time, they used a list of known SSNs to repeatedly try to access the IRS's Get My Electronic Filing PIN portal. At the time, the crooks were after the PINs corresponding to 464,000 previously stolen SSNs and other taxpayer data. The IRS blocked that automated bot, but not before it had successfully grabbed 100,000 PINs. [...]
Posted by BeauHD, 30 Jun 2016, via The Stack:
<https://developers.slashdot.org/story/16/06/30/0255250/2-million-person-terror-database-leaked-online>

A 2014 version of the World-Check database containing more than 2.2 million records of people with suspected terrorist, organized crime, and corruption links has been leaked online.
<https://thestack.com/security/2016/06/29/2-million-person-terror-database-leaked-online/>

The World-Check database is administered by Thomson-Reuters and is used by 4,500 institutions, 49 of the world's 50 largest banks and by over 300 government and intelligence agencies.
<http://financial.thomsonreuters.com/content/dam/openweb/documents/pdf/governance-risk-compliance/fact-sheet/world-check-risk-screening-fact-sheet.pdf>

The unregulated database is intended for use as "an early warning system for hidden risk" and combines records from hundreds of terror and crime suspects and watch-lists into a searchable resource. Most of the individuals in the database are unlikely to know that they are included, even though it may have a negative impact on their ability to use banking services and operate a business.

A Reddit user named Chris Vickery says he obtained a copy of the database,
<https://www.reddit.com/r/privacy/comments/4q840n/terrorism_blacklist_i_have_a_copy_should_it_be/>
...saying he won't reveal how until "a later time."
<https://www.rt.com/news/348874-world-check-database-leaked/>

To access the database, customers must pay an annual subscription charge, that can reach up to $1 million, according to Vice,
<https://news.vice.com/article/vice-news-reveals-the-terrorism-blacklist-secretly-wielding-power-over-the-lives-of-millions>
...with potential subscribers then vetted before approval.

Vickery says he understands that the "original location of the leak is still exposed to the public Internet" and that "Thomas Reuters is working feverishly to get it secured." He told The Register...
<http://www.theregister.co.uk/2016/06/29/global_terror_database_worldcheck_leaked_online/?mt=1467196913211>
...that he alerted the company to the leak, but is still considering whether to publish the information contained in it.
[TANSTAFS—a corollary of TANSTAFL <There Ain't No Such Thing As a Free Lunch>]

Researchers Find Over 6,000 Compromised Redis Installations
<https://developers.slashdot.org/story/16/07/09/0448257/researchers-find-over-6000-compromised-redis-installations>
(Posted by EditorDavid on Saturday July 09, 2016)

An anonymous SlashDot reader wrote: Security researchers have discovered over 6,000 compromised installations of Redis,
<https://www.riskbasedsecurity.com/2016/07/redis-over-6000-installations-compromised/>
....the open source in-memory data structure server, among the tens of thousands of Redis servers indexed by Shodan. "By default, Redis has no authentication or security mechanism enabled, and any security mechanisms must be implemented by the end user." The researchers also found 106 different Redis versions compromised, suggesting "there are a lot of Redis installations that are not upgrading to the most recent versions to fix any known security issues." 5,892 infections were linked to the same email address, with two more email addresses that were both linked to more than 200. "The key take away from this research for us has been that insecure default installations continue to be a significant issue, even in 2016."

EditorDavid commented: Redis "is designed to be accessed by trusted clients inside trusted environments," according to its documentation.
<http://redis.io/topics/security>
"This means that usually it is not a good idea to expose the Redis instance directly to the Internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket... Redis is not optimized for maximum security but for maximum performance and simplicity."
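The "insecure default" point in a checkable form, as an added example that is not from the researchers or the Redis project: a small Python audit of a redis.conf text for the three directives that together decide exposure (the bind address, protected-mode, and requirepass), with an open configuration beside a hardened one. The sample configs are constructed, and the list of addresses treated as wildcards is my assumption.

```python
# Constructed sample configs (not from the report).  Redis treats only lines
# that start with '#' as comments, so no inline comments are used here.
OPEN_CONF = """\
# no 'bind' line: the server listens on every interface
protected-mode no
port 6379
# no 'requirepass' line: any client that can reach the port is trusted
"""

HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
"""

# Assumed set of bind arguments that mean "all interfaces".
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}


def parse_conf(text: str) -> dict[str, list[str]]:
    """Map each directive to the list of argument strings seen for it,
    skipping blank lines and full-line comments.  Later lines win in Redis,
    so callers look at the last entry."""
    settings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(args)
    return settings


def audit_redis_conf(text: str) -> list[str]:
    """Return human-readable findings for the exposure pattern the report
    describes: reachable from untrusted networks with no authentication."""
    s = parse_conf(text)
    findings: list[str] = []

    # 1. Which interfaces the server listens on.
    binds = [addr for args in s.get("bind", []) for addr in args.split()]
    if not binds:
        findings.append("no 'bind' directive: listens on all interfaces")
    elif any(b.lstrip("-") in WILDCARD_BINDS for b in binds):
        findings.append(f"'bind' includes a wildcard address: {' '.join(binds)}")

    # 2. protected-mode (added in Redis 3.2; older versions have no such guard).
    if s.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("'protected-mode no': the loopback-only safety net is off")

    # 3. Client authentication.
    password = s.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append("no 'requirepass': clients are never authenticated")

    return findings


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(conf) or 'no findings'}")
```

A clean result from this audit is necessary but not sufficient: the project's own advice quoted above is to keep the port off untrusted networks entirely, and a host firewall is the layer that enforces that regardless of what redis.conf says.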
[Note: This item comes from friend Jen Snow. DLH]

Dave Lee, Jul 8 2016
Food chain Wendy's hit by massive hack
<http://www.bbc.com/news/technology-36742599>

Popular US food chain Wendy's has been hit by a massive cyber attack, the company has confirmed. The company reported suspicious activity earlier this year, but the scale of the breach is far bigger than first anticipated. At least 1,025 of its restaurants were targeted - with debit and credit card information stolen. The company did not speculate how many people may have been affected, though it did say all of the locations were in the US.

Malware - malicious software - had been installed on point-of-sale systems in the affected locations. The chain said it was confident the threat had been removed, and was now offering help to customers who may have been affected. Help includes the offer of one year of "complimentary" fraud protection services.

Suspicious activity

In a statement outlining the details of the attack, Wendy's said the malware could have been operational in its restaurants from as early as Autumn 2015. Suspicious activity was noticed in February of this year. The company went public with this discovery in May - saying it believed around 300 restaurants had been affected. But with the number rising to more than 1,000, this hack ranks among one of the most significant in US history.

The Wendy's hack bears some similarity to the attack on Target in 2013. In that breach, around 40 million customers' details were stolen via malware installed on point-of-sale computers.

Wendy's has blamed a third-party for the intrusion, saying a "service provider" that had remote access to the till systems was compromised. The company did not say who that service provider was, nor did it explain why it had remote access to the tills of 1,025 of the firm's 5,700 restaurants. [snip]

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>
(Posted by manishs on Friday July 01, 2016)
<https://it.slashdot.org/story/16/07/01/140242/why-twitter-cant-even-protect-tech-ceos-from-getting-hacked>

Over the past few weeks, we have seen a number of CEOs—including Google's Sundar Pichai, and Facebook's Mark Zuckerberg—become victims of Twitter hacks. One must ask, what's wrong with Twitter that so many people—including high-profile names—keep getting hacked? BuzzFeed dives deep into the problem, and says it's how Twitter interacts with third-party apps that's at fault.
<https://www.buzzfeed.com/josephbernstein/why-twitter-cant-even-protect-tech-ceos-from-hacks>

From the article: Over the past several weeks, however, a three-person hacking team called OurMine has made clear that years after the problem first came to light, third-party authentication is still a security nightmare for Twitter. By gaining access to apps with third-party write access, OurMine has been able to post to the Twitter accounts of tech bigwigs like Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Uber CEO Travis Kalanick. In other words, whichever write-authorized app connected to your Twitter is least secure is exactly how secure your Twitter account is. [...]

The public nature of Twitter, whose main point is to share information as quickly and widely as possible, has made these attacks a much bigger issue for Jack Dorsey's company than they are for Facebook. And there's very little Twitter can do to solve the problem that doesn't defeat the incentives for third-party writing privileges in the first place: Speed and functionality. Adding layers of security—like an extra login—to access Twitter through a third-party app defeats the purpose of speedy cross-platform sharing. And disabling third-party writing would anger developers and hurt engagement, a cost Twitter probably isn't willing to bear.
http://thetechportal.com/2016/07/05/security-researcher-uncovers-high-risk-bios-vulnerability-lenovo-pcs/

According to researcher Dmytro Oleksiuk aka Cr4sh, the erroneous code exploits the 0day privilege escalation vulnerability in Lenovo's BIOS. This bug allows users to exploit the flash write protection, disabling of UEFI Secure Boot, Virtual Secure Mode and Credential Guard on most Windows Enterprise powered Lenovo PCs. And this is just a small list of possible evil things that can be executed using this vulnerability.

The vulnerability is present in most ThinkPad Series laptops, ranging from the newest T450s to the oldest X220s. The faulty firmware drivers seem to have been copy-and-pasted by the PC manufacturer using data supplied by Intel. Though it is still uncertain whether the vulnerable code is available in the public, it has already been detected in another HP laptop dating back to 2010.
http://fortune.com/2016/06/29/symantec-norton-vulnerability/

Google's "project zero" team, a group of security analysts tasked with hunting for computer bugs, discovered a heap of critical vulnerabilities in Symantec and Norton security products. The flaws allow hackers to completely compromise people's machines simply by sending them malicious self-replicating code through unopened emails or unclicked links. The vulnerabilities affect millions of people who run the company's endpoint security and antivirus software, rather ironically to protect their devices. Indeed, the flaws rendered all 17 enterprise products (Symantec brand) and eight consumer and small business products (Norton brand) open to attack.

[Gene Wirchenko noted Charlie Osborne for Zero Day, ZDNet, 29 Jun 2016
http://www.zdnet.com/article/symantec-antivirus-product-bugs-as-bad-as-they-get/
PGN]
(Posted by manishs on Friday July 01, 2016)
<https://it.slashdot.org/story/16/07/01/1437254/you-can-now-browse-through-427-millon-stolen-myspace-passwords>

Stan Schroeder, writing for Mashable: An anonymous hacker managed to obtain an enormous number of user credentials in June 2013 from fallen social networking giant MySpace—some 427 million passwords, belonging to approx. 360 million users.
<https://it.slashdot.org/story/16/05/27/1845202/hackers-claim-to-have-427-million-myspace-passwords>

In May 2016, a person started selling that database of passwords on the dark web. Now, the entire database is available online for free.
<http://mashable.com/2016/07/01/myspace-password-database/#GxHE3Yw52mqx>

Thomas White, security researcher also known by the moniker "Cthulhu," put the database up for download as a torrent file on his website, here. "The following contains the alleged data breach from MySpace dating back a few years. As always, I do not provide any guarantees with the file and I leave it down to you to use responsibly and for a productive purpose," he wrote. The file is 14.2 GB in size; downloading it might take some time. It is password-protected, but White made the password available on Twitter and his site.
[Via Dave Farber]

[The usual pattern of using horrible defendants to create horrible precedents. Not only does this ruling continue to chip away at personal privacy, it seems to also establish a precedent that computer security will always be ineffectual. Michael Winser]

http://www.eweek.com/security/home-computers-connected-to-the-internet-arent-private-court-rules.html

A federal judge for the Eastern District of Virginia has ruled that the user of any computer that connects to the Internet should not have an expectation of privacy because computer security is ineffectual at stopping hackers. The June 23 ruling came in one of the many cases resulting from the FBI's infiltration of PlayPen, a hidden service on the Tor network that acted as a hub for child exploitation, and the subsequent prosecution of hundreds of individuals. To identify suspects, the FBI took control of PlayPen for two weeks and used what it calls a "network investigative technique," or NIT, a program that runs on a visitor's computer and identifies their Internet address.

Continues...
http://www.eweek.com/security/home-computers-connected-to-the-internet-arent-private-court-rules.html
[Interesting Times...]

(Posted by BeauHD on Thursday June 30, 2016)
<https://tech.slashdot.org/story/16/06/30/208253/netherlands-gets-first-nationwide-internet-of-things>

The Netherlands has become the first country in the world to implement a nationwide long-range (LoRa) network for the Internet of Things, says Dutch telecoms group KPN on Thursday. "As from today the KPN LoRa network is available throughout The Netherlands," KPN said in a statement.

Phys.Org reports: "The rollout of a low data rate (LoRa) mobile communications network is critical to connect objects as many may not be able to link up with home or work Wi-Fi networks to gain Internet access. The LoRa network is complementary to KPN's networks for the 2G, 3G and 4G phones. KPN has already reached deals to connect some 1.5 million objects, a number which should steadily grow now that the LoRa network is available across the country. Tests are being carried out at the Schiphol airport in Amsterdam—one of Europe's busiest air hubs—for baggage handling. Meanwhile in the Utrecht rail station an experiment is under way to allow LoRa to monitor rail switches."
Internet enabled devices provide unprecedented ease-of-access. That access is double edged. It makes remote management easier and more convenient; but the existence of connectivity also provides malevolent actors new avenues for attack.

* From the Senrio blog article: "In today's age of constant connectivity the allure of remotely checking on your home and loved ones is appealing and manufacturers of Wifi Cameras promise a 'second set of eyes around the home or office.' However, you may not be the only one peeping in. The dangers of unsecured webcams and baby monitors have been reported in 2014 with cautionary tales warning consumers to change their default passwords. So that's the end of the story, right? Adding a password will protect me from creepy strangers looking into my home. Not so fast. Researchers at Senrio discovered a vulnerability in a popular Wifi camera that lets attackers overwrite the administrator password."

It is worth noting that more than twenty years ago, in the "Computer Security Handbook, Third Edition" (1995, Wiley), I observed that firms should place critical assets within walled compartments with access controlled by firewalls, separating them from both the general organizational intranet and the public Internet. What holds true for money transfer, trading, and industrial control systems also holds true for baby cams, refrigerators, and HVAC systems.

The ZDnet article can be found at:
http://www.zdnet.com/article/security-flaw-in-120-d-link-wi-fi-iot-products-can-be-exploited-with-one-click/

The underlying blog post is at:
http://blog.senr.io/blog/home-secure-home
Grant Gross, ComputerWorld, 29 Jun 2016
The Computer Fraud and Abuse Act limits online discrimination research, the group says
http://www.computerworld.com/article/3089478/security/aclu-lawsuit-challenges-us-computer-hacking-law.html

selected text: The American Civil Liberties Union on Wednesday filed a lawsuit challenging a 30-year-old hacking-crimes law, saying the law inhibits research about online discrimination.
(Posted by manishs on Tuesday June 28, 2016)
<https://hardware.slashdot.org/story/16/06/28/1559232/how-sony-microsoft-and-other-gadget-makers-violate-federal-warranty-law>

Reader citadrianne shares a Motherboard article: There are big "no trespassing" signs affixed to most of our electronics. If you own a gaming console, laptop, or computer, it's likely you've seen one of these warnings in the form of a sticker placed over a screw or a seam: "Warranty void if removed." In addition, big manufacturers such as Sony, Microsoft, and Apple explicitly note or imply in their official agreements that their year-long manufacturer warranties—which entitle you to a replacement or repair if your device is defective—are void if consumers attempt to repair their gadgets or take them to a third party repair professional. What almost no one knows is that these stickers and clauses are illegal under a federal law passed in 1975 called the Magnuson-Moss Warranty Act. To be clear, federal law says you can open your electronics without voiding the warranty, regardless of what the language of that warranty says.
<http://motherboard.vice.com/read/warranty-void-if-removed-stickers-are-illegal>
NNSquad
https://torrentfreak.com/uk-bill-introduces-10-year-prison-sentence-for-online-pirates-160706/

The UK Government's Digital Economy Bill, which is set to revamp current copyright legislation, has been introduced in Parliament. One of the most controversial changes is the increased maximum sentences for online copyright infringement. Despite public protest, the bill increased the maximum prison term five-fold, from two to ten years.

Oscar Pistorius just received a sentence of about half that for murdering his girlfriend.
Stephanie Condon, ZDNet, Between the Lines, Jun 27 2016
In a setback for consumers seeking more privacy online, an appeals court largely sided with Google and Viacom over their use of cookies on a children's website.
http://www.zdnet.com/article/google-viacom-win-appeal-in-lawsuit-over-childrens-privacy/
via NNSquad
http://arstechnica.com/tech-policy/2016/07/teen-girl-who-texted-friend-to-commit-suicide-must-stand-trial/

Massachusetts' top court ruled Friday that a teenager may stand trial on involuntary manslaughter charges in connection to text messages she sent urging her friend to commit suicide. In a unanimous ruling, the Supreme Judicial Court said a local grand jury had enough probable cause to indict Michelle Carter in connection to the 2014 suicide of Carter Roy III, who was found dead about 50 miles south of Boston in a Fairhaven parking lot. Carter was 17 at the time of Roy's suicide, and she is accused of sending Roy several texts, including one saying "get back in" the day the 18-year-old teen took his own life via carbon monoxide fumes inside his truck.

Very sad case, but clearly prosecutor overreach by a DA trying to make a name for themselves.

[Beware of giving advice—especially on social media and even e-mail. PGN]
Lucian Constantin, PC World, 1 Jul 2016
Firmware exploit can defeat new Windows security features on Lenovo ThinkPads
The exploit targets a zero-day discovered in the UEFI firmware of ThinkPads
http://www.pcworld.com/article/3091104/firmware-exploit-can-defeat-new-windows-security-features-on-lenovo-thinkpads.html

opening text: A newly released exploit can disable the write protection of critical firmware areas in Lenovo ThinkPads and possibly laptops from other vendors as well.

and

Lucian Constantin, PC World, Jul 5 2016
Nasty Lenovo UEFI exploit also affects products from other vendors
The same critical vulnerability was found in the firmware of an HP laptop and several Gigabyte motherboards.
http://www.pcworld.com/article/3091766/security/lenovo-thinkpwn-uefi-exploit-also-affects-products-from-other-vendors.html

opening text: A critical vulnerability that was recently found in the low-level firmware of Lenovo ThinkPad systems also reportedly exists in products from other vendors, including HP and Gigabyte Technology.
Lucian Constantin, 5 Jul 2016 Android smartphone makers can help law enforcement break full-disk encryption on Qualcomm-based devices. http://www.pcworld.com/article/3091091/security/android-full-disk-encryption-can-be-brute-forced-on-qualcomm-based-devices.html
(Posted by manishs on Wednesday June 29, 2016) <https://it.slashdot.org/story/16/06/29/1519257/android-malware-pretends-to-be-whatsapp-uber-and-google-play> itwbennett writes: Security vendor FireEye said on Tuesday that malware that can spoof the user interfaces of Uber, WhatsApp and Google Play... <http://www.csoonline.com/article/3089498/data-breach/this-malware-pretends-to-be-whatsapp-uber-and-google-play.html> ...has been spreading through a phishing campaign over SMS. Once downloaded, the malware, which has struck Android users in Denmark, Italy and Germany, will create fake user interfaces on the phone as an 'overlay' on top of real apps. These interfaces ask for credit card information and then send the entered data to the hacker.
<https://yro.slashdot.org/story/16/07/03/224256/interview-with-an-nsa-hacker-published-by-the-intercept> (Posted by EditorDavid on Sunday July 03, 2016) The Intercept published a 4,000 word article based on a journalist's three-hour interview with an "NSA hacker" <https://theintercept.com/2016/06/28/he-was-a-hacker-for-the-nsa-and-he-was-willing-to-talk-i-was-willing-to-listen/> ...who recently left the agency for a career in cybersecurity. Offering a portrait of life within the U.S. intelligence agency, "Lamb" says he worked on "ridiculously cool projects that I'll never forget... Technically challenging things are just inherently interesting to me." He's the author of some of the memos leaked by Edward Snowden about how the NSA tries to identify Tor users or break into sys-admin accounts. ("One of his memos outlined the ways the NSA reroutes (or "shapes") the Internet traffic of entire countries, <https://www.documentcloud.org/documents/2919677-Network-Shaping-101.html> and another memo was titled "I Hunt Sysadmins.") <https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/> "If you tell me, 'This can't be done,' I'm going to try and find a way to do it." EditorDavid comments: It's interesting that he ended one memo with "Current mood: devious" and wrote in another that Tor "generally makes for sad analysts". But in his interview, he warns that "There is no real safe, sacred ground on the Internet. Whatever you do on the Internet is an attack surface of some sort and is just something that you live with."
http://www.cavebear.com/cavebear-blog/internet_quo_vadis/ I perceive a rather different future than most. Rather than seeing a future in which there is a global Internet, I perceive a future in which we will have a network of internets. I use the phrase "islands and bridges" to describe that future. Because users of today use "Apps" they care little about the end-to-end principle as applied to IP packets. Thus the door has been opened to an increasingly intense use of walled gardens that are connected to "the dangerous outside" by portals tuned to allow only traffic from certain Apps. It is not a big step for those walled gardens (such as China or Facebook) to harden the walls and intensify the portals so that they become essentially private Internets. Each of these Internets could, if it chooses, have its own entire IPv4/6 address space, its own DNS, its own everything. These rather explicit islands would be connected by equally explicit, and highly controlled, bridges created using application-level-gateway, also sometimes called "proxy" techniques. The forces that are pushing us in these directions are strong: security fears, nationalism, culturalism, national security interests in channeling traffic so that it may be observed, commercial interests in channeled traffic so that it may be regulated and subject to fees, etc.
*WiReD* via NNSquad https://www.wired.com/2016/06/researchers-sue-government-computer-hacking-law/ But four academic researchers who specialize in uncovering algorithmic discrimination say that a decades-old federal anti-hacking statute is preventing them from doing work to detect such discrimination. They say a provision of the Computer Fraud and Abuse Act could be used to criminally prosecute them for research that involves scraping publicly available data from these sites or creating anonymous user accounts on them, if the sites' terms of service prohibit this activity. The researchers, along with First Look Media Works, which publishes The Intercept, filed a lawsuit today against the Justice Department, asserting that opening fake profiles to pose as job and housing seekers constitutes speech and expressive activity that is protected under the First Amendment. They further argue that because sites can change their terms of service at any time without informing visitors, this can suddenly turn any speech or activity on the site into a criminal act--a violation, they say, of the Fifth Amendment right to due process, which requires proper notice to the public of what constitutes criminal behavior.