Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
David Sanger and Nicole Perlroth, *The New York Times*, 25 July 2016 As Democrats Gather, A Russian Subplot Raises Intrigue (datelined yesterday) http://www.nytimes.com/2016/07/25/us/politics/donald-trump-russia-emails.html Russia hacked the Democratic National Committee e-mails (thousands), and dumped them on wikileaks, about how the DNC was biased against Bernie Sanders. This episode should also be a reminder about how easy it might be to hack the forthcoming election—especially if Internet voting is allowed. It should also raise a lot of "hackles" (would that it were hackless!). PGN http://www.nytimes.com/2016/07/25/us/politics/donald-trump-russia-emails.html
Recent attacks give a glimpse of the sort of cyber-assault that could bring the world economy to a halt. Better defences are needed Jun 16 2016 <http://worldif.economist.com/article/12136/joker-pack> This May Anonymous, a network of activists, briefly hacked into Greece' central bank and warned in a YouTube message that: “Olympus will fall=A6This marks the start of a 30-day campaign against central-bank sites across the world.'' The warning struck a raw nerve. The financial system is little more than a set of promises between people and institutions. If these are no longer believed the whole house of cards will collapse and people will take their money and run. That happened in 2008 because of bad credit decisions; but the same could unfold via a sophisticated cyber-attack. Processes designed to make banking safer have created new vulnerabilities: large amounts of money flow through certain key bits of infrastructure. If such systemic institutions were compromised, a panic similar to those in 2008 could quickly spread. Cyber-attacks are rapidly growing, and financial services are a favoured target of thieves and people intent on causing chaos. The rise in attacks on individual banks, mostly to steal money or information or to shut down the system for the hell of it (often using so-called denial-of-service attacks), is worrying enough. But two recent attacks signal a move from simple “Bonnie and Clyde'' crimes to a new “Ocean' Eleven'' sophistication. In 2013 a raid by the Carbanak gang, named after the malware it used, was discovered when its “mules'' were seen picking up cash that was apparently being randomly dispensed by ATMs in Kiev (a ruse known as ATM jackpotting, whereby criminals hack into a bank' PCs and then send direct commands to the ATMs). The extent of the assault only gradually became clear: the final bill could be high. The largest sums were stolen by hacking into bank systems and manipulating account balances. For example, an account with $1,000 would be credited with an extra $9,000, then $9,000 would swiftly be transferred to an offshore account; the account holder would still have $1,000, so was unlikely to notice or panic. This messing with the numbers showed a new ability and ambition among cyber-criminals. The second attack unfolded over a few days in February, when hackers stole $81m from the Central Bank of Bangladesh' account at the Federal Reserve in New York, in a shockingly ambitious heist. More worrying than its scale was the fact that the raiders hijacked bank personnel' access to SWIFT, a highly secure (or so it was thought) messaging system that connects 11,000 financial institutions and sends around 25m messages a day, helping to settle billions of dollars-worth of transactions. They then sent 35 false payment orders from Bangladesh Bank, via SWIFT, to the central bank' account at the Fed. Experts think it likely that several more such efforts remain to be discovered. A similar, smaller, one has come to light in which hackers tried to take $1m from a bank in Vietnam, in December. Banks are now looking at limiting the number of people who can access SWIFT, and SWIFT itself has raised the possibility of suspending banks with weak security controls. These heists give a glimpse of what could lie ahead. Armageddon for banks could take the form of an attack prepared over several months and then carried out over a day or two of mayhem. In this scenario, the motive would be to cause maximum instability, something that worries regulators more than simple theft. [..] Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/> [More hackles raised.]
Trevor Timm, Freedom, June 30, 2016 https://freedom.press/blog/2016/06/leaked-fbi-documents-reveal-secret-rules-spying-journalists-national-security-letters Opening text: Today, The Intercept published leaked documents that contain the FBI's secret rules for targeting journalists and sources with National Security Letters (NSLs)—the controversial and unconstitutional warrantless tool the FBI uses to conduct surveillance without any court supervision whatsoever. [More hackles... PGN]
The Sensible Safeguards Needed Now for Pokemon GO http://lauren.vortex.com/2016/07/the-sensible-safeguards-needed-now-for-pokemon-go Unless Pokemon GO turns out to be a relatively short-lived popular phenomenon (and actually even if it is, since PoGo will be but the progenitor of many future augmented reality games and other applications) it appears likely that the full real world impacts of the game were seemingly not completely considered before launch, leading to a growing collection of alarming situations. There were signs of some sloppiness from the outset, when it was noted that the PoGo iOS app was asking for far more account permissions than was appropriate. The actual privacy risk in this case was minimal, but the mere fact that the app got out the door this way—given the intense concerns about app permissions generally—suggested a possible lack of due diligence in key respects. While various of the problematic reports we've seen about PoGo can be chalked up to user inattention (plowing a car into a tree, driving off a cliff, etc.), many others cannot be blamed on the users alone, per se. To note but a sampling, these include PoGo being used to attract players to be robbed, a registered sex offender who was supposed to stay away from children using the game to partner with a young child, and very recently, two players who were shot at by a homeowner when they were prowling a residential neighborhood at 1 AM. An array of other trespass-related occurrences have been noted, including players entering restricted areas at a nuclear power plant. Of broader impact is the swarming of neighborhoods, parks, and other public places by far larger numbers of people than they were designed for—or that local authorities are prepared for—at all hours of the day and night. There are serious public safety concerns involved. Such gaming activities become especially inappropriate when they occur at locations that are utterly unsuitable for gaming, like ordinarily quiet and respectful cemeteries and Holocaust museums. Fans of PoGo enthusiastically declare that it's a great way to meet new people and get exercise. Perhaps. In some locales at least, it seems that players are mostly driving around in their cars to reach designated targets, but we'll let that pass for the moment. One suspicion that's difficult to shake is that seemingly there wasn't much (if any?) attention given to purging inappropriate locations from PoGo's ancestor game—Ingress—before deploying them in PoGo. The need for such a purge should have been obvious, given that PoGo would have been reasonably expected to attract far more users than Ingress (as it indeed dramatically has) and would also be far more attractive to children. Historical side note: Ingress was originally developed at Google (in fact, I was one of its earliest players, I believe while it was still in beta), then spun off to a separate company—Niantic—in which Google holds a major stake. As I noted above, PoGo is but the beginning of what will certainly be a long line of innovative and important augmented reality mobile apps. And that makes getting the real world implications of this tech in line with real world requirements and impacts as quickly as possible—without stifling innovation. The most important requirement is to give more control to municipalities and persons who are impacted by these applications and their users. For example, it doesn't exactly take rocket science to figure out that sending users wandering around quiet residential areas in the middle of the night is a recipe for potentially dangerous (even lethal) confusion and confrontations, or that flooding a small park with thousands of people at once—without prior warning to local authorities—can easily lead to serious problems. Niantic needs to immediately work toward providing much better mechanisms for involved homeowners, business owners, municipalities, and other associated entities, to request removal of specific locations from the PoGo location database (much as you can request removal of locations from Google Street View currently). And there should be ways to specify "curfews" for specific locales as well—especially in residential neighborhoods, or areas with special concerns about the safety of late night visitors. It is also crucial that accessing this kind of request/control system not require use of the PoGo app itself, nor ideally use of the Internet in any way—given that many affected persons may not even have Internet access. Obviously, different areas, regions, and countries will have their own individual attitudes and concerns about participation in the PoGo ecosystem, and we can reasonably expect the sorts of removal and/or curfew requests received to vary widely around the globe. But it is not appropriate for these decisions to be made wholly by Niantic alone. And unless they and we get a handle on the real world impacts of augmented reality apps in short order, you can be sure that politicians -- already expressing concerns about this area—will be moving in with their own "control ideas"—that will likely not be of the form that many of us would want, nor that would protect innovation going forward. [We have a huge pile of incremental stuff relating to Pok*, but Lauren's blog seems to cover most of it. Suffice it to say that the resulting transgressions are startling, and the risks abound. P]
Chasing Pokémon, a Baby Step Toward Virtual Reality http://www.nytimes.com/2016/07/22/technology/personaltech/chasing-pokemon-a-baby-step-toward-virtual-reality.html With a charged cellphone in hand, a reporter joins San Francisco's first large planned Pokémon Go event.
Rachel Courtland, IEEE Spectrum, 22 Jul 2016 http://spectrum.ieee.org/tech-talk/computing/hardware/transistors-will-stop-shrinking-in-2021-moores-law-roadmap-predicts After more than 50 years of miniaturization, the transistor could stop shrinking in just five years. That is the prediction of the 2015 International Technology Roadmap for Semiconductors, which was officially released earlier this month. After 2021, the report forecasts, it will no longer be economically desirable for companies to continue to shrink the dimensions of transistors in microprocessors. Instead, chip manufacturers will turn to other means of boosting density, namely turning the transistor from a horizontal to a vertical geometry and building multiple layers of circuitry, one on top of another. For some, this change will likely be interpreted as another death knell for Moore' Law, the repeated doubling of transistor densities that has given us the extraordinarily capable computers we have today. Compounding the drama is the fact that this is the last ITRS roadmap, the end to a more-than-20-year-old coordinated planning effort that began in the United States and was then expanded to include the rest of the world. Citing waning industry participation and an interest in pursuing other initiatives, the Semiconductor Industry Association—a U.S. trade group that represents the interests of IBM, Intel, and other companies in Washington and a key ITRS sponsor—will do its own work, in collaboration with another industry group, the Semiconductor Research Corporation, to identify research priorities for government- and industry-sponsored programs. Other ITRS participants are expected to continue on with a new roadmapping effort under a new name, which will be conducted as part of an IEEE initiative called Rebooting Computing. These roadmapping shifts may seem like trivial administrative changes. But “this is a major disruption, or earthquake, in the industry,'' says analyst Dan Hutcheson, of the firm firm VLSI Research. U.S. semiconductor companies had reason to cooperate and identify common needs in the early 1990', at the outset of the roadmapping effort that eventually led to the ITRS' creation in 1998. Suppliers had a hard time identifying what the semiconductor companies needed, he says, and it made sense for chip companies to collectively set priorities to make the most of limited R&D funding. But the difficulty and expense associated with maintaining the leading edge of Moore' Law has since resulted in significant consolidation. By Hutcheson' count, 19 companies were developing and manufacturing logic chips with leading-edge transistors in 2001. Today, there are just four: Intel, TSMC, Samsung, and GlobalFoundries. (Until recently, IBM was also part of that cohort, but its chip fabrication plants were sold to GlobalFoundries.) These companies have their own roadmaps and can communicate directly to their equipment and materials suppliers, Hutcheson says. What' more, they're fiercely competitive. “They don't want to sit in a room and talk about what their needs are,'' Hutcheson says. “It' sort of like everything' fun and games when you start off at the beginning of the football season, but by the time you get down to the playoffs it' pretty rough.'' “The industry has changed,'' agrees Paolo Gargini, chair of the ITRS, but he highlights other shifts. Semiconductor companies that no longer make leading-edge chips in house rely on the foundries that make their chips to provide advanced technologies. What' more, he says, chip buyers and designers—companies such as Apple, Google, and Qualcomm—are increasingly dictating the requirements for future chip generations. “Once upon a time,'' Gargini says, “the semiconductor companies decided what the semiconductor features were supposed to be. This is no longer the case.'' [...]
http://www.nytimes.com/2016/07/21/business/dealbook/hsbc-foreign-exchange-investigation-currency.html Federal prosecutors charge the bankers with engaging in a front-running scheme related to a foreign exchange transaction in 2011.
Cory Doctorow, *The Guardian*, 21 Jul 2016 The Electronic Frontier Foundation is suing the US government over 'unconstitutional' use of the Digital Millennium Copyright Act <https://www.theguardian.com/technology/2016/jul/21/digital-millennium-copyright-act-eff-supreme-court> The Electronic Frontier Foundation (EFF) filed a lawsuit on Thursday that American copyright wonks, technologists and security researchers have been hotly awaiting for nearly 20 years. If they succeed, one of America's most controversial technology laws will be struck down, and countries all over the world who have been pressured by the US trade representative to adopt this American rule will have to figure out whether they'll still enforce it, even after the US has given up on it. The rule is section 1201 of the Digital Millennium Copyright Act (DMCA) of 1998, the *anti-circumvention* rule that makes it illegal to break an access control for copyrighted works. These access controls often manifest as digital rights management (DRM), and the DMCA gives them unique standing in law. EFF is suing the US government, arguing that section 1201 of the DMCA is unconstitutional, and also that the Library of Congress and the copyright office have failed to perform their duties in the three-year DMCA 1201 exemption hearings. What is digital rights management? If you buy something, it's yours, and you can modify, configure, or use it any way you'd like, even if the manufacturer would prefer that you didn't. But the law forbids you from doing otherwise legal things if you have to tamper with the DRM to do them. Originally, this was used exclusively by the entertainment industries: by adding DRM to DVDs, they could prevent companies from making DVD players that accepted DVDs bought abroad. It's not illegal to bring a DVD home from an overseas holiday and watch it, but if your DVD player recognises the disc as out-of-region, it is supposed to refuse to play it back, and the act of altering the DVD player to run out-of-region discs is unlawful under the DMCA's section 1201. It could even be a crime carrying a five-year prison sentence and a $500,000 fine for a first offense (the act of offering a region-free DVD player for sale, or even the neighbour's kid helping you to deregionalise your DVD player, can be criminal acts). Companies can only use the DMCA if they can argue that their DRM protected a copyrighted work. Nike can't invoke section 1201 of the DMCA to prevent a rival company from offering replacement shoelaces for its trainers, because shoelaces and trainers aren't copyrighted (or copyrightable). But once there/'s software involved, copyright enters the picture because software itself can be copyrighted. The proliferation of *smart* devices has put software—and potentially, the DMCA—into every part of our lives. Your car is a computer that surrounds your body. Auto manufacturers use DRM to prevent independent mechanics from reading out information from broken cars and to prevent diagnostic tool-makers from making smarter diagnostic equipment. Mechanics and tool-makers who want to know what's wrong with your car have to either break the DRM (risking fines or even prison) or get the official manufacturer;s permission to compete, which drives up repair costs. In other words, now that there's software in your car, the DMCA can be invoked to give manufacturers a monopoly over parts, service and features for them. And it's not just cars. Every three years, the US copyright office entertains proposals for limited exemptions to section 1201 of the DMCA. In 2015, they heard from people who have been frustrated by anti-circumvention rules as applied to voting machines (a computer we put a democracy inside of); hospital equipment (a computer we put sick people inside of); medical implants (computers we put inside our bodies); as well as critical infrastructure, financial technology and more.
http://www.nytimes.com/2016/07/22/business/fcc-backs-swedish-company-to-run-american-phone-routing-system.html Major wireless carriers pushed for Telcordia because of the cost savings, but some intelligence officials have raised national security concerns.
"The solution Blancco recommends: buy a tool to perform complete data erasure." Easier and cheaper - download any live boot Linux distro (perhaps https://getfedora.org/en/workstation/download/) to a USB stick, boot it, and "dd if=/dev/zero of=/dev/sda bs=1M" Of course you need to replace sda with the actual device name that connects to the disk you want to clear. Then you only need to worry about the disk sectors that were written and then remapped by the drive firmware. There are sectors on that disk that may contain information that cannot (now) be overwritten by the OS. But to read them you will need access to the drive firmware. Many - perhaps even most) folks won't be able to do that. And in any case, *almost all* of the data is overwritten with zeros.
I vote for pricing the RISK. Just fold it into the cost of the "liability insurance". Except that the owner won't actually be paying an insurance premium as such. If the car is really autonomous, then any "fault" belongs to the manufacturer and the mfgr will have to pay the damages. So the price of the car has to include "insurance"—the risk of liability payouts needs to be included in the price. When you buy the car, you can have the manufacturer set it for totally selfish (protect me at all costs), totally altruistic (always protect other people first), or somewhere in between (protect me, unless it will save at least n lives). The price of the car will change depending on what setting you choose. But don't expect the difference to be very big, at least not if the market sets the price. The chance of being in a potentially fatal accident is less than 1 in 10,000 for the entire life of the car, even with a human driver. With an automated "driver" that will (we hope) make many fewer mistakes, it will be a lot less. My guess is that a totally selfish car will cost around $50 more than a totally altruistic one. Maybe even less than that.
Mea culpa! > This is not Dorothy Parker, but Hilaire Belloc. > http://www.poetry-archive.com/b/the_microbe.html > Martyn
Please report problems with the web pages to the maintainer