Seemingly conclusive Dutch report via *The Guardian* http://cdn.onderzoeksraad.nl/documents/report-mh17-crash-en.pdf
The following article argues that a penetration tester was able to access aircraft control systems through ACARS. http://www.scmagazineuk.com/european-aviation-body-warns-of-cyber-attack-risk-against-aircraft/article/444487/
Computer-based systems are not trusted, so the stars are your backup. Better keep a lodestone in your pocket. http://www.sltrib.com/home/3062676-155/cybersecurity-fears-are-making-us-sailors
Back in September 2005, IEEE Spectrum magazine published my article "Why Software Fails," which examined the underlying causes of notable IT project failures. Then, in June 2007, I started writing the Risk Factor blog for the magazine, with the goal of tracking information technology development and operational failures/ooftas both large and small. Since the beginning of the year, my Spectrum colleague Josh Romero and I have been working quite hard organizing, verifying and analyzing the data collected from over 1,750 Risk Factor blog posts (as well as other public information) and figuring out a convenient way to display the most significant/interesting failures that have happened since my 2005 article. The project (somewhat ironically) turned out to be a bit more complex and time consuming than planned, but we are now finally done. The landing page for our effort is now available here: http://spectrum.ieee.org/static/lessons-from-a-decade-of-it-failures. More links will be posted over the next few weeks. I hope you enjoy them.
http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/ "Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous," researchers Alex Halderman and Nadia Heninger wrote in a blog post published Wednesday. "Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections." Not just NSA. Also all the other major powers East and West as well, especially working in tandem.
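As an added illustration of the reuse problem Halderman and Heninger describe (this is not code from their post or from the article), here is a Python audit that parses `openssl dhparam`-style PEM files collected from a fleet of hosts, groups the hosts by the prime they serve, and flags any group below 2048 bits or any prime shared between hosts. The host names and sample parameters are constructed for the example; the sample values have the right bit lengths but are not real primes.

```python
import base64
from collections import defaultdict

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):
    body = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the INTEGER positive
    return b"\x02" + _der_len(len(body)) + body

def dhparams_pem(p, g=2):
    """Encode PKCS#3 DHParameter {p, g} in the PEM form `openssl dhparam` writes."""
    seq = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_dhparams_pem(pem):
    """Return (p, g) from a DH PARAMETERS PEM block."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p and g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def audit_fleet(pems, min_bits=2048):
    """Map host -> findings: groups below min_bits and primes shared across hosts."""
    by_prime = defaultdict(list)
    for host, pem in pems.items():
        p, _ = parse_dhparams_pem(pem)
        by_prime[p].append(host)
    findings = {}
    for p, hosts in by_prime.items():
        issues = []
        if p.bit_length() < min_bits:
            issues.append(f"{p.bit_length()}-bit group is below {min_bits} bits")
        if len(hosts) > 1:
            issues.append(f"prime shared by {len(hosts)} hosts: one precomputation covers all of them")
        for host in hosts:
            findings[host] = list(issues)
    return findings

def constructed_fleet():
    # Constructed stand-ins with realistic bit lengths; they are NOT primes and
    # NOT usable DH groups. Real parameters come from `openssl dhparam 2048`.
    shared_1024 = (1 << 1023) | 0x2D4B
    unique_2048 = (1 << 2047) | 0x9F1
    return {"web1.example": dhparams_pem(shared_1024),
            "web2.example": dhparams_pem(shared_1024),
            "vpn.example": dhparams_pem(unique_2048)}
```

In practice you would feed `audit_fleet` the `ssl_dhparam`-style files pulled from each server; the fix for a flagged host is a freshly generated group of at least 2048 bits.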
http://www.nytimes.com/2015/10/12/opinion/americas-aging-voting-machines.html The federal government should play a big role in making national elections run more smoothly. [Amen! PGN]
After a $2,500 software download, Model S drivers can let the car take over on the Interstate, the first car sold to consumers with such capabilities. http://www.nytimes.com/2015/10/16/automobiles/tesla-adds-high-speed-autonomous-driving-to-its-bag-of-tricks.html
Over 600 drivers have been banned from driving even though the UK Driver and Vehicle Licensing Agency (DVLA) has admitted that equipment used to test their eyesight between 2010 and 2015 was faulty. Around 80% of those who agreed to be reassessed have since had their driving licences restored. The tests in question are mandatory for some medical conditions, and involve tracking random flashing lights on a screen while focusing on a target straight ahead. A software fault in the equipment caused the lights to shine less brightly than they should. The DVLA denies responsibility because "this software issue originated at the point of manufacture and not as a result of any action or inaction by the DVLA". An exclusive contract with a chain of opticians, Specsavers, enables them to claim that "It is because we started doing all the official tests that we had access to enough data to realise there were anomalies". Using a strange definition of "rectified", Specsavers stated "The software issue has been rectified and Specsavers has taken the decision to replace the machine entirely". http://www.theguardian.com/money/2015/oct/17/motorists-banned-dvla-eyesight-test-faulty-equipment [Also noted by Clive Page at Leicester UK: Some of those affected want compensation, but it is hard to sue a government agency like the DVLA, and it refuses to say which brand of machine was at fault. PGN]
He was caught. Driver and another passenger were let go. http://abcnews.go.com/US/armed-robbery-suspect-uber-getaway-car-police/story?id=34388517
UltraDNS Server Problem Pulls Down Websites, Including Netflix, for 90 Minutes

The problem stemmed from a malfunction in a server on the East Coast that is part of the system of UltraDNS, a content delivery company. http://www.nytimes.com/2015/10/16/technology/ultradns-server-problem-pulls-down-websites-including-netflix-for-90-minutes.html
Youngsters who check their phones constantly and snap if you interrupt them may have a texting problem, a new study found.
Cash Drops and Keystrokes: The Dark Reality of Sports Betting and Daily Fantasy Games http://www.nytimes.com/interactive/2015/10/15/us/sports-betting-daily-fantasy-games-fanduel-draftkings.html http://nyti.ms/1VTOQfz
A new method of authenticating artwork uses manufactured DNA to give each piece a unique identifier. http://www.nytimes.com/2015/10/13/arts/design/developing-dna-as-a-standard-for-authenticating-art.html
http://www.nytimes.com/2015/10/12/technology/apple-is-said-to-deactivate-its-news-app-in-china.html The app displays an error message instead of news articles, possibly in an effort to avoid running afoul of Chinese censorship policies.
Australia's ABC via NNSquad http://www.abc.net.au/news/2015-10-13/majority-of-isps-not-ready-to-start-collecting-metadata/6847370 Craig runs a small ISP in regional Australia and his business will not be ready to collect metadata. He said he had begun the lengthy process to explain to the Government how the data will be retained, but it was taking too much time and was putting the business at risk. "We've now reached 400 pages of this document [the DRIP]. It's a very complicated process and it's eating into our profitability," he said. "The amount of time we're spending on it is so high that it has become an unviable thing to continue on. "We have to look after our clients, customers and keep working." He said he would be reducing the amount of services he offered clients because data retention regulations had made offering them non-profitable. "There are already parts of our business that we are going to have to just switch off the lights because of the data retention side of things," he said. Mr Stanton said it was possible smaller ISPs would close down rather than struggle on.
http://appleinsider.com/articles/15/10/15/adobe-identifies-major-flash-player-vulnerability-says-exploit-being-used-in-real-world-attacks http://9to5mac.com/2015/10/15/adobe-flash-critical-vulnerability/
With the US credit/debit card industry switching to chip technology, the US gov has updated a web site with THE RULES for people doing business with merchants, and merchants doing business with the gov. There are more rules here than I was previously aware of, and some of these rules are a changing. https://www.usa.gov/expand-business#item-211583
http://gizmodo.com/video-explainer-how-criminals-can-easily-hack-your-chi-1736669839 In this video explainer from Computerphile, Professor Ross Anderson from the Computer Laboratory at the University of Cambridge explains how criminals can compromise the Chip & PIN system. At first glance it seems much harder to overcome than the humble old magnetic strip but, as he explains, crooks are smart and have found plenty of ways to circumnavigate the difficulties.
[via Dave Farber] The FBI statement on microchips, before it disappears again.

October 13, 2015
Alert Number I-100815(REVISED)-PSA
Questions regarding this PSA should be directed to your local *FBI Field Office*. Local Field Office Locations: www.fbi.gov/contact-us/field

NEW MICROCHIP-ENABLED CREDIT CARDS MAY STILL BE VULNERABLE TO EXPLOITATION BY FRAUDSTERS

By October 2015, many U.S. banks will have replaced hundreds of millions of traditional credit and debit cards, which rely on data stored on magnetic strips, with new payment cards containing a microchip known as an EMV chip. While EMV cards offer enhanced security, the FBI is warning law enforcement, merchants, and the general public that no one technology eliminates fraud and cybercriminals will continue to look for opportunities to steal payment information.

TECHNICAL DETAILS

*What is an EMV credit card?*

The small gold chip found in many credit cards is most often referred to as an EMV chip. Cards containing this chip are known as EMV cards, as well as chip-and-signature, chip-and-pin, or smart cards. The name EMV refers to the three originators of chip-enabled cards: Europay, MasterCard, and Visa. EMV chips are now the global standard for credit card security. With traditional credit cards, the magnetic strip on the back of the card contains static personal information about the cardholder. This information is used to authenticate the card at the point of sale (PoS) terminal, before the purchase is authorized. When a consumer uses an EMV card at a chip PoS terminal, that transaction is protected using the technology in the microchip. Additionally, consumers will be able to continue to use the magnetic strip on the EMV card at retailers who have not yet implemented chip PoS terminals.

When the card is equipped with a personal identification number (PIN), which is known only to the cardholder and the issuing financial institution, issuers will be able to verify the user's identity. Currently, not all EMV cards are issued to consumers with the PIN capability and not all merchant PoS terminals can accept PIN entry. EMV transactions at chip PoS terminals provide more security of consumers' personal data than magnetic strip PoS transactions. In addition, EMV card transactions transmit data between the merchant and the issuing bank with a special code that is unique to each individual transaction. This provides the cardholder greater security and makes the EMV card less vulnerable to criminal activity while the data is transmitted from the chip-enabled PoS to the issuing bank.

THREAT

Although EMV cards provide greater security than traditional magnetic strip cards, an EMV chip does not stop lost and stolen cards from being used in stores, or for online or telephone purchases when the chip is not physically provided to the merchant, referred to as a card-not-present transaction. Additionally, the data on the magnetic strip of an EMV card can still be stolen if the merchant has not upgraded to an EMV terminal and it becomes infected with data-capturing malware. Consumers are urged to use the EMV feature of their new card wherever merchants accept it to limit the exposure of their sensitive payment data.

DEFENSE

Consumers should closely safeguard the security of their EMV cards and PINs. This includes being vigilant in handling, signing, and activating a card as soon as it arrives in the mail, reviewing statements for irregularities, and promptly reporting lost or stolen credit cards to the issuing bank. Consumers should also shield the keypad from bystanders when entering a PIN, as PINs are vulnerable to cybercriminals who work to steal these numbers to commit ATM and cash-back crimes.
The FBI encourages merchants to handle the EMV card and its data with the same security precautions they use for standard credit cards. Merchants handling sales over the telephone or via the Internet are encouraged to adopt additional security measures to ensure the authenticity of cards used for transactions. At a minimum, merchants should use secure servers and payment links for all Internet transactions with credit and debit cards, and information should be encrypted, if possible, to avert hackers from compromising card information provided by consumers. Credit card information taken over the telephone or through online means should be protected by the retailer to include encrypting digital information and securely disposing written credit card information. If you believe you have been a victim of credit card fraud, reach out to your local law enforcement or FBI field office, and file a complaint with the Internet Crime Complaint Center (IC3) at www.IC3.gov <http://www.ic3.gov/>.
[In case people are still interested in chip cards ...] Chip+pin isn't for you, it's for the bank. If you're evaluating the risk of something, you need a security model. From everything I've heard, the main risk that chip+whatever defends against is card skimming, copying enough information from the card to make a usable clone card. All chip cards defeat this, even the contactless ones you just tap, by replacing the card info on the magstripe with a transaction-specific packet of information computed by the chip. Chip+pin is resistant against fraud where the physical card has been stolen, but that turns out to be quite rare, perhaps 5% of all card fraud, so it's not a big deal. European banks love chip+pin because, as others have noted, they have persuaded the regulators that a transaction that their system claims was PIN validated (which turns out not to be the same as actually having entered the PIN) is presumed to be real and it's up to the customer to prove that it wasn't him, which he usually can't do. In the US, the fraud rules haven't changed; if you challenge a transaction it's still up to the bank to prove it was you, so there's no incentive to go to the significant cost of upgrading the banks' cruddy old systems to handle PINs.
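As an added illustration of the "special code that is unique to each individual transaction" in the FBI alert and the "transaction-specific packet" in the post above (this is constructed example code, not from either author), a Python model in which the chip computes a MAC over the amount, the terminal's random challenge and a transaction counter using a key that never leaves the card, so a skimmed copy can be neither replayed nor forged, while copied magstripe track data still passes. It is a toy: real EMV cryptograms use issuer-derived 3DES/AES session keys and ISO 9797 MACs; HMAC-SHA256, the field layout, the test PAN and the track data are assumptions.

```python
import hashlib
import hmac
import os

class ChipCard:
    """Card side: the key never leaves the chip; each use bumps a counter."""
    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0  # application transaction counter

    def generate_cryptogram(self, amount_cents, unpredictable_number):
        # The MAC binds amount, the terminal's random challenge and the
        # counter, so a captured copy is useless for any other transaction.
        self.atc += 1
        msg = f"{self.pan}|{amount_cents}|{unpredictable_number.hex()}|{self.atc}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount_cents,
                "un": unpredictable_number, "atc": self.atc, "mac": mac}

class Issuer:
    """Issuer host: knows each card's key and the last counter it accepted."""
    def __init__(self):
        self._cards = {}

    def issue_chip_card(self, pan):
        key = os.urandom(16)
        self._cards[pan] = {"key": key, "last_atc": 0}
        return ChipCard(pan, key)

    def authorize_chip(self, txn, terminal_un):
        rec = self._cards.get(txn["pan"])
        if rec is None:
            return "DECLINED: unknown card"
        if txn["un"] != terminal_un:
            return "DECLINED: cryptogram not bound to this terminal's challenge"
        if txn["atc"] <= rec["last_atc"]:
            return "DECLINED: transaction counter replayed"
        msg = f"{txn['pan']}|{txn['amount']}|{txn['un'].hex()}|{txn['atc']}".encode()
        expected = hmac.new(rec["key"], msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, txn["mac"]):
            return "DECLINED: cryptogram does not verify"
        rec["last_atc"] = txn["atc"]
        return "APPROVED"

    def authorize_magstripe(self, track_data):
        # Static track data carries nothing transaction-specific, so a
        # skimmed copy is indistinguishable from the real card.
        pan = track_data.split("=")[0]
        return "APPROVED" if pan in self._cards else "DECLINED: unknown card"

def run_scenarios():
    issuer = Issuer()
    card = issuer.issue_chip_card("4111111111111111")  # constructed test PAN
    results = {}
    un1 = os.urandom(4)  # terminal's per-transaction random challenge
    txn1 = card.generate_cryptogram(2599, un1)
    results["genuine_chip"] = issuer.authorize_chip(txn1, un1)
    # A skimmer captured txn1 and replays it at a terminal issuing a fresh challenge.
    results["replayed_capture"] = issuer.authorize_chip(txn1, os.urandom(4))
    # A clone without the key fabricates a cryptogram for the new challenge.
    un2 = os.urandom(4)
    forged = dict(txn1, un=un2, atc=txn1["atc"] + 1, mac=os.urandom(8))
    results["forged_clone"] = issuer.authorize_chip(forged, un2)
    # The magstripe copy of the same card (constructed track data) is still accepted.
    results["cloned_magstripe"] = issuer.authorize_magstripe("4111111111111111=2512101")
    return results
```

Running `run_scenarios()` shows the genuine chip transaction approved, the replay and the keyless forgery declined, and the magstripe clone approved, which is exactly the residual exposure the FBI alert warns about at non-upgraded terminals.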
http://lauren.vortex.com/archive/001132.html Recently in "Research Request: Seeking Facebook or Other 'Real Name' Identity Policy Abuse Stories" http://lauren.vortex.com/archive/001131.html I requested that readers send me examples of social media abuses that have targeted themselves or persons they know, with an emphasis on "identity" issues such as those triggered by Facebook's "real name" policies. These are continuing to pour in—and please keep sending them—but I wanted to provide a quick interim report. Executive summary: Awful. Sickening. I knew some of these would be bad, but many are far worse than I had anticipated anyone being willing to send me. It seems very likely—though obviously I couldn't swear to this under oath—that these abuses have resulted in both suicides and homicides. And if we as an industry don't get a handle on these issues, we ultimately risk draconian government crackdowns that will simply enable more government censorship and create even more problems. Here are some of the more obvious observations I can derive from the messages I'm being sent (not in any particular order for now): There is no longer any realistic dividing line between the online and offline worlds. Abuse taking place online can quickly spill offline, affecting targeted persons' physical lives directly and devastatingly. Most forms of social media abuse are interconnected. That is, we cannot realistically demarcate between "identity policy" abuses (e.g., Facebook's "real name" requirements), and other forms of social media abuse (such as comment trolling, Gamergate, and far more). Women are disproportionately targeted by social media abuse (as a male I find this fact to be personally offensive), but yes, many men are also attacked as well. 
A lack of realistically useful and advanced moderation and abuse report/flagging tools, and/or insufficient surfacing of these tools to users, combined with "lackadaisical" (that's the most polite term I can use) attention to these reports in many cases, exacerbates existing problems. Social media systems with strict "real name" requirements are especially problematic and can be extremely dangerous. This particularly relates to the 800-pound gorilla of Facebook in this context (Google+ wisely dropped its real name requirements quite a ways back). Facebook's identity "real name" policies have been effectively "weaponized" by abusers. Many FB users who are already targeted and marginalized in their offline lives (domestic violence victims, LGBT, racial and religious minorities, and so many more) still need to use FB to stay in contact, but (in an attempt to protect themselves) are using "real appearing" pseudonyms instead of their real names. If one of their protagonists discovers their FB identity, it is not uncommon for the abuser to report the victim to FB (for example, as a twisted form of "revenge") in an attempt to expose them online and offline, and to destroy their ability to be safely online. Social media firm reactions to flagging and abuse complaints -- particularly in the case of Facebook—can be erratic and seemingly arbitrary. Complaints that in one instance might target an innocent person might cause an account suspension, but one targeting a guilty person may be ignored. Innocent parties may be required by FB to jump through a series of humiliating and embarrassing hoops to try to regain access, including persons whose protective pseudonyms have been exposed and persons whose actual, real names have been falsely flagged as fakes. In some cases, Facebook actually suggests to affected users that they go to court and change their name legally to match FB's rules!
Governments in general (which tend to see censorship as a solution rather than the problem it actually is) and law enforcement in particular, usually make these matters worse, not better. The police tend to be clueless at best, and often explicitly "stop wasting our time" antagonistic. Victims of bullying and online threats to their offline lives who go to the police are usually informed that there's nothing to be done to help them, or victims are told to just "stop using the Internet" as a proposed (inane) solution. We could go on with this list, but I'm sure you get the idea. I'm forced to add that not all of the reaction to my research request on these topics has been positive. I've received some responses that attempt to minimize the entire controversy. They've told me I'm wasting my time. They've suggested that in a relative sense "so few" people are actually victimized by these problems (compared with the billions using these systems) that it would be ridiculous for the companies involved to make significant changes just to cater to a small group of actual victims and a much larger group of supposed malcontents. I can't emphasize how forcefully I categorically reject that entire line of reasoning. The inherent suggestions that because "relatively" few persons might be affected (and that still means vast numbers of warm bodies at these scales) could somehow excuse the abysmal status quo—are entirely and completely unacceptable, untenable, and unethical. It's true that we can't put precise numbers on the victims. After all, most of these vulnerable persons are already trying to protect themselves from exposure, being forced into essentially a "shadow" universe of social media identities. And we'd expect that most would also be understandably unwilling to discuss their situations with a stranger such as myself. But many have been so willing, and I thank them for their trust.
And I believe we can safely extrapolate to the reality that there are one hell of a lot of people being victimized by these issues. And in fact, the numbers shouldn't really matter at all. How many deaths or lives otherwise ruined attributable at least significantly to social media abuses are tolerable? I would assert that the answer in an ethical sense at least is zero. Does this mean we can quickly solve all these problems? Is there a magic wand? Of course not. But that doesn't mean we shouldn't try. And remember, once politicians get their claws into these controversies, you can bet that the kinds of "solutions" they push will aim to further their agendas more than anything else. These are problems we must ourselves work toward eliminating. Obviously, education outreach must be a major part of this effort, especially to law enforcement and other government agencies. But we also need to have a much better handle on these situations as an industry, because the problems are ultimately not isolated to single firms. There need to be individuals and teams within the involved firms who not only are working internally on these issues, but who also participate broadly in related public communications efforts. These companies need to work together toward understanding the impacts of their ecosystems in these contexts—a formal or informal industry consortium to specifically further such interactions would seem a useful concept for consideration. Most of all, it's crucial that we as individuals—not just those of us who have built and used the Internet for many years, but also users who have so far only barely gotten their feet wet on the Web—recognize that it is intolerable for the Net to be turned into a tool for the destruction of lives, and that it's up to us to pave the path toward changes that will truly help the Net to flourish for the good of our societies, rather than allowing the Net (and ourselves) to be shackled by politically shortsighted restrictions. 
Take care, all.
The other way to read this is that it's illegal to use any digital device that may potentially run a telephony app even if the car is stopped. Laws that presume physical objects have one purpose are problematic in a world (re)defined by software. In a sense it's like the days when cities wanted to ban bolt cutters because they could, potentially, be used to steal bicycles. Or banning video recorders because one use could be to violate copyright.
Apple has dumped the ad blocker that blocked in-app ads from the App Store

Apple has removed an ad blocking app from its App Store that blocks ads in other apps, as well as a number of other non-ad blocking apps that employ similar "deep packet inspection" techniques, citing privacy concerns. Apple's iOS 9 operating system saw the company approve ad blocking apps for the first time. Most just block ads on the Safari web browser, but some developers took the idea further by creating apps that installed root certificates in order to block app-based ads. Apple's problem is that by doing so, these kinds of apps (ad blockers, and some others) had sight of everything a user was doing online, from browsing to making purchases. The Safari team, however, had created a secure way to block content, which doesn't allow for the ad blockers to track user behavior. Popular ad blocking apps that block ads on Safari, including Crystal and Purify, are not affected by Apple's latest move. It only affects apps that installed root certificates on users' phones, which included some ad blockers and other apps. On the face of it, it had seemed bizarre that Apple had approved such ad blockers in the first place, even aside from the clear privacy concerns. http://www.businessinsider.com/apple-removes-been-choice-and-other-ad-blockers-from-its-app-store-2015-10