Robert Hackett, November 5, 2015, Fortune http://fortune.com/2015/11/05/fireeye-stock-plunge-china-obama/ (As the article notes, the reasons the FireEye CEO is giving for their plunging stock don't explain why the stocks of their competitors have risen.)
There's a battle between: * Advocates of quality privacy in a world of untrustworthy government officials, and an epidemic of fraud. * Law Enforcement leaders blaming encryption for their inability to solve crimes and serve the public. This contributes to great harm for many people, illustrated in this article: http://www.kshb.com/news/national/encrypted-evidence-is-increasingly-hampering-criminal-investigations-police-say?google_editors_picks=true I believe this is part of a larger challenge. What can and should be done about a person's electronic life, after they die, go missing, get kidnapped, are temporarily disabled with mental health problems? I believe in an optional "side door" into our electronic lives. We could create an Excel, on a CD, into a safety deposit box, or custody of our lawyer, or other safe place. The Excel would contain a chart of our Internet and other accounts, with passwords for each. This could be accessed by a search warrant, or a person we have informed the bank has our authority to access it, when we become a crime victim, or are disabled. After we die, our descendant beneficiaries then have the tools to preserve Internet history of loved ones who had accounts on social media, change our last position on Linked In, to Deceased. This is a system which is not accessible by border guards when we travel abroad; stalkers; ex's; broad range of Internet fraudsters who could access law enforcements' proposed "back door"; or phishers, unless they phool the bank, with social engineering. When there was a change of management in my former day job, I'd visit the new manager, with a document, telling him or her that If I am gone at any point in the future, here is a road map of security check points for our computer servers, with the passwords needed at each access point that I have, in my role as Master Security Officer. Could you please put this in a safe place, available for the next person who gets my job? From time to time we change the most critical passwords. Here is a list of the people whom we currently notify of the replacements. When you are more oriented with your role with us, perhaps you would like a briefing on weak points, we are aware of, in our overall security. Many people are using OS versions, and other resources, no longer supported by the original vendor. I believe that when a vendor decides it will no longer support some old version, that the ability to access it should go into some wayback repository, which can be accessed by people armed with both money and a search warrant, when there are crime victims whose electronic life was on such old stuff. This is related to backups. When our PC has a melt down, we want a replacement version of software we were using, and the means to transfer the data from our backup into it. As for the allegation that encryption slows down access to the content, if you have legal access, and a math chip to handle the decrypting, there is no slow down. Institutions which give guidance on wills, estate planning etc. might also advise clients on how they can make their electronic lives accessible by trusted loved ones, in the event of an unexpected emergency. These ideas won't solve all the problems, but are a start at thinking outside the boxes.
One of the reasons why law enforcement leaders are so adamant about destroying citizenry privacy, is that among the mass of Internet users are criminals and terrorists, sharing in that privacy. I believe that Internet regulators and law enforcement have fallen down on their job of protecting and serving the Internet public. If they did their job properly, then a great deal of the threat of Internet criminals and secret terrorist communications would go away. Check out the work of KNUJON (no junk backwards), http://www.knujon.com/ After I joined KNUJON, the volume of my unwanted e-mail dropped astronomically. For every 1 spam I get today, I used to get 10,000 before joining Knujon. I tried to sell my former day job on using KNUJON protection. All co-workers told me "Everyone gets spam, Al. Get over it." They would not believe, nor try it out. When I left that day job, they were having to upgrade server which manages e-mail, because the volume of spam was overwhelming them. The company could run perfectly fine on servers with 1/10 the capacity, but for the spam problem. Something like 90% of e-mail is some scam via spam, from an anonymous source. These anonymous crooks are enabled by crooked Internet registrars, identified by Knujon. http://www.pcworld.com/article/159058/spam_sources.html http://krebsonsecurity.com/tag/knujon/ If the powers that be decided to end these crooked practices, we all would suffer a lot less from malware, spam, fraud, etc. and law enforcement's job would be so much easier. There is a legitimate need for some anonymity for crime victims to have a life unbothered by people they have an order of protection against. There are systems in place to protect these people in the physical world, which need to be extended into the virtual world. That's another case of the judicial system failing to protect and serve Netizens. Blame for crooks on the Internet also rests with most Internet users. When we get a spam e-mail, and just delete it, we are enabling the spammer to stay in business, but if we first forward that spam to KNUJON, they will work on putting the spammers into the slammer.
*WiReD* via NNSquad http://www.wired.com/2015/11/trade-pact-could-bar-governments-from-auditing-source-code/ But if the international trade deal called the Trans-Pacific Partnership is adopted, the US and other member countries would be prohibited from requiring that companies from other member states hand over the source code of their products. Volkswagen's home country Germany is not one of the TPP's potential member states, so this restriction wouldn't apply to that company, but it could potentially limit US regulators' access to Japanese and South Korean cars, among other products. It could also put the kibosh on an idea proposed by Internet pioneer Vint Cerf and a group of other experts to require manufacturers to release the code that runs WiFi routers. "WHAT COULD GO WRONG?"
The government of New Zealand has released full text of the controversial Trans-Pacific Partnership Trade deal. This will fuel revived protests and meaningful debate by ordinary people who are not politicians. US Presidential candidate debaters will have to face more detailed questions about TPP than in the past. Text of the Trans-Pacific Partnership http://www.mfat.govt.nz/Treaties-and-International-Law/01-Treaties-for-which-NZ-is-Depositary/0-Trans-Pacific-Partnership-Text.php TPP Full Text TPP Final Table of Contents https://ustr.gov/trade-agreements/free-trade-agreements/trans-pacific-partnership/tpp-full-text Articles about what's there that many people do not like. http://www.theguardian.com/business/2015/nov/05/tpp-trade-deal-new-zealand-releases-text-online http://www.stuff.co.nz/national/politics/73745864/Trans-Pacific-Partnership-trade-agreement-text-released http://www.commondreams.org/news/2015/11/05/full-text-tpp-released-public-and-its-horrible
Concern about Linux security hits WaPo. Net Of Insecurity: The kernel of the argument Craig Timberg, Nov 5, 2015, Washington Post http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/
There are many dimensions to spy scandals. Who spies on whom, for what reasons, and do they have their government legal authority to do so? Do they store the captured info where it can be re-stolen by other hackers? To save money, some passage of spy info is automated, then data requests are sent through the network which go beyond agreed-to scope and topics. Investigations into alleged spying, then get passed along to the news media by Wikileaks. Other nations, revealed as having been spied upon, launch their own investigations. We hear these stories & wonder what else is going on, which has not yet been leaked, and if any of this spying explains other stuff in our news. USA NSA spies on everyone they can. So does Germany BND, and we suspect many more nations have similar practices. What has been leaked about BND is much less than what has been leaked about NSA, but this is not proof that BND spying is less than NSA's, under the cockroach theory that if we find out about some, there may be much more. Allegedly some of the spying by the German BND agency was without authority from higher authorities. Of course if the "back door" enthusiasts in US law enforcement get their way, then millions of criminals world wide will be spying on everyone who uses technology of US manufacturers. http://www.ibtimes.com/germany-surveillance-scandal-2015-bnd-intelligence-agency-spied-allies-ngos-vatican-2174347 http://www.msn.com/en-us/news/world/report-germany-spied-on-us-embassies-vatican/ar-CC52hA?ocid=iehp http://www.spiegel.de/international/topic/nsa_spying_scandal/ http://www.spiegel.de/international/germany/german-bnd-intelligence-spied-on-friends-and-vatican-a-1061588.html https://euobserver.com/political/130691 http://www.thelocal.es/20151107/german-intelligence-spied-on-several-allies http://cyberlaw.stanford.edu/publications/new-german-spying-scandal-big-deal https://www.rt.com/news/321183-germany-spying-surveillance-bnd/ German BND has apparently both: been conducting spying of other nations, on behalf of the NSA; and also spying on the USA, we not yet know if just on German behalf, or for some other nation. Meanwhile it has come out that NSA had a similar arrangement with Britain's GCHQ to spy on the Germans. http://sputniknews.com/europe/20151026/1029116938/germany-spy-row-merkel-bnd-nsa.html The German American double agent was apparently loyal to neither, when he was caught offering to sell his booty to the Russians, by using e-mail being spied upon, which we might not have known about but for Snowden. Then yet another German government employee was caught spying for the Americans. http://20committee.com/2014/07/09/the-u-s-germany-spy-scandal-just-got-a-lot-worse/ When government agencies have the authority to order companies to cooperate, and keep silent about it, then any number of pieces of commercial hardware, and innocent business operations, can be engaged in surveillance. Iran believes it, when they arrest tourists and journalists. Microsoft Windows has been dramatically increasing surveillance of its customers. Is this at the request of NSA? Many hobbyist drones, in America, are made in China. Do they secretly report back to their maker any info they pick up? If commercial airliners have been subverted to engage in spying on territories they fly over, then that increases the risk of them being hit by bombs and other weapons by various combatants in conflict zones. Remember Japan Airlines 007? Airbus in the news at present, so far, is the crash in Egypt, and leak that German BND allegedly spied on Airbus, on behalf of US NSA. http://www.bbc.com/news/world-europe-32542140 Why is the USA spying on Airbus? Is it to help Boeing? http://www.airliners.net/aviation-forums/general_aviation/read.main/266565/ We have a US Presidential contender who lost her job at HP because she allegedly spied on top executives to try to figure out who was leaking confidential corporate secrets. Now here is Airbus complaining about being spied upon, when not so long ago it in turn was spying on its own employees. http://news.bbc.co.uk/2/hi/business/7978713.stm
RISKS readers will recall the UK Connected for Health IT programme that, as the Minister (Hunt) s quoted as saying, cost billions and "came to virtually nothing in our biggest ever IT disaster". Hunt has asked a US Professor to conduct a review to guide the way forward for NHS IT. The review will be done by Robert Wachter, who Hunt calls an “expert on the promise and pitfalls of new IT systems.'' Computer Weekly says that Wachter is the interim chairman of the Department of Medicine at the University of California, San Francisco, and the author of *The Digital Doctor*, which looks critically at the rise of healthcare IT systems in the US. Does any reader know whether he is well qualified to conduct this review? http://www.computerweekly.com/news/4500256573/Hunt-announces-NHS-technology-review
[Courtesy of Dr. Deborah Peel" <email@example.com>] http://fivethirtyeight.com/features/its-2015-why-havent-our-medical-records-entered-the-digital-age/
*Engineer* is an aspirational title in software development. Traditional engineers are regulated, certified, and subject to apprenticeship and continuing education. Engineering claims an explicit responsibility to public safety and reliability, even if it doesn't always deliver. The title *engineer* is cheapened by the tech industry. Ian Bogost, *The Atlantic* Doing so undermines a long tradition of designing and building infrastructure in the public interest. http://www.theatlantic.com/technology/archive/2015/11/programmers-should-not-call-themselves-engineers/414271/ HB: "Software Engineering" is—and always has been—an oxymoron. The reason: software is where you put all the stuff that the real (hardware) engineers couldn't deal with. The dark secret of computers is the unholy mess of legacy hardware decisions that have to be duck-taped over with software. This is not a good foundation for "engineering" a program or system. The world should cheer the fact that 1980's-style "software engineering" never caught on. It would have smothered computer science in the crib -- just when a large number of innovative ideas were being developed. Even more importantly, the critically important *encryption technology* -- on which much of the security of the current Internet relies—isn't a science today at all, but an *art*—a collection of ad hoc techniques that sometimes more-or-less works. To a first approximation, a computer system is secure today if and only if a handful of really, really smart people can't figure out a way to break it. That's it! There are almost no theorems in encryption today that don't depend upon very squirrelly assumptions. You simply can't "engineer" an artifact in the absence of a physical, a chemical, and a mathematical basis on which ground your calculations. Also, before waxing too poetically about registered & regulated engineers, I would draw attention to the almost-disaster of the Citigroup Center and the ongoing San Francisco Bay Bridge fiasco. https://en.wikipedia.org/wiki/Citigroup_Center http://www.sacbee.com/news/investigations/bay-bridge/article2577571.html [Long item truncated for RISKS. PGN]
http://www.nytimes.com/2015/11/08/realestate/when-neighbors-tangle-online.html Publicly accessible websites critical of board members and how buildings are managed are leading to defamation lawsuits.
Efforts to discover who was responsible for misconduct at the German carmaker have been hampered by a culture of silence and a fear of delivering bad news to superiors. http://www.nytimes.com/2015/11/09/business/international/volkswagen-says-whistle-blowers-pushed-it-to-admit-gas-car-cheating.html
"Each weblink would become a legal landmine and would allow press publishers to hold every single actor on the Internet liable." Here's a soon-to-be-illegal link to the leaked .docx file: https://doc-0k-70-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/m3ce9rvo3adi9nf3bghj67gs48ubbfga/1446991200000/12661172298641601008/*/0B6d07lh0nNGNaXFzUFBPaE0tY0E?e=download https://juliareda.eu/2015/11/ancillary-copyright-2-0-the-european-commission-is-preparing-a-frontal-attack-on-the-hyperlink/ Ancillary Copyright 2.0: The European Commission is preparing a frontal attack on the hyperlink [...]
There's an old joke about a man whose spouse's credit card had been stolen by identity thieves, but he didn't report it because the identity thieves racked up smaller monthly charges than his spouse did. (rimshot!) Perhaps OPM should utilize CryptoWall for encrypting government employee data, because: * CryptoWall charges less than EMC; and * CryptoWall implements better encryption than EMC. Dan Goodin, Ars Technica, 5 Nov 2015 Booming crypto ransomware industry employs new tricks to befuddle victims. High-pressure tactics try to extort more people into paying to recover their data. http://arstechnica.com/security/2015/11/booming-crypto-ransomware-industry-employs-new-tricks-to-befuddle-victims/ Ransomware that uses strong cryptography to hold entire hard drives' worth of data hostage keeps getting nastier, as criminals attempt to find new ways to extort more people into paying increasingly hefty ransoms to recover their files. A case in point is Chimera, a relative newcomer to the crypto ransom racket that targets primarily businesses. In an attempt to turn up the pressure on infected victims, the malware threatens to publish their pictures and other personal data somewhere on the Internet unless a ransom of $638 in bitcoins is paid. There's no evidence yet that the new cryptoware title has made good on the threat to post victims' private data online, but it's a likely bet the prospect is enough to convince some undecided victims to go ahead and pay the fee. The threat, according to a blog post published Tuesday, comes only after the cryptoware has encrypted data stored not only on local hard drives but also those on network drives. To add drama to the attack, all file extensions are changed to .crypt. Chimera is also programmed to target specific employees within an infected company, presumably to make sure the ransom demand doesn't get missed. A second example of cryptoware turning up the pressure on victims is the latest version of CryptoWall, one of the early entrants in the industry. The recently released CryptoWall 4.0 now replaces names of encrypted files with pseudo-randomly generated letters and numbers, presumably to further befuddle victims who are suddenly unable to access their data. The new version appears to continue encrypting data with 2,048-bit RSA keys, which when implemented correctly are practically impossible to break. That's not the only attention-grabbing ploy. The notification the malware sends to deliver the news that victims' data has been encrypted congratulates them on becoming a part of the "large community CryptoWall." Besides the snarky tone, the notice is also notable for its almost pristine grammar and spelling and its clarity in explaining how strong crypto works. "Encryption is a reversible transformation of information in order to conceal it from unauthorized persons but providing at the same time access to it for authorized users," the notice reads, according to this blog post published by antivirus provider Bitdefender. "To become an authorized user and make the process truly reversible i.e. to be able to decrypt your files you need to have a special private key. In addition to the private key you need the decryption software with which you can decrypt your files and return everything in its place." The notice goes on to warn users not to attempt to break the encryption lest the files be lost forever. CryptoWall 4.0 also employs advanced mechanisms to avoid detection by antivirus and Firewall programs, according to researchers at Heimdal Security. The refinements show that cryptoware purveyors operate much like other online businesses, which are constantly updating their products and services in an attempt to bring in new business. That dedication only makes sense, given FBI estimates earlier this year that CryptoWall alone generated losses of more than $18 million. A separate report estimated US damages of $325 million from CryptoWall 3.0. That translates into huge profits, especially when considering the revenue is tax-free. Now that crypto ransomware is a threat that won't be going away any time soon, there's been a fair amount of debate about whether victims should pay the ransom as demanded. Recently, an FBI agent reportedly told businesses it may be easier for them to pony up. The comments generated howls of protest among security professionals, who warned there's no guarantee the fees will ensure the encrypted data is restored. The critics are right that there can be no certainty that the ransomware operators will make good on their promise. And there's always the possibility a programming error or law enforcement takedown will allow keys to be recovered without paying the fee, as was the case last year with the CryptoLocker brand. Then again, there are plenty of reports of victims with no other recourse who paid the ransom and recovered their files. Ultimately, the decision should be made on a case-by-case basis. No doubt, paying the increasingly large fees is a risk, and it only rewards truly pernicious and illegal behavior. Then again, for people who have lost data valued in the thousands or hundreds of thousands of dollars, paying a $700 ransom may be worth the risk and cost, although the move shouldn't be taken lightly.
Related to the "voice everywhere" phenomenon... Injecting voice commands into microphone cables: http://phys.org/news/2015-10-explore-stealthy-voice.html Facebook listens to your background, "to identify things you're listening to": https://m.facebook.com/help/iphone-app/369513256545845?refidi It gets more interesting when speech recognition is both ubiquitous and searchable: http://nautil.us/issue/28/2050/what-searchable-speech-will-do-to-you http://www.brodie-tyrrell.org/
I was very interested in Lauren's pointer to the Huffington post piece on Wikipedia: http://www.huffingtonpost.com/ryan-castle/wikipedia-deepak-chopra-o_b_8449394.html I use Wikipedia a lot, and find it helpful. However, I almost never use Wikipedia when I am looking for information about recent events, and certainly never in isolation. The article also points out why I don't use Wikipedia for *any* information on technical or security topics, and, particularly, why I don't contribute to Wikipedia on these topics: "These editors are no more empowered than any other volunteer editor, but their ideological zeal and willingness to viciously attack any opposing editor has driven off most impartial editors. After all, Wikipedia is 100% volunteer, so why would someone voluntarily spend their time being called a moron and facing endless opposition to every neutral edit?" I'm a specialist, and an expert. The Wikipedia article on computer viruses is obviously being written and maintained by people who aren't. https://en.wikipedia.org/wiki/Computer_virus The material is definitely incomplete, often to the point of being misleading. It's full of internal contradictions, since the editors don't know enough about the technology to understand the implications of what is there. (Even though one of my books is cited: https://en.wikipedia.org/wiki/Computer_virus#cite_note-11 ) https://en.wikipedia.org/wiki/Malware The malware entry is not quite as bad, although I'd never recommend it as a reference. I was amused to find an entry for "riskware," a term I've never heard used in all the reference material I've reviewed: https://en.wikipedia.org/wiki/Riskware I've complained about this before, and been asked why I didn't do something about it. Well, this is why. If I made any edits, and took the time to find references and citations, they'd probably just be reverted anyway by well-meaning but non-expert editors. They don't know the field or the topic, so there is no reason they'd even recognize who I was. https://en.wikipedia.org/wiki/Robert_Slade
Please report problems with the web pages to the maintainer