Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Softpedia via NNSquad http://news.softpedia.com/news/microsoft-helps-out-healthcare-sector-with-new-data-encryption-algorithm-496249.shtml Homomorphic encryption is a method of encryption that encodes data in such a way that it allows developers to work with the encrypted data in the same way they would if it was in unencrypted form. Operations ran on homomorphic encrypted data yield the same results as when ran on the data's cleartext version. Microsoft's new algorithm, named SEAL (Simple Encrypted Arithmetic Library) is modeled after homomorphic encryption principles, and allows developers to carry out addition and multiplication operations on the encrypted data. For now, the Redmond company says that SEAL can only handle genomic data used in bioinformatics.
David E Sanger and Nicole Perlroth, *The New York Times*, 17 Nov 2015 http://www.nytimes.com/2015/11/17/world/europe/encrypted-messaging-apps-face-new-scrutiny-over-possible-role-in-paris-attacks.html?smid=tw-share&_r=0 American and French officials say there is still no definitive evidence to back up their presumption that the terrorists who massacred 129 people in Paris used new, difficult-to-crack encryption technologies to organize the plot. But in interviews, Obama administration officials say the Islamic State has used a range of encryption technologies over the past year and a half, many of which defy cracking by the National Security Agency. Other encryption technologies, the officials hint, are less secure than terrorist and criminal groups may believe, and clearly they want to keep those adversaries guessing which ones the N.S.A. has pierced. Some of the most powerful technologies are free, easily available encryption apps with names like Signal, Wickr and Telegram, which encode mobile messages from cellphones. Islamic State militants used Telegram two weeks ago to claim responsibility for the crash of the Russian jet in the Sinai Peninsula that killed 224 people, and used it again last week, in Arabic, English and French, to broadcast responsibility for the Paris carnage. It is not yet clear whether they also used Telegram’s secret-messaging service to encrypt their private conversations. [...] Security experts counter that such arguments ignore the fact that even end-to-end encrypted technology leaves a trail of metadata behind that can be used to parse who is talking to whom, when and where. “Encryption is really good at making it difficult to hide the content of communications, but not good at hiding the presence of communications,'' said Matt Blaze, a computer security expert at the University of Pennsylvania. Mr. Blaze also noted that the authorities can still read communications if they hack into the target's device, or what security experts call the end point. “All the encryption in the world doesn’t help if the end point that holds the keys are compromised. So this idea that encryption make terrorists' communications go completely dark has a pretty big asterisk next to it.'' [...]
http://macdailynews.com/2015/11/14/edward-snowden-and-spread-of-encryption-blamed-after-paris-terror-attacks/ "As Paris reels from terror attacks that claimed at least 128 lives, fierce blame for the attack is being directed toward American whistleblower Edward Snowden and the spread of strong encryption catalyzed by his actions," Patrick Howell O'Neill reports for The Daily Dot ... O'Neill reports, "Fox News hosts Greg Gutfeld and Dana Perino, George W. Bush's former press secretary, took to Twitter to directly blame and even curse at Snowden." I've already seen various officials giving interviews claiming that if they had backdoors into crypto this might have been stopped. Of course, at this point, there's no indication that encrypted comms were even involved. But officials have been waiting for this excuse. As you may recall, I've been predicting that at the first significant terrorist attack, officials would get back to demanding control over crypto—and the inclusion of crypto backdoors—the loss of security and privacy for all of us be damned.
It's really, really hard to be more cynical than spook apologists in exploiting a tragedy for political purposes. 'Edward Snowden and spread of encryption blamed after Paris terror attacks' http://www.dailydot.com/politics/paris-attack-encryption-snowden/ 'The terrorists have read Snowden' The Obama Administration encryption critics decided in October to merely bide their time, waiting for a propitious Paris moment: https://www.lawfareblog.com/administration-decision-encryption-policy 'Despite the Administration's apparently final decisions on the encryption argument, I'm willing to bet anyone a cup of coffee that we have not seen the end of this discussion between now and January 21, 2017. From the article below: "the [new French] law allows government agents to break into the homes of suspected terrorists for the purpose of planting microphone bugs, surveillance cameras, and to install keyloggers on their computers" Well, we see now how much those *bugs, cameras and keyloggers* helped. Uh oh, this just in: 'Is ISIS Using PlayStation 4 To Communicate?' http://www.ibtimes.com/isis-using-playstation-4-communicate-islamic-state-could-use-ps4-spell-out-attack-2185042 Is there enough room in Guantanamo for all the Playstation 4 owners/users? [Does anyone else see any irony in this use of the 'Sony' Playstation?] Arik Hesseldahl, Recode.Net, 14 Nov 2015 France Has A Powerful and Controversial New Surveillance Law https://recode.net/2015/11/14/france-has-a-powerful-and-controversial-new-surveillance-law/ As it plans its response to a series of six terrorist attacks Friday night that killed 129 and injured 352, the government of France will likely step up its efforts to keep tabs on the movements and communications of people within its borders. As it happens, the attacks have occurred only a few months after legislators in that country passed a sweeping new surveillance law that gives the government broad powers to closely monitor the mobile phone and Internet communications of French citizens. Passed by the French Parliament in May in response to the attacks on the Paris-based magazine Charlie Hebdo, the law allows government to monitor phone calls and emails of people suspected of connections to terrorism without the authorization of a judge. http://www.theverge.com/2015/5/5/8553271/french-parliament-terrorism-surveillance-bill-charlie-hebdo But it goes further than that. The law requires Internet service providers to install black boxes that are designed to vacuum up and analyze metadata on the Web-browsing and general Internet use habits of millions of people using the Web, and to make the data available to intelligence agencies. In exceptional cases, the law allows the government to deploy what are called ISMI catchers to track all mobile phone communications in a given area. These catchers are basically designed to impersonate cell towers, but they intercept and record communications data from phones within its range, and can also track the movements of people carrying the phones. Finally, the law allows government agents to break into the homes of suspected terrorists for the purpose of planting microphone bugs, surveillance cameras, and to install keyloggers on their computers, devices that capture data on every keystroke and mouse click. Critics of the law complain that there's not much oversight and that the conditions under which the laws powers can be triggered are vague. As The Verge noted in July, the government can authorize the surveillance for major foreign policy interests" or to counter "organized delinquency." https://www.hrw.org/news/2015/07/28/dispatches-france-state-snooping-now-legal http://www.theverge.com/2015/7/24/9030851/france-surveillance-law-charlie-hebdo-constitutional-court Surveillance operations are overseen by a nine-person committee led by Prime Minister Manuel Valls. But that committee has only an advisory role, and cannot overrule decisions by the prime minister. Arik Hesseldahl: @ahess247
"[A criminal's] most dangerous weapon is the flush toilet ... a perfect evidence-disposal system installed in every home in America" Russell Brandom, The Verge, 16 Nov 2015 The problem with cracking down on PlayStations to stop terrorists If you're scared of gaming consoles, you're scared of privacy https://www.theverge.com/2015/11/16/9746216/playstation-terrorism-surveillance-privacy-concerns There's a joke in the legal world that criminals' most dangerous weapon is the flush toilet. Imagine, a perfect evidence-disposal system installed in every home in America, available whenever you hear the detectives knock on your door. Tens thousands of potential arrests have been flushed down toilets over the years. So why do we keep toilets around? Well, they're useful for other things. Today, instead of the flush toilet, we learned about the PlayStation 4. In a now-retracted story, Forbes made the case that PlayStation's private chat and VoIP features may have been used in plotting the attacks, kicking off a wave of concerns over gaming networks and their potential use in plotting terrorist acts. But while Forbes has since backed off the claim that a PS4 was found in an attacker's apartment, the air of suspicion hasn't fully lifted. There really have been cases of ISIS sympathizers using the PlayStation network to communicate or recruit, and it's the kind of offbeat channel an intelligence officer might miss. PlayStation's network is open to anyone with the right console, and there's lots of noise to distract anyone who might look there. As the UK's Investigatory Powers Bill heads to parliament, the political will to clamp down on those networks is stronger than it's ever been. So why shouldn't we? The first thing to say is that the PlayStation network isn't particularly secure. It's not end-to-end encrypted, and Sony is open about the company's right to surveil users, even if it doesn't have much of an apparatus to do so. Unlike encrypted chat apps like Telegram and WhatsApp, the PlayStation networks weren't designed with security in mind, and most users care far more about latency and downtime than they do about privacy. If an intelligence service is looking for you specifically, it's just not that good of a place to hide. What the networks do have is a lot of people, which makes them useful for meeting inconspicuously. You won't stand out if you set up a private chat on PSN, the way you might if you log onto a protected chat room or IRC channel. It's the protection of the crowd, the same way you might talk more freely in a noisy bar where you won't be overheard. This kind of privacy is more about cultural expectations than strict security, and it's particularly important because of that. It can be used by terrorists, sure, but so can dimly lit restaurants and crowded parks. If that's scary, then all private spaces are scary. If you believe that logic, you've made a boogeyman out of privacy itself. All of which brings us back to the flush toilet. In the wake of a tragedy, shock makes us value security over all else, often forgetting smaller virtues in the rush to protect ourselves. It's a natural impulse, but it's worth considering where it might take us, left unchecked. With enough fear, anything comes to look threatening: a gaming console, a toilet, a smartphone. Will destroying them make us more or less powerful?
http://arstechnica.com/security/2015/11/police-body-cams-found-pre-installed-with-notorious-conficker-worm/ A report that police cameras are shipping with Conficker.B pre-installed is testament to the worm's relentlessness. It's also troubling because the cameras can be crucial in criminal trials. If an attorney can prove that a camera is infected with malware, it's plausible that the vulnerability could be grounds for the video it generated to be thrown out of court, or at least to create reasonable doubt in the minds of jurors. Infected cameras can also infect and badly bog down the networks of police forces, some of which still use outdated computers and ineffective security measures.
Editor's note (11/16/15): Following the terrorist attacks in Paris on November 13 and the ensuing debate about counterterrorism efforts and encrypted communications, Scientific American is republishing the following [2013] article. [...] http://www.scientificamerican.com/article/nsa-nist-encryption-scandal/
http://www.theguardian.com/world/live/2015/nov/16/paris-attacks-france-terrorism-isis-obama-hollande-war Bratton [NYC Police Commissioner] told MSNBC host and former Republican congressman Joe Scarborough that "You have to be on the offense. Offense is intelligence" on MSNBC, and said that encryption was a problem. "We are losing a lot of that intelligence momentum because of that issue." Privacy advocate Lauren Weinstein, who worked on the Department of Defense's proto-Internet project Arpanet, said secure encryption backdoors are a pure impossibility. "If there was a scientifically provable way to do this, we could have the discussion," Weinstein told the Guardian, "but it doesn't make sense to have the discussion when everybody who's looked at this and is honest about it says that it would make us more vulnerable. "The math will get you every time."
ICANN assigns domain names, has oversight over Internet registrars, but there is no oversight for ICANN. They are in a transition, including a mission statement of making the Internet worthy of consumer trust. But meanwhile no one in ICANN seems to be working towards that goal, and the spam keeps rolling in, supported by registrars, which ICANN is supposed to police. Instead ICANN denies its responsibility to Internet users, puts obstructions in the way of people who identify causes of Internet abuse and fraud. http://www.circleid.com/posts/20151026_consumer_trust_not_at_icann_compliance/ KNUJON, and other efforts, identify registrars responsible for 89% of the sources of spam and cyber-crime, but it can take 5 years before ICANN does anything about this. Perhaps law enforcement could pay some of them a visit, to confirm or deny KNUJON et al allegations. [KNUJON also noted in RISKS-29.08. PGN]
It was once considered unbecoming, or annoying itself, to moan publicly about trifling personal ordeals. Now we tolerate, even encourage, the microcomplaint. http://www.nytimes.com/2015/11/15/fashion/the-microcomplaint-nothing-too-small-to-whine-about.html
The Windows 3.1 incident at Orly reminded me of the net.wars column I wrote after Microsoft officially retired XP (which is still running my desktop here): http://www.pelicancrossing.net/netwars/2014/05/software_is_forever.html www.pelicancrossing.net, Twitter: @wendyg
This inspires discussion of what might happen in a future where there are many such cars on the road. 2-8 Nov 2015 BBW (Bloomberg Business Week) has a time line of the history of driverless cars, forecasting future optimistic expectations (ignoring cyberrisks): * 2017 GM & Google cars without steering wheel nor gas pedal; * 2020 self driving industrial vehicles hurt driver job market; * 2025 fully automated vehicles on Earth and Mars; * 2030 All taxi fleets are now driverless; * 2035 driverless cars shrink in size, with fuel consumption = gains, and smaller parking spaces; * 2040 price drop in driverless cars, for more buyers, but easier trip invites more urban sprawl; * 2045 restrictions on driver vehicles; * 2050 vehicle crashes become a thing of the past; * 2055 auto insurance shifts from owners to vehicle manufacturers; * 2060 autonomous vehicles become mandatory. (will this include police cars & other 1st responders?) Many risks mentioned in past posts: * Autonomous military ordinance gets hacked. * Electronic Smog. * Google did not know they needed to report accidents with driverless cars. They thought paying off owner of other vehicle was good enough. * Ethics—who to save, sacrifice, when cannot save everyone. * Humans drive recklessly, violate speed limits, driverless cars at a disadvantage. * Humans in trouble when follow flawed map apps—ditto for driverless? * Uploading software patches, without proper testing, often leads to outages. If that causes driverless to crash, blame whom? * Who is to be held accountable when driverless public transportation crashes—the programmer, who did not know his code to be used for that purpose?
"and because I know of only one report of a driver-present car running into a driverless one that stopped for a pedestrian (as required by law)" Google very helpfully is listing all accidents that involved Google cars. The one that got the most press was one that involved injuries, but there have been several before and after that. https://static.googleusercontent.com/media/www.google.com/en//selfdrivingcar/files/reports/report-0515.pdf
> This event actually inspires some discussion of what might happen > in a future where there are many such cars on the road. (PGN) In some states, insurance is for the driver. In some states, insurance is for the automobile. In no states, is there a requirement that a passenger have a licence to be a passenger. Ipso facto, at the scene of an accident, there may be no one with an ID and no one with insurance.
But then again they wouldn't have become brilliant authors if they spent their time doing that. Indeed they might cheerfully use Wikipedia every day, ever cautious not to read articles about topics they know—worst of which being articles describing they themselves—lest they need more than a chuckle to get over it.
[via Dave Farber] The power of capitalism is remarkable. The level of sophistication of "spy" tech in the commercial world, for the purposes of gathering and correlating this data, rivals, and in a few ways clearly surpasses similar efforts in the national security spaces. The "economy of scale" of reaping "all the things" rather than being selective has enabled both efforts, but in the commercial world it is profit (well, potential profit in many cases) driven vs. being a cost center in the gov spaces. Dangerous? Oh yes. Likely in ways we have not even imagined yet.... Still, amazing to watch it all develop. Keep dodging all the friendly fire...
You will clearly get many responses to this, but 2010 - http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf 2011 - http://eprint.iacr.org/2015/963.pdf 2012 - http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf 2014 - http://sec.cs.ucl.ac.uk/users/smurdoch/papers/oakland14chipandskim.pdf I suspect the details of the European chips and the US chips are identical, since they are both using EMV standards. EMV = Europay, Mastercard, Visa [Don't forget Ross Anderson and Steven Murdoch, Why Payment Systems Fail: What lessons might we learn from the chip cards used for payments in Europe, now that the U.S. is adopting them too? CACM Inside Risks article, June 2014, http://www.csl.sri.com/neumann/insiderisks.html . John Levine also suggested looking at Ross Anderson's Virus Bulletin keynote from last month: https://youtu.be/FY2YKxBxOkg . PGN]
Um... we've had these in the UK for what seems like half a lifetime (nearly as long as cameras which capture images electronically instead of on film) -- they work exactly as described. As I understand it, the problem was that criminals could, with some difficulty, replicate magnetic strips on a kitchen-table basis, but they are unlikely to be able to fabricate ICs. I'm told that the trouble with the earliest ones was that both cards and readers had to handle either magnetic strips or Chip&PIN; the readers read the strip first, and if the card had a chip then a bit was set in the strip to say "read the chip", but criminals could replicate the strip with this bit not set, defeating the security features of the chip. Main fraud problems now are the usual shoulder-surfing, strategically-placed 'security' cameras capturing PINs, tampered readers, etc. along with cardholder-not-present unauthorised transactions. Incidentally, Brits traveling overseas are warned that when using credit/debit cards they may be offered billing in pounds sterling rather than local currency, which seems like a good idea, but they may then be charged at a terrible exchange rate, only discovered when they get back home. As already mentioned in RISKS, a more-recent innovation is contactless near-field RFID cards, which don't need to be inserted in a reader, you just hold it nearby, and if the transaction value is less than 30 pounds (about $45) you don't even need a PIN(!). What I found scary was an ATM which read my card contactlessly—normally ATMs require you to take your card out at the end of the transaction, but with this one I had to be sure to select the "do you want another transaction? **NO**" to 'close' the session. (And also as already mentioned, fun & games if you use a contactless travel card on public transport kept too close to your contactless credit/debit card, see RISKS-28.93 & 94.) From time to time there are breathless articles in UK newspapers pointing out that an ever-smaller proportion of transactions are being done with physical cash, and looking forward to the glorious day when it will be abolished altogether. Wonderfully convenient, but anybody with access to your data will be able to see exactly what you spend your money on, AND track your movements.
> The irony of course is that TLS (STARTTLS) is basically clown-grade email > encryption. No, the irony is STARTTLS push coming from Google barely 6 months after the MCS Holdings "incident": http://arstechnica.com/security/2015/03/google-warns-of-unauthorized-tls-certificates-trusted-by-almost-all-oses/ The not really funny part is that apparently this is legitimate academic research publishable in an ACM SIG. Because if I were Google trawling user's e-mails for targeted advertising with the "major providers complicit in TLA spying" brouhaha on top, I'd want to do some damage control, too. Selling it as native advertising aka "repurposed bovine waste" is not surprise either: advertising is what Google does. Remember the actual encrypted e-mail service provider? Lavabit, anyone?
[I frequently cull a single item from Bruce's CRYPTO-GRAM. At this point, I think I should suggest that if you are interested, you should subscribe. Here's just the table of contents for the latest issue. PGN] CRYPTO-GRAM November 15, 2015 by Bruce Schneier CTO, Resilient Systems, Inc. schneier@schneier.com https://www.schneier.com For back issues, or to subscribe, visit <https://www.schneier.com/crypto-gram.html> You can read this issue on the web at <https://www.schneier.com/crypto-gram/archives/2015/1115.html> The Doxing Trend [Doxing has to do with hacking for documents] The Rise of Political Doxing Breaking Diffie-Hellman with Massive Precomputation (Again) Schneier News Australia Is Testing Virtual Passports Resilient Systems News The Effects of Surveillance on the Victims
Please report problems with the web pages to the maintainer