Ellen Nakashima, *The Washington Post*, 14 Dec 2015 https://www.washingtonpost.com/world/national-security/former-national-security-officials-urge-government-to-embrace-rise-of-encryption/2015/12/15/3164eae6-a27d-11e5-9c4e-be37f66848bb_story.html [This is a remarkable article, suggesting (among other things) that law enforcement needs to adapt to the use of encryption rather than expect exceptional systemic access to decrypted and unencrypted information. Mike McConnell notes that strong encryption is a greater strategic need. Michael Chertoff notes that deliberately compromising security to make it easier for law enforcement would run the risk of simply sending bad guys elsewhere. Michael Hayden notes that backdoors and built-in keys would drive the market away. Joel Brenner notes that the likelihood others will gain access is quite high. All four of these men have held very high positions in the U.S. Government. PGN-ed]
Sean Gallagher, Ars Technica, 15 Dec 2015
http://arstechnica.com/information-technology/2015/12/what-the-government-shouldve-learned-about-backdoors-from-the-clipper-chip/
This article revisits arguments Whit Diffie made at a Congressional hearing 22 years ago, relating to the key-escrow approach of the Clipper Chip—all of which seem relevant today, more or less as originally stated:
* The backdoor would put providers in an awkward position with other governments and international customers, weakening its value.
* Those who want to hide their conversations from the government for nefarious reasons can get around the backdoor easily.
* The only people who would be easy to surveil would be people who didn't care about government surveillance in the first place.
* There was no guarantee someone else might not exploit the backdoor for their own purposes.
Caroline Craig, InfoWorld, 11 Dec 2015 Closed-door negotiations in Congress threaten to strip privacy provisions from final version of the merged cyber security bill http://www.infoworld.com/article/3013728/government/final-cyber-security-bill-paves-way-for-the-surveillance-state.html
https://www.techdirt.com/articles/20151214/07452133070/lightbulb-drm-philips-locks-purchasers-out-third-party-bulbs-with-firmware-update.shtml Literally. Philips has just slapped fans like us in the face and kicked interoperability out the door. Without any communication they delivered a new firmware to the system that disables adding products that they don't approve of. Basically they are banning other Zigbee Light Link products despite the fact that they are a Connected Lighting Alliance member whose mission is to promote interoperability. As it seems (and unless this is just a huge mistake on Philips' side), they have without a warning turned their open product into a walled garden. They have also destroyed the value of the solutions that the customers have set up based on Philips' promises.
Kevin Quealy and Margo Sanger-Katz, *The New York Times* interactive, 15 Dec 2015, The Experts Were Wrong About the Best Places for Better and Cheaper Health Care http://www.nytimes.com/interactive/2015/12/15/upshot/the-best-places-for-better-cheaper-health-care-arent-what-experts-thought.html While reading this interesting NYTimes article about health care costs, I was surprised to have the article reach out and grab me by the collar. Embedded in the article—flowed into the text, not separate in any way -- was a sentence or two and a little graphic that told me about health care costs in Springfield, MA, where it guessed I was reading from (I live about half an hour away, so not a bad guess). I have attached a screen capture and would be curious if the whole enterprise worked as well in other geographic areas. [Omitted for RISKS. PGN] This is the first time I can remember encountering anything like this in a news story—reaching out to tap the reader on the shoulder in the middle of the article, as opposed to letting the reader click on something. To me, it was at once useful and creepy. On the one hand, I was curious about the results for my local area. On the other, I was creeped out by being reminded of the giant eyeball on the other end that is watching me. [...] [My own browsing of this *interactive* article focuses on San Mateo County, California, which is where SRI is located. I think *The Times* interactive folks have done quite a spectacular job, as the entire article includes statistics related to *my* location. Moreover, from the graphic, it appears that the article is prepared to be instantiated specifically to at least 280 different locations (rough count). At this rate, it won't be long until interactive *Times* articles are personalized down to each county, or each city, or even each household... PGN]
http://www.csoonline.com/article/3014507/security/european-space-agency-records-leaked-for-amusement-attackers-say.html Along with database schemas and server stats, a second post by Anonymous also included 8,107 names, email addresses, and passwords. A third post exposed contact details for various ESA supporters and researchers. The leaked data highlights a troubling problem with regard to passwords used on the compromised domains. Of the 8,107 passwords exposed, 39 percent (3,191) of them were just three characters long (e.g. 'esa', '469', '136', etc.). The second largest set of passwords - 1,314 (16%) - were eight characters long, and based on their construction would have been easily cracked by most rule sets and dictionaries. Passwords such as trustno1, rainbow6, password, 12345678, and those based on the person's name or email address would be the first to fall.
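As an added illustration, not part of the CSO article or of this post, the following Python script applies the same kind of triage the article describes to a constructed sample dump: bucket passwords by length, match them against a small stand-in wordlist, and flag ones built from the account holder's own name or e-mail address. The records, the wordlist and the function names are all invented for the example; a real audit would use a full leaked-password list and proper mangling rules in place of the toy regex.

```python
import re
from collections import Counter

# Constructed sample records in the shape the article describes
# (name, e-mail, plaintext password). They are invented for this
# example and are not data from the ESA leak.
SAMPLE_DUMP = [
    ("Alice Example", "alice.example@example.org", "esa"),
    ("Bob Sample", "bsample@example.org", "469"),
    ("Carol Test", "carol@example.org", "trustno1"),
    ("Dan Demo", "dan.demo@example.org", "rainbow6"),
    ("Eve Fixture", "eve@example.org", "12345678"),
    ("Frank Placeholder", "frank.p@example.org", "frank2015"),
    ("Grace Hopper", "ghopper@example.org", "Hopper!"),
    ("Ivan Eight", "ivan@example.org", "Summer99"),
    ("Heidi Strong", "heidi@example.org", "correct-horse-battery-staple-42"),
]

# Tiny stand-in for the wordlists a cracker runs first; a real audit
# would use a full leaked-password list plus mangling rules.
COMMON_PASSWORDS = {"password", "12345678", "trustno1", "rainbow6",
                    "qwerty", "letmein", "123456"}


def identity_tokens(name, email):
    """Strings an attacker can read straight off the record: name parts,
    the e-mail local part, and the words inside that local part."""
    local = email.split("@", 1)[0].lower()
    tokens = {local} | set(re.split(r"[^a-z]+", local))
    tokens |= {part.lower() for part in name.split()}
    return {t for t in tokens if len(t) >= 3}


def classify(name, email, password):
    """Return the weakness class a rule-based cracker would hit first,
    or 'other' if none of the cheap rules apply."""
    pw = password.lower()
    if len(password) <= 3:
        return "three_chars_or_less"
    if pw in COMMON_PASSWORDS:
        return "common_word"
    for tok in identity_tokens(name, email):
        # identity token plus up to six trailing digits/symbols (frank2015, Hopper!)
        if re.fullmatch(re.escape(tok) + r"[0-9!@#$%]{0,6}", pw):
            return "derived_from_identity"
    if len(password) == 8:
        return "eight_chars"
    return "other"


def summarize(dump):
    """Count each weakness class and its share of the dump, the way the
    article's percentages were computed."""
    counts = Counter(classify(n, e, p) for n, e, p in dump)
    total = len(dump)
    return {cls: (cnt, round(100.0 * cnt / total, 1)) for cls, cnt in counts.items()}


if __name__ == "__main__":
    for cls, (cnt, pct) in sorted(summarize(SAMPLE_DUMP).items()):
        print(f"{cls:24s} {cnt:3d} ({pct}%)")
```

The order of the checks matters: a password is reported under the first rule that would crack it, so an eight-character password that is also a dictionary word is counted as a dictionary hit, which is how a cracker would actually find it.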
Privacy Nightmare: Own a Drone? FAA Wants Your Credit Card Number http://lauren.vortex.com/archive/001138.html Oh goodie. The FAA has announced its ultra-rushed plan for a drone registry -- they desperately wanted to get this on the books before Christmas. It's worse than even the most vocal critics had anticipated: https://www.faa.gov/uas/registration/faqs/ Over the next 60 days, the FAA is requiring that anyone who flies drones outside (other than very small toy drones) must register on a web site (in theory paper-based filing is possible, but the FAA obviously anticipates most registrations to be over the web). The FAA is also demanding your credit card number before you fly. In fact, they demand $5 via credit card every three years. Forever. [...] No need to worry though, right? All that required personal information -- name, physical/mailing address, credit card data, email address, etc. will be in the warm embrace of a "third party contractor" who no doubt will take really good care of it to meet the abysmal security and privacy practices of the federal government. The black hat hackers are already salivating over this one. Home addresses! Credit cards! "Hey comrade, do they ship Porsches to Moscow?"
http://www.nytimes.com/2015/12/15/world/asia/thailand-lese-majeste-tongdaeng.html?emc=eta1 In a case brought in a Thai military court, the worker, Thanakorn Siripaiboon, was charged with making a "sarcastic" Internet post related to the king's pet. He also faces separate charges of sedition and insulting the king. Mr. Thanakorn could face a total of 37 years in prison for his social media posts, highlighting what has become a feverish campaign to protect the monarchy and rebuff critics of the country's military rulers.
http://arstechnica.com/security/2015/12/13-million-mackeeper-users-exposed-after-mongodb-door-was-left-open/
https://thestack.com/security/2015/12/14/bangladesh-extends-social-media-ban-blocking-twitter-and-skype/ A month after temporarily blocking social media sites including Facebook and WhatsApp, the Bangladeshi government has now taken steps to take down Microsoft's online chat software Skype and social networking service Twitter. Citing 'threats to national security', the government ordered the blocking of the six leading social media apps in Bangladesh - Facebook, Messenger, Line, WhatsApp, Viber and Tango. The decision came after a supreme court ruling which sentenced two opposition leaders, Salauddin Quader Chowdhury and Ali Ahsan Muhajid, to death, having found them guilty of crimes committed in the 1971 war of independence from Pakistan.
Attackers are actively exploiting a critical remote command-execution vulnerability that has plagued the Joomla content management system for almost eight years, security researchers said. http://arstechnica.com/security/2015/12/hackers-actively-exploit-critical-vulnerability-in-sites-running-joomla/
http://www.networkworld.com/article/2991925/security/small-community-banks-using-machine-learning-to-reduce-fraud.html
http://app.scientificcomputing.com/news/2015/12/lie-detecting-software-uses-machine-learning-achieve-75-percent-accuracy [Wow! 75 percent! That means in 25 percent of the cases, everyone is likely to be falsely accused of something? PGN]
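An added worked example (mine, not from the article or from PGN's note) that makes the arithmetic behind that remark explicit. It assumes the reported 75% is a symmetric accuracy, i.e. the tool catches 75% of liars and clears 75% of truthful people, which the article does not state, and it goes one step beyond the note by varying how common lying actually is in the screened population: the accuracy stays at 75% throughout, but the share of flagged people who are actually truthful grows as lying becomes rarer.

```python
def expected_outcomes(n, prevalence, sensitivity, specificity):
    """Expected confusion-matrix cells when n subjects are screened.
    prevalence: fraction who are actually lying; sensitivity: fraction of
    liars the tool flags; specificity: fraction of truthful people it clears."""
    liars = n * prevalence
    truthful = n - liars
    tp = liars * sensitivity          # liars correctly flagged
    fn = liars - tp                   # liars who slip through
    tn = truthful * specificity       # truthful people correctly cleared
    fp = truthful - tn                # truthful people falsely accused
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn}


def accuracy(c):
    """Fraction of all subjects the tool gets right."""
    return (c["tp"] + c["tn"]) / (c["tp"] + c["fp"] + c["tn"] + c["fn"])


def positive_predictive_value(c):
    """Of those the tool calls liars, the fraction who really are lying."""
    flagged = c["tp"] + c["fp"]
    return c["tp"] / flagged if flagged else 0.0


def falsely_accused(c):
    """Truthful subjects the tool flags as liars."""
    return c["fp"]


if __name__ == "__main__":
    # Assumption: the 75% figure is symmetric (75% sensitivity, 75% specificity).
    for prev in (0.5, 0.1, 0.01):
        c = expected_outcomes(1000, prev, 0.75, 0.75)
        print(f"prevalence {prev:4.0%}: accuracy {accuracy(c):.0%}, "
              f"PPV {positive_predictive_value(c):.0%}, "
              f"falsely accused {falsely_accused(c):.0f} of 1000")
```

With one liar in a hundred, about 248 of every 1000 screened are falsely flagged and only about 3% of the people the tool accuses are actually lying, even though it is still "75% accurate".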
“The government owns millions of unused IP addresses which we are selling to get a good return for hardworking taxpayers. We have sold a number of these addresses to telecoms companies both in the UK and internationally to allow their customers to connect to the Internet. We think carefully about which companies we sell addresses to, but how their customers use this Internet connection is beyond our control.'' The government did not reveal how much money was made from selling the IP addresses to the pair of Saudi firms, because it regards this information as commercially sensitive. The Saudi deal was first revealed after hackers claimed that a number of Islamic State supporters' social media accounts are being run from Internet addresses which could be linked to the Department of Work and Pensions. http://www.mirror.co.uk/news/technology-science/technology/british-government-admits-selling-internet-7017287
The Dreaded iHunch? ... very effectively dealt with here: http://steamtraen.blogspot.co.uk/2015/12/a-cute-story-to-be-told-and-self-help.html starting with the observation that this is a tiny study from 2013, which has not yet been peer-reviewed and yet is felt good enough for *The New York Times*. The risks of sensationalist newspaper articles based on dubious science will be familiar to us, I'm sure - but having the sensationalist article written by one of the authors of the dubious science is certainly more efficient than the usual approach.
Ah, why oh why would Google offer links that would point back to itself?

> A side note, Google appears to be (in some instances) not providing users
> direct links to articles - Google instead provides links to Google with
> search terms. Have others noticed this? And if so, can anyone speculate as
> to why?

You may want to look up what a chap by the name of Gordon Welchman did during WW II. What you're looking at is meta-data collection: tracking relationships. Google is tracking whom you are sharing the link with so they can establish a link between you and the originator. From such casual events metrics and profiles are spun, and it's not just Google who does this -- I find LinkedIn especially aggressive in this too. I always strip links back to the actual resource before I forward them to others, as I find it uncivil to subject someone to unwanted (and mostly undetected) tracking, and links I receive from third parties get the same treatment before I use them. To quote the late Spike Milligan, there is a lot of it about!
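One way to do that stripping mechanically, as an added example rather than the poster's own tooling: the script below peels Google's `/url?q=...` redirect wrapper (the form the thread is about) off a link and hands back the destination, following nested wrappers a bounded number of times and refusing anything that is not a plain http(s) URL. The `url=` parameter name, the table of redirector hosts and the sample links are my assumptions for the example; extend the table with whatever redirectors you actually receive.

```python
from urllib.parse import urlparse, parse_qs

# Redirector hosts, the path they redirect from, and the query parameters
# that may carry the real destination. Google's /url?q= form is the one
# discussed above; accepting url= as well is an assumption for this example.
REDIRECTORS = {
    "www.google.com": ("/url", ("q", "url")),
    "google.com": ("/url", ("q", "url")),
}


def unwrap(link, max_hops=3):
    """Return the direct link hidden inside a redirector URL.

    Follows nested wrappers up to max_hops times (so a loop cannot spin
    forever) and returns the input unchanged when the host is not a known
    redirector, the parameter is missing, or the destination is not http(s)."""
    for _ in range(max_hops):
        parsed = urlparse(link)
        rule = REDIRECTORS.get(parsed.netloc.lower())
        if rule is None or parsed.path != rule[0]:
            return link
        params = parse_qs(parsed.query)          # percent-decodes the values
        target = next((params[name][0] for name in rule[1] if params.get(name)), None)
        if not target:
            return link
        dest = urlparse(target)
        # Reject javascript:, data:, mailto: and scheme-less junk outright.
        if dest.scheme not in ("http", "https") or not dest.netloc:
            return link
        link = target
    return link


def unwrap_all(links):
    """Apply unwrap() to a list of links, e.g. everything in a message body."""
    return [unwrap(l) for l in links]


if __name__ == "__main__":
    # Constructed sample links; the Risks URL is real, the wrapper is made up.
    samples = [
        "https://www.google.com/url?q=https%3A%2F%2Fcatless.ncl.ac.uk%2FRisks%2F&sa=D&usg=x",
        "https://example.org/page?x=1",
        "https://www.google.com/url?q=javascript:alert(1)",
    ]
    for before, after in zip(samples, unwrap_all(samples)):
        print(before, "->", after)
```

Note that `parse_qs` does the percent-decoding, so a wrapper nested inside another wrapper comes out as a fresh URL on the next hop; the hop limit is what stops two redirectors that point at each other from looping.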
Next year is the 25th anniversary of the publication of Practical Unix Security. The book has attracted quite a readership over the years. As a celebration of the anniversary, and as a way of helping raise some funds for two worthwhile non-profit organizations (EPIC and the ISSA Foundation), we are making a special offer to get a copy of the book signed by the authors. We encourage people to participate -- if nothing else, to provide some support to two worthwhile organizations supporting security & privacy work (Details: http://ceri.as/puis).
The most important link was omitted from my post: http://www.politico.com/agenda/story/2015/12/defense-department-cyber-offense-strategy-000331