http://www.uspto.gov/blog/ebiz/ A major power outage at USPTO headquarters occurred last night resulting in damaged equipment that required the subsequent shutdown of many of our online and IT systems. This includes our filing, searching, and payment systems, as well as the systems our examiners across the country use. We are working diligently to assess the operational impact on all our systems and to determine how soon they can be safely brought back into service in the coming days. We understand how critical these systems are for our customers, and our teams will continue to work around the clock to restore them as quickly as possible, though the impacts may be felt through the Christmas holiday. We know many people have questions regarding filing and payment deadlines. We are reviewing this topic and will provide an update when we have further information.
http://motherboard.vice.com/read/the-myth-of-galloping-gertie For physics teachers, the footage of Gertie has proved irresistible as a lesson in wave motion--and, specifically, a textbook example of the power of forced resonance. The image of the undulating bridge left its mark on scores of students (including me) as a demonstration of what one canonical version of the film calls `resonance vibrations'. Since then, scores of books and articles, from Encyclopedia Britannica to a Harvard course website, have reported that the Tacoma Narrows was destroyed by resonance. But it turns out it wasn't. A long and fascinating article about a bridge collapse, and the filmed footage that we've all likely seen many times in our lives. [This illustrated article is a fabulous item for RISKS. It is beautifully put together, and clearly illustrated. The `flutter' explanation seems to win out quite clearly, even after so many years of belief in `resonance'. But the explanation is quite elaborate and multifaceted. PGN]
The Jan/Feb 2016 (double) issue of Analog Science Fiction and Fact magazine has an article on the challenges of implementing driverless cars. Check out the `Home James' article starting on page 88. For info about Analog, if it is not sold at your local news stand: www.analogsf.com Robot cars of today know the rules of the road, but not the psychology of other participants on the highways. One approach being taken is to try to mimic the behavior of the most expert drivers, such as those who drive 150 mph in major auto races. This reminds me of the early days of computers playing Chess, which did not get really good until programmers consulted Chess Masters, in other words international champions; then the computers playing chess became as good as those guys. If bugs are found, the software can be patched overnight. If it were only that simple for Volkswagen anti-pollution and anti-theft. Stanford is experimenting with a driverless shuttle bus, traveling around campus @ 12 mph. If the OS does not know what to do, it stops. Have you ever watched bicycle races on sports channels? Those riders seem dangerously close to each other, that way to save energy. Driverless trucks can do the same thing, if linked electronically, so if anything bad happens with the one in front, they all slow down in unison, especially if the one with the best brakes is in the rear. This saves them significant fuel. Human reaction times can't handle that, and following less than a car length behind at 65 mph is illegal. Not addressed are the self-confident human drivers who might see that & think “If they can do that, so can I,'' not knowing `they' are computers.
Keith Naughton, 18 Dec 2015 [Not new to RISKS, but more. PGN] Accident rates are twice as high for driverless cars as for regular cars, but the driverless cars have never been at fault. https://www.autonews.com/article/20151218/OEM11/151219874/humans-are-slamming-into-driverless-cars-and-exposing-a-key-flaw DETROIT (Bloomberg)—The self-driving car, that cutting-edge creation that's supposed to lead to a world without accidents, is achieving the exact opposite right now: The vehicles have racked up a crash rate double that of those with human drivers. The glitch? They obey the law all the time, as in, without exception. This may sound like the right way to program a robot to drive a car, but good luck trying to merge onto a chaotic, jam-packed highway with traffic flying along well above the speed limit. It tends not to work out well. As the accidents have piled up—all minor scrape-ups for now—the arguments among programmers at places like Google Inc. and Carnegie Mellon University are heating up: Should they teach the cars how to commit infractions from time to time to stay out of trouble? [...]
https://www.cs.columbia.edu/~smb/blog/2015-12/2015-12-22.html is an attempt to demonstrate to policy types just how hard crypto is. --Steve Bellovin, https://www.cs.columbia.edu/~smb
This is an amazingly intricate situation that is still unfolding. Here are a few relevant URLs, more or less in REVERSE chronological order. https://www.imperialviolet.org/2015/12/19/juniper.html http://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/ http://www.wired.com/2015/12/juniper-networks-hidden-backdoors-show-the-risk-of-government-backdoors/ https://news.ycombinator.com/item?id=10764274
http://www.nytimes.com/2015/12/22/world/europe/apple-pushes-against-british-talk-of-softening-encryption.html?partner=rss&emc=rss "The best minds in the world cannot rewrite the laws of mathematics," the company told the British Parliament, submitting formal comments on a proposed law that would require the company to supply a way to break into the iChat and FaceTime conversations of iPhone users.
https://www.washingtonpost.com/world/national-security/meet-the-woman-in-charge-of-the-fbis-most-contentious-high-tech-tools/2015/12/08/15adb35e-9860-11e5-8917-653b65c809eb_story.html The advent of strong encryption, however, is presenting Hess with a huge, perhaps insurmountable, challenge. In the past few years, tech firms and app developers have increasingly built platforms that employ a form of encryption that only the user, not the company, can unlock. The bureau's encryption dilemma is exacerbated by a chill that settled over the relationship between the FBI and Silicon Valley in the wake of leaks in 2013 about government surveillance by former National Security Agency contractor Edward Snowden. Firms that feared being tagged as tools of a privacy-invading government became less willing to assist in surveillance “because it was perceived as not a good business model to be seen as cooperating with the government,'' Hess said. It used to be, she said, that companies meeting a legal requirement to provide `technical assistance' generally would try to comply with wiretap orders. “Now all of a sudden we get hung up on the question of what, exactly, does that mean I have to provide to you?'' she said. In recent months, the FBI's conversations with companies have become more productive, she said, “but it's not to the level we were pre-Snowden.'' ... More than any other FBI executive, Hess must navigate the tension between privacy and security. While she might be seen as a kind of female Q, head of the fictional spy agency Skunkworks in the James Bond movies, Christopher Soghoian, principal technologist at the American Civil Liberties Union, sees her as “the queen of domestic surveillance''. 
Said Soghoian: “All of the most interesting and troubling stuff that the FBI does happens under Amy Hess.'' Whether it's turning on the taps to collect data from tech companies to pass to the NSA (under court order), or covertly entering people's houses to install bugs (with a warrant), he said, “if it's high-tech and creepy, it's happening in the Operational Technology Division.'' ... Privacy advocates also worry that to carry out its hacks, the FBI is using `zero-day' exploits that take advantage of software flaws that have not been disclosed to the software maker. That practice makes consumers who use the software vulnerable, they argue. Hess acknowledged that the bureau uses zero-days—the first time an official has done so. She said the trade-off is one the bureau wrestles with. “What is the greater good—to be able to identify a person who is threatening public safety?'' Or to alert software makers to bugs that, if unpatched, could leave consumers vulnerable? “How do we balance that? That is a constant challenge for us.'' She added that hacking computers is not a favored FBI technique. “It's frail.'' As soon as a tech firm updates its software, the tool vanishes. “It clearly is not reliable'' in the way a traditional wiretap is, she said. [What could go wrong?]
Tim Greene, Network World, 17 Dec 2015 (via ACM TechNews, 18 Dec 2015) Massachusetts Institute of Technology (MIT) researchers' experimental Vuvuzela messaging system offers more privacy than The Onion Router (Tor) by rendering text messages sent through it untraceable. MIT Ph.D. student David Lazar says Vuvuzela resists traffic analysis attacks, while Tor cannot. The researchers say the system functions no matter how many parties are using it to communicate, and it employs encryption and a set of servers to conceal whether or not parties are participating in text-based dialogues. "Vuvuzela prevents an adversary from learning which pairs of users are communicating, as long as just one out of [the] servers is not compromised, even for users who continue to use Vuvuzela for years," they note. Vuvuzela can support millions of users hosted on commodity servers deployed by a single group of users. Instead of anonymizing users, Vuvuzela prevents outside observers from differentiating between people sending messages, receiving messages, or neither, according to Lazar. The system imposes noise on the client-server traffic which cannot be distinguished from actual messages, and all communications are triple-wrapped in encryption by three servers. "Vuvuzela guarantees privacy as long as one of the servers is uncompromised, so using more servers increases security at the cost of increased message latency," Lazar notes. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e70bx2d991x066779&
http://news.softpedia.com/news/interapp-the-gadget-that-can-spy-on-any-smartphone-497864.shtml Tel Aviv-based Rayzone Group is selling a nifty little gadget called InterApp that [they claim - Lauren] can leverage outdated mobile devices and intercept and extract information from nearby smartphones.
Lucian Constantin, InfoWorld, 16 Dec 2015 The flaw can allow attackers to modify password-protected boot entries and deploy malware http://www.infoworld.com/article/3016098/security/vulnerability-in-popular-bootloader-puts-locked-down-linux-computers-at-risk.html opening text: Pressing the backspace key 28 times can bypass the Grub2 bootloader's password protection and allow a hacker to install malware on a locked-down Linux system. [These are presumably breaking backspaces. GW] [Definitely backbreaking. The breakback is mountin'. PGN]
This is a disturbing article, a portion of which is of particular relevance to RISKS: “Mohindra hooked all of Vyapam's computers to a common office network and retained all administrator privileges,'' said Tarun Pithode, an energetic young civil servant who was appointed Vyapam's new director to set things straight after the scam broke. After the multiple-choice exam sheets were scanned, Mohindra could access the computer that stored the results, and alter the answers as he wished. Once the results had been altered on the computer, Mohindra would approach the exam observers and ask for the original answer sheet, claiming that the student had requested a copy under India's Right to Information Act. He would then sit in Trivedi's office and fill out the originals so that they tallied with the altered version saved on the computer. [...] In our review, we found almost every system had been subverted, Pithode said. For example, every question paper set has an `answer key' that is put into a self-sealing envelope before the exam and opened only at the time of tabulating results. Trivedi would seal the envelope in the presence of observers, but later would simply tear open the envelope, make copies of the key, and put the original document into a new envelope. [...] And while the investigation drags on, it has been further muddied by an elaborate and increasingly impenetrable series of allegations and counter-allegations between the ruling BJP and the opposition Congress over the veracity of the evidence seized from Mohindra's computer. http://www.theguardian.com/world/2015/dec/17/the-mystery-of-indias-deadly-exam-scam
*The Register*, 22 Sep 2015 Oh dear: Cisco is warning that screws in a couple of its compact Catalyst switches may be poking into wires carrying live voltages. In this field note, the Borg says the problem occurs when WS-C3560CX or WS-C2960CX switches are installed without a mounting tray—for example, screwed to a desk, shelf, or wall. Screws not installed to the correct depth, “coupled with appreciable force in order to mount the switch, might cause the insulator to be punctured, which exposes a voltage circuit,'' the note states. http://www.theregister.co.uk/2015/09/22/cisco_switch_screw_problem/
A colleague alerted me to this a few days ago and I had an anxious few moments before finding that my own email address was not among those leaked. I was worried because I have been an ESA consultant in the past and am still involved in some ESA projects. My experience is that ESA take network security very seriously where they need to. For example, in order to provide them with a new version of my software I have to log in to an FTP server with not just a simple password but with a rather long pass-phrase. The emails and passwords exposed here are, I think, from people who needed to post a message on a bulletin board, wiki, or similar. Such systems very often force you to open an account before you can post, but my guess is that most people don't take this very seriously, hence the prevalence of very short and simple passwords like `esa'. With luck, few users will have used the same password on anything that matters, so this may not be a very serious leak, although unfortunate all the same. The lesson, if there is one, is that operators of bulletin boards etc. ought to think carefully before forcing their users to choose a password, as they will choose a simple one if they can, or will be annoyed if they are forced to choose a strong password for some trivial purpose. Forcing them to use a real email address rather than a made-up identifier is also unfortunate, as no doubt some of the addresses exposed here will get more spam as a result of this leak.
http://www.csoonline.com/article/3017171/security/database-leak-exposes-3-3-million-hello-kitty-fans.html A database for sanriotown.com, the official online community for Hello Kitty and other Sanrio characters, has been discovered online by researcher Chris Vickery. The database houses 3.3 million accounts and has ties to a number of other Hello Kitty portals. Vickery contacted Salted Hash and Databreaches.net about the leaked data Saturday evening. The records exposed include first and last names, birthday (encoded, but easily reversible, Vickery said), gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related. Will "My Little Pony" be next?
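The item's "unsalted SHA-1" detail is the part a defender should dwell on: with no per-user salt, every user who picked the same password gets the same stored digest, so one precomputed lookup of common passwords matches all of them at once. The following is an added illustration (not code from the article or from Sanrio) that contrasts that storage scheme with a salted, iterated derivation from Python's standard library; the user names and passwords are constructed sample data, and the iteration count is an assumption chosen to keep the example quick.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: two community-site users who chose the same password.
USERS = {"alice": "kitty123", "bob": "kitty123", "carol": "hunter2"}


def legacy_sha1(password: str) -> str:
    """Storage scheme described in the article: unsalted SHA-1.
    Identical passwords collapse to identical digests, so a single table
    lookup of common passwords recovers every matching account at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Hardened alternative: a random per-user salt plus a slow, iterated
    derivation (PBKDF2-HMAC-SHA256). Each record is self-describing so the
    parameters can be raised later without a flag day."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_digests(records: Dict[str, str]) -> int:
    """Number of users whose stored value is shared with at least one other
    user. For an unsalted scheme this equals the number of users sharing a
    password, which is exactly what a bulk attacker exploits."""
    counts: Dict[str, int] = {}
    for value in records.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    legacy = {u: legacy_sha1(p) for u, p in USERS.items()}
    hardened = {u: pbkdf2_record(p) for u, p in USERS.items()}
    print("shared digests, unsalted SHA-1:", duplicate_digests(legacy))
    print("shared digests, salted PBKDF2: ", duplicate_digests(hardened))
```

Run as a script it reports that alice and bob are linkable under the legacy scheme and not under the salted one; a migration can wrap the existing SHA-1 digests in the new derivation on next login rather than waiting for users to reset.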
"Macy's Makes It Difficult For Someone To Give Them Money Because His Last Name Is Slutsky" http://consumerist.com/2015/12/11/macys-makes-it-really-difficult-for-me-to-give-them-my-money-because-my-last-name-is-slutsky/
http://www.nasdaq.com/article/latest-cyberthreat-stealing-your-house-20151208-01179 “The clues were there for months, but property investor Sybil Patrick didn't put them together. The locks to a vacant Harlem brownstone she owns were changed...The case was one of about 30 related incidents in Manhattan in which a group of people allegedly forged or attempted to forge new deeds using easily available online records, to sell the homes and collect the proceeds...'' [*The New York Times* had articles on this happening particularly in Brooklyn a week or so ago. Definitely not *new*, even then. PGN]
In a lab next to the river on New York's Upper West Side a computer will soon start reading. It is part of a cadre of computers that are learning to read more like humans, helping us digest and understand society's huge volumes of text on a large scale. Called the Declassification Engine, it will comb through 4.5 million US State Department cables from the 1930s to the 1980s—everything the department has declassified so far. It's more than any human could read, but the software will analyze the lot, mapping social connections and looking for new narratives about the behavior of US diplomats and officials abroad in the 20th century, says Owen Rambow, a computer scientist at Columbia University, which runs the Declassification Engine. https://www.newscientist.com/article/mg22830512-600-super-literate-software-reads-and-comprehends-better-than-humans/
Hotmail, and its aliases like Live.com, Outlook.com, etc, have devised a special way to prevent spam. If a user decides they no longer want a particular newsletter, they can click the "unwanted mail" button, and flag it as spam. This cascades into events that lead to the blocking of multiple IP addresses belonging to the company that's sending the particular newsletter. Apparently it makes no difference that the customer subscribed to the newsletter him or herself in the first place. Therefore, if you wish to take down a competitor, simply sign up to a newsletter mailing that they offer using your hotmail address, and then flag it as spam when it arrives. Then watch them squirm for weeks trying to get their IP addresses unblocked. It makes no difference if the sender score of the company is very high, nor that their DNS entries are correct. I think all users should refrain from using hotmail services for mission-critical applications.
China's Xi calls for cooperation on Internet regulation; activists warn of threat to speech http://www.usnews.com/news/business/articles/2015-12-16/chinas-xi-calls-for-cooperation-on-internet-regulation Chinese President Xi Jinping called Wednesday for governments to cooperate in regulating Internet use, stepping up efforts to promote controls that activists complain stifle free expression. Xi's government operates extensive Internet monitoring and censorship and has tightened controls since he came to power in 2013.
http://arstechnica.com/security/2015/12/wish-list-app-from-target-springs-a-major-personal-data-leak/ To our surprise, we discovered that the Target app's Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.
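The two defects the article names, an API that answers without any authentication and records keyed by a guessable user ID, are the classic recipe for mass data exposure. The following is an added example, not code from Target or from the article, written as the kind of unit test a team would keep in CI: a minimal in-memory service in the leaky shape, its hardened counterpart that requires a session and an ownership check, and a sweep over the ID space that should retrieve nothing for an anonymous caller. The wishlist records, user names and ID values are constructed sample data.

```python
import secrets
from typing import Callable, Dict, Iterable, Optional

# Constructed sample data for this example (not the real service's schema).
WISHLISTS = {
    1001: {"owner": "alice", "items": ["lamp", "blender"], "email": "alice@example.test"},
    1002: {"owner": "bob", "items": ["skates"], "email": "bob@example.test"},
}
# Session token -> user name, populated by login().
SESSIONS: Dict[str, str] = {}


class Unauthorized(Exception):
    """No valid session was presented."""


class Forbidden(Exception):
    """Valid session, but the caller may not read this record."""


def login(user: str) -> str:
    """Issue an unguessable session token (256 bits from the CSPRNG)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def get_wishlist_unauthenticated(user_id: int) -> Optional[dict]:
    """The pattern described in the article: nothing is checked, so anyone
    who works out how IDs are assigned can walk the whole table."""
    return WISHLISTS.get(user_id)


def get_wishlist(user_id: int, token: Optional[str]) -> dict:
    """Hardened handler: require a session, then an ownership check, then
    return only the fields the caller is entitled to see."""
    caller = SESSIONS.get(token or "")
    if caller is None:
        raise Unauthorized("login required")
    record = WISHLISTS.get(user_id)
    if record is None or record["owner"] != caller:
        # One response for "missing" and "not yours", so the ID space
        # cannot be mapped by watching which IDs exist.
        raise Forbidden("no such wishlist")
    return {"items": list(record["items"])}  # never echo PII such as email


def count_exposed(fetch: Callable[[int], Optional[dict]], ids: Iterable[int]) -> int:
    """Sweep a range of IDs through a handler and count records returned.
    For the hardened handler with no token this must be zero."""
    exposed = 0
    for uid in ids:
        try:
            if fetch(uid) is not None:
                exposed += 1
        except (Unauthorized, Forbidden):
            pass
    return exposed


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("anonymous, leaky handler:   ", count_exposed(get_wishlist_unauthenticated, ids))
    print("anonymous, hardened handler:", count_exposed(lambda u: get_wishlist(u, None), ids))
    tok = login("alice")
    print("alice, hardened handler:    ", count_exposed(lambda u: get_wishlist(u, tok), ids))
```

The point of `count_exposed` is that authorization bugs of this class are cheap to test for: an anonymous sweep of a representative ID range should come back empty, and a logged-in sweep should return exactly the caller's own records. Making IDs random rather than sequential helps, but it is not a substitute for the ownership check.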
If you need to get tech support from your ISP, check their literature, such as monthly billing, to get the correct phone # or URL, because if some site supplies that to you, just maybe you are going to a scammer instead of your ISP. Try not to have all your security in one vendor basket. Ask yourself what your situation will be if the place that supplies your security is itself compromised. Will you also be sucked in, or do you have layered security, using more than one vendor, to reduce the probability of all your security being compromised at the same time? Comcast is currently the largest home ISP in the USA. Comcast uses Xfinity search. Some Xfinity search pages get a Google AdWords advertisement for a review site called SatTvPro. When people click on the ad, they get to the review site, running an outdated version of the Joomla CMS and silently loading a series of redirects, to try to deliver ransomware malware to the user's computer. Then it redirects the users to a phishing site which looks just like the Comcast Xfinity portal, displaying a warning that Comcast security has detected that they may have malware, and supplies a 1-800 # to get Comcast tech support to fix their PC. The 1-800 # is really to the scammers, who want money from the victim to get their computer clean again. There is speculation about how the crooks got all their pieces, such as the possibility that SatTvPro was compromised by the recently discovered and patched flaw (CVE-2015-8562) present in Joomla versions 1.5.0 through 3.4.5, which is so severe that even though some older versions of the software have reached end of life and are no longer being developed or supported by the Joomla project, a patch has been provided for them. <https://docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions> http://www.net-security.org/malware_news.php?id=3179 http://www.net-security.org/secworld.php?id=19233
In a sign of our modern times, users who visit JebBush.com are redirected to DonaldJTrump.com, the official campaign site for the billionaire business mogul, though it's not clear who created the redirect. JebBush.com is unaffiliated with Bush's campaign ... I suspect this is aimed at people who use a search engine to find info about candidates, not knowing their official sites. http://www.politico.com/story/2015/12/jeb-bush-website-donald-trump-redirect-216501
I truly hope that IT managers in these departments were informed of the sale, and had updated their firewalls!!
In this discussion of ethics and morality I think that the following adds a twist: http://www.mercurynews.com/news/ci_29245938/university-of-california-pressured-to-count-computer-science-toward-high-school-math-requirement Apparently the University of California is being pushed to count high school computer science courses taken by applying students as if those were mathematics or science courses. This disturbs me for several reasons. First is that I have only on occasion found computer science to be a substitute for the kind of intellectual discipline of any of the hard sciences. Second is that what is being called `computer science' at the high school level is typically simple programming. There is no doubt that it would be useful if everyone coming out of high school had at least a thin knowledge of what programming is. However, writing code is an aspect of a much larger social issue: As a society we in the US and much of the rest of the world are not particularly skilled at solving problems. I would rather see coding/programming cast as one tool among several tools that can be used to solve problems. When cast in that light, i.e., that programming is a tool, then I would argue that our university educational focus should not be on the tool - that merely turns universities into trade schools - but rather on the broader context in which such tools may be applied. In other words, I am disturbed by those who advocate ever increasing our educational focus on mechanical trade skills rather than on teaching students the social, legal, cultural, and scientific understandings that they are going to need when they are called upon to be good engineers, good citizens, and good people.
When I was a kid, people looked forward to life in the 21st century with such delights as a manned colony on the Moon, land transport by nuclear-powered hovercraft, etc.; I don't recall anybody forecasting software-controlled light bulbs with security features... :o) [or even light bulbs with features without security ... PGN]
http://app.scientificcomputing.com/news/2015/12/lie-detecting-software-uses-machine-learning-achieve-75-percent-accuracy PGN: Actually, it's much worse. Imagine this software is 75% accurate in detecting true liars and exonerating actual truth-tellers—but that only 1% of a population of 10,000 that is being tested actually are liars. So there are 100 liars among the 10,000, and the software correctly fingers 75 of them. Among the other 9,900, the software exonerates 75% of them, or 7,425. But now we have the remaining 2,575 labeled as liars (100 true liars plus 2,475 falsely accused) which means that 96% of those accused actually are falsely accused. Stephen K. Doig, Knight Chair in Journalism, Cronkite School of Journalism, Arizona State Univ., Phoenix, AZ, http://cronkite.asu.edu/faculty/doigbio.php
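The base-rate argument above is worth carrying through in general form, because it applies unchanged to any detector that flags a rare condition: a signature-based IDS, a malware classifier, a fraud model. The following is an added worked example (mine, not from the item or the article) that takes sensitivity, specificity and prevalence as parameters, reproduces the 10,000-person scenario, and also answers the inverse question the item implies: how common must the condition be before a detector of given quality is right even half the time? The function and parameter names are my own.

```python
from typing import Tuple


def accused_breakdown(population: float, prevalence: float,
                      sensitivity: float, specificity: float) -> Tuple[float, float, float]:
    """Return (true positives, false positives, share of the accused who are
    innocent) for a detector applied to a population.

    sensitivity = P(flagged | liar); specificity = P(cleared | truthful).
    """
    positives = population * prevalence            # people who really lie
    negatives = population - positives             # people telling the truth
    true_pos = positives * sensitivity             # liars correctly flagged
    false_pos = negatives * (1.0 - specificity)    # truth-tellers wrongly flagged
    accused = true_pos + false_pos
    false_share = false_pos / accused if accused else 0.0
    return true_pos, false_pos, false_share


def precision(prevalence: float, sensitivity: float, specificity: float) -> float:
    """P(liar | flagged), independent of population size."""
    tp = prevalence * sensitivity
    fp = (1.0 - prevalence) * (1.0 - specificity)
    return tp / (tp + fp)


def required_prevalence(sensitivity: float, specificity: float,
                        target_precision: float) -> float:
    """Smallest prevalence at which precision reaches target_precision.

    Solving p*s / (p*s + (1-p)*(1-q)) = t for p gives
    p = t*(1-q) / (s*(1-t) + t*(1-q)).
    """
    s, q, t = sensitivity, specificity, target_precision
    return t * (1.0 - q) / (s * (1.0 - t) + t * (1.0 - q))


if __name__ == "__main__":
    # The item's scenario: 75% sensitivity and specificity, 1% liars.
    tp, fp, share = accused_breakdown(10_000, 0.01, 0.75, 0.75)
    print(f"flagged liars: {tp:.0f}, flagged truth-tellers: {fp:.0f}, "
          f"innocent share of the accused: {share:.1%}")
    for p in (0.01, 0.05, 0.25, 0.5):
        print(f"prevalence {p:.0%}: precision {precision(p, 0.75, 0.75):.1%}")
    print(f"prevalence needed for 50% precision: "
          f"{required_prevalence(0.75, 0.75, 0.5):.0%}")
```

With 75% on both axes the detector only becomes a coin flip on the accused when a quarter of the population is lying; at the 1% base rate the flagged group is overwhelmingly innocent. The same arithmetic is why an alert source with a "75% accurate" label can still bury an analyst in false positives.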
How did they determine that 75%? According to the article: “To determine who was telling the truth, the researchers compared their testimony with trial verdicts.'' Who decided the verdicts? I believe it was some of those pesky humans. You know, some of those mentioned in “... compared with humans' scores of just more than 50 percent.'' http://app.scientificcomputing.com/news/2015/12/lie-detecting-software-uses-machine-learning-achieve-75-percent-accuracy
In his offer of autographed copies of Practical Unix and Internet Security, Gene Spafford mentions that he had recently worked on some construction projects before coining the term `firewall' for a network traffic filter. I derive a little personal satisfaction from this, as I have for some time been reminding colleagues that a firewall was once a common architectural feature to inhibit the spread of conflagration to adjoining structures, long predating the use of the term in automotive technology (for the barrier between the passenger and engine compartments) which I see cited as the origin of the term by modern folk etymologists.