Asiana Airlines said Monday that contributing factors to the July 2013 crash in San Francisco included poor software design and the failure of the plane's low-speed alerting system to activate in time for a safe recovery. http://www.frequentbusinesstraveler.com/2014/03/asiana-secondary-cause-of-crash-was-poor-software-design/ Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
The shift system operates electronically and the gear requested by the driver is transmitted from the shifter via the CANbus to the Transmission Control Module which makes the requested shift. http://consumerist.com/2016/02/08/more-than-100-crashes-caused-by-confusing-jeep-chrysler-dodge-gear-shifters/ ...sometimes. Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
All human endeavors involving information are subject to overlooked data, erroneous computations, and a variety of other failings. Recently, a team led by Andrea Manica (University of Cambridge) extracted the genome of an Ethiopian who died 4,500 years ago, a significant accomplishment. However, when cross-comparing the results with modern reference genomes, a team member failed to convert the modern dataset to the same format as the extracted DNA data. This failure to normalize formats led to incorrect conclusions about the relatedness of the ancient individual to more modern populations. Pontus Skoglund (Harvard Medical School) and his colleague, David Reich, obtained the raw data from Manica, and came to different conclusions. When told of the discrepancy, Manica's team investigated and discovered the processing error. The Nature erratum report is at: http://www.nature.com/news/error-found-in-study-of-first-ancient-african-genome-1.19258 Bob Gezelter, http://www.rlgsc.com
With the "Internet of things" (IoT), security is an afterthought? Whether it's your automobile, your refrigerator or your tea kettle, so-called "smart" Internet of things devices are consistently and alarmingly showing that they're anything but.

Most IoT devices are insecure by design. They leak user info. They identify the device, where it is being used, what the user is doing. It is not just PII given out, it is also surveillance of the customers made available to almost anyone. Identify whether the user is at home or not. The data goes out clear text; very few have any security protocols. Difficult to identify who, in the supply chain, to hold accountable, and get the problems fixed.
http://www.theregister.co.uk/2016/01/19/iot_smart_devices_are_dumb/
https://www.dropbox.com/s/36nxibezelxrduk/FTC-PrivacyCon-2016.pdf
<https://www.techdirt.com/articles/20150721/17481331719/car-hack-demonstrates-why-security-researchers-shouldnt-have-to-worry-about-copyright-exposing-weaknesses.shtml>
<https://www.techdirt.com/articles/20150824/06411532041/internet-not-so-smart-things-samsungs-latest-smart-fridge-can-expose-your-gmail-password.shtml>
<https://www.techdirt.com/articles/20151015/13551232547/easily-hacked-tea-kettle-latest-to-highlight-pathetic-internet-things-security.shtml>

"Smart" Door Bell
It is accessible to crooks from the "insecure" side of the door & the camera only shows the back of someone leaving, so a person can break in, then disable it. They don't have to break in. Unscrew 2 screws outside the home, press a button, and now they can change anything in the home's IoT. They can "hack" their way in, insecurity by design. Fortunately the screws are non-standard. Some bugs have been fixed, more have been reported.
https://www.techdirt.com/articles/20160112/11405333312/ding-dong-your-easily-hacked-smart-doorbell-just-gave-up-your-wifi-credentials.shtml

"Smart" Thermostat
Nest has fixed several bugs; there are more reported, with their hardware, software, and customer service.
https://www.techdirt.com/articles/20160121/05125933392/nest-thermostat-goes-internet-things-darling-to-cautionary-tale.shtml

Do you have web cams in your home? Forget about stopping that info going out to other people, unless you put masking tape over the camera. Weigh yourself in the bathroom - forget about privacy of other people not knowing the results. Who owns the data streaming out of your home? Apparently not you. So do you have a legal right to interfere with that data exiting?
http://www.govtech.com/security/Is-Privacy-Compromised-By-Growth-of-IoT-Devices.html

Smart devices need to become user-friendly.
http://www.argusinsights.com/smarthomeapps2016/
http://www.nytimes.com/2016/01/31/business/fake-online-locksmiths-may-be-out-to-pick-your-pocket-too.html Odds are good that when you search Google for someone to help you get into your home or car, results will include poorly trained subcontractors who will squeeze you for cash.
Ian Paul, PCWorld, 3 Feb 2016 If you don't do your research, buying a third-party Type C adapter is a little like playing Russian roulette with your gadgets. http://www.pcworld.com/article/3029368/hardware/dodgy-usb-type-c-cable-fries-vigilante-engineers-1000-laptop.html?google_editors_picks=true selected text: Benson Leung's good intentions have finally caught up with him. The Google engineer who launched a crusade against bad USB-C cables in late 2015 just uncovered another sub-standard USB-C cable—and this time it's cost him a $1,000 laptop. The Google engineer recently tested Surjtech's 3M USB 3.1 Type-C to standard Type-A USB 3.0 adapter cable, but those tests didn't get very far at all. Leung said that as soon as he connected the cable to his Chromebook Pixel, via a small USB power delivery (PD) analyzer, both the PD and his laptop ceased working properly. The problem with the Surjtech cable ... was that the device was completely miswired ... . The offending cable is currently unavailable on Amazon. Why this matters: Type-C adapters are particularly important cables right now since they're shipping with phones that use the newer tech as a charging port. http://www.howtogeek.com/240777/watch-out-how-to-buy-a-usb-type-c-cable-that-wont-damage-your-devices
Google to scrub web search results more widely to soothe EU objections http://www.reuters.com/article/us-google-eu-privacy-idUSKCN0VJ29U To address the concerns of European authorities, the Internet giant will soon start polishing search results across all its websites when someone conducts a search from the country where the removal request originated, a person close to the company said. That means that if a German resident asks Google to de-list a link popping up under searches for his or her name, the link will not be visible on any version of Google's website, including Google.com, when the search engine is accessed from Germany. Live in the EU and want to know what your government masters are trying to keep you from seeing on Google search? You'll have to use a proxy or VPN to access Google. I strongly recommend you do so for other than the most innocuous searches. Don't blame Google for this, blame your bureaucratic and political czars of censorship who want to control every aspect of what you see, hear, and think. You poor slaves.
Eric Lichtblau, *The New York Times*, 8 Feb 2016
http://www.nytimes.com/2016/02/09/us/hackers-access-employee-records-at-justice-and-homeland-security-depts.html?smprod=nytcore-iphone&smid=nytcore-iphone-share&_r0

WASHINGTON—In the latest cyberattack targeting the federal government, an intruder gained access to information for thousands of employees at the Justice Department and the Department of Homeland Security, but officials said Monday that there was no indication that sensitive information had been stolen. Most of the information appeared to have been culled from internal government directories, including employees' email addresses, phone numbers and job titles. Motherboard, a technology news site, reported on Sunday that it had been approached by a hacker who claimed to have obtained employee information on about 20,000 people at the F.B.I. and 9,000 at the Department of Homeland Security. [...]
[net-security.org] AnonSec hackers claim that they have breached a number of NASA's systems, and they have published a data trove containing video recordings made by the agency's aircraft and drones, the drones' flight logs, and the names, email addresses and telephone numbers of some 2,400 agency employees. They apparently attempted to interest *The Guardian* and WikiLeaks in analyzing the stolen info and publishing the results, but after having received no answer, they decided to do it themselves by torrenting the dump. The leak was accompanied by an extensive document describing the things they had to do to compromise NASA's systems (attacks and exploits) and the extent of the compromise. [...]
http://www.net-security.org/secworld.php?id397
Lorenzo Franceschi-Bicchierai, Motherboard, 9 Feb 2016

Last Friday, parents and kids who own the Internet-connected toys made by VTech finally received some much-awaited news: The company's app store and learning portal was back online after being shut down for more than two months following the embarrassing data breach that exposed the personal data of more than 6 million children.

"After further strengthening our data protection, the Learning Lodge service is now back online. We are committed to the privacy and protection of the information you entrust with VTech." [VTech's president King Pang wrote in an email to customers, which a parent shared with Motherboard.]

What Pang didn't say in the email, however, is that VTech seems to be trying to skirt any responsibility for a future hack, deflecting the blame to its own customers. In its Terms and Conditions for the Learning Lodge, VTech now includes the following ominous language in all-caps: "YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES."

It's unclear when this language was added, but the document says it was updated on December 24 of last year. (VTech did not respond to a request for comment on the Terms and Conditions but said key functions of the Learning Lodge came back online on January 23.)

But security and privacy experts are concerned that this could be an attempt to skirt lawsuits in case of a future data breach—and they believe consumers should be aware of the move to avoid liability, especially considering that VTech is now getting in the house monitoring business. Rik Ferguson, the vice president of security research at Trend Micro, said the clause is "outrageous, unforgivable, ignorant, opportunistic, and indefensible," and likened it to "weasel words".

Despite this surprising change—a British law professor told me he's never seen a clause like that before—legal experts doubt the provision has any real value.
http://motherboard.vice.com/read/hacked-toy-company-vtech-tos-now-says-its-not-liable-for-hacks

It's better to burn out than fade away.

[Robert Schaefer noted with respect to this item: It has been conjectured that maybe, perhaps, someday lawsuits would bring improvements in off-the-shelf software, but the law works both ways. EULAs (that thing you click on before being able to actually use the product) are intended to prevent lawsuits. PGN]
Larry Hardesty, MIT News, 3 Feb 2016 via ACM TechNews, 5 Feb 2016 Read the TechNews Online at: http://technews.acm.org Researchers at the Massachusetts Institute of Technology (MIT) and Texas Instruments have developed a virtually hack-proof radio-frequency identification (RFID) chip, which they presented this week at the International Solid-State Circuits Conference in San Francisco. MIT graduate student Chiraag Juvekar says the chip is designed to foil side-channel attacks, which analyze patterns of memory access or fluctuations in power consumption when a device is conducting a cryptographic operation, in order to extract its cryptographic key. The RFID chip's effectiveness in preventing such attacks is courtesy of two design advances: an on-chip power supply whose link to the chip circuitry would be virtually impossible to sever, and an array of "nonvolatile" memory cells that can store whatever data the chip is working on when it starts to lose power. The device utilizes ferroelectric crystals and a bank of 3.3-volt capacitors as an on-chip energy source, while 571 1.5-volt ferroelectric cells are embedded into its circuitry. When the chip's power source, an external scanner, is removed, the chip harnesses the 3.3-volt capacitors and completes as many operations as possible, then stores the data it is working on in the 1.5-volt cells. When power is reintroduced, the chip recharges the capacitors so that if another interruption occurs, it will have sufficient power to store data. It then resumes its previous computation and if that computation was an update of the secret key, it will finish the update before responding to a query from the scanner, thwarting power-glitch attacks. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e9d0x2dcd3x065505&
Woody Leonhard, InfoWorld, 5 Feb 2016 The mystery update has too many parallels with last year's Get Windows 10 patch debacle, so you may not want to install it. http://www.infoworld.com/article/3030211/microsoft-windows/experts-recommend-dont-install-microsoft-patch-kb-3123862.html selected text: On Wednesday Microsoft released another mystery patch, KB 3123862, which appears as an optional, unchecked patch in Windows Update and closely parallels last year's reviled Get Windows 10 patch, KB 3035583—a patch we're still fighting. If you install the optional update, you find that KB 3123862 gives you brand-spanking-new copies of the following: * Explorer.exe, the Windows File Explorer, and ExplorerFrame.dll, which contains supporting files—icons, menus, bitmaps—for Explorer.exe * Shell32.dll, the heart of the Windows interface * Authui.dll, which controls logins If that doesn't send a chill up your spine, you haven't been following along. The parallels to KB 3035583 are uncanny—and disquieting.
Here are some more things to consider for RISKS (that I have been reading since the mid-1980s) from the AFCEA (Armed Forces Communications and Electronics Agency) conference.

Cybersecurity expert at Springs AFCEA conference: Secure networks don't exist.
Businesses and government agencies that operate computer networks should assume hackers will get past their defenses and should focus instead on finding and removing them before they can do damage, a cybersecurity expert said Wednesday at a conference in Colorado Springs.
http://gazette.com/cybersecurity-expert-at-springs-conference-secure-networks-don't-exist/article/1569242

Air Force Academy's Innovation Center has big cyber plans.
A small center growing at the Air Force Academy's Fairchild Hall will play a big part in the study of the military's role in cyberspace. Academy Superintendent Lt. Gen. Michelle Johnson told a crowd Wednesday at the Rocky Mountain Cyberspace Symposium at The Broadmoor that the Air Force Cyber Innovation Center, being established this year on the campus, will eventually study technical, social and legal problems in the online world.
http://gazette.com/air-force-academys-innovation-center-has-big-cyber-plans/article/1569200#cxrecs_s

The Air Force plans to revolutionize how it handles computer warfare by beefing up its force of cyberspace experts while contracting out easier jobs, like running the service's network. Gen. John Hyten announced the groundbreaking shift at the Rocky Mountain Cyberspace Symposium on Tuesday at The Broadmoor, which drew more than 2,000 electronic security experts. Under Hyten's plan, each of the Air Force's wings will include a cyberspace squadron of computer experts by 2026.
http://gazette.com/article/1569128

Warren Pearce, Colorado Springs, 719-548-1748, wwpearce@comcast.net
The *San Francisco Chronicle* (paywalled) and other sources have been reporting on-going deep, inside packet-level, monitoring of network traffic at all University of California campuses. Currently, the best summary may be found at http://utotherescue.blogspot.com/2016/01/ucop-ordered-spyware-installed-on-uc.html. See also https://www.timeshighereducation.com/news/university-california-campus-monitoring-concerns-raised It appears that network monitoring was put into place after the 2015 UCLA incident that resulted in the notification of 4.5 million people about possible id theft. The network monitoring hardware is reported to be able to store 30 days of full packets, though this seems improbable. The risk here is that the University of California Office of the President (UCOP) installed this hardware and then instructed campus staff to keep the installation secret. At one point, UCOP incorrectly used attorney/client privilege as a reason for secrecy, though this was later retracted. Other risks are that it is unknown where the data is being stored, who has access to it and if and when it is being destroyed. The current president of UC is Janet Napolitano, who previously headed DHS. Christopher Brooks, University of California Berkeley, Academic Program Manager & Software Engineer cxh@eecs.berkeley.edu, 707.332.0670
http://www.nytimes.com/2016/02/02/technology/at-uc-berkeley-a-new-digital-privacy-protest.html Under a program initiated by Ms. Napolitano, the former secretary of Homeland Security in the Obama administration, the university system began installing hardware and software in its data centers that would monitor patterns of digital traffic, like what websites are being visited by faculty and students, or telltale signs of cyber intruders. The program, which was begun with little notice or consultation, soon rankled a group of professors at one campus, Berkeley, which has a deep-seated ethos of academic freedom as the cradle of the free speech movement in the 1960s. In recent days, the professors have begun speaking out publicly about the issue. "My primary concern is monitoring the private information of students and faculty in secret," said Eric Brewer, a professor of computer science at U.C. Berkeley. "I'm sure there's good intent. But I can't see a good reason for doing it."
https://plus.google.com/+LaurenWeinstein/posts/iprFnhPwaYF You may have heard about the "Let's Encrypt" project that is ostensibly pushing for widespread adoption of SSL on websites by offering free SSL certificates on demand. What you may not have heard is that despite widespread objections (their discussion/comments threads on this are long indeed) they have apparently refused to make any certs available with expiration periods longer than 90 days, for a variety of mostly highly questionable reasons. They argue that if you run their full system you won't care, because all your certs will automatically be renewed. But in practice, many environments cannot (for policy and/or technical reasons) deploy automatic certificate management systems, and manually updating certs—especially for multiple machines—is often entirely impractical on such a frequent basis. Worse, it's exactly the sites with limited time and person resources, especially on legacy systems, who could have most benefited from these certificates, but have the least ability to participate in their automated environment or roll their own automated systems. And when a cert expires, given the heavy-handed, often unnecessarily panic-inducing, hard to bypass warnings of some browsers these days, it effectively can cut users off from important resources. In some situations, that's downright dangerous. It is a real shame that Let's Encrypt is being—frankly—so half-assed about what could have been a great program.
http://yro.slashdot.org/story/16/02/03/0315233/shopping-mall-sms-parking-notifications-could-be-used-to-track-any-car Westfield's Scentre Group has removed SMS notifications for its ticketless parking system after it was discovered they could be used to track other people's cars unnoticed. The system allows you to enter any licence plate, which in turn will be scanned upon entry and exit at mall parking facilities -- and when the free parking time is up, a notification message is sent to the mobile phone number entered, with the exact location of the car.
Lucian Constantin, InfoWorld, 29 Jan 2016 JSPatch could allow malicious developers to bypass Apple's strict application review process and access restricted iOS functions http://www.infoworld.com/article/3027590/ios/increasingly-popular-update-technique-for-ios-apps-puts-users-at-risk.html selected text: For example, after adding the JSPatch engine to their application, which requires just 7 lines of code, developers can configure the app to always load JavaScript code from a remote server they control. This code is then interpreted by the JSPatch engine and converted into Objective-C. "JSPatch is a boon to iOS developers," security researchers from FireEye said in a blog post. "In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes." The problem is that hot patching is at odds with the iOS security model, which partially draws its strength from Apple's walled garden, its carefully controlled app store. There are some security-related restrictions that Apple imposes on third-party apps and which are solely enforced through the app store review process. JSPatch allows developers to bypass such policies.
The Voting News Weekly, 1-7 Feb 2016

Newly-appointed Election Assistance Commission Executive Director Brian Newby has decided—without public notice or review from his agency's commissioners—that residents of Alabama, Kansas and Georgia can no longer register to vote using a federal form without providing proof of U.S. citizenship. The action by the new executive director of the U.S. Election Assistance Commission is being roundly criticized by voting rights activists, who say the "secretive move" will create additional barriers for potential voters, and one of the agency's own commissioners, who says it contradicts policy and precedent.

U.S. House Speaker Paul Ryan told black lawmakers Wednesday that he supports new voting rights protections they've championed, but said he won't bypass a committee chairman to move legislation.

In the Iowa Democratic party's chaotic attempt to report caucus results on Monday night, the results in at least one precinct were unilaterally changed by the party as it attempted to deal with the culmination of a rushed and imperfect process overseeing the first-in-the-nation nominating contest.

Early voters in Maryland's primary will cast their ballots on paper that will be scanned by a machine—just as election day voters will—after elections officials nixed the use of their ES&S ExpressVote ballot-marking devices for early voting.

A federal court panel ruled that two of North Carolina's 13 congressional districts were racially gerrymandered and must be redrawn within two weeks, sparking uncertainty about whether the March primary elections can proceed as planned.

The U.S. Supreme Court denied a request from Republican members of Congress to put on hold a Virginia election map that gives Democrats a chance to pick up a seat in this year's election.

Renewed fighting between communities has sparked tensions as presidential elections in the Central African Republic draw closer, while Haiti's outgoing president prepared to leave office despite having no replacement after a botched election.
https://medium.com/@espringe/amazon-s-customer-service-backdoor-be375b3428c4#.1x6v4if1b
FYI—UEFI was supposed to make PC HW safer, but unauditable UEFI has turned into a security nightmare. In the PC world, there are turdlets all the way down... "with about 20 lines of code on Windows, you can cause the same havoc", so this problem isn't specific to Linux. [Yes, and it has appeared in RISKS before. PGN]

https://www.phoronix.com/scan.php?page=news_item&px=UEFI-rm-root-directory
In A UEFI World, "rm -rf /" Can Brick Your System
Written by Michael Larabel in Hardware on 1 February 2016 at 08:14 AM EST.

Running rm -rf / on any UEFI Linux distribution can potentially perma-brick your system. As a public service announcement, recursively removing all of your files from / is no longer recommended. On UEFI distributions by default where EFI variables are accessible via /sys, this can now mean trashing your UEFI implementation.

There is this systemd bug report requesting that UEFI variables be mounted as read-only by default. Lennart Poettering had initially responded and simply said, "Well, there are tools that actually want to write it. We also expose /dev/sda accessible for root, even though it can be used to hose your system. The ability to hose a system is certainly reason enough to make sure it's well protected and only writable to root. But beyond that: root can do anything really." He then closed the ticket.

There were many community comments since then, but systemd developers have stood their ground and will not be mounting the EFI variables as read-only as they do write to the variables in some cases.

Matthew Garrett who is also often involved in the UEFI Linux situation tweeted, "systemd is not responsible for allowing kernel code that I wrote to destroy your shitty firmware. I think you get to blame me instead."

It's not a systemd-specific issue at all but any distribution (or operating system for that matter) mounting EFI variables not as read-only. Should your system get bricked, you can always turn your computer into bottle openers... ;)

Matthew says with about 20 lines of code on Windows, you can cause the same havoc. He points out that mounting EFI variables as read-only could break some user-space applications and isn't the solution to the problem. He does have some ideas for addressing this issue, but didn't elaborate or issue any new patches yet. For now, be forewarned you probably don't want to rm -rf / your Linux system if using modern UEFI hardware.

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.
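The condition the article describes is an efivarfs mounted read-write under /sys, so that a recursive delete reaches the firmware's variable store. The following is an added audit check, not code from the Phoronix article, from systemd or from the RISKS contributor: it parses text in /proc/mounts format, reports whether efivarfs is absent, read-only or read-write, and lists which of a set of paths a recursive delete would reach on a writable efivarfs. The mount snapshots and variable paths are constructed for the example (the GUID is the standard EFI global-variable GUID); on a live Linux system the main block reads the real /proc/mounts instead.

```python
"""Added example: audit whether EFI variables are exposed read-write under
/sys, i.e. whether "rm -rf /" could reach the firmware. Runs on text in
/proc/mounts format, so it can be exercised on a machine without UEFI."""
import os

EFIVARS_FSTYPE = "efivarfs"
EFIVARS_MOUNTPOINT = "/sys/firmware/efi/efivars"   # standard efivarfs location


def parse_mounts(text):
    """Parse /proc/mounts-style lines into (mountpoint, fstype, options) tuples.
    Options come back as a set so 'rw' and 'ro' can be tested directly."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        _source, mountpoint, fstype, options = fields[:4]
        entries.append((mountpoint, fstype, set(options.split(","))))
    return entries


def efivars_status(mounts_text):
    """Return 'absent' (BIOS boot, or efivarfs not mounted), 'ro' or 'rw'."""
    for _mountpoint, fstype, options in parse_mounts(mounts_text):
        if fstype == EFIVARS_FSTYPE:
            return "rw" if "rw" in options else "ro"
    return "absent"


def reachable_by_recursive_delete(mounts_text, paths):
    """From a list of paths a recursive delete would visit, return the ones
    that live on a writable efivarfs, i.e. the unlinks that hit firmware.
    Empty when efivarfs is absent or mounted read-only."""
    if efivars_status(mounts_text) != "rw":
        return []
    mountpoint = next(m for m, f, _ in parse_mounts(mounts_text)
                      if f == EFIVARS_FSTYPE)
    prefix = mountpoint.rstrip("/") + "/"
    return [p for p in paths if p.startswith(prefix)]


# Constructed mount-table snapshots (not captured from a real machine).
SNAPSHOT_RW = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 / ext4 rw,relatime 0 0
"""
SNAPSHOT_RO = SNAPSHOT_RW.replace("efivars efivarfs rw,", "efivars efivarfs ro,")
SNAPSHOT_BIOS = "\n".join(line for line in SNAPSHOT_RW.splitlines()
                          if "efivarfs" not in line) + "\n"

# Constructed sample paths: two boot variables and one ordinary file.
SAMPLE_PATHS = [
    "/sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c",
    "/sys/firmware/efi/efivars/BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c",
    "/etc/hostname",
]

if __name__ == "__main__":
    # On a live Linux box, audit the real mount table; else use the sample.
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as f:
            text = f.read()
    else:
        text = SNAPSHOT_RW
    status = efivars_status(text)
    print("efivarfs:", status)
    if status == "rw":
        print("firmware variables are writable; to make them read-only: "
              "mount -o remount,ro " + EFIVARS_MOUNTPOINT)
```

A read-only remount is an audit aid rather than a fix: as the article notes, some user-space tools legitimately write EFI variables (boot-entry management, for one), so the right answer on a given box depends on which tools it runs.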
(Scientific data analysis is buggy because researchers aren't professional coders.) In 1994, I found that the pseudorandom number generator in CERNLIB had a short "period", that is, after fewer samples than required to complete a Monte Carlo calculation typical for the time, the PRNG would repeat its previous "random" numbers verbatim. This had to do with the generator having been written in the 1960s when particle physics apparati were smaller and less complex. Monte Carlo calculations are used to find the "acceptance" of a particle detector, loosely speaking, the sensitivity of the detector to a given event. The published event count is the observed event count divided by the acceptance, whose calculation depends on a quality random number source. I'm not able to find my USENET post just now, but I expect my address was crawford@scipp.ucsc.edu. The day after I blasted this news throughout every corner of the scientific community, a CERN staff member mailed me the source to a PRNG with a much longer period. To paraphrase his cover letter, he wrote "Here's what you need, but the guy who maintains that part of CERNLIB won't accept my patch because I'm British and he's French." It was later pointed out to me that important results would be verified by duplicating experiments. If the detector is different, then it is unlikely that the acceptance calculation would err by the same amount. Also there are some experiments that seed their PRNGs with a radiation source. I asked my advisor why all the software was written by grad students rather than hiring professional engineers: "Because students need jobs". Michael D. Crawford mike@soggywizards.com http://soggywizards.com/
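The post's point is that a generator with too short a period silently replays itself, and that a Monte Carlo acceptance computed past that point contains no new information. The following is an added example, not CERNLIB's generator and not the poster's code: it measures a generator's period with Brent's cycle-detection algorithm on the generator state, then shows that a toy acceptance estimate is bit-for-bit unchanged once the draws exceed the period. The linear congruential generators are toys constructed with a 16-bit state so the effect is visible in a second; the parameter conditions quoted are the Hull-Dobell full-period conditions.

```python
"""Added example: measure a PRNG's period by cycle detection on its state,
then show that a Monte Carlo "acceptance" estimate stops gaining information
once the number of draws exceeds that period. Toy 16-bit LCGs, constructed
for the example."""
from fractions import Fraction

M = 1 << 16   # state space: at most 65536 distinct states, so period <= 65536


def lcg_step(a, c, m=M):
    """Return the state-transition function x -> (a*x + c) mod m."""
    return lambda x: (a * x + c) % m


def period(step, seed):
    """Brent's cycle-detection algorithm on the generator's *state*.

    The next output is a pure function of the state, so the length of the
    state cycle reached from `seed` is exactly the period of the output
    sequence (any non-repeating lead-in before the cycle is not counted)."""
    power = lam = 1
    tortoise, hare = seed, step(seed)
    while tortoise != hare:
        if power == lam:          # open a new search window twice as long
            tortoise = hare
            power *= 2
            lam = 0
        hare = step(hare)
        lam += 1
    return lam


def acceptance(step, seed, n_pairs, m=M):
    """Toy 'acceptance' calculation: fraction of (u, v) pairs drawn from
    consecutive outputs, scaled to [0, 1), that land inside the unit quarter
    circle (near pi/4 for a well-behaved generator). Returned as an exact
    Fraction so two runs can be compared without floating-point noise."""
    x, hits = seed, 0
    for _ in range(n_pairs):
        x = step(x)
        u = x / m
        x = step(x)
        v = x / m
        if u * u + v * v < 1.0:
            hits += 1
    return Fraction(hits, n_pairs)


# Hull-Dobell conditions for m = 2**16 (c odd, a - 1 divisible by 4) give the
# full period of 65536.
GOOD = lcg_step(a=5, c=1)
# a = 3 breaks "a - 1 divisible by 4": the period halves to 32768 from any seed.
HALF = lcg_step(a=3, c=1)
# An even multiplier is not even a permutation: every seed collapses to the
# fixed point 65535, i.e. a period of 1.
DEAD = lcg_step(a=2, c=1)


def estimate_is_frozen(step, seed):
    """True iff doubling the draws past one full period leaves the
    acceptance estimate exactly unchanged: the extra draws are a replay."""
    p = period(step, seed)
    return acceptance(step, seed, p) == acceptance(step, seed, 2 * p)


if __name__ == "__main__":
    for name, gen in ("good", GOOD), ("half", HALF), ("dead", DEAD):
        print(f"{name}: period {period(gen, 1)}")
    print("estimate frozen after one period:", estimate_is_frozen(HALF, 1))
```

Cycle detection on the state is the honest measurement: checking the output stream for a repeated value can false-alarm on any generator whose output is narrower than its state. In a real detector simulation the same check is what tells you whether the number of events you intend to throw is anywhere near the generator's period.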
Storm in a teacup: http://www.theregister.co.uk/2016/01/28/israel_power_grid_attack_boring_ransomware/ ... He's a politician; you can't expect him to actually understand what he's talking about...
https://www.facebook.com/4/groups , unless one uses https://www.facebook.com/search/4/groups !
ISO 8601 (the correctly-formatted name) gives several date formats, each with the advantages stated if not mixed with each other. For example, today can be written as 2016-01-31, 2016-W04-7, 2016-031, 20160131, 2016W047, 2016031, and in longer forms for dates which may be before year 0000 or after year 9999. For applications in which proper sorting is needed but human readability is not desired, one can use (at constant width) bases other than 10.
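As an added example that is not part of the post, the six forms listed above can be produced and parsed with Python's standard library (the %G, %V and %u fields are the ISO week-date fields), and the sorting claim can be checked directly: each form, being fixed-width, zero-padded and year-first, sorts chronologically on its own, while a column that mixes forms does not. The sample dates are constructed for the example.

```python
"""Added example: render one date in each ISO 8601 form from the post,
parse each back, and check that sorting works per form but not when mixed."""
from datetime import date, datetime

# strftime/strptime patterns for the six forms (examples for 2016-01-31).
FORMS = {
    "calendar":       "%Y-%m-%d",   # 2016-01-31
    "week":           "%G-W%V-%u",  # 2016-W04-7
    "ordinal":        "%Y-%j",      # 2016-031
    "basic_calendar": "%Y%m%d",     # 20160131
    "basic_week":     "%GW%V%u",    # 2016W047
    "basic_ordinal":  "%Y%j",       # 2016031
}


def render(d, form):
    """Format date `d` in the named ISO 8601 form."""
    return d.strftime(FORMS[form])


def parse(text, form):
    """Parse `text`, written in the named form, back to a date."""
    return datetime.strptime(text, FORMS[form]).date()


def all_forms(d):
    """All six renderings of one date, keyed by form name."""
    return {name: render(d, name) for name in FORMS}


def round_trips(d):
    """True iff every form parses back to the same date."""
    return all(parse(text, form) == d for form, text in all_forms(d).items())


def sorts_chronologically(dates, form):
    """True iff lexicographic order of the strings equals date order."""
    rendered = [render(d, form) for d in dates]
    return sorted(rendered) == [render(d, form) for d in sorted(dates)]


def mixed_sorts_chronologically(dates, forms):
    """Render the i-th date in forms[i % len(forms)], then sort the strings.
    Mixing ordinal '2016-100' (9 April) with calendar '2016-05-01' puts May
    before April, because '0' < '1' at the first differing character."""
    tagged = [(render(d, forms[i % len(forms)]), d) for i, d in enumerate(dates)]
    return [d for _, d in sorted(tagged)] == sorted(dates)


# Constructed sample dates spanning a year boundary; 31 Dec 2015 and
# 1 Jan 2016 both fall in ISO week 2015-W53.
SAMPLE_DATES = [date(2016, 4, 9), date(2016, 5, 1), date(2015, 12, 31),
                date(2016, 1, 1), date(2016, 1, 31)]

if __name__ == "__main__":
    for name, text in all_forms(date(2016, 1, 31)).items():
        print(f"{name:15} {text}")
    print("each form sorts:", all(sorts_chronologically(SAMPLE_DATES, f)
                                  for f in FORMS))
    print("mixed forms sort:",
          mixed_sorts_chronologically(SAMPLE_DATES, ["ordinal", "calendar"]))
```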
I can't be sure because the details are sketchy (mostly, I think, because these people haven't been able to get anyone to talk to them), but it seems that the cellphones in question ARE NOT at their house, So the problem is that someone is being TOLD the phone is at their house, when in fact it is not. So jamming at their house won't help - the phone wasn't there anyway! They need to get whoever is providing location service to debug the problem. Given the lack of details, I can't be sure what they've done, but my approach would be to talk to the local PD and file a harassment complaint against the company in question. Being brought up on charges should bring someone's attention to the problem.
Our most precious possessions are probably freedom & good health for ourselves and loved ones, but when something takes away part of our electronic lives, the emotional impact can drive normal humans to risk our most precious possessions to try to recover what has been lost. 3+ million smart phones are stolen in a year, says consumer reports. http://www.consumerreports.org/cro/news/2014/04/smart-phone-thefts-rose-to-3-1-million-last-year/index.htm If the "find my stolen property" ap worked correctly, using it to trace the crooks could get yourself killed. Going after the alleged crooks is a form of vigilantism. http://www.nytimes.com/2014/05/04/us/when-hitting-find-my-iphone-takes-you-to-a-thiefs-doorstep.html?_r=0 Especially when the GPS location is not exact, and you attack an innocent person who has a phone like yours. https://iphone.appstorm.net/general/opinion-general/unbelievable-find-my-iphone-stories-the-good-the-bad-and-the-ugly/ Victims of falsely being accused of location with stolen devices, have in fact contacted local PD. This has not helped them resolve the situation. You are correct that the bad info is pointing at GPS of the home. Jamming would not solve that. The homes visited by the police, and vigilantes wanting their property back, would need to collect some id info from visitors, take that to a lawyer, to figure out who to sue, if any lawyer would take such a case. The lawyer may need to do a deposition on the brand name of phone, service provider, ap, whatever system it uses, so that a properly qualified technician can conduct a cyber security audit of whatever they are using to locate the wrong house, to find out where the technology is being used inappropriately. Then, that can be the grounds for a million dollar law suit. 
Perhaps a law firm would be willing to do this for a class action suit on behalf of many victims:
 * Victims of the mistaken identity (see several links below)
 * Victims who lost their phones & find my phone sent them to the wrong place
 * Insurance companies that paid off for stolen property, which could not be recovered.

But it is not yet obvious to victims, and people whom they consult, what needs to be done to solve this. The victims of the mistaken identities have been suffering harassment for years, without resolution. I suspect nothing will be resolved, until some of these mistaken identity victims defend themselves under the 2nd amendment, forcing authorities to take serious action, like having the FTC do million dollar fines on companies marketing bogus apps. Here's a confusing story where bullets were fired into a home, killing a baby inside, allegedly the wrong house of a stolen phone, but the trial seems to be entirely focused on who is in the drug traffic. http://fox6now.com/2015/11/30/he-shot-the-wrong-house-trial-begins-for-darmequaye-cohill-charged-in-shooting-death-of-bill-thao/

I speculate that either:
 * There is something wrong with the hardware or software on the app detecting the missing phone, which investigators would need to actually find to figure it out.
 * There is an app for crooks, which lets them steal mobile devices, then send out a bogus GPS location, to any other apps trying to find out where they are located.
 * When the *find my phone* software cannot find it, it does not give an error message, it instead provides wrong info. This can happen with badly written software.
 * GPS coordinates may be accurate, but whatever system was supposed to key in what geography that really is, in the mapping software, has got bad input.
[*either*? or some combination of the above? PGN]

There are multiple victims, all over the map. The same kind of problem is playing out in other jurisdictions.
Some victims get much more news media attention than others, and some journalists act like it is only happening at one home. http://www.cultofmac.com/408285/apple-thinks-this-house-is-the-bermuda-triangle-of-lost-iphones/

Australia, Melbourne
You can *find my phone*, but the police will do nothing about it. https://iphone.appstorm.net/general/opinion-general/unbelievable-find-my-iphone-stories-the-good-the-bad-and-the-ugly/

Britain, Nottingham
Perhaps we all need insurance to cover the risk that the police will smash into our property, when we are totally innocent, then not pay to repair the damage done. http://www.cnet.com/news/stolen-iphones-tracker-app-sends-police-to-wrong-house/ http://www.neowin.net/news/police-burst-into-wrong-house-to-recover-stolen-iphone http://www.telegraph.co.uk/technology/news/9108550/Police-break-into-wrong-house-after-iPhone-mistake.html This sort of thing happens more often with "swatting", where someone calls the police, falsely claiming to be at your home, talks about some horrible crime they are engaged in, so the police send SWAT or other forces to break in to your place with a no knock warrant, and may kill or maim you in the process. Good luck getting compensation. The police may have no idea who it was who made the swatting phone call. http://www.cato.org/raidmap While many land line systems can tell the 911 operator where the phone call came from, the wireless world has not seen fit to provide such traceability.

Canada, London, Ontario
Teenager uses *find my phone* app, follows the map to demand its return, gets shot dead. http://www.businessinsider.com/teenager-killed-after-using-an-app-to-find-his-lost-cell-phone-2015-6

USA, Atlanta, Georgia
This is the story that started the RISKS thread. They have to keep their door locked, because some people are very angry at the occupants, thinking their phone is in there, and they are ready to do violence to get it.
The mistaken identity victims have got into the habit of asking the brand name of the phone, phone service, and app involved. http://fusion.net/story/214995/find-my-phone-apps-lead-to-wrong-home/ Speculation about how it may be happening. For example, thanks to copyrighted maps, some map companies put bogus info in their maps—then if that bogus info shows up on another company's maps, that is proof of infringement. But many companies might buy and use the same map software, which includes the bogus info, and not know it is bogus. http://www.androidauthority.com/why-you-cant-trust-find-my-phone-apps-668949/ On one occasion, the police arrived because the phone was supposedly in the possession of a missing girl. http://www.wtoc.com/story/31083297/find-my-phone-app-pings-wrong-house

USA, Boston, MA
Some good advice here. https://www.reddit.com/r/boston/comments/3cw4by/so_someone_stole_my_phone_and_i_know_where_it_is/

USA, Edgewater, Florida
This home has been identified by a where-is-the-stolen-phone app, and by calls to 911 identifying a crime in progress there. http://abcnews.go.com/Business/cell-phone-flaw-homeowners-danger/story?id231998

USA, Las Vegas, Nevada
This guy gets both owners of missing phones coming to his door, and police responding to domestic disturbance calls, whose GPS allegedly is his home. He now has a sign in front of his home, about the problem, telling people they should call the police, not bother him. http://www.imore.com/lost-phones-tell-their-owners-theyre-home-las-vegas-man

USA, New Orleans, LA
Owners of the missing devices may have a case for a lawsuit against Sprint, where they PAID for a service which is not working as advertised. http://www.wdsu.com/GPS-Tracks-Missing-Phones-To-Wrong-House/10980226 http://abcnews.go.com/Business/cell-phone-flaw-homeowners-danger/story?id 231998

USA, Rochester, Minn.
The police raid was on the wrong house. The guy they were after was across the street, and 3 houses down.
I think some people may be expecting more precision from GPS etc. than it is really capable of. The police claim they found the home to raid, thanks to a tracking device on a stolen phone. http://www.fox9.com/news/14020031-story Local police dispute this story. http://www.postbulletin.com/news/crime/officials-call-wrong-house-raid-story-erroneous/article_cd125535-70be-55f8-8602-c99f5c1f39dc.html

USA, Seattle, WA
Theft victim thinks he has located the home where the stolen item is located, but police say the GPS ping is not probable cause to act. http://www.seattletimes.com/seattle-news/privacy-laws-applied-backward/ This can also be a nightmare for the people who just want their smart phone back. https://forums.att.com/t5/Wireless-Account-Questions/5-days-Cust-Serv-Nightmare-for-a-lost-stolen-phone/td-p/4104908
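Two of the failure modes the post above speculates about, a locator that hands back a confident point when it has no real fix, and callers who treat a coarse cell or Wi-Fi fix as if it named one building, can be shown side by side in code. The following Python is an added example written for this digest, not code from the contributor or from any phone vendor or locator service; the placeholder coordinate, the thresholds and the sample fixes are constructed assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Hypothetical placeholder coordinate that a sloppy locator might emit when it
# has no real fix (constructed for this example; not any vendor's value).
FALLBACK_FIX = (36.1699, -115.1398)

# Thresholds are assumptions for illustration, not values from any product.
MAX_POINT_ACCURACY_M = 50.0   # claim a specific building only below this radius
MAX_AGE_S = 600.0             # treat fixes older than 10 minutes as stale


@dataclass
class Fix:
    """A location report in the shape a locator service might return it."""
    lat: float
    lon: float
    accuracy_m: float   # radius the source claims the device is within
    source: str         # "gps", "wifi", "cell" or "none"
    age_s: float        # seconds since the measurement was taken


def naive_locate(fix: Optional[Fix]) -> dict:
    """The failure mode the post describes: every answer is a point, and a
    missing fix silently becomes the placeholder coordinate, so the caller
    sees a confident pin on whoever lives nearest that coordinate."""
    if fix is None:
        lat, lon = FALLBACK_FIX
    else:
        lat, lon = fix.lat, fix.lon
    return {"status": "point", "lat": lat, "lon": lon}


def hardened_locate(fix: Optional[Fix]) -> dict:
    """Assert a specific location only when the evidence supports it;
    otherwise report an area, or an honest 'unknown' with a reason."""
    if fix is None or fix.source == "none":
        return {"status": "unknown", "reason": "no fix available"}
    if (fix.lat, fix.lon) == FALLBACK_FIX:
        return {"status": "unknown", "reason": "placeholder coordinate"}
    if fix.age_s > MAX_AGE_S:
        return {"status": "unknown", "reason": "fix is stale"}
    if fix.accuracy_m > MAX_POINT_ACCURACY_M:
        return {"status": "area", "lat": fix.lat, "lon": fix.lon,
                "radius_m": fix.accuracy_m, "source": fix.source}
    return {"status": "point", "lat": fix.lat, "lon": fix.lon,
            "radius_m": fix.accuracy_m, "source": fix.source}


def distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres (haversine formula)."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def singles_out_address(fix: Fix, addr_lat: float, addr_lon: float) -> bool:
    """True only if the fix is precise enough to implicate one address AND
    that address lies inside the claimed radius. A 1.5 km cell-tower fix
    never singles out a house, even one sitting at the reported centre."""
    report = hardened_locate(fix)
    if report["status"] != "point":
        return False
    return distance_m(fix.lat, fix.lon, addr_lat, addr_lon) <= fix.accuracy_m


# Constructed sample reports and addresses (not real data).
GPS_FIX = Fix(36.1700, -115.1400, accuracy_m=8.0, source="gps", age_s=30.0)
CELL_FIX = Fix(36.1700, -115.1400, accuracy_m=1500.0, source="cell", age_s=30.0)
STALE_FIX = Fix(36.1700, -115.1400, accuracy_m=8.0, source="gps", age_s=7200.0)
NEAR_HOUSE = (36.17003, -115.14003)   # a few metres from the reported centre
FAR_HOUSE = (36.1705, -115.1400)      # roughly 56 m north of it

if __name__ == "__main__":
    print("naive, no fix:    ", naive_locate(None))
    print("hardened, no fix: ", hardened_locate(None))
    print("hardened, cell:   ", hardened_locate(CELL_FIX))
    print("hardened, gps:    ", hardened_locate(GPS_FIX))
    print("cell fix names near house?", singles_out_address(CELL_FIX, *NEAR_HOUSE))
    print("gps fix names far house? ", singles_out_address(GPS_FIX, *FAR_HOUSE))
```

The design point is that the locator's output must carry its own uncertainty (radius, source, age) and the consumer must refuse to turn an "area" or "unknown" into a pin on one doorstep; the naive version loses that information at the first step, and the coarse-fix case shows why even an accurate-but-wide ping is not evidence against any particular household.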
Great idea. We could start with GPS and find out who has got a hidden dependency. It might accelerate the adoption of E-LORAN as a backup. Then we can move on to a power blackout (if the 2003 blackout wasn't trial enough). But first, let's ask for an insurance quote to cover for the consequential damage from the trials ...
One of my colleagues has just announced that he belongs to a University "working group discussing the possibility of organising computer-based exams" and has solicited responses within just a few days. This seems to me like a textbook example of doing something because we can rather than because there's a real need for it, but I could be wrong about that so I have urged that there should be an experimental study of students' typing vs writing skill to see if it is now unfair to get students to write by hand. Does anyone know of any universities currently doing this and what problems they've encountered? [Do you think this resembles the Electronic Voting and Internet Voting integrity problems? PGN]