[There's very little coverage of this in the Indian press; I noticed this by accident.]

Nothing wrong in Internet ban to maintain law and order: Supreme Court
Utkarsh Anand, Indian Express, February 12, 2016
http://indianexpress.com/article/india/india-news-india/nothing-wrong-in-internet-ban-to-maintain-law-and-order-supreme-court/

The Supreme Court on Thursday held that Internet services can be stopped temporarily by a state government to maintain the law and order situation, and that such a ban did not violate fundamental rights. “What is wrong with such a ban? There can be such a ban for law and order,” observed a bench of Chief Justice T S Thakur and Justice R Bhanumathi, while upholding the Gujarat High Court's judgment declaring the ban right.
James Vincent, *The Verge*
UK politicians green-light plans to record every citizen's Internet history
But recommend that no encryption backdoors should be installed
<http://www.theverge.com/2016/2/11/10965098/uk-snoopers-charter-select-committee-criticism>

Surveillance legislation proposed by the UK last November has been examined in detail by the country's politicians, with a new report recommending 86 alterations, but broadly approving the powers requested by the government. The parliamentary committee scrutinizing the draft Investigatory Powers Bill said that companies like Apple and Facebook should not be required to decrypt messages sent on their services, but approved plans to record every UK citizen's browsing history for 12 months. The committee also gave a thumbs up to the bulk retention of data, and the targeted hacking of individuals' computers, known as "equipment interference."

The Investigatory Powers Bill will be the first legislation to fully codify digital surveillance in the UK, and has been dubbed the "snoopers' charter" by critics (a name used to refer to similar laws rejected a few years ago). The Bill has been attacked by ISPs, privacy advocates, the UN, and the world's largest tech companies, with critics agreeing that the Bill is being rushed into law and that its wording is confusing. Critics point to portions of the law like the statement that "data includes any information that is not data." The UK's home secretary and the Bill's principal architect, Theresa May, later explained that this was supposed to refer to things like paper. This latest report repeats these complaints, stressing the need for clarity in the Bill's language. However, it also gives its approval to a number of controversial items.

The report's authors say that the bulk interception and surveillance should be "fully justified" in a rewrite of the legislation, and note that although these powers might contravene the EU's right to privacy, "security and intelligence agencies would not seek these powers if they did not believe they would be effective." This is despite the fact that this sort of mass surveillance (already in place, of course, just not officially legislated) has often proven to be ineffective, as with last year's terrorist attacks in Paris.

Similarly, the committee found no faults with the government's plans to force ISPs to store users' web history for 12 months at a time. This information (known as Internet Connection Records or ICRs) would be available to police without a warrant, with the report noting: "We heard a good case from law enforcement and others about the desirability of having such a scheme. We are satisfied that the potential value of ICRs could outweigh the intrusiveness involved in collecting and using them." Evidence submitted to the committee pointed out that these records would reveal "sensitive information" about citizens' political, religious, and sexual preferences, as well as their health and daily activities, while ISPs noted that storing this data securely would be a "technical challenge." Experts also testified to the difficulty of sorting this data, as many apps like Facebook and Twitter keep a near-constant connection to the Internet, and Internet users can access sites they're not aware of. One expert noted that he created a blog with a "tiny one-pixel image in the corner" that showed up as Pornhub.com on visitors' Internet history.
Spencer Ackerman and Sam Thielman, *The Guardian*, 9 Feb 2016
http://www.theguardian.com/technology/2016/feb/09/internet-of-things-smart-home-devices-government-surveillance-james-clapper

James Clapper did not name a specific agency as being involved in surveillance via smart-home devices, but said in congressional testimony that it is a distinct possibility.

The US intelligence chief has acknowledged for the first time that agencies might use a new generation of smart household devices to increase their surveillance capabilities. As increasing numbers of devices connect to the Internet and to one another, the so-called Internet of Things promises consumers increased convenience -- the remotely operated thermostat from Google-owned Nest is a leading example. But as home computing migrates away from the laptop, the tablet and the smartphone, experts warn that the security features on the coming wave of automobiles, dishwashers and alarm systems lag far behind.

In an appearance at a Washington thinktank last month, the director of the National Security Agency, Adm Michael Rogers, said that it was time to consider making the home devices *more defensible*, but did not address the opportunities that increased numbers and even categories of connected devices provide to his surveillance agency. However, James Clapper, the US director of national intelligence, was more direct in testimony submitted to the Senate on Tuesday as part of an assessment of threats facing the United States. “In the future, intelligence services might use the [Internet of Things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.'' Clapper did not specifically name any intelligence agency as involved in household-device surveillance.

But security experts examining the Internet of Things take as a given that the US and other surveillance services will intercept the signals the newly networked devices emit, much as they do with those from cellphones. Amateurs are already interested in easily compromised hardware; computer programmer John Matherly's search engine Shodan indexes thousands of completely unsecured web-connected devices. Online threats again topped the intelligence chief's list of worldwide threats the US faces, with the mutating threat of low-intensity terrorism quickly following. ...
http://consumerist.com/2016/02/10/tesla-updates-self-parking-software-after-consumer-reports-raises-concerns/
Has anyone else noticed that Bing can return exaggeratedly high numbers of hits on a search item? Specifically, I was ego-surfing on my own name using the string "m. e. kabay" and nearly fell off my chair when Bing returned the number of hits = 1,850,000,000. Nearly TWO BILLION HITS???? I tried Bing for the word "god" and found only 223,000,000 hits. Therefore according to Bing, I have more hits than god. A Google search returns the far more modest number of hits = 19,100. Comments from the Bing crew?

[Maybe they were bitten by Bing Cross-Bee. PGN]

Professor of Computer Information Systems, School of Business & Management, College of Professional Schools, Norwich University, Northfield, VT, USA
An article in *The Economist* highlights an appalling lack of reproducibility in (not only) cancer research papers. The risks here are obvious, and should be added to the risks resulting from the non-publication of negative results. The new "Preclinical Reproducibility and Robustness Channel" mentioned in the article can only start to address this. The main points:

  For example, when staff at Amgen, a Californian drug company, attempted to reproduce the results of 53 high-profile cancer-research papers they found that only six lived up to their original claims.

  The problem, though, is not restricted to medicine. An analysis of 98 psychology papers, published in 2015 by 90 teams of researchers co-ordinated by Brian Nosek of the University of Virginia, managed to replicate satisfactorily the results of only 39% of the studies investigated.

http://www.economist.com/news/science-and-technology/21690020-reproducibility-should-be-sciences-heart-it-isnt-may-soon
Fiona Macdonald, Science Alert, 12 Feb 2016 (via Timour Shchoukine and Dave Farber)
Researcher illegally shares millions of science papers free online to spread knowledge—Welcome to the Pirate Bay of science.
http://www.sciencealert.com/this-woman-has-illegally-uploaded-millions-of-journal-articles-in-an-attempt-to-open-up-science

A researcher in Russia has made more than 48 million journal articles -- almost every single peer-reviewed paper ever published—freely available online. And she's now refusing to shut the site down despite a court injunction and a lawsuit from Elsevier, one of the world's biggest publishers.
<http://bigthink.com/neurobonkers/a-pirate-bay-for-science>

For those of you who aren't already using it, the site in question is Sci-Hub <http://sci-hub.io/>, and it's sort of like a Pirate Bay of the science world. It was established in 2011 by neuroscientist Alexandra Elbakyan, who was frustrated that she couldn't afford to access the articles needed for her research, and it's since gone viral, with hundreds of thousands of papers being downloaded daily. But at the end of last year, the site was ordered to be taken down by a New York district court—a ruling that Elbakyan has decided to fight, triggering a debate over who really owns science.
<http://www.nature.com/news/pirate-research-paper-sites-play-hide-and-seek-with-publishers-1.18876>

"Payment of $32 is just insane when you need to skim or read tens or hundreds of these papers to do research. I obtained these papers by pirating them," Elbakyan told Torrent Freak last year. "Everyone should have access to knowledge regardless of their income or affiliation. And that's absolutely legal."
<https://torrentfreak.com/science-pirate-attacks-elseviers-copyright-monopoly-in-court-150916/>

If it sounds like a modern day Robin Hood struggle, that's because it kinda is. But in this story, it's not just the poor who don't have access to scientific papers—journal subscriptions have become so expensive that leading universities such as Harvard and Cornell have admitted they can no longer afford them. Researchers have also taken a stand—with 15,000 scientists vowing to boycott publisher Elsevier in part for its excessive paywall fees.
<https://www.theguardian.com/science/2012/apr/24/harvard-university-journal-publishers-prices>
<http://www.nature.com/nature/journal/v426/n6964/full/426217a.html>
<http://thecostofknowledge.com/>

Don't get us wrong, journal publishers have also done a whole lot of good -- they've encouraged better research thanks to peer review, and before the Internet, they were crucial to the dissemination of knowledge.

[Long item truncated for RISKS. PGN]
Apple says a fix is on the way to prevent users bricking their iPhones and iPads by setting the date to the 1970s. http://www.zdnet.com/article/apple-owns-up-to-1-january-1970-iphone-bricking-bug/
[Neither source nor manufacturer specified]
4 Jan 2016

A major German motorcycle manufacturer today announced that they were suspending the use of Windows 10 in their large Adventure/Touring-class motorcycles. The rollout, which started in January, resulted in problems with the CANbus interface. A controller area network (CANbus) is a vehicle bus standard designed to allow microcontrollers and devices to communicate with each other in applications without a host computer. Riders were receiving false positive failure indications for various electrical and mechanical components. In addition, the main instrument cluster would sometimes display the adapted equivalent of the Windows 'Blue Screen of Death'; this could be cleared by restarting the vehicle. Affected owners were advised to bring their bikes back to a dealer, who will roll the software back to Windows 7.
Woody Leonhard, InfoWorld, 12 Feb 2016
There are reports of the patch causing similar lockup problems with Excel 2013 and Outlook 2013
http://www.infoworld.com/article/3032642/microsoft-windows/office-2013-patch-kb-3114717-freezes-32-bit-word-2013-on-win-7-81-10.html

February's Patch Tuesday continues its tempestuous ways. Now there's word that one of the optional Office 2013 patches, KB 3114717, makes many installations of Word 2013 unusable. In addition, there are reports -- apparently related—of lockups and slowdowns with Excel 2013 and Outlook 2013.

  When KB3114717 is installed, typing in a .docx document becomes nearly impossible and CPU load goes to 100% (.doc has no issues). This happens with Word 2013 only; Word 2016 is not affected. Tested on Windows 8.1 Enterprise, Windows 10 Enterprise 10240 and Windows 10 Enterprise 1511.

Poster amcmill (who isn't listed as a Microsoft employee) gave a definitive response last night in one of the Microsoft Answer forum threads on the subject: [snipped post]

Of course, amcmill didn't mention that uninstalling the patch in Windows 10 is an ongoing pain. Every time you reboot Windows 10, the patch will reinstall, and you'll have to remove it all over again—unless you dig into the wushowhide utility, KB 307930, which I discussed in a similar context last month. Just be glad you don't have Windows 10 and its forced updates .... if you're lucky.

[Or is that "farce updates"?]
A recent release of Adobe Creative Cloud had a bug: when you sign in, it deletes the first folder on the hard drive (in collating order). That's usually a hidden file, like maybe a system folder—or the .bzvol directory that Backblaze uses to store backups.
http://www.bbc.com/news/technology-35577498

Exactly *why* Creative Cloud was deleting a folder is not explained in the article. Some of the bugs that pop up in software make me think of early books about Dianetics and Scientology by L. Ron Hubbard: the "reactive mind" or "bank" that does things automatically that are often not what you wanted to happen. Maybe we should turn Scientology auditors loose on our software programs...
The boxy, glass-enclosed booths that were once ubiquitous on city sidewalks are all but a memory now -- except for the four that are being replaced by refurbished models.
http://www.nytimes.com/2016/02/11/nyregion/and-then-there-were-four-phone-booths-saved-on-upper-west-side-sidewalks.html
A Russian group of hackers reportedly cracked into the Kazan-based Energobank and manipulated the ruble-dollar exchange rate. In Feb 2015, a hacking group known by the name Metel successfully breached the Russian regional bank for just 14 minutes and caused the exchange rate to fluctuate between 55 and 66 rubles per dollar, which ultimately resulted in an increase in the ruble's value. According to the Russian security firm Group-IB, which investigated the incident, the Metel group infected Energobank with a virus known as the Corkow Trojan and placed more than $500 million in orders at non-market rates. “This is the first documented attack using this virus, and it has the potential to do much more damage,” Dmitry Volkov, the head of Group-IB’s cyber intelligence department, told Bloomberg.

The hackers took advantage of spear phishing, in which mail appears to come from a legitimate source. A single click on the link in the malicious mail gave them access to the system, followed by full exploitation. After gaining access to a local system, the trojan was able to spread the attack deeper into the bank's intranet. This way, the Corkow malware found the isolated system that handles money transactions exclusively with the outside world. Corkow, initially discovered in 2011, regularly updates itself to evade detection by antivirus programs, and has infiltrated more than 250,000 computers worldwide and infected at least 100 financial institutions.

Energobank claimed losses of 244 million rubles ($3.2 million) due to the trades. But the Moscow Exchange denied the allegations of any hacking attempt, stating that the changes in the market were the result of traders' mistakes; it also found no hint of currency manipulation. The attack was earlier ported to target ATMs in Russia, affecting the Russian bank card system and resulting in hundreds of millions of rubles being stolen via ATMs in August.

Another attack with the same malware allowed hackers to use credit cards without limit. Metel is only known to be active in Russia (it has affected 73% of Russian banks), although it may present a threat to financial institutions across the globe. The authorities have not yet arrested any of the criminals behind this global banking threat.
http://thehackernews.com/2016/02/russian-exchange-hacked.html
In 2013, an Asiana Airlines Boeing 777 grounded short of the runway at San Francisco International Airport while landing, hitting the seawall and cartwheeling along the runway. Astonishingly, only three people were killed, two of them from trauma injuries sustained while apparently not wearing their seat belts (which is required of all passengers on landing). The aircraft was destroyed. The weather was clear, and there was almost no wind. The pilot flying was conducting a manual approach, since the glideslope on Runway 27L was out of operation. Speed decayed well below what it should have on short final approach, and it was noticed very late, leaving the crew unable to arrest the speed drop and sink rate on very short final. Monitoring speed on approach to landing is basic to any piloting of aircraft; it is central to pilot training from the first hour on. Many pilots, both professional and amateur, asked themselves how this could have happened. The US NTSB has answered, in July 2014.

Gabe Goldberg resurrects a newspaper article from nearly two years ago, which suggested that Asiana Airlines wanted to locate the primary cause of the crash of its Boeing 777 aircraft at San Francisco (SFO) in clear weather on a windless day in "poor software design" and the operation of the Boeing 777 autothrottle system. These presumably refer to submissions to the NTSB which the journal had seen. The NTSB's public meeting, at which the conclusions of their investigation are presented (but not the detailed reasoning) and comments are invited, took place on 24 June, 2014, nearly three months after the article that Goldberg cited.

Risks readers may prefer primary sources. The NTSB's final report is:
http://www.ntsb.gov/investigations/AccidentReports/Reports/AAR1401.pdf
since July 2014, a month after the Public Meeting. It includes the submission of the Aviation Accident and Railway Investigation Board of South Korea.

The NTSB concludes that the primary cause was as follows:

  The National Transportation Safety Board determines that the probable cause of this accident was the flight crew's mismanagement of the airplane's descent during the visual approach, the pilot flying's unintended deactivation of automatic airspeed control, the flight crew's inadequate monitoring of airspeed, and the flight crew's delayed execution of a go-around after they became aware that the airplane was below acceptable glidepath and airspeed tolerances. Contributing to the accident were (1) the complexities of the autothrottle and autopilot flight director systems that were inadequately described in Boeing's documentation and Asiana's pilot training, which increased the likelihood of mode error; (2) the flight crew's nonstandard communication and coordination regarding the use of the autothrottle and autopilot flight director systems; (3) the pilot flying's inadequate training on the planning and executing of visual approaches; (4) the pilot monitoring/instructor pilot's inadequate supervision of the pilot flying; and (5) flight crew fatigue, which likely degraded their performance.

There is only one issue relating to systems design, namely complexity of AT/AP/FD, cited with regard to the Operating Manual and the airline's training. Everything else refers to human performance, namely behavior, training and supervision.

Unusually, all four Board members who signed the report filed personal statements. There was obviously some disagreement on what kind of causal role the AT control played, and whether to recommend to the FAA that a design review be conducted. Apparently there are some anecdotes that some AT behaviour on these aircraft is "unexpected". But the Boeing 777 had been in service for two decades up to this accident, with the only previous accident a result purely of a fuel systems failure (and featuring an almost-miraculous rescue by the cockpit crew; Captain Peter Burkill became one of James Reason's "heroes" in talks Jim gave on outstanding human performance).

The statement by the Aviation and Railway Accident Investigation Board (ARAIB) of South Korea says, in stark contrast,

  ARAIB believes that this accident is one of a series of recent accidents caused by a failure of the pilots to recognize unexpected operations of the autothrottle system. ARAIB is deeply concerned that the Report fails to engage in in-depth investigation and to address the issue of a deficiency in the low-speed alert and speed protection of the B777 automation system, particularly as it was a key agenda in the investigative hearing. The NTSB and ARAIB's joint investigative efforts have been focused on this very issue, so it comes as a surprise that the issue was only dealt with superficially in the Report and not as a probable cause of the accident. ARAIB recognizes that a deficiency in the automation system related to speed protection has been a major cause of several recent aviation accidents. In this respect, international standards need to be developed and implemented to improve aviation safety.

It is hard to see what the ARAIB is talking about. Astonishingly, they apparently don't consider the failure of the crew to monitor airspeed on final approach, and to keep it within reasonable bounds, to be causal. I invite Risks readers to ask any pilot they know what he/she thinks about that piece of reasoning.

It is obscure to which "recent accidents" the ARAIB is referring. As far as I can see, there haven't been any. The automation in question is similar on both Boeing 777 and Boeing 787 aircraft, as discussed by the NTSB. The only other major aviation incidents to these aircraft are:

* the fuel systems anomaly mentioned above on the Boeing 777 at PHR, and
* three incidents involving conflagrations of lithium-based batteries on Boeing 787 aircraft.

Such systems as AT are quite different amongst different aircraft, and, as Board Member Weener remarks in his personal note, pilots have to learn the operation of the system installed on the particular aircraft they are operating. Weener points out that there is just "one data point" about any possible issue with this AFCS, namely this accident. He disagreed with recommending that the FAA conduct a special review in advance of determining from other less formal incident data whether there was any issue which generalised.

Peter Bernard Ladkin, University of Bielefeld, Causalis Limited, Causalis IngenieurGmbH
www.rvs.uni-bielefeld.de www.causalis.com
"Who owns the data streaming out of your home? Apparently not you. So do you have a legal right to interfere with that data exiting?" It has occurred to me that we could make an improvement in IoT generally just by assigning ownership of data streams. A single datum is more or less worthless, of course. But a stream has value and that value should reside with the originator of the stream. Compare the situation with all those software licenses that we all click through. They exist exactly because without them, the end-user has lots of rights over the software installed on his or her computer. Likewise, assigning ownership to any data stream would help make it clear what legal agreements were needed and what strength they had. On the other side, I can already hear a response that the present situation suits the commercial organisations just fine: they get all the data for free. But assigning ownership would help the commercial position just as much because anything that has value can be bought, worked on and sold, and turn a profit. Currently the commercial organisations are selling the information which is derived from raw streams: I would suggest that the principle that the value of a stream resides with the originator _of_that_stream_ would still apply. If your organisation takes a stream of data and filters it or combines it with another stream, that output becomes a new stream and the value of that stream resides with your organisation. Notice that a stream has value which certainly depends on the kind of data which is sent in each packet but also on the frequency, timeliness, jitter and other QoS of the stream. As a principle, would it work?
I wrote a large online exam system for a university and this was eventually re-written into an Internet voting application! Some e-exam requirements for server hardness, individual logins, privacy and equity of access were close to requirements for online balloting. That was 1999. Internet voting for any kind of serious ballot is nuts. However, integrity controls for supervised (so not vote-from-home) electronic balloting are pretty promising and I would direct you to Pret a Voter and friends. I had technical issues running both exams and elections online. They were always resolved satisfactorily one way or another, at the time even with low or non-existent transparency. These days I would think students who did not get the marks they expected would ask for proof their exam answers were marked unchanged. If I were writing the exam system again I would look to provable security and a range of other techniques to remove "blind" trust on software, networks and machines. I hope this helps!
A view from the US: My impression is that it’s done only by outfits which can afford the expense of rooms of dedicated computers wired so they do not talk to the outside, with dedicated staff to set up the exams. I know of it only at a medical school (e.g., ours). At (somewhat typical) Drexel, we'd need rooms with several hundred terminals; so we use paper and teaching assistants. Letting students use their own laptops has a series of problems (cheating, sick computers, etc.). Do let me know what you find. And have you yet chosen a flag?
Although, of course, there are plenty of risks associated with "doing university exams on computers", there are also plenty of benefits.

When I was in university, you had to present your student card for checking during the exam. But there was no crosscheck that you submitted your work under your own name. It was possible to have the better student submit his work as the lesser student and vice versa. Then the better student could redo "his" exam later having done a practise run submitting his work for the lesser student. With computer exams: Assign the workstations beforehand, check IDs at the entrance, and direct students to their previously assigned workstation. Keep "possible cheating associates" well apart!

With computers you can randomize the questions: randomize the order, randomize multiple choice answers, randomize the numbers in calculations. That reduces the risk of cheating. ("What does the guy to my left have on question 22? And the girl to my right?")

Some questions require an intermediate answer half way along. To give those that didn't get that first part right a chance to do the latter part correctly, you have to provide them with the intermediate answer in the second half of the question. With a computer exam you can mark a question as: Q15: We'll give you the answer in Q16, so you cannot review/correct this answer after clicking through to Q16. You can enforce rules like: "you are not allowed to go back and correct answers. Your first answer stands".

There are of course many other advantages of using computers to take exams (immediate grading, dynamic (moving) questions, etc., etc.). Proper risk-management will weigh the advantages against the new risks and make an informed decision.

R.E.Wolff@BitWizard.nl http://www.BitWizard.nl/ +31-15-2600998
Delftechpark 26, 2628 XH Delft, The Netherlands. KVK: 27239233
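As an added illustration of the per-student randomization the post above describes (example code added here, not from the original contributor or any exam system), the question order, answer order and calculation parameters are all derived from an HMAC of the student id and exam id. The server can then regenerate each student's marking key on demand instead of storing every shuffled paper, and a student reconnecting mid-exam sees the same paper. The exam content and the secret key are constructed placeholders.

```python
import hashlib
import hmac
import random

# Server-side secret used to derive per-student seeds. Constructed placeholder;
# in a real deployment it would come from a secret store, never from the exam data.
SEED_KEY = b"exam-seed-key-placeholder"

# Constructed sample exam. For multiple-choice ("mc") questions the correct
# answer is always index 0 of the canonical choice list; "calc" questions draw
# a parameter from a range and compute the expected answer with a formula.
EXAM = {
    "id": "midterm-2016",
    "questions": [
        {"id": "q1", "kind": "mc", "text": "TLS protects data at which layer?",
         "choices": ["Transport", "Link", "Physical"]},
        {"id": "q2", "kind": "mc", "text": "Which of these is a hash function?",
         "choices": ["SHA-256", "RSA", "AES"]},
        {"id": "q3", "kind": "calc", "text": "How many bytes are in {n} KiB?",
         "param_range": (2, 64), "formula": lambda n: n * 1024},
    ],
}


def student_seed(student_id: str, exam_id: str) -> int:
    """Deterministic but unpredictable seed: HMAC-SHA256 over exam and student ids.
    Without SEED_KEY a student cannot predict a neighbour's ordering."""
    mac = hmac.new(SEED_KEY, f"{exam_id}|{student_id}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:8], "big")


def build_paper(student_id: str, exam=EXAM):
    """Return (paper, key): paper is what the student sees, key maps each
    displayed question number to ("mc", correct_index) or ("calc", value)."""
    rng = random.Random(student_seed(student_id, exam["id"]))
    order = list(range(len(exam["questions"])))
    rng.shuffle(order)                      # randomize question order
    paper, key = [], {}
    for pos, qi in enumerate(order, start=1):
        q = exam["questions"][qi]
        if q["kind"] == "mc":
            perm = list(range(len(q["choices"])))
            rng.shuffle(perm)               # randomize answer order
            shown = [q["choices"][j] for j in perm]
            paper.append({"n": pos, "text": q["text"], "choices": shown})
            key[pos] = ("mc", perm.index(0))  # where the correct choice ended up
        else:
            lo, hi = q["param_range"]
            n = rng.randint(lo, hi)         # randomize the numbers in the calculation
            paper.append({"n": pos, "text": q["text"].format(n=n)})
            key[pos] = ("calc", q["formula"](n))
    return paper, key


def grade(student_id: str, answers: dict, exam=EXAM) -> int:
    """Re-derive the student's key from their id and score the submitted answers.
    answers maps displayed question number -> chosen index (mc) or number (calc)."""
    _, key = build_paper(student_id, exam)
    return sum(1 for pos, (_, expected) in key.items()
               if answers.get(pos) is not None and answers.get(pos) == expected)


if __name__ == "__main__":
    paper, key = build_paper("s1001")
    for q in paper:
        print(q["n"], q["text"], q.get("choices", ""))
    print("key:", key)
```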