https://www.whitehouse.gov/blog/2016/04/13/announcing-presidents-commission-enhancing-national-cybersecurity
Michael Daniel, Ed Felten, and Tony Scott, 13 Apr 2016

In February, the President announced a Cybersecurity National Action Plan (CNAP) to take a series of short-term and long-term actions to improve our nation's cybersecurity posture. A central feature of that plan is the non-partisan Commission on Enhancing National Cybersecurity, comprised of leading thinkers from business, technology, and academia and charged with making recommendations to the nation for actions that can be taken over the next decade to strengthen cybersecurity in both the public and private sector. Today, we are pleased to announce that the President and the bipartisan Congressional leadership have selected the 12 individuals to serve on the Commission. They are:

* Tom Donilon, former Assistant to the President and National Security Advisor (Chair)
* Sam Palmisano, former CEO of IBM (Vice Chair)
* General Keith Alexander, CEO of IronNet Cybersecurity, former Director of the National Security Agency and former Commander of U.S. Cyber Command
* Annie Anton, Professor and Chair of the School of Interactive Computing at Georgia Tech
* Ajay Banga, President and CEO of MasterCard
* Steven Chabinsky, General Counsel and Chief Risk Officer of CrowdStrike
* Patrick Gallagher, Chancellor of the University of Pittsburgh and former Director of the National Institute of Standards and Technology
* Peter Lee, Corporate Vice President, Microsoft Research
* Herbert Lin, Senior Research Scholar for Cyber Policy and Security at the Stanford Center for International Security and Cooperation and Research Fellow at the Hoover Institution
* Heather Murren, former member of the Financial Crisis Inquiry Commission and co-founder of the Nevada Cancer Institute
* Joe Sullivan, Chief Security Officer of Uber and former Chief Security Officer of Facebook
* Maggie Wilderotter, Executive Chairman of Frontier Communications

These 12 individuals will be charged with recommending bold, actionable steps that the government, private sector, and the nation as a whole can take to bolster cybersecurity in today's digital world, and reporting back by the beginning of December. They will hold their first public meeting tomorrow at the U.S. Department of Commerce, where they will be joined by Secretary of Commerce Penny Pritzker, Assistant to the President for Homeland Security and Counterterrorism Lisa Monaco, and others to discuss the critical work that lies ahead for the Commission.

From the beginning of his Administration, the President has made it clear that cybersecurity is one of the most important challenges we face as a Nation. For more than seven years, we have acted comprehensively to make progress towards three goals:

* Raise the level of cybersecurity in both the public and private sectors.
* Deter, disrupt, and interfere with malicious cyber activity aimed at the U.S. or its allies.
* Respond effectively to and recover from cyber incidents.

Recent accomplishments in pursuit of these goals include the Cyber Threat Intelligence Integration Center (CTIIC) attaining initial operating capability; reaching an unprecedented set of commitments with China's President on cybersecurity; deploying strong authentication for 81 percent of accounts on federal systems; and implementing the Cybersecurity Act of 2015 to enhance cybersecurity information sharing and improve cyber-defense throughout the nation. [...]
The Burr-Feinstein discussion draft now released: Compliance with Court Orders Act of 2016
http://www.feinstein.senate.gov/public/index.cfm?a=files.serve&File_id=5B990532-CC7F-427F-9942-559E73EB8BFB

Here's my short-version summary. It would compel "covered entities" (very broad: device manufacturer, software manufacturer, electronic communication service, provider of a remote computing service, or any person who provides a product or method to facilitate a communication or processing or storage of data) to comply with court orders [*] to provide data or otherwise assist in efforts to prosecute crimes (resulting in death; foreign intelligence, espionage, and terrorism; Federal crime against a minor; serious violent felony; serious Federal drug crime; state crimes equivalent to the previous ones). However, the draft bill does not prescribe penalties for noncompliance, and seems to leave that up to the courts. That could be quite a slippery slope—and could easily tend to act as a not-so-veiled threat.

[*] The draft says "an order or warrant", so presumably a subpoena would be sufficient? When I testified for the Senate Judiciary Committee on 9 Jul 1997, Senator Leahy began the first morning session by getting Bob Kerry to admit that he did not know that his own Kerry-McCain bill required only a subpoena, and not a warrant. I think what constitutes a "court order" is a potentially sticky wicket here. Incidentally, my testimony in the second session that day is at http://www.csl.sri.com/neumann/judiciary.html, along with my answers to subsequent written questions from Senators Thurmond, Grassley, Leahy, and Feinstein. At the end of the first session, Senator Feinstein excused herself to go to another hearing, but remarked that if FBI Director Freeh said he needed access to essentially everything, we'd better give it to him.
http://thehill.com/policy/cybersecurity/overnights/276219-overnight-cybersecurity-long-awaited-encryption-bill-lands

The measure, from Chairman Richard Burr (R-N.C.) and ranking member Dianne Feinstein (D-Calif.), would force companies to provide "technical assistance" to government investigators seeking locked data. Little has changed in the bill since an initial discussion draft was first made public by The Hill last week. The measure still states that a company must provide "information or data" to the government "in an intelligible format" when served with a court order.

The obvious outcome of this of course would be the rapid deployment of even more third-party apps to layer strong crypto without government backdoors onto the systems that the government mandates must be made hacker, criminal, and terrorist attack friendly via government backdoors. Next, the government plans to make it illegal to speak in unfamiliar languages, and will mandate the installation of cameras in every room of every home and business that can be enabled under court order. Just wait until you see what they'll demand in the future for data collection and remote control from and over autonomous vehicles!

[It is also likely to open up a huge market for non-U.S. meaningfully secure operating systems and well-embedded strong cryptography, and noncompliant apps. Unfortunately, the U.S. government itself may have to resort to non-U.S. products if they cannot get them domestically—which represents a huge set of risks, PGN]
The WashPo says:

The FBI cracked a San Bernardino terrorist's phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter. ... The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone's four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said. ...

Even without a new flaw, that suggests something like the plan many people suggested to make an image of the device's memory and restore it after each group of PIN guesses.

https://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html?hpid=hp_hp-cards_no-name%3Ahomepage%2Fcard
Pages 60-65 of the April 4-10 BBW are on the history of hacking on-line elections in the Americas. It has reportedly happened in Colombia, Costa Rica, El Salvador, Guatemala, Honduras, Mexico, Nicaragua, Panama, and Venezuela. A person accused of participating in this election rigging is now allegedly working in the Donald Trump campaign. [...]

http://www.bloomberg.com/content-service/blog/2016-04-08/hack-election-comohackear-una-eleccion/
Today I spent a while on the phone puzzling out an error in my SunTrust account, eventually determined to be me having transferred money from my line of credit (check protection) instead of my checking account. Mea culpa. To try to prevent making the same error again, I asked that they remove the line of credit from my Internet access. They said they could not. I asked if I could decrease the credit limit on the account, and they said "sure". All I needed to do was send them authorization from my email account. My personal email account. I asked if I could instead use the "Secure Message" system within my on-line account, and was told that I couldn't submit the change from there; the message had to come from my personal account. I spent a long time on the phone trying to get to someone who would understand that my personal email address didn't count as "secure" or "authenticated", to no avail.
CI, Thanks for the Japanese to English translation. You were unsure about the Cache. I think the explanation that you quoted is BS.

Approx 35 years ago I first started working with cache. The concept was that accessing data from disk drives took thousandths of seconds, while accessing from memory took millionths of seconds. Systems may be faster today, but the same ratio may apply. So we in IT had the option of setting aside a portion of memory for cache, which was memory of the most recent disk accesses, on the theory that that data might be needed again very soon, so by having the latest updated copy in the cache, it could be accessed faster. Also, copying the updated data to disk could happen as microseconds permit, without holding up the parade of other activities. In case of some disruption, making sure info in cache was written back to disk was a priority.

Failures in this system could occur if:

* The overall system did not have enough "gas" to handle normal loads, and typical busy time periods. By "gas" I mean speed, disk capacity, memory, processors, file balancing, all the "stuff" needed for a well tuned computer system.
* Badly written software messed with the amount of memory assigned to cache.
* To get good cache results, programs need to nibble on data in reasonable size chunks, and the routines need to be of reasonable size. We might not get this, with poorly written programs.
* The cache memory worked thanks to a battery, recharged like a miniature UPS, whose battery does not live forever. As it wears out, there is a system error message to warn IT that we need to schedule hardware maintenance to replace the cache battery. If no one is paying attention to the hardware warning messages, then the cache benefit could come to a sudden surprising halt.
* Performance tools show how efficiently cache is functioning, to indicate whether the organization can benefit from buying more memory. They also show where there are potential bottlenecks, such as activity waiting on a communication line which is overloaded (needs to be faster, more bandwidth), or a bottleneck waiting on data through some processor (maybe we need more processors, such as a math chip). If the tools tell IT that certain upgrades are needed to improve performance, but management won't approve the expenditure, then the result can be inconvenience for some of the users. Performance tools also identify bottlenecks thanks to the specific programs which are badly written, with some info on where in the programs they have problems.
* Software updates should go through some kind of testing. They had a backup machine. Did they use that for testing, since the main one was very busy?

http://itpro.nikkeibp.co.jp/atcl/news/16/040601011/

According to the article above, a critical region handling routine was installed in the week before and this caused a deadlock of the application cache (not sure exactly what/where the cache is) and handling of disk access.
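As an added illustration of the write-back cache described above (example code, not from the digest contributor or from the Nikkei article): a small LRU cache in front of a dict standing in for the disk, where an update lives only in memory, marked dirty, until it is evicted or flushed. The scenario function is a constructed one; it shows what the disk holds if the cache vanishes before the write-back the contributor says must be a priority on any disruption.

```python
from collections import OrderedDict


class WriteBackCache:
    """LRU write-back cache: writes stay in memory (dirty) until evicted or flushed."""
    def __init__(self, disk, capacity):
        self.disk = disk               # dict standing in for the disk
        self.capacity = capacity
        self.entries = OrderedDict()   # key -> [value, dirty], in LRU order
        self.disk_writes = 0           # physical writes issued so far

    def _write_back(self, key, entry):
        if entry[1]:                   # only dirty entries cost a disk write
            self.disk[key] = entry[0]
            self.disk_writes += 1
            entry[1] = False

    def _make_room(self):
        if len(self.entries) >= self.capacity:
            self._write_back(*self.entries.popitem(last=False))  # evict LRU

    def read(self, key):
        if key not in self.entries:
            self._make_room()
            self.entries[key] = [self.disk[key], False]
        self.entries.move_to_end(key)
        return self.entries[key][0]

    def write(self, key, value):
        if key not in self.entries:
            self._make_room()
        self.entries[key] = [value, True]
        self.entries.move_to_end(key)

    def flush(self):
        """Write every dirty entry back: the step that must win on a disruption."""
        for key, entry in self.entries.items():
            self._write_back(key, entry)


def power_loss_scenario(flush_first, reads=("a",)):
    """Return (on-disk value of 'b', disk writes) once the cache is lost."""
    disk = {"a": 1, "b": 2, "c": 3}            # constructed sample disk
    cache = WriteBackCache(disk, capacity=2)
    cache.write("b", 20)                       # update sits only in cache
    for key in reads:                          # other traffic may evict 'b'
        cache.read(key)
    if flush_first:
        cache.flush()                          # what a healthy battery buys
    return disk["b"], cache.disk_writes        # cache contents now vanish
```

Without the flush the disk still holds the stale value 2 and no write was ever issued; with it, or when unrelated reads evict the dirty entry first, the disk holds 20.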
The media love stories about politicians and their finances. However, there is a big difference between tax avoidance and tax evasion. I doubt there is any reader of this who does not take steps to avoid paying taxes they don't need to. Of course, there might be some who attempt to evade paying taxes too, but I suspect the balance to be in favour of the former. The journalists writing in high-handed tones, and the political opponents trying to make capital [pun intended] out of the stories are very likely to be avoiders too ... and possibly evaders.

British Prime Minister David Cameron has come under fire from the opposition leader Jeremy Corbyn for Cameron's late father's revealed involvement in one offshore investment company, leading to the PM publishing his tax returns. Corbyn responded, only for the media to uncover his failure to properly declare income from three pensions. This is now becoming a bigger story. Another example of the Streisand Effect?