http://www.theguardian.com/uk-news/2016/apr/17/drone-plane-heathrow-airport-british-airways
http://www.fiercewireless.com/story/report-ss7-still-vulnerable-more-year-after-hack-first-reported/2016-04-18
http://9to5mac.com/2016/04/18/ss7-hack-iphone-congressman/ [This is a fascinating article. Senator Lieu is concerned that mobile phones are vulnerable to surveillance by anyone (not just law enforcement) —because of the SS7 vulnerability. The article also quotes Karsten Nohl, who demonstrated the vulnerabilities for Senator Lieu: "The ability to intercept cellphone calls through the SS7 network is an open secret among the world's intelligence agencies—including ours—and they don't necessarily want that hole plugged." PGN]
*The Independent*: "I run a small hosting provider with more or less 1535 customers and I use Ansible to automate some operations to be run on all servers. Last night I accidentally ran, on all servers, a Bash script with a rm -rf {foo}/{bar} with those variables undefined due to a bug in the code above this line."
http://www.independent.co.uk/life-style/gadgets-and-tech/news/man-accidentally-deletes-his-entire-company-with-one-line-of-bad-code-a6984256.html
[Also noted by Dan Jacobson: http://www.independent.ie/business/technology/man-deletes-his-whole-company-after-typing-wrong-bit-of-code-34629615.html This is not new(s), although it is nevertheless RISKS-worthy. PGN]
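As an added example (not code from the article above, nor from the poster's Ansible playbook), the following POSIX sh shows the expansion that bit him and a guard that refuses to run in that case. The variable names FOO and BAR stand in for the undefined {foo}/{bar} and are assumptions, as is the safe_target/safe_rm naming.

```shell
# Added example, not from the quoted article. With FOO and BAR unset,
# "$FOO/$BAR" silently becomes "/", so `rm -rf "$FOO/$BAR"` is `rm -rf /`.
# FOO/BAR stand in for the undefined {foo}/{bar} in the story (assumption).

# Vulnerable form: builds the target exactly the way the one-liner did.
# Only printed here; never passed to rm.
unsafe_target() {
    printf '%s\n' "$FOO/$BAR"
}

# Hardened form. Prints the target and returns 0 only if it is safe to delete.
# Return codes: 1 = a variable was unset or empty, 2 = target is the
# filesystem root or contains "..", 3 = target is not an absolute path.
safe_target() {
    # ${VAR:?msg} makes the expansion fail when VAR is unset OR empty.
    # The expansion runs inside the command-substitution subshell, so the
    # failure aborts only the substitution and we get a non-zero status
    # back instead of a silently empty string. `set -u` in the script
    # would catch the unset case too, but not an empty string.
    target=$( exec 2>/dev/null
              printf '%s' "${FOO:?FOO is unset or empty}/${BAR:?BAR is unset or empty}" ) || return 1
    case "$target" in
        /|//|/.|/..|*/../*|*/..) return 2 ;;   # root, or path traversal
        /*) ;;                                  # absolute path: acceptable
        *) return 3 ;;                          # relative path: refuse
    esac
    printf '%s\n' "$target"
}

# Deletes only what safe_target approves. `--` stops a target that starts
# with "-" from being parsed as an rm option.
safe_rm() {
    t=$(safe_target) || {
        printf 'refusing to delete: FOO=%s BAR=%s\n' "'${FOO-}'" "'${BAR-}'" >&2
        return 1
    }
    rm -rf -- "$t"
}
```

Usage: set FOO and BAR, then call `safe_rm`; it exits non-zero without touching the filesystem whenever either variable is missing or empty, the result is `/`, or the path is relative or contains `..`. Running the playbook's script under `sh -u` (or `set -u` at the top) would have caught the unset case on its own, which is the cheapest fix of all.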
Before opening financial accounts, I do some due diligence about the place, which isn't easy, thanks to bank secrecy. Then every few years I do this again for all places I've got accounts, because stuff happens we can find out about, such as a 5-star rating falling to 2 stars. Several banks in my city are UNRATED. Needless to say, I have accounts with none of them, except one which WAS rated, then had a merger over a year ago, became unrated, and is still that way. I keep notes on what I'm doing, try to reconcile bank statements, then go visit them to ask when I can't explain things. Also I sometimes visit to do non-standard operations. This can lead to interesting life experiences learning about hidden bank rules.

* When we open a CD (Certificate of Deposit), there is a contract with the rules. Apparently banks may change these rules, retroactively, and if the customer does not like it, tough. Banks are like landlords and their leases in this regard. Customers cannot change contracts retroactively without the signature of the other party. In recent years, many US judges have ruled that only the customers are bound by contracts, not the banks.

* We're supposed to report, on our tax returns, ALL funds (and other assets) received from ALL persons and institutions, with very few exceptions. The institutions are also supposed to report this to gov taxing authorities. MANY DO NOT. (There also was a recent US Tax Court ruling where someone got in trouble for not properly reporting an extremely large allowance paid to adult children.) Fortunately, if I notice this missing info, I can go ASK them, but then I have to supply the account #, the CD #, etc., which can include a CD which matured and was closed out, so where did I put the paperwork on a now-gone CD whose interest I need to report on my taxes?

* Many banks consider themselves exempt from gov regulations, can make up new rules, then say "We have to do this by gov rules," without providing any citation, and I cannot find that on any gov site. When they do that to me, I close the account, because I find that behavior to be intolerable.
HuffPo via NNSquad http://www.huffingtonpost.com/entry/uber-customer-data-privacy_us_570e518ae4b0ffa5937da329 The ride-sharing company said that between July and December 2015, it had provided information on more than 12 million riders and drivers to various U.S. regulators and on 469 users to state and federal law agencies.
http://www.wired.com/2016/04/researchers-cracked-microsoft-googles-shortened-urls-spy-people/?mbid=nl_41516
Vitaly Shmatikov: "If someone wanted to inject a lot of malicious content into people's computers, it's a pretty interesting way of doing it. By scanning you can find these folders, you put whatever you want in them, and it gets automatically copied to people's hard drives."
http://appleinsider.com/articles/16/04/14/apple-to-deprecate-quicktime-for-windows-after-discovery-of-two-flaws
http://motherboard.vice.com/read/house-republicans-anti-net-neutrality-bill-obama-fcc
Brushing aside a veto threat from President Obama, Republicans in Congress passed a controversial bill on Friday that public interest groups say would kneecap federal net neutrality Internet protections. Open Internet advocates call the "No Rate Regulation of Broadband Internet Access Act," which was approved in a 241-173 vote largely along party lines, just the latest GOP attempt to undermine federal rules protecting net neutrality, the principle that all content on the Internet should be equally accessible.
[See also Jon Brodkin, Ars Technica, 13 Apr 2016, "White House threatens veto of GOP's anti-net neutrality bill: 'No Rate Regulation' legislation would strip FCC of consumer protection powers." http://arstechnica.com/business/2016/04/white-house-threatens-veto-of-gops-anti-net-neutrality-bill/ Noted by Monty Solomon. PGN]
Sean Gallagher, Ars Technica, 14 Apr 2016 Researchers search for Microsoft, Google short URLs, find exposed personal data. http://arstechnica.com/security/2016/04/guess-what-url-shorteners-short-circuit-cloud-security/
http://arstechnica.com/cars/2016/04/bmws-car-sharing-service-launches-and-almost-lands-ars-a-ticket/
David Kravets, Ars Technica, 11 Apr 2016 Drivers in accidents could risk losing license for refusing to submit phone to testing. http://arstechnica.com/tech-policy/2016/04/first-came-the-breathalyzer-now-meet-the-roadside-police-textalyzer/
1,600 schools, governments, and aviation companies already backdoored. Dan Goodin, Ars Technica, 15 Apr 2016 http://arstechnica.com/security/2016/04/3-million-servers-are-sitting-ducks-for-crypto-ransomware-infection/
Dan Goodin, Ars Technica, 14 Apr 2016 Security firm urges Windows users to uninstall media player. http://arstechnica.com/security/2016/04/apple-stops-patching-quicktime-for-windows-despite-2-active-vulnerabilities/
https://www.bostonglobe.com/lifestyle/2016/04/14/things-know-about-ransomware/zOCkuVP3GzdiRbyCq7JSeP/story.html
Sean Gallagher, Ars Technica, 8 Apr 2016 Crypto-ransomware has turned every network intrusion into a potential payday. http://arstechnica.com/security/2016/04/ok-panic-newly-evolved-ransomware-is-bad-news-for-everyone/
"The Smart Reply feature which was available only on Android and iOS now works on the web. It "reads" your emails and crafts a reply for you. Three replies, actually. You can pick one (and edit it if need be) before you send the email. Inbox "learns" from your choices to craft better replies and more complex sentences with each iteration." http://www.makeuseof.com/tag/top-google-updates-2016-youll-want-know/ Well, that's certainly risk free. I mean, who here has ever clicked the wrong box/button/link on a web page? And I've always wanted Google to save me the trouble of reading email to "craft" replies. Machines should think, people should ... check Facebook, I guess. Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
Andrew gave a TEDx talk (i.e., a local TED-like talk at Princeton University), on the topic of "Internet Voting? Really?" Here's the 21-minute video, professionally edited by the TED people. https://www.youtube.com/watch?v=abQCqIbBBeM
Elections don't have to be online to be hacked. The central tabulators that count the votes in most US election districts are nothing but computers and it has been proven that they can be directly or remotely hacked. Since the software used is proprietary, the results are not verifiable or at least not verifiable within a useful timespan, i.e., before a candidate is sworn into office, after which federal officials cannot be directly recalled by voters even if it is proven that the election was stolen. Our elections, like our currency, are backed only by faith and credit in the US government. I wonder how many computer professionals retain their faith in an electoral system that cannot be verified? As long as they weren't partisan, they could probably incorporate as a religion, The Church of Divine Election Protection, and become tax exempt.
I am not a lawyer, but I debate legal principles on various forums, which may lead some people to believe that I know what I am talking about. The context of my response is two posts on the Burr-Feinstein bill, posts #3 and #2 in <http://catless.ncl.ac.uk/Risks/29.46.html>, which was apparently down when I tried to retrieve the links.

I had been reading, in many posts and stories, that laws like this mean that many US consumers of electronics would seek the products of other nations, which they think would have privacy protections, outside the loss of them from US firms. But then, while I was following Panama Papers coverage, a video https://www.youtube.com/watch?v=VzccIZUEYws reminded me that, in the absence of any international court of justice with jurisdiction, the US has been enforcing US laws on people's and companies' actions extraterritorially. For example, a Dutch company does something in Africa which is a violation of US laws, so the US drags that company into US courts. The US usually only does this if the company has a footprint in the USA, which is a reason some companies refuse to have a footprint in the USA. There have also been cases of refugees who get asylum in the US and are then able in US courts to sue their homeland for the actions for which the US gave them asylum. The US authorizes this under the ATS (Alien Tort Statute of 1789). Other nations are very annoyed about this US behavior. They think it is improper for US courts to rule on violations of international law where the USA is not directly involved. The US Supreme Court ruled on some of this in the Sosa case, which is pretty complicated.

The US DEA (Drug Enforcement Agency) had sent spies into Mexico to try to infiltrate drug cartels. They were not good at that job. (Maybe they needed advanced CIA training.) They were caught and tortured by a cartel. Via further DEA spying, they thought they identified who was responsible, but were unable to get them extradited thru Mexican courts. So the DEA hired a Mexican national to kidnap an alleged torturer and bring him to the USA for trial. The US court found the accused to be innocent, because of insufficient DEA evidence. That person then went thru US courts to charge the DEA sub-contractor with kidnapping, which is illegal in both the USA and Mexico. The US Supreme Court said the kidnapped person had grounds for a civil lawsuit. One lesson is that if the US wants to kidnap someone from another nation, the plan had better have enough evidence for conviction, or else put them in a CIA jail which is really secret. That is a precedent.

* Customer-X does a (free?) download of encryption protection app-Y from non-US firm-Z, thinking that if gov agents grab the device, seeking what's on it, they cannot get that from the company, because it is a non-US company.

* FALSE! This precedent applies. The fact that customer-X is using a company-Z product means that company-Z will now be vulnerable to the same kind of subpoena and court case which US-based companies are vulnerable to, by virtue of the footprint of Customer-X being in the USA.

* Companies outside the US which want to protect themselves from this will have to ban sales to people who are inside the USA.

Alister Wm Macintyre (Al Mac)
LinkedIn: https://www.linkedin.com/in/almacintyre
Panama Papers group: https://www.linkedin.com/groups/8508998