[Please pass the word on to any of your friends and colleagues who would normally be reading RISKS via the UK redistribution on catless.ncl.ac.uk, courtesy of Lindsay Marshall. Lindsay noted to me that catless was on a very old Newcastle server, and presumably will be rebooted—eventually. Lindsay has been our heroic maintainer of the risks.org RISKS repository and its redistribution of RISKS issues to the UK for years and years. However, this outage is way beyond his responsibility, and is agonizing. Meanwhile, you can read RISKS as comp.risks or at risks@ftp.sri.com. PGN] [Lindsay responded to my query: "It was a water main. But our big machine room has always been deep underground."]
The Philippines' Commission on Elections' entire database of 55 million Philippine voters was breached, initially on 27 Mar 2016. Trend Micro reported it on 6 Apr, with subsequent items in *The Register* and *The Guardian*. *The New York Times* reported it on 22 Apr. http://www.nytimes.com/aponline/2016/04/22/world/asia/ap-as-philippines-election-hacking-.html?emc=eta1
"This incident clearly erodes the confidence of citizens in a of government bodies. Some citizens might decide to never provide data again to the Instituto Nacional Electoral, the next time their ID expires," Guzman adds, noting that although it's a relief that financial and bank information were not leaked, "the information could still be used for criminal purposes, since the location[s] of citizens are available." * * * With this leak, Mexico now joins a list of countries where almost the entire population has had their personal information leaked or breached, as 93.4 million represents over 72% of Mexico's estimated population. Belize, Greece, Israel, Philippines, and Turkey have also experienced leaks of the majority of their population's personal information. And of course, let's not forget that Chris Vickery had also discovered 191 million U.S. voters -- data leaking due to a similarly misconfigured database. http://www.databreaches.net/personal-info-of-93-4-million-mexicans-exposed-on-amazon/
Lead editorial, *The New York Times*, 25 Apr 2016, relating to Virginia Governor Terry McAuliffe restoring voting rights to more than 200,000 people who have completed their sentences for felony convictions. This reverses Virginia's previous lifetime ban on voting. [PGN-ed] Final paragraph: Congress should amend the Voting Rights Act to restore preclearance and apply it to all jurisdictions with a recent history of discriminatory voting practices. And state officials who are not busy trying to disenfranchise people should be following Mr McAuliffe's example, and working to make it easier for people to vote.
Daphne Keller and Bruce D. Brown, The E.U.'s Dangerous Data Rules, Op-Ed, *The New York Times*, 25 Apr 2016. Can Europe protect privacy without creating *splinternets*? Important op-ed. Here's the final paragraph: Privacy is a real issue, and shouldn't be ignored in the Internet age. But applying those national laws to the Internet needs to be handled with more nuance and concern. These developments should not be driven only by privacy regulators. State departments, trade and justice ministries and telecom regulators in France and other European countries should be demanding a place at the table. So should free-expression advocates. One day, international agreements may sort this all out. But we shouldn't Balkanize the Internet in the meantime. Once we've erected barriers online, we might not be able to tear them down.
https://www.washingtonpost.com/news/checkpoint/wp/2016/04/19/night-vision-goggle-case-cause-of-plane-crash-that-killed-14-air-force-says/
A follow-up article on yesterday's article: http://www.fiercewireless.com/story/us-carriers-mum-60-minutes-report-vulnerability-ss7/2016-04-19
David Sanger, *The New York Times* front page, 25 Apr 2016 A New Line of Attack: Using Secret Weapons to Infiltrate Computer Networks
*The Guardian* FBI admits it paid $1.3m to hack into San Bernardino shooter's iPhone The FBI paid about $1.3m for software to hack into the iPhone of San Bernardino gunman Syed Farook, director James Comey told a London audience on Thursday. The staggering price illustrates the growth of the so-called "exploit market" for digital spy tools and cyber weapons as governments increasingly use hacker tricks for law enforcement and war. Prices for such software are rarely disclosed, although anything in the seven-figure range is extremely expensive. https://www.theguardian.com/technology/2016/apr/21/fbi-apple-iphone-hack-san-bernardino-price-paid [Yes, the alleged cost is staggering. However, perhaps the FBI is including all sorts of secondary costs, or having paid multiple sources for multiple exploits, or simply not understanding that the vulnerability that they actually exploited was well known in various communities, and could have been acquired for free from certain sources! PGN]
In short, a bug bounty hunter (someone looking to find bugs to take advantage of a reward program) was examining Facebook and eventually found a way in, only to discover that someone was already in the specific system. Facebook proclaimed this to be residue left by another bounty hunter (making the later one a hunter-gatherer?), a statement I have some problems with, as I personally would clear out malware as fast as I'd discover it. The story is summarised here, including a link to the rather interesting writeup of the technical details: http://www.theregister.co.uk/2016/04/22/i_hacked_facebook_and_found_someone_had_beaten_me_to_it/
According to Ann Christy, scammers are gaming the Amazon Kindle Unlimited system by publishing fake books with many pages, and tricking people into downloading them because: 1. They are free to download during the first five days of publication, and 2. They use click farms to force the books to the top of the Kindle Unlimited bestseller list. http://www.annchristy.com/ku-scammers-on-amazon-what-you-need-to-know/ The books themselves encourage the reader to go to the last page of the book to be entered into a contest or some such. This causes Amazon to believe that the entire book was read and results in a maximum payout to the scammer. (Authors earn royalties on Kindle Unlimited books based on the number of pages read—apparently as measured by the last page read.) Since the Kindle Unlimited royalty pool is fixed across all books, this means that authors of legitimate books are getting less than they should because the scammers are taking thousands of dollars out of the pool.
http://nymag.com/following/2016/04/people-often-disagree-about-what-emoji-mean.html Investigating the Potential for Miscommunication Using Emoji http://grouplens.org/blog/investigating-the-potential-for-miscommunication-using-emoji/ *Blissfully happy* or *ready to fight*: Varying Interpretations of Emoji http://grouplens.org/site-content/uploads/Emoji_Interpretation.pdf
http://www.csoonline.com/article/3057980/security/hacker-this-is-how-i-broke-into-hacking-team.html http://pastebin.com/raw/0SNSvyjJ
Consider this. http://smbc-comics.com/comics/1460904126-20160417.png
http://www.cnn.com/2016/04/19/politics/us-air-force-plane-crash-afghanistan/index.html
https://www.eff.org/deeplinks/2016/04/burr-feinstein-proposal-simply-anti-security
Many phone numbers these days merely lead to automated voice mail with directions to a website. And some businesses have abandoned phones altogether. http://www.nytimes.com/2016/04/21/fashion/phones-businesses-landline.html
The company releasing the info is Trend Micro/DV Labs as part of their "Zero Day Initiative". http://blog.trendmicro.com/urgent-call-action-uninstall-quicktime-windows-today/ http://zerodayinitiative.com/about/ but the actual flaw was discovered by Steven Seeley of Source Incite -- according to the credit line in the reports: http://zerodayinitiative.com/advisories/ZDI-16-241/ http://zerodayinitiative.com/advisories/ZDI-16-242/ The Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) is a clearing house for computer security information, and is simply passing along the information from the Zero Day Initiative advisories https://www.us-cert.gov/ncas/alerts/TA16-105A And for completeness, here is the link to the Wall Street Journal article: http://www.wsj.com/articles/windows-users-its-time-to-dump-apples-quicktime-1461007437
Erm... no. Reading the article, it's clear that it wasn't the service that led to the traffic violation, it was *the journalist blindly following the satnav* that did it. It would've resulted in an (almost) ticket, regardless of whether this happened in a shared Beamer or the author's private Ford. There is a RISKS lesson here, certainly, but it's an old one and it has nothing to do with ReachNow specifically: when you turn on your satnav, do not turn off your brain.
[Fin: Uh...and just whose rating would that be? I can hand out stars, too, and will be more than happy to if you send me the names of the institutions. - Fin] fin@nym.hush.com asked a question about what rating system I was using for the due diligence in my "Bank Back stabbing" post, for which I plan additional future installments, after I have cooled down enough from my anger with recent incidents to describe with clarity and conciseness, to the best of my ability. In the USA, banks are regulated by the FDIC government organization, which awards stars for a variety of adherence to best practices and level of risk of default, such as having enough money to sustain obligations and diversity of investments across different industry sectors: what we laymen call SAFE and SECURE, from both a financial perspective and a cyber perspective. One star means it has one foot in the grave. Five stars is the best. Via Internet search, we can find sites which list banks in our area, and what their FDIC ratings are, and other info. It is not as well organized for other kinds of financial institutions, some of which have better insurance funds than the FDIC. There are also both government, and better-business-bureau type resources which tell us what kinds of complaints other consumers have had against institutions, and how they were resolved. I don't care if there are a lot of complaints. I care that they are resolved swiftly, politely, and with justice. Then after finding high star, or equivalent, institutions, which apparently behave in a civilized way, my next due diligence interests include rate competitiveness, and ease of access to their services.
Alister Wm Macintyre (Al Mac)
https://www.linkedin.com/in/almacintyre
Panama Papers group: https://www.linkedin.com/groups/8508998
As you probably know by now, this story is now claimed to be a hoax by the original forum poster. The Independent has this update: "Since this story was posted, Mr Marsala has claimed that his original post was a hoax and written as a marketing stunt, but that it had happened to a client of his in 2006. Contacted by The Independent, Mr Marsala said that the post was guerilla [*] marketing for another, unnamed, company." ServerFault has deleted the original question. The real RISK is that these days, anyone can post anything to just about any popular forum and have it taken up and printed by the major news networks without any checking or verification. As if to illustrate this point, one of the sidebars to this story is a link to the story "Women considered to write better code than men as long as they don't reveal their gender, study suggests" http://www.independent.co.uk/life-style/gadgets-and-tech/news/women-better-code-men-github-study-a6870836.html This story reports on a paper "authored by a group of six students from California Polytechnic State University and North Carolina State University, [which] has been published online, *but is not yet peer-reviewed.*" (my emphasis). So: some students wrote a paper, put it on a web site, and it gets picked up by major news networks: before it has even been peer-reviewed. "A lie can travel halfway around the world before the truth can get its boots on" (Incorrectly attributed to Mark Twain: but the truth is still trying to catch up with the incorrect attribution!)
Dr Martin Ward, STRL Principal Lecturer & Reader in Software Engineering
martin@gkc.org.uk http://www.cse.dmu.ac.uk/~mward/
[* "300-pound guerilla my dreams?" (in British currency) PGN]
The reason it sounded too good to be true is that it was. It's a hoax. http://www.repubblica.it/tecnologia/2016/04/15/news/cancella_l_azienda_per_sbaglio_la_disavventura_tecnologica_di_marco_marsala-137693154/ http://www.nydailynews.com/news/national/man-deleted-entire-company-hoax-article-1.2604511
And news that even RISKS users can fall for a hoax: http://www.pcworld.com/article/3057235/data-center-cloud/that-man-who-deleted-his-entire-company-with-a-line-of-code-it-was-a-hoax.html (really, someone who claims the original error, and then follows it up by claiming that he got the if / of command reversed when attempting a recovery, was a good clue).
According to Snopes, this is a hoax: see http://www.snopes.com/man-deletes-company-code/ ... From that: "Marsala admitted to making up the scenario in order to promote his small company, which (naturally) provides outsourced server management services." Not sure that's how I'd go about promoting a server management company ...