Evelyn Brown, *NIST News*, 4 May 2016 via ACM TechNews, 6 May 2016 A new draft publication from the U.S. National Institute of Standards and Technology (NIST) proposes incorporating proven security design principles and concepts into cyber-physical systems at every step, from conception to deployment. NIST Special Publication 800-160, based on the international ISO/IEC/IEEE Standard 15288 for Systems and Software Engineering, recommends a comprehensive, ground-up approach to baking in security. NIST fellow Ron Ross says current procedures for organizations--purchasing commercial components and then tacking on security measures--"do not go far enough in reducing and managing complexity, developing sound security architectures, and applying fundamental security design principles." The draft publication applies security precepts to all of the ISO/IEC/IEEE standard's listed technical processes, as well as to crucial non-engineering processes involving systems such as management and support services. The recommended strategy begins with mission or business owners "valuing" their assets and then applies security design principles and systems engineering processes to develop suitable security requirements, architecture, and design. "The systems security engineering considerations...give organizations the capability to strengthen their systems against cyberattacks, limit the damage from those attacks if they occur, and make their systems survivable," Ross says. Consultant Robert Bigman predicts the recommendations "will become the de facto standard for integrating 'trustability' [hopefully, trustworthiness!!!] into the design, development, deployment, and operation of systems used both within government and commercial critical infrastructure industries." http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-f04bx2e319x065379& [It's about time. The low bar for untrustworthy supposedly-secure systems has been pitiful. PGN]
Patrick Thibodeau, *Computerworld*, 5 May 2016, via ACM TechNews, 6 May 2016 The White House released a report this week examining the problems associated with poorly designed systems that increasingly are being used in automated decision-making. The report warns algorithms may have so much power in day-to-day life that it may be important to develop ethical frameworks for designing automated computer systems. In addition, the report says automated computer systems may need to be transparent for testing and auditing. Meanwhile, a second effort has been studying the future of algorithms through a series of four workshops held across the U.S. to examine artificial intelligence's (AI) impact on society. "We're increasingly relying on AI to advise decisions and operate physical and virtual machinery--adding to the challenge of predicting and controlling how complex technologies will behave," says the U.S. Federal Trade Commission's Ed Felten. The federal government will produce an AI report following workshops in Seattle, to be followed by meetings in Washington, D.C., Pittsburgh, and New York City in July. The most pressing concern is algorithmic systems that, because of bad design, inadvertently discriminate. The report notes a system also could use a poorly designed matching system or could inadvertently restrict the flow of information.
Vincent Conitzer, *Prospect Magazine*, 4 May 2016 ACM TechNews, 6 May 2016 Read TechNews Online at: http://technews.acm.org There is little emphasis on the philosophical ramifications of artificial intelligence (AI) research and development at AI conferences and other scientific forums, with most researchers preferring to focus on technical achievement, writes Duke University professor Vincent Conitzer. He says this tendency can be partly traced to AI scientists' push to have their work respected by peers. Bringing attention to philosophical issues in AI are experts such as Nick Bostrom, director of Oxford University's Future of Humanity Institute. He is concerned with an "intelligence explosion" in which humans build machines that exceed human intelligence, which in turn build something that is even more intelligent, leading to ever-escalating generations of smarter systems. Another factor creating a disconnect between mainstream AI researchers and those worried about the future has been inaccurate predictions of how progress in the field would unfold, even in the short term. Issues about AI are being raised outside of the discipline, with the American Association for the Advancement of Science calling for 10 percent of the AI research budget to be channeled into examining its societal effects. Conitzer says it is in the AI community's interest to get involved in this debate, lest the discussion be less informed. Currently absent is a way to engage with the more opaque long-term philosophical issues, but AI's ability to make ethical decisions is one subject in which immediate momentum appears possible. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-f04bx2e315x065379&
A risk of overexposure to a voice-based user interface. http://www.mcsweeneys.net/articles/william-toms-versus-jennifer-the-robot
Summary and FAQ

We performed the first in-depth empirical security analysis of a popular emerging smart home programming platform---Samsung SmartThings. We evaluated the platform's security design, and coupled that with an analysis of 499 SmartThings apps (also called SmartApps) and 132 device handlers using static code analysis tools that we built.

What are your key findings?

Our key findings are twofold. First, although SmartThings implements a privilege separation model, we found that SmartApps can be overprivileged. That is, SmartApps can gain access to more operations on devices than their functionality requires. Second, the SmartThings event subsystem, which devices use to communicate asynchronously with SmartApps via events, does not sufficiently protect events that carry sensitive information such as lock pincodes.

Why SmartThings?

Recently, several competing smart home programming frameworks that support third party app development have emerged. These frameworks provide tangible benefits to users, but can also expose users to significant security risks. We analyzed Samsung-owned SmartThings because it has the largest number of apps among currently available smart home platforms, and supports a broad range of devices including motion sensors, fire alarms, and door locks.

Can you explain overprivilege, and what you found specifically for SmartThings?

Overprivilege is a security design flaw wherein an app gains access to more operations on protected resources than it requires to complete its claimed functionality. For instance, a battery manager app only needs access to read battery levels of devices. However, if this app can also issue operations to control the on/off status of those devices, that would be overprivilege. We found two forms of overprivilege for SmartThings. First, coarse-grained capabilities cause over 55% of existing SmartApps to be overprivileged. Second, coarse SmartApp-SmartDevice binding leads to SmartApps gaining access to operations they did not explicitly ask for. Our analysis reveals that 42% of existing SmartApps are overprivileged in this way.

How can attackers exploit these design flaws?

We exploited framework design flaws to construct four proof-of-concept attacks that: (1) secretly planted door lock codes; (2) stole existing door lock codes; (3) disabled vacation mode of the home; and (4) induced a fake fire alarm. Details on how these attacks work are in our research paper linked below. https://iotsecurity.eecs.umich.edu
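The two overprivilege forms described in the FAQ above can be made concrete with a small model. The following is an added example written for this digest, not the Michigan team's analysis tooling and not SmartThings platform code. It assumes a simplified capability table (capability name to the operations it grants; the names "battery", "switch" and "lock" and their operations are illustrative), a SmartApp described by the capabilities it requests and the operations it actually invokes, and a device described by every capability its handler exposes. Form 1 (coarse capabilities) shows up as granted-but-unused operations; form 2 (coarse binding) shows up as operations reachable only because binding to a device exposes all of that device's capabilities, not just the one the app asked for.

```python
# Toy model of the two SmartThings overprivilege forms. Added example, not
# the research team's tools; capability names and operations are assumed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

# Assumed, simplified capability table: capability -> operations it grants.
# Real capabilities similarly bundle reads (attributes) with writes (commands).
CAPABILITIES: Dict[str, FrozenSet[str]] = {
    "battery": frozenset({"battery.read"}),
    "switch": frozenset({"switch.read", "switch.on", "switch.off"}),
    "lock": frozenset({"lock.read", "lock.lock", "lock.unlock", "lock.setCode"}),
}


@dataclass(frozen=True)
class Device:
    """A device as exposed by its device handler: every capability it supports."""
    name: str
    capabilities: FrozenSet[str]


@dataclass(frozen=True)
class SmartApp:
    """What an app declares it needs and what its body actually calls."""
    name: str
    requested: FrozenSet[str]  # capabilities named in the app's input declarations
    used: FrozenSet[str]       # operations invoked by the app (from static analysis)


def ops_granted(capabilities: FrozenSet[str]) -> Set[str]:
    """Union of all operations granted by a set of capabilities."""
    granted: Set[str] = set()
    for cap in capabilities:
        granted |= CAPABILITIES[cap]
    return granted


def analyze(app: SmartApp, bound: FrozenSet[Device]) -> Dict[str, Set[str]]:
    """Report both overprivilege forms for one app bound to the given devices.

    coarse_capability: granted by the requested capabilities but never used.
    coarse_binding: reachable only because a bound device exposes more
        capabilities than the app requested.
    unauthorized: used but not reachable at all (sanity check; should be empty).
    """
    via_capability = ops_granted(app.requested)
    via_binding: Set[str] = set()
    for dev in bound:
        via_binding |= ops_granted(dev.capabilities)
    return {
        "coarse_capability": via_capability - app.used,
        "coarse_binding": via_binding - via_capability,
        "unauthorized": app.used - (via_capability | via_binding),
    }


def is_overprivileged(app: SmartApp, bound: FrozenSet[Device]) -> bool:
    """True if either form of overprivilege is present."""
    result = analyze(app, bound)
    return bool(result["coarse_capability"] or result["coarse_binding"])


# Constructed sample devices: a smart plug that reports battery level and
# switches, and a door lock that reports battery level and locks/unlocks.
LAMP_PLUG = Device("lamp-plug", frozenset({"battery", "switch"}))
FRONT_DOOR = Device("front-door", frozenset({"battery", "lock"}))

# Constructed sample apps. The battery manager needs only battery.read; the
# lock watcher needs only lock.read but must request the whole lock capability.
BATTERY_MANAGER = SmartApp("battery-manager", frozenset({"battery"}),
                           frozenset({"battery.read"}))
LOCK_WATCHER = SmartApp("lock-watcher", frozenset({"lock"}),
                        frozenset({"lock.read"}))

if __name__ == "__main__":
    for app, devices in ((BATTERY_MANAGER, frozenset({LAMP_PLUG})),
                         (LOCK_WATCHER, frozenset({FRONT_DOOR}))):
        print(app.name, is_overprivileged(app, devices), analyze(app, devices))
```

Run stand-alone, the battery manager shows no form 1 excess (the assumed battery capability is read-only) but gains switch.on/switch.off through binding, matching the FAQ's on/off illustration; the lock watcher shows form 1 excess (lock, unlock, setCode granted by the one capability it had to request). The real analysis operates on Groovy SmartApp source and SmartThings' actual capability definitions, which this model only approximates.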
PTI, New Delhi, 1 May 2016 A 15-year-old boy who accidentally shot himself with his father's revolver while taking a selfie died in Ludhiana on Sunday. With a bullet stuck in his head, critically injured Ramandeep Singh was shifted to a hospital in Ludhiana where he succumbed to his injuries. The incident occurred Friday night when Ramandeep was trying to take a selfie on his mobile phone with the licensed .32 bore revolver while pointing the weapon at his head, Pathankot Deputy Superintendent of Police (City) Manoj Kumar said. http://indianexpress.com/article/india/india-news-india/pathankot-boy-gun-selfie-injured-2777970/
https://www.washingtonpost.com/news/to-your-health/wp/2016/05/03/researchers-medical-errors-now-third-leading-cause-of-death-in-united-states/
http://www.fastcompany.com/3059524/voter-id-laws-may-have-actually-increased-the-likelihood-of-voter-fraud-by-hackers
http://dilbert.com/strip/2016-05-01
Radio frequency emissions are considered incidental system noise in virtually all laptops, smartphones and other electronic devices, but scientists at Disney Research have found a way to use these spurious electromagnetic (EM) signals to uniquely identify even seemingly identical devices. Read more at: http://phys.org/news/2016-05-fingerprint-noise-differentiate-identical-electronic.html#jCp
A radical left web site recently posted personal data, including home and e-mail addresses, of people attending two party conferences of the Alternative für Deutschland, a German political party situated to the right of the current German government. The names include those of current AfD members, AfD ex-members and others attending the conferences as guests. Several hundred affected people have filed criminal charges. So far, exposure of the data has led to harassment of several AfD members and at least one murder threat. Ironically, the person who went public with the death threat is not even an AfD member. http://www.newday.mk/data-leakage-participants-list-afd-party-congress-on-the-net-showed-up/ http://www.swr.de/landesschau-aktuell/bw/tuebingen/hass-mail-nach-afd-parteitag-tuebinger-student-erhaelt-todesdrohung/-/id=1602/did=17377092/nid=1602/2lk1u6/
Caroline Craig, InfoWorld, 6 May 2016 Not only are warrantless searches exploding in number, the boundaries of warrants themselves are expanding http://www.infoworld.com/article/3066712/privacy/warrantless-searches-surge-as-online-privacy-dwindles.html
https://www.theguardian.com/technology/2016/may/04/windows-10-updates-ruining-pro-gaming-streams Forcing a gaming PC to update mid-game during a livestream to up to 130,000 followers isn't the best advert for the software
In a posting dated 3 May 2016, Paul Robinson describes a world in which broadband Internet access is nearly ubiquitous. Apparently, Mr. Robinson spends all his time in large metropolitan areas. There are vast swaths of rural America where dial-up is still the only option for Internet access. Ah, but you have a smartphone which can be used as an Internet hotspot. Good luck finding a data connection in rural America. The cellular service providers have no incentive to spend money to upgrade towers to support data service because there are so few smartphone users in these areas. And there are so few smartphone users because there is no data service. Paul Russell, Lakeville, Indiana USA
[Lindsay Marshall <Lindsay.Marshall@newcastle.ac.uk> reports: I am seeing signs of life from catless! So resuscitation is in progress. No web yet and not visible to the outside world, but I'm getting error messages. LM [As of Thursday 5 May, we have moved all of the catless-based RISKS subscribers to the SRI distribution system. CATLESS subscribers should be receiving this issue directly from SRI.COM. Some of you will be very grateful when CATLESS once again becomes CATalogued as browsable. PGN] Dear Lindsay, Thanks for the notice. Wow - that's a page turned, closing the NCL redistribution of RISKS! I hope that Peter will propose a vote of thanks by acclamation on behalf of all UK based RISKS readers! I remember when you set this list up... and transatlantic bandwidth was scarce. How the Internet has changed! It's another world now. Thanks so much and warmest regards, [Yes, ABSOLUTELY! We are deeply indebted to Lindsay Marshall for his steadfast help in maintaining the official searchable RISKS repository. PGN]
This is good to know. I was assuming that the repository went offline because of the "Man accidentally 'deletes his entire company' with one line of bad code" story from the Independent that was making the rounds about that time. Schweitzer Engineering Laboratories, Pullman, WA 99163 http://www.selinc.com
This was sent to me by Chris Cartledge: >Every Risks reader sh/could read this: >http://www.bbc.co.uk/programmes/b078z5m8 >Kind Regards and Best Wishes >Chris Cartledge