Please try the URL privacy information feature, enabled by clicking the flashlight icon above. This will reveal two icons after each link in the body of the digest. The shield takes you to a breakdown of the Terms of Service for the site; however, only a small number of sites are covered at the moment. The flashlight takes you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know whether you find this useful. As a RISKS reader, you will probably not be surprised by what is revealed…
The US government will be performing GPS jamming experiments near China Lake. The FAA, which publishes Notices to Airmen (NOTAMs), has a category for GPS events. https://pilotweb.nas.faa.gov/PilotWeb/noticesAction.do?queryType=ALLGPS&formatType=DOMESTIC And I quote: ADDITIONALLY, DUE TO GPS INTERFERENCE IMPACTS POTENTIALLY AFFECTING EMBRAER PHENOM 300 AIRCRAFT FLIGHT STABILITY CONTROLS, FAA RECOMMENDS EMBRAER PHENOM PILOTS AVOID THE ABOVE TESTING AREA AND CLOSELY MONITOR FLIGHT CONTROL SYSTEMS DUE TO POTENTIAL LOSS OF GPS SIGNAL Awesome. [Mark Thorson notes that a large area of southern California may be affected. http://www.dailymail.co.uk/sciencetech/article-3630029 He also found it particularly interesting that Embraer Phenom 300 business jets should avoid the area entirely because their flight stability controls may be affected. Uh, what? PGN]
Lucas Mearian, ComputerWorld, 6 Jun 2016 Autopilot was not activated in the car http://www.computerworld.com/article/3079807/car-tech/tesla-model-x-autonomously-crashes-into-building-owner-claims.html selected text: The owner of a brand-new Tesla Model X SUV said the car suddenly accelerated at "maximum speed" by itself, jumped a curb and slammed into the side of a shopping mall while his wife was behind the wheel. The owner of the Model X, Puzant Ozbag, said the vehicle had been delivered only five days earlier to his home in Irvine, Calif., where the accident also took place. He said his wife had not activated any self-driving features at the time of the crash. Puzant, who wasn't in the SUV at the time of the crash, said it was fortunate that the vehicle's front wheels were turned slightly left as his wife was pulling into the parking space because if they'd been straight, the Model X would have plowed into a nail salon and could have killed someone. The accident, which occurred at about 2:30 p.m., injured his wife's arm and caused major damage to the SUV's front end. His wife's arm was burned during the crash, likely from the airbags being deployed, and remains swollen today, Puzant said. If the Model X accident turns out to have been caused by a faulty autonomous vehicle system, it would not be the first reported by a Tesla owner. Last month, a Model S owner from Utah reported that his sedan started itself and rammed into the back of a trailer bed after he'd placed the vehicle in park and gone into a store to run an errand.
Just like your phone or computer, your web-connected car needs to get the occasional software update. Most of these system tweaks happen quietly without too much interruption to your life, but occasionally one goes wrong and you end up with a Lexus with navigation and infotainment systems that can't be used because they are stuck in a reboot loop. Lexus says it is working around the clock to find a solution for a satellite communication issue after many owners of vehicles with Lexus' Enform system with navigation said the head units for their systems stopped working. https://consumerist.com/2016/06/08/lexus-owners-say-update-bricked-cars-navigation-systems/ And asynchronous updates pushed by car manufacturers over the air seemed like *such* a good idea. Who (aside from readers of this list) could have anticipated anything going wrong? It seems to me that "satellite communication" is the problem, not the "issue". And, while I'd hardly use Windows as the example of reliable updates, at least restore points occasionally undo update mischief. Maybe Lexus will introduce them as a priced feature.
http://www.bostonglobe.com/lifestyle/2016/06/09/scary-glitch-affects-luxury-cars/kj4wg2lhphlJDC3gATGuPM/story.html Carmaker Toyota and its luxury brand Lexus rushed to fix a software bug Wednesday that had caused a malfunction in vehicles' GPS, climate control and ''infotainment,'' or front console radio systems. It disabled the backup camera and hands-free phone functions as well. Errant data broadcast Tuesday by the company's traffic and weather service confounded vehicles' ''Enform'' infotainment system installed in 2014, 2015, and 2016 Lexus vehicles and the 2016 Toyota Land Cruiser, the company said. The data made the subscription-based ''Enform'' system continuously reboot itself, rendering it unusable and drawing the ire of many a driver. What is most worrisome about this particular bug is that it wasn't isolated to one function. The good news is that this particular system doesn't seem critical to the driving (unless, perhaps, the navigation system is doing the driving!). The problem is not so much that a car might have 1e8 lines of code; it is in the difficulty of isolating subsystems and the unanticipated interactions between the various systems. And between cars.
http://www.bbc.co.uk/news/technology-36478641 "Errant data broadcast by our traffic and weather data service provider was not handled as expected by the microcomputer in the vehicle navigation head unit (centre display) of 2014-16 Model Year Lexus vehicles and 2016 Model Year Toyota Land Cruiser," a spokeswoman explained. "In some situations, this issue can cause the head unit to restart repeatedly, affecting operation of the navigation system (if equipped), audio and climate control features. The data suspected to be the source of the error was corrected last night." The firm said "many" vehicles had been affected. The affected vehicles have been recalled.
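The failure mode in the Lexus item (a provider's errant broadcast data driving the head unit into a restart loop and taking navigation, audio and climate control down with it) is worth seeing in code. What follows is an added illustration written for this digest, not Toyota/Lexus code, and everything in it is hypothetical: the JSON record format, the field names and limits, and the three-crash policy. It shows two independent layers a practitioner would want: validating feed data as untrusted input so a bad record is dropped rather than crashing the process, and a boot-loop breaker that counts consecutive crashes across restarts and comes up with the feed disabled so the rest of the unit keeps working.

```python
"""Added illustration (not Toyota/Lexus code): treat a broadcast data feed as
untrusted input, and break the reboot loop if it crashes the unit anyway.
The record format, field names, limits and crash policy are hypothetical."""
import json

MAX_CRASHES_BEFORE_DISABLE = 3   # hypothetical policy: 3 consecutive crashes


class BadRecord(ValueError):
    """Raised for any feed record that fails validation."""


def parse_traffic_record(raw: bytes) -> dict:
    """Validate one hypothetical traffic/weather record before display code
    sees it.  Every unexpected condition becomes BadRecord rather than a
    stray exception (the software equivalent of the head unit's crash)."""
    if len(raw) > 4096:
        raise BadRecord("oversized record")
    try:
        rec = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise BadRecord(f"undecodable record: {exc}") from None
    if not isinstance(rec, dict):
        raise BadRecord("record is not an object")
    for key, typ in (("road", str), ("speed_kph", int), ("temp_c", int)):
        val = rec.get(key)
        if not isinstance(val, typ) or isinstance(val, bool):
            raise BadRecord(f"missing or mistyped field {key!r}")
    if not (0 <= rec["speed_kph"] <= 300 and -60 <= rec["temp_c"] <= 70):
        raise BadRecord("value out of range")
    if len(rec["road"]) > 64:
        raise BadRecord("road name too long")
    return rec


class HeadUnit:
    """Models the data-feed path of a head unit.  crash_count stands in for a
    counter kept in non-volatile storage so that it survives restarts."""

    def __init__(self, breaker: bool = True):
        self.breaker = breaker
        self.crash_count = 0
        self.feed_enabled = True
        self.displayed = []

    def boot(self):
        """Called on every (re)start.  With the breaker on, after N consecutive
        crashes the unit comes up with the feed disabled so that audio,
        climate control and camera keep working."""
        self.displayed = []
        if self.breaker and self.crash_count >= MAX_CRASHES_BEFORE_DISABLE:
            self.feed_enabled = False

    def naive_handle(self, raw: bytes):
        """'Before' version: trusts the feed, so garbage escapes as an
        unhandled exception and the unit restarts."""
        if not self.feed_enabled:
            return False
        rec = json.loads(raw)
        self.displayed.append(rec["road"])
        return True

    def hardened_handle(self, raw: bytes):
        """'After' version: a bad record is dropped and the unit keeps running."""
        if not self.feed_enabled:
            return False
        try:
            rec = parse_traffic_record(raw)
        except BadRecord:
            return False
        self.displayed.append(rec["road"])
        return True


def simulate(records, handler_name: str, breaker: bool = True, max_boots: int = 10):
    """Feed `records` through one handler, restarting the unit on any crash.
    Returns (restarts, feed_enabled, roads displayed after the last boot)."""
    unit = HeadUnit(breaker=breaker)
    handler = getattr(unit, handler_name)
    restarts = 0
    for _ in range(max_boots):
        unit.boot()
        try:
            for raw in records:
                handler(raw)
            break                      # whole feed processed without a crash
        except Exception:              # any crash in the feed path -> restart
            unit.crash_count += 1
            restarts += 1
    return restarts, unit.feed_enabled, list(unit.displayed)


# Constructed sample feed: one valid record followed by an errant broadcast.
SAMPLE_FEED = [
    b'{"road": "I-405", "speed_kph": 40, "temp_c": 22}',
    b"\xff\xfe{not json",
]

if __name__ == "__main__":
    print("naive, no breaker:  ", simulate(SAMPLE_FEED, "naive_handle", breaker=False))
    print("naive, with breaker:", simulate(SAMPLE_FEED, "naive_handle"))
    print("hardened:           ", simulate(SAMPLE_FEED, "hardened_handle"))
```

The two layers are deliberately independent: the breaker does not rely on the parser being correct, so any crash source in the feed path is contained after a bounded number of restarts, and the only thing lost is the optional feature rather than the whole head unit. A real unit would also need a path to re-enable the feed once corrected data is available, which this model omits.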
I think there have been recalls for several other vehicles along these lines as well. The Fiat 500e and the Mitsubishi Outlander, which has been hacked; see the following for some juicy details. https://www.theguardian.com/technology/2016/jun/06/mitsubishi-outlander-car-hacked-security I also saw somewhere there was a bug in the web browser on the Tesla, but they seem to have fixed it the same day over the interweb...
[Here is something I just sent to my Allstate Auto Insurance agent, which may also be of interest to you.]

The topic of "car hacking" is troublesome to me, and I know Allstate has also been looking into this threat. Here is another link which may interest you. I found it because I follow cyber security issues on LinkedIn. The comments on this link are also worth viewing. http://www.csoonline.com/article/3081480/hardware/securing-your-car-from-cyberattacks-is-becoming-a-big-business.html

There are several issues:

* Most any new technology has a business psychology of being first to market share, then worrying about security and privacy and other issues later, which turn out to be much more expensive to perfect than had they been designed in from the start. So we now have millions of cars on the road which can be hacked. Look at how long it took for the air bag problem to be recognized and addressed properly. A Congressional hearing last year learned that there are still new cars being sold with the defective air bags. My car had one of them, and I got mine replaced. Most people with them have not yet had them replaced.

* Even when some companies try to behave responsibly, they invariably include standard chips, which can include irresponsibility without the buyers being aware, such as IoT at the present time, which is now in millions of consumer products.

* A lot of manufacturing is outsourced in such a way that it is vulnerable to Manchurian chips, which are extra stuff to support extra activities (usually crooked, or foreign state surveillance, or cyber war), not what the customer ordered, and almost impossible to detect.

* Given the rise in interconnectedness of all kinds of gadgets, when there is risk of malware, hacking, and other threats, is there anything the end user of the gadgets can do to mitigate the threat? That is the topic of the link above.
It may be useful for Allstate to track, by vehicle manufacturer and model, which are vulnerable to hacking and which have these cyber security protections available, review their relative merits, and recommend the best to their customers driving those vehicles. The process of software updates has been shown to be vulnerable to crooks using that avenue to deliver badware. I am very disturbed by this notion that some manufacturers wish to deliver software upgrades to autos when they are in the world of consumer usage, because that invites the bad people to use that channel on vehicles on a highway to trigger massive pile-ups. I much prefer the notion that we take our car to get the upgrade, some place where the car is not being driven concurrently, and the upgrade can then be tested. This is a model I saw for much of my career with back office computers. An upgrade is due. We wait for a time period with low activity by our users. Stop everything. Get a complete backup. Apply the upgrade. Test that it meets standards. Then decide whether to return to the backup, without the upgrade, or continue forwards. Do another backup before resuming normal operations. Making sure the update model is safe: this is something I think the industry needs to address PDQ, because we are headed towards mainstream news finding out, causing a panic, and legislators crafting bad laws. My comment on the bug rate: I was a programmer for over 50 years. My bug rate depended on the programming tools made available to me by the software environment in which I worked. There were tools for testing, for checking coding standards, and a format checker to find out if the code was "grammatically correct" in the computer language. Have you ever prepared some document, where you plan to run off many copies: you check and check, someone else checks, and no one sees a typing error until after you have run off the many copies. Programming can be like that; we make a typing error while keying in the program.
I did not go by the standard of # bugs per lines of code, but rather # bugs per application run for the end users, because that was the priority to fix. Most of our bugs were not an error made by the programmer at the time of software development, but because programs were originally designed for one purpose, then the company later used those programs for another purpose for which they were not originally designed, and thus they did not work right and needed to be fixed to meet the new conditions. Those bugs were not a single typo in one line of code, but rather a package of logic, where many changes were needed in multiple places. Even so, the notion of 15 bugs per 1,000 lines of code is unheard of for my career, even with the most rudimentary of programmer tools. 5 bugs per million lines of code is about the worst I ever saw in my career going into production, after testing, then discovered later.

VW was one of the first car manufacturers to get a bad rep in the cyber security world for how they handled news of hackable cars. Here they are doing something which may help repair their reputation: https://www.youtube.com/watch?list=PLH-T358uPi7fY1nz0B9d4BOMjXsHY6-Nc
[via Dave Farber] Drones hacked and crashed by research team to expose design flaws. Five graduate students and their professor have discovered three different ways to send rogue commands from a computer laptop to interfere with an airborne hobby drone's normal operation and land it or send it plummeting. The Johns Hopkins University, Baltimore, USA, computer security team has raised concerns about the ease with which hackers could cause these increasingly popular robotic devices to ignore their human controllers and land or, more drastically, crash. http://eandt.theiet.org/news/2016/jun/drone-hacking.cfm
This is a pithy RISKS-relevant illustration of how utilities are linked in an emergency, and how pervasive the effects can be. Courtesy of Cliff Jones and Brian Randell in Newcastle. http://www.raeng.org.uk/publications/reports/living-without-electricity
http://www.nytimes.com/2016/06/09/world/africa/monkey-kenya-survives-blackout-internet-vervet.html The primate jumped on a transformer at a hydroelectric power station, starting a chain reaction that knocked out lights and the Internet.
The headline is a nice summary: "Creepy startup will help landlords, employers and online dates strip-mine intimate data from your Facebook page" British startup Score Assured is used by landlords and others to learn about individuals - after their customer sends the individual an "invitation" (sort of an invitation to a lynch mob, IMHO), they are required to provide credentials for Facebook, LinkedIn, Twitter and/or Instagram accounts, according to the WashPost. The data mining software then crawls postings and develops a profile. I love this quote from the co-founder: "If you're living a normal life, then, frankly, you have nothing to worry about." But perhaps he's (unfortunately) correct on this one: "People will give up their privacy to get something they want." Of course there's no way to correct whatever conclusions it draws. What's almost as incredible as the product is that the reporter was willing to share her information with the company, and let them crawl her pages. https://www.washingtonpost.com/news/the-intersect/wp/2016/06/09/creepy-startup-will-help-landlords-employers-and-online-dates-strip-mine-intimate-data-from-your-facebook-page/
http://engineering.stanford.edu/news/%E2%80%8Bdavid-dill-why-online-voting-danger-democracy If, like a growing number of people, you're willing to trust the Internet to safeguard your finances, shepherd your love life, and maybe even steer your car, being able to cast your vote online might seem like a logical, perhaps overdue, step. No more taking time out of your workday to travel to a polling place only to stand in a long line. Instead, as easily as hailing a ride, you could pull out your phone, cast your vote, and go along with your day. Sounds great, right? Absolutely not, says Stanford computer science professor David Dill <https://profiles.stanford.edu/david-dill>. In fact, online voting is such a dangerous idea that computer scientists and security experts are nearly unanimous in opposition to it. [Long item PGN-truncated for RISKS.]
via NNSquad http://www.engadget.com/2016/06/07/fbi-ecpa-ammendment-browsing-metadata-no-warrant/ Tech companies and privacy advocates are warning against new legislation that would give the FBI the ability to access "electronic communication transactional records" (ECTRs) without a warrant in spy and terrorism cases. ECTRs include high-level information on what sites a person visited, the time spent on those sites, email metadata, location information and IP addresses. To gain access to this data, a special agent in charge of a bureau field office need only write a "national security letter" (NSL) that doesn't require a judge's approval.
NNSquad http://www.thedailybeast.com/articles/2016/06/10/dea-wants-inside-your-medical-records-to-fight-the-war-on-drugs.html The feds are fighting to look at millions of private files without a warrant, including those of two transgender men who are taking testosterone. Marlon Jones was arrested for taking legal painkillers, prescribed to him by a doctor, after a double knee replacement. Jones, an assistant fire chief of Utah's Unified Fire Authority, was snared in a dragnet pulled through the state's program to monitor prescription drugs after someone stole morphine from an ambulance in 2012. To find the missing morphine, cops used their unrestricted access to the state's Prescription Drug Monitor Program database to look at the private medical records of nearly 500 emergency services personnel--without a warrant.
Steven M. Bellovin, Matt Blaze, Susan Landau, Stephanie K. Pell It's Too Complicated: The Technological Implications of IP-Based Communications on Content/Non-Content Distinctions and the Third Party Doctrine http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2791646 For more than forty years, electronic surveillance law in the United States developed under constitutional and statutory regimes that, given the technology of the day, distinguished content from metadata with ease and certainty. The stability of these legal regimes and the distinctions they facilitated was enabled by the relative stability of these types of data in the traditional telephone network and their obviousness to users. But what happens to these legal frameworks when they confront the Internet? The Internet's complex architecture creates a communication environment where any given individual unit of data may change its status--from content to non-content or vice versa--as it progresses through the Internet's layered network stack while traveling from sender to recipient. The unstable, transient status of data traversing the Internet is compounded by the fact that the content or non-content status of any individual unit of data may also depend upon where in the network that unit resides when the question is asked.
http://www.newsweek.com/father-internet-worries-our-digital-history-disappearing-468642?utm_medium=email&utm_source=Father-of-the-Internet-Worries-Our-History-Is-Vani&utm_campaign=newsweek_email_newsletter This is a very serious problem.
FYI—The organized crime syndicate known as "Civil Asset Forfeiture" can now steal money from your bank accounts without a warrant using a new "ERAD" machine. "It shows [Oklahoma] is paying ERAD Group Inc., $5,000 for the software and scanners, then 7.7 percent of all the cash the highway patrol seizes." This is major escalation by the highwaymen from the older *red light camera scams* and *speed trap scams*. Aaron Brilbeck, News 9, 7 Jun 2016 [long item, pruned for RISKS. PGN] OHP Uses New Device To Seize Money Used During The Commission Of A Crime http://fusion.net/story/5055/red-light-camera-programs-coming-to-a-screeching-halt/ https://www.motorists.org/blog/7-ways-to-shut-down-a-speed-trap/ BTW, Cyrus Vance seems to be funding his anti-Fourth Amendment "Going Dark" campaign using civil asset forfeiture funds. Vance has thereby scored a hat-trick: using violations of the Fifth & Fourteenth Amendments to fund violations of the Fourth Amendment! http://www.nytimes.com/2015/11/08/nyregion/cyrus-vance-has-dollar-808-million-to-give-away.html https://en.wikipedia.org/wiki/Due_Process_Clause http://www.news9.com/story/32168555/ohp-uses-new-device-to-seize-money-used-during-the-commission-of-a-crime
NNSquad https://torrentfreak.com/takedown-staydown-would-be-a-disaster-internet-archive-warns-160607/ To end this cycle they're pushing for a new mechanism provisionally titled 'Takedown, Staydown' or 'Notice and Staydown'. This would order web platforms to ensure that once content is taken down it will never appear again on the same platform. These proposals are currently under review by the US Copyright Office. But while copyright holders feel this would be a great tool for them, it's perhaps unsurprising that content platforms are less enthusiastic. After weighing in earlier in the year, the latest warnings from the Internet Archive, a gigantic public repository of a wide range of media, are among the sternest yet. Noting that even the current system is regularly abused by those seeking to silence speech, the Archive says that on a daily basis it receives wrongful takedowns for content that is in the public domain, is fair use, or is critical of the content owner. Therefore, further extending takedown rights could prove extremely problematic. "We were very concerned to hear that the Copyright Office is strongly considering recommending changing the DMCA to mandate a 'Notice and Staydown' regime. This is the language that the Copyright Office uses to talk about censoring the web," the Archive warns.
NNSquad http://boingboing.net/2016/06/09/internet-greybeards-and-upstar.html#more-465741 This week, the Internet Archive is hosting a three-day event (which finishes today) called The Decentralized Web Summit, whose goal is to figure out how to build a new Internet that is "locked open," an idea that emerged from Internet Archive founder Brewster Kahle's 2015 series of talks and articles about how technologists can build networks and protocols that are resistant to attempts to capture, monopolize and control them. I attended the first two days, and the event was inspiring and brilliant. Speakers included Vint Cerf, one of the inventors of the core Internet technologies; and Tim Berners-Lee, who invented the Web. Executive Summary: I don't view this concept as generally practical, for a whole bunch of reasons, some of which are fairly obvious. There will likely be limited niche situations where it can be successfully applied, however. Foundational problems include the relative centralization and limited/oligarchical nature of ISPs and associated backbones (for technical, financial, and "political" reasons), the real-world issues associated with peering of high-volume traffic, and the infrastructure/operating costs associated with maintaining reliable circuits and systems. Note the failures of various community "mesh" environments to prove practical and reliable, for example. Protocols are not the fundamental problem in these contexts.
*Quartz*, 9 Jun 2016 Alexa will put up with just about anything. She has a remarkable tolerance for annoying behavior, and she certainly doesn't care if you forget your please and thank yous. But while artificial intelligence technology can blow past such indignities, parents are still irked by their kids' poor manners when interacting with Alexa, the assistant that lives inside the Amazon Echo. "I've found my kids pushing the virtual assistant further than they would push a human. [Alexa] never says `That was rude' or `I'm tired of you asking me the same question over and over again.'" said Avi Greengart, a tech analyst and father of five who lives in Teaneck, New Jersey. Perhaps she should, he thinks. http://qz.com/701521/parents-are-worried-the-amazon-echo-is-conditioning-their-kids-to-be-rude/
[Try not to fall off your chair laughing at this one!] *The Telegraph* via NNSquad http://www.telegraph.co.uk/news/2016/06/08/morocco-bans-reading-newspapers-in-public/ But in Morocco, reading newspapers in public has been banned after editors claimed they were losing millions in revenue because people kept sharing them. [I suppose the next step would be to ban reading newspapers online, because the editors would be losing millions in revenue when people keep reading the papers—and did not even have to share! But the next step after that would be to ban newspapers altogether, which has already been tried in other countries. PGN]
http://betanews.com/2016/06/07/snoopers-charter-vote/ The controversial Snooper's Charter—or the Investigatory Powers Bill as it is officially known—has been voted into law by UK MPs. An overwhelming majority of politicians (444 to 69) voted in favor of the bill which has been roundly criticized by both the public and technology companies. The Investigatory Powers Bill grants the UK government, security, and intelligence agencies greater powers for monitoring Internet usage, as well as permitting bulk data collection and remote hacking of smartphones. The law allows for the kind of mass surveillance that Edward Snowden warned about, and while the bill may have passed a majority vote, there are still those who fear not enough has been done to safeguard individuals' privacy. Ultimately, an unintended big boost for end-to-end encryption. [SuperDuperSnooperPooperScooperLooper? PGN] [See also http://www.chicagotribune.com/news/sns-wp-blm-britain-encrypt-41ce0ee2-2ce5-11e6-b9d5-3c3063f8332c-20160607-story.html ] [Henry Baker noted further coverage on this item: http://www.telegraph.co.uk/technology/2016/06/08/can-the-government-read-your-texts-how-the-snoopers-charter-will/ Lord Hague has predicted that Western societies will enact laws and regulations against unbreakable encryption—while conceding that the technology has always existed. "Let us spy on you or we'll choke off civil liberties." http://www.theregister.co.uk/2016/06/08/william_hague_infosec_keynote_speech/ ]
[After hearing about the OPM fiasco and so many recent data-gathering breaches, why is this surprising? PGN] *The Washington Post* reports that Russian government agents have attacked and penetrated the DNC (Democratic National Committee) network as well as candidate networks, including those of Hillary Clinton and Donald Trump, and some GOP PACs. The intruders so thoroughly compromised the DNC's system that they also were able to read all email and chat traffic, said DNC officials and the security experts. <https://www.washingtonpost.com/world/national-security/national-intelligence-director-hackers-have-tried-to-spy-on-2016-presidential-campaigns/2016/05/18/2b1745c0-1d0d-11e6-b6e0-c53b7ef63b45_story.html>. https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html
NNSquad https://community.letsencrypt.org/t/email-address-disclosures-preliminary-report-june-11-2016/16867 The result was that recipients could see the email addresses of other recipients. The problem was noticed and the system was stopped after 7,618 out of approximately 383,000 emails (1.9%) were sent. Each email mistakenly contained the email addresses from the emails sent prior to it. This kind of rudimentary error goes all the way back to early ARPANET days. It really inspires confidence in the Let's Encrypt operation - NOT!
Charlie Osborne for Zero Day | 14 Jun 2016 Thousands of emails were disclosed before the issue was noticed. http://www.zdnet.com/article/lets-encrypt-accidentally-leaks-user-email-data/
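The bug class behind this disclosure, as the preliminary report describes it (each message carrying the addresses of every message sent before it), is the textbook accumulating-list error. What follows is an added illustration written for this digest, not Let's Encrypt's code, which is not shown on the page; the subscriber addresses are constructed and the transport is a stub. It shows the buggy loop, the corrected loop, and the one-line pre-send check that stops such a run on the second message rather than after thousands.

```python
"""Added illustration, not Let's Encrypt's code: the accumulating-recipient
bug class behind mass-mail address disclosures, the fix, and a pre-send
check that fails closed.  Addresses below are constructed."""

SUBSCRIBERS = ["a@example.org", "b@example.org", "c@example.org", "d@example.org"]


class RecipientLeak(Exception):
    """Raised when a one-to-one notification is about to go to more than one address."""


def check_single_recipient(to):
    """Fail closed: every message in this campaign is addressed to exactly one
    subscriber, so anything else is a bug, not a delivery detail."""
    if len(to) != 1:
        raise RecipientLeak(f"refusing to send to {len(to)} recipients: {to}")


def send_batch_buggy(subscribers, send, guard=False):
    """The bug: the recipient list is built once, outside the loop, and only
    ever appended to, so message N also carries messages 1..N-1's addresses.
    (A mutable default argument such as `def mail(addr, to=[])` produces the
    same leak.)  Returns the recipient lists the transport was handed."""
    handed = []
    to = []                                 # BUG: shared across iterations
    for addr in subscribers:
        to.append(addr)
        if guard:
            check_single_recipient(to)      # stops the run on message 2
        send(to, "Subscriber notice")
        handed.append(list(to))
    return handed


def send_batch_fixed(subscribers, send):
    """The fix: a fresh single-element list per message, plus the guard."""
    handed = []
    for addr in subscribers:
        to = [addr]
        check_single_recipient(to)
        send(to, "Subscriber notice")
        handed.append(to)
    return handed


def leaked_addresses(handed):
    """Number of addresses shown to someone other than their owner."""
    return sum(len(to) - 1 for to in handed)


def stub_transport(to, body):
    """Stand-in for the mail transport; records nothing, sends nothing."""
    return None


if __name__ == "__main__":
    buggy = send_batch_buggy(SUBSCRIBERS, stub_transport)
    print("buggy:", [len(t) for t in buggy], "leaked", leaked_addresses(buggy))
    fixed = send_batch_fixed(SUBSCRIBERS, stub_transport)
    print("fixed:", [len(t) for t in fixed], "leaked", leaked_addresses(fixed))
    try:
        send_batch_buggy(SUBSCRIBERS, stub_transport, guard=True)
    except RecipientLeak as exc:
        print("guard:", exc)
```

The leak grows quadratically: N messages sent this way disclose N(N-1)/2 address-to-stranger pairs, so the 7,618 messages the report mentions amount to roughly 29 million such pairs even though the run was stopped at 1.9% of the list. That is why the guard belongs in the send path itself rather than in a post-run audit.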
Peter Sayer, ComputerWorld, 8 Jun 2016 Attackers could have rewritten logs of their Facebook Messenger chats with you to introduce falsehoods and malicious links http://www.computerworld.com/article/3080949/security/hackers-could-have-changed-facebook-messenger-chat-logs.html selected text: Roman Zaikin of Check Point Software Technologies discovered a flaw in Facebook's chat system that made it possible for an attacker to modify or remove any sent message, photo, file or link in a conversation they were part of. He demonstrated in a video how he could change an earlier message from an innocent "Hi!" to what could be a link to a ransomware attack. But the chat logs could just as easily have been modified to create (or suppress) evidence of a spouse's unreasonable behavior in child custody battles, or any number of other scenarios. "These chats can be admitted as evidence in legal investigations and this vulnerability opens the door for an attacker to hide evidence of a crime or even incriminate an innocent person," Check Point researchers wrote Tuesday, in a blog post describing the flaw.
Joseph Cox, Motherboard, 8 Jun 2016 With no warning, one of the world's largest criminal botnets—a massive collection of computers used to launch attacks—has disappeared. Researchers have reported huge drops in traffic for two of the most popular pieces of malware which rely on it. "We can only tell that the Dridex and Locky spam campaigns stopped since June 1 in our observation. We cannot confirm how the botnet was brought down yet," Joonho Sa, a researcher for cybersecurity company FireEye, told Motherboard in an email. Dridex is a piece of malware typically used to empty bank accounts, while Locky is a particularly widespread form of ransomware, which encrypts a victim's files until they pay a hefty bounty in bitcoin. The two campaigns have been linked in the past. It's not clear what exactly will happen to Locky victims now that its infrastructure has seemingly gone offline. There's a chance that those infected with the ransomware may be unable to successfully pay the criminals and have their files unlocked. http://motherboard.vice.com/read/one-of-the-worlds-largest-botnets-has-vanished
Nice list you have here. Be a real shame if something were to happen to it. For a mere $10,000, you can buy peace of mind from Gene's Protection Service. For protection at a price, you can't afford to refuse. Lucian Constantin, IDG News Service, 26 Apr 2016 There's no evidence that companies that declined to pay extortion fees to the Armada Collective were attacked, researchers say http://www.csoonline.com/article/3061411/security/empty-ddos-threats-earn-extortion-group-over-100-000.html selected text: Extorting money from companies under the threat of launching distributed denial-of-service attacks (DDoS) against their online properties has proven lucrative for cybercriminals. So much so that one group has managed to earn over $100,000 without any evidence that it's even capable of mounting attacks. Companies should be prepared to handle DDoS attacks, but giving into extortion is never recommended, because it encourages more cybercriminals to engage in this type of activity. And there's no guarantee that once you pay one group, another one won't come knocking.
http://news.softpedia.com/news/eu-exploring-idea-of-using-government-id-cards-as-mandatory-online-logins-505026.shtml According to this document, dated to May 25, 2016, the European Commission is exploring the theoretical possibilities of forcing online platforms and EU citizens into using government IDs as online identities.
A national radio network might have each local station broadcast its own commercial break for two minutes before returning to the national jingle and program. But what if some local stations' commercials only last 1:59? They end up switching back too early, sending the final one second of the capital city's commercials into the ears of local listeners, unbeknownst to engineers in the capital city. (Until I told them; BCC, Taiwan.)
> researchers at the University of Michigan haven't just imagined
> that computer security nightmare; they've built and proved it works.
> ... they detailed the creation of an insidious, microscopic
> hardware backdoor proof-of-concept.

Ken Thompson's Turing Award lecture "Reflections on Trusting Trust" describes creating a similar situation back in 1984. He modified the C compiler to insert a backdoor into the LOGIN code, and to insert that backdoor generator when the C compiler was recompiled, so there was no source code for the infiltration. http://cm.bell-labs.com/who/ken/trust.html I'd guess the chip layout toolset could be similarly infiltrated, particularly if it's binary only. It could even propagate forward if the update & upgrade systems collaborate.
You're certainly right that this doesn't solve the main problem. Still, it's plausible that the app creator is the data read from the cards. The linked article doesn't mention this nuance, but telling users not to install it isn't completely ridiculous. The barn door has been left open; please don't send photos of the cow to 4chan.
Back in the 1980s, Sperry installed a centralized traffic system along Long Island (NY)'s major highways (Long Island Expressway, Northern State ...) their service roads and local streets. The only visible part is the highway's informational signs and road sensors. When I toured the main facility, it was explained that it linked to side-street traffic lights to help shunt traffic around congestion. That was before GPS and smart phones with real time traffic updates. Perhaps there's some data awareness or sharing for better situational awareness and response. A friend in the fire dept told me that they have a device to get all green lights, but the feature is enabled ONLY AS REQUIRED ON A PER-USE BASIS. Abuse is not tolerated. It is monitored and audited. Just in case you wanted to create your own express "Lexus-lane", please do not. -- Jeffrey S Jonas
Enclosed and attached is the information relative to the 30th ISODARCO Winter Course (www.isodarco.it). We hope that you will find this information of interest and you will join us in this intellectually challenging experience. We also hope that you will pass this information to your friends and colleagues and forward it to your mailing list. Attached is a pdf poster that you can print on European or American standard paper sizes; we hope that you will kindly post it on your bulletin board. Thank you for your collaboration and best personal regards. Carlo Schaerf

ISODARCO <http://www.isodarco.it/>
INTERNATIONAL SCHOOL ON DISARMAMENT AND RESEARCH ON CONFLICTS
since 1966 - Italian Pugwash Group

30th Winter Course
ADVANCED AND CYBER WEAPONS SYSTEMS: TECHNOLOGY AND ARMS CONTROL
ANDALO (TRENTO), ITALY, 8-15 JANUARY 2017

Director of the School: Carlo Schaerf (ISODARCO, Rome, Italy).
Directors of the Course: Giampiero Giacomello (Department of Political Sciences SPS, University of Bologna, Italy); Riccardo Antonini (Technical Scientific Expert, Presidency of the Italian Council of Ministers, Rome, Italy).

The search for the ultimate weapon has always motivated military planners and engineers to exploit for military purposes new scientific discoveries and technological advances, thereby causing qualitative arms races. The breadth and pace of development in computers, networks, robotics and artificial intelligence suggests the emergence of new generations of weapons, in cyberspace and in the physical world, that will be compact, unmanned and, perhaps, with independent decision-making capability. Could the speed of action-reaction in future conflicts require putting humans "out-of-the-loop"? This conclusion would be quite dangerous, because autonomous weapon systems, in cyber and real space, will inevitably be prone to serious hardware limitations and unreliability, design and programming errors, deception, tampering or, simply, hacking.

This ISODARCO Course aims at understanding modern autonomous weapons technology as well as the possibilities and prospects of related arms control limitations. Long list of Principal Lecturers, more info, and online application available at http://www.isodarco.it/ [PGN-ed]
Please report problems with the web pages to the maintainer