Contact: Kit Walsh, Staff Attorney, email@example.com +1 415-436-9333 x162
Adam Schwartz, Senior Staff Attorney, firstname.lastname@example.org +1 415-436-9333 x176
Corynne McSherry, Legal Director, email@example.com +1 415-436-9333 x122

EFF Lawsuit Takes on DMCA Section 1201: Research and Technology Restrictions Violate the First Amendment
Future of Technology and How It's Used Is At Stake

The Electronic Frontier Foundation (EFF) sued the U.S. government today on behalf of technology creators and researchers to overturn onerous provisions of copyright law that violate the First Amendment.

EFF's lawsuit <https://www.eff.org/document/1201-complaint>, filed with co-counsel Brian Willen, Stephen Gikow, and Lauren Gallo White of Wilson Sonsini Goodrich & Rosati, challenges the anti-circumvention <https://www.eff.org/issues/drm> and anti-trafficking provisions of the 18-year-old Digital Millennium Copyright Act <https://www.eff.org/issues/dmca> (DMCA <https://www.eff.org/issues/dmca-rulemaking>). These provisions—contained in Section 1201 of the DMCA—make it unlawful for people to get around the software that restricts access to lawfully-purchased copyrighted material, such as films, songs, and the computer code that controls vehicles, devices, and appliances. This ban applies even where people want to make noninfringing fair uses of the materials they are accessing.

Ostensibly enacted to fight music and movie piracy, Section 1201 has long served to restrict people's ability to access, use, and even speak out about copyrighted materials—including the software that is increasingly embedded in everyday things. The law imposes a legal cloud over our rights to tinker with or repair the devices we own, to convert videos so that they can play on multiple platforms, remix a video, or conduct independent security research that would reveal dangerous security flaws in our computers, cars, and medical devices. It criminalizes the creation of tools to let people access and use those materials.
<https://www.eff.org/files/2014/09/16/unintendedconsequences2014.pdf> <https://www.eff.org/deeplinks/2015/01/who-will-own-internet-things-hint-not-users> <https://www.eff.org/deeplinks/2016/01/why-owning-your-stuff-means-owning-your-digital-freedom> <https://www.eff.org/deeplinks/2015/11/new-dmca-ss1201-exemption-video-games-closer-look> <https://www.eff.org/deeplinks/2015/07/jeep-hack-shows-why-dmca-must-get-out-way-vehicle-security-research> <https://www.eff.org/deeplinks/2016/04/pacemakers-and-piracy-why-dmca-has-no-business-medical-implants>

Copyright law is supposed to exist in harmony with the First Amendment. But the prospect of costly legal battles or criminal prosecution stymies creators, academics, inventors, and researchers. In the complaint filed today in U.S. District Court in Washington D.C., EFF argues that this violates their First Amendment right to freedom of expression.

EFF Staff Attorney Kit Walsh: "The creative process requires building on what has come before, and the First Amendment preserves our right to transform creative works to express a new message, and to research and talk about the computer code that controls so much of our world. Section 1201 threatens ordinary people with financial ruin or even a prison sentence for exercising those freedoms, and that cannot stand."

EFF is representing plaintiff Andrew 'bunnie' Huang, a prominent computer scientist and inventor, and his company Alphamax LLC, where he is developing devices for editing digital video streams. Those products would enable people to make innovative uses of their paid video content, such as captioning a presidential debate with a running Twitter comment field or enabling remixes of high-definition video. But using or offering this technology could run afoul of Section 1201. <http://www.bunniestudios.com/blog/>

Huang: "Section 1201 prevents the act of creation from being spontaneous. Nascent 1201-free ecosystems outside the U.S. are leading indicators of how far behind the next generations of Americans will be if we don't end this DMCA censorship. I was born into a 1201-free world, and our future generations deserve that same freedom of thought and expression."

EFF is also representing plaintiff Matthew Green, a computer security researcher at Johns Hopkins University who wants to make sure that we all can trust the devices that we count on to communicate, underpin our financial transactions, and secure our most private medical information. Despite this work being vital for all of our safety, Green had to seek an exemption from the Library of Congress last year for his security research. <https://www.cs.jhu.edu/faculty/matthew-d-green/>

Walsh: "The government cannot broadly ban protected speech and then grant a government official excessive discretion to pick what speech will be permitted, particularly when the rulemaking process is so onerous. If future generations are going to be able to understand and control their own machines, and to participate fully in making rather than simply consuming culture, Section 1201 has to go."

For the complaint: https://www.eff.org/document/1201-complaint
For this release: https://www.eff.org/press/releases/eff-lawsuit-takes-dmca-section-1201-research-and-technology-restrictions-violate

Electronic Frontier Foundation, 815 Eddy Street, San Francisco, CA 94109 USA. EFF appreciates your support and respects your privacy <https://www.eff.org/policy>.
https://www.wired.com/2016/07/snowden-designs-device-warn-iphones-radio-snitches/ On Thursday at the MIT Media Lab, Snowden and well-known hardware hacker Andrew "Bunnie" Huang plan to present designs for a case-like device that wires into your iPhone's guts to monitor the electrical signals sent to its internal antennas. The aim of that add-on, Huang and Snowden say, is to offer a constant check on whether your phone's radios are transmitting.

If you know anything about RF leakage and analysis, you should be laughing your butt off like I am right now. Talk about playing people for suckers. One obvious flaw—"extraneous" transmissions to leak data from phones aren't even necessary. All you have to do is salt away the goodies in memory and transmit them in the course of "routine" communications in bulk form later. Hell, I even noted this in my very first YouTube video "Is your cell phone bugged?" (which, I just discovered, is still the top YouTube Search result for that search, and now has more than a million views). I made that thing back almost 10 years ago, long before most people had phones even capable of running what we call malware now, when the odds of being bugged that way were extremely low: https://www.youtube.com/watch?v=ujosfSkHFrQ ("Is your cell phone bugged?")
<https://news.slashdot.org/story/16/07/11/2041203/mit-says-their-anonymity-network-is-more-secure-than-tor> reporting on an article in PC Magazine: Following the recent vulnerabilities in Tor, <https://yro.slashdot.org/story/16/07/08/2034209/researchers-discover-over-100-tor-nodes-designed-to-spy-on-hidden-services> ...researchers at MIT's Computer Science and Artificial Intelligence Laboratory and the Ecole Polytechnique Federale de Lausanne have been working on a new anonymity network that they say is more secure than Tor. <http://www.pcmag.com/news/345994/mit-researchers-devise-new-anonymity-network-following-tor-b> While the researchers are planning to present their new system, dubbed Riffle, at the Privacy Enhancing Technologies Symposium later this month, <https://petsymposium.org/> ...they did say the system uses existing cryptographic techniques, but in new ways. A series of servers are what make up Riffle, each of which "permutes the order in which it receives messages before passing them on to the next," according to a news release. <http://news.mit.edu/2016/stay-anonymous-online-0711> "For instance, messages from senders Alice, Bob, and Carol reach the first server in the order A, B, C, that server would send them to the second server in a different order—say C, B, A. The second server would permute them before sending them to the third, and so on." Nobody would know which was which by the time they exited the last server. Both Tor and MIT's anonymity network use onion encryption. Riffle uses a technique called verifiable shuffle in addition to onion encryption to thwart tampering and prevent adversaries from infiltrating servers with their own code. Last but not least, it uses authentication encryption to verify the authenticity of an encrypted message. The researchers say their system provides strong security while using bandwidth much more efficiently than similar solutions.
The high bit: hospitals can be fined if they are infected with ransomware (or any malware). The U.S. government quietly released a fact sheet on ransomware and patient health information (PHI) last week. The Office of Civil Rights (OCR) at Health and Human Services distributed a document that represents a sea change in policy on breaches due to malware. In particular, OCR explains how malware that encrypts PHI (e.g., ransomware that breaks into a medical device or clinical information system) is considered a breach because the chain of custody was compromised. Moreover, OCR artfully explains how full-disk encryption alone is not sufficient to show a low probability of a breach of PHI. OCR offers tips on their expectations of forensics to show a low probability of a breach (and therefore avoid fines). More information at these two URLs: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html http://go.virtalabs.com/ocr-ransomware
Zack Whittaker for Zero Day, Jun 28 2016 The patent could prevent iPhone camera from being able to record concerts and classified facilities. Could it be used to prevent recording of protests? http://www.zdnet.com/article/apple-granted-patent-allowing-iphone-camera-to-be-remotely-disabled/ selected text: The patent ... allows an iPhone or iPad camera to receive infrared data that can be used to transmit information about an object or a place—like providing guided tours for a museum exhibit, or offering virtual coupons in a store or retail outlet. But on the flip side, the patent notes that the same system can be used to prevent capturing images or videos—such as "a concert or a classified facility," by transmitting a signal that would disable a phone's recording feature. That means just as a singer or performer could prevent illegal pictures or streams from being made, customs officials would be able to block anyone taking photos at a port of entry or a border. What's to say that the technology, if it ever makes it past the drawing board, won't be used by police to prevent photos and videos from protests? [Earlier item from Gene: John Ribeiro, InfoWorld, 21 Jul 2016 Apple recently got a patent for infrared technology that petitioners fear could be used to censor political dissidents, activists, and citizens who are recording police brutality] http://www.infoworld.com/article/3098393/security/petition-urges-apple-not-to-release-technology-for-jamming-phone-cameras.html
On the day of the Eusprig conference: http://www.ft.com/cms/s/0/1fc57f26-4467-11e6-9b66-0712b3873ae1.html#axzz4E7KHOGtl Mark Vandevelde, FT, 7 Jul 2016 Marks & Spencer takes back shop-soiled figures "It is not good," Helen Weir, M&S's chief financial officer, told the *Financial Times* after the error was discovered. She said she was *shocked* when she found out that double-counting in a spreadsheet had led M&S to say that sales had risen 1.3 per cent in the three months to July, when they had actually fallen 0.4 per cent. This is not just a spreadsheet error, this is a Marks & Spencer spreadsheet error... (Thanks to Simon Hurst for that line!) Patrick O'Beirne, Systems Modelling Ltd, XLTest Spreadsheet Auditing http://XLTest.com http://ie.linkedin.com/in/patrickobeirne mob:+353 86 835 2233
Michael Kan, PC World, 15 Jul 2016 Symantec has noticed a "call-barring" function in a newer version of Android malware http://www.pcworld.com/article/3095965/security/this-android-trojan-blocks-the-victim-from-alerting-banks.html selected text: A new Trojan that can steal your payment data will also try to stymie you from alerting your bank. Security vendor Symantec has noticed a "call-barring" function within newer versions of the Android.Fakebank.B malware family. By including this function, a hacker can delay the user from canceling any payment cards that have been compromised, the company said in a blog post. If the customer service numbers of certain banks are dialed, the Trojan will cancel the call, Symantec said. Instead, users will have to use email or another phone to reach their banks.
Katherine Noyes, InfoWorld, 15 Jul 2016 Salesforce 'has to draw the line somewhere,' one analyst says http://www.infoworld.com/article/3095833/cloud-computing/salesforce-update-will-leave-most-android-users-out-in-the-cold.html selected text: An upcoming update to the Salesforce1 mobile app will dramatically reduce the number of supported devices and effectively leave users of all but the latest and most popular devices out in the cold. With its Winter '17 release, due to arrive this October, Salesforce is dropping support for all Android phones except the Samsung Galaxy S5, S6, and S7 along with the Samsung Galaxy Note 4, Google Nexus 5X, and Google Nexus 6P. Following the update, the Salesforce1 downloadable app and the mobile browser app will continue to function as normal on the newly dropped devices, giving users "time to upgrade to a Salesforce1-supported device," the announcement notes. But Salesforce will no longer provide technical support, bug fixes or enhancements. Essentially, Salesforce is focusing its mobile efforts on the latest and most popular devices, it said. Among users of soon-to-be-excluded devices, however, there are already signs on Twitter of some discontent. Holey crap. My brand new Android phone will no longer be supported on the @Salesforce 1 mobile app in a few months. Not cool Salesforce. JodieM (@jodiem) 13 Jul 2016
https://news.slashdot.org/story/16/07/01/2337214/security-researcher-publishes-how-to-guide-to-crack-android-full-disk-encryption He published a step-by-step guide on how one can break down the encryption protections on Android devices powered by Qualcomm Snapdragon processors. The source of the exploit is posted on Github. Android's disk encryption on devices with Qualcomm chips is based only on your password. However, Android uses your password to create a 2048-bit RSA key (KeyMaster) derived from it instead. Qualcomm specifically runs in the Snapdragon TrustZone to protect critical functions like encryption and biometric scanning, but Beniamini discovered that it's possible to exploit a security flaw and retrieve the keys from TrustZone. Qualcomm runs a small kernel in TrustZone to offer a Trusted Execution Environment known as Qualcomm Secure Execution Environment (QSEE), which allows small apps to run inside of QSEE away from the main Android OS. Beniamini has detailed a way for attackers to exploit an Android kernel security flaw to load their own QSEE app inside this secure environment, thereby exploiting a privilege escalation flaw and hijacking the complete QSEE space, including the keys generated for full disk encryption.

Later item from LW, 7 Jul 2016: Android Keystore Encryption Scheme Broken, Researchers Say https://threatpost.com/android-keystore-encryption-scheme-broken-researchers-say/119092/ The default implementation for KeyStore, the system in Android designed to store user credentials and cryptographic keys, is broken, researchers say. In an academic paper published this week, researchers argue that the particular encryption scheme that KeyStore uses fails to protect the integrity of keys and could be exploited to allow an attacker to modify stored keys through a forgery attack.
Michael Kan, PC World, 7 Jul 2016 A muffled voice buried in a YouTube video can take over your phone, researchers say http://www.pcworld.com/article/3092493/security/heres-how-secret-voice-commands-could-hijack-your-smarthphone.html opening text: Kitten videos are harmless, right? Except when they take over your phone. Researchers have found something new to worry about on the internet. It turns out that a muffled voice hidden in an innocuous YouTube video could issue commands to a nearby smartphone without you even knowing it.
https://consumerist.com/2016/07/13/study-98-of-us-will-sign-away-our-firstborn-because-we-dont-read-the-terms-of-service/ No surprise; of course companies assume/hope we won't read these. Even though I've read tedious stuff—found error on page 99 of a corporate merger document; lawyer remarked he's never seen a corporate officer read one. Found errors in 100+ page refinance package; declined some UA program because of egregious T&Cs—mostly sigh and click these without reading. Hate doing that but who can spend the time parsing a thousand lines of boilerplate blather—and you can't x out disliked material, so what's the point other than forgoing almost everything online? Gabriel Goldberg, Computers and Publishing, Inc. firstname.lastname@example.org 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
Dan Goodin, reported on Ars Technica <https://it.slashdot.org/story/16/07/11/2041249/password-reuse-tool-makes-it-easy-to-id-vulnerable-accounts-on-other-sites>

Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there's software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites. <http://arstechnica.com/security/2016/07/password-reuse-tool-makes-it-easy-to-id-vulnerable-accounts-on-other-sites/> Shard, as the command-line tool has been dubbed, <https://github.com/philwantsfish/shard> ...is designed to allow end users to test if a password they use for one site is also used on Facebook, LinkedIn, Reddit, Twitter, or Instagram, its creator, Philip O'Keefe, told Ars. The security researcher said he developed the tool after discovering that the randomly generated eight-character password protecting several of his accounts was among the more than 177 million LinkedIn passwords that were leaked in May. "I used that password as a general password for many services," he wrote in an e-mail. "It was a pain to remember which sites it was shared and to change them all. I use a password manager now."

[ reader "LieutenantLefse" commented on ArsTechnica's forum ...]

Mistrose wrote:
> Can we stop pushing that line "Readers are once again advised to use
> a password manager to store a unique, randomly generated password
> that's a minimum of 10 characters long and contains a mix of upper-
> and lower-case letters, numbers and special characters. Whenever
> possible, people should also use multi-factor authentication" ...
> Length is enough, as long as (a) dictionary words aren't used ...

You've called out one password misconception and perpetuated another.
You're right that it's easier to remember 14 random lowercase letters than 10 random keyboard chars (with upper/lower/numbers/punctuation). But it's even easier to memorize 5 of the 10,000 most common dictionary words, and that's more secure than either (of course the words must be chosen randomly). Compare 26^14, 94^10, and 10000^5. That said I only memorize a few key passphrases and use a password manager for the rest - which has over 70 entries and growing. (I couldn't memorize them all if they were 1 char each.)
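As an added illustration of the comparison in the comment above (not code from the Ars thread or from Shard), the following Python computes the entropy of each of the three schemes, 26^14, 94^10 and 10000^5, and draws a passphrase the way the commenter describes, with uniformly random picks from a wordlist. The 16-entry wordlist is a constructed stand-in; only a real list of about 10,000 distinct words gives the figure discussed above.

```python
"""Entropy of the three password schemes compared in the comment above."""
import math
import secrets
from typing import Dict, Sequence


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly and independently
    from an alphabet of `alphabet_size` symbols: log2(alphabet_size ** length)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


# The three schemes from the comment: 26^14, 94^10 and 10000^5.
SCHEMES = {
    "14 random lowercase letters": (26, 14),
    "10 random printable ASCII characters": (94, 10),
    "5 random words from a 10,000-word list": (10000, 5),
}


def compare_schemes() -> Dict[str, float]:
    """Entropy in bits for each scheme."""
    return {name: entropy_bits(n, k) for name, (n, k) in SCHEMES.items()}


def strongest_scheme() -> str:
    """Name of the scheme with the most entropy."""
    scores = compare_schemes()
    return max(scores, key=scores.get)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker who enumerates the whole space at the
    given rate: on average half the space has to be searched."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def generate_passphrase(wordlist: Sequence[str], n_words: int = 5, sep: str = " ") -> str:
    """Draw n_words uniformly at random, with replacement, using the OS CSPRNG.

    The estimate n_words * log2(len(wordlist)) only holds when every entry is
    distinct and every pick is uniform; secrets.choice gives the uniform pick,
    and the duplicate check guards the first condition."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist contains duplicates; the entropy estimate would overstate strength")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed stand-in wordlist (16 entries, so 5 words give only 20 bits);
# a real 10,000-word list is what yields the ~66 bits discussed above.
SAMPLE_WORDS = [
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
]


if __name__ == "__main__":
    for name, bits in sorted(compare_schemes().items(), key=lambda kv: -kv[1]):
        print(f"{bits:5.1f} bits  {name}")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The three schemes land within a bit of each other (roughly 65.5 to 66.4 bits), which is the commenter's point: length and uniform random choice matter, character-class rules do not.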
Here's another reminder that we shouldn't believe everything we watch on the Internet. You may remember the sensational viral video <https://www.youtube.com/watch?v=-m3N_BnVdOI> from two years ago, in which a man, after jumping off a cliff and into the Sydney Harbour, has a close call with a great white shark. The footage, filmed with a GoPro, is gripping. The man can be heard gurgling and screaming in the water as he fights off the shark. Or you may remember a video <https://www.youtube.com/watch?v=vT_PNKg3v7s> from earlier this year, in which a girl, snowboarding down a slope in the Japanese Alps, is chased by a great bear—but is totally oblivious to it because she was singing Rihanna. Or perhaps this video <https://www.youtube.com/watch?v=QuCiScr2tz8> of a selfie stick fight aboard a boat between an American and Japanese tourist, with the Japanese tourist throwing the American overboard. These viral videos, along with five other viral videos, have been watched a total of over 205 million times all over the world. They have also been broadcast internationally on NBC, Fox, CBS, CNN, Sky News and ABC (US), according to the Guardian. <https://www.theguardian.com/technology/2016/jul/12/faking-it-headline-making-viral-video-hoaxes-were-funded-by-screen-australia>. But here's the thing: the videos were all fake.
These days, many of us regularly feed pieces of ourselves into machines for convenience and security. Our fingerprints unlock our smartphones, and companies are experimenting with more novel biometric markers—voice, heartbeat, grip—as ID for banking and other transactions. But there are almost no laws in place to control how companies use such information. Nor is it clear what rights people have to protect scans of their retinas or the contours of their face from cataloging by the private sector. To read the entire article, go to http://bloom.bg/29jRkSG
Ars via NNSquad http://arstechnica.com/security/2016/07/software-flaw-puts-mobile-phones-and-networks-at-risk-of-complete-takeover/ A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday. The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One.
Study: 78% of Resold Drives Still Contain Readable Personal or Business Data <https://hardware.slashdot.org/story/16/06/29/0320257/study-78-of-resold-drives-still-contain-readable-personal-or-business-data> (Posted by BeauHD on Wednesday June 29, 2016) itwbennett writes: Blancco Technology Group, which specializes in data erasure, bought 200 secondhand PC storage drives (PDF)... <https://consumermediallc.files.wordpress.com/2016/06/datastudy.pdf> ...from eBay and Craigslist to see if they could recover any of the old data saved inside. Their findings: 78 percent of the drives contained residual data that could be recovered, <https://consumerist.com/2016/06/28/study-78-of-resold-drives-still-contain-readable-personal-or-business-data/> ...67 percent still held personal files, such as photos with location indicators, resumes and financial data, and 11 percent of the drives also contained company data, such as emails, spreadsheets and customer information. Only 10 percent had all the data securely wiped, Blancco said. The Consumerist points out that Blancco makes their money... <http://www.blancco.com/en> ...from promising secure data erasure, so the company has a "strong and vested interest in these results." As for why so many of the drives contain unwanted information, the report says it has to do with the difference between "deleting" data and "erasing" data. Your files aren't actually deleted when you drag them to the Trash or Recycle Bin, or by using the delete key—shocking, I know. You can format a drive to erase the data, but you have to be careful of the format commands being used. A quick format, which was used on 40% of the drives in the sample, still leaves some residual data on the drive for someone to possibly access. A full format, which was used on 14% of the drives, will do a better job in removing unwanted files, but it too may still miss some crucial information. The solution Blancco recommends: buy a tool to perform complete data erasure.
Lucian Constantin, 20 Jul 2016 The patches address flaws in more than 80 products http://www.computerworld.com/article/3098024/security/oracle-issues-largest-patch-bundle-ever-fixing-276-security-flaws.html opening text: Oracle has released a new quarterly batch of security updates for more than 80 products from its software portfolio, fixing 276 vulnerabilities. This is the largest Oracle Critical Patch Update (CPU) to date. The average number of flaws fixed per Oracle update last year was 161, according to security vendor Qualys. Furthermore, out of the 276 security flaws fixed in this update, 159 can be exploited remotely without authentication. At the top of the priority list should be the Java patches, which address 13 new vulnerabilities. That's because Java is used in a lot of applications and is installed on a large number of systems.
http://arstechnica.com/information-technology/2016/07/how-oracles-business-as-usual-is-threatening-to-kill-java/ Oracle employees that worked on Java EE have told others in the community that they have been ordered to work on other things. There has also been open talk of some Java EE developers "forking" the Java platform, breaking off with their own implementation and abandoning compatibility with the 20-year-old software platform acquired by Oracle with the takeover of Sun Microsystems six years ago. Yet Oracle remains silent about its plans for Java EE even as members of the governing body overseeing the Java standard have demanded a statement from the company. "It's a dangerous game they're playing," Geir Magnusson, an independently elected member of the Java Community Process Executive Committee, told Ars. "It's amazing--there's a company here that's making us miss Sun." Frankly, the sooner we can get out from under Java for both client and server apps, the better.
Richard Chirgwin, *The Register* via SlashDot (Posted by manishs on Monday July 04, 2016) <https://it.slashdot.org/story/16/07/04/1918235/lenovo-scrambling-to-get-a-fix-for-bios-vulnerability> Lenovo, and possibly other PC vendors, are exposed to a UEFI bug that can be exploited to disable firmware write-protection. <http://www.theregister.co.uk/2016/07/04/lenovo_scrambling_to_get_a_fix_for_bios_vuln/> If the claims made by Dmytro Oleksiuk at Github are correct, an attacker can "disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise." The reason Oleksiuk believes other vendors are also vulnerable is that the buggy code is inherited from Intel. <http://www.theregister.co.uk/2016/07/04/lenovo_scrambling_to_get_a_fix_for_bios_vuln/> He writes that the SystemSmmRuntimeRt was copied from Intel reference code. Lenovo complains in its advisory that it tried to make contact with Oleksiuk before he published the vulnerability. The company says the vulnerable System Management Mode software came from an upstream BIOS vendor—making it likely that other vendors getting BIOS software from the same outlet will also be vulnerable. There's also a hint that Lenovo agrees with a speculation by Oleksiuk, that the code may be an intentional backdoor: "Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code."
[ The Thought-Police is alive ... and busier than ever ] <https://yro.slashdot.org/story/16/07/03/1731226/a-new-corporate-ai-can-read-your-emails---and-your-mind> (Posted by EditorDavid on Sunday July 03, 2016) "Okay, as of last night, who were the people who were most disgruntled...? Show me the top 10." An anonymous Slashdot reader shares their report on a fascinating Fortune magazine article: "One company says it can spot 'insider threats' before they happen—by reading all your workers' email." Working with a former CIA consultant, Stroz Friedberg developed a software that "combs through an organization's emails and text messages... <http://fortune.com/insider-threats-email-scout/> -- millions a day, the company says—looking for high usage of words and phrases that language psychologists associate with certain mental states and personality profiles... "Many companies already have the ability to run keyword searches of employees' emails, looking for worrisome words and phrases like 'embezzle' and 'I loathe this job'. But the Stroz Friedberg software, called Scout, aspires to go a giant step further, detecting indirectly, through unconscious syntactic and grammatical clues, workers' anger, financial or personal stress, and other tip-offs that an employee might be about to lose it... It uses an algorithm based on linguistic tells found to connote feelings of victimization, anger, and blame." The article reports that 27% of cyber-attacks "come from within," according to a study of 562 org.
<https://games.slashdot.org/story/16/07/04/170259/steam-warns-users-against-gambling-site-after-youtube-stars-discovered-as-owners> (Posted by manishs on Monday July 04, 2016) Tom Phillips, reporting for EuroGamer: Steam has begun warning users not to use a high-profile Counter-Strike: GO gambling website after its ownership turned out to be two YouTube stars <http://www.eurogamer.net/articles/2016-07-04-youtube-stars-criticised-after-it-emerges-they-owned-gambling-site-they-promoted> -- who were also using YouTube to promote the site. Trevor "TmarTn" Martin and Tom "Syndicate" Cassell are listed in newly-uncovered business records as the president and vice-president, respectively, of online gambling site CS:GO Lotto. The news of CS:GO Lotto's ownership came as a surprise to viewers who have watched the pair promote the site on their channels, where both YouTube stars can be seen gambling—and winning big money—while using it. Neither had publicly disclosed their full roles in the site. TmarTn had not even disclosed his videos as being promotional tools. Attempt to log in to CS:GO Lotto now and you are greeted with the following warning message: "The URL you are attempting to log in to has been blocked by our moderators and staff. This site may be engaged in phishing, scamming, spamming, or delivering malware."
Zack Whittaker for Zero Day, ZDNet, 19 Jul 2016 Its transparency reports only include data demands to its cloud-stored data. http://www.zdnet.com/article/alexa-have-you-been-wiretapped-by-the-fbi/ selected text: Earlier this year, Gizmodo filed a freedom of information (FOIA) request with the FBI to see if the agency had wiretapped an Echo as part of a criminal investigation. The FBI neither confirmed nor denied whether it tapped the Echo.
https://techcrunch.com/2016/07/01/security-researcher-gets-threats-over-amazon-review/ Amazon retailers sometimes go to extreme lengths to guarantee good reviews, as security developer Matthew Garrett recently discovered when he wrote a one-star review of an internet-connected electric socket. When Garrett politely pointed out that the socket in question was woefully insecure, he received emails from the manufacturer claiming that the review would get employees fired and that other reviewers were campaigning to get Garrett's review taken down. The socket in question is the AuYou Wi-Fi Switch, a $30 device that lets you turn the power from a wall outlet on and off using your phone. It's a nice way to turn your lights on and off if you don't want to invest in smart bulbs, or to turn other plugged-in devices on and off. The AuYou Switch works whether or not you're home—so you can switch your lights on in your apartment while you're still in your office. But like so many Internet of Things devices, the AuYou switch seems to have a serious security flaw. As Garrett explains in his review, if your phone is connected to your home Wi-Fi, it sends the on/off command to the socket directly. But if you're not home, your phone sends the command to a server in China, which then passes the command along to the socket. "The command packets look like they're encrypted, but in reality there's no real cryptography here at all," Garrett explained in his review.
Zack Whittaker for Zero Day, ZDNet, 20 Jul 2016 The critical flaw gives an attacker 'full control' of all connected devices. http://www.zdnet.com/article/hidden-backdoor-account-found-in-dell-network-security-software/
Imagine you've arrived at a concert venue and staked out the optimal spot. You think you're all set until the person in front of you whips out their phone when the show starts to record video and take pictures through the whole damn show, and now it's too crowded for you to move. It's probably something you've experienced at least once given you're here at Stereogum reading about music. Not even tall folks (excluding our own Tom Breihan) are exempt from the Statue Of Liberty phone hold. But Apple has finally obtained a patent after five years that may prevent that from happening in the future. ... So that might be OK—assuming the technology is used /only/ at concerts and doesn't extend to, like, disabling phone cameras during instances of police brutality and/or sociopolitical/religious unrest. If my concert experience has to suck in order to see and hopefully prevent the next Oscar Grant, Eric Garner, or Walter Scott from being killed in the future, then so be it. http://www.stereogum.com/1885570/apple-patents-technology-to-disable-iphone-cameras-at-concerts/news/ <https://www.youtube.com/watch?v=Q2LDw5l_yMI> <https://www.theguardian.com/us-news/video/2014/dec/04/i-cant-breathe-eric-garner-chokehold-death-video>, <http://www.nbcnews.com/storyline/walter-scott-shooting/man-who-recorded-walter-scott-being-shot-speaks-out-n338126>
(Posted by BeauHD on Thursday June 30, 2016) <https://yro.slashdot.org/story/16/06/30/0340220/congressman-wants-ransomware-attacks-to-trigger-breach-notifications> Trailrunner7 quotes a report from On the Wire: A powerful California congressman is pushing the federal government to treat ransomware attacks on medical facilities as data breaches... <https://www.onthewire.io/ransomware-attacks-may-trigger-breach-notifications/> ...and require notifications of patients. The pressure is coming from Rep. Ted Lieu (D-Calif.) and follows comments from officials at the Department of Health and Human Services about the department's plan to issue guidance to health care organizations about ransomware attacks. The Office for Civil Rights section of HHS, which has responsibility for health information privacy, will provide guidance on how to handle ransomware attacks, and Lieu is eager to ensure that the guidance specifically addresses how ransomware attacks relate to data breach regulations. "I welcome the news of HHS providing guidance to health providers on a matter that threatens so many hospital IT systems. However, we need to make clear that ransomware is not the same as conventional breaches. The threat to patients from ransomware is typically due to the denial of access to their medical records and medical services. Not only could this be a threat to privacy, but it could result in medical complications and deaths if hospitals can't access patient information," Lieu said in a statement. He sent a letter... <https://lieu.house.gov/sites/lieu.house.gov/files/LIEU%20HURD%20HHS%20RANSOMWARE.pdf> ...to the deputy director for health information privacy in the Office of Civil Rights at HHS, Deven McGraw, asking him to instruct health organizations and providers to notify patients of an attack if it results in a denial of access to a medical record or a loss of functionality that's necessary to provide patient care. 
In the past, Lieu has called for a full congressional investigation... <http://www.dailydot.com/layer8/ted-lieu-oversight-vulnerability-disclosure/> ...into the aforementioned widespread flaw in global phone networks that allows hackers to track anyone's location and spy on their phone calls and text messages. He was also one of the first lawmakers to publicly express his pro-encryption view... <https://yro.slashdot.org/story/16/02/17/1347207/congressman-court-order-to-decrypt-iphone-has-far-reaching-implications> ...after a federal judge ordered Apple to help the FBI break into the San Bernardino shooter's iPhone, saying it effectively "forces private-sector companies like Apple to be used as an arm of law enforcement."
Eleven years ago I replied to an item here about the problem of having a nonsynchronized date and time if the date and time call is not atomic, i.e., the date and time are not obtained in a single operation, with the possibility that midnight could roll over between the date request and the time request, which could lead to embarrassing results - or worse - where someone receives a report with today's date but the time of the report is near midnight. Well, first, that probability is very low. In the original article I posted here, writing a simple program using GWBasic under DOS (Windows 95 wouldn't even exist for another six months), and using an ordinary 386/40 processor on interpreted Basic, it could make 3,023 date and time requests, and using Turbo Pascal (which is compiled) the worst count was 6,200 requests, indicating for a program run every day, the probability it might happen is once in 16.9 years. Second, today I tried the same kind of loop using an old program, Visual Basic 6, and an old computer, a 3.1 GHz 64-bit quad-core processor I bought used about 4 years ago, and for doing date-time non-atomic requests, the number of request pairs I could do in one second ranged from a low of just over 547,000 to about 551,500. So the probability is even lower these days. But, it's still not nil. Is there a simple way to guarantee it cannot happen? And as it turns out, there is. So there is a simple way to solve the problem no matter what speed the computer runs at, and it requires three operations in a certain order.

1. Collect the date
2. Collect the time
3. Collect the date again

Now, if the hour is 1 to 23, it can't have rolled over between events 1 and 2, so use the first date value. If the hour is 0, i.e., midnight or later, it might have rolled over, so use the second date value as a precaution. Or simply, test for the hour being zero; if so, use date 2, else use date 1. 
The nice thing about this is all you have to look at is the hour, you don't have to compute or calculate anything, and you don't have to worry whether or not the date rolled over, whether it has or not is completely irrelevant.  "Date and Time Not Matching in COBOL", RISKS-16.70, 3 Jan 1995 Paul Robinson <email@example.com> - http://paul-robinson.us (My blog)
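The following is an added example, not code from Paul Robinson's post: a simulated clock (the SplitClock class, the scenario constants and the demo() function are all constructed here for illustration) that hands out the date and the time-of-day in two separate reads, so the midnight rollover he describes can be forced deterministically. It runs the naive date-then-time pair and the date/time/date fix across a read pair that straddles midnight and a read pair at midday, and reports whether each stamp names the same day as the instant the time was actually read.

```python
"""Simulate non-atomic date/time reads and verify the date, time, date fix.
Added example; the simulated clock and scenarios are constructed, not from
the original post."""
from datetime import datetime, timedelta


class SplitClock:
    """Constructed stand-in for an OS that returns the date and the time-of-day
    from two separate calls.  Each read returns the current simulated instant
    and then advances it by `tick`, so a date read followed by a time read can
    straddle midnight exactly as two real calls could."""

    def __init__(self, start: datetime, tick: timedelta) -> None:
        self.now = start
        self.tick = tick
        self.time_read_at = None  # true instant of the most recent read_time()

    def _read(self) -> datetime:
        instant = self.now
        self.now += self.tick
        return instant

    def read_date(self):
        return self._read().date()

    def read_time(self):
        instant = self._read()
        self.time_read_at = instant
        return instant.time()


def naive_stamp(clock: SplitClock) -> datetime:
    """Date, then time.  If midnight falls between the two reads the result
    carries yesterday's date with a time just after 00:00."""
    d = clock.read_date()
    t = clock.read_time()
    return datetime.combine(d, t)


def safe_stamp(clock: SplitClock) -> datetime:
    """The post's fix: date, time, date again.  Only when the hour is 0 can the
    day have rolled over between the first two reads, and in that case the
    second date read already lies on the new day."""
    d1 = clock.read_date()
    t = clock.read_time()
    d2 = clock.read_date()
    return datetime.combine(d2 if t.hour == 0 else d1, t)


def is_consistent(stamp_fn, start: datetime, tick: timedelta) -> bool:
    """Stamp once with `stamp_fn` on a clock starting at `start` and report
    whether the stamp names the same day as the instant the time was read."""
    clock = SplitClock(start, tick)
    stamp = stamp_fn(clock)
    return stamp.date() == clock.time_read_at.date()


# Constructed scenarios: each call costs 1 ms; the first starts half a
# millisecond before midnight so the date and time reads land on different days.
ROLLOVER_START = datetime(2016, 7, 1, 23, 59, 59, 999_500)
MIDDAY_START = datetime(2016, 7, 1, 12, 0, 0)
TICK = timedelta(milliseconds=1)


def demo() -> dict:
    """Run both methods through both scenarios; True means date and time agree."""
    return {
        "naive_rollover": is_consistent(naive_stamp, ROLLOVER_START, TICK),
        "safe_rollover": is_consistent(safe_stamp, ROLLOVER_START, TICK),
        "naive_midday": is_consistent(naive_stamp, MIDDAY_START, TICK),
        "safe_midday": is_consistent(safe_stamp, MIDDAY_START, TICK),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'consistent' if ok else 'MISMATCH'}")
```

The naive pair fails only in the rollover scenario, where it stamps 1 July with a time of 00:00:00.0005; the three-read version picks the second date whenever the hour is 0 and so stays on 2 July. On a real system the simulated clock would be replaced by the two OS calls; where the platform offers a single call that returns date and time together (as datetime.now() does), that atomic call is the simpler fix, and the three-read trick is for environments that only expose the split calls.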
<https://yro.slashdot.org/story/16/06/29/0834221/europes-net-neutrality-rules-fail-to-ban-bittorrent-throttling> (Posted by manishs on Wednesday June 29, 2016) Europe has finally agreed on a set of net neutrality rules. According to a report on TorrentFreak, these rules offer improvements for some individual members states, various activist groups and experts. But the current language would also allow ISPs to throttle BitTorrent traffic permanently if that would optimize overall "transmission quality." <https://torrentfreak.com/europes-net-neutrality-rules-dont-ban-bittorrent-throttling-160628/> From the report (edited): "Europe's new net-neutrality rules should ban throttling BitTorrent, but they don't. They leave ISPs a loophole," said Holmes Wilson of Fight for the Future (FFTF), one of the driving forces behind the Save Net Neutrality campaign. "ISPs can say they're doing it for 'traffic management' purposes -- even when their networks aren't clogged, because the rules say they can throttle to 'prevent impending network congestion,'" he adds. In addition to file-sharing traffic, the proposed rules also allow Internet providers to interfere with encrypted traffic including VPN connections. Since encrypted traffic can't be classified through deep packet inspection, ISPs may choose to de-prioritize it altogether. In theory, ISPs may choose to throttle any type of traffic they want, as long as they frame it as a network congestion risk. "So if your ISP is lazy, or wants to cut corners and save money, they can throttle BitTorrent, or VPNs, or Bitcoin, or Tor, or any class of traffic they can identify," Wilson says.
http://lauren.vortex.com/2016/07/ancient-monopolies-keep-you-from-decent-internet-service Many of us tend to assume that here in U.S. we have the most advanced technologies on the planet. So it may be startling to learn that by global Internet standards, numerous experts consider us to be living in something of a Stone Age Internet nation. The reality is stark. Many countries in the world pay far less for their Internet services than we do, and get much faster and more reliable services in the bargain. While many countries have set a national goal of fiber optics directly connecting every home and business, here in the United States phone companies still are arguing that snail's pace Net connections should qualify as broadband. [...] [Long blog item pruned for RISKS. Please read the full version. PGN]
(Posted by EditorDavid on Sunday July 03, 2016) <https://yro.slashdot.org/story/16/07/03/0340234/un-council-seriously-nations-stop-switching-off-the-internet> An anonymous reader writes: "The United Nations officially condemned the practice of countries shutting down access to the internet <http://www.theregister.co.uk/2016/07/01/un_officially_condemns_internet_shutdowns/> ...at a meeting of the Human Rights Council on Friday," reports the Register newspaper, saying Friday's resolution "effectively extends human rights held offline to the internet," including freedom of expression. "The resolution is a much-needed response to increased pressure on freedom of expression online in all parts of the world," <https://www.article19.org/resources.php/resource/38429/en/unhrc:-significant-resolution-reaffirming-human-rights-online-adopted> ...said Thomas Hughes, Executive Director of Article 19, a long-standing British human rights group which had pushed for the resolution. "From impunity for the killings of bloggers to laws criminalizing legitimate dissent on social media, basic human rights principles are being disregarded to impose greater controls over the information we see and share online." Thirteen countries, including Russia and China, had unsuccessfully urged the deletion of the text guaranteeing internet access, and Article 19 says the new resolution even commits states to address "security concerns on the Internet in accordance with their obligations to protect freedom of expression, privacy and other human rights online." But they also called the resolution a missed opportunity to urge states to strengthen protections on anonymity and encryption, and to clarify the boundaries between state and private ICT actors.
Evan Schuman, Computerworld, 6 Jul 2016 Eroding trust is a lot easier than restoring it http://www.computerworld.com/article/3091763/data-privacy/for-facebook-violating-users-privacy-is-going-to-backfire-someday.html selected text [>>> <<< added to highlight one sentence]: A settings change at Facebook has once again put the social site in a negative light concerning users' privacy. Someday, users just might decide that they have had enough. The change happened in October but was only recently noticed, according to The Guardian: Facebook rolled out an update to its internal search engine, letting users search the entire network for the first time. All public posts became searchable for everyone, but private posts weren't affected. >>> When it made the change, though, the social network also removed a privacy setting entirely: it's now not possible to choose to hide your profile from strangers. <<< Every profile on Facebook now shows up when users search for it by name, even those, like mine, with the tightest possible settings, no friends in common, no profile picture, and no content posted. Worse, if you then click on the profile, a large amount of information is still public: any page I've liked, any group I've joined, and, if I had any, every friend I have on the site. And although I can't be added as a friend by strangers -- thanks to the requirement that they be a friend of a friend—I can be followed by them, letting them be notified of any future posts. That's because, helpfully, the ability to turn off that feature isn't under privacy but under a different tab, Followers.
Westerners said the web could never be controlled. Lu Wei, China's departing Internet czar, proved them all wrong. https://foreignpolicy.com/2016/06/29/the-man-who-nailed-jello-to-the-wall-lu-wei-china-internet-czar-learns-how-to-tame-the-web/
[ Virtually Anybody (who is 'SomeBody') is after "Virtual Money" (and all other virtual values) these days... ] How China Took Control of Bitcoin <https://news.slashdot.org/story/16/07/03/205202/how-china-took-control-of-bitcoin> (Slashdot reader Rick Zeman quotes the New York Times) In its early conception, Bitcoin was to exist beyond the control of any single government or country. It would be based everywhere and nowhere... Yet despite the talk of a borderless currency, a handful of Chinese companies have effectively assumed majority control of the Bitcoin network. <http://www.nytimes.com/2016/07/03/business/dealbook/bitcoin-china.html> They have done so through canny investments and vast farms of computer servers dispersed around the country...there are fears that China's government could decide, at some point, to pressure miners in the country to use their influence to alter the rules of the Bitcoin network. The government's intervention in 2013 suggests that Bitcoin is not too small to escape notice.
Iain Thomson, *The Register*, 3 Jun 2016 Lives could have been put at risk by pushy upgrade http://www.theregister.co.uk/2016/06/03/windows_10_upgrade_satellite_link/ opening text: When you're stuck in the middle of the Central African Republic (CAR) trying to protect the wildlife from armed poachers and the Lord's Resistance Army, then life's pretty tough. And now Microsoft has made it tougher with Windows 10 upgrades. The Chinko Project manages roughly 17,600 square kilometres (6,795 square miles) of rainforest and savannah in the east of the CAR, near the border with South Sudan. Money is tight, and so is internet bandwidth. So the staff was more than a little displeased when one of the donated laptops the team uses began upgrading to Windows 10 automatically, pulling in gigabytes of data over a radio link. And it's not just bandwidth bills they have to worry about. "If a forced upgrade happened and crashed our PCs while in the middle of coordinating rangers under fire from armed militarized poachers, blood could literally be on Microsoft's hands," said one member of the team.
http://www.infoworld.com/article/3090508/microsoft-windows/win7-and-81-patch-kb-3173040-throws-full-screen-win10-upgrade-warning.html Win7 and 8.1 patch KB 3173040 throws full-screen Win10 upgrade warning Sorry to interrupt, but this is important ... or so says Microsoft Woody on Windows By Woody Leonhard InfoWorld | Jun 30, 2016 selected text: Microsoft just released yet another Win10 upgrade nag system, disguised as a "Recommended" patch for Windows 7 SP1 and Windows 8.1 systems. According to the KB 3173040 article, if you have Windows set to automatically install updates, and have the Windows Update "Check for updates but let me choose whether to download and install them" box checked, your machine will suddenly sprout a full-screen purple message that says ... No, I don't make this stuff up. You have to wonder how many TV weather announcers, how many broadcasting game players, and how many unattended kiosks will suddenly find themselves festooned in Microsoft upgrade purple. I predict a field day in the mainstream press by tomorrow.
Agam Shah, InfoWorld, 30 Jun 2016 Dell has discontinued Venue tablets with Android, and won't push out OS upgrades to current customers http://www.infoworld.com/article/3090544/android/dell-stops-selling-android-devices.html Dell has stopped selling Android devices as it steps away from slate-style tablets to focus on Windows 2-in-1 tablets. Dell won't be offering OS upgrades to Android-based Venue tablets already being used by customers. "For customers who own Android-based Venue products, Dell will continue to support currently active warranty and service contracts until they expire, but we will not be pushing out future OS upgrades," the spokesman said. [Actually, maybe, the risk is not that high. Dell makes a quality product. What kind of quality? I had a Dell desktop system, and the computer and laser printer packed it in within a few months of each other. OK, I admit I had abused the printer with high-volume printing and in the about 1 1/2 years I had it, I was already into my second toner cartridge.]
Paul Rubens, CIO, 4 Jul 2016 Click fraud is more than just a marketing problem—it presents a real security risk to your organization, experts say http://www.infoworld.com/article/3089881/malware/why-cios-should-care-about-click-fraud.html
[TANSTAFS - one more TANSTAFL corollary (this S is just a 3-letter word) ;-] Ashley Madison Admits It Lured Customers With 70,000 Fake 'Fembots' <https://yro.slashdot.org/story/16/07/09/1245248/ashley-madison-admits-it-lured-customers-with-70000-fake-fembots> (Posted by EditorDavid on Saturday July 09, 2016) America's Federal Trade Commission is now investigating the "infidelity hookup site" Ashley Madison. In a possibly-related development, an anonymous reader writes: Ashley Madison's new executive team "admits that it used fembots to lure men into paying to join the site," reports Ars Technica. <http://arstechnica.com/tech-policy/2016/07/ashley-madison-admits-using-fembots-to-lure-men-into-spending-money/> More than 75% of the site's customers were convinced to join by an army of 70,000 fembot accounts, "created in dozens of languages by data entry workers...told to populate these accounts with fake information and real photos posted by women who had shut down their accounts on Ashley Madison or other properties owned by Ashley Madison's parent company, Avid Life Media... In reality, that lady was a few lines of PHP... <https://tech.slashdot.org/story/15/09/02/032213/ashley-madison-source-code-shows-evidence-they-created-bots-to-message-men> In internal company e-mails, executives discussed openly that only about five percent of the site's members were real females." EditorDavid comments: The company only abandoned the practice in 2015, <http://media.ashleymadison.com/avid-life-media-breaks-its-silence/> ...and CNN also reports that for years, if the site's male customers complained, Ashley Madison "threatened to send paperwork to users' homes <http://money.cnn.com/2016/07/08/technology/ashley-madison-dispute-bill/> ...if they disputed their bills—potentially revealing cheaters to their spouses," while one user complained that the site also automatically signed up customers for recurring billing. "We are not threatening you. We are laying the facts to you..." 
one e-mail read, while another warned that "We do fight all charge backs."
http://www.directionsmag.com/files/view/distmark-51zip/138895 [You have to click on that URL to understand Dan's humor. The resulting "404. Not Found" error message automagically takes you to a map arrow pointing to 404 Fremont Blvd in Monterey CA. PGN]
Kinda bored today on my Linux machine. How about a little self-inflicted https://en.wikipedia.org/wiki/Predicament_bondage ?

  $ chmod 0 .

OK that was fun. But now lunchtime is over, and

  $ chmod 700 .
  chmod: cannot access '.': Permission denied

Uh oh.

  $ chmod 700 $PWD

Phew.
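An added example, not from the original post, that reproduces the lockout in a throwaway directory and shows why the absolute path gets you out: looking up "." requires search (x) permission on the current directory, which chmod 0 removed, whereas an absolute path only needs the ancestors to be searchable, and chmod on the final component itself requires ownership rather than permission on it. The helper names (chmod_outcome, lockout_and_recover) are mine.

```python
"""Reproduce `chmod 0 .` in a temporary directory and attempt the repair by
relative and by absolute path.  Added example, not code from the post."""
import os
import tempfile


def chmod_outcome(path: str, mode: int) -> str:
    """Attempt a chmod and report 'ok' or 'denied' instead of raising."""
    try:
        os.chmod(path, mode)
        return "ok"
    except PermissionError:
        return "denied"


def lockout_and_recover() -> dict:
    """Strip all permission bits from the cwd, then try to restore them first
    through "." and then through the absolute path.  Returns both outcomes."""
    tmp = tempfile.mkdtemp()
    saved_cwd = os.getcwd()
    try:
        os.chdir(tmp)
        abs_path = os.getcwd()      # captured while "." can still be resolved
        os.chmod(".", 0)            # mode 000: owner loses read, write and search
        # Relative repair: the kernel must look "." up inside the cwd, which
        # needs search (x) permission on the cwd, and that bit is now gone.
        relative = chmod_outcome(".", 0o700)
        # Absolute repair: only the ancestors (/tmp, ...) must be searchable;
        # chmod on the final component needs ownership, not permission on it.
        absolute = chmod_outcome(abs_path, 0o700)
    finally:
        os.chdir(saved_cwd)
        os.chmod(tmp, 0o700)        # make sure cleanup can proceed
        os.rmdir(tmp)
    return {"relative": relative, "absolute": absolute}


if __name__ == "__main__":
    print(lockout_and_recover())
```

As an unprivileged user this returns {'relative': 'denied', 'absolute': 'ok'}; as root both attempts succeed, because CAP_DAC_OVERRIDE bypasses the search-permission check on "." as well.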
> Jen Nowell, *Palo Alto Daily Post*, front page story, 13 Jun 2016 [PGN-ed] > A 16-month-old boy was knocked over by a security robot at Stanford Shopping > Center in Palo Alto, which then ran over him, leaving him bruised and > scared. The 5-foot 300-pound Knightscope K5 Robot failed to stop as it > approached Harwin Cheng, hit him in the head, knocked him to the ground, > and then ran over his right foot. His mother pulled him away just as the > robot was about to run over his left foot. At least, that is what the parents claim, which is presented as fact. For balance, here is [part of] the manufacturer's response (from the *LA Times*): The company said the child ran toward the robot, which veered to avoid him as it was patrolling, and the toddler then ran backward and directly into the robot. When the robot stopped, the boy fell to the ground. "The machine's sensors registered no vibration alert, and the machine motors did not fault as they would when encountering an obstacle," the company said in a statement. A *Wall Street Journal* article adds: "Knightscope says their unit would have registered a vibration if it had run over his foot. Each robot has nearly 30 sensors, including lasers and sonar sensors, Knightscope said." In response to the accident, Knightscope issued its first field incident report in its robots' 25,000 miles of travel. The statement says the machine veered to the left to avoid Harwin, but the child ran backward "directly" into the machine. The machine then stopped and the child fell, the statement said. Hmm. Not so clear-cut after all. Thanks for the other side. However, perhaps removing from service all robots of that type was overreacting? or CYA? PGN]
It occurs to me that absent a societal consensus on the correct way to handle the moral issues arising from self-driving cars, we could make the choice available to the driver. Obviously, it's more complex than this in practice, but some kind of "selfish/altruistic" switch could be either configurable per driver or selected from the dashboard. So, if one were driving the family, the driver could select "protect me at all cost", and if alone, could choose "sacrifice me if there would be more than one pedestrian casualty". We could then judge people, morally and legally, by the choices they would make, should it come to that.
Private Interest -vs- Public Interest This is to be expected: The private backers of the Digital Economy Bill (aka those companies that purchased its introduction and presumably have pre-arranged payment for its passage) have lined the politicians' pockets with more money than Oscar Pistorius' girlfriend. Just proves the old adage: you get what you pay for. As long as we continue to allow politicians to enrich themselves through private-interest contributions to their pocketbooks, they will continue to prefer and promulgate that which causes the largest padding of their pocketbooks. This is not really a risk—it is just basic human nature at work and, where such practices are permitted, it is a certain result.
Like many other news items about scientific research, this article reminds me of these immortal lines by Dorothy Parker: "But scientists, who ought to know, Assure us that it must be so. So let us never never doubt What nobody is sure about"
> Bomb disposal robots (properly termed Explosive Ordnance Disposal robots) > have been in use since 1972, when the U.S. military pioneered the > technology. In point of fact, their use was pioneered by British Army bomb disposal teams in 1972, in Northern Ireland. https://en.wikipedia.org/wiki/Wheelbarrow_(robot)
Strictly speaking, this was not a robot but a ROV. I'm pretty sure it was a human operator who had pulled the trigger, just like those who operate drones over Afghanistan. Despite the availability of technology, it seems no one has dared (yet) to let a real autonomous robot make the decision whom to shoot and when.