Mary Shacklett, Tech Pro Research, 29 Jul 2016 Licensing of commercial drones has been limited so far, but it won't be long before usage starts expanding. In them meantime, CXOs need to assess and plan for possible legal ramifications. http://www.techproresearch.com/article/commercial-drones-four-looming-legal-concerns/
Bob Violino, ZDNet, 29 Jul 2016 Efforts are underway to build robotics smartphone applications. http://www.zdnet.com/article/robot-control-theres-an-app-for-that/ selected text: "Many robots have analog controls on them, which are hard to use and not very customizable, and you must touch the robot to change anything," Moorhead said. "Smartphone control enables control [of robots] away from the home, and the ability for the manufacturer to more easily provide variables [to] enhance the experience for the buyer." The downsides are security issues and the need for the phone. "You don't want someone hacking in for fun and have your Roomba turn on at 3 am every morning to wake you up," Moorhead said. "Also, as more vendors move controls off the robots and onto the smartphone, if you lose it you lost the ability to control the robot." [And if you do not have a smart phone at all, you will not be able to use the item. I have run into this risk in another area. Despite being a loyal 7-11 customer, I can get free Slurpee every so often, because I do not have a smart phone. How companies are cutting off business with this forced linkage?]
Lucas Mearian, Computerworld, 26 Jul 2016 The Tesla's Autosteer lane-keeping assistance and traffic-aware cruise control system was engaged http://www.computerworld.com/article/3100650/car-tech/ntsb-tesla-in-fatal-crash-was-speeding-with-autopilot-on.html selected text: The National Transportation Safety Board (NTSB) today released a preliminary report that details the circumstances of the fatal accident involving a Tesla Model S driving with its Autopilot engaged. The 18-wheeler semi truck ... sustained minor damage. [Look at the picture. The damage looks very minor.]
Researchers have once again proved they can take over your vehicle -- but this time, they can kill your brakes. [Updated] Charlie Osborne for Zero Day, ZDNet, 2 Aug 2016 http://www.zdnet.com/article/hackers-hijack-jeeps-once-more-your-brakes-belong-to-them/ selected text: ... Miller's tampering resulted in the brakes being yanked out of the driver's control—and the attack at 25mph was almost enough to fully tip over the Jeep.
http://cphpost.dk/news/municipality-in-northern-jutland-to-start-using-self-driving-buses.html The Danish municipality of Vesthimmerland in northern Jutland is planning to introduce autonomous, electric shuttle buses for public transport. Local politicians hope the initiative will help save both time and money. "We are a large municipality with long transportation times and our calculations show that we have 30 to 40 full-time employees who are driving nonstop," Knud Kristensen, the mayor of Vesthimmerland, told the newspaper Information. http://cphpost.dk/news/driverless-electric-bus-to-be-tested-in-aalborg.html An electric, self-driving shuttle bus is being considered for a public transport route in the north Jutland city of Aalborg. If everything goes to plan in testing, the completely autonomous bus could transport passengers on a 1.6 km-long route by 2018. The Arma bus was designed by French company Navya, which introduced the innovative unmanned vehicle in October 2015. Don Wagner http://donwagner.dk
The FBI is investigating another apparent hack on Democratic Party support organizations, this time the DCCC (Democratic Congressional Campaign Committee), which is distinct from the DNC (Democratic National Committee) whose email hack is also under separate investigation. Once again there is suspicion that this was a Russian attack. At the event in Aspen on Saturday afternoon, Mr. Obama's homeland security adviser Lisa O. Monaco sidestepped specific discussion of the DNC hacking, but acknowledged that the administration might soon have to consider whether the United States' electoral system constitutes critical infrastructure, like the power grid or the cellphone network. http://www.reuters.com/article/us-usa-cyber-democrats-idUSKCN1091Q4 See also: http://www.csmonitor.com/World/Passcode/Passcode-Voices/2016/0729/Opinion-How-to-make-democracy-harder-to-hack
http://www.reuters.com/article/us-usa-cyber-democrats-reconstruct-idUSKCN10E09H?feedType=RSS&feedName=technologyNews One of the anonymous sources who spoke to Reuters claims that "the lack of full disclosure by the FBI prevented DNC staffers from taking steps that could have reduced the number of confidential emails and documents stolen." Last fall, the FBI warned DNC employees to keep an eye out for "unusual activity on the group's computer network," without letting on the potential seriousness of the hack. The DNC didn't find any suspicious activity, but when staffers asked the FBI for more information about the attack on its system, the agency declined.
What's good for the goose is also good for the gander. Either way, our privacy is cooked. http://www.theatlantic.com/politics/archive/2016/07/hacks-and-cyberattacks-in-an-age-of-mass-surveillance/493364/ Trump Shows the Flaws of NSA Surveillance His call for Russian hackers to break into Hillary Clinton's email validate the worst suspicions of security-state critics. Conor Friedersdorf 8:10 AM ET Politics PHILADELPHIA--On Wednesday, Leon Panetta, the former director of the CIA, declared on stage at the DNC that the Republican Party's nominee is unfit for office. He was responding in part to news that Donald Trump "hoped Russian intelligence services had successfully hacked Hillary Clinton's email, and encouraged them to publish whatever they may have stolen, essentially urging a foreign adversary to conduct cyber-espionage against a former secretary of state." For Panetta, that was unforgivable. "Donald Trump today once again took Russia's side," he said. "He asked the Russians to interfere in American politics. It is inconceivable to me that any presidential candidate would be that irresponsible. I say this out of a firm concern for the future of my children and my grandchildren: Donald Trump cannot become our commander in chief. In an unstable world we cannot afford unstable leadership." His outrage is understandable—once again, Donald Trump showed that he lacks the judgment and self-discipline necessary to be a good president of the United States. But Panetta is rather late in foreseeing the possibility of such a leader. A few short years ago, when Edward Snowden revealed the extent of NSA surveillance on American citizens, corporations, and other institutions, NSA defenders insisted that the national security establishment can be trusted, and that civil libertarians were overly paranoid to worry that unprincipled elites would, sooner or later, exploit the era of mass surveillance to manipulate the political process. With the Republican nominee for the presidency openly yearning for a foreign intelligence agency to hack a political rival, Trevor Timm, one of those civil libertarians, took the opportunity to issue a reminder: If elected to the presidency, "Trump would head a vast NSA apparatus he could turn on his political enemies." This was, Timm wrote, "always the overarching concern about NSA: Even IF it's not being abused now, the system would allow future leaders to wreak havoc." And the safeguards that NSA defenders always invoke? "Hopefully if President Trump ever ordered the NSA to hack into the computer systems of domestic opponents or critics, NSA leaders would refuse," Tim Lee noted at Vox. "But the president has the power not only to choose the NSA director but also to prosecute whistleblowers for leaking classified information. So we shouldn't be too confident that internal resistance at the NSA would stop him." Jennifer Granick set forth a specific accounting of weaknesses in NSA oversight. "The president isn't required to inform Congress or the PCLOB if she changes Executive Order 12333," she explained. "She is not required by law to give Congress notice of or the opportunity to review new Presidential Policy Directives affecting surveillance. The FISA Court still has no role in supervising overseas spying, nor must the president inform Congress when she initiates new overseas spying programs. When Office of Legal Counsel opinions justifying surveillance proposals are written, Congress need not be told nor given a copy. If the DOJ changes minimization procedures or FBI guidelines, it is not required to inform Congress. Classification continues to get in the way of oversight. There is no punishment for people who violate the law at a president's behest. And whistleblowers have less, not more, reason to believe they will be protected and not prosecuted." I warned, long before the rise of Donald Trump, that Presidents Bush and Obama were providing all the infrastructure that a tyrant would need to perpetrate grave abuses of power. With his rise, I urged elected officials to tyrant-proof the White House before it's too late. If the prudence of doing so wasn't evident before, is it now, with knowledge that Trump soon won't need the Russians to secure information about the private communications of every legislator and judge in America, but will presumably still want to hack into the communications of his rivals? This danger would be lessened with reforms to the NSA, including a mandate to purge old data from its vast stores. At the same time, Trump's outreach to the Russians underscores the fact that we're now in a reality where any candidate for president, or the president herself, can seek data from foreign-intelligence agencies, data that can almost certainly give them power relative to political adversaries. One wonders what the British Government Communication Headquarters knows about Donald Trump. Might Hillary Clinton ask one day? So reforming the NSA isn't enough. The prudent course, for the U.S. government, is reorienting the agency so that it spends fewer resources spying on Americans and more on helping to protect the private details of our lives from actors foreign and domestic. And there is more to protect beyond our privacy. Says Jack Goldsmith of Harvard Law School, "Does the United States government have a well-worked out plan to ensure that our highly computerized and highly decentralized system for electing the president is protected from foreign disruption via cyber-exploitation or cyber-attack? I have no idea--but I seriously doubt it." Better to address these vulnerabilities before they are exploited than to invite a crisis of democracy even more alarming than a reality-TV star seeking the presidency.
A Twitter-rant full of citations regarding the security risks willfully ignored by the Aus Bureau of Statistics in deciding to retain census PII: https://twitter.com/LiamPomfret/status/760008536713678848 I'm of two minds here. Longitudinal data is incredibly valuable and the ABS has previously handled PII competently, i.e., offline in the national archives. It's not clear that that will continue to be the case though.
Michael Kan, PC World, 1 Aug 2016 http://www.pcworld.com/article/3102824/interpol-arrests-nigerian-email-scammer-who-swindled-60-million.html Interpol has arrested a top Nigerian email scammer who stole more than US$60 million by tricking businesses into handing over funds by posing as trusted suppliers. The 40-year-old Nigerian known as Mike is allegedly the leader of a criminal ring that targeted hundreds of victims across the world, Interpol said on Monday. He and at least 40 other individuals pulled off their scheme by allegedly pretending to be CEOs or suppliers using hacked email accounts of legitimate companies. The criminals then sent fake emails, asking the victims to wire funds or send payment to bank accounts under the scammers' control. The Nigerian at one point conned a victim into paying $15.4 million, Interpol said. To hack the email accounts, the scammers targeted small and medium businesses in the U.S., India, and Romania, among other countries.
NNSquad https://www.wired.com/2016/08/hack-brief-hackers-breach-ultra-secure-messaging-app-telegram-iran/ Amnesty International technologist and researcher Claudio Guarnieri and independent security researcher Collin Anderson traced recent Telegram account breaches in Iran to the SMS messages Telegram sends to people when they activate a new device. The texts contain a verification code that Telegram asks people to enter to complete a new device setup. A hacker with access to someone's text messages can obtain these codes and enter them to add their own devices to the person's account, thus gaining access to their data including chat histories. The researchers think the Iranian hacking group Rocket Kitten is behind the Telegram breaches, based on similarities to the infrastructure of past phishing attacks attributed to the group. There is widespread speculation that Rocket Kitten has ties to the Iranian government. Yet more examples of SMS text messaging vulnerabilities.
Dark Patterns are designed to trick you (and they're all over the Web). No, it's not only you--some user interfaces today intentionally want to confuse and enroll. http://arstechnica.com/security/2016/07/dark-patterns-are-designed-to-trick-you-and-theyre-all-over-the-web/ It happens to the best of us. After looking closely at a bank statement or cable bill, suddenly a small, unrecognizable charge appears. Fine print sleuthing soon provides the answer--somehow, you accidentally signed up for a service. Whether it was an unnoticed pre-marked checkbox or an offhanded verbal agreement at the end of a long phone call, now a charge arrives each month because naturally the promotion has ended. If the possibility of a refund exists, it'll be found at the end of 45 minutes of holding music or a week's worth of angry e-mails.
Asha McLean, ZDNet, 3 Aug 2016 Bitcoin exchange Bitfinex has taken its trading platform offline, telling users that it suffered a security breach which resulted in the loss of potentially millions of dollars. http://www.zdnet.com/article/bitfinex-bitcoin-exchange-offline-after-potentially-costly-security-breach/
via NNSquad https://plus.google.com/+LaurenWeinstein/posts/DuRiEN9X43j REPORT - NOT FULLY CONFIRMED: If you don't have a cell phone, or some other means to receive SMS text messages (and have them enabled, and know how to deal with them), you won't be able to access your Social Security Administration "My Social Security" account starting next month. There is a rumor rapidly spreading on the Net, brought to my attention this morning, claiming that SSA users have been receiving warnings that they MUST receive an SMS text message with a two-factor authentication code to access their accounts starting next month. While I cannot find an official SSA statement regarding this, there is testimony at the House Oversight Committee from late May that appears to confirm the essence of this report: "Additionally, to protect citizens' personally identifiable information further, we continue to improve authentication for our online services. In compliance with Executive Order 13681 ("Improving the Security of Consumer Financial Transactions"), we are changing our current multifactor authentication process for my Social Security from optional to mandatory for all users. Upon implementation this summer, all customers must enter a username, password, and a one-time passcode texted to a registered cell phone in order to access their my Social Security account. In the future, we expect to offer additional multi-factor options, pursuant to Federal guidelines. The National Institute of Standards of Technology is working on a revised guideline, and we are providing input into that process." While the "expectation" of other two-factor options in the future is interesting, the move to block users who do not have cell phones, or text message capable cell phones, or do not have text messaging enabled, or do not know how to access and read text messages—IS UNACCEPTABLE, especially on such short notice. Two-factor authentication systems are important, but keep in mind that SSA by definition is dealing mostly with older users who may have only recently become comfortable with online services at all, and may not make any use of text messaging. Many do not have cell phones or somebody to receive text messages for them. Additionally—and ironically—text messaging is considered to be a substandard means of receiving two-factor authentications. And—get this boys and girls—NIST just a few days ago officially declared that text messaging based two-factor should no longer be used at all—it's simply not safe and secure. It appears that SSA has really mucked this one up. This isn't secure two-factor, it's a three-ring circus. And if deployed as reported, it's going to leave many SSA users out in the cold. Later from Lauren: Official Social Security Administration announcement regarding the required use of text messaging for account access https://www.ssa.gov/myaccount/MoreInformationAboutMFA.html
NNSquad If you're interested in following more on the controversy regarding the Social Security Administration requiring that anyone who wants continued access to their SSA online account *must* be able to receive text messages, my Friday post on this topic has now attracted almost 30 comments, many from SSA users who discovered that the requirement is already in place and have not been able to make it work. https://lauren.vortex.com/2016/07/ssa-cutting-off-users-who-cant-receive-text-messages Comments on my blog are an experiment with which I'm (so far) fairly satisfied. All comments are moderated before publication, and all from real people have been suitable for publication. There is also an increasing volume of spam comment submissions—if these get out of hand I may need to reevaluate, but right now they are tolerable.
Social Security Administration launches lamebrain 2-factor authentication system depending on text messages, with only a couple of days warning, and without verifying that it even worked with Verizon Wireless! Reference: https://lauren.vortex.com/2016/07/ssa-cutting-off-users-who-cant-receive-text-messages
NNSquad http://thenextweb.com/mobile/2016/08/02/your-devices-battery-status-can-be-used-to-track-you-online/ There are a myriad of ways you can be tracked online - from supercookies, to canvas fingerprinting and malware. Now you can add your device's battery status to the list, according to research by Steve Engelhard and Arvind Narayanan - two academics from Stanford University. The attack takes advantage of the HTML5 Battery Status API, which allows servers to determine when they need to send an energy-efficient version of a website. It lets them see how much charge a laptop, tablet, or smartphone has in terms of time remaining until discharge, and as an overall percentage.
http://arstechnica.com/security/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/ "I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?'" she said during a keynote speech at the BSides security conference in Las Vegas. "I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days." Cranor eventually approached the chief information officer and the chief information security officer for the FTC and told them what a growing number of security experts have come to believe. Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking. The CIO asked for research that supported this contrarian view, and Cranor was happy to provide it.
Ian Paul, PCWorld, 28 Jul 2016 http://www.pcworld.com/article/3101396/windows/microsoft-faces-two-new-lawsuits-over-aggressive-windows-10-upgrade-tactics.html opening text: Microsoft is facing two more lawsuits over the company's questionable Windows 10 upgrade tactics. Both suits are seeking class-action status. The first suit was filed in U.S. District Court in Florida. It alleges that Microsoft's Windows 10 upgrade prompts "violated laws governing unsolicited electronic advertisements," as reported by The Seattle Times. The suit also says Microsoft's tactics are against the Federal Trade Commission's rules on deceptive and unfair practices. The second suit was filed in June in Haifa, Israel alleging that Microsoft installed Windows 10 on users' computers without consent. Microsoft already paid out a $10,000 award in a previous U.S. suit over similar circumstances.
Jared Newman, PCWorld, 29 Jul 2016 Take the time to customize typing, browsing, and other settings from the get-go. At the end of the Windows 10 installation, you could hit Express Settings to finish up fast, but taking the time to customize could save you some privacy. http://www.pcworld.com/article/3095284/windows/windows-10-upgrade-dont-use-express-settings-if-you-value-your-privacy.html selected text: ... offer to install the operating system with "Express settings." Although Windows 10 Express settings will get you up and running quickly, that convenience comes at a cost: By skipping over custom settings, you're agreeing to all kinds of data collection and behavior tracking, much of which didn't apply in earlier versions of Windows. Here's our advice: Instead of blindly enabling Express settings in Windows 10, take some time to understand what you're agreeing to. Click the Customize settings link (in tiny text at the bottom of the setup screen), and disable the options you don't want.
[I missed the opportunity to get the free Windows 10 upgrade. I am so disappointed. Mind you, the disappointment is at Microsoft's behaviour, not at "missing out" on Windows 10.] Woody Leonhard, InfoWorld, 29 Jul 2016 Starting 2 Aug, admins will not be able to keep Microsoft from pushing the likes of Candy Crush Soda Saga onto Win10 Pro PCs on their networks because certain Group Policies will be deactivated. http://www.infoworld.com/article/3101947/microsoft-windows/more-forced-advertising-creeps-into-windows-10-pro.html opening text: If you were wondering whether Microsoft could inflict even more damage to Windows' reputation, the answer is yes.
Zack Whittaker for Zero Day, ZDNet, 2 Aug 2016 The flaw, which allows a malicious website to extract user passwords, is made worse if a user is logged in with a Microsoft account. http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/ selected text: But now a new proof-of-exploit shows just how easy it is to steal someone's credentials. The flaw is widely-known, and it's said to be almost 20 years old. It was allegedly found in 1997 by Aaron Spangler and was most recently resurfaced by researchers in 2015 at Black Hat, an annual security and hacking conference in Las Vegas. The flaw wasn't considered a major issue until Windows 8 began allowing users to sign into their Microsoft accounts—which links their Xbox, Hotmail and Outlook, Office, and Skype accounts, among others. Overnight, the attack got larger in scope, and now it allows an attacker to conduct a full takeover of a Microsoft account.
>> If the car is really autonomous, then any "fault" belongs to the >> manufacturer and the mfgr will have to pay the damages. And who holds the data and expertise to determine whether an accident was caused by a "fault"?
[via Dewayne Hendricks] While this device may prevent the phone from disclosing its location in real-time it will not prevent the device from recording the sound in its vicinity nor prevent it from using its motion sensors as an inertial navigation system. Later, once its wireless capability is reactivated, it can report both. It seems to me that of you are concerned enough to see your threats at this level you need to acquire good security trade-craft and take other precautions, such as only using a mobile with a removable battery and pull it out before you set out for a meeting or leave it on (so it looks like your are at your home or office) and use a "burner"phone that is never operated near your normal mobile's locations and is discarded after each meeting. > Detecting When a Smartphone Has Been Compromised > By Bruce Schneier > Jul 27 2016 > <https://www.schneier.com/blog/archives/2016/07/detecting_when_.html>
Ok, I'm going to be judgmental and potentially controversial here, but: If you rely on a computerised system to feed your dependents and don't bother to check in on them yourself, in person, or to have a human pet sitter do so for you - and that _at least_ once a day - frankly, you are a horrible person and you shouldn't be allowed to have pets in the first place. They're real, live creatures. They're not toys. If you can't take proper, emotionally invested case of them, get an effing Tamagotchi. Richard, furious and disdainful
2016-07-28 as the 10,001st day of the Web? 1989-03-12 as the start of the Web? These date seems questionable to me. According to the History of the Web at http://webfoundation.org/about/vision/history-of-the-web/, Sir Tim Berners-Lee, a software engineer at CERN, came up with the concept of the Web in March 1990 (a year later than mentioned in this post) and it wasn't until 1991 that people outside of CERN were invited to join the new Web community. So where does the March 1989 date come from?
http://www.nytimes.com/2016/07/27/business/dealbook/1-billion-for-dollar-shave-club-why-every-company-should-worry.html This NYT article could have been written by Andrew Keen of the breathy "The Internet Is Not The Answer". The book cites the death of mighty Kodak as a tragedy of digitization and nerd billionaires. Kodak was a creaking monopoly who's time had come, and so is Gillette. Gillette just paid a billion dollar fine for not performing the very same logistic optimisation Dollar Shave beat them to. The risk, really, is that Gillette shareholders might well sack the board for their inertia and short sightedness.
CB> "dd if=/dev/zero of=/dev/sda bs=1M" CB> Of course you need to replace sda with the actual device name that connects CB> to the disk you want to clear. And if you don't you'll zap your home disk. So I would use 'sdz' in such examples.
http://www.pcworld.com/article/3101008/connected-home/osrams-lightify-smart-bulbs-suffer-from-several-serious-security-flaws.html A salescritter to convince you that something as simple as a lightbulb needs to be computerized. A security geek to think that something may possibly be wrong with that idea. A whitehat firm to analyse the attack surface. Someone to look at the network traffic for disclosures. Someone to look at the user/management interface. Someone to look at authentication of commands. Someone to look at social engineering risks involved in lightbulb jokes. Someone to note that it is better to light a single candle than to curse the IoT. Someone else to note that the IoT will soon have many more than a million points of light. Someone to pontificate that many IoT devices are not built with security in mind. Someone else to note that, so far, there are very few actual exploits available, despite the number of vulnerabilities. A device systems manager to opine that having a device security manager is not really necessary. A device security manager to at least change the passwords that the device systems manager left on default setting. A bored teenager to sit and play with the lightbulb for hours trying to force the "cool light" setting to actually make it turn blue. An exasperated parent to, very strongly, make the point that a lightbulb that costs over a hundred dollars every time it burns out is *NOT A TOY*! Someone to create a Burned Out High Tech Lightbulb account on Twitter. Someone to propose a "Lightbulb security settings" course to SANS. Someone at (ISC)^2 to call for CBK entries for a CLBSP (Certified Light Bulb Security Professional) designation. Someone to drive a Tesla, on autopilot, through the existing crowd. Someone to note that a Solo would do far less damage. https://electrameccanica.com ...
Please report problems with the web pages to the maintainer