*The Telegraph* via NNSquad
http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/11970391/Internet-firms-to-be-banned-from-offering-out-of-reach-communications-under-new-laws.html

Companies such as Apple, Google and others will no longer be able to offer encryption so advanced that even they cannot decipher it when asked to under the Investigatory Powers Bill ... It will also require Internet companies to retain the web browsing history of their customers for up to a year. ... It came as David Cameron, the Prime Minister, pleaded with the public and MPs to back his raft of new surveillance measures.

[This is evidently David Cameron's next attempt, following on after previously wanting to ban *all* cryptography.
COMMENTS:
* John Day noted in Dave Farber's forum: When you outlaw encryption without backdoors, only outlaws will have encryption without backdoors.
* Henry Baker commented: The UK has suspended the laws of algebra and logic. Good luck with that!
PGN]
No one's weather radio is working in the entire Mid-South. The problem has been going on for a week. http://www.wbrc.com/story/30414750/weather-radios-down-severe-weather-expected MEMPHIS, TN (WMC) "It has saved my life two or three times," Weather radio user Shirley Son said. Son has relied on her weather radio for ten years, but now all she hears is static. No warnings, no weather. [...]
Odd decision table compares saving lives of two cats being equivalent to saving lives of four dogs, and values a horse even less. https://theconversation.com/of-cats-and-cliffs-the-ethical-dilemmas-of-the-driverless-car-49778 [I guess it would be a boonDOGgle CATaloguing the fiNAGled relative merits of different species, RACCOONoitering among various POSSUMbilities SQUIRRELed away among roadkill alternatives. However, some of the analysis needs to address risks more broadly: not just trading off damage to different animal species, but also to passengers, vehicles that might have been commanDEERed by a huge buck, and potentially also to the environment. The tradeoffs also become interesting (for example) for a driverless safari vehicle that is remotely piloted by a well-sheltered guide and electronically locked to keep its passengers from exiting when confronted by angry beasts. You would not want to become RHINOckwurst. However, now that we have HORSEless carriages, perhaps it was certainly logical that we would get to DRIVERless and PASSENGERless vehicles (e.g., drones and robots). On the other hand, if we still had PASSENGER PIGEONS, we might have conceived of them pecking at the touch-sensitive screen to control a car (as was apparently done with missiles in WW II). However, nothing in the foregoing to the contrary notwithstanding, now that we seem to believe we can trust untrustworthy computers controlling autonomous entities, perhaps we don't need the less reliable members of the animal kingdom any more. End of technosarcasm/rant/whatever it might be. PGN]
[Browse on "Fyunch Click" if you are not a Facebookworm and don't understand the reference. PGN]

Earlier this week, my (Android) phone was next to the radio when this NPR story came on, "OK Google: Where Do You Store Recordings Of My Commands?" <http://www.npr.org/sections/alltechconsidered/2015/10/29/451981811/ok-google-where-do-you-store-recordings-of-my-commands> and when the radio played the first search question, including the "get phone's attention" keyword, within half a sentence, my phone was chiming in, like a backup singer. Startling, to say the least. I'm sure I'm not the only listener this happened to... And I think I saw a news item within the past week on how [hackers] are directing voice commands at other people's phones. Time to see if there's a way to customize the "attention" word for my phone.

[1] From Niven & Pournelle, THE MOTE IN GOD'S EYE, and THE GRIPPING HAND, of course. (This was also a minor (non-tech) plot point in Grant Morrison's Justice League WORLD WAR III, over a decade ago, with the kid who inadvertently got Johnny Thunderbolt's pen with the Bandeisian Thunderbolt (stuck) in it, where reciting "Say you love Satan" included the release phrase ("ceie-u") for said Band. Thund.) (Great stuff, I heartily recommend Morrison's Justice League run. All avail in trade book format.)

And, as a member of the list I'd posted to has subsequently noted, there's the (apocryphal) tale of a speech input demo at a lecture, where someone from the back of the crowd shouted out FORMAT C COLON RETURN.

[Something like that was in RISKS perhaps 20 years ago, and then again in RISKS-19.65: NCR phone instruction for Tower Star multiport removal: pronouncing "execute rm -r star". But I've always wondered about how ambiguity-resolving punctuation might be treated in voice-actuated systems. Perhaps Victor Borge had the answer to that when he developed explicit audibles for punctuation. PGN]
[Note: This item comes from friend Judi Clark. DLH](via Dave Farber) Lauren Kirchner, ProPublica, 30 Oct 2015 http://www.propublica.org/article/what-we-know-about-the-computer-formulas-making-decisions-in-your-life We reported yesterday on a study of Uber's dynamic pricing scheme that investigated Uber's surge pricing patterns in Manhattan and San Francisco and showed riders how they could potentially avoid higher prices. The study's authors finally shed some light on Uber's black box, the algorithm that automatically sets prices but that is inaccessible to both drivers and riders. That's just one of a nearly endless number of algorithms we use every day. The formulas influence far more than your Google search results or Facebook newsfeed. Sophisticated algorithms are now being used to make decisions in everything from criminal justice to education. But when big data uses bad data, discrimination can result. Federal Trade Commission chairwoman Edith Ramirez recently called for *algorithmic transparency*, since algorithms can contain "embedded assumptions that lead to adverse impacts that reinforce inequality." Here are a few good stories that have contributed to our understanding of this relatively new field. [...]
After-hours purchase on the Home Depot website. Entered my Chase credit card number at checkout. Transaction complete. A couple of minutes later I got two emails. One from Home Depot, with a card-denied message. Why they didn't wait for approval before confirming is a mystery. And then there is no option on the website to re-enter another card. After calling in, a new order number was generated which wasn't tied to my online account with them, resulting in a zombie transaction on the account.

The second one was from Chase. It tells me that the transaction was denied, lists the transaction and asks "Do you recognize this charge?" Then, if I allowed my email agent to display images, it would have shown me two buttons with http links for YES and NO, which would have directed me to the appropriate page on their website. As I don't generally allow images to be displayed, it showed me the ALT tags of such images, which were YES and ... YES! And YES, I did choose YES if you're wondering.
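Added example, not from the poster or from either company: a small Python check that renders each link of an HTML notice the way an images-off mail client would (link text plus the `alt` of any image inside it) and flags distinct URLs that end up with the same visible label, which is exactly the YES/YES situation described. The HTML sample is constructed to resemble that notice; the hostnames and paths in it are placeholders.

```python
from html.parser import HTMLParser

# Constructed sample resembling the card-issuer notice: two image buttons
# whose alt text is identical, so a text-only reader cannot tell them apart.
SAMPLE_HTML = """
<p>Do you recognize this charge?</p>
<a href="https://bank.example/confirm?id=123"><img src="yes.png" alt="YES"></a>
<a href="https://bank.example/dispute?id=123"><img src="no.png" alt="YES"></a>
"""


class LinkTextExtractor(HTMLParser):
    """Collect, for each <a>, the text a client would show with images
    disabled: the link's own text plus the alt attribute of any <img>
    nested inside it."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, visible_text)
        self._href = None      # href of the <a> currently open, if any
        self._parts = []       # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href", "")
            self._parts = []
        elif tag == "img" and self._href is not None:
            # With images off, the alt text (possibly empty) is what is rendered.
            self._parts.append(a.get("alt", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._parts.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join(p.strip() for p in self._parts if p.strip())
            self.links.append((self._href, text))
            self._href = None


def extract_links(html):
    """Return [(href, visible_text), ...] in document order."""
    parser = LinkTextExtractor()
    parser.feed(html)
    return parser.links


def ambiguous_links(html):
    """Map each visible label to the distinct hrefs it covers, keeping only
    labels that point at more than one URL (buttons a reader cannot tell
    apart) or that are empty (buttons with no visible label at all)."""
    by_text = {}
    for href, text in extract_links(html):
        by_text.setdefault(text, set()).add(href)
    return {t: sorted(h) for t, h in by_text.items() if len(h) > 1 or not t}


if __name__ == "__main__":
    for href, text in extract_links(SAMPLE_HTML):
        print(f"{text!r:10} -> {href}")
    print("ambiguous:", ambiguous_links(SAMPLE_HTML))
```

Running such a check against outgoing templates catches both the identical-alt case and the empty-alt case before a customer has to guess which button disputes a charge.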
It was with some irony that I read the entry in RISKS-29.06 of a Merrill Lynch article warning that "Cybersecurity is one of the top global risks today." Irony, because 10 minutes earlier I'd been trying to safely handle an email asserting to be from Merrill Lynch:

From: Feedback, Bol <bolfeedback@ml.com>
Date: 27 October 2015 at 13:40
To: "steve.loughran@gmail.com" <steve.loughran@gmail.com>

You have received a secure message from Bank of America Merrill Lynch

If you have concerns about the validity of this message, please contact the sender directly. Messages will expire after 90 days.

This message can be read from a computer or mobility device as follows:

*To view this secure message from a computer:*
1. Click the *securedoc.html* attachment to open (download) the secure message. For best results, save the file first and open it from the saved location using a Web browser.
2. *First-time recipients* may need to register after opening the *securedoc.html* attachment.
3. *Existing recipients*, enter current password.
4. Click the *Open* button. If you are unable to open the message, select the *Open Online* link.

*To view this secure message from a mobile device (e.g. smartphone, tablets):*
1. Forward this message with the *securedoc.html* attachment to mds@bankofamerica.com. You will receive a new email containing a link to access the secure message.
2. *First-time recipients* may need to register after opening the link. If you have not previously registered, click the *Open* button to initiate registration.

*Additional Information*
- First-time recipients are advised to read the Recipient Guide <http://securemsg.bankofamerica.com/Secure_Email_Recipient_Guide_en.pdf>
- Review the Help, FAQs and Guides <http://securemsg.bankofamerica.com/>

As I was actually expecting a message, I did actually d/l and view it, initially in a text editor and then in a disposable Linux VM.
Needless to say, it contains a large amount of unreadable Javascript code. [omitted by PGN]

This is pretty much exactly the checklist of what you'd expect from phishing: an email from a bank saying "read this", with the "this" being an HTML page containing obfuscated javascript and a binary payload. If Merrill Lynch are *rightly* concerned about security, perhaps they should look at their own processes for communicating with customers and consider whether it encourages safe practices from their customers, or simply gets them to expect banks to give them HTML messages with scripted payloads, and so leaves them wide open to phishing attacks.
(Sources: USA Today, Verge, Week)

If our economy, bank ATMs, and Internet all crashed tomorrow, for how many days do you have cash for emergencies, and kitchen reserves, before you are flat broke and out of food? For thousands of Americans, this happened to them in October.

RushCard failed Oct-12 and took almost 2 weeks to get fixed. It operates outside the consumer protections of standard debit and credit cards. Now US gov agencies are looking into imposing regulations and oversight over this formerly underground economy.

The outage was allegedly triggered by the company changing over to a new processing provider. Did they believe in testing? Even after announcements that the problems had been fixed, many customers report a string of nightmares proving that they are not able to access their money, and customer service has absurdly long wait times. Didn't it dawn on them to increase customer service bandwidth after an outage?

RushCard is for the poorest Americans, who do not have access to traditional banking services, so many RushCard customers did not have cash for basic needs. According to The Week Nov-6 issue:
* 17 million Americans are "unbanked" without any bank accounts.
* 58 million Americans are "under banked" without debit cards or savings accounts.

These poorest of the poor rely on payday loans, check cashers, pawn shops, and other services with high service charges, like the RushCard.

RushCard is now offering "fee free" from Nov-1 to Feb-29, to compensate customers inconvenienced by the 10+ day outage. Also a fund is being set up to compensate customers who had extra expenses to cope financially during the outage.
http://www.theverge.com/2015/10/30/9646864/rushcard-outage-russell-simmons-compensate-card-holders-losses
http://www.usatoday.com/story/money/columnist/tompor/2015/11/01/rushcards-glitch-puts-prepaid-cards-spotlight/74888816/

Examples of nightmares for RushCard customers, which continued AFTER RushCard claimed the problem had been fixed:
http://thinkprogress.org/economy/2015/10/30/3717811/rushcard-announcement/

US Consumer Financial Protection Bureau (CFPB) statement about the RushCard situation:
http://www.consumerfinance.gov/newsroom/statement-by-cfpb-director-richard-cordray-on-rushcard-prepaid-card-incident/
FYI: Zerodium is the quicker sticker upper: At $1 million, Zerodium is 2x more exorbitant, so it can handle any iMess that comes its way.

At least these bug bounties are finally getting near a market-clearing price; companies will finally now be able to "afford" to build high-quality software code. Funny thing: these same companies couldn't "afford" to build quality code when the bounties cost only $10,000.

These zero-day bounties are all fun-and-games today, but this whole bounty market will end in big tears, when software developers learn that they can "build in" bugs that they (or their friends) can later sell to reap the bounties.

http://thehill.com/policy/cybersecurity/258883-1m-bounty-paid-for-iphone-hack
Katie Bo Williams, The Hill, 2 Nov 2015
Hackers get $1M bounty for breaking into iPhone

A security firm that hunts for undiscovered software bugs is paying out $1 million to a hacking group for breaking into Apple's mobile operating system. The company, Zerodium, compiles what are known as zero days, or security flaws that are unknown to the software manufacturer. It announced in September that it would pay $1 million for jailbreaking Apple's newly-released iOS 9. The reward is the largest such bounty ever offered.

"Our iOS #0day bounty has expired, and we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!" Zerodium tweeted on Monday.

According to the terms of the bounty, the iPhone exploit must "be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page" or reading a text message.

Bug bounties are becoming increasingly popular as companies struggle to keep up with an onslaught of cyber intrusions. In May, United Airlines began offering free miles to people who uncover security flaws in its websites and digital infrastructure. Zerodium's offer required hackers not to disclose the vulnerability to Apple, so that its customers can use the hack in secret.
Critics say that Zerodium's tactics could lead to zero-day flaws falling into the hands of governments with poor human rights records that would use the information as a surveillance tool. [...]
[From Jonathan M. Smith via Dave Farber] After a lifetime of saying tech companies suck, I've now helped make it official exactly how much they suck by spending three years assisting in designing and implementing a complex scoring system on human rights, free expression, and privacy. Today those rankings have been released. You can see the front-page The Guardian story here: http://www.theguardian.com/technology/2015/nov/03/data-protection-failure-google-facebook-ranking-digital-rights - or visit our site for more detail and interactive data: https://rankingdigitalrights.org/2015/11/03/index-now-online/
Moon Hyun-seok, a senior official at the Korea Communications Commission, told The Associated Press that "Smart Sheriff" has been removed from the Play store, Google's software marketplace, and that existing users are being asked to switch to other programs. The government plans to shut down the service to existing users "as soon as possible," he said. Smart Sheriff's maker, an association of South Korean mobile operators called MOIBA, declined comment. Smart Sheriff's disappearance is a blow to South Korea's contentious effort to keep closer tabs on the online lives of its youngest citizens. Less than a year ago, the government and schools sent letters to students and parents to encourage them to download Smart Sheriff. A law passed in April requires all new smartphones sold to those 18 and under to be equipped with software which parents can use to snoop on their kids' social media activity. Smart Sheriff, the most popular of more than a dozen state-approved apps, was meant to keep children safe from pornography, bullying and other threats, but experts say its abysmal security left the door wide open to hackers and put the personal information of some 380,000 users at risk. http://www.usnews.com/news/business/articles/2015/11/01/apnewsbreak-south-korea-pulls-plug-on-child-monitoring-app
http://www.huffingtonpost.com/ryan-castle/wikipedia-deepak-chopra-o_b_8449394.html Worth reading this entire article. The body of editors who are dominating Deepak Chopra's biography page are a dozen or so skeptics* who are so extreme in their views that they resort to online activism, many of whom consider the concept of spirituality or a mind-body connection to be a threat to human intelligence. They consider Deepak Chopra to be the embodiment of these concepts and so treat his biography as an opportunity to explain how foolish and dangerous his beliefs are. These editors are no more empowered than any other volunteer editor, but their ideological zeal and willingness to viciously attack any opposing editor has driven off most impartial editors. After all, Wikipedia is 100% volunteer, so why would someone voluntarily spend their time being called a moron and facing endless opposition to every neutral edit? There is no one to report to, as a collaborative platform Wikipedia has no formal management structure, even when collaboration turns into mob mentality.
Different professionals disagree over how serious a cyber threat ISIS is, or is not, to our critical infrastructure. Connecting everything to the Internet, without solid security, when we usually have serious enemies in the world, is asking for trouble. There have been worrisome incidents with cyber and physical attacks on our power grid, and other critical infrastructure, where the industries have been resistant to spending money to beef up their security. The FBI says that highly capable hacking software is available for purchase on the black market and could be used to hack networks associated with energy companies, fuel refineries, or water-pumping stations.
http://www.securityweek.com/isis-cyber-ops-empty-threat-or-reality
http://i-hls.com/2015/10/can-isis-attack-our-infrastructure/
http://i-hls.com/2015/10/is-now-a-cyber-watershed-for-isis/
http://gwtoday.gwu.edu/isis-cyber-security-threat
http://thehill.com/policy/cybersecurity/242280-isis-preps-for-cyber-war
With a clause in complex contracts that few people read, corporations have insulated themselves from lawsuits and locked Americans into a system where arbitrators overwhelmingly favor business. http://www.nytimes.com/2015/11/01/business/dealbook/arbitration-everywhere-stacking-the-deck-of-justice.html
It's probably worth noting that if you want to protect your e-mail, you need to encrypt end-to-end and hope that nobody has a backdoor to the encryption you used. "Top mail providers" using various DMARCs and STARTTLSes at some of the hops is, by definition, "not it".
It must be noted that, when Thunderbird sends an E-mail message after it has been composed, it alters the message's line-lengths. This invalidates any OpenPGP encryption or digital signature applied during composition. An encrypted message cannot then be decrypted, and a digital signature cannot be verified.
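An added illustration of the failure mode just described, written for this digest entry and not taken from Thunderbird or any OpenPGP implementation: an HMAC over the message stands in for the OpenPGP signature, and the canonicalization step mirrors the line-ending and trailing-whitespace normalization OpenPGP applies to signed text (RFC 4880). The sample message and key are constructed. The point it shows is that line-ending and trailing-space changes survive verification, but a mail client re-wrapping a long line at a fixed column changes the signed bytes and the signature no longer verifies.

```python
import hashlib
import hmac
import textwrap

# Constructed demo key; HMAC-SHA256 plays the role of the OpenPGP signature so
# the example runs offline without a PGP library.
KEY = b"constructed-demo-key"

# Constructed message: one line longer than 72 columns, plus a line with
# trailing spaces, to exercise both kinds of transport-level change.
MESSAGE = (
    "Meeting moved to Thursday. Please bring the signed contract and the "
    "revised budget spreadsheet with you.\n"
    "Thanks,\n"
    "Alice   \n"
)


def canonicalize(text: str) -> bytes:
    """OpenPGP-style canonical text form: normalize line endings to CRLF and
    strip trailing whitespace from every line, so that those changes made in
    transit do not affect the signature."""
    lines = text.replace("\r\n", "\n").split("\n")
    return "\r\n".join(line.rstrip(" \t") for line in lines).encode("utf-8")


def sign(text: str) -> str:
    """Stand-in signature over the canonical form of the text."""
    return hmac.new(KEY, canonicalize(text), hashlib.sha256).hexdigest()


def verify(text: str, signature: str) -> bool:
    """True if the (canonicalized) text still matches the signature."""
    return hmac.compare_digest(sign(text), signature)


def reflow(text: str, width: int) -> str:
    """Mimic a mail client re-wrapping the body at a fixed column: each line
    longer than `width` is broken into several lines."""
    return "\n".join(textwrap.fill(line, width) for line in text.split("\n"))


if __name__ == "__main__":
    sig = sign(MESSAGE)
    print("original verifies:       ", verify(MESSAGE, sig))
    print("CRLF line endings verify:", verify(MESSAGE.replace("\n", "\r\n"), sig))
    print("re-wrapped at 72 verifies:", verify(reflow(MESSAGE, 72), sig))
```

The practical consequence for a defender is the one the post draws: sign or encrypt only after every transformation the client will apply to the body, or let the mail client's own OpenPGP integration do the signing at send time rather than signing text that is still going to be edited.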