The world's largest aircraft—part-plane, part-airship—crashes in Bedfordshire. Airlander 10 sustains damage but no one is injured as it lands in fields at Cardington airfield in the UK, ending its second test flight. <https://www.theguardian.com/uk-news/2016/aug/24/worlds-biggest-aircraft-crashes-bedfordshire-airlander-10> <https://www.theguardian.com/world/air-transport> <https://www.theguardian.com/world/video/2016/aug/24/worlds-largest-aircraft-crashes-during-test-flight-airlander-10-cardington-video>
Neil MacFarquhar, *The New York Times*, 29 Aug 2016 Spreading Disinformation to Sow Doubt, Fear and Discord in Europe and U.S. With a vigorous national debate underway on whether Sweden should enter a military partnership with NATO, officials in Stockholm suddenly encountered an unsettling problem: a flood of distorted and outright false information on social media, confusing public perceptions of the issue. ... The claims were all false, but the disinformation had begun spilling into the traditional news media. Disinformation has always been a remarkably effective weapon. However, we may now be getting to an era of disInformation Science and the Practice of disInformation Theory. disEntropy as a disEase? disMalWare? There's no disPutin' disInformation? PGN
[Russia Today, but for a UK story that's nonpolitical] Lawnmower accidentally triggers Northern Lights alert Stargazers in the UK were left disappointed after a "Red Alert" was accidentally sent claiming the Northern Lights would be visible, only to learn a lawnmower had triggered the alert. After a sensor at Lancaster University recorded a surge in geomagnetic activity on Tuesday, subscribers to the Aurora Watch UK mailing list received the auto-generated alert. [...] [It turned out...] that a university staff member had been using "a sit-on mower" and after driving close to the sensor, the mower's electric motor triggered a spike in activity, resulting in the automatic alert being issued. https://www.rt.com/viral/357214-lawnmower-northern-lights-alert/
Michael Kan, PC World, 25 Aug 2016 U.S. authorities accused Roman Seleznev of installing malware on point-of-sale systems http://www.pcworld.com/article/3112867/legal/us-convicts-russian-hacker-in-credit-card-theft-scheme.html selected text: Jurors in a U.S. federal court have convicted a Russian hacker of stealing and selling more than 2 million credit-card numbers. Testimony at his trial revealed that Seleznev's scheme defrauded US$169 million from 3,700 financial institutions, the U.S. Secret Service said in a statement. Seleznev was convicted on 38 counts, including wire fraud, intentional damage to a computer and identity theft. He will be sentenced in December and could face decades in prison and millions of dollars in fines. Seleznev has also been charged in separate cases in Nevada and Georgia involving racketeering and bank fraud.
*The Washington Post* via NNSquad https://www.washingtonpost.com/world/national-security/fbi-is-investigating-foreign-hacks-of-state-election-systems/2016/08/29/6e758ff4-6e00-11e6-8365-b19e428a975e_story.html Hackers targeted voter registration systems in Illinois and Arizona, and the FBI alerted Arizona officials in June that Russian hackers were behind the assault on the election system in that state. The bureau told Arizona officials that the threat was "credible" and severe, ranking as "an 8 on a scale of 1 to 10," said Matt Roberts, a spokesman for the secretary of state's office. As a result, Secretary of State Michele Reagan shut down the state voter registration system for almost a week.
Absentee Ballot Fraud - The Huffington Post http://www.huffingtonpost.com/news/absentee-ballot-fraud/ Congressman Joe Garcia's former chief of staff will head to jail for orchestrating a fraudulent, online absentee-ballot request scheme during last year's election. Ex-aide to Miami Rep. Joe Garcia to head to jail in http://www.miamiherald.com/news/local/community/miami-dade/article1956526.html
Kate Murphy's *Do You Believe in God, or Is That a Software Glitch?* (*The New York Times* Sunday Review, 28 Aug 2016) considers the National Academies of Science report on their study of faulty analyses of fMRI data. "The glitch can cause false positives—suggesting brain activity where there is none—up to 70 percent of the time." [This issue has been discussed previously in RISKS-29.60,63,64.] http://www.nytimes.com/2016/08/28/opinion/sunday/do-you-believe-in-god-or-is-that-a-software-glitch.html The article also considers the need for transparency and reproducibility. Anders Eklund (Linkoping, Sweden, and a co-author of the NAS report) is quoted: "If we don't have access to the data, we cannot say if studies are wrong. Finding errors is how scientific fields evolve. This is how science gets done."
[Two articles by Alex Hern in *The Guardian*, 22 Aug 2016, refer to a 24 June report in *Science*. Starkly PGN-abridged] *The social dilemma of autonomous vehicles* <http://science.sciencemag.org/content/352/6293/1573> (*Science*, Vol.352 Issue 8293, 24 June - pay-walled) ABSTRACT—Autonomous vehicles (AVs) should reduce traffic accidents, but they will sometimes have to choose between two evils, such as running over pedestrians or sacrificing themselves and their passenger to save the pedestrians. Defining the algorithms that will help AVs make these moral decisions is a formidable challenge. We found that participants in six Amazon Mechanical Turk studies approved of utilitarian AVs (that is, AVs that sacrifice their passengers for the greater good) and would like others to buy them, but they would themselves prefer to ride in AVs that protect their passengers at all costs. The study participants disapprove of enforcing utilitarian regulations for AVs and would be less willing to buy such an AV. Accordingly, regulating for utilitarian algorithms may paradoxically increase casualties by postponing the adoption of a safer technology. [...] Alex Hern, *The Guardian*, 22 Aug 2016 If the age of self-driving cars is upon us, what's keeping them off the roads? <https://www.theguardian.com/technology/2016/aug/22/google-x-self-driving-cars> As Google and Uber trial prototypes, the future of fully driverless cars and safer roads should come sooner than anyone thought—but they're in no mood to rush. Alex Hern, *The Guardian*, 22 Aug 2016 Self-driving cars don't care about your moral dilemmas <https://www.theguardian.com/technology/2016/aug/22/google-x-self-driving-cars> Would it be better to hit a granny or swerve to hit a toddler? It seems like a dilemma, but the designers of self-driving cars say otherwise. As self-driving cars move from fiction to reality, a philosophical problem has become the focus of fierce debate among technologists across the world.
But to the people actually making self-driving cars, it's kind of boring.
Who would have ever guessed Google would remove the streets from its maps? https://productforums.google.com/forum/#!topic/maps/FdRFH9SLjos I thought it was my graphics card on the fritz. Yes, they really made the streets so white, you can't see them anymore. It's sort of like no longer being able to tell a five dollar bill from a ten dollar bill—you would never expect it to happen. Just makes China seem so much wiser, not allowing its populace to get over-dependent on Google products.
DC 911 Outage Caused by Contractor Hitting Emergency Shutoff Button, Officials Say The District's 911 system went down for 90 minutes over the weekend because a plumbing contractor hit an all-stop emergency shutoff button, officials said Monday. http://www.nbcwashington.com/news/local/DC-911-Outage-Caused-by-Contractor-Hitting-Emergency-Shutoff-Button-Officials-Say-391634231.html
[Source: Jessica Floum, [lower-case the] *San Francisco Chronicle*, 27 Aug 2016, PGN-ed] Forty years ago today, SRI's Don Nielson's team drove the van (which recently was celebrated at the Computer History Museum) to Rossotti's (the Alpine Inn Beer Garden) in Portola Valley, California, and hooked up a wired connection from the van to a computer on a picnic table, and then wirelessly were able to connect to SRI and onto The Internet. Don wrote in an e-mail, "It is nice to see the event noted, but the capital-I Internet is so very much more." Today we celebrate the fortieth anniversary of the first wireless connection to The Internet, for better (mostly) and for worse (spam, ransomware, malware distribution, etc.). I'm delighted that the *Chronicle* [whose masthead says *San Francisco Chronicle*, without the definite article—even though it is not the *only* institution of that name. We also note that we cannot refer to the SF Chronicle, because there is also a Science Fiction Chronicle.] quotes Don Nielson on the "capital-I Internet" and itself resists the slide into nonuniqueness of other media. Without The Internet, RISKS would not exist, and even if it did exist, a rather large number of the computer-related risks cases would not have existed. So, kudos to Don Nielson for his role in creating the wireless Internet era. PGN
Michael Kan, ComputerWorld, 29 Aug 2016 Security firm Medsec tried to use its research findings to drive down the stock of St. Jude Medical http://www.computerworld.com/article/3113385/security/medical-device-security-ignites-an-ethics-firestorm.html opening text: One security research company is taking a controversial approach to disclosing vulnerabilities: It's publicizing the flaws as a way to tank a company's stock.
The District's 911 system went down for 90 minutes over the weekend <http://www.nbcwashington.com/news/local/Officials-Internal-Power-Failure-Led-to-DC-911-Outage-391533041.html> because a plumbing contractor hit an all-stop emergency shutoff button, officials said Monday. The city's 911 system stopped working Saturday night after 11 p.m. It was back in service by about 1 a.m., said officials, including Mayor Muriel Bowser, who tweeted updates during the outage. The contractor who hit the button at D.C.'s 911 call center was looking for a plumbing leak that threatened highly sensitive equipment. D.C. emergency officials plan to add more security and signage to limit access to the button involved in the outage. The risk? Too rare use of signs saying DO NOT PRESS THIS BUTTON. Or, perhaps, having plumbing near sensitive equipment.
http://genomebiology.biomedcentral.com/articles/10.1186/s13059-016-1044-7 Gene name errors are widespread in the scientific literature. Mark Ziemann, Yotam Eren and Assam El-Osta, *Genome Biology* 2016, 17:177, DOI: 10.1186/s13059-016-1044-7, © The Author(s) 2016, Published: 23 August 2016. They provide their data sources. They wrote scripts to trawl through published papers on genetics which had data files attached, and checked those files for data errors. They screened 35,175 supplementary Excel files and confirmed gene name errors in 987 supplementary files from 704 published articles in 18 journals. Linear-regression estimates show gene name errors in supplementary files have increased at an annual rate of 15% over the past five years, outpacing the increase in published papers (3.8% per year). "In conclusion, we show that inadvertent gene name conversion errors persist in the scientific literature, but these should be easy to avoid if researchers, reviewers, editorial staff and database curators remain vigilant." The root problem is that the researchers who uploaded those files *never* checked them. There is a paper about the problem from 2004 which also shows the problem with gene names being turned into dates. See https://bmcbioinformatics.biomedcentral.com/articles/10.1186/1471-2105-5-80 So 12 years after the paper was published, geneticists still have not learned how to solve the problem. I've published a blog post explaining how to detect and prevent the error. https://sysmod.wordpress.com/2016/08/28/excel-gene-mutation-and-curation/ Patrick O'Beirne, Systems Modelling Ltd, XLTest Spreadsheet Auditing http://XLTest.com mob: +353 86 835 2233
Computerworld | Aug 24, 2016 7:22 AM PT A Cessna equipped with cameras is flying over Baltimore to conduct unblinking surveillance likened to 'Google Earth with TiVo' capabilities. http://www.computerworld.com/article/3112006/security/baltimore-cops-using-private-companys-aerial-cameras-to-conduct-secret-surveillance.html
Bing Maps relies on Wikipedia? Even a bit? Umm, guys, you do know anyone can edit it? We've got a screenshot of the Tweets above in case someone /ahem/ decides to delete them. <https://regmedia.co.uk/2016/08/23/wikipedia_tweets.jpg> Deletion may be an option because our exploration of the Wikipedia page for Melbourne suggests it had the correct co-ordinates back in February 2012. So there you have it: Bing Maps sometimes relies on Wikipedia data. That data can be edited by anyone and is therefore often contentious. As commenters pointed out in Sunday's story on this mess, Microsoft's motto was once "Where do you want to go today?" If your answer was Melbourne, you probably ended up using Linux. http://www.theregister.co.uk/2016/08/23/microsoft_lost_a_city_because_it_used_bad_wikipedia_data/ Gabriel Goldberg, Computers and Publishing, Inc. email@example.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
Ed Bott, ZDnet, 19 Aug 2016 Several mainstream tech sites this week published details of a purported new Microsoft support tool designed to fix problems with the Windows 10 Anniversary Update. After some digging, I can report that it is no such thing. My advice: Stay far away from this "Windows Self Healing Tool." http://www.zdnet.com/article/unauthorized-mislabeled-microsoft-support-tool-leaks-could-cause-more-trouble-than-it-cures/ selected text: If you want to be a Windows expert, one of the most important lessons to learn is skepticism. Whenever someone claims to have a magic fix-it tool or a MakeRocketShipGoFast registry tweak, you should keep it away from any system you care about until you can confirm it does what it says it does. In my experience, those claims rarely turn out to be true. The trouble is, this tool was built for internal use by support techs trying to resolve update issues on Surface devices. It was never authorized for general release, and it does far too much to be unleashed on an unsuspecting public with no documentation. One engineer who looked closely at what this utility was doing called it "a sledgehammer." Another support rep who also examined how it works was reportedly "frightened by some of the things this is doing."
Patrick Thibodeau, *Computerworld*, 26 Aug 2016 http://www.computerworld.com/article/3113032/h1b/fake-resumes-jobs-lead-to-real-guilty-plea-in-h-1b-fraud-case.html opening text: A Virginia couple has pled guilty to H-1B fraud charges in a scheme that made them millions, the U.S. Department of Justice announced Thursday.
(Lookout and Citizen Lab blog posts as reported on ZDnet, Aug 25) http://www.zdnet.com/article/apple-releases-important-security-update-for-iphone-after-malware-found/ Apple has released a security fix for iPhones and iPads following the discovery of malware targeting the platform that was found circulating in the Middle East. The patches fix three vulnerabilities (dubbed "Trident" by security firm Lookout)... <https://blog.lookout.com/blog/2016/08/25/trident-pegasus/> ... which could be used to access the device's location, read contacts, texts, calls, and emails, as well as turn on the device's microphone. The company said that the spyware that exploited the vulnerabilities was developed by an Israel-based company specializing in zero-day exploits. Citizen Lab explained in a blog post... https://deibert.citizenlab.org/2016/08/disarming-a-cyber-mercenary-patching-apple-zero-days/ ...that it had uncovered an operation by the security services of the United Arab Emirates to try to get into the iPhone of a renowned human rights defender, Ahmed Mansoor. The Canada-based security lab said that the UAE, which has long been criticized for its poor human rights record... https://www.hrw.org/world-report/2015/country-chapters/united-arab-emirates ...could turn an affected iPhone into "a sophisticated bugging device", adding: "They would have been able to turn on his iPhone's camera and microphone to record Mansoor and anything nearby, without him being wise about it. They would have been able to log his emails and calls—even those that are encrypted end-to-end. And, of course, they would have been able to track his precise whereabouts," said the blog post. Lookout said that the flaws included a memory corruption flaw in WebKit... <https://blog.lookout.com/blog/2016/08/25/trident-pegasus/> ...which would let an attacker exploit a device when a user clicks on an affected link.
Two other kernel vulnerabilities would let an attacker jailbreak the device, and then the attacker can silently install malware to carry out surveillance. [...which raises the 'old question' again: Is there any relief in finding out that it was "Our Guys" doing it ?!? Consider "If the FBI found its own iPhone backdoor, should it show Apple?" http://www.zdnet.com/article/should-the-fbi-tell-apple-how-it-unlocks-seized-iphone/ Using a zero-day flaw to bypass an iPhone's security is a backdoor by another name.] [Gene Wirchenko noted Shaun Nichols, *The Register*, 25 Aug 2016, Update your iPhones, iPads right now—govt spy tools exploit vulns Pegasus snoopware package used against activists and journalists http://www.theregister.co.uk/2016/08/25/update_your_ios_devices_now_theres_an_apt_in_the_wild/ See also iPhone Users Urged to Update Software After Security Flaws Are Found http://www.nytimes.com/2016/08/26/technology/apple-software-vulnerability-ios-patch.html ]
Charlie Osborne, IBM X-Force via ZDnet, 24 Aug 2016 <http://www.zdnet.com/article/goznym-trojan-spreads-to-attack-german-banks/> for Zero Day <http://www.zdnet.com/blog/security/> GozNym is continuing its rampage across Europe and has sourced a swathe of fresh banking targets in Germany. Researchers from IBM X-Force said on Tuesday that the financial malware, a Trojan discovered in April this year, has recently targeted 13 German banks and their local subsidiaries. <https://securityintelligence.com/goznyms-euro-trip-launching-redirection-attacks-in-germany/> <http://www.zdnet.com/article/goznym-banking-trojan-ramps-up-attacks-targets-europe/> It appears the operators behind GozNym have been busy during the summer season, with a sharp hike in attacks across Europe. According to the researchers, in August alone there has been a 3,550 percent spike in activity and a 526 percent rise in comparison to the total number of recorded attacks in April to July this year. GozNym first hit the spotlight after starting its journey in the United States. In early April, IBM revealed the Trojan—a hybrid comprised of the powerful Nymaim Trojan and Gozi ISFB source code—has been at the heart of the theft of "millions of dollars" from US banks and credit unions. <http://www.zdnet.com/article/goznym-the-double-headed-malware-monster-targeting-us-banks/> [...] The hybrid malware included an exploit kit dropper, web-injection capabilities, encryption, anti-VM, and control flow obfuscation, making the malware persistent, difficult to detect, and also powerful. IBM researchers say that the malware is now also used in redirection schemes which send victims to fraudulent, carbon-copy websites of financial institutions in order to lure them into parting with their online banking details. "It is evident that the gang operating the malware has the resources and savvy to deploy sophisticated cybercrime tactics against banks," the researchers say. 
"The project is very active and evolving rapidly, making it likely to spread to additional countries over time." The security team ranks GozNym as the eighth most active financial Trojan in existence, standing up against other malware which has been on the scene far longer, such as Zeus variants, Zberp, and Tinba. [...]
ESET researchers say by using Twitter to orchestrate infected devices, Twitoor is the first malicious software of its kind. http://www.zdnet.com/article/is-your-android-phone-being-controlled-by-a-rogue-twitter-account-botnet-is-first-to-receive/
Inside Facebook's (Totally Insane, Unintentionally Gigantic, Hyperpartisan) Political-Media Machine http://www.nytimes.com/2016/08/28/magazine/inside-facebooks-totally-insane-unintentionally-gigantic-hyperpartisan-political-media-machine.html How a strange new class of media outlet has arisen to take over our news feeds.
Reston VA (an "edge city" outside Washington DC, near Dulles Airport) has become increasingly urban. A few months ago, the company that owns many of the parking garages announced a plan to start charging to park there, which led to a large outcry from locals, and many people stating that they'll stop shopping in that neighborhood rather than pay for parking. But the more critical part of the new plan is the "feature" being added along with paid parking: the company is providing a web app where you enter your license plate number, and it shows a photo of your car, enabling you to find it quickly if you forget where you park. As I understand it, these cameras that capture where everyone is parked are relatively common, but the difference here is that anyone can look up anyone's license plate, not just their own. Concerns have been expressed that this could lead to privacy concerns, and enable stalkers. I've looked on the web site for the parking company, and it's silent on the details of how the app prevents such privacy issues. Avoiding the app presumably doesn't protect you—you won't be able to find your car, but others will find it in your place. (https://www.restontowncenter.com/parking/parking-faq) According to the article (link below) in the local paper, the system doesn't just show a photo of the license plate, but of the car, and potentially people getting in and out of the car. This is a significantly greater privacy risk. Yes, someone could be standing in the parking garage taking photos, but this automates the risk. I heard one suggestion that the problem is lack of authentication of the people making authentication inquiries. While authenticating who is making the inquiry might be useful, the bigger problem is that an arbitrary person should only be able to inquire about his/her own car, not any car. 
This could be done by connecting to the DMV database, allowing verification of whose car it is—but that would introduce other risks, as well as reducing the "friendliness" of the feature. https://www.restonnow.com/2016/08/23/rtcs-parking-cameras-are-security-risk-some-users-say/
Zack Whittaker for Zero Day, ZDnet, 26 Aug 2016 <http://www.zdnet.com/article/opera-resets-passwords-after-server-hack/> Opera has confirmed that a hacker breached one of the company's sync servers, potentially exposing passwords. The Norway-based Internet browser maker said in a blog post https://www.opera.com/blogs/security/2016/08/opera-server-breach-incident/ that it "quickly blocked" an attack on its systems earlier this week, but it admitted that some data was compromised, including "some of our sync users' passwords and account information", such as login names. But the company said it doesn't know the full scope of what was compromised. Opera said that it has reset all the Opera sync account passwords as a precaution. At the time of the attack, more than 1.7 million active users last month used the feature, which allows users to share website passwords across devices. The company confirmed that passwords are hashed and salted—an industry-standard practice to scramble passwords so that they are unusable—but didn't provide specifics on how, leaving no clear indication if the passwords can be unscrambled by an attacker. Opera staffer Tarquin Wilton-Jones, who wrote the blog post, said the company will "not divulge exactly how authentication passwords on our systems are prepared for storage", as this would "only help a potential attacker". Tarquin Wilton-Jones, Opera, 26 Aug 2016 *Opera server breach incident* https://www.opera.com/blogs/security/2016/08/opera-server-breach-incident/ [PGN-pruned]
<http://www.reuters.com/article/us-delta-air-outages-it-analysis-idUSKCN10N1A3> *Airlines will likely suffer more disruptions like the one that grounded about 2,000 Delta flights this week...* https://it.slashdot.org/story/16/08/08/1251252/delta-air-lines-grounded-around-the-world-after-computer-outage
> Recovering from a crash (i.e., restarting and resynchronizing with the > rest of the networked aviation world 'out there') must be "a nightmare" > --WU Actually, it's not. In the rare event that it crashes, TPF reboots in a few seconds. In the recent Delta fiasco, their TPF-based reservation system, which was somewhere else, was fine. The systems that failed and didn't restart were likely running more "modern" systems.
> The airlines' reservation system appears to have evolved > based on some 1960's technology IBM software marketed since the 70's Some of the legacy/vintage technology isn't so bad after all. Before it was called "cookies", invisible text was on the screen so "send screen" sent an entire record including the program-generated invisible text to continue the transaction/session. I am under the impression that CICS depended on that trick a lot. > Recovering from a crash (i.e., restarting and resynchronizing with the > rest of the networked aviation world 'out there') must be "a nightmare" Long ago there was "checkpoint/restart": http://www.computerworld.com/article/2588055/disaster-recovery/checkpoint-and-restart.html https://en.wikipedia.org/wiki/Application_checkpointing But that was before network links with context at the other end, shared file systems and other extremely volatile data. Integrating the process' checkpoint/restart to a ZFS snapshot MIGHT help but there's still a lot of data outside that domain. 'tis a puzzlement!
A decade after unrecoverable data loss associated with use of Microsoft Excel on genomic data was first reported in RISKS-24.19, hundreds of scientific papers in the literature (including the same journal where the problem was originally reported) were found to suffer from corruption. http://genomebiology.biomedcentral.com/articles/10.1186/s13059-016-1044-7 Relevant quotes: "To date, there is no way to permanently deactivate automatic conversion to dates in MS Excel and other spreadsheet software such as LibreOffice Calc or Apache OpenOffice Calc." and "We also recorded several cases where gene name errors were located in the first few lines of a file—this suggests to us that these files were not properly reviewed before publication."
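The two gene-name items above (the O'Beirne post on the Ziemann et al. paper and this one) describe the same failure: a spreadsheet silently rewrites symbols such as SEPT2 and MARCH1 as dates and RIKEN identifiers such as 2310009E13 as floating-point numbers, and nobody re-reads the file before it is published. The script below is an added example, not code from the paper, the blog post or either contributor; it scans one column of a tab-separated supplementary table for cells that look like the output of such a conversion and, for the three gene families named in the paper, guesses the original symbol. The regular expressions, the month-to-family map and the sample table are assumptions constructed for the example.

```python
import csv
import io
import re

# Shapes a spreadsheet leaves behind after auto-converting a gene symbol.
# Constructed for this example from the error classes the paper describes:
# symbol -> date ("SEPT2" -> "2-Sep", "MARCH1" -> "1-Mar") and
# RIKEN identifier -> scientific notation ("2310009E13" -> "2.31E+13").
DATE_DMON = re.compile(r"^(\d{1,2})-([A-Za-z]{3})$")        # 2-Sep
DATE_MOND = re.compile(r"^([A-Za-z]{3})-(\d{1,2})$")        # Sep-02
DATE_ISO = re.compile(r"^\d{4}-\d{2}-\d{2}( 00:00:00)?$")   # 2016-09-02
DATE_SLASH = re.compile(r"^\d{1,2}/\d{1,2}/\d{2,4}$")       # 09/02/2016
# Excel always writes a signed exponent, so an unconverted "2310009E13"
# (no sign) is not flagged while "2.31E+13" is.
SCI_FLOAT = re.compile(r"^\d+(\.\d+)?[Ee][+-]\d+$")

MONTHS = {"jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"}
# Month abbreviation -> gene-family prefix. Assumption: these are the
# families the paper documents; other months have no common collision.
MONTH_TO_PREFIX = {"sep": "SEPT", "mar": "MARCH", "dec": "DEC"}


def classify_cell(value):
    """Return (kind, guess) for a suspicious cell, or None if it looks fine.

    kind is "date" or "float"; guess is the probable original symbol when
    the month maps to a known gene family, otherwise None.
    """
    v = value.strip()
    num = mon = None
    m = DATE_DMON.match(v)
    if m:
        num, mon = m.group(1), m.group(2).lower()
    else:
        m = DATE_MOND.match(v)
        if m:
            mon, num = m.group(1).lower(), m.group(2)
    if mon in MONTHS:
        prefix = MONTH_TO_PREFIX.get(mon)
        return ("date", f"{prefix}{int(num)}" if prefix else None)
    if DATE_ISO.match(v) or DATE_SLASH.match(v):
        return ("date", None)
    if SCI_FLOAT.match(v):
        return ("float", None)
    return None


def scan_gene_column(text, column="gene", delimiter="\t"):
    """Scan one column of a delimited table.

    Returns a list of (row_number, cell, kind, guess); row 1 is the header,
    so findings start at row 2, matching what a reviewer sees in the file.
    """
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    findings = []
    for row_number, row in enumerate(reader, start=2):
        result = classify_cell(row[column])
        if result is not None:
            findings.append((row_number, row[column], result[0], result[1]))
    return findings


# Constructed sample table: two real symbols and four mangled cells.
SAMPLE_TSV = """gene\tlog2fc
TP53\t-1.2
2-Sep\t0.8
1-Mar\t2.1
2.31E+13\t0.3
1-Dec\t-0.4
BRCA1\t0.9
"""

if __name__ == "__main__":
    for row_number, cell, kind, guess in scan_gene_column(SAMPLE_TSV):
        hint = f" (probably {guess})" if guess else ""
        print(f"row {row_number}: {cell!r} looks like a converted {kind}{hint}")
```

Running the check on a supplementary file before upload is the cheap half of the fix; the other half, as the quoted paper notes, is importing such columns as text in the first place, since the conversion cannot be switched off globally.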
Thank you, Lauren, for your wonderful post explaining why hiding passwords increases frustration and decreases security. It goes along with my long-standing statement: The more secure you make something, the less secure it is. (Lock all the doors at night and hard-working, dedicated employees/students will prop them open with whatever is available.) How do I deal with the invisible password? I first select a password and write it down. Then I carefully paste it into as many fields as needed. If paste is not allowed, I simply use a simple password in order to avoid typing errors. Does this enhance security? I leave the answer as an exercise for the reader. And don't get me started on passwords with onerous requirements that you are told about only after you have failed to do it correctly the first time, before you were allowed to see the rules. And poorly laid out keyboards on portable, screen devices, so I try hard to use only lowercase because it is so difficult to switch among the many layouts (upper case, symbols, digits) that invariably in switching I err, but because the password is invisible I can't tell. (And if I try to be alert for the brief flash of the typed item, the need to switch visual attention between the screen keyboard and the quick flash of the selected character leads to other errors.) What about security questions? I recall when I was asked for my favorite color, but when I typed "red" I was told that it had to be at least four letters. Or the system that asked for and then wouldn't let me use my father's middle name because it only had one letter. Fortunately, he spent most of his life in the pre-computer, pre-high-security era with his single letter middle name: he would not survive today. Back to security questions. I have learned to write all the questions and answers down, else I will never remember my answers. Does case matter? Who knows.
Or lazy programmers who insist on phone number syntax that either require certain symbols as delimiters or prohibit them. Same with date formats. When they are simply avoiding work, because there are lots of example cases where it is done properly (Microsoft has long been the leader), that allow almost any phone or date format, as long as it is unambiguous—they can convert it. Why do we have such bad security: because lazy and inept programming and security rules force us to simplify and cheat. And write things down. (Yes, I use 1Password, which doesn't have a nice free-text field where I can write down security questions and answers: I have to do workarounds.) Poor security practices lead to insecure systems because people try to defeat them with insecure workarounds (hence the prevalence of reused passwords and answers to security questions). These problems are well known. Moreover, they have been well known for a decade or more. But this is a common risk often discussed in RISKS: incidents repeat themselves in regular fashion. There appears to be no learning. Now, that turns out to be good for me and for other professionals in the usability and security business. There is no end of people who need our help. Even so, it is demoralizing. Should I write a book about these issues? (Oh, I already have. Many of them. But they only seem to be read by people who already understand these issues. I suspect that is true of the readership of RISKS: those who need these lessons the most do not read the books, journal articles, RISKS, and do not attend SOUPS and other relevant conferences. SOUPS, Symposium on Usable Privacy and Security, is now in its 12th year!) Don Norman, Prof. and Director, DesignLab, UC San Diego firstname.lastname@example.org designlab.ucsd.edu/ www.jnd.org <http://www.jnd.org/>
This is an excellent article, although I would have preferred for Monty to quote or paraphrase at least part of the article: I don't like having to click through just to get more than the subject line. I have one disagreement with the article: locking users out will only protect against crackers using brute force at the login interface. That is easy to protect against: after a few bad tries, make the user go through the password reset protocol (which generally involves being able to receive email). Or you can insert gradually increasing delays in your response time based on the number of bad attempts. But as I understand it, the dictionary attacks are mostly not used at the login interface. It's comparatively slow—you have to go over the net to attack it, and most sites _do_ block you after some number of failures. The dictionary attack is most useful after a cracker has stolen the encrypted password database. Sure, the encryption is (theoretically) one way: You can't "decrypt" the password even if you also steal the encryption key. But you _can_ run a massive brute force attack on the database: try everything in your dictionary (including common misspellings). Encrypt each proposed password via the "one way" algorithm, and compare with every entry in the DB. "Salting" helps slow that down, but the attacker can have nearly unlimited computing power thanks to botnets (which can, I understand, be rented by the hour). So I would propose that website operators not be _too_ aggressive in applying lockouts. I was recently "locked out" of Firefox Sync for too many bad tries because I had trouble remembering exactly how I had misspelled my password (made by sticking multiple words together which have a link that is meaningful to me, but unlikely to be found by a dictionary attack). Having to go through the reset protocol on multiple machines was a real pain.
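The post above makes two separable points: online guessing at the login interface is cheap to slow down (growing delays, a reset flow instead of a permanent lockout), while offline guessing against a stolen table is only slowed by salted, deliberately slow hashing. The code below is an added example illustrating the defender's side of both, not code from the post's author or from any site mentioned. The class and function names, the doubling delay schedule, the reset threshold, the fake clock and the iteration count are all assumptions chosen for the example; the `users` table is constructed inline.

```python
import hashlib
import hmac
import os
import time

# Storage side: per-user random salt + PBKDF2-HMAC-SHA256 with many
# iterations. The salt forces an attacker who steals the table to hash each
# guess separately for each user; the iteration count makes every guess slow.
ITERATIONS = 100_000  # assumption: tune to your hardware budget


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Decoy record so attempts on unknown accounts cost the same as real ones.
_DECOY_SALT, _DECOY_DIGEST = hash_password("decoy-not-a-real-password")


class LoginThrottle:
    """Per-account back-off at the login interface.

    The wait before the next accepted attempt doubles with each failure
    (capped at max_delay); after reset_after failures the account is routed
    to the password-reset flow instead of being locked indefinitely.
    """

    def __init__(self, base_delay=1.0, max_delay=60.0, reset_after=10,
                 clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.reset_after = reset_after
        self.clock = clock
        self._state = {}  # account -> (failure_count, earliest_next_attempt)

    def required_delay(self, failures):
        if failures <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def check(self, account):
        """'ok', 'wait' (back-off still running) or 'reset' (too many failures)."""
        failures, not_before = self._state.get(account, (0, 0.0))
        if failures >= self.reset_after:
            return "reset"
        if self.clock() < not_before:
            return "wait"
        return "ok"

    def record_failure(self, account):
        failures = self._state.get(account, (0, 0.0))[0] + 1
        self._state[account] = (failures, self.clock() + self.required_delay(failures))
        return failures

    def record_success(self, account):
        self._state.pop(account, None)


def attempt_login(throttle, users, account, password):
    """users maps account -> (salt, digest).

    Returns 'success', 'bad-credentials', 'wait' or 'reset'. The hash is
    always computed, so an unknown account takes as long as a wrong password.
    """
    status = throttle.check(account)
    if status != "ok":
        return status
    salt, digest = users.get(account, (_DECOY_SALT, _DECOY_DIGEST))
    matched = verify_password(password, salt, digest) and account in users
    if matched:
        throttle.record_success(account)
        return "success"
    throttle.record_failure(account)
    return "bad-credentials"


class _FakeClock:
    """Constructed clock so the demo is deterministic (no real sleeping)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Walk one account through back-off, recovery, and the reset threshold."""
    clock = _FakeClock()
    throttle = LoginThrottle(reset_after=4, clock=clock)
    users = {"alice": hash_password("correct horse battery")}  # constructed
    good, bad = "correct horse battery", "wrong"
    outcomes = [attempt_login(throttle, users, "alice", bad),   # bad-credentials
                attempt_login(throttle, users, "alice", good)]  # wait: 1 s back-off
    clock.now = 1.0
    outcomes.append(attempt_login(throttle, users, "alice", good))  # success
    for _ in range(4):
        clock.now += 100.0  # well past any back-off
        outcomes.append(attempt_login(throttle, users, "alice", bad))
    outcomes.append(attempt_login(throttle, users, "alice", good))      # reset
    outcomes.append(attempt_login(throttle, users, "nobody", "anything"))  # bad-credentials
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The throttle state here lives in a dictionary, which is fine for one process; a real deployment keeps it in shared storage so an attacker cannot dodge the counter by spreading attempts across servers, and would also count failures per source address, not only per account.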
I'm confused: when should I "sleep on it" and when should I continue my "flow time"? Some tasks require a lot of uninterrupted time to focus on one extremely engaging task, particularly learning. But sometimes taking a break/nap/sleep is required to stop spinning one's wheels and let another solution percolate. Our profession is not unique in pulling all-nighters, but it's sometimes legitimized, even glorified, as the way to get things done. I hope this is finally shedding light on what causes burnout. > [Why is this RISKS-relevant? I can think of many reasons, some directly RISKS-related. A) Operator fatigue contributes to crashes and other failures. That's why pilots and commercial drivers are allegedly limited in their number of working hours. B) Long ago there were time-and-motion studies to optimize productivity. Now, productivity spyware is often used to pressure employees to work faster regardless of the task's difficulty or the quality of service delivered for that quick outcome. Call centers are the main users of that tactic to maximize calls handled per hour, but at the risk of overstressing their employees. Physical injuries such as carpal tunnel and other repetitive stress injuries can be proven via x-ray or ultrasound. But what of mental stress and other intangible injuries? Perhaps this is a step toward giving some insight into that.
AlMac writes "The latest gift of The Internet of Things industry, revealed last week by security researchers at Bitdefender, is smart electrical sockets that can be hacked to hand over e-mail credentials, create a botnet, or (potentially) burn your house down by firing up connected appliances." <http://motherboard.vice.com/read/smart-electrial-sockets-could-be-the-next-botnet> Burning your house down by firing up appliances? Electrical safety standards are not perfect, but they have been around a long time (in Germany, about 120 years). Indeed, for about as long as mice have been gnawing through insulation on cables. Advice to those contemplating installation of "smart power outlets" seems obvious: if you are going to be spending on house electrics and you don't want to worry about your house burning down, then if your circuitry is more than a decade old your "smart money" goes first on residual-current devices and maybe arc-fault circuit breakers ("interrupters" in the US). It won't cost you much. You'll likely have something left over for your "smart power outlets". I have Type A RCDs on everything and was thinking of installing arc-fault protection. My electrician looked at me as you'd look at a person who puts on a bicycle helmet to walk down the stairs and said, quite slowly, "I can certainly do that if you wish". Some background to all this. Building circuits have overcurrent protection, short-circuit protection, more recently residual-current protection of various sensitivities, and, for the cognoscenti, arc-fault protection. Overcurrent and short-circuit protection are pretty much regulation in all developed countries; residual-current protection increasingly so, but countries also differ on the amount of residual-current detection/protection they require for new installations, even within Europe. I understand regulations in the US now require arc-fault protection in some, but not all, housing circuits in new installations.
https://en.wikipedia.org/wiki/Arc-fault_circuit_interrupter In Germany, an arc-fault protection device is called a "fire protection (circuit-)breaker" (Brandschutzschalter), emphasizing its perceived role. Building electrical installations vary notably in age and effectiveness. It's an interesting question to try to determine the age and adequacy of building electrics everywhere. In a survey via questionnaire of electrical home installations in a small town, Lübbecke, near Bielefeld, Christoph Goeker found that, of the homes of his respondents, 61% of building electrics were older than 30 years, and only a quarter younger than 20 years. https://rvs-bi.de/publications/Theses/Masterthesis_Christoph_Goeker.pdf (in German) Some general figures. It is said that 93% of Italian dwellings have residual-current protection, but only 32% of French (I have no idea how reliable these figures are. They occur in the last paragraph of Section 6.1 of http://www.leonardo-energy.org/sites/leonardo-energy/files/root/Documents/2009/Feeds_lo.pdf in inverse: the proportion of dwellings which don't have RCDs). Well over 60% of UK buildings have RCDs (Table in Section 6 of http://www.electricalsafetyfirst.org.uk/news-and-campaigns/policies-and-research/statistics/ broken down by building-ownership category) In Switzerland, apparently the figure is 100% since a 2010 law (3rd paragraph of https://de.wikipedia.org/wiki/Fehlerstrom-Schutzschalter#Schweiz , in German). Arc-fault detection and protection first came to the fore in aviation, after TWA 800 was discovered to have been the likely victim in July 1996 of a fire in fuel vapors in an "empty" tank ignited by residual current in the fuel quantity measuring system stemming from an arc fault somewhere in a wiring bundle. Although some people didn't think so. 
For example, http://catless.ncl.ac.uk/Risks/21/08#subj9.1 https://rvs-bi.de/publications/Papers/Scarry-refutation.pdf It was regarded as infeasible to inspect all wiring bundles in all aging aircraft, and arc-fault detection and protection seemed to be a reasonable solution. Since then, prices for arc-fault protection have come down considerably. Some 15-20 people die in Germany each year due to electrocution, and some 600 in building fires, of which about a third are thought to be caused by faulty electrics (general figures from Georg Luber of Siemens AG, the German representative on the IEC Advisory Committee on Safety), so let's say about 200 per annum. In the US, it seems the figure is 455 p.a. http://www.nfpa.org/public-education/by-topic/top-causes-of-fire/electrical/electrical-safety-in-the-home This is about the same number of people who die from the most common types of food poisoning, salmonella (380 p.a.) and campylobacter (76 p.a.) https://www.cdc.gov/salmonella/ http://www.cdc.gov/foodsafety/diseases/campylobacter/index.html In the UK, it seems that the number was only 46 deaths in 2011/12, with only 25 deaths put down to faults. See Section 3 of this: http://www.electricalsafetyfirst.org.uk/news-and-campaigns/policies-and-research/statistics/ (From these figures, the US has ten times the incidence of fire deaths from electrical faults as the UK, with a little over five times the population. But it appears Germany has five times the incidence amongst a population only one-third larger. So, caveat lector—something doesn't quite seem right to me about these figures as they are—I've lived in and looked at electrics in all three places.)
I know that electrical and other safety standards have existed since before I was born, and that over the years there has been continuous improvement. I also know that enforcement of these standards is non-existent in many places in the world, particularly in small towns, such as those I have resided in for many decades of my career, from which I am now retired. A little over 35 years ago, I moved into an apartment where some of the lights used an open flame, because the building was ancient, using both electricity and gas. This open flame for the gas lighting in the living room was totally legal in the town where I was working. I was unfamiliar with best safety practices when using open flames, so I refrained from using them, and instead got some electric lamps which could be plugged into electrical sockets, which incidentally did not have any grounding, which was also legal in that town. This is a common reality in parts of the USA, where the voters are generally opposed to government regulations. Regarding risks of setting a building on fire by powering up appliances when no human nose is around to detect the smoke, I have known of instances of:
. Building contractor work done by someone not qualified for the work they did, who supplied the property owner with fraudulent credentials;
. A home burning down thanks to defective electrical components, killing all occupants;
. Me coming close to death when my bedroom caught fire while I was sleeping there. No, I was not smoking in bed. I was in a town whose building safety standards were non-existent, so every building was a fire hazard.
In the fraudulent building contractor case, the property owner later found out and went to the police, but nothing could be done, because that was not a crime where it happened.
In my personal experience, including proprietary knowledge of electrical recalls, about which I cannot speak in public, electrical and other safety standards are poorly enforced in many areas of the USA, including:
. Retail sales of electrical components, some of which may be counterfeit or improperly labeled.
. Small-town America, where building safety standards can be non-existent.
. Rental property management, where things are replaced only when they break down, and sometimes not even then.
. Manufacturing supply chain record keeping, not good enough to make defects traceable.
. Records of where pipelines and utilities are located, so contractors know where not to dig.
In this USA reality, I think it is criminal negligence to sell a home "smart power" app which makes it possible for anyone in the world to turn on electrical appliances when no one is home to detect whether anything is overheating or smoke is coming from a wall plug. In fact I think a great deal of IoT sales, without any security, constitute criminal negligence, which places many people at needless risk.