http://www.nytimes.com/2016/10/22/business/internet-problems.html?_r=0

Major websites were temporarily inaccessible to many users in the United States on Friday, after a major domain host reported two large distributed-denial-of-service attacks on its servers. Though the initial problems appeared to be resolved in just over two hours, they had resumed by the afternoon. Users initially reported problems <http://downdetector.com/status> with Twitter, Netflix, Spotify, Reddit, Etsy, SoundCloud, The New York Times and others.

  "A global event is affecting an upstream DNS provider. GitHub services may be intermittently available at this time." GitHub Status (@githubstatus), Oct. 21, 2016 <https://twitter.com/githubstatus/status/789452827269664769>

Dyn, a domain name system host that monitors and reroutes Internet traffic, said it began experiencing an attack just after 7 a.m. Friday that affected mostly users on the East Coast. Around 9:30 a.m., it said in a statement <https://www.dynstatus.com/incidents/nlr4yrr162t8> that service had been restored to normal. Just after noon, however, Dyn announced that it was again experiencing an attack, and, once again, users of sites including Twitter and Spotify reported more problems. The new outage appeared to affect West Coast cities like Los Angeles, as well. "Our engineers are continuing to work on mitigating this issue," Dyn said in a statement on its site. <https://www.dynstatus.com/incidents/nlr4yrr162t8>
https://www.engadget.com/2016/10/21/mirai-botnet-hacked-cameras-routers-internet-outage/

Today's nationwide Internet outage was enabled thanks to a Mirai botnet that hacked into connected home devices, according to security intelligence company Flashpoint. The distributed denial of service attack targeted Dyn, a large domain name server, and took down Twitter, Spotify, Reddit, The New York Times, Pinterest, PayPal and other major websites.
http://www.nytimes.com/2016/10/20/us/harold-martin-nsa.html Investigators found that stolen documents in the possession of Harold T. Martin III included top-secret NSA hacking tools that two months ago were offered for sale on the Internet.
A nine-year-old race condition has been discovered in the Linux kernel, involving copy-on-write. This race condition can lead to an escalation of privilege.

From the article: "While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild."

The complete Ars Technica article can be found at: http://arstechnica.com/security/2016/10/most-serious-linux-privilege-escalation-bug-ever-is-under-active-exploit/

Bob Gezelter, http://www.rlgsc.com
http://www.repubblica.it/scienze/2016/10/21/news/schiaparelli_foto-150301093/ For those who do not read Italian, the article cites statements attributed to Roberto Battiston, the president of ASI, the Italian Space Agency. Here is the translation of a few sentences, appearing in quotes also in the original: "If the computer did not make a mistake, we would have had the icing on the cake, but we do have the cake. In this case it was a fault of the computer, but nothing was wrong from the technical point of view." He concludes with: "Sure, without the error made by the computer everything would have been perfect, but I think we can be really happy." Applied Formal Methods Laboratory - University of Parma, Italy
http://www.nytimes.com/2016/10/21/us/private-security-group-says-russia-was-behind-john-podestas-email-hack.html The security group concluded that Hillary Clinton's campaign chairman was hacked by the same Russian foreign intelligence service that hacked the DNC.
http://www.nytimes.com/2016/10/20/technology/whoever-wins-the-white-house-this-years-big-loser-is-email.html The exposure of the Clinton campaign's internal emails shows that a ubiquitous, and vulnerable, communication tool is ready for the scrap heap.
https://www.washingtonpost.com/local/trafficandcommuting/obama-administration-unveils-new-rules-to-protect-air-travelers/2016/10/19/1dc7cd3e-960e-11e6-bb29-bf2701dbe0a3_story.html [Corrected URL thanks to Bob Gezelter. PGN]
More on Galaxy Note 7 Is Not Samsung's Only Problematic Product (RISKS-29.85): http://boston.cbslocal.com/2016/10/19/samsung-exploding-washing-machines/ [...] The affected washing machines have not been recalled even after a handful of washers have broken apart during the spin cycle. A federal class action lawsuit claims Samsung has known about the issue for years. Samsung says the potential safety issues are related to certain top-loading machines made between March 2011 and April 2016. They are now working with the Consumer Product Safety Commission to address the safety issue. [noted by Geoff Goodfellow, among others] [In the interim, Samsung recommends using the "delicate" cycle, which may or may not ease the problem. However, this does not seem to be a delicate issue, and it is difficult to separate fact from spin! PGN]
Complaint alleges that Samsung knew for years its technology was hazardous, saying a Galaxy S6 Active shot out 5-inch flames and left a user with melted flesh https://www.theguardian.com/technology/2016/oct/19/samsung-galaxy-s6-explosion-lawsuit-note-7-recalls
> St. Louis MO has an underground fire thanks to improper disposal of US
> government Manhattan Project era radioactive materials. This news from a
> year ago.)

No. Not at all. St. Louis has an underground landfill fire, the sort of fire that seems to occur frequently and may be due to battery disposal or other ignition sources. It happens to be near a different landfill which has no barrier, where uranium processing waste which is slightly radioactive was disposed of. The low-level radioactivities have nothing to do with the fire other than possibly being threatened by it.
There was that (fake of course) story of Brandy Bridges of Ellsworth, Maine and a $2,004.28 compact fluorescent lightbulb. We do have the "batteries" bin at work, so for me it's actually easier to properly dispose of batteries than of CFLs. Where I live CFL disposal locations are nowhere near where I live or work, and their stated fees range from "Charge" to "Charge. Free for CFLs. Call for more information" to "Not specified. Call for more information." So we're selling people hazardous waste as the next best thing since sliced bread, we don't tell them it's hazardous waste, and we don't provide the facilities for safe and convenient disposal of said hazardous waste. What could possibly go wrong.

PS. One has to wonder what's inside the LED lightbulbs: gallium arsenide?

Dimitri Maziuk, BioMagResBank, UW-Madison, http://www.bmrb.wisc.edu
A much better and more entertaining critique of this "trolley problem" discourse is this piece by Kate Griffin: http://www.kategriffin.info/post/stop_talking_about_trolley_problem What troubles me deeply here is how limited and loaded the "choices" are. As the website tells, "From self-driving cars on public roads to self-piloting reusable rockets landing on self-sailing ships, machine intelligence is supporting or entirely taking over ever more complex human activities at an ever increasing pace". We get to play God and choose whether the self-driving car kills three teachers or a beautician and a penguin. But we don't get to ask why self-driving cars have to be allowed on the public roads to kill people at all. And we certainly don't get to ask why cars in general get to take up so much public space. [...]
Regarding the idea of a customer-controlled setting for "altruism level", why in the world would anybody believe that such a setting would have any effect on how the autonomous vehicle operates? This is proprietary code that could have even simple bugs that accidentally invert settings. And no public view on how much effort the manufacturer put into physical tests of the safety algorithms. This just sounds like wishful thinking. [It seems more like Steve Bellovin's Security Flag and Drew Dean's ANGELIC bit—the dual of the EVIL bit. These were the lead items in the 2003 April Fool's issue, RISKS-22.66. PGN]
Frank Pasquale in his Slate article cites Judith Jarvis Thomson as an origin of the trolley problem. I recently read another article which cited a young contemporary philosopher. I think it's important to assign credit correctly. The trolley problem originated with the great Philippa Foot. Wikipedia cites 1967, but I haven't checked the original reference: https://en.wikipedia.org/wiki/Trolley_problem

The first article I have found by Jarvis Thomson which mentions it appeared in The Monist in 1976, pp. 204-217, and is available at http://monist.oxfordjournals.org/content/monist/59/2/204.full.pdf Jarvis Thomson cites Philippa Foot's discussion of the trolley problem on p. 206. This shows that Foot's discussion predates Jarvis Thomson's deservedly highly-regarded contributions.

Peter Bernard Ladkin, Bielefeld, Germany www.rvs-bi.de www.causalis.com
> Imagine you are driving down a two-lane road at about 45 miles per hour...

This trolley problem is too erudite! Surely there must be at least two other more realistic considerations:

* That just about all collisions will not present this black and white ethical decision.
* That the car being supposedly autonomous can decide itself over and above what its programmers have told it to do.

The first one is simply the reality that no two accidents are the same and not many will fit the Trolley Dilemma well. So they won't fit a sacrificial or selfish decision very well. For example, the car has airbags inside it, not outside it. So it's going to injure those it hits more likely than those inside it. This and many other considerations make it harder to weigh up what to do even in "Ideal Trolley".

The second one suggests that free will exists where there is enough complexity. This is Daniel C. Dennett's idea. Since car accidents are going to be complex situations with many variables, in fact programming hard and fast rules is not going to be optimal. Also, the simple interaction of even a small number of rules can bring about highly unexpected outcomes. The car in the accident is in the best position to call it! So I'm now wondering if only in retrospect will we be able to say the car acted in a utilitarian manner or not: we can't direct this.
I did the MIT "Moral Machine" survey mentioned in RISKS recently (which attempts to assess how self-driving cars should respond to 'trolley problems'). It struck me predominantly as an example of the risks of survey design -- that of hidden assumptions in the questions you ask. At the end of the survey your supposed preferences are presented as a series of sliders. Most of these sliders pertain to the gender, age, and perceived social value of the victims - none of which influenced my answers at all [1]. One of them pertains to whether or not the victims were jaywalking. (As it happens I live in an enlightened jurisdiction where there is no such offence.) This is described in the questions, consistently, as "flouting the law". This is of course gratuitously leading the witness; an automated car cannot possibly tell if someone has made a conscious decision to flout the law or has made an honest mistake. It is also particularly ironic since in all these hypothetical cases the automated car was flouting the law by driving too fast to stop in the distance it could see to be clear. One of them pertains to whether one prefers to save the lives of pedestrians or motorists. In spite of the fact that that was my sole basis for preference, preferring to save any number of pedestrians over any number of motorists, I only got a result about 2/3 of the way along that slider - in spite of getting maximum results from some of the gender/age/etc sliders which I hadn't had any preference on at all. Clearly the survey design was extremely bad at elucidating my preferences. [1] I ensured there was no risk of unconscious bias by selecting an answer at random when I had no preference based on my actual, clearly defined, criteria.
http://thehill.com/blogs/pundits-blog/campaign/301779-trumps-claim-the-election-is-rigged-is-unfounded
Anthony Youngman <antlists@youngman.org.uk>:
> But how can an election be legitimate if OVER HALF the voters select
> party A, and yet party B wins?

In the US Presidential elections people are not voting for parties. They are not even voting for the people named on the ballot. There is no "popular vote total" in the Presidential elections. Statements like "A got over half the popular vote" are completely meaningless. In the US, people are actually voting state-by-state for people called "electors", who are appointed by each state to participate in the Electoral College. Those electors actually cast the final votes for the President. They are supposed to be sworn to vote for the person (not the party) who won the state-wide popular vote, but I believe there have been cases of defection in the past. And even though the official "election" is assumed by many to close at 8PM local time and all the hoopla starts over who won and lost, it truly doesn't even take place until December when the Electoral College meets to cast their ballots.

This system was designed and described in the US Constitution when it was first written. It was intended to help alleviate the fears that large states would have complete control over the federal elections by giving a bit more say to the smaller states. That's part of being the "United States", not "One Large Undifferentiated Country". Each state gets two electors just for existing, and one elector for each U.S. Senator. The population disparity has grown so much that this benefit to small states isn't much of a benefit anymore, but switching to a pure popular vote system will not help resolve that, it will only make it worse.

This is supposed to be taught to everyone as part of their civics classes in grade school. It was in mine, but apparently not so much elsewhere. That's why we have so many people complaining that "A got more than 50% of the popular vote for President and didn't win!"
Why should I bother, if my vote is so unlikely to make a difference? What's the point? Could I point out that in an election where 100 million people cast ballots, your vote will ALWAYS be unlikely to make a difference. When voting for the local dog catcher in a tiny village where only 37 people are registered and nobody filed for the position, your one write-in vote may very well make all the difference. As soon as the difference between candidates reaches three, your vote didn't make a difference. It is a disingenuous excuse for laziness and apathy to cry "my vote doesn't matter". How do we fix that? We *cannot*. Unless you can find a way that MY vote makes some specific, measurable change in the outcome then my vote individually will never make a difference. It is, and always will be, the combination of everyone's votes that make a difference.
> But how can an election be legitimate if OVER HALF the voters select
> party A, and yet party B wins?

Because that's the electoral process that's in place. While debating whether it's a good one is certainly valid, saying it's not legitimate is entirely inappropriate and insulting. For us in the US it's a bizarre relic of a time when we couldn't logistically have a direct election in any kind of sensible timeframe. Just because it's representational democracy instead of direct democracy doesn't mean it's not legitimate. Said another way: Just because it's not how you'd like things to be organized, doesn't mean it's inherently wrong.
> Anyone following this discussion would be aware that when I wrote "whoever
> takes office," the risk is that due to the potential for hacking,
> unverifiable results, and Constitutional constraints, the person who takes
> office might not be the person who was elected.

Yes you are right: it is an important discussion.

> When the only viable choices are two evils, voting for a nonviable choice,
> casting an informal ballot, or choosing what an individual may consider to
> be the lesser of the two evils, is not for the good of anyone else, it is
> for evil any way you look at it.

I think I'll stick my neck out and say that I suspect but cannot prove that when more people vote, the choices get better. It's probably easier to believe that with declining turnout and disinterest in general, the choices get worse. I'll acknowledge that in compulsory voting, the choices (the candidates) are forced into the centre of the political spectrum since they each seek to reach the largest audience: the left candidate will go for the entire left and the right candidate the whole right, so they end up back to back in the middle. So when everyone votes, it may be harder to discern the major candidates. But then the candidates have to work harder to differentiate their policies.

> In Australia, the losers have a minority voice in government, in the US
> losers—like third parties—have no seats and no voice whatsoever.

My point was actually more basic than that: how much the winner wins by is important. Whether runoff or simple majority makes no difference. Those who expect their candidate to lose and don't support him/her anyway send no signal to the winner (and everyone else watching) about the mandate the winner receives. If he/she wins by a huge landslide it's going to be easier to make changes. If they win by a tiny margin, then the climate for change is different.

The remainder of this email reply is interesting cultural comment, but I've commented on what I know.
> But how can an election be legitimate if OVER HALF the voters select
> party A, and yet party B wins?

> If you want people to vote, you need to convince them that the person they
> *want* to vote for, stands a *decent* chance. As it stands, most people vote
> for the "least worst" candidate, and too many people take the attitude "a
> plague on ALL your houses!".

Response from a Brit: but we don't actually vote for governments, we vote for who we want to be our representative (Member of Parliament), and the party with most MPs forms the government (maybe in coalition with other parties if no majority), leading to possibly contrary results as said. There's probably some way of voting for parties on a national basis, but this leaves the problem of choosing a representative for each constituency (voter area): party lists?

Personally I'm somewhat prejudiced against proportional representation as we had a horrendously complicated system at college for Students' Union representatives, typically requiring over 20 candidates to be listed in order of preference (awkward if you'd never heard of 18 of them), usually resulting in the complete unknown who hardly anybody voted for winning as a result of the distribution of the 2nd, 3rd, 4th, 5th, etc. choice votes.

There are various ways of voting, each with their good and bad points, and it's certainly worth debating, but probably outside the scope of RISKS. At least we in the UK don't have to worry about electronic voting... yet. (There was a proposal for compulsory postal voting, but that was dropped after some scandals.)
"Determine if you're using outdated or less secure sign-in"?

Chris (e767pmk)

I've recently had slightly strange warnings from Yahoo! about e-mail access -- the help page says:

> App access and security
>
> Yahoo has a variety of ways for you to maintain your account security.
> Some third party email applications use an older security protocol to
> sign in to your account. Find out if you're using an app that fits this
> description and how to improve your app security.
>
> Determine if you're using outdated or less secure sign in
>
> * *Blocked access* - We may block sign in attempts from older apps and
>   you won't be able to access your Yahoo Mail.
> * *Email notices* - You may receive emails from Yahoo if we detect
>   sign in attempts from apps with outdated sign in security. If you
>   don't update your security, you'll continue to receive these notices.
> * *Common email apps using older security protocols for sign in* -
>   You're using the following:
>   o Outlook.com and Outlook desktop app for Windows and Mac
>   o Apple Mail on Mac OS 10.9 or lower
>   o Apple Mail on iOS 8 or lower
>   o Outlook Express
>
> More securely access Yahoo Mail and stop email notices
>
> * *Use our app* - Use the Yahoo Mail app for Android and iOS or
>   https://mail.yahoo.com.
> * *Use a third party email app with modern sign in security* - Like
>   the Mail app on iOS 9 or above for iPhone, or the newest, verified
>   Gmail or Outlook mobile apps.
> * *Review email applications that access Yahoo Mail on your computer
>   and mobile devices, and remove any saved Yahoo Mail passwords from
>   apps you no longer use* - Email apps that save your passwords may
>   regularly fetch new email data, which can trigger the email notice.
>
> Temporarily allow or deny access to apps using older security sign in
>
> While we don't recommend granting access to apps that use a less secure
> sign in method, you can temporarily choose to allow access to them for
> the time being.
In my case, I use a desk-top e-mail client and AVG anti-virus with POP3/SMTP -- it's AVG which handles the interface to the mail servers, which I've set for 'secure connection'. Is this the 'older security protocol' that Yahoo! is objecting to? A friend of mine pointed me to this URL: http://www.csoonline.com/article/3046496/security/google-microsoft-yahoo-and-others-publish-new-email-security-standard.html

I also remembered an item in a newspaper back in May this year about how some security software (including AVG, of course!) increases the possibility of man-in-the-middle attacks due to how they work.

So the question is: what happens next? Will new software be available to allow POP3/SMTP access as now but with better security, or will it require whole new e-mail applications? Personally I find e-mail web access rather clunky to use and prefer the desk-top client; one advantage is that I can read incoming mails offline and thus avoid them calling home when opened, so senders of spam/junk mails won't have any receipt confirmation. (And I don't want to have to change to a smartphone.)
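[Editor's added example, not part of Chris's post and not a Yahoo tool. The Yahoo notice never says what the "older security protocol" is; the script below assumes it means plain password sign-in (the IMAP LOGIN command and the PLAIN/LOGIN SASL mechanisms) as opposed to token-based sign-in (XOAUTH2 or OAUTHBEARER), which is the distinction the listed "modern" clients have in common. Given that assumption, the practical check is to ask the server what it advertises: TLS at the transport layer (the "secure connection" box in AVG) is a separate question from which sign-in mechanisms are accepted once the connection is up. The script speaks IMAP only; the poster's POP3 server exposes the same information through its CAPA response, which is not handled here. The capability strings in SAMPLES are constructed for illustration, not captured from any real server. The CSO article linked above concerns TLS between mail servers in transit, which is different again from how a client signs in.]

```python
"""Classify how a mail server lets clients sign in, from its IMAP CAPABILITY list.

Added example for the RISKS item above; it is not Yahoo's tool or the
poster's setup. Assumption: the "older security protocol" in Yahoo's notice
is plain password sign-in (the IMAP LOGIN command, AUTH=PLAIN, AUTH=LOGIN),
as opposed to token-based sign-in (AUTH=XOAUTH2, AUTH=OAUTHBEARER). The
capability strings in SAMPLES are constructed, not captured from a server.
"""
import imaplib
import ssl
import sys

PASSWORD_MECHS = {"PLAIN", "LOGIN"}
TOKEN_MECHS = {"XOAUTH2", "OAUTHBEARER"}


def classify_capabilities(caps):
    """Map a list of IMAP capability tokens to the kinds of sign-in on offer."""
    upper = {c.upper() for c in caps}
    mechs = {c.split("=", 1)[1] for c in upper if c.startswith("AUTH=")}
    # Per RFC 3501 the bare LOGIN command is permitted unless LOGINDISABLED is advertised.
    login_cmd_allowed = "LOGINDISABLED" not in upper
    return {
        "starttls": "STARTTLS" in upper,
        "login_disabled": not login_cmd_allowed,
        "password_auth": login_cmd_allowed or bool(mechs & PASSWORD_MECHS),
        "token_auth": bool(mechs & TOKEN_MECHS),
        "mechanisms": sorted(mechs),
    }


def risk_summary(info):
    """One-line verdict in the terms Yahoo's notice uses."""
    if info["token_auth"] and not info["password_auth"]:
        return "modern: token-based sign-in only"
    if info["token_auth"]:
        return "mixed: token sign-in offered, but password sign-in still accepted"
    return "legacy: password sign-in only"


def classify_line(line):
    """Classify one space-separated capability line; returns (info, verdict)."""
    info = classify_capabilities(line.split())
    return info, risk_summary(info)


def probe(host, port=993, timeout=10):
    """Connect over implicit TLS (port 993) and classify the live CAPABILITY response."""
    ctx = ssl.create_default_context()
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout) as conn:
        typ, data = conn.capability()
        if typ != "OK":
            raise RuntimeError("CAPABILITY failed: %r" % (data,))
        caps = data[0].decode("ascii", "replace").split()
    return classify_capabilities(caps)


# Constructed capability lines for offline demonstration (not real server output).
SAMPLES = {
    "legacy": "IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN",
    "mixed": "IMAP4rev1 ID MOVE UIDPLUS AUTH=PLAIN AUTH=XOAUTH2 AUTH=OAUTHBEARER",
    "modern": "IMAP4rev1 LOGINDISABLED AUTH=XOAUTH2",
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python imap_signin_probe.py imap.example.org  (hypothetical host)
        live = probe(sys.argv[1])
        print(sys.argv[1], "->", risk_summary(live), live)
    else:
        for name, line in SAMPLES.items():
            info, verdict = classify_line(line)
            print("%-7s %s  (%s)" % (name, verdict, ", ".join(info["mechanisms"])))
```

Run with no arguments it classifies the three constructed samples; given a hostname it opens a TLS connection on 993 and classifies what that server actually advertises. A "mixed" verdict is the case the Yahoo notice describes: the provider supports token sign-in, a client that still sends a saved password works for now, and the provider can turn that off by advertising LOGINDISABLED and dropping AUTH=PLAIN.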