The European Space Agency on 23 Nov 2016 said its Schiaparelli lander's crash landing on Mars on 19 Oct 2016 followed an unexplained saturation of its inertial measurement unit, which delivered bad data to the lander's computer and forced a premature release of its parachute. Polluted by the IMU data, the lander's computer apparently thought it had either already landed or was just about to land. The parachute system was released, the braking thrusters were fired only briefly and the on-ground systems were activated. Instead of being on the ground, Schiaparelli was still 3.7 kilometers above the Mars surface. It crashed, but not before delivering what ESA officials say is a wealth of data on entry into the Mars atmosphere, the functioning and release of the heat shield and the deployment of the parachute—all of which went according to plan. [...] *A one-second glitch and a 3,700-meter freefall* In its Nov. 23 statement, ESA said the saturation reading from Schiaparelli's inertial measurement unit lasted only a second, but was enough to play havoc with the navigation system. “[T]he erroneous information generated an estimated altitude that was negative. That is, below ground level. This in turn successively triggered a premature release of the parachute and the back shell, a brief firing of the braking thrusters and finally activation of the on-ground systems as if Schiaparelli had already landed. In reality, the vehicle was still at an altitude of around 3.7 kilometers.'' ESA said the sequence of events “has been clearly reproduced in computer simulations of the control system's response to the erroneous information.'' ESA's director of human spaceflight and robotic exploration, David Parker, said in a statement that ExoMars teams are still sifting through the voluminous data harvest from the Schiaparelli mission, and that an external, independent board of inquiry, now being created, would release a final report in early 2017. 
http://spacenews.com/esa-mars-lander-crash-caused-by-1-second-inertial-measurement-error/ [Also noted by Monty Solomon: Mars lander slammed into red planet after data glitch http://www.cnn.com/2016/11/24/health/schiaparelli-cause-mars-crash/ and Mary Shaw: Computer glitch blamed for European Mars lander crash http://phys.org/news/2016-11-glitch-blamed-european-mars-lander.html PGN]
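The failure chain ESA describes (a one-second saturated IMU reading, an attitude estimate polluted by it, an altitude estimate that went negative, and a landing sequence fired at 3.7 km) is worth seeing in miniature. The following toy estimator is an added example, not ESA's code or the Schiaparelli GNC design: it assumes a single-axis gyro with a full scale of 100 deg/s, a 2 deg/s nominal pitch rate and a 0.1 s sample period (all made up), and uses the page's 3.7 km as the slant range to the surface. The naive version integrates the pegged samples and declares "landed" on the first negative altitude; the guarded version treats a full-scale reading as carrying no information, coasts on the last good rate, and requires several consecutive below-ground samples before it will believe it has landed.

```python
"""Toy descent-navigation estimator showing why a saturated IMU reading must be
detected and rejected rather than integrated.  Constructed example: the
single-axis model, the gyro full-scale figure and the 2 deg/s nominal rate are
assumptions, not ESA's guidance, navigation and control design."""
import math
from typing import List, NamedTuple, Tuple

DT = 0.1                        # seconds per IMU sample (assumed)
GYRO_FULL_SCALE_DEG_S = 100.0   # assumed sensor limit; a pegged reading is meaningless
SLANT_RANGE_M = 3700.0          # the ~3.7 km the lander was actually above the surface


class Step(NamedTuple):
    t: float
    tilt_deg: float     # integrated attitude estimate
    altitude_m: float   # vertical altitude derived from slant range and tilt
    landed: bool        # would the sequencer believe the vehicle is on the ground?


def is_saturated(rate_deg_s: float, full_scale: float = GYRO_FULL_SCALE_DEG_S) -> bool:
    """A reading pinned at the sensor's limit says only 'at least this much'."""
    return abs(rate_deg_s) >= full_scale


def constructed_gyro_trace(n: int = 40, nominal: float = 2.0,
                           glitch: range = range(20, 30)) -> List[float]:
    """40 samples (4 s) of a gentle 2 deg/s pitch rate, with samples 20-29 (one
    second) pegged at full scale to mimic the one-second saturation."""
    return [GYRO_FULL_SCALE_DEG_S if i in glitch else nominal for i in range(n)]


def altitude_from_tilt(tilt_deg: float, slant_range_m: float = SLANT_RANGE_M) -> float:
    """Vertical altitude from a slant-range measurement; a tilt estimate past 90
    degrees makes this negative, i.e. 'below ground level'."""
    return slant_range_m * math.cos(math.radians(tilt_deg))


def naive_estimator(rates: List[float]) -> List[Step]:
    """Integrates every sample and declares 'landed' on the first non-positive
    altitude, which is the behaviour the page attributes to the crash."""
    tilt, trace = 0.0, []
    for i, r in enumerate(rates):
        tilt += r * DT
        alt = altitude_from_tilt(tilt)
        trace.append(Step(i * DT, tilt, alt, alt <= 0.0))
    return trace


def guarded_estimator(rates: List[float], confirm: int = 5) -> Tuple[List[Step], int]:
    """Two defences: hold the last valid rate while the gyro is saturated, and
    require `confirm` consecutive below-ground samples before declaring 'landed'.
    Returns the trace and the number of rejected samples."""
    tilt, last_good, below, rejected, trace = 0.0, 0.0, 0, 0, []
    for i, r in enumerate(rates):
        if is_saturated(r):
            rejected += 1
            r = last_good      # coast on the last trustworthy rate
        else:
            last_good = r
        tilt += r * DT
        alt = altitude_from_tilt(tilt)
        below = below + 1 if alt <= 0.0 else 0
        trace.append(Step(i * DT, tilt, alt, below >= confirm))
    return trace, rejected


def first_landed_time(trace: List[Step]):
    """Time at which the sequencer would fire the landing sequence, or None."""
    return next((s.t for s in trace if s.landed), None)


if __name__ == "__main__":
    rates = constructed_gyro_trace()
    naive = naive_estimator(rates)
    guarded, rejected = guarded_estimator(rates)
    print("naive: landing sequence at t =", first_landed_time(naive),
          "s, min altitude %.0f m" % min(s.altitude_m for s in naive))
    print("guarded: landing sequence at t =", first_landed_time(guarded),
          "s, rejected", rejected, "samples, min altitude %.0f m"
          % min(s.altitude_m for s in guarded))
```

Run stand-alone, the naive sequencer fires at t = 2.8 s with the estimate below ground, while the guarded one rejects ten samples and never drops below about 3,660 m. The design rule, not the made-up numbers, is the point: a sensor pinned at its limit should be flagged and excluded from the state update, and an irreversible action (releasing a parachute, cutting thrusters) should not hinge on one second of one sensor.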
via NNSquad https://medium.com/@jhalderm/want-to-know-if-the-election-was-hacked-look-at-the-ballots-c61a6113b0ba#.pmdcfg3vv "You may have read at NYMag that I've been in discussions with the Clinton campaign about whether it might wish to seek recounts in critical states. That article, which includes somebody else's description of my views, incorrectly describes the reasons manually checking ballots is an essential security safeguard (and includes some incorrect numbers, to boot). Let me set the record straight about what I and other leading election security experts have actually been saying to the campaign and everyone else who's willing to listen."
Wisconsin Elections Commission Receives Two Presidential Election Recount Petitions (Wisconsin Elections Commission) http://elections.wi.gov/node/4436
https://www.eff.org/deeplinks/2016/11/e-voting-machines-need-paper-audits-be-trustworthy https://www.washingtonpost.com/posteverything/wp/2016/11/23/u-s-elections-are-a-mess-whether-this-one-was-hacked-or-not/
via NNSquad https://www.washingtonpost.com/business/economy/russian-propaganda-effort-helped-spread-fake-news-during-election-experts-say/2016/11/24/793903b6-8a40-4ca9-b712-716af66098fe_story.html The flood of 'fake news' this election season got support from a sophisticated Russian propaganda campaign that created and spread misleading articles online with the goal of punishing Democrat Hillary Clinton, helping Republican Donald Trump and undermining faith in American democracy, say independent researchers who tracked the operation. Russia's increasingly sophisticated propaganda machinery—including thousands of botnets, teams of paid human "trolls," and networks of Web sites and social-media accounts—echoed and amplified right-wing sites across the Internet as they portrayed Clinton as a criminal hiding potentially fatal health problems and preparing to hand control of the nation to a shadowy cabal of global financiers. The effort also sought to heighten the appearance of international tensions and promote fear of looming hostilities with nuclear-armed Russia. Two teams of independent researchers found that the Russians exploited American-made technology platforms to attack U.S. democracy at a particularly vulnerable moment, as an insurgent candidate harnessed a wide range of grievances to claim the White House. The sophistication of the Russian tactics may complicate efforts by Facebook and Google to crack down on *fake news*, as they have vowed to do after widespread complaints about the problem.
NNSquad https://plus.google.com/+LaurenWeinstein/posts/KadPRM6jEA7 The fake news, filter bubbles, echo chambers, and hate speech issues that are now drowning the Internet are of such a degree that we need to call a major summit of social media firms, experts, and other concerned parties to hammer out practical industry-wide solutions. Working groups also need to be established forthwith. The status quo is no longer tenable.
Jessi Hempel, BackChannel, 16 Nov 2016 Take it from the Internet's chief myth busters: The problem is the failing media. https://backchannel.com/according-to-snopes-fake-news-is-not-the-problem-4ca4852b1ff0 The day after the election, news began swirling around social media that *New York Times* columnist David Brooks had called for President-elect Donald Trump's assassination. Snopes managing editor Brooke Binkowski had a feeling it was fake. Because, come on now, would a prominent columnist for a reputable news outlet really make that kind of comment? Snopes has made its business out of correcting the misunderstood satire, malicious falsehoods, and poorly informed gossip that echoes across the Internet—and that business is booming. Traffic jumped 85 percent over the past year to 13.6 million unique visitors in October, according to comScore. The site supports itself through advertising, and in the last three years it has made enough money to quadruple the size of its staff. Sure enough, a bit of Snopes reporting revealed that Brooks had written a column <http://www.nytimes.com/2016/11/12/opinion/the-view-from-trump-tower.html?_r=0> saying Trump would likely resign or be impeached within a year. A news item published on *The Rightists* claimed Brooks had then said in an interview for KYRQ Radio New York that Trump should be killed. Snopes found *The Rightists* doesn't even pretend to traffic in truth <http://therightists.com/about-us/>. In the site's *about* section, it describes itself this way: “This is HYBRID site of news and satire. part [sic] of our stories already happens, part, not yet. NOT all of our stories are true!'' What's more, the story's facts didn't add up. For example, the site claimed Brooks had made the comments on a radio station KYRQ that didn't exist. Verdict: FALSE.
<http://www.snopes.com/david-brooks-trump-needs-to-decide-if-he-prefers-to-resign-be-impeached-or-get-assassinated/> This is the state of truth on the Internet in 2016, now that it is as easy for a Macedonian teenager to create a website as it is for *The New York Times,* and now that the information most likely to find a large audience is that which is most alarming, not most correct. In the wake of the election, the spread of this kind of phony news on Facebook and other social media platforms has come under fire for stoking fears and influencing the election's outcome. Both Facebook and Google have taken moves to bar fake news sites from their advertising platforms, aiming to cut off the sites' sources of revenue.
via NNSquad https://www.buzzfeed.com/alexkantrowitz/2016-election-blew-up-in-facebooks-face As Facebook attempted to capture the fast-moving energy of the news cycle from Twitter, and shied away from policing political content, it created a system that played to confirmation bias and set the stage for fake news.
A lawyer representing PM Benjamin Netanyahu sent a letter to an unemployed man, threatening to sue for 130,000 NIS (about $30,000) for sharing an allegedly defamatory blog post on his Facebook page. It is still a mystery why this particular person was sued, and not the person who actually wrote the blog. I don't know if the blogger or the hosting site were even asked to take it down; last time I checked it was still there (it was first published in August), so I shared it too, just to see what happens... http://www.jpost.com/Israel-News/Politics-And-Diplomacy/Netanyahu-threatening-to-sue-unemployed-citizen-over-Facebook-post-473340
http://www.localmemphis.com/news/local-news/computer-system-chaos-at-the-shelby-county-criminal-justice-center The installation of a new computer program at the Shelby County [Memphis, TN] courthouse is causing big problems across the board. A spokesperson for the Shelby County Sheriff's Office says they expected there would be some problems with the changeover, but the question is, did anyone know just how bad it would be? “I think it's *bs* really,'' said DeJuan Jackson. Jackson considers himself lucky. After posting bond, it only took him two days to get released from prison. Others inside are taking much longer to get out.
http://arstechnica.com/security/2016/11/us-navy-warns-134000-sailors-data-breach-hpe-laptop-compromised/
https://www.theguardian.com/business/2016/nov/24/skoda-driver-decapitated-in-stuck-cruise-control-mystery The Bookout v Toyota Barr expert evidence came to mind.
London's *Daily Telegraph* reports the following story: http://www.telegraph.co.uk/news/2016/11/24/drivers-last-moments-recorded-999-call-ashe-tells-operator-cars/ Mr Gandhi's eight-and-a-half minute 999 call was played to the inquest. The coroner heard the Skoda hit the three-axle HGV with such force that its rear axle was pushed to the front of the trailer. The Skoda was found with its roof peeled off up to its rear wheels. Ian W Halliday, BA Hons, SA Fin, MBCS http://www.ianwhalliday.ltd.uk/
http://www.nytimes.com/2016/11/22/business/auto-safety-regulators-seek-a-driver-mode-to-block-apps.html Voluntary guidelines will be issued amid a spike in traffic fatalities in the last two years.
http://www.bostonglobe.com/business/2016/11/24/distracted-holiday-stress-mail-hackers-are-banking/F6VvnFDSuEzfi0IBEy1ibL/story.html
http://www.nytimes.com/2016/11/22/magazine/is-social-media-disconnecting-us-from-the-big-picture.html "In hindsight, that failure makes sense. I've spent nearly 10 years coaching Facebook—and Instagram and Twitter—on what kinds of news and photos I don't want to see, and they all behaved accordingly. Each time I liked an article, or clicked on a link, or hid another, the algorithms that curate my streams took notice and showed me only what they thought I wanted to see. That meant I didn't realize that most of my family members, who live in rural Virginia, were voicing their support for Trump online, and I didn't see any of the pro-Trump memes that were in heavy circulation before the election. I never saw a Trump hat or a sign or a shirt in my feeds, and the only Election Day selfies I saw were of people declaring their support for Hillary Clinton."
UMass to pay $650K in HIPAA settlement https://www.scmagazine.com/umass-to-pay-650k-in-hipaa-settlement/article/574905/ UMass settles potential HIPAA violations following malware infection https://www.hhs.gov/about/news/2016/11/22/umass-settles-potential-hipaa-violations-following-malware-infection.html
via NNSquad http://arstechnica.com/security/2016/11/google-warns-journalists-and-professors-your-account-is-under-attack/ Google is warning prominent journalists and professors that nation-sponsored hackers have recently targeted their accounts, according to reports delivered in the past 24 hours over social media. The people reportedly receiving the warnings include Nobel-winning economist and New York Times columnist Paul Krugman, Stanford University professor and former US diplomat Michael McFaul, GQ correspondent Keith Olbermann, and according to this tweet, Politico, Highline, and Foreign Policy contributor/columnist Julia Ioffe; New York Magazine reporter Jonathan Chait; and Atlantic magazine writer Jon Lovett. Reports of others receiving the warnings are here and here. Many of the reports included banners that Google displayed when account holders logged in. Ars spoke to someone who works for a well-known security company who also produced an image of a warning he received. The person said he was aware of a fellow security-industry professional receiving the same warning.
Discussion thread: If you're an Amazon user, I'm sure you know that your reviews appear under your public profile. Within your profile there is a sensitivity filter that can be set to prevent people from viewing your reviews of "sensitive" items directly through your profile but an easily accessible link that could be exploited by any user to view any other user's sensitive reviews directly through their profiles, regardless of the sensitivity settings. http://forum.elliott.org/threads/amazon-com-privacy-not-so-private.4435/ Surprise, as one response noted: Nothing is really private on the Internet, so a good rule of thumb is not to post anything on any website that you don't want to be public.
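The Amazon thread above is a textbook case of access control enforced in the user interface (the profile hides the link) but not on the code path that actually serves the data. As an added illustration, not Amazon's code and assuming nothing about its real endpoints, here is a constructed Python model of that mistake beside the fix: the flawed endpoint honours a client-supplied include_sensitive flag, while the hardened one derives the decision from the owner's own setting and the viewer's identity, so the setting holds no matter which URL is requested.

```python
"""Enforcing a profile-level 'hide sensitive reviews' setting on every code path
that serves reviews, not only in the profile page that decides whether to show a
link.  Constructed example with made-up users; it is not Amazon's code and assumes
nothing about Amazon's real endpoints."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Review:
    item: str
    sensitive: bool


@dataclass
class User:
    user_id: str
    hide_sensitive: bool                # the profile's sensitivity filter
    reviews: List[Review] = field(default_factory=list)


# Constructed sample data.
USERS: Dict[str, User] = {
    "alice": User("alice", hide_sensitive=True,
                  reviews=[Review("toaster", False), Review("medication", True)]),
    "carol": User("carol", hide_sensitive=False,
                  reviews=[Review("lamp", False), Review("pregnancy test", True)]),
    "bob": User("bob", hide_sensitive=True),
}


def profile_page(viewer_id: str, owner_id: str) -> dict:
    """What the profile renders: the filter is applied here, so the page looks
    correct, but this only decides which link appears on the page."""
    owner = USERS[owner_id]
    show_all = viewer_id == owner_id or not owner.hide_sensitive
    return {
        "reviews": [r.item for r in owner.reviews if show_all or not r.sensitive],
        "link": f"/reviews/{owner_id}?include_sensitive={'1' if show_all else '0'}",
    }


def reviews_endpoint_flawed(viewer_id: str, owner_id: str,
                            include_sensitive: bool) -> List[str]:
    """The direct endpoint trusts a request parameter: anyone who requests
    include_sensitive=1 bypasses the owner's setting, whatever the profile showed."""
    owner = USERS[owner_id]
    return [r.item for r in owner.reviews if include_sensitive or not r.sensitive]


def may_view_sensitive(viewer_id: str, owner: User) -> bool:
    """Single authorisation rule, derived from server-side state only."""
    return viewer_id == owner.user_id or not owner.hide_sensitive


def reviews_endpoint_hardened(viewer_id: str, owner_id: str,
                              include_sensitive: bool) -> List[str]:
    """Same endpoint; the client's flag is honoured only if the policy permits."""
    owner = USERS[owner_id]
    include_sensitive = include_sensitive and may_view_sensitive(viewer_id, owner)
    return [r.item for r in owner.reviews if include_sensitive or not r.sensitive]


if __name__ == "__main__":
    print("profile as seen by bob:", profile_page("bob", "alice"))
    print("flawed endpoint:  ", reviews_endpoint_flawed("bob", "alice", True))
    print("hardened endpoint:", reviews_endpoint_hardened("bob", "alice", True))
```

The fix is the single policy function consulted by every path that returns reviews; a setting that only changes what the page renders is a preference, not a control.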
ACM TechNews; 23 Nov 2016 Andrew Myers, *Stanford News*, 16 Nov 2016 Stanford University researchers have developed HitchHike, a tiny, ultra-low-energy wireless radio that enables data transmission using just micro-watts of energy. HitchHike "can be used as-is with existing Wi-Fi without modification or additional equipment," and consumers can use it today with a cell phone and an off-the-shelf Wi-Fi router, according to Stanford researcher Pengyu Zheng. HitchHike requires so little power a small battery could drive it for a decade or more, and it has the potential to harvest energy from existing radio waves and use that electromagnetic energy to power itself, potentially indefinitely. "HitchHike could lead to widespread adoption in the Internet of Things," says Stanford professor Sachin Katti. HitchHike is a variation on a backscatter radio. The system bounces Wi-Fi signals back into the atmosphere, a signal known as backscatter. In order to function as a true radio, HitchHike must produce its own messages, rather than reflect existing messages. To do that, the Stanford researchers developed "code word translation." HitchHike shifts its new signal to another Wi-Fi channel, thus avoiding the radio interference between the original signal and the new data stream. "HitchHike opens the doors for widespread deployment of low-power Wi-Fi communication using widely available Wi-Fi infrastructure and, for the first time, truly empower the Internet of Things," Zheng says. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-11ea0x2106cex048234&
via NNSquad http://www.nytimes.com/2016/11/22/technology/facebook-censorship-tool-china.html The social network has quietly developed software to suppress posts from appearing in people's news feeds in specific geographic areas, according to three current and former Facebook employees, who asked for anonymity because the tool is confidential. The feature was created to help Facebook get into China, a market where the social network has been blocked, these people said. Mr. Zuckerberg has supported and defended the effort, the people added. [This appears to be unsourced, but since it's in the New York Times, it's worth reading with that important proviso in mind. LW]
India has a financial crisis, which they brought upon themselves by poor planning. The economy is at a virtual standstill. Certain currency is believed to be heavily used by criminals and citizens who fail to pay taxes, so India declared that two rupee notes, which had been legal tender, would no longer be, and the people were given less than 2 months to get that currency converted to the replacement notes at banks and post offices. Since India is a nation where 90% of the population do business by cash, and 85% of it in the rupee notes going away, there has been a stampede to where they can convert their currency, with hundreds of people standing in line for a day, all over the nation. Some small businesses have gone out of business, because they cannot function with the rupee notes which are still legal tender. Since there is a ceiling on how much can be converted per person per day, small businesses have each of their employees and family members doing their share, magnifying how many people are waiting in line compared with what would have been the case without the daily limit. Employees of many businesses have abandoned their work, because now they must wait in line, day after day, to get their currency exchanged. In the first week, at least 33 people died because of the long lines and the shock. One person, who needed to get to a hospital, died because a taxi refused to accept the now-banned currency. ATM machines will take 2 weeks to be converted, having had no advance warning, but in the meantime issue a much smaller note. The nation is running out of some of the now-legal types of currency, including the replacement note. Didn't they have any idea how much was in circulation? There is no limit on how much of the currency which will be illegal next year may be deposited into bank accounts, but then the people will have to prove they paid taxes on that money, or else suffer severe tax penalties.
http://money.cnn.com/2016/11/18/news/india/india-cash-ban-explainer/ http://www.bbc.com/news/world-asia-india-37974423 http://www.huffingtonpost.in/2016/11/15/33-demonetisation-deaths-in-7-days-hospital-casualties-suicide/?utm_hp_ref=in http://www.firstpost.com/india/demonetisation-over-33-deaths-reported-across-india-after-announcement-of-currency-ban-3107738.html https://www.washingtonpost.com/news/wonk/wp/2016/11/22/india-just-made-a-big-mistake-with-its-currency-ban/ http://www.huffingtonpost.in/2016/11/22/this-is-not-what-we-suggested-says-anil-bokil-the-man-credit/ http://fortune.com/2016/11/23/visa-mastercard-india-modi-currency-ban-paperless-economy/ http://www.bbc.com/news/world-asia-india-38088800
[We noted Bruce's testimony to the Congressional site in the previous issue of RISKS. Here are some snippets. PGN]

Austin Powell, Daily Dot, 16 Nov 2016
Speaking before members of Congress, the Internet pioneer made clear the dangers of the Internet of Things.
<http://www.dailydot.com/layer8/bruce-schneier-internet-of-things/>

Internet pioneer Bruce Schneier issued a dire proclamation in front of the House of Representatives' Energy & Commerce Committee Wednesday: “It might be that the Internet era of fun and games is over, because the Internet is now dangerous.'' The meeting, which focused on the security vulnerabilities created by smart devices, came in the wake of the Oct. 21 cyberattack on Dyn that knocked Amazon, Netflix, Spotify, and other major web services offline. Schneier's opening statement provided one of the clearest distillations of the dangers posed by connected devices I've seen. It should be required viewing. He starts around the 1:10:30 mark in the livestream below, but we've also transcribed most of his remarks. Here's how he framed the Internet of Things, or what he later called the *world of dangerous things*:

As the chairman pointed out, there are now computers in everything. But I want to suggest another way of thinking about it in that everything is now a computer: This is not a phone. It's a computer that makes phone calls. A refrigerator is a computer that keeps things cold. ATM machine is a computer with money inside. Your car is not a mechanical device with a computer. It's a computer with four wheels and an engine. This is the Internet of Things, and this is what caused the DDoS attack we're talking about.

He then outlined four truths he's learned from the world of computer security, which he said is *now everything security*.

1) Attack is easier than defense

Complexity is the worst enemy of security. Complex systems are hard to secure for an hour's worth of reasons, and this is especially true for computers and the Internet. The Internet is the most complex machine man has ever built by a lot, and it's hard to secure. Attackers have the advantage.

2) There are new vulnerabilities in the interconnections

The more we connect things to each other, the more vulnerabilities in one thing affect other things. We're talking about vulnerabilities in digital video recorders and webcams that allowed hackers to take websites. There was one story of a vulnerability in an Amazon account [that] allowed hackers to get to an Apple account, which allowed them to get to a Gmail account, which allowed them to get to a Twitter account. Target corporation, remember that attack? That was a vulnerability in their HVAC contractor that allowed the attackers to get into Target. And vulnerabilities like this are hard to fix. No one system might be at fault. There might be two secure systems that come together to create insecurity.

3) The Internet empowers attackers. Attacks scale.

The Internet is a massive tool for making things more efficient. That's also true for attacking. The Internet allows attacks to scale to a degree that's impossible otherwise. We're talking about millions of devices harnessed to attack Dyn, and that code, which somebody smart wrote, has been made public. Now anybody can use it. It's in a couple dozen botnets right now. Any of you can rent time on one dark web to attack somebody else. (I don't recommend it, but it can be done.) [...]