"The fact that future nuclear weapons will be far more networked (though not necessarily to the open Internet) will create better safety and oversight, and allow for more coordinated operations. But more connectivity also introduces new potential vulnerabilities and dangers." https://www.theatlantic.com/amp/article/511904/ The idea that connectivity to the Internet wasn't rejected out of hand seems to indicate that the Air Force Scientific Advisory Board needs replacing very firmly. A blogger at the US Naval Institute certainly thinks so: <https://blog.usni.org/2017/01/04/there-are-bad-ideas-and-then-there-is-this-bad-idea> "Some support systems? Sure, but command, control, mission loading, arming, and launch must be contained in a robust, hardened, isolated & closed system. Simple, almost primitive, with multiple physical human interfaces required. To be even thinking of network access to the weapons systems themselves is the height of irresponsibility; even more irresponsible than a reliance on GPS or satellite systems as a point of failure between authorization, launch, and "servicing the target." Ahem." ICBMs as part of the IoT is, I'm pretty sure, the worst idea I've seen on the Internet since I started using it in 1992.
(WiReD, 27 Jan 2017)

[Peter, I'm feeling ambivalent about calling attention to this article, 'popular' in tone, but it does a decent enough job of explaining the basics... and while there is 'business hype' in the name-dropping and describing the possibilities, the author also is fair in pointing out the difficult and uncertain blessings of the technology... take a look-see and decide if and how you want to use it.]

Quantum Computers Versus Hackers, Round One. Fight!
https://www.wired.com/2017/01/quantum-computers-versus-hackers-round-one-fight/
Lily Hay Newman, *WiReD*, 27 Jan 2017

This week D-Wave, a leader in the nascent field of quantum computing, unveiled its latest machine, D-Wave 2000Q, as well as its first customer: a cybersecurity firm called Temporal Defense Systems. It's the first time quantum has been used to fight cybercrime, and if it works, it could reshape how security analysts protect their networks from harm. [...]

D-Wave's customers for earlier models range from Lockheed Martin to Google to Los Alamos National Laboratory. Now TDS, a cybersecurity company that builds hardware and software security products, will be the first private security business to seek improved results through next-generation computing. [...]

Quantum computing is far from a proven tool at this point, and it's just one of a handful of next-generation computing solutions being applied to thorny cybersecurity issues. The more opportunities it has to transform the world, though, the better the chance that it eventually will.
Dan Bilefsky, *The New York Times*, 30 Jan 2017
https://www.nytimes.com/2017/01/30/world/europe/hotel-austria-bitcoin-ransom.html

The ransom demand arrived one recent morning by email, after about a dozen guests were locked out of their rooms at the lakeside Alpine hotel in Austria. (The hotel was at maximum capacity.)

The electronic key system at the picturesque Romantik Seehotel Jaegerwirt had been infiltrated, and the hotel was locked out of its own computer system, leaving guests stranded in the lobby, causing confusion and panic.

"Good morning!" the email began, according to the hotel's managing director, Christoph Brandstaetter. It went on to demand a ransom of two Bitcoins, or about $1,800, and warned that the cost would double if the hotel did not comply with the demand by the end of the day, 22 Jan.

Mr. Brandstaetter said the email included details of a Bitcoin wallet, the account in which to deposit the money—and ended with the words, "Have a nice day!"

With the 111-year-old hotel brimming with eager skiers, hikers and vacationers, some having paid about $530 for a suite with a panoramic view and sauna, Mr. Brandstaetter said he decided to cave in. Guests had already complained that their electronic room keys were not working, and receptionists' efforts to create new ones had proved futile. Bashing down the doors was not an option.

Security experts said the attack on the hotel appeared to be a novel example of an increasingly malicious and prevalent type of modern-day piracy. The weapon? A type of software known as ransomware...

[Jim Reisert AD1C noted another article, Hotel ransomed by hackers as guests locked in rooms (Chris Summers)
http://www.dailymail.co.uk/news/article-4163886/Alpine-hotel-brings-locks-cyber-hacking.html
Benoit Goas noted
https://www.theregister.co.uk/2017/01/30/austrian_hotel_ransomware_attack/ ]
I recently was in a brand new hotel (around a week old), and their computer systems crashed the day I checked in, preventing them from knowing which room got cleaned or not. The room I was first given indeed wasn't made, but at least nobody else was in... Not sure if they could know that! They also had a big computer screen to display the next bus hours, which at one point later displayed only a pop-up screen with "your 7 day anti-virus trial version expired". Nothing really dangerous (as long as you don't need electronic keys to exit the rooms), but it can be more reliable to keep older technology!
[I wonder if this hack is related to any of the other recent high-profile Internet-wide CCTV hacks.]

Here's a non-sequitur:

"the intrusion was confined to the police CCTV cameras that monitor public areas"

"the safety of the public or protectees was never jeopardized"

If this conclusion were really true, then a "security theater" camera would be just as effective as a real camera, and they needn't have bothered fixing the cameras!

Clarence Williams, *The Washington Post*, 27 Jan 2017
Hackers hit D.C. police closed-circuit camera network, city officials disclose
https://www.washingtonpost.com/local/public-safety/hackers-hit-dc-police-closed-circuit-camera-network-city-officials-disclose/2017/01/27/d285a4a4-e4f5-11e6-ba11-63c4b4fb5a63_story.html

Hackers infected 70 percent of storage devices that record data from D.C. police surveillance cameras eight days before President Trump's inauguration, forcing major citywide reinstallation efforts, according to the police and the city's technology office.

City officials said ransomware left police cameras unable to record between Jan. 12 and Jan. 15. The cyberattack affected 123 of 187 network video recorders in a closed-circuit TV system for public spaces across the city, the officials said late Friday.

Secret Service spokesman Brian Ebert said the safety of the public or protectees was never jeopardized.

Archana Vemulapalli, the city's Chief Technology Officer, said the city paid no ransom and resolved the problem by taking the devices offline, removing all software and restarting the system at each site.

An investigation into the source of the hack continues, said Vemulapalli, who said the intrusion was confined to the police CCTV cameras that monitor public areas and did not extend deeper into D.C. computer networks. [...]
http://www.defenseone.com/ideas/2017/01/everything-i-need-know-about-russias-internet-interference-i-learned-through-college-pranks/134953/?oref=d-river Sean Havey It's not terribly difficult to inject fake news into conversation. One February, as a snowstorm headed for the Carolinas, a Raleigh television station debuted a Web form meant to allow local schools and businesses to send cancellations and snow delays straight to the live TV feed. Someone posted the URL to an unofficial university message board, and within minutes, mayhem erupted in the margins of the nightly news: <http://www.thewolfweb.com/message_topic.aspx?topic=180137&page=2> <https://www.youtube.com/watch?v=WcO3pyge-8w> But while our antics caused little damage aside from a few embarrassed faces in the newsroom, not everyone uses fake news for lulz. As recent events show, sinister actors use the same tricks to spread misinformation and deception—with potentially disastrous consequences.
Dustin Volz, Reuters, 27 Jan 2017 http://www.businessinsider.com/r-fbi-request-for-twitter-account-data-may-have-overstepped-legal-guidelines-2017-1 selected text: WASHINGTON, Jan 27 (Reuters) - The FBI appeared to go beyond the scope of existing legal guidance in seeking certain kinds of Internet records from Twitter as recently as last year, legal experts said, citing two warrantless surveillance orders the social media company published on Friday. Twitter said its disclosures were the first time the company had been allowed to publicly reveal the secretive orders, which were delivered with gag orders when they were issued in 2015 and 2016. In doing so, the orders bolster the belief among privacy advocates that the FBI has routinely used NSLs to seek Internet records beyond the limitations set down in a 2008 Justice Department legal memo, which concluded such orders should be constrained to phone billing records. The FBI did not immediately respond to a request for comment. An FBI inspector general report from 2014 indicated that it disagreed with the memo's guidance.
http://www.pcworld.com/article/3160836/software/severe-vulnerability-in-ciscos-webex-extension-for-chrome-leaves-pcs-open-to-easy-attack.html
Several highly visible Republicans (including Tiffany Trump, Steve Bannon, Steven Mnuchin) are registered in more than one state. That's not illegal, although Bannon apparently never lived in the house in Florida at which he was registered. That's illegal. (R 30 12) http://www.usnews.com/news/national-news/articles/2017-01-25/tiffany-trump-steve-bannon-steve-mnuchin-registered-to-vote-in-multiple-states [Additional names seem to be cropping up as well.]
Nick Bilton, BoingBoing via NNSquad http://boingboing.net/2017/01/31/the-future-of-fake-news-is-rea.html Nick Bilton reports on the next round of fake news tools that allow users to manipulate audio and video to change what's being said, a sort of real-time Photoshop for moving images and audio. Want to make it look like a celebrity used a taboo word, or misquote a politician? No problem.
AP via NNSquad
http://m.startribune.com/intentionally-or-not-big-brands-help-fund-fake-news/412040223/?section=nation

Wittingly or not, major global corporations are helping fund sites that traffic in fake news by advertising on them. Take, for instance, a story that falsely claimed former President Barack Obama had banned Christmas cards to overseas military personnel. Despite debunking by The Associated Press and other fact-checking outlets, that article lives on at "Fox News The FB Page," which has no connection to the news channel although it bears a replica of its logo. And until recently, the story was often flanked by ads from big brands such as the insurer Geico, the business-news outlet Financial Times, and the beauty-products maker Revlon.

This situation isn't remotely an isolated case, although major companies generally say they have no intention of bankrolling purveyors of fake news with their ad dollars. Because many of their ads are placed on websites by computer algorithms, it's not always easy for these companies to steer them away from sites they find objectionable.
That, in turn, links to a Google Groups Form, which requires active scripting and cookies. Given that Risks readers know the Risks of active scripting (and the privacy implications of anything hosted by Google), I'm surprised he thought it worthwhile to announce this here. Or is it just a test to see how many of us will browse unsafely just to submit a fake news site? [Intriguingly, Lindsay Marshall's newcastle site that houses the official searchable RISKS archive barfed on this item, blocking it perhaps because the website was brand new. PGN]
1. This story rumbled on over several days last week. As I understand it, the missile was unarmed and officially the test was to check the submarine's launch capability rather than the missile itself. The main news interest was who knew what and when, fueled by conflicting reports from UK and US commentators and governments, UK Prime Minister Theresa May evasively not answering questions about it in a TV interview, "we don't comment on security matters", etc. Presumably 'UK Unintentionally Launches Missile Attack On US' makes a better headline than 'Problem Found During Routine Test Firing'... :o)
http://www.telegraph.co.uk/news/2017/01/23/theresa-may-briefed-trident-missile-test-allegedly-misfired2/

2. Maybe I'm missing something, but I find the recent posts in RISKS on "fake news", "alternative news", "real news", and so forth rather ridiculous—can news reports be definitively graded as 'true' or not!??! The Royal Society has this on their web site, which seems right to me:

> The Royal Society's motto 'Nullius in verba' is taken to mean 'take
> nobody's word for it'.

https://royalsociety.org/about-us/

Tediously long article at
http://www.telegraph.co.uk/news/2017/01/23/theresa-may-briefed-trident-missile-test-allegedly-misfired2/
The link to ACARS went down, resulting in an inability for the company to send weight and balance information or communicate with aircraft via datalink. I don't know what specific part of the system failed.
> While ease of development may be in the eye of the developer, I certainly
> wouldn't commend for readability a language in which a blank in the wrong
> place might completely change the meaning of a routine!

This is an old chestnut. How many people remember PL/1? That was intended to be the ultimate programming language, iirc, and I found it a nice language, but it had a similar reputation. A misplaced parenthesis ran a serious risk of still leaving you with a valid program, but one that did something completely different from what you intended. Caused by the massive overloading of the meaning of said character.
I spent decades programming in languages like C and perl that marked grouping with { braces } and now mostly use python which uses indentation. While it took a little while to get used to it, now I find the python way works at least as well. Compilers remember the open levels of indentation so they can diagnose spacing typos where you return to an indentation level that was never opened, something C and perl can't do since all braces look the same. It also avoids a whole category of hard to find bugs in C programs where the indentation suggests one thing but the braces say something else. I think the moral here is that just because something is unfamiliar doesn't mean it's worse. I'm reminded of a famous article Don Norman wrote in 1981 about how awful the UNIX shell language (which at that time was the user interface) was. One of the UNIX guys pointed out that commands he complained weren't "natural" were because they weren't like the PDP-10 he was used to.
https://nakedsecurity.sophos.com/2017/01/27/data-privacy-day-know-the-risks-of-amazon-alexa-and-google-home/