http://www.tri-cityherald.com/latest-news/article141439099.html What happens when there are no human controllers available?
https://arstechnica.com/gadgets/2017/03/video-shows-galaxy-s8-face-recognition-can-be-defeated-with-a-picture/
https://www.theguardian.com/theguardian/2017/apr/01/fake-news-the-best-and-worst-april-fools-day-stories
April Fools' Day pranks 2017—a complete list of all of the day's Internet hoaxes https://www.washingtonpost.com/news/the-intersect/wp/2017/03/31/an-updated-and-depressing-list-of-all-the-april-fools-pranks-on-the-internet/
EFFector Vol. 30, No. 7 April 1, 2017 editor@eff.org
A Publication of the Electronic Frontier Foundation ISSN 1062-9424
effector: n, Computer Sci. A device for producing a desired change.

EFF Updates

* Surveillance Oversight Committees Confused `Oversight' and `Overlook'

The bipartisan leaders of the House and Senate Intelligence Committees apologized during a press conference this morning for failing to provide rigorous supervision of the intelligence community, blaming past years' inaction on a fundamental misunderstanding of the word *oversight*. House Intelligence Chairman Devin Nunes: "It was merely a miscommunication. We had mixed up the word *oversee* and the word *overlook*. We thought we were supposed to overlook the mistakes of the intelligence community, not provide oversight." Senate Intelligence Committee Richard Burr said, "We unequivocally condone the privacy invasions committed by U.S. intelligence agencies. Oh shoot, I mean condemn."
https://www.eff.org/pages/04/01

* European Union Announces Plan for Privacy Wall Around U.S.

European Union Commissioner for Justice Vera Jourova announced plans today to permanently protect Europeans' data from U.S. government spying with the newest transnational data agreement: Privacy Wall. Once approved by the European Commission, the EU will begin constructing a thirty-foot wall around the United States. Only U.S. tech companies that comply with EU privacy restrictions and prohibit U.S. government access to their data will be given fiber optic grappling hooks to transport Europeans' data across the Atlantic, over the wall, and back to their U.S.-based servers. U.S. lawmakers appeared unfazed by U.S. companies' complaints that Privacy Wall will effectively kill their business abroad, but they responded to alarm bells raised by officials in the intelligence community who are concerned about losing generalized access to Europeans' data.
https://www.eff.org/pages/04/01

* In Major Mix-Up, Oscars for Best Film Goes to Most Torrent-ed Movie

The Academy Awards suffered an astounding embarrassment this week when presenters Alfonso Ribeiro and Mayim Bialik incorrectly handed out the Oscar for Best Film to the most-frequently torrent-ed movie of 2016, Deadpool, instead of the actual winner, Moonlight. Hollywood is blaming the mistake on accounting firm PricewaterhouseCoopers, which is responsible for guarding the envelopes containing names of both Oscars winners and TorrentFreak's list of most frequently torrent-ed films. Having been left off the list of Best Film nominees altogether, Deadpool director Tim Miller and lead actor Ryan Reynolds were not in attendance at Sunday night's Oscars, giving Kanye West time to take the stage and correct the mistake.
https://www.eff.org/pages/04/01

* FBI Seeks Technical Backdoor to Un-Mute iPhones

Frustrated by silence on conference calls, the FBI is asking Apple to provide a backdoor so that the agency can un-mute iPhones across the world without the iPhone users' consent. "It's incredibly frustrating when you're waiting for someone to chime in on a conference call, and they're still on mute," FBI Director Jim Comey said at a press conference today. Comey appeared unmoved by arguments from technology and civil liberties advocates that creating a backdoor into all iPhones would undermine the privacy and security of tens of millions of technology users around the world. "Our work to protect this country's national security is too important to wait the seconds it takes for our analysts to unlock and un-mute their phones," Comey said.

When asked if the FBI was seeking a similar accommodation from Android-developer Google, Comey at first laughed, but quickly sobered and asked "wait, people still use Android?"
https://www.eff.org/pages/04/01

* EFF Releases Surveillance Self Defense for In-Person Meetings

EFF is out with an updated Surveillance Self Defense guide today that includes, for the first time, security tips for in-person meetings. Highlights include recommendations for verifying a person's identity, evading facial recognition systems, and circumventing censorship. For instance, you should have anyone you meet print off their public PGP key on red paper, fold that paper into the shape of a flower, and pin that paper flower to their lapel. Additionally, the guide recommends drawing Kiss-style shapes on your face with eyeliner to protect yourself from facial recognition technology and constantly carrying around a bullhorn so you can shout louder than anyone trying to limit your free speech.
https://www.eff.org/pages/04/01

* EFF Gives Posthumous Lifetime Achievement Pioneer Award to Perfect 10

EFF is awarding a 2017 Pioneer Award to recently-defunct men's magazine and prodigious copyright-litigation-loser, Perfect 10. EFF established the Pioneer Awards in 1992 to recognize leaders on the electronic frontier who are extending freedom and innovation in the realm of information technology. The awards celebrate those who have contributed substantially to the health, growth, accessibility, or freedom of computer-based communications. Perfect 10 is receiving a posthumous lifetime achievement Pioneer Award this year for its cutting-edge strategy of losing copyright lawsuits in order to advance the doctrine of fair use. After losing cases against Amazon, Google, CCBill, and Megaupload, Perfect 10 was finally liquidated in March of this year to satisfy a litigation debt to yet another victorious defendant, Giganews.

We salute Perfect 10's dozen-year campaign to help make the Internet more free by consistently losing in court. Bravo!
https://www.eff.org/pages/04/01

* Intelligence Community Unveils Emotional Vulnerabilities Program

Director of National Intelligence Dan Coats today revealed a new program by which the U.S. Intelligence Community will, when appropriate, disclose information about emotional vulnerabilities it discovers in the course of its national security work. Building off of the widely celebrated success of the vulnerabilities equities process (which still exists, we think?), U.S. intelligence agencies will begin sharing and sometimes publishing information about the personality quirks it discovers as it conducts surveillance of law-abiding Americans. "We hope to make the country more secure by letting people know that their roommate has arachnophobia, their brother is addicted to tanning beds, and their mother has a fear of being abandoned by her children," said Coats after flinching away from a pigeon that wasn't even flying toward the DNI.
https://www.eff.org/pages/04/01

miniLinks

White House Supports Day without a (Internet) Troll
Following the success of the Day Without a Woman general strike in March, the White House has thrown its support behind today's Day without a Troll Strike, during which all Internet trolls will disappear from comment sections and forums online.
https://www.eff.org/pages/04/01

Comcast to Assimilate with the Borg
Looking to increase its market share, nationwide reach, and overall reputation for evil, the Borg has announced that it is assimilating broadband giant Comcast. "This merger will benefit consumers and boost broadband competition, and the federal government should quickly approve it," Comcast's David Cohen said in a statement. "Plus, resistance is futile."
https://www.eff.org/pages/04/01

White House Releases Diceware Passphrase List
In an attempt to demonstrate President Donald Trump's tech savvy, the White House has released a list of suggested words to use when attempting to create a secure passphrase. "Our list has the best words," said White House Press Secretary Sean Spicer. "Words like tremendous, disaster, MAGA, big-league, low-energy, beautiful, and winning. Sad!"
https://www.eff.org/pages/04/01

~ FBI Director Acknowledges Secure Backdoors Are Impossible
FBI Director Jim Comey said today that his agency, agreeing with technical experts, has officially concluded that it is impossible to create a backdoor into encrypted technologies without undermining users' security. Nope, even that's too ridiculous for an April Fools' newsletter.
https://www.eff.org/pages/04/01

815 Eddy Street, San Francisco, CA 94109-7701, United States
http://www.pewinternet.org/2017/03/29/the-future-of-free-speech-trolls-anonymity-and-fake-news-online/
https://krebsonsecurity.com/2017/03/why-i-always-tug-on-the-atm/ [This item is a very nice warning about one of the clever ATM skimmer augmentations: real ATMs with a Fake Camera-based Appendage. PGN]
There were reports that, at the start of the Falklands War, the French government declined to disclose the codes that would cause Exocet missiles (that they had sold to the Argentine air force) to abort/self-destruct. After HMS Sheffield was severely damaged (and scuttled as a war grave of 20 dead sailors), they disclosed the codes. No warship was hit after that, only a requisitioned civilian RoRo vessel that lacked the technology to communicate with the inbound missiles. SS Atlantic Conveyor was hit by two Exocets, killing 12 crewmen and badly injuring many others in the ensuing fires. Eight years later, there were reports that, in Operation Desert Storm ("Gulf War I"), the Bloodhound ground-to-air missile system sold by Britain to the Iraqis was mysteriously unable to hit Coalition aircraft transmitting a particular IFF code. There were also reports of Bloodhound missiles, launched against RAF aircraft, turning around after launch and hitting the launchers instead. When I was "tidying up" in Kuwait after the war had ended, I was informed (by a reliable source) that British crews at least had been told they could ignore launch indications and were not to waste missiles on the launchers. The missile system had been "chipped".
With regard to the mention of the item on the BBC website that discusses an alternative and much more subtle version of malware, making changes to data which, while being too small to notice immediately, result in system failure, I have a real-world example. Many years ago I was asked to investigate why a relatively small financial accounting system dealing with regular payments contained an increasing number of discrepancies from the paper records. It turned out that the organisation in question had hired a programmer with a habit of getting themselves fired from jobs, without checking any of their references first. Sure enough, they managed to get fired from this job too. Said programmer had written a cron job which was set to start a (fairly well hidden) script if the programmer either had their user account deleted or didn't log in for 3 months. The program generated 4 random numbers: one of 3 digits, two single-digit numbers and the last of 2 digits, for example 894, 6, 2 & 74. This would change every 894th instance of a 6 into a 2, then the job would sleep for 74 days and run itself again, generating 4 new random numbers. It kept no record of its actions. This is insidious, as there is no traceability, other than who set it up and when it first ran (based on the date that the programmer was fired). We had no way of knowing for certain how many times it ran or what it changed. By the time anyone realised that the variances were something more than keyboard input errors, it had been running long enough for the subtle but incremental effects to be present in the Father and Son backup tapes. A copy of the records had to be recovered from the Grandfather tape and a lot of data had to be manually checked and re-entered from paper copies of the records to bring it up to date.

To my knowledge this incident never went public, hence my reluctance to name names or places, and it was at least 20 years ago (and before the Computer Misuse Act came into effect), so I couldn't be 100% certain of the finer points - I've slept since then.
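As an added illustration (not part of the contributor's post), the following Python reconciliation check diffs two backup generations field by field and profiles the changes by digit pair; an untraceable "every Nth 6 becomes a 2" job shows up as one pair far above the background of ordinary edits. The record ids and amounts are constructed sample data.

```python
"""Reconciliation check for slow, low-volume data tampering.

Added example: compares two backup generations (e.g. Grandfather vs. Son)
record by record and field by field, then counts single-digit
substitutions by (from, to) pair. Tampering of the kind described in the
post leaves no log, but it does leave a statistical fingerprint here.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: record id -> field values from two backup generations.
# Amounts are kept as strings so that digit positions are preserved.
GRANDFATHER = {
    "A1001": {"payee": "ACME", "amount": "1620.45"},
    "A1002": {"payee": "ACME", "amount": "86.16"},
    "A1003": {"payee": "BOLT", "amount": "6600.00"},
    "A1004": {"payee": "BOLT", "amount": "415.60"},
    "A1005": {"payee": "CORE", "amount": "120.00"},
}
SON = {
    "A1001": {"payee": "ACME", "amount": "1220.45"},     # 6 -> 2
    "A1002": {"payee": "ACME", "amount": "86.12"},       # 6 -> 2
    "A1003": {"payee": "BOLT", "amount": "6200.00"},     # 6 -> 2
    "A1004": {"payee": "BOLT", "amount": "415.60"},      # unchanged
    "A1005": {"payee": "CORE Ltd", "amount": "120.00"},  # legitimate edit
}

Change = Tuple[str, str, str, str]  # (record id, field, old value, new value)


def diff_generations(old: Dict[str, Dict[str, str]],
                     new: Dict[str, Dict[str, str]]) -> List[Change]:
    """Return every field whose value differs between the two snapshots."""
    changes: List[Change] = []
    for rid in sorted(set(old) | set(new)):
        o, n = old.get(rid, {}), new.get(rid, {})
        for field in sorted(set(o) | set(n)):
            if o.get(field) != n.get(field):
                changes.append((rid, field, o.get(field, ""), n.get(field, "")))
    return changes


def single_digit_substitution(old: str, new: str) -> Optional[Tuple[str, str]]:
    """Return (from_digit, to_digit) if the strings differ in exactly one
    position and both characters there are digits; otherwise None."""
    if len(old) != len(new):
        return None
    diffs = [(a, b) for a, b in zip(old, new) if a != b]
    if len(diffs) == 1 and diffs[0][0].isdigit() and diffs[0][1].isdigit():
        return diffs[0]
    return None


def digit_swap_profile(changes: List[Change]) -> Counter:
    """Count single-digit substitutions by (from, to) pair; ordinary edits
    (renamed payee, different length) are ignored by design."""
    profile: Counter = Counter()
    for _, _, old, new in changes:
        pair = single_digit_substitution(old, new)
        if pair:
            profile[pair] += 1
    return profile


if __name__ == "__main__":
    found = diff_generations(GRANDFATHER, SON)
    for change in found:
        print(change)
    print(digit_swap_profile(found).most_common())
```

A dominant pair such as ('6', '2') with a count that keeps growing across generations is the cue to pull the older tape and reconcile against the paper records, as the post describes.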
This also happened after the Boston Marathon bombing. Based on brown skin and dark hair, Reddit users piled onto a witch hunt that misidentified missing, already dead (4 weeks), Brown University student Sunil Tripathi as one of the bombers. http://www.cjr.org/analysis/sunil_tripathi_was_already_dead.php "He was wrongly accused on Reddit, convicted on Twitter, and vilified on Facebook" Someone using a scanner to monitor police radio heard "Last name: Mulugeta, M-U-L-U-G-E-T-A, M as in Mike, Mulugeta." in a context that had nothing to do with the bombing and decided that "Mike Mulugeta" was one of the bombers. https://www.theatlantic.com/technology/archive/2013/04/-bostonbombing-the-anatomy-of-a-misinformation-disaster/275155/ http://www.dailymail.co.uk/news/article-3035378/It-beast-Moderator-Reddit-s-Boston-Bombers-thread-tells-millions-users-descended-subreddit-days-attack-identified-wrong-suspect.html https://en.wikipedia.org/wiki/Sunil_Tripathi News media then piled on by the hundreds, trying to contact Tripathi's family for sound bites and surrounding his parents' home. http://www.imdb.com/title/tt4087340/ So what triggers people to get it so wrong? Bruce Schneier talks of people overestimating unfamiliar risks while underestimating familiar risks. Were people trying to reduce their anxiety level by trying to convert a vague, nebulous risk to a (mis)identified risk? This gave them Tripathi and his family as a target for their outrage. Did venting that outrage make them feel better? Some people crave attention. Coming up with a name in an incident such as this gets them attention, but for all the wrong reasons.
What on earth was NASA doing in possession of ITAR data? Unless, of course, they needed permission to send arms into space?
The interesting aspect of this report is that it is an excellent example of where security countermeasures (in this case patches) can conflict with safety controls (in this case the fire alarm system). Standards are starting to recognise not only the importance of protecting control systems and functional safety from cyber attack, but also managing the risk of incompatibility between safety functions and cybersecurity countermeasures. The evolving ISA/IEC 62443 series does give good guidance that tries to address the gulf of understanding between the safety and security domains. Balancing diverse risks is becoming an interesting but challenging need for safety-related systems.
Some people responded that they wanted store clerks to keep their jobs. That is a valid personal action based on reasoning from personal ethical principles. However, how many of us could afford to make as many phone calls or send as much email or text if every connection still had to be manually connected at the network switch centre and along the path? Others commented that checkout clerks are more efficient than most individuals. Your checkout clerk may vary. Also, as usual, "it depends". Most supermarkets have a multi-server multi-queue setup. Picking the wrong queue is a prescription for time out of your life that you will never get back, although some local supermarkets, Walmarts, Canadian Tires and Home Depots have a blend of both multi-queue and single-queue and attended or self-serve checkouts. (multi-server, single queue - Wendy's or most banks) (multi-queue multi-server - classic McDonald's and most supermarkets and other stores) I am immunocompromised. Waiting until a self-serve checkout is unused avoids close association with people in line and with the clerk. Depending on the time of day / week that can be zero queue time, while checkouts with attendants rarely have no queue. Stores close tills and redirect staff to other work if queues stop forming. At a local drug store recently I was subjected to a memorised pitch for one of their loyalty points cards, despite saying repeatedly "no, not interested, the answer was no" as the rote pitch went on and on. I then pointed out that she was being disrespectful of my time and the time of the people waiting in the queue. Afterward, I contacted the chain to complain, pointing out that assuming that I didn't get the message the first 10 times in recent years is hardly a compliment, that I didn't shop there often enough to make it worth my time, and that this experience made me less likely to shop there in the future.

The clerks often repeat the pitch for each customer, even when they have heard it already while waiting in the queue. Credit bureaus such as Equifax point out that credit and discounts are often a trade-off of privacy versus cost and credit. Higher credit risk involves higher prices; discount cards require you to pay with personal information, in addition to cash. My response to Equifax was that my wife and I make a point of not having a mortgage, auto loan, or other debt to preserve our privacy. Only people who use credit should have their information profile collected or released by Credit / Personal Information Reporting Bureaus. Cash should be sufficient payment for goods and services. Customers should not have to pay with personal information such as names, phone numbers and personal purchase profiles, in addition to cash, unless there is a Regulatory or Statutory Requirement to obtain the personal information. I have Asperger's Syndrome. I find the tendency of clerks to engage in banter annoying, confusing, and disrespectful of the time of the people being served, and the customers waiting in line. It detracts from the clerk's efficiency and interferes with their ability to make the correct change. Why do they often fail to enter the cash received correctly? Why can't they just give you the change amount shown on the till and the receipt, rather than trying to do arithmetic in their head because they don't realise that the amount is displayed for them and that they are making a mistake by trying to compute change amounts in their head? One time I went to buy some juice when I had laryngitis. When I failed to respond to "how are you" with the mandatory, non-optional, socially conventional response of "fine thanks, how are you", the clerk stood there doing nothing and staring at me, holding up me and the people in line behind me.

My laryngitis was quite evident when I responded that "I have laryngitis and I think that it is unprofessional of you to insist on chatting when people are waiting in line". People on the Autism Spectrum often have to be told that the "how are you" / "fine thanks, how about you" thing is a non-optional, mandatory social convention, and that people will often get annoyed if you actually tell them how you are. [Thanks. However, that's probably enough on this thread. PGN]
I doubt the ISPs will be dumb enough to sell the data. Google and Facebook don't sell theirs. It's the crown jewels. If the ISPs follow that model they will place ads on behalf of the advertisers, based on the data, which the ISPs will keep to themselves. But what liability is on the ISPs when this data is inevitably breached? Nothing?