The RISKS of online voting are well-known, and need not be covered again; well, not for a while anyway. However, there could be a new threat, should SQL be involved in the counting process. As usual, it involves SQL-injection, or the "Bobby Tables attack" (named after the famous XKCD comic). Although doubtless meant as a joke, the following URL should make hairs stand up upon one's neck: http://alicebobandmallory.com/articles/2010/09/23/did-little-bobby-tables-migrate-to-sweden (Basically it injects a "DROP TABLE" command.) There seem to be many such examples; another one is if you want to clear your driving record of speeding tickets: http://hackaday.com/2014/04/04/sql-injection-fools-speed-traps-and-clears-your-record/ (That one drops the entire database.) It's all a joke right now, of course, but how long will it be before it becomes real?
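The following is an added example, not part of the contributor's note or of either linked article. It assumes a hypothetical SQLite table `ballots` with a `candidate` column and three constructed ballots, and shows both ways a name typed into a "vote counting" form can subvert the count: a tautology that makes the vulnerable tally return every ballot, and the Bobby Tables payload that drops the table when the driver executes stacked statements. The parameterised versions treat the same strings as data.

```python
import sqlite3

# Constructed payloads. BOBBY is the XKCD payload adapted to this schema;
# TAUTOLOGY turns "WHERE candidate = '...'" into an always-true condition.
BOBBY = "Robert'); DROP TABLE ballots;--"
TAUTOLOGY = "Bob' OR '1'='1"


def fresh_db():
    """In-memory election database with three constructed ballots (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE ballots (id INTEGER PRIMARY KEY, candidate TEXT NOT NULL);"
        "INSERT INTO ballots (candidate) VALUES ('Alice'), ('Alice'), ('Bob');"
    )
    return conn


def count_votes_vulnerable(conn, candidate):
    """Builds the query with string formatting: the name becomes SQL text."""
    sql = f"SELECT COUNT(*) FROM ballots WHERE candidate = '{candidate}'"
    return conn.execute(sql).fetchone()[0]


def count_votes_safe(conn, candidate):
    """Parameterised query: the name is bound as a value, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM ballots WHERE candidate = ?"
    return conn.execute(sql, (candidate,)).fetchone()[0]


def record_ballot_vulnerable(conn, candidate):
    """String formatting plus executescript(), which runs every ';'-separated
    statement, like a driver with stacked statements enabled. (sqlite3's plain
    execute() refuses multiple statements, which is why the demo uses this.)"""
    conn.executescript(f"INSERT INTO ballots (candidate) VALUES ('{candidate}');")


def record_ballot_safe(conn, candidate):
    conn.execute("INSERT INTO ballots (candidate) VALUES (?)", (candidate,))


def ballots_table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'ballots'"
    ).fetchone()
    return row is not None


def demo():
    """Run both payloads against the vulnerable and the safe code paths."""
    results = {}
    conn = fresh_db()
    results["vuln_count"] = count_votes_vulnerable(conn, TAUTOLOGY)  # 3: every ballot counted
    results["safe_count"] = count_votes_safe(conn, TAUTOLOGY)        # 0: no such candidate
    record_ballot_vulnerable(conn, BOBBY)
    results["table_after_vuln"] = ballots_table_exists(conn)        # False: table dropped
    conn = fresh_db()
    record_ballot_safe(conn, BOBBY)
    results["table_after_safe"] = ballots_table_exists(conn)        # True
    results["bobby_stored"] = count_votes_safe(conn, BOBBY)          # 1: stored as a literal name
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The safe path needs no escaping logic at all; the placeholder guarantees the driver sends the string as a bound value, so a quote or a semicolon inside it has no syntactic meaning.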
Michael Kassner, TechRepublic, 4 May 2017, via ACM TechNews, 5 May 2017 Researchers at Peking University in China have found machine learning-based malware-detection algorithms cannot be used in real-world applications if they are easily bypassed by some adversarial techniques. The Chinese team reached this conclusion based on previous Google research demonstrating a technique to bypass malware-detection algorithms using altered information that maximized malware classification errors; this made it impossible for the detection algorithm to spot malware. The Peking University researchers built on the Google study by proposing the use of a generative neural network, called MalGAN, and altering the original samples to make input and output adversarial examples. The team trained a MalGAN generator to create adversarial examples that were capable of deceiving malware detectors. "Experimental results show that the generated adversarial examples are able to effectively bypass the malware detector," note Peking University researchers Weiwei Hu and Ying Tan. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-13797x211ba5x072646&
Matthew Hutson, *Science*, 2 May 2017, via ACM TechNews, 5 May 2017 A new study led by the Illinois Institute of Technology suggests artificial intelligence can outperform legal scholars in the prediction of U.S. Supreme Court rulings. The researchers built a general prediction algorithm based on the Supreme Court Database, drawing on 16 elements of each justice's vote, supplemented with other variables. For every year from 1816 to 2015, the team built a machine-learning "random forest" statistical model that reviewed all prior years and uncovered associations between case elements and decision outcomes. The model then examined the features of each case for that year to anticipate rulings, and was fed data about the rulings so it could update its approach and move on to the next year. The algorithm correctly forecast 70.2 percent of the high court's decisions and 71.9 percent of the justices' votes, while an earlier study found even knowledgeable legal scholars are only about 66 percent right in comparison. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-13797x211badx072646& [Whether this is statistically significant may be less important than whether the justices would trust the results. If they did, then they might start using this AI analysis to resolve difficult cases where they were deadlocked 4-4-1! PGN]
CVE-2017-5689 reports vulnerabilities in the implementation of remote management features on Intel chips. Intel has reported a set of vulnerabilities in the remote management of its business-grade processors (consumer-grade processors are reported not to be affected). The vulnerabilities permit non-authorized access to Intel's Active Management Technology, Intel Standard Manageability, or Intel Small Business Technology. The Intel chips contain a separate management processor with access to the integrated Ethernet. Intel's advisory notes that AMT and ISM are exploitable from the network; all three are vulnerable locally. The Register's article notes that the remote management processor uses "network port 16992" (unclear whether TCP or UDP; from context, probably TCP). Since this is a feature of the management firmware, it is below all OS and VM-level firewalls. From The Register: "In March 2017 a security researcher identified and reported to Intel a critical firmware vulnerability in business PCs and devices that utilize Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), or Intel Small Business Technology (SBT)," an Intel spokesperson told The Register. Intel is providing a signed firmware update by way of manufacturers. The Intel bulletin also includes interim mitigations. The Intel warning is at: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr An extensive article also appeared in The Register at: http://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/ - Bob Gezelter, http://www.rlgsc.com
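Because the management engine answers on the network below the host's own firewall, the practical first step is to find out which machines expose it. The script below is an added example (not Intel's or The Register's code): it sends a bare HTTP request to port 16992 (the port named above) and, as an added assumption, to 16993 for the same console over TLS, then fingerprints the `Server:` header the AMT web console returns. The sample responses are constructed; the AMT version string in them is made up. A hit means the interface is reachable and the firmware update from the advisory is urgent; no hit does not prove AMT is unprovisioned, so the local checks in Intel's bulletin still apply.

```python
import re
import socket
import ssl

AMT_HTTP_PORT = 16992   # from the item above
AMT_TLS_PORT = 16993    # assumption: same console over TLS

# Constructed responses for offline use; the banner is modelled on the
# Server header the AMT web console sends, with an invented version.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0A1B2C3D4E5F", nonce="abc", qop="auth"\r\n'
    b"Server: Intel(R) Active Management Technology 9.1.35\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OTHER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\nContent-Length: 0\r\n\r\n"
)

AMT_SERVER_RE = re.compile(
    rb"^Server:[ \t]*(Intel\(R\) Active Management Technology[^\r\n]*)",
    re.IGNORECASE | re.MULTILINE,
)


def classify_banner(response: bytes):
    """Return the AMT Server header value if the HTTP response came from the
    management firmware's web console, otherwise None."""
    m = AMT_SERVER_RE.search(response)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def probe(host: str, port: int = AMT_HTTP_PORT, timeout: float = 3.0) -> bytes:
    """Send a minimal GET to host:port and return the raw response, or b''
    on any socket error. The management engine answers this itself, so a
    firewall running inside the host OS cannot block it."""
    request = (
        f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")
    sock = None
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if port == AMT_TLS_PORT:
            # Only fingerprinting here, so the (usually self-signed) AMT
            # certificate is not verified.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        chunks = []
        while sum(len(c) for c in chunks) < 65536:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks)
    except OSError:
        return b""
    finally:
        if sock is not None:
            sock.close()


def scan(hosts, ports=(AMT_HTTP_PORT, AMT_TLS_PORT), timeout: float = 3.0) -> dict:
    """Map host -> 'port: banner' for every host whose management port answers as AMT."""
    found = {}
    for host in hosts:
        for port in ports:
            banner = classify_banner(probe(host, port, timeout))
            if banner:
                found[host] = f"{port}: {banner}"
                break
    return found


if __name__ == "__main__":
    import sys
    for host, banner in scan(sys.argv[1:]).items():
        print(f"{host}\t{banner}")
```

Run it as `python amt_check.py 10.0.0.5 10.0.0.6` against your own address ranges. The loop stops at the first responding port per host; scanning from outside the host is deliberate, since that is the vantage point the network-exploitable AMT and ISM variants are reachable from.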
Lucian Constantin, Computerworld, 4 May 2017 The FIN7/Carbanak gang deploys fake application compatibility patches to inject malicious code into other processes http://www.computerworld.com/article/3194587/security/cybercrime-group-abuses-windows-app-compatibility-feature.html selected text: When Microsoft made it possible for enterprises to quickly resolve incompatibilities between their applications and new Windows versions, it didn't intend to help malware authors as well. Yet, this feature is now abused by cybercriminals for stealthy and persistent malware infections. Security researchers from FireEye have recently seen the shim technique used by a group of financially motivated cybercriminals known in the security industry as FIN7 or Carbanak. Since 2015, this group has stolen between $500 million and $1 billion from hundreds of financial organizations worldwide.
http://fortune.com/2017/04/27/facebook-google-rimasauskas/
http://www.pcworld.com/article/3192484/security/russian-hackers-use-oauth-fake-google-apps-to-phish-users.html
Studios invested heavily in magnetic-tape storage for film archiving but now struggle to keep up with the technology Digital technology has also radically altered the way that movies are preserved for posterity, but here the effect has been far less salutary. These days, the major studios and film archives largely rely on a magnetic tape storage technology known as LTO, or linear tape-open to preserve motion pictures. When the format first emerged in the late 1990s, it seemed like a great solution. The first generation of cartridges held an impressive 100 gigabytes of uncompressed data; the latest, LTO-7, can hold 6 terabytes uncompressed and 15 TB compressed. Housed properly, the tapes can have a shelf life of 30 to 50 years. While LTO is not as long-lived as polyester film stock, which can last for a century or more in a cold, dry environment, it's still pretty good. The problem with LTO is obsolescence. Since the beginning, the technology has been on a Moore's Law-like march that has resulted in a doubling in tape storage densities every 18 to 24 months. As each new generation of LTO comes to market, an older generation of LTO becomes obsolete. LTO manufacturers guarantee at most two generations of backward compatibility. What that means for film archivists with perhaps tens of thousands of LTO tapes on hand is that every few years they must invest millions of dollars in the latest format of tapes and drives and then migrate all the data on their older tapes—or risk losing access to the information altogether. http://spectrum.ieee.org/computing/it/the-lost-picture-show-hollywood-archivists-cant-outpace-obsolescence <http://www.baseline-data.com/Resources/Blog/ID/25/The-History-of-LTO> <https://www.theregister.co.uk/2015/09/16/lto_has_15tb_gen_7_tape_format/> <http://www.enterprisestorageforum.com/continuity/features/article.php/3933731/Tape-Migration-Its-Not-Your-Grandfathers-Tape-Migration-Anymore.htm>
https://arstechnica.com/tech-policy/2017/04/fbi-allays-some-critics-with-first-use-of-new-mass-hacking-warrant/
http://fortune.com/2017/04/29/dina-mitchell-fitbit-flex-explosion/ The risk? Explosive trendy IoT devices? Or old-fashioned scams? Fortune reports. You decide.
*You go, business pro, and so goes your privacy.* [Rant on] You loved your phone but one day a useful part of it breaks—a sad day all around—amazingly right at the end of the 2-year contract with a carrier <http://www.city-data.com/forum/cell-phones-smartphones/1899178-need-phone-finish-out-2-year.html>. We'll just call that a coincidence. Today that time period is referred to as a payment plan [and one has the option of paying for the phone in full.] But that is not the topic for today—nor is the topic about the default on Chrome that can no longer be switched off which automatically plays <https://www.nytimes.com/2017/03/20/technology/personaltech/stopping-video-autoplay-on-google-chrome.html?_r=0> videos. Advertisers must and will find you. No, today's rant is about that other torment, shall we say, the Tyranny of the Default <https://pagefair.com/blog/2015/the-tyranny-of-the-default/>—which made an unwelcome appearance, in every sense of the word, on my new phone. That bit of psychology is what is built in to new versions of software—it is both condescending and malevolent at the same time. *How many apps are there in the out-of-box experience?* Well, we're talking about the operating system of the device and every single application that is installed on it. And the list of applications is a default set -- shipping with the product. Sometimes, as with Chrome, one might want to reset to the defaults. <http://www.thewindowsclub.com/reset-chrome-settings> For smartphone users who use the average of 27 <http://www.businessinsider.com/average-number-of-apps-vs-time-spent-2016-5> (yup, that's 27!!) apps, a new phone could present a bit of a challenge. Easy—make the unneeded shortcuts disappear. More work—uninstall the unwanted. More work, select (from some source) the wanted apps.
Maybe you started out with 35 out of the iPhone box <https://www.apple.com/iphone-7/specs/>, or maybe 50 pre-installed apps for the new Galaxy S8 <https://support.t-mobile.com/docs/DOC-34273>. *The problem: the defaults are all about sharing YOU.* Whether it is Facebook <https://support.t-mobile.com/docs/DOC-34273> privacy rules and disastrous live sharing <https://www.nytimes.com/2017/04/17/technology/facebook-live-murder-broadcast.html>, consider Google Hangouts <http://www.androidcentral.com/what-you-need-know-about-new-google-hangouts-and-google-voice> – a charming multi-device app <https://gsuiteupdates.googleblog.com/2017/02/google-hangouts-temporary-issues-with-firefox.html>, right? But if you have a brand new Galaxy S8, the default for Hangouts is to enable permissions to access the phone's Camera, Contacts, Location, Microphone, Phone, SMS and Storage, each of which must individually have App Permissions set to Off—because the defaults are set to On <http://www.androidcentral.com/run-permissions-why-change-android-60-may-make-you-repeat-yourself>. So let's say this phone sells 25 million or more <http://www.androidauthority.com/galaxy-s8-pre-orders-us-766770/>. Let's say that 42% of those buyers are 65+. <http://www.pewinternet.org/fact-sheet/mobile/> Conservative guess is that 10 million seniors globally will buy this new phone. Examining the permissions, setting the defaults to Off in individual apps <http://www.androidcentral.com/run-permissions-why-change-android-60-may-make-you-repeat-yourself>, like Hangouts – only the determined (or crazy) will bother, no matter what age—as okayed by Congress for ISPs in March <http://www.pcworld.com/article/3185880/privacy/us-house-votes-to-undo-broadband-privacy-rules.html>. But that vote was a meaningless discussion about closing the barn door after powerful marketer inhabitants (like Google and Facebook) have long departed.
[Rant off] https://www.ageinplacetech.com/blog/default-sharing-you-data-privacy-nightmare
Few technological advancements bring to mind the American spirit of innovation like Henry Ford and his Model T. In the wake of his transportation innovation, the horse and buggy became an anachronism as the mass-produced automobile reshaped our cities, led to the emergence (for better or worse) of the suburbs, and revolutionized how we move goods and people. Now, there's little doubt that autonomous vehicles are the next frontier of transportation. These vehicles are projected to make our roads safer, potentially reducing fatalities by orders of magnitude. Along the way, however, there are a number of roadblocks to surmount: infrastructure issues, restrictive state licensing policies, driver education, cybersecurity and privacy vulnerabilities, and more. For innovators, regulators, and policymakers, solving these problems will involve a long to-do list, but a pointless regulatory scuffle over technology standards should not be on it. So why is the federal agency responsible for our road safety looking to introduce a totally avoidable roadblock to automotive innovation by mandating a severely flawed technological standard for vehicle communications? Here's the debate: Autonomous vehicles of the future will need to communicate with each other and the infrastructure around them, signaling to avoid collisions and informing other cars about traffic and road conditions. Cars will need to sense pedestrians and wildlife, and generally become better drivers than we are. There are two leading contenders for how this communication will happen: Dedicated Short Range Communications (DSRC) and next-generation wireless 5G networks. https://www.wired.com/2017/05/senseless-government-rules-cripple-robo-car-revolution/ The risk? 
Not answering the question the article poses: So why is the federal agency responsible for our road safety looking to introduce a totally avoidable roadblock to automotive innovation by mandating a severely flawed technological standard for vehicle communications?
I would hope that an autonomous vehicle would act more like an intelligent driver than a really stupid driver. An autonomous vehicle should detect the fact that it is approaching a junction, check the visibility of the other roads into the junction and approach at a safe speed given the visibility and seen and potential unseen traffic. The autonomous vehicle should also detect the road markings that are usually present along with a stop sign. An autonomous vehicle that dangerously "blows through" a junction because it did not detect the stop sign is dangerous in many other situations: a blind junction without a stop sign, a junction with the road markings but no stop sign, a junction where the stop sign has fallen down or been obscured by a tree, and so on.
This is a fairly difficult problem. For example, "apple" is in fact five Cyrillic characters that happen to look like Latin characters. TLDs forbade mixed-script names a long time ago, but it's going to be a challenge to identify strings entirely written in one script that happen to look like other strings entirely written in another unrelated script and somehow outlaw one or the other. As far as I know, only Cyrillic and Latin have this problem, but I don't claim to be a linguist.
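An added example, not part of the contributor's note, of the two checks the note distinguishes: rejecting a label that mixes scripts (which registries already do), and the harder case of a label written entirely in Cyrillic whose every letter has a Latin twin. The lookalike table is an assumption made for this example (Unicode's confusables.txt is the authoritative, much longer list); the domain labels in the usage are constructed.

```python
import unicodedata

# Cyrillic letters that, in common fonts, render like Latin letters.
# Assumed table for this example; written as escapes so the file is
# unambiguous even when the glyphs are not.
CYRILLIC_TO_LATIN = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u0455": "s",  # ѕ
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
    "\u04bb": "h",  # һ
    "\u04cf": "l",  # ӏ (palochka)
    "\u0501": "d",  # ԁ
    "\u051b": "q",  # ԛ
    "\u051d": "w",  # ԝ
}


def script_of(ch: str) -> str:
    """Coarse script bucket derived from the character's Unicode name."""
    name = unicodedata.name(ch, "")
    if name.startswith("CYRILLIC"):
        return "Cyrillic"
    if name.startswith("LATIN"):
        return "Latin"
    if name.startswith("GREEK"):
        return "Greek"
    if ch.isdigit() or ch == "-":
        return "Common"  # script-neutral, allowed alongside any script
    return "Other"


def scripts_in(label: str) -> set:
    return {script_of(c) for c in label} - {"Common"}


def latin_skeleton(label: str):
    """Rewrite every Cyrillic letter as its Latin twin; None if any letter has no twin."""
    out = []
    for c in label:
        if script_of(c) == "Cyrillic":
            if c not in CYRILLIC_TO_LATIN:
                return None
            out.append(CYRILLIC_TO_LATIN[c])
        else:
            out.append(c)
    return "".join(out)


def check_label(label: str) -> str:
    """Classify one DNS label, given in Unicode or punycode (xn--) form.

    'ascii'         plain ASCII, nothing to decide
    'mixed-script'  letters from more than one script (what TLDs already reject)
    'confusable:X'  entirely Cyrillic, yet renders like the Latin string X
    'ok'            single-script IDN with no Latin twin
    """
    if label.lower().startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    if all(ord(c) < 128 for c in label):
        return "ascii"
    scripts = scripts_in(label)
    if len(scripts) > 1:
        return "mixed-script"
    if scripts == {"Cyrillic"}:
        twin = latin_skeleton(label)
        if twin is not None:
            return "confusable:" + twin
    return "ok"


def check_hostname(hostname: str) -> dict:
    """Apply check_label to every label of a hostname."""
    return {lab: check_label(lab) for lab in hostname.split(".")}


if __name__ == "__main__":
    # Constructed labels: Cyrillic "apple", a Latin/Cyrillic mix, and a real Russian word.
    for name in ["\u0430\u0440\u0440\u04cf\u0435.com", "p\u0430ypal.com", "\u043c\u043e\u0441\u043a\u0432\u0430.ru"]:
        print(name, check_hostname(name))
```

The whole-script test is what lets a client fall back to showing the punycode form only for labels that would actually be mistaken for a Latin name, rather than penalising every Cyrillic domain; the same skeleton approach extends to other script pairs by adding their lookalike rows.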
This reminds me of an anti-virus application that ran on early Windows systems. When Windows 95 was introduced, it came up with the message "Your computer is infected with Windows 95", and offered to remove it. [Sounded like a good idea at the time. Now there are more recent versions that Microsoft might like to remove, such as all the unpatched zombie systems in China. PGN]
I'm a software engineer working in Israel, where this activity does not require licensing. I have presented myself as such, and discussed software engineering matters in previous RISKS issues. Since the RISKS list may be read in Oregon too, I hereby request all citizens of Oregon to remove my articles from any RISKS issues that they may have stored within the State of Oregon, or else I might also be fined by the Oregon State Board of Examiners for Engineering and Land Surveying for practicing engineering without license. [Amos, Might you ever move to Oregon? PGN]
Perhaps the US Government could set up some kind of national registry where every citizen and resident could be issued with a unique number. They could call it a "social security number". Then, all you have to do is persuade the cops to check this number. According to the "birthday problem" you only need 23 "John Smiths" for there to be a >50% probability that two share the same birthday. According to whitepages.com there are 1,791 John Smiths in New York. [Sarcasm does not overcome the problem. We have had cases in RISKS where two people with the same birthdate and name actually had the same SSN, unbeknownst to each other. There are cases where many people (e.g., migrant fruit pickers?) shared a single SSN (for the convenience of their employer?). And then there are people with multiple identities and multiple SSNs (for nefarious purposes?). PGN]
It seems that the team that designed the DMV's system did not include a Catholic or Anglican person. Many churches keep a calendar of saints, where each day of the year commemorates a certain saint; newborn babies are often given the name of the saint on whose day they were born. This custom greatly increases the odds that people born on the same date would also have the same first name, especially if that name is rare. [I suspect there are indeed even folks named Scholastica (10 Feb), Turibius (23 Mar), and Dung Lac (24 Nov). PGN]
It's in the nature of two factor authentication that if you lose the second factor, or it breaks, you're out of luck. One time I unwisely clicked a link on my mobile carrier's web site, and changed my phone number. All the 2FA tied to my old number stopped working even though it was the same phone. Oops. Another time I lost my phone, and even though the new phone had the same number, I lost the settings my bank uses to generate 2FA codes in their app, and the TOTP seeds in the Google Authenticator app. Oops. (For the latter, when I reset the accounts I scanned the seeds both on my phone and on my tablet, hoping not to lose them both at once.) I've also had the battery die in keyfob code generators. Oops. 2FA is a useful defense against some kinds of password stealing attacks, but it definitely has its own failure modes.

> (I can actually call the 1-800 number via skype as I have WiFi but if
> skype for mobile has a "dial a number" option I'm unable to find it.

In the Skype app, tap the handset icon at the upper right; the plus sign at the bottom should turn into a keypad icon. Tap that.
[Yet another reminder that the world is rather connected these days!] Bart Perkins, Computerworld, 2 May 2017 United Airlines' mishandling of Flight 3411 provides powerful lessons on how to avoid creating a crisis http://www.computerworld.com/article/3193764/it-management/lessons-from-a-flight-gone-wrong.html opening text: It's the stuff corporate nightmares are made of. The video of Dr. David Dao being dragged off United Express Flight 3411 on April 9, 2017, his face bloodied, quickly went viral. People (read: potential customers) questioned why a passenger who was already seated and held a proper boarding pass would be forcibly removed to make space for an airline employee. Social media feeds were swamped with bitter commentary. Ad parodies included taglines such as "We beat our competitors—not our customers" and "The only things we pull out of the plane are your two free checked bags." Jimmy Kimmel, Ellen DeGeneres and other entertainers had a field day. Down the road, the incident is likely to become a business school case study about how to turn a routine situation into a crisis. That's because what happened over the next few days amounted to a textbook case of how not to handle a public-relations disaster.