The RISKS Digest
Volume 30 Issue 39

Saturday, 22nd July 2017

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Authorities shut down two black markets on the Darknet
NYTimes
On Reddit, Intimate Glimpses of Addicts in Thrall to Opioids
NYTimes
To tackle online crime, Israel approves web censorship law
Times of Israel
Uber and Airbnb Want To Tap Into India's Massive and Controversial Biometric Database
Gizmodo
FBI To Parents: Watch Out For Kids' Privacy With Internet-Connected Toys
Consumerist
Wifi Webcam TENVIS sends all it knows to dvripc.cn
turgut kalfaglu
PSA: Update iPhones/iPads to iOS 10.3.3 now to fix serious wifi vulnerability allowing attacker complete control
Geoff Goodfellow
Watch a Homemade Robot Crack a Safe in Just 15 Minutes
WiReD
TV computer weather animation proves global warming
Gabe Golding
Risks of hoarding vulnerabilities
Belfer Center et al.
9-year standoff between Ireland's DP Commissioner & Statistics Office
Bernard Lyons
Mixed standard output and error streams
Diomidis Spinellis
Connected cars—where to attack first?
FPF
Ransomware attack puts KQED in low-tech mode
San Francisco Chronicle
Facebook fights fake news spread via modified link previews
TechCrunch
Re: Charging Phone Kills 14-Year-Old Girl in Bathtub
Paul Fenimore
Re: Your pacemaker is spying on you
Rich Wales
Re: Western tech firms bow to Russian demands to share cybersecrets
Anthony Youngman
Martin Ward
Anthony Youngman
Re: Press kits or other publications on thumb drives?
Geoffrey Keating
Ivan Jager
Kelly Bert Manning
Re: Leaping Kangaroos
Dave Horsfall
Amos Shapir
Power outages caused by squirrels vs. kangaroos to date
PGN
Info on RISKS (comp.risks)

Authorities shut down two black markets on the Darknet

Monty Solomon <monty@roscom.com>
Fri, 21 Jul 2017 05:58:12 -0400
Nathaniel Popper and Rebecca Ruiz, *The New York Times*, 21 Jul 2017
The authorities took control of one large site, Hansa Market, and covertly
operated it to catch refugees fleeing the closing of the largest market,
AlphaBay.
https://www.nytimes.com/2017/07/20/business/dealbook/alphabay-dark-web-opioids.html


On Reddit, Intimate Glimpses of Addicts in Thrall to Opioids

Monty Solomon <monty@roscom.com>
Fri, 21 Jul 2017 09:06:01 -0400
https://www.nytimes.com/2017/07/20/us/opioid-reddit.html

Dispatches left on a now-banned forum show the role one of the world's
largest online communities played in facilitating access to drugs tied to a
mounting toll.


To tackle online crime, Israel approves web censorship law

Gabe Goldberg <gabe@gabegold.com>
Tue, 18 Jul 2017 11:18:46 -0400
To tackle online crime, Israel approves web censorship law
Courts may now order providers to block terror group websites, online illegal
gambling, prostitution services, hard drug sales.  ...

The court order may be issued only if it is essential to halting the
criminal activity taking place online; or essential to prevent the exposure
of the Israeli user to an activity that, would it be done in Israel, would
be a crime, and the website's activity has some connection to Israel; or if
the website belongs to a terror organization.

In certain cases, if the owner of the website is Israel-based, the court may
order the provider to seek the website's removal, rather than merely
restricting access, it said.

The courts may also order search engines to remove the websites from their
search results and may rely on classified government testimony to make their
decision. All affected parties must be present in court, the law said,
unless they were summoned and failed to appear. ...

http://www.timesofisrael.com/to-tackle-online-crime-israel-approves-web-censorship-law/


Uber and Airbnb Want To Tap Into India's Massive and Controversial Biometric Database

Lauren Weinstein <lauren@vortex.com>
Wed, 19 Jul 2017 13:56:47 -0700
NNSquad
http://gizmodo.com/uber-and-airbnb-want-to-tap-into-india-s-massive-and-co-1797066488

  The national ID database, Aadhar, contains information on about 90 percent
  of India's population of 1.3 billion people, as well as people working and
  living in the country.  Aadhar was launched in 2009 as a way to inhibit
  fraud and improve access to welfare and healthcare. But the
  biometric-based system has been criticized as Orwellian and dangerous
  because it can be used to monitor residents and because the nation has no
  privacy regulations. According to a report from India's Centre for
  Internet and Society, about 130 million citizens were put at risk of fraud
  after Aadhar data was recently leaked online.  Earlier this month,
  Microsoft also integrated Aadhar into Skype Lite, but the company said it
  will keep user information encrypted. As more companies use Aadhar data,
  the risk of personal data being leaked will likely increase.  Anonymous
  sources at Airbnb, Uber, and Ola told BuzzFeed News how the companies
  planned to use the controversial system.  Airbnb is interested in using
  the database to authenticate India-based hosts and is already testing it
  with a sample of users, according to an Airbnb spokesperson. Hosts
  selected for the test are given the option to use Aadhar to verify their
  identity.


FBI To Parents: Watch Out For Kids' Privacy With Internet-Connected Toys

Gabe Goldberg <gabe@gabegold.com>
Fri, 21 Jul 2017 16:07:44 -0400
A basketball, a Lego set, or a box of crayons is largely what it seems, but
modern smart toys and entertainment devices for kids have a lot of things in
them that can collect sensitive data. And as more and more of a kid's
nursery fills up with gadgets that connect to Bluetooth, the web, or parent
apps, the feds are advising parents to be wary.

The FBI's public service announcement doesn't outright say not to buy
connected toys, but it does say that parents and caretakers need to be aware
of the vulnerabilities smart toys present.

https://consumerist.com/2017/07/19/fbi-to-parents-watch-out-for-kids-privacy-with-internet-connected-toys/


Wifi Webcam TENVIS sends all it knows to dvripc.cn

turgut kalfaglu <turgut@kalfaoglu.com>
Tue, 18 Jul 2017 07:47:32 +0300
I have purchased several wifi webcams, but the TENVIS webcam is unique;
every few minutes, I see a GET request going out from my LAN, to China.

Here is its log from squid cache - using which I blocked the webcam's
outbound requests:

1497330724.676    278 192.168.1.99 TCP_DENIED/403 5976 GET
http://post.dvripc.cn/post/post.aspx?xmldata=%3c%3fxml+version%3d%221.0%22+encoding%3d%22gb2312%22%3f%3e%0d%0a+%3cdvs+dvsid%3d%220018A977AF83%22+domainname%3d%2277AF83%22+corpid%3d%22%22++dvsname%3d%22IPCAM%22+dvsip%3d%22192.168.1.99%22+webport%3d%2280%22+ctrlport%3d%228200%22+protocol%3d%22tcp%22++userid%3d%22root%22+password%3d%22mypassword%22+model%3d%22C006-A1080003%22+postfrequency%3d%2260%22+version%3d%22H150602%22+status%3d%220%22+serverip%3d%220.0.0.0%22+serverport%3d%2280%22+transfer%3d%222%22+mobileport%3d%2215961%22+channelcount%3d%221%22%3e%0d%0a%3cdv+channel%3d%220%22+dvname%3d%22Channel01%22+status%3d%221%22+%2f%3e%0d%0a%3c%2fdvs%3e%0d%0a
- HIER_NONE/- text/html

(Modified IP addresses and password)

Risks are obvious: Trust a webcam to keep you private, but it sends
everything to "post.dvripc.cn" instead.  Nowhere in the configuration does
it mention that it sends information to some "cloud".
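The percent-encoded xmldata in that squid entry carries more than a heartbeat. As an added illustration (not part of the original post), the Python below decodes the very log line quoted above, parses the XML the camera posts, and reports which fields leave the LAN in cleartext; the SENSITIVE_ATTRS list and the function names are my own assumptions, and the IP and password are the already-altered values from the post.

```python
"""Decode an IoT camera's outbound beacon from a squid access.log line and
flag what it leaks.  The log line is the one quoted in the RISKS post (the
poster had already replaced the real IP address and password)."""
import re
import urllib.parse
import xml.etree.ElementTree as ET

# The squid native-format entry from the post, joined back onto one line.
SQUID_LOG_LINE = (
    "1497330724.676    278 192.168.1.99 TCP_DENIED/403 5976 GET "
    "http://post.dvripc.cn/post/post.aspx?xmldata="
    "%3c%3fxml+version%3d%221.0%22+encoding%3d%22gb2312%22%3f%3e%0d%0a"
    "+%3cdvs+dvsid%3d%220018A977AF83%22+domainname%3d%2277AF83%22+corpid%3d%22%22"
    "++dvsname%3d%22IPCAM%22+dvsip%3d%22192.168.1.99%22+webport%3d%2280%22"
    "+ctrlport%3d%228200%22+protocol%3d%22tcp%22++userid%3d%22root%22"
    "+password%3d%22mypassword%22+model%3d%22C006-A1080003%22"
    "+postfrequency%3d%2260%22+version%3d%22H150602%22+status%3d%220%22"
    "+serverip%3d%220.0.0.0%22+serverport%3d%2280%22+transfer%3d%222%22"
    "+mobileport%3d%2215961%22+channelcount%3d%221%22%3e%0d%0a"
    "%3cdv+channel%3d%220%22+dvname%3d%22Channel01%22+status%3d%221%22+%2f%3e%0d%0a"
    "%3c%2fdvs%3e%0d%0a"
    " - HIER_NONE/- text/html"
)

# Beacon attributes that should never leave the LAN, least of all in cleartext.
# (Assumed list for this illustration; tune it for the devices you actually run.)
SENSITIVE_ATTRS = {"userid", "password", "dvsid", "dvsip", "ctrlport", "mobileport"}


def parse_squid_line(line):
    """Split a squid native access.log line into the fields we need.

    Native format: time elapsed client code/status bytes method URL
                   rfc931 peerstatus/peerhost type
    """
    fields = line.split()
    if len(fields) < 10:
        raise ValueError("not a squid native-format access.log line")
    return {
        "timestamp": float(fields[0]),
        "client": fields[2],
        "result": fields[3],
        "method": fields[5],
        "url": fields[6],
    }


def decode_beacon(url):
    """Return the attributes of the <dvs> element carried in the xmldata parameter."""
    query = urllib.parse.urlparse(url).query
    params = urllib.parse.parse_qs(query)  # percent-decodes and turns '+' into ' '
    xml_text = params["xmldata"][0]
    # Drop the <?xml ... encoding="gb2312"?> declaration: the payload is already a
    # decoded str, and the declared charset would only confuse the parser.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    if root.tag != "dvs":
        raise ValueError(f"unexpected root element <{root.tag}>")
    return dict(root.attrib)


def assess(line):
    """Summarise one beacon: where it goes, how often, and which secrets it carries."""
    entry = parse_squid_line(line)
    parsed = urllib.parse.urlparse(entry["url"])
    attrs = decode_beacon(entry["url"])
    return {
        "device": entry["client"],
        "destination": parsed.hostname,
        "cleartext": parsed.scheme == "http",
        "blocked_by_proxy": entry["result"].startswith("TCP_DENIED"),
        "interval_seconds": int(attrs.get("postfrequency", "0")),
        "leaked_fields": sorted(k for k in SENSITIVE_ATTRS if attrs.get(k)),
    }


if __name__ == "__main__":
    report = assess(SQUID_LOG_LINE)
    for key, value in report.items():
        print(f"{key:>18}: {value}")
```

Run against a real access.log, a non-empty leaked_fields for any destination outside your own networks is the signal worth alerting on, whether or not the proxy already denied the request.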


PSA: Update iPhones/iPads to iOS 10.3.3 now to fix serious wifi vulnerability allowing attacker complete control

geoff goodfellow <geoff@iconia.com>
Thu, 20 Jul 2017 18:41:49 -1000
It's always a good idea to accept iOS dot updates as soon as they are
available as they generally have significant security fixes. But iOS 10.3.3
<https://9to5mac.com/2017/07/19/ios-10-3-3/>, released yesterday, fixes one
particularly nasty vulnerability, making a swift update a particularly good
idea.

Apple's security document <https://support.apple.com/en-us/HT207923>
describes it in rather mundane-sounding terms.

Impact: An attacker within range may be able to execute arbitrary code on
the Wi-Fi chip

Description: A memory corruption issue was addressed with improved memory
handling.

*But what Nitay Artenstein of Exodus Intelligence discovered—and reported
to Apple—was that it was able to exploit the issue to run code in the
main application processor.  In other words, gain complete control of your
device.*

*The underlying issue is a weakness in the Broadcom BCM43xx family of wifi
chips. These are used in every iPhone from the iPhone 5 to iPhone 7, as well
as 4th-gen iPad and later, and iPod Touch 6th gen. But Artenstein found a
way to leverage control of the wifi chip to then take control of the main
processor.*

Now that the vulnerability is fixed, Artenstein will be sharing full
details at the Black Hat conference
<https://www.blackhat.com/us-17/briefings/schedule/#broadpwn-remotely-compromising-android-and-ios-via-a-bug-in-broadcoms-wi-fi-chipsets-7603>
next week.

It's not the first time that a bug has allowed an attacker to take control
of an iPhone via wifi. Back in 2015, attackers were able to completely
disable <https://9to5mac.com/2015/04/22/security-flaw-ios-carriers/> any
device running iOS 8 within range of a given wifi network.

https://9to5mac.com/2017/07/20/broadpwn-wifi-vulnerability-iphone-ipad/

  N.B. in the article's comments: "most Android users won't get this
  fix at all," vis-a-vis "... fix serious wifi vulnerability allowing
  attacker complete control"


Watch a Homemade Robot Crack a Safe in Just 15 Minutes

Gabe Goldberg <gabe@gabegold.com>
Fri, 21 Jul 2017 18:12:36 -0400
Last Christmas, Nathan Seidle's wife gave him a second-hand safe she'd found
on Craigslist. It was, at first glance, a strange gift. The couple already
owned the same model, a $120 SentrySafe combination fire safe they'd bought
from Home Depot. But this one, his wife explained, had a particular feature:
The original owner had locked it and forgotten the combination. Her
challenge to Seidle: Open it.

Seidle isn't much of a safecracker. But as the founder of the Niwot,
Colorado-based company SparkFun, a DIY and open-source hardware supplier,
he's a pretty experienced builder of homemade gadgets, tools, and robots. So
over the next four months, he and his SparkFun colleagues set about building
a bot that could crack the safe for them. The result: A fully automated
device, built from off-the-shelf and 3-D printed components, that can open
his model of SentrySafe in a maximum of 73 minutes, or half that time on
average, with no human interaction. In fact, in the demonstration Seidle
gave WIRED in the video above, the process took just 15 minutes.

https://www.wired.com/story/watch-robot-crack-safe/


TV computer weather animation proves global warming

Gabe Goldberg <gabe@gabegold.com>
Fri, 21 Jul 2017 13:15:18 -0400
https://www.youtube.com/watch?v=iXuc7SAyk2s


Risks of hoarding vulnerabilities

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 21 Jul 2017 8:23:41 PDT
http://www.belfercenter.org/sites/default/files/files/publication/Vulnerability%20Rediscovery.pdf

https://jia.sipa.columbia.edu/sites/default/files/attachments/Healey%20VEP.pdf

https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf


9-year standoff between Ireland's DP Commissioner & Statistics Office

Bernard Lyons <bernard.lyons@mac.com>
Thu, 20 Jul 2017 21:11:41 +0100
A project by [Ireland's] Central Statistics Office proposing to track
tourists and Irish residents traveling abroad using mobile phone roaming
data has been described as *surveillance at its worst* by a world-renowned
privacy expert.

The statistics office wants to compel mobile operators to transfer to it
monthly the details of phones or users roaming on the networks, as well as
the dates and times of their calls.

It has been in a stand-off with the Data Protection Commissioner for almost
nine years on the legality of the proposal, but said last week it had found
an *innovative technical solution* to anonymise the phone records.

The commissioner's office has described the project as *disproportionate*
and *extraordinary*.

Dr Ann Cavoukian, executive director of the Privacy and Big Data Institute
at Ryerson University in Toronto, and former information and privacy
commissioner for Ontario, said she was *appalled* by the proposal,
particularly given the *negative messaging* from the commissioner.  [...]

Full article
<https://www.irishtimes.com/business/technology/cso-mobile-phone-plan-surveillance-at-its-worst-privacy-expert-1.3159979>


Mixed standard output and error streams

Diomidis Spinellis <dds@aueb.gr>
Tue, 18 Jul 2017 12:22:54 +0300
A student sent me a shell script attached in an email.  My mail program
wouldn't display it, so I tried to view it through the email's source code.
This also didn't work, because the script was base64-encoded.  Rather than
saving the attachment and opening it with an editor, I lazily copied the
text into the clipboard and ran "base64 -d /dev/clipboard".  This is what I
got.

#!/bin/bash

input_file=$1
echo "Input file:" $input_filebase64: invalid input

I first thought that the student had sent me a wrong, incomplete script.  I
then realized that the actual output, intermixed with the base64 error
message, was a plausible shell script.  The risks are obvious; here is a
possible solution.

Now that we all have color screens and work with smart terminal emulators,
it would make sense for terminal emulators to subtly color a program's
standard error stream, so as to make it distinguishable from its standard
output.  This would also educate novice users on the difference between the
two types of outputs, and encourage tool authors to properly use the two
types of streams.  While at it, coloring folded lines would also help us
read streams with long lines (e.g. log files) and, again, educate novice
users on the folly of writing such text.

Diomidis Spinellis - https://www.spinellis.gr


Connected cars—where to attack first?

Gabe Goldberg <gabe@gabegold.com>
Tue, 18 Jul 2017 17:21:02 -0400
https://fpf.org/2017/06/29/infographic-data-connected-car-version-1-0/

https://www.ftc.gov/news-events/events-calendar/2017/06/connected-cars-privacy-security-issues-related-connected

Videos:
https://www.ftc.gov/news-events/audio-video/video/connected-cars-privacy-security-issues-related-connected-automated-0


Ransomware attack puts KQED in low-tech mode

Gabe Goldberg <gabe@gabegold.com>
Wed, 19 Jul 2017 10:47:28 -0400
The journalists at San Francisco's public TV and radio station, KQED, have
been stuck in a time warp.  All Internet-connected devices, tools and
machinery have been cut off in an attempt to isolate and contain a
ransomware attack that infected the station's computers on 15 Jun.  More
than a month later, many remain offline.

Though the stations' broadcasts have been largely uninterrupted—minus a
half-day loss of the online stream on the first day of the attack—KQED
journalists said every day has brought new challenges and revealed the
immeasurable ways the station, like many businesses today, has become
dependent on Internet-connected devices.

"It's like we've been bombed back to 20 years ago, technology-wise," said
Queena Kim, a senior editor at KQED.  "You rely on technology for so many
things, so when it doesn't work, everything takes three to five times longer
just to do the same job."

http://www.sfchronicle.com/business/article/Ransomware-attack-puts-KQED-in-low-tech-mode-11295175.php


Facebook fights fake news spread via modified link previews (TechCrunch)

Lauren Weinstein <lauren@vortex.com>
Tue, 18 Jul 2017 15:33:14 -0700
via NNSquad
https://techcrunch.com/2017/07/18/facebook-link-preview-modification/?ncid=rss

  Until now, any Facebook Page that posted a link could change the headline,
  body text and image that appeared in the News Feed preview.  That allowed
  fake news distributors to bait-and-switch readers into visiting articles
  they didn't expect, or make it look like legitimate news publishers were
  posting inflammatory or false headlines. But it also let real news outlets
  A/B test link previews, tailor content to different audiences and update
  previews as news stories evolved.  To combat false news without stifling
  responsible publications, Facebook is now starting to disable the ability
  of all Pages to edit the previews of the links they post in the Page
  composer or API, with an exemption for some original publishers.


Re: Charging Phone Kills 14-Year-Old Girl in Bathtub (Harriet Sinclair re: RISKS-30.38)

Paul Fenimore <fenimore@swcp.com>
Wed, 19 Jul 2017 03:27:32 -0600
I claim the biggest risk here is not principally poor user education --
which has been on-going for a century or more. Instead, regardless of the
particulars in this case (the essential technical detail about the presence
or absence of ground-fault protection is missing from the news articles), the
fundamental risk is the one associated with allowing grandfathered electrical
circuits to continue operating without a clear sunset provision for older,
unsafe circuits. I am not claiming this fundamental problem is easy to solve.
I am claiming the problem of old installations is the real problem.

The persistent risk of shock in wet *and damp* environments observed
over the decades has not been radically reduced by the population
becoming more familiar with electricity and widgets. Education cannot
and will not solve this problem because 120V 15A 60Hz electrical power
in wet *and damp* environments is fundamentally unsafe without
engineering controls. The technical basis for the risk is a ground-fault
current, and addressing that risk *as an engineering challenge* is the
only effective means of mitigating a fundamental risk associated with
wet environments. The National Electric Code (US) specifies that
electric power sockets in these *high risk* areas be "protected" by a
ground-fault interrupter. There are also special rules for the presence
of power cabling in wet and damp environments even without a socket.

There is an analogy of old power circuit designs to old software that is
not maintained but continues to operate in the high-risk environments
found on networks.

[There is something to be said for understanding the basics of
technology. GW]

Harriet Sinclair, *Newsweek*, 11 Jul 2017
http://www.newsweek.com/teenager-madison-coe-killed-after-using-cell-phone-bath-635208

opening text:

A teenager has been killed after using her cell phone in the bath and
suffering an electric shock.


Re: Your pacemaker is spying on you (Thorson, RISKS-30.38)

Rich Wales <richw@richw.org>
Wed, 19 Jul 2017 22:28:02 -0700
Any discussion of the forensic value of pacemaker data should certainly
mention the 2000 death of David Crawford in Australia, whose time of death
was precisely established through analysis of his pacemaker—thus
disproving the alibi offered by his killer.  There is, to be sure, a
difference between the (presumably) steadily beating heart of an accused
arsonist on the one hand, and the non-beating heart of a murder victim on
the other.


Re: Western tech firms bow to Russian demands to share cybersecrets (Thomas, RISKS-30.38)

Wols Lists <antlists@youngman.org.uk>
Tue, 18 Jul 2017 11:19:27 +0100
There were two points. First, reasoning is HARD. It takes time, and
(like cryptography) many problems have no solution that can be computed
in the time we have available.

> All reasoning depends on axioms. Does Youngman eschew reasoning?

And second, that reason is itself unreasonable ... ?

The thing with axioms is they have this sneaky little habit of turning out
to be unreliable—we get them wrong, we pick the wrong ones, etc.  And
Gödel proved that this is not our fault, this is actually the fundamental
nature of an axiom.

So no, I'm actually all in favour of reasoning, and logical thought.  What I
am against is glib calls for it treating it as if it is a "magic bullet",
with no regard to its failings.

I'm a scientist. I've seen too many examples of "the wrong maths in the
wrong place", leading to mathematically perfect but practically erroneous
results. (My favourite example: Euclid's "parallel lines never meet" leads
to Newton's laws of motion, which are mathematically perfect but clearly
erroneous.) Formal mathematical proofs are only as good as the assumptions,
or axioms, on which they are based. And both experience and formal
mathematical proofs—Gödel's theorem—lead me to the inevitable
conclusion that these axioms will have holes in them.


Re: Western tech firms bow to Russian demands to share cybersecrets (Youngman, RISKS-30.38)

Martin Ward <martin@gkc.org.uk>
Thu, 20 Jul 2017 14:41:00 +0100
The last occasion when a flaw was discovered in the axioms used to prove the
correctness of programs (logic and basic set theory) was Russell's Paradox:
discovered in 1901, partially fixed by Russell's theory of types in 1903,
and resolved in 1908.  Putting to one side questions concerning the Axiom of
Choice and various large cardinal axioms (which are not relevant to proofs
in computer science), there have been no subsequent flaws uncovered in the
axioms in over a century.  We cannot prove that the axioms are consistent
(cf. Gödel), but the axioms have survived the entire history of electronic
computing so far and so can probably be relied on in the future!

As Martyn Thomas points out, *all* engineering depends on mathematics.
Engineering also depends on the "laws" of physics: which have been revised
several times over the last century.  But engineers use physics and
mathematics extensively because they know that these methods are far more
likely to lead to dependable systems.

> Then of course, there is the little problem that any program of any size
> will likely exhibit knapsack complexity, i.e., an automated proof would
> take longer than the universe has existed.

Most formal-methods researchers do not advocate writing a program in an
informal way, and then attempting to prove it correct.  Instead, we develop
methods for deriving code from specifications such that the code is
guaranteed to be correct by construction.  For example, in my paper "Provably
Correct Derivation of Algorithms Using FermaT" (Formal Aspects of Computing,
Volume 26, Issue 5, pp 993--1031, 2013) I derived a program for polynomial
addition using Knuth's four-way linked list data structure.  The first time I
ran the program it crashed :-( But I soon noticed a typo: I had mistyped a
variable name when typing up the code from my written notes.  After fixing
this typo the program ran correctly, and was tested by running it
continuously for several days.  The derived algorithm also turned out to be
over twice as fast as Knuth's algorithm in "Fundamental Algorithms" Vol 1.  I
then derived a program to solve the more complex problem of polynomial
multiplication. This time I took more care with my typing, and the program
ran correctly first time.

Martyn Thomas <martyn@thomas-associates.co.uk> writes:
> All reasoning depends on axioms. Does Youngman eschew reasoning?

There is (alas) a new and growing area of research under the heading
"empirical software engineering" which does appear to eschew reasoning.  A
program is deemed "correct" if and only if it passes its test suite.
Various automated and semi-automated ways of modifying the program are being
investigated: any modification which passes the test suite is deemed to be
"correct". For example, "empirical slicing" may be defined as "delete random
sections of code and call the result a valid slice if it passes the
regression test". Program semantics and program analysis are considered to
be "too difficult" by these researchers, and therefore are not attempted.

Regular RISKS readers will no doubt already be wondering how such methods
avoid introducing security holes: given that a security hole will not
necessarily prevent the program from passing its test suite (unless the
tests happen to include the carefully crafted data which triggers the
security hole!) As far as I can tell, the answer is: they don't!

Dr Martin Ward | Email: martin@gkc.org.uk | http://www.gkc.org.uk


Re: Western tech firms bow to Russian demands to share cybersecrets (Thomas, RISKS-30.39)

Wols Lists <antlists@youngman.org.uk>
Thu, 20 Jul 2017 18:24:45 +0100
> The last occasion when a flaw was discovered in the axioms used
> to prove the correctness of programs (logic and basic set theory)
> was Russell's Paradox:

And? The maths was flawed, it was incorrect.

My problem is people using the wrong maths—it's correct but
inappropriate.  Like I said, Newton's laws of motion are mathematically
correct, but useless for calculating the path of a spacecraft ...

> But engineers use physics and mathematics extensively because they know
> that these methods are far more likely to lead to dependable systems.

And as I learnt on Groklaw, philosophers seem to divide into two camps.  The
majority view appears to be that Mathematics tells the Universe what to do.
I seem to be in the minority believing that Mathematics describes what the
Universe does.

That doesn't mean that mathematics is any less important to those of us in
the second camp. It just makes us rather more skeptical about the assumption
that a proof means the program will run correctly.  (Regardless of that, my
personal attitude is that the time spent doing it formally is time very well
spent.)

> ...

I got my first programming job based on top 'A'-level grades so have no
formal computer qualifications. That said, it always seems to have been me
pushing for formal methods, good programming practice, etc etc. I tend to
program top down by defining the problem and refining it into a program -
quite like the mechanism you describe :-) (And I've seen what happens when
such a program is "improved" by someone ignoring the proof logic :-)

My position is quite simple - formal methods and proofs are time well
spent, but given that the foundations of mathematics are themselves
provably unprovable, a complete formal proof is impossible. That's not
saying they're not worth having.


Re: Press kits or other publications on thumb drives? (Manning, RISKS-30.38)

Geoffrey Keating <geoffk@geoffk.org>
17 Jul 2017 23:28:03 -0700
High-value targets probably shouldn't rely on that.  A random object
inserted into a USB port might not actually be a thumb drive; it might be a
chip that impersonates a keyboard and/or mouse and takes over your system.
Or it might be a perfectly functional blank thumb drive that's been
additionally programmed to impersonate a keyboard at some time in the
future.


Re: Press kits or other publications on thumb drives? (Manning, RISKS-30.38)

Ivan Jager <aij+@mrph.org>
Tue, 18 Jul 2017 17:21:08 +0000
I believe the RISK being referred to is that of assuming that an untrusted
USB gadget will present itself as a mass storage device when you plug it
into a *general-purpose* bus on your computer. (As opposed to a keyboard,
mouse, network adapter, USB hub, etc.)

Most computers these days will accept input from a new USB keyboard without
requiring any configuration.

Your antivirus may be able to scan media for known malicious content, but it
cannot scan circuits.


Re: Press kits or other publications on thumb drives? (Jager, RISKS-30.39)

Kelly Bert Manning <Kelly.Manning@ncf.ca>
Tue, 18 Jul 2017 14:36:20 -0400 (EDT)
For me this risk comes up most often when I get Conference Proceedings on a
USB drive, rather than downloading individual presentations one by one from
a web server.

At the annual local Privacy and Security conference someone always does a
demo of a WiFi Pineapple type interception of wireless traffic, so I started
doing an optical disk boot of Tails OS at conferences, and mentioned that to
the session presenter last time it happened. Those events might be places
where folks with the skills might see a challenge or an opportunity.

I check that the mass storage device scan is starting. Windows 8 seems to
prompt me that a new USB device has been installed if it detects a new USB
device that is not a mass storage drive.

The risk of malware in circuitry is a good point. Weren't news organisations
that had received copies of documents from the Snowden Document Dump ordered
to turn chips from devices and peripherals such as keyboards over to
NSA/GCHQ, not just hard drives and removable storage media?

The implication is that long-term data recording may involve writable chip
memory within workstations and peripheral devices. A USB connected "device"
could be in that category.


Re: Leaping Kangaroos (Thorn, RISKS-30.38)

Dave Horsfall <dave@horsfall.org>
Thu, 20 Jul 2017 11:00:02 +1000 (EST)
In RISKS-30.38, Anthony Thorn wrote:

> I am reluctant to question an Australian's statement about kangaroos,
> but surely a taller object would appear to be nearer than it really is?

Although Australian (well, British/Australian, to be precise), I don't claim
to be an expert on our hopping fauna, but I believe the system measures from
the bottom of the object to the perceived road surface, thus a mid-air
marsupial appears to be further away than it really is.  How it handles kids
on pogo-sticks is anyone's guess...  Does anyone know for sure how it works?

Dave Horsfall, North Gosford, NSW, Australia


Re: Leaping Kangaroos (Thorn, RISKS-30.38)

Amos Shapir <amos083@gmail.com>
Thu, 20 Jul 2017 18:52:19 +0300
For the same reason the leaping man in this photograph
<http://www.trendingly.com/weird-perspectives/3>  seems to be farther away
-- a near object above ground and a far object on the ground occupy the
same place on the 2D plane of the camera.


Power outages caused by squirrels vs. kangaroos to date

"Peter G. Neumann" <neumann@csl.sri.com>
Tue, 18 Jul 2017 11:48:15 PDT
  [From CyberSquirrel1 data as of 18 Jul 2017; cumulative?]

Squirrel      1018
Bird           528
Unknown        130
Snake           95
Raccoon         85
Rat             45
Marten          23
Cat             22
Beaver          16
Jellyfish       13
Monkey          11
Possum          11
Eagle            8
Bat              7
Rodent           5
Gopher           4
Elephant         3
Mouse            3
Deer             2
Fox              2
Lizard           2
Bear             2
Marmot           2
Frog             2
Slug             1
Shark            1
Duck             1
Chicken          1
Caterpillar      1
Mongoose         1
Leopard          1
Bobcat           1
Baboon           1
Kangaroo         1  <=====!

  [Incidentally, SRI recently had what I think was our eighth total outage
  in Menlo Park (although our co-generation plant continued to function this
  time).  However, that is irrelevant when applied to self-driving cars in
  Australia.  A few years from now, the kangaroos on Australian roadways may
  seriously outrank the squirrels in causing highway accidents, whereas the
  squirrels are very unlikely to have any significant impact {!!!} on the
  vehicles or on passengers.  PGN]
