Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Science section of 2018 National Climate Assessment leaked to The NYTimes https://www.nytimes.com/2017/08/07/climate/climate-change-drastic-warming-trump.html Excerpt: The report concludes that even if humans immediately stopped emitting greenhouse gases into the atmosphere, the world would still feel at least an additional 0.50 degrees Fahrenheit (0.30 degrees Celsius) of warming over this century compared with today. The projected actual rise, scientists say, will be as much as 2 degrees Celsius. A small difference in global temperatures can make a big difference in the climate: The difference between a rise in global temperatures of 1.5 degrees Celsius and one of 2 degrees Celsius, for example, could mean longer heat waves, more intense rainstorms and the faster disintegration of coral reefs. Among the more significant of the study's findings is that it is possible to attribute some extreme weather to climate change. The field known as "attribution science" has advanced rapidly in response to increasing risks from climate change. The report: https://www.nytimes.com/interactive/2017/08/07/climate/document-Draft-of-the-Climate-Science-Special-Report.html http://www.nytimes.com/packages/pdf/climate/2017/climate-report-final-draft-clean.pdf It's 673 pages. The executive summary is readable by a general audience, but some science background would be helpful for some of the chapters.
Ed Kilgore, NYMag, 10 Aug 2017 http://nymag.com/daily/intelligencer/2017/08/how-the-indiana-gop-skewed-early-voting-opportunities.html Sometimes, disputes over voting rights are hard to sort out, since they are often loaded with legalese and hinge on obscure election procedures. But an investigative report by the Indianapolis Star lays out a pretty open-and-shut case of voter suppression by the Indiana GOP: State and local Republicans have expanded early voting in GOP-dominated areas and restricted it in Democratic areas, an IndyStar investigation has found, prompting a significant change in Central Indiana voting patterns. That made voting more convenient in GOP areas for people with transportation issues or busy schedules. And the results were immediate. How much more convenient, you may ask? A lot: Hamilton County saw a 63 percent increase in absentee voting from 2008 to 2016, while Marion County saw a 26 percent decline. Absentee ballots are used at early voting stations. Voter registration during this period was up in both counties. There's not much mystery about why the trends and the decisions that drove them started happening after the 2008 elections: That's when Indiana went Democratic in a presidential election for the first time since 1964, and only the second time since World War II. Marion County (Indianapolis) had three early voting sites in 2008. Republicans changed that immediately. State law requires a unanimous vote from county election boards to create more than one early voting site. The Democrats on the boards in both urban Marion and suburban Hamilton Counties voted for more sites. The Republicans in Hamilton did, too—but not the sole Republican in Marion. [F]our attempts to expand early voting in Marion County have been approved by Democrats, but blocked by the county's lone GOP representative on the elections board. In May, Common Cause Indiana and the NAACP's Indianapolis chapter filed a lawsuit against the Marion County Election Board, Lawson and individual members of the Marion County Election Board, along with Marion County Clerk Myla Eldridge over the lack of early voting locations in the County.
When people in several North Carolina precincts showed up to vote last November, weird things started to happen with the electronic systems used to check them in. "Voters were going in and being told that they had already voted—and they hadn't," recalls Allison Riggs, an attorney with the Southern Coalition for Social Justice. The electronic systems—known as poll books—also indicated that some voters had to show identification, even though they did not. Investigators later discovered the company that provided those poll books had been the target of a Russian cyberattack. http://www.npr.org/2017/08/10/542634370/russian-cyberattack-targeted-elections-vendor-tied-to-voting-day-disruptions But wait: There is no evidence the two incidents are linked, but the episode has revealed serious gaps in U.S. efforts to secure elections. Nine months later, officials are still trying to sort out the details. [...] The county conducted its own investigation in November and determined that VR Systems' software had not failed. Some poll books had not been updated with the latest software, so they were displaying outdated voter information. "The conclusion was that it was administrative errors that caused the issues on Election Day," says Bowens. The risk? Premature conclusion jumping and misleading headlines.
https://www.theguardian.com/technology/2017/aug/11/ex-mi5-chief-warns-against-crackdown-encrypted-messaging-apps
via NNSquad https://www.bleepingcomputer.com/news/government/uk-law-proposal-to-criminalize-re-identification-of-anonymized-user-data/ While Olejnik applauds the UK's efforts to expand user data privacy protections, he warns that the UK may be treading dangerous ground. "There are several issues with [the] banning of re-identification," he says. "First, it won't work. Second, it will decrease security and privacy." The biggest problem in Olejnik's eyes is that there's is no effective way to enforce it in practice. Second, it stifles security and privacy research who often re-identify anonymized data in their day-to-day work.
NNSquad https://www.bleepingcomputer.com/news/technology/vpn-provider-accused-of-sharing-customer-traffic-with-online-advertisers/ On Monday, the Center for Democracy & Technology (CDT)—a US-based privacy group—has filed a complaint with the US Federal Trade Commission (FTC) accusing one of today's largest VPN providers of deceptive trade practices. In a 14-page complaint, the CDT accuses AnchorFree—the company behind the Hotspot Shield VPN—of breaking promises it made to its users by sharing their private web traffic with online advertisers for the purpose of improving the ads shown to its users.
Medianama via NNSquad https://www.medianama.com/2017/08/223-india-blocks-access-internet-archive-wayback-machine/
<https://www.reddit.com/r/apple/comments/6qa287/apple_removes_vpn_apps_from_the_app_store_in_china/> <https://9to5mac.com/2017/07/29/apple-removes-vpn-apps-from-app-store-in-china-to-comply-with-local-laws/> Apple has come under considerable criticism following its decision to agree to a Chinese government request to remove VPN apps from its local App Store. Virtual private networks allow people in China to access sites blocked by the government, and to ensure that authorities cannot track the sites they visit. App-tracking site ASO100.com says that the company has so far removed more than 400 VPN apps. But while Apple is trying to maintain good relationships with China by complying with such requests, analysts and tech commentators believe that its troubles with the country have just started. https://9to5mac.com/2017/08/09/apple-china-vpn-censorship/
Catalin Cimpanu, BleepingComputer, 12 Aug 2017
https://www.bleepingcomputer.com/news/hardware/botched-firmware-update-bricks-hundreds-of-smart-door-locks/
On Tuesday, August 8, smart locks manufacturer LockState botched an
over-the-air firmware update for its WiFi enabled smart locks, causing the
devices to lose connectivity to the vendor's servers and the ability to
open doors for its users.
Only one LockState product was affected, which is the LockState RemoteLock
6i (also known as 6000i).
The device costs $469 and is sold mainly to Airbnb hosts via an official
partnership LockState has signed with the company. Hosts use the smart
locks to configure custom access codes for each Airbnb renter without
needing to give out a physical key to each one.
[Also noted by Jeremy Epstein, who added this riskful thought:
I'm not sure whether it's a research problem, or just the need for
solid engineering, but someone needs to figure out how to make IoT
devices that can be securely updated over a period of decades. This
is a problem that's going to recur endlessly.
PGN-ed very slightly]
Driven by man disguised as a car seat. Some kind of study by the Virginia Tech Transportation Institute. http://www.nbcwashington.com/news/local/Driver-Dressed-Like-a-Seat-Spotted-Inside-Driverless-Van-439041863.html What is the Risk? Is it a study to see if people freak out at the sight of a "driverless" van?
"Let's have something embedded in our eyes or attached to the nerves that go from our eyes to our brains that will overlay data there," says Facemire, adding that could be 10 or more years out. https://insights.hpe.com/articles/say-goodbye-to-your-keyboard-1708.html
Matt Taibbi, Rolling Stone, 11 Aug 2017 While nuke kooks rage, British regulators reveal rip in financial space-time continuum and $350 trillion headache <https://www.rollingstone.com/politics/news/taibbi-is-libor-crucial-financial-benchmark-a-lie-w497305> It was easy to miss, with the impending end of civilization burning up the headlines, but a beyond-belief financial story recently crept into public view. A Bloomberg headline on the story was a notable achievement in the history of understatement. It read: LIBOR'S UNCERTAIN FUTURE TRIGGERS $350 TRILLION SUCCESSION HEADACHE The casual news reader will see the term "LIBOR" and assume this is just a postgame wrapup to the LIBOR scandal of a few years back, in which may of the world's biggest banks were caught manipulating interest rates. It isn't. *This is a new story, featuring twin bombshells from a leading British regulator*—one about our past, the other our future. To wit: "Going back twenty years or more, the framework for hundreds of trillions of dollars worth of financial transactions has been fictional. We are zooming toward a legal and economic clusterf*ck of galactic proportions" —the "uncertain future" Bloomberg humorously referenced. LIBOR stands for the London Interbank Offered Rate. It measures the rate at which banks lend to each other. If you have any kind of consumer loan, it's a fair bet that it's based on LIBOR. A 2009 study by the Cleveland Fed found that 60 percent of all mortgages in the U.S. were based on LIBOR. Buried somewhere in your home, you probably have a piece of paper that outlines the terms of your credit card, student loan, or auto loan, and if you peek in the fine print, you have a good chance of seeing that the rate you pay every month is based on LIBOR. Years ago, we found out that the world's biggest banks were manipulating LIBOR. That sucked. Now, the news is worse: LIBOR is made up. Actually it's worse even than that. LIBOR is probably both manipulated and made up. The basis for a substantial portion of the world's borrowing is a bent fairy tale. The admission comes by way of Andrew Bailey, head of Britain's Financial Conduct Authority. He said recently (emphasis mine): "The absence of active underlying markets raises a serious question about the sustainability of the LIBOR benchmarks. If an active market does not exist, how can even the best run benchmark measure it?" As a few Wall Street analysts have quietly noted in the weeks since those comments, an "absence of underlying markets" is a fancy way of saying that LIBOR has not been based on real trading activity, which is a fancy way of saying that LIBOR is bullshit. LIBOR is generally understood as a measure of market confidence. If LIBOR rates are high, it means bankers are nervous about the future and charging a lot to lend. If rates are low, worries are fewer and borrowing is cheaper. It therefore makes sense in theory to use LIBOR as a benchmark for borrowing rates on car loans or mortgages or even credit cards. But that's only true if LIBOR is actually measuring something. Here's how it's supposed to work. Every morning at 11 a.m. London time, twenty of the world's biggest banks tell a committee in London how much they estimate they'd have to pay to borrow cash unsecured from other banks. The committee takes all 20 submissions, throws out the highest and lowest four numbers, and then averages out the remaining 12 to create LIBOR rates. Theoretically, a fine system. Measuring how scared banks are to lend to each other should be a good way to gauge market stability. Except for one thing: banks haven't been lending to each other for decades. Up through the Eighties and early Nineties, as global banks grew bigger and had greater demand for dollars, trading between banks was heavy. That robust interbank lending market was why LIBOR became such a popular benchmark in the first place. [...]
Devin Coldewey, TechCrunch, 10 Aug 2017 <https://techcrunch.com/2017/08/09/malicious-code-written-into-dna-infects-the-computer-that-reads-it/> In a mind-boggling world first, a team of biologists and security researchers have successfully infected a computer with a malicious program coded into a strand of DNA. It sounds like science fiction, but I assure you it's quite real—although you probably don't have to worry about this particular threat vector any time soon. That said, the possibilities suggested by this project are equally fascinating and terrifying to contemplate. The multidisciplinary team at the University of Washington isn't out to make outlandish headlines, although it's certainly done that. They were concerned that the security infrastructure around DNA transcription and analysis was inadequate, having found elementary vulnerabilities in open-source software used in labs around the world. Given the nature of the data usually being handled, this could be a serious problem going forward. Sure, they could demonstrate the weakness of the systems with the usual malware and remote access tools. That's how any competent attacker would come at such a system. But the discriminating security professional prefers to stay ahead of the game. “One of the big things we try to do in the computer security community is to avoid a situation where we say, ...adversaries are here and knocking on our door and we're not prepared,'' said professor Tadayoshi Kohno, who has a history of pursuing unusual attack vectors for embedded and niche electronics like pacemakers. “As these molecular and electronic worlds get closer together, there are potential interactions that we haven't really had to contemplate before.'' added Luis Ceze, one co-author of the study. Accordingly, they made the leap plenty of sci-fi writers have made in the past, and that we are currently exploring via tools like CRISPR: DNA is basically life's file system. The analysis programs are reading a DNA strand's bases (cytosine, thymine etc, the A, T, G, and C we all know) and turning them into binary data. Suppose those nucleotides were encoding binary data in the first place? After all, it's been done before—right down the hall. Here comes the mad science: [...]
http://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987 The man in question is Bill Burr, a former manager at the National Institute of Standards and Technology (NIST). In 2003, Burr drafted an eight-page guide on how to create secure passwords creatively called the "NIST Special Publication 800-63. Appendix A." This became the document that would go on to more or less dictate password requirements on everything from email accounts to login pages to your online banking portal. All those rules about using uppercase letters and special characters and numbers--those are all because of Bill. The only problem is that Bill Burr didn't really know much about how passwords worked back in 2003, when he wrote the manual. He certainly wasn't a security expert. And now the retired 72-year-old bureaucrat wants to apologize. "Much of what I did I now regret," Bill Burr told The Wall Street Journal recently, admitting that his research into passwords mostly came from a white paper written in the 1980s, well before the web was even invented. "In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."
https://www.nvteh.com/news/problems-with-public-ebs-snapshots TL;DR Creating public (unencrypted) EBS Snapshots might not be a great idea. Even if you are going to share them just for a second. A lot can be fished out of these snapshots: ssh keys, tls/ssl certificates, aws credentials, private source code and internal (extremely) valuable HR/Accounting/IT documents. https://www.nvteh.com/news/problems-with-public-ebs-snapshots
Item in this week's *The Telegraph*: http://www.telegraph.co.uk/news/2017/08/07/airlines-rail-companies-face-huge-fines-meltdowns-lead-delays/ Interesting approach to preventing IT failures—make them illegal! (Not sure about health as it's funded by taxes in the UK.) Summary: Airlines and rail companies that blame computer meltdowns for customer chaos will face huge fines under Government plans, ministers have said. Ministers are unveiling plans to force organisations that provide "essential services" in areas including transport, energy and the health service to improve their IT systems. Those that suffer critical IT failures because they did not do enough to protect their systems could ultimately be fined as much as 4 per cent of global turnover. Organisations will also face fines if they fail to protect themselves from cyber-attacks that could put at risk services on which people rely.
http://dailybruin.com/2017/08/04/cyberattack-on-ucla-server-potentially-breaches-student-information/
Tickets to the intimate shows at the Walter Kerr Theater will be sold via a new technology called Verified Fan in an attempt to cut down on scalping. https://www.nytimes.com/2017/08/09/arts/music/bruce-springsteen-broadway-concerts.html [Another new target for hacking in the exponentially/spirally escalating battle of defense vs offense? PGN]
[Via Dave Farber] I've just watched "Secrets of Silicon Valley—the Persuasion Machine", a one-hour BBC TV documentary, in which Facebook and Cambridge Analytica featured heavily. The BBC has a page describing this program (at http://www.bbc.co.uk/programmes/b091zhtk), with links to the program itself on iPlayer, but I understand iPlayer (a superb service) is restricted to the UK. However, you might nevertheless want this for IP. The Persuasion Machine Secrets Of Silicon Valley, Series 1 Episode 2 of 2 Jamie Bartlett reveals how Silicon Valley's mission to connect the world is disrupting democracy, helping plunge us into an age of political turbulence. Many of the Tech Gods were dismayed when Donald Trump - who holds a very different worldview - won the American presidency, but did they actually help him to win? With the help of a key insider from the Trump campaign's digital operation, Jamie unravels for the first time the role played by social media and Facebook's vital role in getting Trump into the White House. But how did Facebook become such a powerful player? Jamie learns how Facebook's vast power to persuade was first built for advertisers, combining data about our Internet use and psychological insights into how we think. A leading psychologist then shows Jamie how Facebook's hoard of data about us can be used to predict our personalities and other psychological traits. He interrogates the head of the big data analytics firm that targeted millions of voters on Facebook for Trump - he tells Jamie this revolution is unstoppable. But is this great persuasion machine now out of control? Exploring the emotional mechanisms that supercharge the spread of fake news on social media, Jamie reveals how Silicon Valley's persuasion machine is now being exploited by political forces of all kinds, in ways no one - including the Tech Gods who created it - may be able to stop.
> "People should be open to learning multiple technologies, languages, and > frameworks." I find it surprising that people working in high tech industry would need to be reminded of this. It should come up during their first year on the job, and continually after that. I've been aware of it since I read "The Engineer", published by Time Life in 1967. Chapter 4 ends with a Picture Essay, "Education without End". Page 96 deals with the noticeable phenomenon of graduate engineers returning to campus for knowledge upgrading. Top left is a photo of a Graduate Engineer sitting beside his undergrad son in a 1966 MIT Transistor Theory Class. At the bottom MIT Prof (Dean?) Arthur C. Smith is shown teaching Electrical Engineering to a class of engineers sent to MIT by their employers for a year of upgrading. If you aren't willing to learn anything new you should admit to yourself and to your employer that your career is about to end. I was less surprised when I heard that Canadian Federal Human Resources and Social Development once asked the Software Human Resources Council lobby group to explain what had happened to all the Windows NT Admin jobs they had been telling people to train for. OS Versioning and end of support is such an abstruse concept, after all.
via Dave Farber Your readers may be interested in this paper on an adjacent discipline: http://ieeexplore.ieee.org/document/5551111/ Fabricated news, made to mislead or turn a profit, is a growing problem in online communities. The U.S. intelligence community assessed that Russia used social media to propagate misinformation campaigns throughout the 2016 presidential race. "Misinformation devalues the open web," said Katharina Borchert, Mozilla chief innovation officer, on Wednesday, announcing their new initiative. "We see this as a threat to the fabric of our society." The Mozilla Information Trust Initiative (MITI) will increase funding for research on misinformation, the first findings to be released later this year. The company hopes to leverage Firefox's size and reach to get data about news browsing habits. MITI will also tailor products to amplify actual news over fake news, expand an effort to increase digital news literacy and fund designers to work on software to provide on-the-fly visualizations of the problem. "There will not be a quick technical fix," said Borchert, who emphasized the importance of tackling the issue from multiple fronts. Fake news is more than just an issue of influencing mass numbers of people. After the election, some producers of predominantly right-wing viral news stories acknowledged their work as hoaxes designed to attract advertising revenue. Mozilla is dedicating staff to MITI, including a new senior fellow and a research team under Borchert's purview.
Hoo-RAY, another PGN fishy pun! You are a DAB hand at them, and must have a WHALE of a time PLAICING them. Some are BETTA than others, but most are BRILL. I can't recall seeing a CRAPPIE one or one than made me GRUNT or FLOUNDER. Don't be KOI, we are SUCKERs for them and might DISCUSs whether you are trying to DRUM up an OSCAR for 'SOLE punster'. But I mustn't CARP, it's all a CHARming CODology. Now, where did I put that half-smoked ROACH? [I might presume that a Thesaurus would have been a large prehistoric fish that evolved into a land creature, and perhaps eventually into a BACONburger. However, in that there have been so few puns in RISKS lately, I thought Michael could be the MAN-TA sneak through my fish net to tip the SCALES. So, what's the relevance to Computer-Related Risks? Perhaps Seymour Crayfish would know, just for the HALIBUT. Or, simply call me FISHMEAL (in a MOBYous comic strip). PGN] But to be serious—if the following can be taken seriously—several years ago I was told the tale of the cow that broke through a rickety fence at the edge of a small bluff, and tumbled over the edge, demolishing at the bottom a small wooden shed, which housed the computer that both ran the milking machines for the farm and processed the paperwork vital for the sale of the milk, putting them out of action. "No milk today my love is gone away, The bottle stands forlorn a symbol of the dawn. No milk today it seems a common sight, But people passing by don't know the reason why." —Herman's Hermits C1966.
Please report problems with the web pages to the maintainer