[Thanks to Nancy Leveson for this item. PGN] https://www.digitaltrends.com/cool-tech/drone-collision-passenger-plane-canada/ A small drone struck a passenger jet in Canada last Thursday in the first incident of its kind in the country. The Skyjet aircraft was making preparations to land at Jean Lesage airport in Quebec City when it collided with what is believed to have been a drone. The plane suffered minor damage but the incident was deemed so serious that Transport Minister Marc Garneau felt compelled to issue an official statement about it: “This is the first time a drone has hit a commercial aircraft in Canada and I am extremely relieved that the aircraft only sustained minor damage and was able to land safely,'' The jet, which was carrying eight passengers on the flight from the city of Rouyn-Noranda, 370 miles north-west of Quebec City, is likely to have been a King Air 100 or King Air 200 model. Reports suggest it was flying at an altitude of 1,500 feet (457 meters) when the drone, model unknown, hit the aircraft. No arrests have yet been made. The minister noted that while *the vast majority* of drone operators fly responsibly, anyone tempted to fly their machine near an airport is “endangering the safety of an aircraft, [which is an] extremely dangerous and serious offense.'' Growing fears about risky drone flights prompted the Canadian government to issue a set of interim guidelines in March that imposed strict limitations on drone operations near people, animals, and buildings, including airports. Violators could be hit with a $25,000 fine or a prison term. Or both. <https://www.digitaltrends.com/cool-tech/canada-drone-rules/> Garneau said at the time that the potential for a catastrophic accident involving an airplane is “the kind of nightmare scenario that keeps me up at night.'' After last week's incident, the minister will be sleeping even less easily. Canadian authorities said that so far in 2017, it has received reports of 1,596 drone incidents, with 131 considered to have been of aviation safety concern. Earlier this month, a helicopter flying over New York City collided with a Phantom 4 drone, a popular consumer model made by drone giant DJI. After landing safely at an airport in New Jersey, parts of the mangled quadcopter were extracted from the body of the helicopter. Federal Aviation Administration data compiled between February and September 2016 lists 1,274 possible drone sightings by U.S. air traffic facilities, compared to 874 for the same period a year earlier. Rogue drone flights in off-limits locations is a growing headache for the authorities as the market for consumer machines continues to grow. The challenge of dealing with rogue drones has spawned a new industry geared toward developing technology that takes control of the drone from the operator to remove it from the sky, while the Pentagon recently approved a policy allowing the U.S. military to shoot down rogue drones flying close to its military installations across the country. https://www.digitaltrends.com/cool-tech/battle-innovations-anti-drone-gun/ https://www.digitaltrends.com/cool-tech/drone-restrictions-us-military/
https://www.nytimes.com/2017/09/28/business/airport-check-in-computer.html A “network issue” affected programs used by several major carriers, delaying flights and causing other problems for travelers.
Medical IoT devices: the security nightmare that keeps CIOs up late at night A survey by security company ZingBox found that U.S. hospitals on average have between 10 and 15 connected devices per bed. A large hospital can have more than 5,000 beds. Every connected device, and the systems managing them, is a target for hackers and malware—and the devices often aren't well-protected. https://insights.hpe.com/content/hpe-nxt/en/articles/2017/09/medical-iot-devices-the-security-nightmare-that-keeps-cios-up-late-at-night.html U.S. DHS and FDA Face Medical Device Security Woes While most eyes interested in cybersecurity for the past two weeks have been focused upon (and for good reason) the Equifax breach, the U.S. Food and Drug Administration (FDA) continued its pressure on medical device manufacturers to build security into product design — just as the U.S. Department of Homeland Security warned the medical community of eight vulnerabilities in Smiths medical wireless infusion pumps. https://businessinsights.bitdefender.com/dhs-fda-security-breach
The Homeland Security cybersecurity response team has notified automobile makers they should take a look at new research illustrating flaws in vehicle control modules to set the systems up for denial-of-service attacks and other mischief. ... Samani said consumers should also bear some of the responsibility by asking manufacturers about their responses to cybersecurity incidents and vulnerabilities, as well as how they test products to ensure security. https://fcw.com/articles/2017/08/03/auto-cyber-cert-rockwell.aspx That will be a fun and enlightening exchange, right?
This could be rather devastating for your wireless. If you don't want to read the outstanding Vanhoef-Piessens paper, try Matt Green's take on it, or some of the other sources. * Mathy Vanhoef and Frank Piessens (Leuven), Key Re-installation Attacks: Forcing Nonce Reuse in WPA2, CCS 2017 https://papers.mathyvanhoef.com/ccs2017.pdf * Matthew Green, Falling through the KRACKs, https://blog.cryptographyengineering.com * Forbes: Update Every Device—This KRACK Hack kills your wi-fi privacy * The Verge: Wi-Fi security has been breached * The Independent: Krack wi-fi breach means every modern network and device is vulnerable * https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/ * https://www.krackattacks.com/ * https://plus.google.com/+LaurenWeinstein/posts/3HPiHw5HjMp [Steve Bellovin notes it's a blindingly obvious flaw in the protocol -- bad things happen if you replay message 3—but it took 13 years to be noticed. Drew Dean commented that the Needham-Schoeder flaw took 18 years to be found. Even then, the Lowe's would-be fix to address man-in-the-middle attacks required more time to get right. PGN]
ANOTHER (DIFFERENT!) Security Disaster Today! https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/ A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers. The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it's located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest. This relates to: Explaining the Chromebook Security Scare in Plain English: Don't Panic! https://lauren.vortex.com/2017/10/11/explaining-the-chromebook-security-scare-in-plain-english-dont-panic My comments in that posting still hold true.
http://variety.com/2017/digital/news/russia-pokemon-go-1202588702/ Russian operatives apparently didn't just lean on Facebook and Twitter in their attempts to influence the 2016 presidential election. A new report from CNN details an effort to also tap into the fan base of Pokemon Go to cause unrest. These efforts were being organized by "Don't Shoot Us," a group ostensibly founded to protest police brutality against African-Americans. As part of these efforts, the group encouraged its followers to make use of a feature that allows users to rename any Pokemon that they have captured. The group instructed Pokemon Go players to replace the default Pokemon names for the names of victims of police brutality, and then take screenshots of their renamed Pokemons. Game maker Niantic Labs told CNN that users can't actually share information in the game with each other. "Niantic will consider our response as we learn more," it said in a statement.
TAKE A HINT - A leading election security expert on Monday urged New Jersey to decertify paperless electronic voting machines that they say create an unacceptable risk of vote hacking. "New Jersey needs to ensure its ability to detect interference is as strong as its other defenses," said Barbara Simons, a computer scientist who leads the nonprofit Verified Voting, in a statement. The Garden State will hold a closely watched gubernatorial election in November to replace term-limited Gov. Chris Christie. Virginia recently decertified paperless touchscreen voting machines, and Simons urged New Jersey to do the same. While "election officials take precautions to ensure that the risk of tampering is as low as possible," she said, "defending any computer system is not foolproof." New Jersey law defines the ballot of record as the paper document generated by each vote, but the state has not enforced that law because it lacks the money to buy new machines that produce those paper documents. <http://go.politicoemail.com/?qs=7f927db04f459f0dbd62e5b7095548345bf6e814b42d84122fbbc1ad20a67a35367bba5f7d3a526d098074e45baf4805014f1573920434c2> Montgomery County, Md. whose county IT services were crippled under a ransomware attack, paid the ransom to its hackers. <http://go.politicoemail.com/?qs=7f927db04f459f0df1a4ac12e9ae0e5bca00ca6bef81c55a47721e3a13260ea449b200d6467b3d1a206604f39c4c4dab6495ec24467110bb>.
Edward-Isaac Dovere, Politico, 9 Oct 2017 <http://go.politicoemail.com/?qs=3D72a51dae38c79e4d50be87cf0f23fd979df36889c45a095dd3a70e0606f552d1daee5442b1092d585679d613dd22dee09201b5c3783908ef> American voting machines are full of foreign-made hardware and software, including from China, and a top group of hackers and national security officials says that means they could have been infiltrated last year and into the future. DEFCON, the world's largest hacker conference, will release its findings on Tuesday, months after hosting a July demonstration in which hackers quickly broke into 25 different types of voting machines. The report, to be unveiled at an event at the Atlantic Council, comes as the investigation continues by four Hill committees, plus Justice Department special counsel Robert Mueller, into Russian meddling in the 2016 elections, on top of the firm intelligence community assessments of interference. Though the report offers no proof of an attack last year, experts involved with it say they're sure it is possible—and probable—and that the chances of a bigger attack in the future are high. From a technological point of view, this is something that is clearly doable," said Sherri Ramsay, the former director of the federal Central Security Service Threat Operations Center, which handles cyber threats for the military and the National Security Agency. "For us to turn a blind eye to this, I think that would be very irresponsible on our part." Often, voting machine companies argue that their supply chain is secure or that the parts are American-made or that the number of different and disconnected officials administering elections would make a widespread hack impossible. The companies also regularly say that since many machines are not connected to the internet, hackers' ability to get in is limited. But at the DEFCON event in Las Vegas, hackers took over voting machines, remotely and exposed personal information in voter files and more. [lots more PGN-truncated.]
PGN excerpted from Bruce Schneier's CRYPTO-GRAM, October 15, 2017, email@example.com, https://www.schneier.com https://www.schneier.com/crypto-gram.html Yet Another Russian Hack of the NSA—This Time with Kaspersky's Help The *Wall Street Journal* has a bombshell of a story. Yet another NSA contractor took classified documents home with him. Yet another Russian intelligence operation stole copies of those documents. The twist this time is that the Russians identified the documents because the contractor had Kaspersky Labs anti-virus installed on his home computer. This is either an example of the Russians subverting a perfectly reasonable security feature in Kaspersky's products, or Kaspersky adding a plausible feature at the request of Russian intelligence. In the latter case, it's a nicely deniable Russian information operation. In either case, it's an impressive Russian information operation. This is a huge deal, both for the NSA and Kaspersky. The Wall Street Journal article contains no evidence, only unnamed sources. But I am having trouble seeing how the already embattled Kaspersky Labs survives this. What's getting a lot less press is yet another NSA contractor stealing top-secret cyberattack software. What is it with the NSA's inability to keep anything secret anymore? And it seems that Israeli intelligence penetrated the Kaspersky network and noticed the operation. https://www.wsj.com/articles/russian-hackers-stole-nsa-data-on-u-s-cyber-defense-1507222108 (link behind paywall) https://www.wsj.com/articles/kaspersky-says-it-is-pawn-in-u-s-russia-conflict-1507285528 (link behind paywall) https://arstechnica.com/information-technology/2017/10/the-cases-for-and-against-claims-kaspersky-helped-steal-secret-nsa-secrets/ https://www.nytimes.com/2017/10/05/us/politics/russia-nsa-hackers-kaspersky.html https://www.wired.com/story/nsa-contractors-hacking-tools/ http://www.slate.com/blogs/future_tense/2017/10/05/another_nsa_contractor_stole_documents_and_now_the_russians_have_more_u.html https://motherboard.vice.com/en_us/article/kz755a/ex-nsa-hackers-are-not-surprised-by-bombshell-kaspersky-report Israel's involvement: https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html https://www.washingtonpost.com/world/national-security/israel-hacked-kaspersky-then-tipped-the-nsa-that-its-tools-had-been-breached/2017/10/10/d48ce774-aa95-11e7-850e-2bdd1236be5d_story.html
<http://www.wsj.com/articles/russian-hackers-scanned-networks-world-wide-for-secret-u-s-data-1507743874?mod=djemalertNEWS> The Russian government used a popular antivirus software to secretly scan computers around the world for classified U.S. government documents and top-secret information, modifying the program to turn it into an espionage tool, according to current and former U.S. officials with knowledge of the matter. The software, made by the Moscow-based company Kaspersky Lab, routinely scans files of computers on which it is installed looking for viruses and other malicious software. But in an adjustment to its normal operations that the officials say could only have been made with the company's knowledge, the program searched for terms as broad as "top secret," which may be written on classified government documents, as well as the classified code names of U.S. government programs, these people said. [...]
“Even worse, any technology that allows U.S. agencies to lawfully access data will present an irresistible target for hackers and foreign intelligence services. The idea that such data will remain safe is laughable in a world where foreign intelligence services have openly leveraged cyberweapons against corporate and political targets.'' http://www.slate.com/blogs/future_tense/2017/10/12/russia_used_kaspersky_software_to_spy_on_the_u_s_that_s_why_we_need_encryption.html
https://www.nytimes.com/2017/09/13/magazine/rt-sputnik-and-russias-new-theory-of-war.html?smprod=nytcore-ipad&smid=nytcore-ipad-share How the Kremlin built one of the most powerful information weapons of the 21st century — and why it may be impossible to stop.
https://www.nytimes.com/2017/10/15/world/asia/north-korea-hacking-cyber-sony.html While the world is fixated on its nuclear missiles, North Korea has also developed a cyberattack program that is stealing millions and unleashing havoc.
Joel Schectman, Dustin Volz and Jack Stubbs (Reuters) "Hewlett Packard Enterprise allowed a Russian defense agency to review the inner workings of cyber defense software used by the Pentagon to guard its computer networks, according to Russian regulatory records and interviews with people with direct knowledge of the issue. "The HPE system, called ArcSight, serves as a cybersecurity nerve center for much of the U.S. military, alerting analysts when it detects that computer systems may have come under attack. ArcSight is also widely used in the private sector. The Russian review of ArcSight's source code, the closely guarded internal instructions of the software, was part of HPE's effort to win the certification required to sell the product to Russia's public sector, according to the regulatory records seen by Reuters and confirmed by a company spokeswoman." https://www.reuters.com/article/us-usa-cyber-russia-hpe-specialreport/special-report-hp-enterprise-let-russia-scrutinize-cyberdefense-system-used-by-pentagon-idUSKCN1C716M
"The hack into the accountancy giant Deloitte compromised a server that contained the emails of an estimated 350 clients, including four US government departments, the United Nations and some of the world's biggest multinationals, the Guardian has been told." https://www.theguardian.com/business/2017/oct/10/deloitte-hack-hit-server-containing-emails-from-across-us-government
https://www.washingtonpost.com/investigations/the-only-california-county-that-sent-a-warning-to-residents-cellphones-has-no-reported-fatalities/2017/10/13/b28b5af4-b01f-11e7-a908-a3470754bbb9_story.html "More than 65 percent of the nation's 3,500 counties do not have agreements in place with FEMA to send alerts through the Wireless Emergency Alert system, as it is known, the agency said."
James Somers, *The Atlantic*, 26 Sep 2017 via ACM TechNews, 29 Sep 2017 The growing complexity and connectivity of software and the fact that its foundational requirements can lead to serious and potentially disastrous consequences has prompted a group of coders to combat the abstract approach to programming. The Communications Design Group's Bret Victor says thinking about software systems via code is difficult, which plays directly into their high incidence of bugs. His solution is a what-you-see-is-what-you-get interface to enable programmers to write and revise code and see the immediate effects of those changes on the application under development. Some programming experts are following Victor's lead, with Microsoft's Chris Granger having built a prototype coding environment designed to provide instant feedback to developers on software behavior. Also gaining favor is a model-based approach that is still sufficiently unambiguous for computers to comprehend, while of paramount importance is the creation of a program to convert the models into actual code that can be proven to function correctly all the time. https://orange.hosting.lsoft.com/trk/click?ref=3Dznwrbbrs9_6-171ddx213192x077133&
http://www.smh.com.au/technology/consumer-security/corporate-tech-giant-leaves-secret-data-exposed-to-public-internet-20171011-gyyijb.html “A world-leading corporate consultancy and technology outsourcer left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both the provider and its thousands of clients. Fairfax Media can reveal that Accenture – one of the world's largest corporate consulting and management firms that has offices across Australia, and is also behind the national e-health record system – inadvertently allowed files belonging to its clients to be publicly available.'' It seems that the exposed data was actually test data for a trial run, but nonetheless was accurate; there was no evidence that Australia's e-health system was compromised (but how would they know?). I guess one message here is that test data had better be just that...
Pirate Bay and Showtime turned to forcing unknowing visitors to mine cryptocurrency, using computers rather than eyeballs on ads to generate money. https://www.theguardian.com/technology/2017/sep/27/pirate-bay-showtime-ads-websites-electricity-pay-bills-cryptocurrency-bitcoin
The e-crime unit of the Hellenic Police identified 15 individuals involved in the unlocking of stolen smartphones. According to an issued press statement  the perpetrators would send a targeted phishing message to the owners of stolen smartphones that had enabled the device's tracking feature. The message, purporting to come from the device's manufacturer, would direct them to a phishing site made to look like the site of the phone's manufacturer. The site prompted the owners wishing to find out their phone's location to enter their iCloud credentials required to unlock the phone. Through these the perpetrators could unlock the phone, access its user's data, and reset the phone so that they could resell it. Apparently, local phone shops outsourced the phishing operation to accomplices with a global presence. As I see it, the scam's effectiveness is based on two factors and corresponding risks. First, it targets phone owners who are distraught, because their phone has been stolen. These will most probably have their defenses lowered. Second, it involves the phone owners in an operation with which they are not familiar; most phone owners seldom use their phone's location tracking feature.  http://www.astynomia.gr/index.php?option=ozo_content&lang=%27..%27&perform=view&id=74803&Itemid=1961&lang
Passengers will no longer have to wait in line at security counters or pass through e-gates, instead walking through a tunnel that scans people’s faces. https://www.thenational.ae/uae/transport/dubai-airport-s-new-virtual-aquarium-tunnel-scans-your-face-as-you-walk-through-it-1.665406#5
No one has built a quantum computer large enough to be useful because the delicate quantum effects qubits rely on also make them prone to errors. https://www.wired.com/story/microsofts-nadella-wants-to-help-coders-take-a-quantum-leap Blindingly fast but error-prone computing, what could go wrong?
Brian Krebs notes the risks of poor authentication in the US Post Office's latest on-line convenience service: mail covers/images for most in-coming mail delivered to you via email ... <https://krebsonsecurity.com/2017/10/usps-informed-delivery-is-stalkers-dream/>
Inattentive ISPs and technical faults have led the Internet Corporation for Assigned Names and Numbers (ICANN) to delay the KSK Rollover for next year. KSK stands for the key signing key, a special cryptographic key used by core Internet DNS servers. The KSK is part of the Domain Name System Security Extensions (DNSSEC) protocol, a more secure version of the classic DNS protocol. https://www.bleepingcomputer.com/news/security/internet-regulator-delays-key-security-feature-update-because-of-lazy-isps/
Obviously, it can't stop someone picking up your machine and walking away with it (unless the USB stick is made of lead), but it can stop prying eyes from having a quick look at your personal documents while you're stood up ordering your next iced frappe-latte-mocha-chino. Sounds great, but how can you make this magic happen? It's all thanks to a wonderful little app called Predator. The Predator app lets you lock and unlock your PC by removing or inserting a USB flash drive. You can use any USB stick, so you don't have to remember to take the same one with you every time you leave the house. As long as you have a USB stick on your person, it will work. The app works by generating a security code and placing it on the USB stick. Every few seconds, it checks to see whether the code—and by extension, the stick—is still present. http://www.makeuseof.com/tag/usb-stick-secure-computer-public/ Really?
https://www.theatlantic.com/technology/archive/2017/10/google-and-facebook-have-failed-us/541794/ In the crucial early hours after the Las Vegas mass shooting, it happened again: Hoaxes, completely unverified rumors, failed witch hunts, and blatant falsehoods spread across the internet. But they did not do so by themselves: They used the infrastructure that Google and Facebook and YouTube have built to achieve wide distribution. These companies are the most powerful information gatekeepers that the world has ever known, and yet they refuse to take responsibility for their active role in damaging the quality of information reaching the public. BuzzFeed's Ryan Broderick found that Google's "top stories" results surfaced 4chan forum posts about a man that right-wing amateur sleuths had incorrectly identified as the Las Vegas shooter. 4chan is a known source not just of racism, but hoaxes and deliberate misinformation. In any list a human might make of sites to exclude from being labeled as "news," 4chan would be near the very top.
https://www.theverge.com/2017/6/22/15851662/facebook-profile-picture-protection-india "Facebook is introducing new protections for profile pictures for users in India, in a bid to stop people from copying, sharing, or otherwise misusing their images. Users who elect to guard their profile through the new system will ensure that others can't send, share, or download their picture, and will keep strangers from tagging themselves in the image." But all one has to do is in e.g., Chromium, CTRL+S Save Webpage Complete, and voila...
First they track your browsing, then they read your e-mail, and now they will eavesdrop on your conversations. https://qz.com/1094638/google-goog-built-earbuds-that-translate-40-languages-in-real-time-like-the-hitchhikers-guides-babel-fish/ I'm sure it's to give you targeted ads to improve your user experience.
Microsoft has apologized to users of its Azure cloud in Europe who could not access some services for seven hours late last month. The reason for the snafu? An errant fire alarm. Or, as the Microsoft Azure status report put it: “During a routine periodic fire suppression system maintenance, an unexpected release of inert fire suppression agent occurred.” At that point, the data center’s air handling units shut down automatically, as they are supposed to, while the conditions were assessed. Some Microsoft Azure cloud services were difficult or impossible to access between 1:27 p.m. and 8:15 p.m. local time on September 29, 2017, according to the status report which tech news site The Register picked up. http://fortune.com/2017/10/04/microsoft-azure-cloud-europe/ The risk? Same as on-premises equipment. Just larger consequences.
I mentioned to my Mom about the endless deletion attempts on Wikipedia, https://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/Peace_and_World_Affairs_Center_of_Evanston So she said something that made my day: So is Wikipedia really a disappointment? That's good to know because since I haven't contributed to them yet, I was thinking of adding a thousand dollars for them in my will. If you say so, I won't do it. Please advise. I told her: Dear Mom, consider instead https://archive.org/donate/ , which stores all the Wikipedia articles that have been deleted. They even tired to delete https://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/Triscuit
https://bugs.chromium.org/p/chromium/issues/detail?id=772914#c3 "The link status text has never been a security surface. Because of onclick handlers, sites can navigate anywhere (or do anything else) when you click a link. Because the halting problem is not solvable, browsers cannot tell you ahead of time what the site is going to do. Therefore, in all browsers, this text is simply a best-effort attempt to show what will happen; it's not a reliable one (and cannot be made to be). In the particular case of Google, the site completely changes the link's target when you click down, which is why you see the preview change at that point. The browser can't know in advance that's what will happen."
Yes, I think everyone knows that battleground states get most of the attention from everyone involved in political campaigns. Everyone makes a coordinated effort to target pivotal voters in those states. That's where the cost/benefit ratio is best. They *all* propagate their agendas (the original definition of "propaganda") where they can sway the most votes. Why waste money on voters in a state that you know you either are going to win or cannot win? How is this news? How is this even a risk? Who is paying these Oxford "researchers" to produce such obvious results? Clinton didn't spend a lot on states she knew she had sewn up; Trump likewise. I live in a state that was going to go to HRC and I didn't see any ads from either one. I kind of like that. It makes watching TV or listening to the radio much more pleasant. By the way, the more recent derogatory usage for an inherently neutral word is more concerning than the fact that campaigns actually go where they can influence the most voters. It's always the other guy's agenda being propagated that becomes "propaganda", never one's own. And don't get me started on how it is a sudden epiphany to so many people that the Internet is filled with misinformation. It has been that way since long before the Eternal September, back when USENET was UUCP. Suddenly it's front page news that the front page of so many news sources on the Internet might not contain 100% fact. Something must be done! Why isn't the Government saving us?
> "To be clear, TargetSmart's database and systems are secure and have not > been breached. TargetSmart imposes strict contractual obligations on its > clients regarding how TargetSmart data must be stored and secured, and takes > these obligations seriously," Bonier added. But not seriously enough to actually get the third party to secure things properly. Contractual obligations are nice for placing blame after it all goes wrong, but they generally don't serve to, you know, actually secure anything. That has to be done by people who actually give a damn, every day. Apparently that wasn't in the contract.
It is doubtful whether this measure will have the desired effect. If indeed illegal immigrants have bank accounts, despite setting up an account in the UK seemingly requiring much in the way of ID including inside leg measurement, they will simply close these accounts and drop off the grid.
It seems worse than that ... I recently had a letter from my bank telling me that for several years they have to check new customers residential status. But now they are required retrospectively to check the status of all existing account holders. Don't forget - the UK is one the few (the only?) countries that has no form of identity card system. What proof do they want of resident status? I have no idea where my birth certificate is (it's only valid as proof if the date of issue is within six weeks of the date of birth - copies are easily obtained but are also easily identified by the date of issue). I no longer have a valid passport. National Insurance numbers and driving licences are handed out willy-nilly and are meaningless for national identity purposes. ... I'm probably not alone - an awful lot of people will have no ID to prove their rights. This has long been a problem - I remember something like this maybe 30 years ago, when there was a big storm about the number of women who would be affected because they were asking for a whole bunch of id that typically the husband would have eg household bills. How does a woman prove her address when all the paperwork is in her husband's name? It would not surprise me in the least if the Government has learned absolutely nothing in the intervening years ... (I think that if I'm forced to apply for a new passport, I'll try and get a German one. :-)
This seemed a bit far-fetched, so I looked it up (I always follow links, they tell a different story than headlines, often contradictory). Two facts not mentioned in this post are first, that this guy had already been sentenced to more than 15 years for other offenses (which he'll start to serve once this issue is resolved), that's why no one is in a hurry to get him out of prison; and second, more important, that he was not ordered to reveal his password, (and so never claimed he forgot it), only to produce a decrypted version of the hard drive. If I understand the points of law correctly (IANAL), he was not convicted, only held in contempt, so *habeas corpus *is not applicable (as one judge said, he "keeps punishing himself" by refusing to comply); and OTOH since he was ordered to *do *something rather than *say *something, the fifth amendment protection does not apply either. The important and ominous fact is, a person may be held indefinitely in jail without being convicted, for refusing to criminalize himself. The relevance to RISKS is that technology provides the cracks that such a monstrosity can slip through.
Perhaps the real risk here is taking the claims of paid lobbyists seriously without fact checking. This brings to mind the scandal where the Conference Board of Canada, supposedly an independent Research Group, presented 3 reports portraying Canada as a top international hot bed of "file swapping". Those reports got a lot of traction with news reporters and politicians, until a text comparison showed them to contain masses of text copied in whole from press releases of an industry group seeking draconian regulations about monitoring personal internet activity. At least one of the paid Researchers whose name appeared on the final version of a report asked the Conference Board to remove his name from a report that no longer bore any resemblance to the one he prepared. http://www.michaelgeist.ca/2009/05/conference-board-ip-reports/ "The role of the Ontario government obviously raises questions about taxpayer dollars being used to pay for a report that simply recycles the language of a U.S. lobby group paper." http://www.michaelgeist.ca/2009/05/conference-board-recalls-reports/ http://www.cbc.ca/news/technology/conference-board-report-on-copyright-draws-criticism-1.818091 I understand that Game of Thrones appeals to many people. Clearly it serves a purpose of amusing them. For me George R. R. Martin's shtick of killing off characters got old long ago, when I read stories such as "After the Festival" in Analog magazine. I said exactly that when TELUS told me that someone had accused me of illegally downloading an episode and watching it.
Please report problems with the web pages to the maintainer