[Like the extant stock market] Our Planet/Humanity/Society/Civilization is BADLY IN NEED of a "correction", er, "consolidation" (AND The Sooner The Better) https://www.thesun.co.uk/tech/4904635/15000-scientists-sign-warning-to-humanity-letter-detailing-the-grim-future-of-our-planet/ http://washingtonpost.com/news/speaking-of-science/wp/2017/11/13/thousands-of-scientists-issue-bleak-second-notice-to-humanity/
http://www.straitstimes.com/singapore/transport/signal-fault-to-blame-for-joo-koon-mrt-collision "Sharing their preliminary findings yesterday, SMRT and LTA said the first train departed Ulu Pandan depot with a software protection feature, but this was `inadvertently removed' when it passed a faulty signaling circuit." One needs to ask Thales whether their release qualification process injects arbitrary/random faults into their simulation environment to assess problematic responses, especially to measure viability factor X—Safety, used to evaluate behavior under fault conditions. For public safety, stack procurement requires additional vigilance: inspect the test plan, review test results for the deployed version, examine the top-10 defect field escapes and their root cause analysis, and ask what wall-clock time is needed to complete qualification for each change. These steps are unlikely to be pursued for simple consumer items, and are generally above and beyond consumer comprehension. Hence the increasing importance of a public service that vets stack publications and rates them for compliance with a simple "readiness to publish" metric.
  $ ~ V = V(B,F,R,M,I,P,S,T,X,U)

The software stack's or ecosystem's readiness to publish for business purposes (primarily to capture and realize revenue) can be characterized as:

  $ = Revenue or quantifiable utility
  V = Viability (publication deployment fitness)
  B = Business process (via SOPs & process flows)
  F = Function (via API, protocol, command line, database insert/select ops that enable business process fulfillment)
  R = Reliability (continuous hours of operation w/o deadlock, crash, or data corruption)
  M = Resource consumption (absence of memory and/or descriptor leak, temp disk)
  I = Integration (processing of data sources/sinks, payload delivery, message passing)
  P = Performance (x/hr or 99.99% successful content delivery, scaling under load, etc.)
  S = Standards compliance (EDI/B2B, FIX, HTTP, RFC, JSON, XML, ANSI/IEEE)
  T = Trust (demonstrate a non-repudiated result; immune/hardened against surreptitious access or corruption, fuzz evaluation hard, OWASP.org at minimum)
  X = Safety (behavior under fault conditions, fail-over consistent)
  U = Usability (GUI navigation structure, initial brand exposure, intuitive usage, psychometrics, a/b test)

Select viability attribute(s) may not be applicable for a software stack or ecosystem under test. Each viability attribute is measured by one or more test suites designed exclusively for this purpose (minimal overlap). Assign a "1" for each scoped attribute that passes, "0" for non-passing coverage. If viability is not achieved per scoped viability factors coverage, prioritized defect repair is essential, with release notes to identify known issues subject to the extent of test coverage findings. Ideal practice is to publicly disclose test results and known defects to assist consumer buying decisions and pressure competition.
http://hightechforum.org/level-3s-tiny-error-shut-off-internet-parts-us/
A vulnerability found within a popular wallet has frozen potentially hundreds of millions of dollars of the cryptocurrency in a second setback in recent months. https://flipboard.com/@flipboard/-a-major-vulnerability-has-frozen-hundre/f-bca53f51bf%2Ftechcrunch.com [See also https://thehackernews.com/2017/11/parity-ethereum-wallet.html PGN]
https://paritytech.io/blog/security-alert.html Following the fix for the original multi-sig vulnerability that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July. Unfortunately, that code contained another vulnerability which was undiscovered at the time. And a newbie developer "accidentally" tripped over that vulnerability, and erased *other* people's wallets. More here: https://cointelegraph.com/news/accidentally-killed-it-parity-grapples-with-280-mln-locked-eth https://motherboard.vice.com/en_us/article/ywbqmg/parity-multi-signature-wallet-vulnerability-300-million-hard-fork From that last link: When I reached devops199 [the newbie developer] for comment on the incident, they replied, "Sorry! I'm really afraid now can't talk." RISK 1: Are you sure that patch you are in a hurry to release doesn't contain some new flaw? RISK 2: New technology has all sorts of unexpected failure modes.
[From Cryptography, via Dave Farber, long item PGN-truncated]

Christopher Malmo, Motherboard, 1 Nov 2017
One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week
Bitcoin's surge in price has sent its electricity consumption soaring.
https://motherboard.vice.com/en_us/article/ywbbpm/bitcoin-mining-electricity-consumption-ethereum-energy-climate-change

Bitcoin's incredible price run to break over $7,000 this year has sent its overall electricity consumption soaring, as people worldwide bring more energy-hungry computers online to mine the digital currency. An index from cryptocurrency analyst Alex de Vries, aka Digiconomist, estimates that with prices the way they are now, it would be profitable for Bitcoin miners to burn through over 24 terawatt-hours of electricity annually as they compete to solve increasingly difficult cryptographic puzzles to "mine" more Bitcoins. That's about as much as Nigeria, a country of 186 million people, uses in a year. This averages out to a shocking 215 kilowatt-hours (KWh) of juice used by miners for each Bitcoin transaction (there are currently about 300,000 transactions per day). Since the average American household consumes 901 KWh per month, each Bitcoin transfer represents enough energy to run a comfortable house, and everything in it, for nearly a week. On a larger scale, De Vries' index shows that bitcoin miners worldwide could be using enough electricity at any given time to power about 2.26 million American homes. Expressing Bitcoin's energy use on a per-transaction basis is a useful abstraction. Bitcoin uses x energy in total, and this energy verifies/secures roughly 300k transactions per day. So this measure shows the value we get for all that electricity, since the verified transaction (and our confidence in it) is ultimately the end product. Since 2015, Bitcoin's electricity consumption has been very high compared to conventional digital payment methods.
This is because the dollar price of Bitcoin is directly proportional to the amount of electricity that can profitably be used to mine it. As the price rises, miners add more computing power to chase new Bitcoins and transaction fees. [...] ... at a minimum, worldwide Bitcoin mining could power the daily needs of 821,940 average American homes. Put another way, global Bitcoin mining represents a minimum of 77KWh of energy consumed per Bitcoin transaction. Even as an unrealistic lower boundary, this figure is high: As senior economist Teunis Brosens from Dutch bank ING wrote, it's enough to power his own home in the Netherlands for nearly two weeks. [...]
*Oliver Haberstroh's door was broken down by irate cops after neighbours complained about deafening music blasting from inside* https://www.thesun.co.uk/news/4873155/cops-raid-german-blokes-house-after-his-alexa-music-device-held-a-party-on-its-own-while-he-was-out/ A German man has been left with a huge bill after his Amazon Echo tried to organise a house party while he was away. Hamburg cops were forced to break into Oliver Haberstroh's flat after neighbours complained about deafening music blasting from inside—but found the apartment empty after searching each room for someone to tell off. Mr Haberstroh claims he walked out of his flat to meet a friend on Friday night after checking that the lights and music were switched off. He wrote on Facebook: "While I was relaxed and enjoying a beer, Alexa managed on her own, without command and without me using my mobile phone, to switch on at full volume and have her own party in my apartment. She decided to have it at a very inconvenient time, between 1.50am and 3.00am. My neighbours called the police." After knocking on the door, the officers called an expert to break the lock open - and refused to hand over keys for the replacement until they'd been paid for the locksmith. A police spokesman said the source of the noise was "a black jukebox which is usually activated by voice control". It comes just weeks after a mischievous parrot used Alexa to order itself a set of ten gift boxes while the owner was away. [...]
via NNSquad https://boingboing.net/2017/11/15/russia-used-150000-twitter-ac.html Russian Twitter accounts posted more than 45,000 messages about Brexit in 48 hours during last year's referendum in an apparently co-ordinated attempt to sow discord, The Times can reveal. More than 150,000 accounts based in Russia, which had previously confined their posts to subjects such as the Ukrainian conflict, switched attention to Brexit in the days leading up to last year's vote, according to research for an upcoming paper by data scientists at Swansea University and the University of California, Berkeley.
via NNSquad Facebook Has Finally Opened The Door To Admitting Russia Meddled In Brexit https://www.buzzfeed.com/markdistefano/facebook-has-finally-opened-the-door-to-admitting-russia?utm_term=.uarW57Empo#.uqg5V2ljro Facebook has issued a carefully worded statement that appears to admit for the first time that some Russia-linked accounts may have used the platform to interfere in the EU referendum.
https://gizmodo.com/russian-proof-that-the-us-is-helping-isis-is-actually-f-1820446490 Russia's Ministry of Defense released startling visual proof this morning that the United States military is assisting ISIS. The only problem with Russia's claims? The photographic "evidence" actually came from a video game.
During a keynote address on Nov. 8 at the 2017 CyberSat Summit, a Department of Homeland Security (DHS) official admitted that he and his team of experts remotely hacked into a Boeing 757. This hack was not conducted in a laboratory, but on a 757 parked at the airport in Atlantic City, N.J. And the actual hack occurred over a year ago. We are only now hearing about it thanks to a keynote delivered by Robert Hickey, aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate. "We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration," Hickey said in an article in Avionics Today. "[That] means I didn't have anybody touching the airplane; I didn't have an insider threat. I stood off using typical stuff that could get through security, and we were able to establish a presence on the systems of the aircraft." While the details of the hack are classified, Hickey admitted that his team of industry experts and academics pulled it off by accessing the 757's radio frequency communications. https://www.csoonline.com/article/3236721/security/homeland-security-team-remotely-hacked-a-boeing-757.html
via NNSquad https://www.techworm.net/2017/11/facebook-asking-users-upload-nudes-stop-revenge-porn-online.html Facebook is running a pilot program in Australia in collaboration with the Office of the eSafety Commissioner that allows users to use its Messenger service to send the intimate images in question to themselves to "hash" them, i.e. create a digital fingerprint of the image. It also blocks the leaking of private pictures, as it will allow the victim to take action before their pictures are uploaded or shared privately on Facebook, Instagram and Messenger. The technology will soon be tested across the UK, US and Canada. [What could go wrong?] UH NO. OH SO VERY MUCH NO!
Buried deep inside your computer's Intel chip is the MINIX operating system and a software stack, which includes networking and a web server. It's slow, hard to get at, and insecure as insecure can be. http://www.zdnet.com/article/minix-intels-hidden-in-chip-operating-system/
A security firm says that a USB exploit can be used to run unsigned code on nearly all machines with Intel inside. Uh-oh. More bad news about Intel's Management Engine, the chipmaker's computer within a computer that runs on its own CPU and operating system. Sysadmins use it to remotely control and configure networked machines and it's been on about every CPU Intel has released since 2008. http://www.itprotoday.com/security/usb-exploit-affects-nine-years-intel-processors
*Sacramento Regional Transit Systems Hit By Hacker* http://sacramento.cbslocal.com/2017/11/20/sacramento-regional-transit-systems-hit-by-hacker/ SACRAMENTO (CBS13)—Sacramento Regional Transit is the one being taken for a ride on this night, by a computer hacker. That hacker forced RT to halt the operating systems that take credit card payments and assign buses and trains to their routes. The local transit agency alerted federal agents following an attack on their computers that riders may not have noticed Monday. "We actually had the hackers get into our system, and systematically start erasing programs and data," said Deputy General Manager Mark Lonergan. Inside RT's headquarters, computer systems were taken down after the hacker deleted 30 million files. The hacker also demanded a ransom in bitcoin, and left a message on the RT website reading "I'm sorry to modify the home page, I'm good hacker, I just want to help you fix these vulnerability."
https://www.hackread.com/eavesdropper-flaw-exposes-millions-of-call-texts-and-recordings/
"Yes or no, does the data remain unencrypted at rest?" "I don't know at this stage," Barros responded. Gardner appeared stunned by Barros' answer and pointed out that a lack of encryption was essentially what caused this massive Equifax breach. Smith attempted to make the situation better. http://searchsecurity.techtarget.com/news/450429891/Following-Equifax-breach-CEO-doesnt-know-if-data-is-encrypted The risk? Ninnies all the way to the top, as a manager of mine once described the hierarchy above him. Too true then and apparently at Equifax.
[Please read the entire testimony. I've just excerpted the main points. PGN]

Bruce Schneier, CRYPTO-GRAM, November 15, 2017
schneier@schneier.com https://www.schneier.com https://www.schneier.com/crypto-gram.html

Last week, I testified before the House Energy and Commerce committee on the Equifax hack. A link to the video is at the bottom of this section. And you can read my written testimony below.

Testimony and Statement for the Record of Bruce Schneier
Fellow and Lecturer, Belfer Center for Science and International Affairs, Harvard Kennedy School
Fellow, Berkman Center for Internet and Society at Harvard Law School
Hearing on "Securing Consumers' Credit Data in the Age of Digital Commerce"
Before the Subcommittee on Digital Commerce and Consumer Protection, Committee on Energy and Commerce, United States House of Representatives
1 November 2017, 2125 Rayburn House Office Building, Washington, DC 20515

1. The Equifax breach was a serious security breach that puts millions of Americans at risk.
2. Equifax was solely at fault.
3. There are thousands of data brokers with similarly intimate information, similarly at risk. Equifax is more than a credit reporting agency. It's a data broker. It collects information about all of us, analyzes it all, and then sells those insights. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about us—almost all of them companies you've never heard of and have no business relationship with.
4. These data brokers deliberately hide their actions, and make it difficult for consumers to learn about or control their data.
5. The existing regulatory structure is inadequate.
6. The market cannot fix this because we are not the customers of data brokers.
7. We need effective regulation of data brokers.
8. Resist complaints from the industry that this is "too hard."
9. This has foreign trade implications.
10. This has national security implications.
11. We need to do something about it.

Yes, this breach is a huge black eye and a temporary stock dip for Equifax -- this month. Soon, another company will have suffered a massive data breach and few will remember Equifax's problem. Does anyone remember last year when Yahoo admitted that it exposed personal information of a billion users in 2013 and another half billion in 2014? Unless Congress acts to protect consumer information in the digital age, these breaches will continue.

Hearing: https://energycommerce.house.gov/hearings/securing-consumers-credit-data-age-digital-commerce
Video of the hearing: https://www.youtube.com/watch?v=4_ydofXb7mU&feature=youtu.be

[Lots of references omitted, some of which have already been in RISKS. PGN]
[Worse than SSN!] https://techcrunch.com/2017/11/08/are-social-security-numbers-going-away/ Eyeing more secure alternatives to Social Security numbers, lawmakers in the U.S. are looking abroad. Today, the Senate Commerce Committee questioned former Yahoo CEO Marissa Mayer, Verizon chief privacy officer Karen Zacharia and both the current and former CEOs of Equifax on how to protect consumers against major data breaches. The consensus was that Social Security numbers have got to go. Rounding out the panel, Entrust Datacard president and CEO Todd Wilkinson offered some context and insight about why the U.S. should indeed move away from Social Security numbers -- a step that the witnesses unanimously agreed was necessary if not wholly sufficient to protect consumers moving forward, in light of the Equifax hack. SSN is bad. This would be worse. Every proposed replacement moves us directly into the realm of mandatory electronic national ID systems and cards, which if implemented in our toxic political and law enforcement environments will inevitably lead to tyranny. Yes, it is technically *possible* to improve this system without moving in that direction. But *we* will be incapable of doing it correctly and safely, and our children will curse us in our graves. [Reportedly, the breach cost at least $87M. PGN https://securityledger.wpengine.com/2017/11/equifax-says-breach-cost-87m/ ]
Dan Goodin, Ars Technica, 3 Nov 2017
Stuxnet-style code signing is more widespread than anyone thought. Forgeries undermine the trust millions of people place in digital certificates.
https://arstechnica.com/information-technology/2017/11/evasive-code-signed-malware-flourished-before-stuxnet-and-still-does/

One of the breakthroughs of the Stuxnet worm that targeted Iran's nuclear program was its use of legitimate digital certificates, which cryptographically vouched for the trustworthiness of the software's publisher. Following its discovery in 2010, researchers went on to find the technique was used in a handful of other malware samples both with ties to nation-sponsored hackers and, later on, with ties to for-profit criminal enterprises. Now, researchers have presented proof that digitally signed malware is much more common than previously believed. What's more, it predated Stuxnet, with the first known instance occurring in 2003. The researchers said they found 189 malware samples bearing valid digital signatures that were created using compromised certificates issued by recognized certificate authorities and used to sign legitimate software. In total, 109 of those abused certificates remain valid. The researchers, who presented their findings Wednesday at the ACM Conference on Computer and Communications Security, found another 136 malware samples signed by legitimate CA-issued certificates, although the signatures were malformed. The results are significant because digitally signed software is often able to bypass User Account Control and other Windows measures designed to prevent malicious code from being installed. Forged signatures also represent a significant breach of trust because certificates provide what's supposed to be an unassailable assurance to end users that the software was developed by the company named in the certificate and hasn't been modified by anyone else. The forgeries also allow malware to evade antivirus protections.
Surprisingly, weaknesses in the majority of available AV programs prevented them from detecting known malware that was digitally signed even though the signatures weren't valid. "Our results show that compromised certificates pose a bigger threat than we previously believed, as it is not restricted to advanced threats and that digitally signed malware was common in the wild before Stuxnet," Tudor Dumitraș, one of three professors at the University of Maryland, College Park, who performed the research, told Ars. "The findings also raise important concerns about the security of the code signing ecosystem."

Bypassing AV on the cheap

An accompanying research paper, titled Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI, found that even when a signature isn't valid because it doesn't match the cryptographic hash of the file being signed, at least 34 AV programs to some degree failed to identify the easy-to-spot error. As a result, the AV programs often failed to detect malware that was known to be malicious. The failure, the paper reported, is the result of faulty implementations of Microsoft's Authenticode specification. To prove the point, the researchers downloaded five unsigned ransomware samples that AV programs almost universally detected as malicious. The researchers then took two expired certificates that previously had been used to sign both legitimate software and malware and used the certificates to sign each of the five ransomware samples. When analyzing the resulting 10 files, the AV programs to varying degrees failed to detect they were malicious. [...]
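The Authenticode failure described above, as an added simulation that is not the researchers' code or Microsoft's: a signature blob is modelled as an HMAC (standing in for the CA-rooted signature, so it cannot be forged here) over the publisher name and the file hash, and two verifiers are compared, one that only checks the blob is intact and one that also recomputes the hash of the file actually in hand. The key, publisher name and file contents are all constructed.

```python
"""Added illustration of the 'signature does not match the file hash' error.

This is a simulation, not Authenticode. The CA-rooted signature is stood in
for by an HMAC under a key only the signer holds (constructed), so the
cryptographic part of each blob is genuinely unforgeable; what the example
shows is that an unforgeable blob is still worthless if the verifier never
checks that the blob belongs to the file it is attached to.
"""
import hashlib
import hmac
import json

SIGNER_KEY = b"constructed-signer-private-key"  # stands in for the signer's private key


def _signed_message(publisher: str, file_hash: str) -> bytes:
    """Canonical bytes the signer commits to: publisher name + hash of the content."""
    return json.dumps({"publisher": publisher, "hash": file_hash}, sort_keys=True).encode()


def sign_file(content: bytes, publisher: str) -> dict:
    """Produce a signature blob: publisher, hash of the content at signing
    time, and a MAC over both (the stand-in for the CA-rooted signature)."""
    file_hash = hashlib.sha256(content).hexdigest()
    tag = hmac.new(SIGNER_KEY, _signed_message(publisher, file_hash), hashlib.sha256).hexdigest()
    return {"publisher": publisher, "hash": file_hash, "tag": tag}


def _blob_intact(blob: dict) -> bool:
    """Did the signer really produce this (publisher, hash) pair?
    This is the ONLY check the faulty verifier performs."""
    expected = hmac.new(SIGNER_KEY, _signed_message(blob["publisher"], blob["hash"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, blob["tag"])


def verify_faulty(content: bytes, blob: dict) -> bool:
    """Faulty verifier: accepts any intact blob, whatever file it is attached to.
    The content argument is deliberately never looked at."""
    return _blob_intact(blob)


def verify_correct(content: bytes, blob: dict) -> bool:
    """Correct verifier: the blob must be intact AND the hash it covers must
    equal the hash of the bytes we actually have."""
    if not _blob_intact(blob):
        return False
    actual = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(actual, blob["hash"])


def demo() -> dict:
    """Sign a constructed legitimate file, then attach that same blob to a
    different file and see which verifier notices."""
    legit = b"constructed legitimate installer bytes"
    other = b"constructed file that this publisher never signed"
    blob = sign_file(legit, "Example Publisher Inc.")
    return {
        "legit_faulty": verify_faulty(legit, blob),      # True, correctly
        "legit_correct": verify_correct(legit, blob),    # True, correctly
        "reused_faulty": verify_faulty(other, blob),     # True: the bug
        "reused_correct": verify_correct(other, blob),   # False: hash mismatch caught
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The same check applies to any signed artifact (packages, container images, firmware): a valid signature over the wrong digest is not a valid signature for the object in hand.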
Joe Uchill, The Hill, 10 Nov 2017 http://thehill.com/policy/cybersecurity/359806-pentagons-coordinated-disclosure-program-defangs-2800-security-flaws Nearly a year after a rule change allowed good Samaritan hackers to notify the Department of Defense (DOD) about cybersecurity glitches that needed fixing, the Pentagon has mitigated more than 2,800 security problems. The Pentagon opened its vulnerability disclosure program on November 21, 2016, inviting anyone who came across a security flaw in one of its public-facing websites to report it. The program came on the heels of last year's "Hack the Pentagon" program, which offered cash rewards for anyone who reported a valid security problem. The vulnerability disclosure program offers no such incentives. But even without incentives, the vulnerability disclosure program has netted valuable information for the Defense Department. Nearly 650 hackers from more than 50 countries have submitted security shortcomings to be repaired. The DOD operates its disclosure program using the firm HackerOne, which also ran the Hack the Pentagon program. More than 100 of the bugs reported through the program were deemed of high or critical severity, meaning they would allow changes to important data or allow attackers to execute their own commands. [...]
Scott Shane, Nicole Perlroth and David E. Sanger, *The New York Times*, 12 Nov 2017 A serial leak of the agency's cyberweapons has damaged morale, slowed intelligence operations, and resulted in hacking attacks on businesses and civilians worldwide. https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html "Have hackers and leakers made secrecy obsolete?" [Well, the NSA still needs it. So do we. PGN]
https://qz.com/1127853/uber-drivers-in-lagos-nigeria-use-fake-lockito-app-to-boost-fares/ In some cases, inflated trips can cost riders more than double the rate they should be paying. "It's more like a parasite," says Mohammed, a driver for both Uber and Taxify in Lagos. "It sets the false GPS movement while allowing the phone also to keep track of its actual movement. The Uber app can't tell the difference between both so it just calculates both." When a driver uses Lockito for an Uber trip he or she can have the fake GPS running (and calculating a fake fare) from the pickup point to the drop off location, before the passenger has even got into the car. When the real trip starts, the real GPS starts running and calculating the actual fare. But at the end of the journey the fares from both trips (real and fake) are tallied up as one fare which the unsuspecting rider pays.
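The fare inflation described above works only because the app sums every position change it receives, real or spoofed. As an added defender-side illustration (not code from Uber, Taxify or the article), the check below walks a sequence of GPS fixes and flags any segment whose implied ground speed is impossible for a car, which is what an interleaved spoofed track produces on nearly every step; the coordinates, timestamps and speed threshold are constructed.

```python
"""Added example: flagging a fare track in which a spoofed GPS feed has been
interleaved with the real one. All fixes below are constructed."""
import math

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implausible_segments(fixes, max_kmh=150.0):
    """Return the index i of every segment fixes[i-1] -> fixes[i] whose implied
    ground speed exceeds max_kmh (a constructed threshold). fixes is a list of
    (t_seconds, lat, lon). A genuine car track stays under it; a track that
    alternates between a real and a spoofed position exceeds it on every hop."""
    flagged = []
    for i in range(1, len(fixes)):
        t0, la0, lo0 = fixes[i - 1]
        t1, la1, lo1 = fixes[i]
        dt_h = (t1 - t0) / 3600.0
        dist = haversine_km(la0, lo0, la1, lo1)
        # A zero or negative time step is impossible too, and must not divide by zero.
        if dt_h <= 0 or dist / dt_h > max_kmh:
            flagged.append(i)
    return flagged


def billable_distance_km(fixes, max_kmh=150.0):
    """Sum only the segments that pass the plausibility check and report how
    many were excluded, so a trip with excluded segments can be routed to
    review instead of being charged as one inflated fare."""
    bad = set(implausible_segments(fixes, max_kmh))
    total = 0.0
    for i in range(1, len(fixes)):
        if i in bad:
            continue
        _, la0, lo0 = fixes[i - 1]
        _, la1, lo1 = fixes[i]
        total += haversine_km(la0, lo0, la1, lo1)
    return total, len(bad)


# Constructed sample: a car moving at roughly 28 km/h, Lagos-like coordinates.
REAL_TRACK = [
    (0, 6.4500, 3.4000),
    (20, 6.4510, 3.4010),
    (40, 6.4520, 3.4020),
    (60, 6.4530, 3.4030),
]

# The same real fixes with a spoofed track about 18 km away interleaved between them.
INTERLEAVED_TRACK = [
    (0, 6.4500, 3.4000),
    (10, 6.6000, 3.3500),
    (20, 6.4510, 3.4010),
    (30, 6.6010, 3.3510),
    (40, 6.4520, 3.4020),
    (50, 6.6020, 3.3520),
    (60, 6.4530, 3.4030),
]

if __name__ == "__main__":
    for name, track in (("real", REAL_TRACK), ("interleaved", INTERLEAVED_TRACK)):
        km, excluded = billable_distance_km(track)
        print(f"{name}: {km:.3f} km billable, {excluded} segment(s) flagged")
```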
Eric Newcomer, Bloomberg, 21 Nov 2017

* Company paid hackers $100,000 to delete info, keep quiet
* Chief Security Officer Joe Sullivan and another exec ousted

Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers. Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. drivers' license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said. https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
How many more of these IoT devices that use DRM technology to validate the use of proprietary refills do we have to endure? http://www.zdnet.com/article/jailbreaking-your-coffee-machine-the-idiocy-of-things/ The risk? Besides those noted in the article, extraneous complexity leading to fragility, frustration, and failure.
How simple life was three years ago when we last wrote about ATM malware. Back then, security researchers classified ATM attacks into two broad categories: ones that used skimming hardware devices attached to the outside of card readers, and ones that used various techniques to open ATMs' cabinets and cash drawers. The skimmers were crude but effective in collecting credit and debit card numbers from customers. The latter methods exploited vulnerabilities created by the ATMs' outdated operating systems (OS) and their functionality. In one case, some criminals blew up the ATMs themselves, as The Daily Mirror reported. Crude, but certainly effective. https://securityintelligence.com/how-are-atms-exploited-an-update-on-atm-malware-methods/
Trustwave SpiderLabs Security Advisory TWSL2017-017:
Remote Unauthenticated DoS in Debut embedded httpd server used by Brother printers

Published: 11/02/2017
Version: 1.0
Vendor: Brother (http://www.brother-usa.com)
Product: Debut embedded httpd
Version affected: <= 1.20

Product description: Brother printers are network connected consumer and business multi-function printers. These printers utilize the Debut embedded httpd server to host their web interfaces.

Finding 1: Remote unauthenticated denial of service
Credit: z00n (@0xz00n) of Trustwave
CVE: CVE-2017-16249

The Debut embedded http server contains a remotely exploitable denial of service where a single malformed HTTP request can cause the server to hang until eventually replying with an HTTP 500 error. While the server is hung, print jobs over the network are blocked and the web interface is inaccessible. An attacker can continuously send this malformed request to keep the device inaccessible to legitimate traffic.
https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-017/?fid=10211
After lobbying Congress to repeal consumer privacy protections over ISPs, Verizon wants the Federal Communications Commission (FCC) to do it a favor and preempt states from restoring their privacy rights. While Congress repealed the previous FCC's privacy rule, it left the underlying Section 222 intact. As a result, dozens of state bills were then introduced to restore broadband privacy, mirroring Section 222 of the Communications Act. https://www.eff.org/deeplinks/2017/11/verizon-asks-federal-communications-commission-prohibit-states-protecting-user Long item, and unless I missed it here, no argument quoted from Verizon WHY this should be done—just claiming that FCC can do it. Maybe there's implication that protecting privacy would (implausibly) impede something good... broadband rollout, kittens and rainbows, etc.
NEW YORK, Nov. 13, 2017 (GLOBE NEWSWIRE)—CAST, the leader in software intelligence, today announced the findings from its global benchmarking report on the state of software security. The CRASH Report on Application Security reveals software that is vulnerable to exploit based on an application's Common Weakness Enumeration (CWE) density. CWE is a community-developed list of common software security weaknesses that serves as a baseline for identification, mitigation and prevention efforts. https://globenewswire.com/news-release/2017/11/13/1185210/0/en/CAST-Research-on-the-State-of-Software-Security-Reveals-Riskiest-Applications.html Sigh; I always discount self-designated "...the leader..." references.
It was a lazy autumn day that fateful afternoon when my Asus Zenfone 3 beeped and told me another occasional FOTA update was ready, "Estimated time: 10 minutes." I pushed "accept." Then the reboot ... loading ... reboot ... loading cycles began. (I don't remember the exact words. It was a month ago and I only now have regained my composure to write about it.) Holding down the power button forever didn't help, and one cannot just take out the battery anymore. It was my first cellphone mid-life crisis. Normally geographically astute me got on the wrong bus but at least in the right direction, got off at this big river on the map that was easy to follow no matter what mental state, and finally made it to the Asus Royal Service Center or whatever it is called, in Taichung, TW. I agreed they could wipe everything off my phone and indeed they fixed it. Yes it was still under warranty and no I didn't "root" it. Moral of story: from now on I will only check for updates when I am nearby their service center and not expecting any important calls, etc. (I see the version it happened with, https://www.asus.com/zentalk/forum.php?mod=viewthread&tid=184831 was not recalled, meaning the problem only affected me.)
I was fooling around one day in the lab when,
$ wget https://www.couchsurfing.com/ -O - | perl -MJSON ...
Host Feature Test
[Dashboard] - Does different messaging on the side-bar verification CTA improve verification rates?
[Dashboard] - Showcase Video Content for Host Conversion
[Dashboard] - Verification Upsell Placement (new_user=true)
[Dashoard] Verification Upsell Placement
[Hangouts] - Can we improve app downloads by making "text me link" more prominent?
[Host Search] - Do people send more requests when we remove empty profiles from search?
[Landing Page] - Can we increase sign-ups when we change the header image?
[Mobile Web] - Improve "install app" CTA (Android)
[Mobile Web] - Improve "install app" CTA (IOS)
[New User Dashboard] - Showcase Video Content
[New User Experience]: Send half of new users to their local city page
[Profile] Introduction Modal Changes
[Rate Limiting] - Can we increase the conversion rate of RL upsell with clearer language?
[Rate Limiting] - Does changing our rate limiting modal increase conversion?
[Verification Confirmation Page] - Will member buys travel insurance post-purchase?
[Verification Page] - Can we increase the conversion rate by reducing content for mobile web users?
[Verification Page] - Can we increase the conversion rate of RL upsell with clearer language?
[Verification Page] - Can we increase the conversion rate with copy edits?
[Verification Page] - Do female members convert better when we change the header image?
[Verification Page] - Do male members convert better when we change the header image?
[Verification Page] - Do we reduce refunds by being more transparent about pricing?
[Verification Page] - Does different messaging of verification better resonate with members?
[Verification Page] - Does different order and content layout affect conversion rate?
[Verification Page] - Does more focus on finding hosts faster improve verification rates?
[Verification Page] - Does shorter content convert better on mobile?
I will tell staff to ask the programming team if they really want these embedded in the web page.
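The kind of check the poster's one-liner performs, written out as an added example (mine, not the poster's wget/perl pipeline): scan a page's <script> blocks for JSON literals and report the names sitting under experiment-style keys, so a team can see what internal test metadata the page hands to every visitor. The EXPERIMENT_KEYS set and the sample HTML are constructed assumptions, not the site's actual markup.

```python
import json
import re

# Keys whose contents are treated as experiment/feature-flag metadata (assumption).
EXPERIMENT_KEYS = {"experiments", "feature_tests", "ab_tests", "flags"}
# Non-greedy so each match stops at the first closing </script>.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)
# First '{' to last '}' of a script body; several top-level objects fail to parse and are skipped.
JSON_OBJ_RE = re.compile(r"\{.*\}", re.DOTALL)

def json_blobs(html):
    """Every JSON object that parses out of the page's <script> blocks."""
    blobs = []
    for body in SCRIPT_RE.findall(html):
        m = JSON_OBJ_RE.search(body)
        if not m:
            continue
        try:
            blobs.append(json.loads(m.group(0)))
        except json.JSONDecodeError:
            continue  # plain JavaScript, not a JSON literal
    return blobs

def _walk(node, in_exp, found):
    """Collect 'name' fields and bare strings found beneath an experiment key."""
    if isinstance(node, dict):
        if in_exp and isinstance(node.get("name"), str):
            found.append(node["name"])
        for key, val in node.items():
            if isinstance(val, (dict, list)):
                _walk(val, in_exp or key.lower() in EXPERIMENT_KEYS, found)
    elif isinstance(node, list):
        for val in node:
            if in_exp and isinstance(val, str):
                found.append(val)
            else:
                _walk(val, in_exp, found)

def leaked_experiment_names(html):
    # Names of internal experiments the page discloses to every visitor.
    found = []
    for blob in json_blobs(html):
        _walk(blob, False, found)
    return found

# Constructed sample page modelled on the post above, not any real site's output.
SAMPLE_HTML = """<html><head>
<script>var cfg = {"version": "1.2"};</script>
<script type="application/json" id="boot">
{"user": {"id": 42}, "experiments": [
  {"name": "[Dashboard] - Showcase Video Content for Host Conversion", "arm": "B"},
  {"name": "[Verification Page] - Does shorter content convert better on mobile?", "arm": "A"}]}
</script></head><body></body></html>"""
```

Pointing leaked_experiment_names at a saved copy of the page gives the same list the poster pulled out by hand; the first script block parses but contains no experiment key, so it is ignored.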
It's been just over a year since HP got caught using dirty tricks to force its customers to use its official, high-priced ink, and now it's Epson's turn to get in on the act. Epson claims that ink-cartridges that are compatible with its printers violate a nonspecific patent or patents in nonspecific ways, and on the strength of those vague assertions, they have convinced eBay to remove many third-party ink sellers' products, without any scrutiny by eBay. That's because Epson is part of eBay's VeRO program, through which trusted vendors can have listings removed without anyone checking to see whether they have a valid claim, contrary to eBay's normal procedure. As the company has said in another context, "eBay believes that removing listings based on allegations of infringement would be unfair to buyers and the accused sellers." https://www.eff.org/deeplinks/2017/10/epson-using-its-ebay-trusted-status-make-competing-ink-sellers-vanish
Essentially bricking the otherwise functional smart remote devices. Logitech customers are not happy, as they recently found out that the company would be discontinuing service for its popular Harmony Link remote system. The device and its cloud-based system allow users to control home theater and sound equipment from a mobile app. Customers received an e-mail explaining that Logitech will "discontinue service and support" for the Harmony Link as of March 16, 2018, adding that Harmony Link devices "will no longer function after this date." While Logitech is offering a one-time, 35-percent discount on its Harmony Hub to affected customers that are out of warranty, that's not enough for Harmony Link users who are expressing their dissatisfaction on Logitech support forums and Reddit. Users have not experienced major problems with the Harmony Link system that would indicate they are approaching end of life. Harmony Link customers do not pay a subscription or service fee to use the device, either. The only reason provided comes from a Logitech employee with the username Logi_WillWong, who explains in a response post from September 8, 2017 that Logitech will not be renewing a "technology certificate license" that expires in March. No details were provided about how this certificate license allows the Harmony Link to function, but it appears that without it, those devices will not work as promised. "The certificate will not be renewed as we are focusing resources on our current app-based remote, the Harmony Hub," Logi_WillWong added, which seems to indicate that the shutting down of the Harmony Link system is a way to get more customers on the newer Harmony Hub system. https://arstechnica.com/gadgets/2017/11/logitech-to-shut-down-service-and-support-for-harmony-link-devices-in-2018/ The risk? Maybe technology economics, since "Harmony Link customers do not pay a subscription or service fee to use the device, either."
Twitter's expansion to 280 characters is rolling out publicly today to all users in supported languages, including English. The company had first announced the controversial plan to move beyond its traditional 140 characters back in September, noting at the time how a longer character count allowed users to express more of their thoughts without running out of room to tweet. https://techcrunch.com/2017/11/07/twitter-officially-expands-its-character-count-to-280-starting-today/ The risk? People mistaking this for news?
> Although the normal odds of winning the lottery are near-zero, reducing them to actual zero is a (microscopically small) RISK. > [microscopic? Not if anyone who actually had the winning combination tried to sue the state—and won!] The way I understand the bug, it allows anyone to buy tickets that cannot have a winning combination, so this situation could never happen; they could sue for the $2 they paid for the ticket, though... [I wouldn't bet on it! PGN]
Lauren Weinstein <lauren@vortex.com> wrote:
> The fundamental problem with spam folders, of course, is that they tend to be ignored by recipients,
This is a symptom. The fundamental problem is that people assume that email is a reliable communications medium. There are simply too many, often vigilante, email systems and anti-spam techniques, to ever again believe that sending an email is equivalent to someone getting it. Often, these systems are employed by the ISPs who don't let you opt out and don't tell you that you were opted in, and don't tell you when the rules change. And even more often the senders are never notified that their email was accepted for delivery and then discarded, so they don't know it didn't get through. The failure here is on the SEC who thinks that legal notices or requests are valid when sent by email instead of registered letter.
> Taser Company Ignored SEC Emails Because They Were In a Spam Folder
I use Yahoo! e-mail with POP3/SMTP and a mail application, with no spam filter as I only receive a few messages each day, so easy to filter manually; I often go for days without receiving any 'proper' messages, and as another poster here once said, at least the spam gives confidence that the system is working OK. Early this year I suddenly stopped getting any messages at all, which worried me, so I tried the web access and found that there is now a spam folder, while 'proper' messages still get through as usual. There doesn't seem to be an option for 'download ALL messages', so I have to periodically use the web access (quite a rigmarole, especially if 2-factor authentication is requested), with the problems described above. (One reason for using a mail application is that I read incoming messages off-line, thus senders don't get an indication that they've been read, as well as reducing the chances of downloading something nasty.) Ironically, I had very few spam messages until I started posting to RISKS, which is the only place where my e-mail address is (intentionally) shown in public... :o)
> Hackers prey on home buyers, with hundreds of millions of dollars at
> stake (WashPo)
Reportedly this is becoming a problem in the UK—fraudulently getting people to pay into the wrong account, typically when houses change hands. Just before the transaction is completed, a fraudster manages to send an e-mail purportedly from the seller to the buyer or the solicitor handling the sale, notifying a (fictitious) change of the seller's bank details.
The money is sent off, then later it's not appeared in the seller's account, and on checking with the bank, it's found to have gone to the fraudster's account which has since been emptied and closed—this is known as "Friday afternoon fraud", because house sales are usually completed on a Friday, and banks' anti-fraud departments are closed over the weekend so it's well into next week before an investigation gets under way, by which time the fraudster has well and truly gone. (Obviously it can happen whenever large payments are made on a one-off basis; for instance, when building work has been done, a fraudster notifies the customer of a fake change of the builder's bank details so the bill payment is made to the fraudster.) The banks are blamed for this but respond that they're only acting on customers' instructions.