The RISKS Digest
Volume 30 Issue 56

Tuesday, 27th February 2018

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

To Stir Discord in 2016, Russians Turned Most Often to Facebook
NYT
Russian election interference
PGN
Russia hacked the Olympics and tried to make it look like North Korea did it
Vox
Are Bots a Danger for Political Election Campaigns?
PGN
The Myth of the Hacker-Proof Voting Machine
Kim Zetter
Your Bitcoin or Your Life
Nathaniel Popper
All but Banned in the U.S., Chinese Giant Huawei Is Welcomed in Britain
WSJ
Drone collisions, close calls underscore growing risks for aircraft
WashPo
BB&T Restores ATM Service, Online Banking Problem Persists
WSJ
"Lawsuits threaten infosec research just when we need it most"
Zack Whittaker
"Security firm Keeper sues news reporter over vulnerability story"
Zack Whittaker
"Microsoft is distributing security patches through insecure HTTP links"
Woody Leonhard
That terrifying 'unfixable' Microsoft Skype security flaw: THE TRUTH.
The Register
Facebook's Mandatory Anti-Malware Scan Is Invasive and Lacks Transparency
WiReD
An old tax scam—with a troubling new twist
WashPo
"Maker of sneaky Mac adware sends security researcher cease-and-desist letters"
Zack Whittaker
Tesla cloud resources are hacked to run cryptocurrency-mining malware
Ars Technica
One-stop counterfeit certificate shops for all your malware-signing
Ars Technica
US Border Patrol Hasn't Validated E-Passport Data For Years
Lily Hay Newman
Facebook Shows Why SMS Isn't Ideal for Two-Factor Authentication
Tidbits
Google Chrome Now Blocks Irksome Ads. That's a Good Thing, Right?
NYTimes
Federal Judge Says Embedding a Tweet Can Be Copyright Infringement
EFF
How a fight over Star Wars download codes could reshape copyright law
Ars Technica
How Samsung moved beyond its exploding phones
Ars Technica
"Fail-slow at scale: When the cloud stops working"
Robin Harris
Apple Repair Center Barrages Sacramento's 911 Operators
CBS
Convention registration leaks information
Medium via Arthur T
Banking Nightmare: Chase Glitch Gives Online Access to Random People
Fly&Dine
"iPhone explodes at Vietnamese hair salon, thankfully only injures Apple fans' pride"
RocketNews
Cyberstalking via unsolicited anonymous Amazon deliveries
The Boston Globe
The Car of the Future Will Sell Your Data
Bloomberg
Don't blindly follow your GPS—Sylvan Lake State Park staff offers winter route advice
Pam Boyd
Before Hitting the Road, Self-Driving Cars Should Have to Pass a Driving Test
Scientific American
Re: mystery deliveries from Amazon
Kelly Manning
Info on RISKS (comp.risks)

To Stir Discord in 2016, Russians Turned Most Often to Facebook (NYT)

Lauren Weinstein <lauren@vortex.com>
Sat, 17 Feb 2018 14:05:19 -0800
Sheera Frenkel and Katie Benner, *The New York Times*, 17 Feb 2018, via NNSquad
http://www.nytimes.com/2018/02/17/technology/indictment-russian-tech-facebook.html

  In 2014, Russians working for a shadowy firm called the Internet Research
  Agency started gathering American followers in online groups focused on
  issues like religion and immigration. Around mid-2015, the Russians began
  buying digital ads to spread their messages. A year later, they tapped
  their followers to help organize political rallies across the United
  States.  Their digital instrument of choice for all of these actions?
  Facebook and its photo-sharing site Instagram.


Russian election interference

"Peter G. Neumann" <neumann@csl.sri.com>
Sun, 18 Feb 2018 21:32:20 PST
  [Perhaps it is time to once again dust off my mixed metaphor
  from the second crypto wars:

    Pandora's Cat is Out of the Barn,
    and the Genie Won't Go Back in the Closet.    PGN]

Here are the articles from *The New York Times* in this news cycle.

 0. INDICTMENT BARES RUSSIAN NETWORK TO TWIST 2016 VOTE,
    17 Jan 2018 (front page top lead, over [1] and [2])

 1. Scott Shane and Mark Mazzetti, Mueller Chronicles a Social Media War,
    17 Jan 2018

 2. Matt Apuzzo and Sharon LaFraniere, Sees `Unwitting' Ties to Trump Forces,
    17 Jan 2018

 3. Sheera Frenkel and Katie Benner, To Create Rifts, Russians Liked
    Facebook Most, 18 Jan 2018

 4. Peter Baker, Trump Quiet In a U.S. War On Meddling, 18 Jan 2018

 5. Neil MacFarquhar, Russian Trolls Were Sloppy, but U.S. Indictment Still
    `Points to the Kremlin', 18 Jan 2018

 6. David E. Sanger, In Trump Administration, A Sharp Divide Over Election
    Interference, 18 Jan 2018

 7. Scott Shane, How Russians Exploited Web to Tangle Vote, 19 Jan 2018

Long Live the Internet, for better and for worse!


Russia hacked the Olympics and tried to make it look like North Korea did it (Vox)

Lauren Weinstein <lauren@vortex.com>
Sun, 25 Feb 2018 10:50:58 -0800
http://www.vox.com/world/2018/2/25/17050058/russia-hacked-olympics-pyeongchang-north-korea

  Russian military spies hacked hundreds of computers at the 2018 Olympic
  Games in South Korea—and tried to make it look like North Korea was the
  culprit, according to a new report.  It is likely retaliation against the
  International Olympic Committee (IOC) for banning the Russian team from
  Olympics because of a widespread doping scheme it used to cheat in
  previous competitions.  The Washington Post's Ellen Nakashima reported on
  Saturday evening that the GRU, Russia's military intelligence agency,
  accessed as many as 300 Olympics-related computers earlier this month,
  according to two US officials.  To cover their tracks, and to pin any
  suspicions on North Korea, the hackers used North Korean IP addresses,
  among other tactics.

http://www.washingtonpost.com/world/national-security/russian-spies-hacked-the-olympics-and-tried-to-make-it-look-like-north-korea-did-it-us-officials-say/2018/02/24/44b5468e-18f2-11e8-92c9-376b4fe57ff7_story.html


Are Bots a Danger for Political Election Campaigns?

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 21 Feb 2018 10:14:26 PST
Friedrich-Alexander University Erlangen-Nurnberg (Germany) (02/19/18)

Researchers at Friedrich-Alexander University (FAU) in Germany have probed
the extent to which autonomous social bots were used on Twitter during
Japan's general elections in 2014.  The team analyzed more than 540,000
tweets using a corpus linguistics strategy so large volumes of text could be
examined, and found nearly 80 percent of the investigated tweets were
duplicates traced back to a total of 3,722 original tweets.  Five
proliferation patterns were uncovered, four of which were used by right-wing
activists, and one by users who acted similarly to bots.  FAU professor
Fabian Schafer says it seems as if social bots were widely used by
right-wing users, to give indirect online backing to Shinzo Abe's
nationalistic agenda.  "As a result, Abe's position was not only supported
by the conservative organizations of a group of users with close links to
the [Liberal Democratic Party] but also by the large...group of right-wing
Internet activists," Schafer notes.


The Myth of the Hacker-Proof Voting Machine (Kim Zetter)

"Peter G. Neumann" <neumann@csl.sri.com>
Fri, 23 Feb 2018 10:22:36 PST
Kim Zetter, *The New York Times*, 21 Feb 2018

Election officials have insisted that machines can't be remotely compromised
because they're not connected to the Internet.  But security experts point
out crucial ways in which they are.

https://www.nytimes.com/2018/02/21/magazine/the-myth-of-the-hacker-proof-voting-machine.html


Your Bitcoin or Your Life (Nathaniel Popper)

"Peter G. Neumann" <neumann@csl.sri.com>
Mon, 19 Feb 2018 12:01:57 PST
Nathaniel Popper, *The New York Times*, 19 Feb 2018   [PGN-ed]
Bitcoin Thieves Threaten Real Violence for Virtual Currencies
Anonymity and soaring values have made virtual currencies an attractive
target for thieves.
http://www.nytimes.com/2018/02/18/technology/virtual-currency-extortion.html

The currency they were after was virtual, but the guns they carried were
anything but.

* In Phuket, Thailand, assailants forced a Russian man to transfer about
  $100K in Bitcoin to them.

* The head of a Ukrainian Bitcoin exchange was taken hostage and released
  only after a ransom of $1M in Bitcoin.

* A NYC man was held captive until he transferred $1.8M in Ether (Ethereum).

Other recent cases have taken place in Russia, Ukraine, Turkey, Canada,
Britain, and the U.S.

  [Bit-caveat Emptor]


All but Banned in the U.S., Chinese Giant Huawei Is Welcomed in Britain (WSJ)

Monty Solomon <monty@roscom.com>
Sun, 25 Feb 2018 00:33:09 -0500
Britain's adoption of Huawei technology is widening a gulf between the U.S.
and allies over cybersecurity.

http://www.wsj.com/articles/huaweis-u-k-relationship-raises-u-s-concerns-1519416947


Drone collisions, close calls underscore growing risks for aircraft

Richard M Stein <rmstein@ieee.org>
Tue, 20 Feb 2018 19:32:30 +0800
The Washington Post, 17 Feb 2018
http://www.washingtonpost.com/politics/spate-of-drone-collisions-close-calls-underscore-growing-risks-for-aircraft/2018/02/17/4b630714-1433-11e8-8ea1-c1d91fcec3fe_story.html


BB&T Restores ATM Service, Online Banking Problem Persists (WSJ)

Monty Solomon <monty@roscom.com>
Fri, 23 Feb 2018 22:23:36 -0500
The North Carolina-based regional bank cited equipment malfunction at a data
center for the problems.

http://www.wsj.com/articles/bb-t-customers-locked-out-of-online-banking-atms-after-technical-issue-1519403905%3Fmod%3De2fb


"Lawsuits threaten infosec research just when we need it most" (Zack Whittaker)

Gene Wirchenko <genew@telus.net>
Mon, 19 Feb 2018 09:30:55 -0800
Zack Whittaker for Zero Day,  19 Feb 2018
http://www.zdnet.com/article/chilling-effect-lawsuits-threaten-security-research-need-it-most/

Security researchers and reporters have something in common: both hold the
powerful accountable.  But doing so has painted a target on their backs --
and looming threats of legal action and lawsuits have many concerned.

opening text:

NEW YORK, NY—This year, two security reporters and one researcher will
fight for their professional lives in court.

Steve Ragan, senior staff writer at tech news site CSO, and Dan Goodin,
security editor at Ars Technica, were last year named defendants in two
separate lawsuits. The cases are different, but they have a common theme:
they are being sued by the companies covered in articles they wrote.

Although lawsuits targeting reporters, particularly on the security beat,
are rare, legal threats are an occupational hazard that reporters are all
too aware of—from companies threatening to call an editor to demand a
correction—or else—to a full-blown lawsuit.

But the inevitable aftermath is a "chilling effect." White-hat hackers and
security researchers hesitate to report vulnerabilities and weaknesses to
technology firms for fear of facing legal retribution.


"Security firm Keeper sues news reporter over vulnerability story"

Gene Wirchenko <genew@telus.net>
Mon, 19 Feb 2018 09:29:02 -0800
Zack Whittaker for Zero Day, 20 Dec 2017
http://www.zdnet.com/article/security-firm-keeper-sues-news-reporter-over-vulnerability-story/

The vulnerability was fixed, but Keeper now demands that the allegedly
defamatory article is pulled offline.

selected text:

Keeper, a password manager software maker, has filed a lawsuit against a
news reporter and its publication after a story was posted reporting a
vulnerability disclosure.

Dan Goodin, security editor at Ars Technica, was named defendant in a suit
filed Tuesday by Chicago-based Keeper Security, which accused Goodin of
"false and misleading statements" about the company's password manager.

The bug has since been fixed, according to Ormandy's follow-up note, which
triggered the release of the report. Goodin's story was amended twice, which
was noted in the story's footer.

Keeper confirmed the bug was fixed in its own blog post, which said "no
customers were adversely affected by this potential vulnerability."

Several security experts and researchers on Twitter decried the lawsuit.

"This is bullying and Goodin is [definitely] def in the top 1 percent [of]
knowledgeable journalists," said Matthieu Suiche, founder of Comae
Technologies, a Dubai-based security firm, in a tweet.


"Microsoft is distributing security patches through insecure HTTP links" (Woody Leonhard)

Gene Wirchenko <genew@telus.net>
Mon, 19 Feb 2018 08:45:26 -0800
Woody Leonhard, Computerworld, 16 Feb 2018
http://www.computerworld.com/article/3256304/microsoft-windows/microsoft-is-distributing-security-patches-through-insecure-http-links.html
Microsoft is distributing security patches through insecure HTTP links
Stefan Kanthak, reporting on the Bugtraq mailing list, shows how Microsoft's
own security patch download links are based on HTTP, not HTTPS.


That terrifying 'unfixable' Microsoft Skype security flaw: THE TRUTH. (The Register)

Monty Solomon <monty@roscom.com>
Sun, 18 Feb 2018 11:15:08 -0500
Oh yeah, we patched that in October, Windows giant yawns

http://www.theregister.co.uk/2018/02/15/microsoft_skype_fixed/


Facebook's Mandatory Anti-Malware Scan Is Invasive and Lacks Transparency (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sat, 24 Feb 2018 00:51:59 -0500
When an Oregon science fiction writer named Charity tried to log onto
Facebook on February 11, she found herself completely locked out of her
account. A message appeared saying she needed to download Facebook's malware
scanner if she wanted to get back in. Charity couldn't use Facebook until
she completed the scan, but the file the company provided was for a Windows
device—Charity uses a Mac.

http://www.wired.com/story/facebook-mandatory-malware-scan/


An old tax scam—with a troubling new twist (WashPo)

Monty Solomon <monty@roscom.com>
Sat, 24 Feb 2018 14:34:50 -0500
An old tax scam—with a troubling new twist

http://www.washingtonpost.com/news/get-there/wp/2018/02/22/an-old-tax-scam-with-a-troubling-new-twist/

A New Tax Scam, and Tips on How to Deal With It
http://www.nytimes.com/2018/02/23/your-money/income-tax-scam-tips.html

A big deposit from the IRS unexpectedly shows up in your bank account. What
should you do? First off, don't spend it. You may be a victim of identity
fraud.


"Maker of sneaky Mac adware sends security researcher cease-and-desist letters" (Zack Whittaker)

Gene Wirchenko <genew@telus.net>
Mon, 19 Feb 2018 09:23:11 -0800
Zack Whittaker for Zero Day | December 13, 2017
http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/

Maker of sneaky Mac adware sends security researcher cease-and-desist letters
"If there's code that's mining data and hiding itself on a computer without
any way of removing it, that's malware, plain and simple."

selected text:

The maker of a sneaky adware that hijacks a user's browser to serve ads is
back with a new, more advanced version—one that can gain root privileges
and spy on the user's activities.

News of the updated adware dropped Tuesday in a lengthy write-up by Amit
Serper, principal security researcher at Cybereason.

TargetingEdge sent cease-and-desist letters to try to prevent Serper from
publishing his research.


Tesla cloud resources are hacked to run cryptocurrency-mining malware (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 23 Feb 2018 20:26:21 -0500
Crooks find poorly secured access credentials, use them to install stealth
miner.

http://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/


One-stop counterfeit certificate shops for all your malware-signing needs (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 23 Feb 2018 20:26:17 -0500
Certificates registered in names of real corporations are surprisingly easy
to come by.

http://arstechnica.com/information-technology/2018/02/counterfeit-certificates-sold-online-make-digitally-signed-malware-a-snap/


US Border Patrol Hasn't Validated E-Passport Data For Years (Lily Hay Newman)

Richard Forno <rforno@infowarrior.org>
February 23, 2018 at 6:30:28 AM EST
Lily Hay Newman, WiReD, 22 Feb 2018

US Customs and Border Patrol hasn't been verifying the cryptographic
signatures on e-Passports --because they never installed the right software.

Passports, like any physical ID, can be altered and forged. That's partly
why for the last 11 years the United States has put RFID chips in the back
panel of its passports, creating so-called e-Passports. The chip stores your
passport information—like name, date of birth, passport number, your
photo, and even a biometric identifier—for quick, machine-readable border
checks.  And while e-Passports also store a cryptographic signature to
prevent tampering or forgeries, it turns out that despite having over a
decade to do so, US Customs and Border Protection hasn't deployed the
software needed to actually verify it.

This means that since as far back as 2006, a skilled hacker could alter the
data on an e-Passport chip—like the name, photo, or expiration date --
without fear that signature verification would alert a border agent to the
changes. That could theoretically be enough to slip into countries that
allow all-electronic border checks, or even to get past a border patrol
agent into the US.

"The idea of these things is that they're supposed to provide some
additional electronic security over a standard passport, which can be forged
using traditional techniques," says Matthew Green, a cryptographer at Johns
Hopkins University. "The digital signature would provide that guarantee. But
if it's not checked it doesn't."

A letter to CBP on Thursday from senators Ron Wyden of Oregon and Claire
McCaskill of Missouri highlights this crucial shortcoming. More than 100
countries now offer passports that come with a digital chip, and fewer than
half of those include the capability to verify the integrity of data using a
digital signature. But Wyden and McCaskill stress that while the US demands
that countries in the Visa Waiver program put a chip in their passports, it
has failed to fully realize its own e-Passport program.

"CBP does not have the software necessary to authenticate the information
stored on the e-Passport chips," the two Senators wrote. "Specifically, CBP
cannot verify the digital signatures stored on the e-Passport, which means
that CBP is unable to determine if the data stored on the smart chips has
been tampered with or forged."

http://www.wired.com/story/us-border-patrol-hasnt-validated-e-passport-data-for-year
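The mechanism the article describes, modelled as an added Go example (not code from WiReD, CBP or ICAO): the chip carries data groups, the Security Object holds a signed hash of each, and passive authentication checks the signature and then the hashes. Real e-Passports use CMS SignedData with RSA or ECDSA and an X.509 chain from the Document Signer up to the Country Signing CA; the Ed25519 signature, the flat hash table and the sample MRZ strings here are this example's simplifications, and `Tamper` stands for an attacker who can rewrite chip contents but does not hold the signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Passport is a simplified chip image: data groups (DG1 = MRZ text with the name, DG2 = photo)
// plus the Security Object that is supposed to make them tamper-evident.
type Passport struct {
	DataGroups map[int][]byte
	SOD        SecurityObject
}

// SecurityObject stands in for the ICAO Document Security Object: one hash per data group,
// signed by the issuing state's Document Signer (DS) key. Real chips carry CMS SignedData with
// RSA or ECDSA and an X.509 chain; Ed25519 over a flat hash table is used here instead.
type SecurityObject struct {
	Hashes    map[int][32]byte
	Signature []byte
}

var ErrBadSignature = errors.New("SOD signature does not verify under the Document Signer key")
var ErrHashMismatch = errors.New("data group content does not match its signed hash")

// NewDocumentSigner makes an issuing state's key pair; the public half belongs in the border
// system's trust store. Nothing can be verified until it is there.
func NewDocumentSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// sodDigest serialises the hash table in DG order so the signature covers every entry.
func sodDigest(hashes map[int][32]byte) []byte {
	nums := make([]int, 0, len(hashes))
	for n := range hashes {
		nums = append(nums, n)
	}
	sort.Ints(nums)
	h := sha256.New()
	for _, n := range nums {
		hv := hashes[n]
		h.Write([]byte{byte(n)}) // DG numbers are 1..16 on real chips
		h.Write(hv[:])
	}
	return h.Sum(nil)
}

// Issue personalises a chip: hash each data group and sign the table with the DS private key.
func Issue(dsPriv ed25519.PrivateKey, dgs map[int][]byte) Passport {
	hashes := make(map[int][32]byte, len(dgs))
	for n, c := range dgs {
		hashes[n] = sha256.Sum256(c)
	}
	sig := ed25519.Sign(dsPriv, sodDigest(hashes))
	return Passport{DataGroups: dgs, SOD: SecurityObject{Hashes: hashes, Signature: sig}}
}

// Tamper is the attacker without the signing key: clone the chip, rewrite one data group
// (name, photo, expiry) and leave the SOD exactly as it was.
func Tamper(p Passport, dg int, content []byte) Passport {
	dgs := make(map[int][]byte, len(p.DataGroups)+1)
	for n, c := range p.DataGroups {
		dgs[n] = c
	}
	dgs[dg] = content
	return Passport{DataGroups: dgs, SOD: p.SOD}
}

// PassiveAuthenticate is the check the article says CBP never deployed: verify the SOD
// signature under the trusted DS key, then check every data group against its signed hash.
func PassiveAuthenticate(dsPub ed25519.PublicKey, p Passport) error {
	if !ed25519.Verify(dsPub, sodDigest(p.SOD.Hashes), p.SOD.Signature) {
		return ErrBadSignature
	}
	for n, c := range p.DataGroups {
		want, ok := p.SOD.Hashes[n]
		if !ok || sha256.Sum256(c) != want {
			return fmt.Errorf("%w: DG%d", ErrHashMismatch, n)
		}
	}
	return nil
}

func main() {
	dsPub, dsPriv := NewDocumentSigner()
	// Constructed sample data groups, not taken from any real document.
	genuine := Issue(dsPriv, map[int][]byte{1: []byte("P<UTOERIKSSON<<ANNA<MARIA"), 2: []byte("<photo>")})
	forged := Tamper(genuine, 1, []byte("P<UTODOE<<JOHN"))
	fmt.Println("genuine, verified:  ", PassiveAuthenticate(dsPub, genuine))
	fmt.Println("forged, verified:   ", PassiveAuthenticate(dsPub, forged))
	// A reader that skips the SOD check accepts whatever DG1 says:
	fmt.Println("forged, unverified: ", string(forged.DataGroups[1]))
}
```

The verified path rejects a rewritten data group (hash mismatch), a data group the SOD never covered, and a chip re-signed with a key outside the trust store (bad signature); the unverified path returns the forged name without complaint, which is Green's point about a signature that is stored but never checked.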


Facebook Shows Why SMS Isn't Ideal for Two-Factor Authentication (Tidbits)

Monty Solomon <monty@roscom.com>
Mon, 19 Feb 2018 16:51:03 -0500
http://tidbits.com/article/17802


Google Chrome Now Blocks Irksome Ads. That's a Good Thing, Right? (NYTimes)

Monty Solomon <monty@roscom.com>
Sun, 18 Feb 2018 23:08:39 -0500
http://www.nytimes.com/2018/02/18/business/media/google-chrome-ad-block.html
The browser's latest update filters out pop-up ads and other annoyances. It also strengthens Google's grip on the web.


Federal Judge Says Embedding a Tweet Can Be Copyright Infringement (EFF)

Monty Solomon <monty@roscom.com>
Sun, 18 Feb 2018 18:49:03 -0500
http://www.eff.org/deeplinks/2018/02/federal-judge-says-embedding-tweet-can-be-copyright-infringement


How a fight over Star Wars download codes could reshape copyright law (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 23 Feb 2018 20:26:14 -0500
How a fight over Star Wars download codes could reshape copyright law
http://arstechnica.com/tech-policy/2018/02/judge-slaps-down-disney-effort-to-stop-resale-of-star-wars-download-codes/


How Samsung moved beyond its exploding phones (Ars Technica)

Monty Solomon <monty@roscom.com>
Sat, 24 Feb 2018 16:16:16 -0500
Just 18 months later, the company—and consumers—have shrugged it all
off
http://www.washingtonpost.com/business/how-samsung-moved-beyond-its-exploding-phones/2018/02/23/5675632c-182f-11e8-b681-2d4d462a1921_story.html


"Fail-slow at scale: When the cloud stops working" (Robin Harris)

Gene Wirchenko <genew@telus.net>
Mon, 26 Feb 2018 09:11:15 -0800
Robin Harris for Storage Bits (26 Feb 2018)
Big systems have so many interacting parts, which can interact in
so many ways.  Such interesting (and frustrating) failure modes:

http://www.zdnet.com/article/how-clouds-fail-slow/
Computer systems fail. Most failures are well-behaved: the system stops
working. But there are bad failures too, where the system works, but really
s-l-o-w-l-y. What components are most likely to fail-slow? The answers may
surprise you.

selected text:

If you've ever had a system fail-slow, you know how maddening it is.  The
lights are on, the fans are running, but nobody is home. Is it software? A
background process run amok?

The paper has some cautionary anecdotes that are amusing, if only in
retrospect.

* one operator put an office chair adjacent to a storage cluster. The
  operator liked to rock in the chair, repeatedly popping hotplug drives out
  of the chassis (a hard correlation to diagnose).

But many of the failures were more subtle:

* a vendor's buggy firmware made a batch of SSDs stop for seconds, disabling
  the flash cache layer and making the entire storage stack slow.

* a machine was deemed nonfunctional due to heavy ECC correction of many
  DRAM bit-flips.

* bad chips in SSDs reduce the size of over-provisioned space, triggering
  more frequent garbage collection.

* applications that create a massive load can cause the rack power control
  to deliver insufficient power to other machines (degrading their
  performance), but only until the power-hungry applications finish.

"A fan in a compute node stopped working, making other fans compensate the
dead fan by operating at maximal speeds, which then caused a lot of noise
and vibration that subsequently degraded the disk performance."

Naturally, finding these problems took a minimum of hours and often days,
weeks, or even months. In one case an entire team of engineers was pulled
off a project to diagnose a bug, at a cost of tens of thousands of dollars.

Root causes

Nor does the root cause necessarily rest with the slow hardware, as in the
case above where a power-hungry application on some servers caused other
servers to slow down. In another case the vendor couldn't reproduce the
user's high-altitude failure mode at their sea level facility.

For (one more) example,

In one condition, a fan firmware would not react quickly enough when
CPU-intensive jobs were running, and as a result the CPUs entered thermal
throttle (reduced speed) before the fans had the chance to cool down the
CPUs.


Apple Repair Center Barrages Sacramento's 911 Operators (CBS)

Gabe Goldberg <gabe@gabegold.com>
Sun, 25 Feb 2018 11:53:22 -0500
http://sacramento.cbslocal.com/2018/02/22/apple-elk-grove-911-accidental/

Since October of last year, devices at an Apple repair center in Elk Grove,
California have called 911 an average of 20 times a day, for a total of
about 1600 dials, according to a local CBS affiliate. Apple acknowledged the
issue in a statement, saying, "We take this seriously and we are working
closely with local law enforcement to investigate the cause and ensure this
doesn't continue." That investigation likely won't take long; the Apple
Watch automatically calls 911 if you hold the side button down for several
seconds. Tapping the side button of your iPhone five times in succession
does the same, if you're on iOS 11. Those features are obviously helpful to
people in legitimate danger. But unless Apple can wrangle its Elk Grove
process to stop the influx of false alarms, it may end up blocking actual
calls from getting through.

  [Monty Solomon noted this here:
http://www.washingtonpost.com/news/the-switch/wp/2018/02/23/an-apple-repair-center-accidentally-called-911-about-1600-times-in-four-months-and-no-one-knows-why/
  ]


Convention registration leaks information

"Arthur T." <Risks201802.10.atsjbt@xoxy.net>
Sat, 24 Feb 2018 21:35:05 -0500
Software used for registration at some science fiction and furry conventions
will let you type in anyone's name, and it will show if that person has ever
attended that convention, and if they're registered for the upcoming one.
The software vendor considers this to be a feature, not a bug.

Some quotes from the article:

  "Even worse, your fursona name is also displayed."
  "The reality is that many people are afraid to come out as a fur, for their
   own reasons."
  "This is a leak of customer data, and should be treated like any other."

<http://medium.com/%40_sky_/furry-website-leaks-real-identities-7e25c71bd762>


Banking Nightmare: Chase Glitch Gives Online Access to Random People (Fly&Dine)

Gabe Goldberg <gabe@gabegold.com>
Sat, 24 Feb 2018 00:59:01 -0500
http://flyanddine.boardingarea.com/chase-glitch-random-access/
http://krebsonsecurity.com/2018/02/chase-glitch-exposed-customer-accounts/


"iPhone explodes at Vietnamese hair salon, thankfully only injures Apple fans' pride" (RocketNews)

Gene Wirchenko <genew@telus.net>
Tue, 20 Feb 2018 12:19:49 -0800
http://en.rocketnews24.com/2018/02/21/iphone-explodes-at-vietnamese-hair-salon-thankfully-only-injures-apple-fans-pride%25E3%2580%2590video%25E3%2580%2591/

iPhone explodes at Vietnamese hair salon, thankfully only injures Apple
fans' pride

The explosion is off-screen, but flames are not.


Cyberstalking via unsolicited anonymous Amazon deliveries (The Boston Globe)

David Tarabar <dtarabar@acm.org>
Tue, 20 Feb 2018 17:46:31 -0500
Several women have received multiple unsolicited Amazon packages containing
sex toys and lingerie. The sending account is anonymous and pays for the
items with gift cards.

http://www.bostonglobe.com/business/2018/02/19/these-surprise-packages-from-amazon-spark-something-more-than-frustration-fear/6X4X2rWJw3SawwCGe4n2rJ/story.html


The Car of the Future Will Sell Your Data (Bloomberg)

Gabe Goldberg <gabe@gabegold.com>
Wed, 21 Feb 2018 00:46:29
Your driving behavior, location, has monetary value, not unlike your search
activity.

Of course, not all drivers may understand what privacy rights they're
signing away. A Government Accountability Office report published in July
found none of the 13 carmakers in the study that collected data from
connected vehicles had easy-to-read privacy notices and most don't explain
data sharing and use practices. ...

The kinds of car-data tools in play today are much smaller scale.  General
Motors Co., which pioneered the connected car with its OnStar concierge
service, sent a software update to millions of vehicles in December,
introducing an e-commerce system that lets drivers order coffee or make
restaurant reservations while driving—to the chagrin of some safety
advocates. Longer term, GM may look to monetize traffic and parking data
it'll collect as its self-driving cars get on the road next year.

http://www.bloomberg.com/news/articles/2018-02-20/the-car-of-the-future-will-sell-your-data

  [Monty Solomon noted this one:
Connected cars are going to monetize data, but most drivers don't know that.
http://arstechnica.com/cars/2018/02/no-one-has-a-clue-whats-happening-with-their-connected-cars-data/
  ]


Don't blindly follow your GPS—Sylvan Lake State Park staff offers winter route advice (Pam Boyd)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Tue, 20 Feb 2018 10:20:10 -0700
Pam Boyd, *Vail Daily*, February 17, 2018

   EAGLE—Just because a GPS system recommends it, doesn't mean it's the
   right way to travel.  The staff at Sylvan Lake State Park near Eagle
   highlighted this fact with a recent case in point.

   When motorists along Interstate 70 initiate a search for the shortest
   route to Ruedi Reservoir, their GPS may advise Crooked Creek Pass. During
   warm weather months, it's a viable alternative. In the winter, not so
   much.

   "GPS will tell people to come up this way, and that's fine in the
   summertime, but in the winter, the Forest Service doesn't plow the road
   above the lake," said Sylvan Lake State Park Supervisor Michael
   Wall. "It's very clear the road isn't open when they get here, it just
   isn't clear on GPS."


Before Hitting the Road, Self-Driving Cars Should Have to Pass a Driving Test (Scientific American)

Richard M Stein <rmstein@ieee.org>
Sat, 24 Feb 2018 19:11:40 +0800
http://www.scientificamerican.com/article/before-hitting-the-road-self-driving-cars-should-have-to-pass-a-driving-test/

So a fresh-off-the-assembly line autonomous vehicle (AV) goes to the
motor vehicle department, and queues for a road qualification test with
a crash-test dummy...

This qualification test, preferably a simulation environment applied to
the AVs operational control program (OFP), must incorporate non-
deterministic stimulus conditions: Bowling balls tossed onto the road,
a couch or refrigerator flying off the bed of a pick-up truck that's 8
car lengths ahead while traveling at 100 km/h, various weather
conditions (snow, ice, rain, wind, blinding sun, sundown, sunrise,
etc.), an overturned truck load of cabbages, traffic signs plastered
with "Kilroy was Here" or "Eat at Joe's," wayward intersection traffic
controls, sudden lane closures, and dogs and cats or children on
bicycles or skateboards carelessly sprinting in front of the vehicle
via blind spots. Add sensor error, failure, or s/w stack anomalies like
a "Bluetooth hijack" attack to spice things up a bit.

Can an AV's OFP successfully navigate these conditions? Success means
reduced accident statistics compared to historical NHTSA findings. The NHTSA
published these accident statistics
(http://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/812451) for
2014-2016. If all vehicles on the road are AVs, then the statistics would
look different per vehicle mile traveled (VMT). Perhaps a probably
approximately correct "trolley problem" self-trained, memristor-enabled,
quantum neural network solution can.

California's government specified safety requirements that AVs must satisfy
for deployment. You can find them here:
https://www.dmv.ca.gov/portal/wcm/connect/211897ae-c58a-4f28-a2b7-03cbe213e51d/avexpressterms_93016.pdf?MOD=AJPERES
The government charges $3600 to register an AV for a trial permit. This
document stipulates a "soup to nuts" specification for AV capability
achievement:

  Section 227.58. Application for a Permit for Post-Testing Deployment of
  Autonomous Vehicles on Public Roads, Part (b) states:

  "(1)Certification that the vehicle complies with the Vehicle Performance
  Guidance for Automated Vehicles in the National Highway Traffic Safety
  Administration's Federal Automated Vehicles Policy.

  "(2) Certification that the autonomous vehicle's autonomous technology is
  designed to detect and respond to roadway situations in compliance with
  all provisions of the California Vehicle Code and local regulation
  applicable to the operation of motor vehicles."

  Section 277.44 Reporting Accidents states:

  "A manufacturer whose autonomous vehicle while operating under a
  Manufacturer's Testing Permit is in any manner involved in an accident
  originating from the operation of the autonomous vehicle on a public road
  that resulted in the damage of property or in bodily injury or death shall
  report the accident to the department, within 10 days after the accident,
  on Report of Traffic Accident Involving an Autonomous Vehicle, form OL 316
  (NEW 9/2013)(REV 9/2016) which is hereby incorporated by reference."

California's regulations are scoped to vehicle capability. There are no
apparent "public benefit" metrics or key performance indicators contained in
the regulations, such as to show a reduction in VMT accident or incident
rates.  I did not inspect the federal regulations, but suspect that they do
not specify "public benefit" metrics either.

It is the transition to an all "Minority Report" transportation system --
complete AV supremacy—that portends regrettable "lessons learned"
measured in fatalities and accident histories. The State of California
proactively anticipates these incidents. AV manufacturers have bought a
green light to commit accidents, without a demand to "meet or reduce"
historical accident measures. The government apparently figures that
interfering with commercial enterprise and technological progress, despite
the public risk, is an acceptable quotidian practice.  Governments enable
loss-of-life experimentation to benefit preferred constituents. An
incontrovertible, and tragic oxymoron.

Apparently, the wealth to reap from accelerated human-operated vehicle
retirement tempts many to experiment. Politicians are eager to spill a
little blood for campaign contributions in the name of progress.
Pedestrians and motorists have no participatory opt-out/opt-in, except
through vocal protest and the ballot box.

Seems that technology has become like war: As Homer's Odyssey says, "War is
young men dying and old men talking."


Re: mystery deliveries from Amazon

Kelly Manning <k.manning@ieee.org>
Tue, 20 Feb 2018 07:43:40 -0800
The University of Victoria Student Union is also receiving a wide variety
of Amazon purchases that were not ordered.

While some of this may involve harassment the vast majority is probably
related to the issue of Fake Reviews / "brushing".

Fake Reviewers have to actually order the product, but don't want to be
traceable, so they direct the delivery to a street address for some other
person or entity.

Can't Amazon correlate the nuisance delivery addresses with Amazon Reviews,
and reject the reviews associated with those purchases, and flag future
purchases made with charge cards that can't be associated with an
established account? Amazon is able to determine that the purchases were
typically made with "Gift" VISA cards.

http://news.ycombinator.com/item%3Fid%3D15940318

http://www.brianbien.com/amazons-fake-review-problem/
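The correlation Kelly Manning proposes, sketched as an added Go example (not code from the post, from Amazon, or from any retailer): join delivery-complaint reports to the orders that shipped to those addresses, reject the reviews those orders "verify", and hold future orders that are paid with a prepaid card by an account with no established history or that ship to an address already reporting unsolicited parcels. The record shapes, the `Established` flag and the sample orders are this example's assumptions.

```go
package main

import "fmt"

// Order, Review and Report are the three records the correlation joins. Field names are this
// example's own, not any retailer's schema.
type Order struct {
	ID, Account, Product, ShipTo string
	PrepaidCard                  bool // paid with a gift or prepaid card rather than a card on file
}

// Review carries the "verified purchase" link back to the order that qualifies it.
type Review struct {
	ID, Account, Product, OrderID string
}

// Report is a recipient telling the retailer that a parcel arrived that nobody there ordered.
type Report struct{ Address string }

// Account is what the retailer already knows about a buyer.
type Account struct {
	ID          string
	Established bool // e.g. a history of orders paid with a card on file to the buyer's own address
}

// SuspectReviews returns the IDs of reviews whose verified-purchase order shipped to an address
// that reported unsolicited deliveries: the purchase happened, but the reviewer never received it.
func SuspectReviews(orders []Order, reviews []Review, reports []Report) []string {
	reported := make(map[string]bool, len(reports))
	for _, r := range reports {
		reported[r.Address] = true
	}
	nuisance := make(map[string]bool)
	for _, o := range orders {
		if reported[o.ShipTo] {
			nuisance[o.ID] = true
		}
	}
	var ids []string
	for _, rv := range reviews {
		if nuisance[rv.OrderID] {
			ids = append(ids, rv.ID)
		}
	}
	return ids
}

// ShouldHold flags a new order when it ships to an address that has reported unsolicited
// deliveries, or is paid with a prepaid card by an account with no established history.
// An unknown account is treated as not established. The reason string is for the analyst;
// a production system would score rather than hard-block.
func ShouldHold(accounts map[string]Account, reports []Report, o Order) (bool, string) {
	for _, r := range reports {
		if r.Address == o.ShipTo {
			return true, "ship-to address has reported unsolicited deliveries"
		}
	}
	if o.PrepaidCard && !accounts[o.Account].Established {
		return true, "prepaid card from an account with no established history"
	}
	return false, ""
}

func main() {
	// Constructed sample records, not real customer data.
	orders := []Order{
		{ID: "o1", Account: "acct-brusher", Product: "usb-hub", ShipTo: "student union, victoria", PrepaidCard: true},
		{ID: "o2", Account: "acct-regular", Product: "usb-hub", ShipTo: "12 elm st", PrepaidCard: false},
	}
	reviews := []Review{
		{ID: "r1", Account: "acct-brusher", Product: "usb-hub", OrderID: "o1"},
		{ID: "r2", Account: "acct-regular", Product: "usb-hub", OrderID: "o2"},
	}
	reports := []Report{{Address: "student union, victoria"}}
	accounts := map[string]Account{"acct-regular": {ID: "acct-regular", Established: true}}

	fmt.Println("reviews to reject:", SuspectReviews(orders, reviews, reports))
	next := Order{ID: "o3", Account: "acct-brusher", Product: "phone-case", ShipTo: "77 pine ave", PrepaidCard: true}
	fmt.Println(ShouldHold(accounts, reports, next))
}
```

The join is deliberately on the order, not on the reviewer's account or payment card: a brusher rotates accounts and gift cards, but every fake review still has to point at a real order, and that order has a shipping address.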
