James Urton, UW News 20 Feb 2018, via ACM TechNews, Wednesday, February 28, 2018 Researchers at the University of Washington (UW) have developed a way to safely charge a smartphone wirelessly across a room using a narrow, near-infrared beam from a laser emitter. The engineers mounted a thin power cell to the back of the smartphone, and custom-designed safety features that included a metal heat sink to dissipate excess heat and a reflector-based mechanism to deactivate the laser in case someone attempts to move in the beam's path. "These features give our wireless charging system the robust safety standards needed to apply it to a variety of commercial and home settings," says UW professor Arka Majumdar. The smartphone emits high-frequency acoustic "chirps" so the emitter can detect when a user has set the phone on the charging surface. The team also notes the emitter can be tweaked to expand the charging beam's radius to up to 100 square centimeters from a distance of 12 meters. http://www.washington.edu/news/2018/02/20/using-a-laser-to-wirelessly-charge-a-smartphone-safely-across-a-room/ [This innovation might have some fascinating implications on security, reliability, and more. PGN]
Emmie Martin, CNBC, 27 Feb 2018 http://www.cnbc.com/2018/02/27/bill-gates-calls-cryptocurrency-super-risky-in-reddit-ama.html Bill Gates is not a fan of cryptocurrency. During a recent "Ask Me Anything" session on Reddit, the Microsoft co-founder said that the main feature of cryptocurrencies is the anonymity they provide to buyers, and Gates thinks that can actually be harmful. "The government's ability to find money laundering and tax evasion and terrorist funding is a good thing," he wrote. "Right now, cryptocurrencies are used for buying fentanyl and other drugs, so it is a rare technology that has caused deaths in a fairly direct way." When a Reddit user pointed out that plain cash can also be used for illicit activities, Gates said that crypto stands out because it can be easier to use. "Yes—anonymous cash is used for these kinds of things, but you have to be physically present to transfer it, which makes things like kidnapping payments more difficult," he wrote.
http://www.telegraph.co.uk/news/2018/02/27/wine-lovers-cannot-buy-burgundy-tipple-google-internet-giant Wine lovers can no longer purchase their favourite Burgundy tipple using Google's Shopping service after the Internet giant cracked down on search queries featuring the term 'gun'. Online shoppers have complained about being unable to browse dozens of products such as Burgundy wine, water guns and music by American rock band Guns N' Roses (note the substring "gun" in each). [Gabe Goldberg commented on the same article in Business Insider: "The risk? Computers doing what they're told." PGN]
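The failure here is a blocklist applied as a raw substring match, so "Burgundy" trips a rule meant for "gun". The following is an added illustration, not Google's code and not from the article: a naive substring filter next to a whole-word filter, run over constructed queries. The term list and query strings are assumptions for the demonstration.

```python
import re

# Constructed blocklist for the demonstration; the real Shopping rule set is not public.
BLOCKED_TERMS = ["gun"]


def naive_blocked(query: str) -> bool:
    """Substring match: the behaviour the article describes.

    Any query whose lower-cased text *contains* a blocked term is rejected,
    so "Burgundy", "begun" and "Guns N' Roses" all match "gun".
    """
    q = query.lower()
    return any(term in q for term in BLOCKED_TERMS)


def token_blocked(query: str) -> bool:
    """Whole-word match: reject only when a blocked term is a standalone token.

    Tokenising first means "Burgundy" no longer matches; it also means
    plurals ("guns") are NOT matched unless the policy lists them
    explicitly, which is a deliberate policy choice rather than an accident.
    """
    tokens = re.findall(r"[a-z0-9']+", query.lower())
    return any(term in tokens for term in BLOCKED_TERMS)


# Constructed sample queries, including the three products from the article.
SAMPLE_QUERIES = [
    "Burgundy wine",
    "water guns",
    "Guns N' Roses",
    "buy a gun",
    "begun",
]


def compare(queries=SAMPLE_QUERIES) -> dict:
    """Return {query: (naive_result, token_result)} for a side-by-side view."""
    return {q: (naive_blocked(q), token_blocked(q)) for q in queries}


if __name__ == "__main__":
    for q, (naive, token) in compare().items():
        print(f"{q!r:20} substring={naive!s:5} whole-word={token}")
```

The whole-word version fixes the false positives from the article, but notice that it also stops matching "water guns"; whether plurals, stems or transliterations should count is a decision the rule author has to make and test, not something a string operation decides for them.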
[Bonus risk included! (The headline states that the bug was in the protocol, but it is actually in the implementation.)] Zack Whittaker for Zero Day, 27 Feb 2018 http://www.zdnet.com/article/saml-protocol-bug-puts-single-sign-on-accounts-at-risk/ A validation bug in how some single sign-on products implemented an open authentication standard could have allowed an attacker to log in to a site or service as though they were the victim they were targeting. But this new vulnerability lets an attacker take the authenticated response to a login request and switch a portion with an attacker's information instead. That means an attacker can log in as though they were the victim they were targeting. The exploit works by modifying the response once a username and password have been verified. It then sends a message back to the user's browser to log them in. If an attacker modifies the response, the validating signature is also meant to change—but if the signatures aren't properly checked, the system is none the wiser. Duo researchers said the results of the attack "varies greatly" between services at risk by the bug.
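The article's point is that the identity provider's signature over the assertion is the only thing stopping a relying party from believing a modified NameID. The following is an added, simplified model and not code from Duo, ZDNet or any affected product: a toy SAML-shaped response signed by the IdP, a relying party that reads the NameID without checking the signature, one that checks it first, and an attacker who swaps the NameID in transit. An HMAC over the serialised Assertion element stands in for XMLDSig and C14N, and all element names, keys and addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed shared secret standing in for the IdP's signing key.
IDP_KEY = b"idp-signing-key-for-demo-only"


def canonical(assertion: ET.Element) -> bytes:
    """Stand-in for XML canonicalisation: the exact bytes the signature covers."""
    return ET.tostring(assertion, encoding="utf-8")


def sign_response(name_id: str) -> str:
    """IdP side: build a minimal Response with a signed Assertion."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion")
    ET.SubElement(assertion, "NameID").text = name_id
    sig = hmac.new(IDP_KEY, canonical(assertion), hashlib.sha256).hexdigest()
    ET.SubElement(root, "Signature").text = sig  # stand-in for ds:Signature
    return ET.tostring(root, encoding="unicode")


def tamper(response_xml: str, new_name_id: str) -> str:
    """Attacker in the middle: swap the NameID, leave the signature untouched."""
    root = ET.fromstring(response_xml)
    root.find("Assertion/NameID").text = new_name_id
    return ET.tostring(root, encoding="unicode")


def login_unchecked(response_xml: str) -> str:
    """Vulnerable relying party: trusts NameID without validating the signature."""
    root = ET.fromstring(response_xml)
    return root.find("Assertion/NameID").text


def login_checked(response_xml: str):
    """Correct relying party: verify the signature over the Assertion before
    reading any field from it. Returns the NameID, or None on rejection."""
    root = ET.fromstring(response_xml)
    assertion = root.find("Assertion")
    sig_elem = root.find("Signature")
    if assertion is None or sig_elem is None or not sig_elem.text:
        return None
    expected = hmac.new(IDP_KEY, canonical(assertion), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig_elem.text, expected):
        return None
    return assertion.find("NameID").text


if __name__ == "__main__":
    genuine = sign_response("alice@example.com")
    forged = tamper(genuine, "admin@example.com")
    print("unchecked RP logs in:", login_unchecked(forged))   # admin@example.com
    print("checked RP logs in:  ", login_checked(forged))     # None
```

The order matters: the checked version verifies the signature over the bytes it is about to trust, and only then extracts the NameID. Real deployments add the checks this toy omits (certificate chain to the IdP, audience, issuer, validity window, and that the signed subtree is the one the NameID was read from), and the Duo finding concerns exactly the gap between "a signature is present" and "the signature covers the value I am using".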
NNSquad http://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/ A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates.
https://www.csoonline.com/article/3259445/security/new-orleans-alleged-to-have-secretly-used-palantir-predictive-policing.html The New Orleans Police Department is accused of secretly using Palantir's predictive policing technology to predict who would cause a crime or be a victim of it. "Ms. Smith", *CSO*, 28 Feb 2018 The city of New Orleans and Palantir Technologies are accused of using the city to secretly test Palantir's predictive policing technology since 2012. Even the City Council allegedly was in the dark about the program that was used to predict who was most likely to commit a crime or be a victim of it. The Verge published a disturbing report about how the Palantir system managed to fly under the radar for years. It alleges "Palantir established it as a philanthropic relationship with the city through Mayor Mitch Landrieu's signature NOLA For Life program. Thanks to its philanthropic status, as well as New Orleans' 'strong mayor' model of government, the agreement never passed through a public procurement process." But it wasn't just in 2012; the partnership was reportedly extended three times and was set to expire on Feb. 21, 2018. Neither New Orleans nor Palantir would comment as to the program's current status.
The most private room in the house may not be so private anymore. At CES 2018, Kohler announced a line of connected kitchen and bath products called Kohler Konnect, all of which work with Alexa, Google Assistant, and Apple HomeKit for Siri. The star of the lineup is Kohler's Verdera Voice Lighted Mirror, which has microphones, speakers, and Amazon Alexa built in so it can answer questions ("What's the weather today?"), adjust its lights by voice ("Turn on shaving mode"), and control other compatible devices around the house, including Kohler's other connected products—no separate smart speaker required. Kohler is just one of many manufacturers showing off products with Alexa or Google Assistant baked right in. Other brands include iDevices, First Alert, and GE Lighting. http://www.consumerreports.org/smart-home/voice-assistants-coming-to-every-room-of-home-ces-2018/ Didn't Orwell's 1984 predict that mirror?
http://www.troyhunt.com/i-wanna-go-fast-why-searching-through-500m-pwned-passwords-is-so-quick/
The "Krebs on Security" blog (KrebsOnSecurity.com) has a running series on ATM skimmers, and some of them are quite dastardly (the skimmers I mean, not the series). Well, I saw a suspicious device on an ATM that I was about to use; it was a box just above the card slot, clearly labeled "scanner", and what looked like a window under it. It turned out to be a sensor for the smart-card chip (common in the world outside of the USA); I didn't try it, but all the same: If it's sniffing my card, how do I know it's legitimate, and: What better way to train the sheeple to get accustomed to funny attachments on ATMs?
G. C. Allen and T. Chan, Artificial intelligence and national security http://thebulletin.org/artificial-intelligence-and-national-security11521 [Suggested by F. Lenci, whom I thank for the notice.] I've browsed the Executive Summary and Recommendations of this report: G. C. Allen and T. Chan, Artificial intelligence and national security. I haven't read the full report yet, but it seems to me that, once again, the issue of AI (and ICT) dependability as a general but fundamental feature of the specific technology at hand is not addressed, while the advances in machine learning and AI seem to be taken for granted as representing a turning point in the use of automation in warfare. In addition, as far as I could see, there are no references to the ethical dimension of the introduction of (lethal) autonomous weapons or AI tech in the battlefield. Shouldn't computer scientists [and systems engineers], and in particular those expert in computer ethics, dependability, trustworthiness, correctness, etc. be more effective and active in this discussion? [DL] Dott. Diego Latella, CNR-ISTI, Via Moruzzi 1, 56124 Pisa, Italy (http://www.isti.cnr.it) [The quest for a war-free world has a basic purpose: survival. But if in the process we learn how to achieve it by love rather than by fear, by kindness rather than compulsion; if in the process we learn how to combine the essential with the enjoyable, the expedient with the benevolent, the practical with the beautiful, this will be an extra incentive to embark on this great task. Above all, remember your humanity. Sir Joseph Rotblat]
WiReD via NNSquad http://www.wired.com/story/chrome-yubikey-phishing-webusb/ There's no better way to protect yourself from the universal scourge of phishing attacks than with a hardware token like a Yubikey, which stymies attackers even if you accidentally hand them your username and password. But while Yubikey manufacturer Yubico describes its product as "unphishable," a pair of researchers has proven the company wrong, with a technique that allows clever phishers to sidestep even Yubico's last bastion of login protection. It's important to note that this exploit category does NOT represent a flaw in U2F itself, but essentially a side-channel vulnerability created by an unrelated subsystem. This specific problem in Chrome will be straightforward to fix, but does highlight the complexity of these security environments. As the saying goes: Security is hard! [Caveat from Drew Dean channeling Kenn White on Twitter: This is apparently true only for the YubiKey Neo, which uses the CCID protocol over USB, not for the classic Blue, Nano, or 4 series. PGN]
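Why a U2F key is "unphishable" in the ordinary browser flow, as an added illustration that is not code from Yubico, Chrome or the researchers: the browser, not the web page, writes the page's origin into the client data that the key signs, so a phishing site at another origin ends up with a signature the real relying party rejects. The layout of the signed bytes (application parameter, user-presence byte, counter, challenge parameter) follows the U2F authentication format; an HMAC stands in for the key's ECDSA signature, and the origins, challenge and key bytes are constructed for the demonstration. The WebUSB path the article describes is outside this model: it matters precisely because it lets a page bypass the browser step that this code relies on.

```python
import hashlib
import hmac
import json
import struct

# Constructed device secret standing in for the key's per-site ECDSA private key.
DEVICE_KEY = b"u2f-device-key-for-demo-only"


def client_data(challenge: str, origin: str) -> bytes:
    """What the browser builds before talking to the key. The origin field is
    filled in by the browser from the calling page, not by the page itself."""
    return json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()


def signed_bytes(app_id: str, user_presence: int, counter: int, client_data_bytes: bytes) -> bytes:
    """U2F authentication signature input:
    SHA-256(appId) || user presence || counter (4 bytes BE) || SHA-256(clientData)."""
    app_param = hashlib.sha256(app_id.encode()).digest()
    chal_param = hashlib.sha256(client_data_bytes).digest()
    return app_param + bytes([user_presence]) + struct.pack(">I", counter) + chal_param


def key_sign(app_id: str, client_data_bytes: bytes, counter: int) -> bytes:
    """Key side: returns user presence || counter || signature. The key signs
    whatever hashes it is handed; it has no independent view of the origin."""
    user_presence = 1
    sig = hmac.new(DEVICE_KEY, signed_bytes(app_id, user_presence, counter, client_data_bytes),
                   hashlib.sha256).digest()  # stand-in for ECDSA P-256
    return bytes([user_presence]) + struct.pack(">I", counter) + sig


def rp_verify(expected_app_id: str, expected_origin: str, challenge: str,
              client_data_bytes: bytes, auth_response: bytes, last_counter: int) -> bool:
    """Relying-party side: check origin and challenge in the client data, the
    counter, and finally that the signature covers exactly those values."""
    try:
        data = json.loads(client_data_bytes)
    except ValueError:
        return False
    if data.get("typ") != "navigator.id.getAssertion":
        return False
    if data.get("origin") != expected_origin or data.get("challenge") != challenge:
        return False
    if len(auth_response) < 5 + 32:
        return False
    user_presence = auth_response[0]
    counter = struct.unpack(">I", auth_response[1:5])[0]
    if user_presence != 1 or counter <= last_counter:
        return False
    expected_sig = hmac.new(
        DEVICE_KEY, signed_bytes(expected_app_id, user_presence, counter, client_data_bytes),
        hashlib.sha256).digest()
    return hmac.compare_digest(auth_response[5:], expected_sig)


if __name__ == "__main__":
    rp, phisher, challenge = "https://bank.example", "https://evil.example", "c0ffee"
    # Legitimate login: browser at the bank's origin, key signs, bank accepts.
    cd = client_data(challenge, rp)
    print("genuine:", rp_verify(rp, rp, challenge, cd, key_sign(rp, cd, 1), 0))
    # Classic phishing: the browser stamps the phisher's origin into the client data.
    cd_ph = client_data(challenge, phisher)
    resp_ph = key_sign(rp, cd_ph, 2)
    print("relayed as-is:", rp_verify(rp, rp, challenge, cd_ph, resp_ph, 0))
    # The phisher cannot fix the origin afterwards: the signature covers the original hash.
    print("origin patched:", rp_verify(rp, rp, challenge, cd, resp_ph, 0))
```

Both phishing attempts fail for different reasons: the relayed client data carries the wrong origin, and substituting client data with the right origin breaks the challenge parameter the key actually signed. Everything hinges on the browser being the only thing that can construct client data for a given key exchange, which is the assumption the page says Chrome's WebUSB support undermined for some key models.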
''This is an extraordinarily powerful tool if all you want to do is simply discredit democracy,'' [Douglas W.] Jones says. ''All you have to do is create the appearance of something having happened, even if it hasn't happened.'' If the risk is that of discrediting democracy, our electoral system in and of itself serves that function already. As far as I can tell, that's what US elections are designed to do: create the appearance of something having happened, such as systemic or institutional change, even when nothing has happened and the same big corporations are still financing both parties to continue the same political agenda as before.
That is really pitiful. Passport data use a standard PKI and they are signed with the same kind of certificates that web sites use. You can get passport reading apps for phones that will show you what's on your passport's chip. US passports are signed with a CA from the US State Department. They don't even have to collect the certs, since the ICAO keeps the database for the benefit of airlines that want to verify passengers' passports.
In article <34.CMM.0.90.4.1519781441.risko@chiron.csl.sri.com3813> you write: >While some of this may involve harassment the vast majority is probably >related to the issue of Fake Reviews / "brushing". Apparently not. One of the articles mentioned that theory and Amazon said that there aren't many reviews for unordered stuff. "Our review detection systems are trained to catch this type of behavior and we will continue our ongoing efforts to detect and prevent abuse. Our investigations thus far indicate that there have been few reviews written on these shipments. We have removed these and will continue to remove any we do find immediately. We will hold offenders that have violated our policies accountable," said a spokesperson for Amazon in a statement to ABC News.