http://www.straitstimes.com/singapore/transport/root-cause-behind-downtown-line-glitch-still-unknown "Slower journeys for commuters throughout the day as work to restore system continued." Singapore's Downtown Line (DTL) incident, apparently of non-deterministic origin, crippled train service used by ~470K passengers for weekday transit. These incidents accrue into a significant productivity impact. Technologically-enabled transportation imbues commuters with elevated risk. http://www.straitstimes.com/singapore/transport/ridership-on-downtown-line-increased-by-more-than-50-per-cent-following-dtl3 Triage skills are essential to root cause incidents arising in production. Piecing together a system's state transition event history, and the input/output conditions compelling those transitions, requires comprehensive, interdisciplinary skills and effective tools. A simulation that integrates non-deterministic stimulus can proactively identify anomalous events, and their origin, before production release. These anomalies can be prioritized for repair. Unknown whether or not SBS Transit, the DTL operator, applies a simulation for signaling system qualification purposes.
Earth got a warning shot on January 25, 2016. On that day, Air Force engineers were scheduled to kill off a GPS satellite named SVN-23, the oldest in the navigation constellation. SVN-23 should have just gone to rest in peace. But when engineers took it offline, its disappearance triggered, according to the National Institute of Standards and Technology, a software bug that left the timing of some of the remaining GPS satellites—15 of them—off by 13.7 microseconds. That's not a lot to you. If your watch is off by 13.7 microseconds, you'll make it to your important meeting just fine. But it wasn't so nice for the first-responders in Arizona, Pennsylvania, Connecticut, and Louisiana, whose GPS devices wouldn't lock with satellites. Nor for the FAA ground transceivers that got fault reports. Nor the Spanish digital TV networks that had receiver issues. Nor the BBC digital radio listeners, whose British broadcast got disrupted. It caused about 12 hours of problems—none too huge, all annoying. But it was a solid case study for what can happen when GPS messes up. The 24 satellites that keep GPS services running in the US aren't especially secure; they're vulnerable to screw-ups, or attacks of the cyber or corporeal kind. And as more countries get closer to having their own fully functional GPS networks, the threat to our own increases. Plus, GPS satellites don't just enable location and navigation services: They also give ultra-accurate timing measurements to utility grid operators, stock exchanges, data centers, and cell networks. To mess them up is to mess those up. So private companies and the military are coming to terms with the consequences of a malfunction—and they're working on backups. [...] http://www.wired.com/story/spoof-jam-destroy-why-we-need-a-backup-for-gps
Chalk one up for the humans. Hedge funds that use artificial intelligence and machine learning in their trading process posted the worst month on record in February, according to a Eurekahedge index that's tracked the industry from 2011. The first equity correction in two years upended their strategies as once-reliable cross-asset correlations shifted. http://www.bloomberg.com/news/articles/2018-03-05/easy-allocation-models-doomed-as-diversification-breaks-down While computerized programs are feared for their potential to render human traders obsolete, the AI quants lagged behind their discretionary counterparts. The AI index fell 7.3 percent last month, compared to a 2.4 percent decline for the broader Hedge Fund Research index. http://www.bloomberg.com/news/articles/2018-03-12/robot-takeover-stalls-in-worst-slump-for-ai-funds-on-record Risks—indeed.
According to the World Health Organization, more than 1.25-million people around the world die from road accidents each year. Consequently, the United Nations has set a target of halving this number by 2020. A new technology being readied for its debut could be a step forward in achieving that ambitious goal: greatly improved automotive video cameras meant to replace mirrors on vehicles. In its annual R&D Open House on 14 February, Mitsubishi Electric described the development of what it believes is the industry's highest-performance rendition of mirrorless car technology. According to the company, today's conventional camera-based systems featuring motion detection technology can detect objects up to about 30 meters away and identify them with a low accuracy of 14 percent. By comparison, Mitsubishi's new mirrorless technology extends the recognition distance to 100 meters with an 81 percent accuracy. "Motion detection can't see objects if they are a long distance away," says Kazuo Sugimoto, Senior Manager, at Mitsubishi Electric's Image Analytics and Processing Technology Group, Information Technology R&D Center in Kamakura, 55 km south of Tokyo. "So we have developed an AI-based object-recognition technology that can instantly detect objects up to about 100 meters away." To achieve this, the Mitsubishi system uses two technology processes consecutively. A computational visual-cognition model first mimics how humans focus on relevant regions and extract object information from the background even when the objects are distant from the viewer. The extracted object data is then fed to Mitsubishi's compact deep learning AI technology dubbed Maisart. The AI has been taught to classify objects into distinct categories: trucks; cars; and other objects such as lane markings. The detected results are then superimposed onto video that appears on a monitor for the driver to view. 
Currently, this superimposing results in objects being displayed with colored rectangles surrounding them. For instance, a blue rectangle designates an approaching truck, a yellow rectangle an oncoming car. "But this can be done in a number of ways," says Sugimoto. "We are now testing out various ideas to find the best method for drivers." http://spectrum.ieee.org/cars-that-think/transportation/advanced-cars/mitsubishi-electric-develops-highperformance-aibased-mirrorless-car-technology The risks? Maybe too much displayed, data overload? Displays looking like video games? or maybe it'll be brilliant.
Danny Palmer, ZDNet, 13 Mar 2018 Researchers have discovered that cyber-attackers can remotely gain control of an IoT camera, allowing them to spy on users and more. http://www.zdnet.com/article/security-vulnerabilities-in-these-popular-smart-cameras-let-hackers-turn-them-into-surveillance/
Evan Schuman, The Zen of Mobile, Computerworld, 12 Mar 2018 http://www.computerworld.com/article/3262549/mobile-wireless/it-beware-university-finds-new-4g-security-holes.html Opening text: IT has enough to worry about with traditional data breach issues, but now researchers from Purdue University and the University of Iowa have found quite a few new security holes in the popular 4G mobile networks. The potentially worst hole detailed in the study is an authentication synchronization failure attack. The danger? It allows bad guys to read incoming and outgoing messages from an employee, permits "stealthy denial" of selected services and "location of history poisoning," which simply means it can manipulate location ready to give false information to systems using location for identity authentication.
It's possible that multiple *different* ultrasonic spying devices may have interfered with one another in the recent Cuba incident! (Spy v Spy)*nonlinear => Intermodulation Distortion + Oops! This obviously violated the spooks' Hypocratic Oath: First, Do No Harmonics! [Hypocritical comment! PGN] On Cuba, Diplomats, Ultrasound, and Intermodulation Distortion, Chen Yan (Department of Systems Science and Engineering, Zhejiang University), Kevin Fu (Computer Science & Engineering, University of Michigan), and Wenyuan Xu (Department of Systems Science and Engineering, Zhejiang University), University of Michigan Tech Report CSE-TR-001-18, 1 Mar 2018 http://spqr.eecs.umich.edu/papers/YanFuXu-Cuba-CSE-TR-001-18.pdf Abstract: This technical report analyzes how ultrasound could have led to the AP news recordings of metallic sounds reportedly heard by diplomats in Cuba. Beginning with screen shots of the acoustic spectral plots from the AP news, we reverse engineered ultrasonic signals that could lead to those outcomes as a result of intermodulation distortion and non-linearities of the acoustic transmission medium. We created a proof of concept eavesdropping device to exfiltrate information by AM modulation over an inaudible ultrasonic carrier. When a second inaudible ultrasonic source interfered with the primary inaudible ultrasonic source, intermodulation distortion created audible byproducts that share spectral characteristics with audio from the AP news. Our conclusion is that if ultrasound played a role in harming diplomats in Cuba, then a plausible cause is intermodulation distortion between ultrasonic signals that unintentionally synthesize audible tones. In other words, acoustic interference without malicious intent to cause harm could have led to the audible sensations in Cuba.
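The mechanism the report describes can be checked in a few lines: two tones that are each above the range of hearing, passed through anything with a square-law term in its response, yield a tone at their difference frequency. The following is an added illustration (not code from the Yan/Fu/Xu report); the 25 kHz and 30 kHz carriers, the 192 kHz sample rate and the size of the quadratic term are assumptions chosen so that every product lands on an exact analysis bin.

```python
"""Intermodulation distortion (IMD) demo: two inaudible ultrasonic tones through a
nonlinear medium produce an audible difference tone.

Added illustration, not code from the Yan/Fu/Xu technical report. The tone
frequencies, sample rate and the size of the quadratic term are assumptions.
"""
import math

SAMPLE_RATE = 192_000   # Hz; assumption, high enough to hold the 55 kHz sum product
N_SAMPLES = 9_600       # 50 ms; gives 20 Hz bins so the chosen tones sit on exact bins


def two_tone(f1, f2, n=N_SAMPLES, fs=SAMPLE_RATE):
    """Sum of two unit-amplitude sines, both above the ~20 kHz limit of hearing."""
    return [math.sin(2 * math.pi * f1 * i / fs) + math.sin(2 * math.pi * f2 * i / fs)
            for i in range(n)]


def nonlinear_medium(x, a2=0.1):
    """Memoryless quadratic nonlinearity y = x + a2 * x^2.  a2 = 0 is the linear (ideal)
    medium; the x^2 term is what turns sin(w1 t) * sin(w2 t) into cos((w1-w2) t) and
    cos((w1+w2) t), i.e. the difference and sum tones."""
    return [v + a2 * v * v for v in x]


def bin_power(x, freq, fs=SAMPLE_RATE):
    """Normalised power |X[k]|^2 / N^2 at one frequency, via the Goertzel algorithm
    (a unit-amplitude sine on an exact bin gives 0.25).  Pure Python, no numpy."""
    n = len(x)
    k = round(freq * n / fs)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for v in x:
        s = v + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return (s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2) / (n * n)


def imd_products(f1, f2, a2=0.1):
    """Power at the two carriers, the difference tone and the sum tone after the medium."""
    y = nonlinear_medium(two_tone(f1, f2), a2)
    return {f: bin_power(y, f) for f in (f1, f2, abs(f1 - f2), f1 + f2)}


if __name__ == "__main__":
    for a2 in (0.0, 0.1):
        # both carriers inaudible; 30000 - 25000 = 5 kHz is squarely audible
        p = imd_products(25_000, 30_000, a2)
        print(f"a2={a2}: " + ", ".join(f"{f} Hz: {v:.4f}" for f, v in p.items()))
```

With a2 = 0 the 5 kHz bin is empty; with a2 = 0.1 it carries amplitude 0.1 (power 0.0025), a tone 20 dB below the carriers and well inside the audible band, which is the "audible byproduct" of the abstract. Neither source needs to be malicious, or even aware of the other, for this to happen.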
Lily Hay Newman, *WiReD*, 1 Mar 2018, via Dave Farber http://www.wired.com/story/github-ddos-memcached/ On Wednesday, at about 12:15 pm ET, 1.35 terabits per second of traffic hit the developer platform GitHub all at once. It was the most powerful distributed denial of service attack recorded to date—and it used an increasingly popular DDoS method, no botnet required.
Yes, UDP is easy to spoof, but the real risk here is why is spoofed UDP getting past the firewall and to memcached in the first place?
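What "no botnet required" means in practice: a 15-byte UDP datagram with a forged source address elicits a reply orders of magnitude larger, sent to the forged address. The following added example (not code from the WiReD article, GitHub or any vendor) builds that probe from the memcached UDP frame layout and runs a flow-level check over constructed flow records to pick out hosts that are amplifying; the 50x threshold is an assumption.

```python
"""Memcached over UDP as a reflector: the probe, the frame format, and a flow-level
check for amplifying hosts.

Added example, not code from the WiReD article or from GitHub/Akamai. The flow
records are constructed; the 50x ratio threshold is an assumption.
"""
import struct

MEMCACHED_PORT = 11211


def memcached_udp_probe(request_id=0, command=b"stats\r\n"):
    """Memcached UDP frame: 8-byte header (request id, sequence number, total
    datagrams, reserved) followed by the ASCII command.  With 'stats' this is the
    15-byte request whose reply can be many kilobytes; a spoofed source address
    makes the server send that reply to the victim instead of the sender."""
    header = struct.pack("!HHHH", request_id, 0, 1, 0)
    return header + command


def parse_memcached_udp(datagram):
    """Split a memcached UDP datagram into header fields and payload."""
    if len(datagram) < 8:
        raise ValueError("short memcached UDP frame")
    rid, seq, total, reserved = struct.unpack("!HHHH", datagram[:8])
    return {"request_id": rid, "seq": seq, "total": total,
            "reserved": reserved, "payload": datagram[8:]}


# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    ("udp", "198.51.100.7", 40000, "203.0.113.10", 11211, 15),          # probe in
    ("udp", "203.0.113.10", 11211, "198.51.100.7", 40000, 1_350_000),   # reply out, huge
    ("udp", "198.51.100.9", 40001, "203.0.113.11", 11211, 15),
    ("udp", "203.0.113.11", 11211, "198.51.100.9", 40001, 600),         # modest reply
    ("tcp", "198.51.100.5", 50000, "203.0.113.10", 11211, 300),         # TCP needs a handshake,
    ("tcp", "203.0.113.10", 11211, "198.51.100.5", 50000, 9_000),       # so it cannot be reflected
]


def find_udp_amplifiers(flows, port=MEMCACHED_PORT, min_ratio=50):
    """Pair each UDP request to `port` with the reverse flow and return
    {server_ip: bytes_out / bytes_in} for servers above `min_ratio`."""
    bytes_in, bytes_out = {}, {}
    for proto, sip, sport, dip, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport == port:                       # client -> server
            key = (sip, sport, dip)
            bytes_in[key] = bytes_in.get(key, 0) + nbytes
        elif sport == port:                     # server -> client, same key order
            key = (dip, dport, sip)
            bytes_out[key] = bytes_out.get(key, 0) + nbytes
    amplifiers = {}
    for key, n_in in bytes_in.items():
        ratio = bytes_out.get(key, 0) / n_in
        if ratio >= min_ratio:
            amplifiers[key[2]] = max(ratio, amplifiers.get(key[2], 0))
    return amplifiers


if __name__ == "__main__":
    print(memcached_udp_probe(request_id=7).hex())
    print(find_udp_amplifiers(SAMPLE_FLOWS))
```

The constructed 203.0.113.10 answers 15 bytes with 1.35 MB, a 90,000x ratio; the TCP flows are ignored because a spoofed source cannot complete a TCP handshake. Fixes are on the server side, which is the point of the comment above: start memcached with `-U 0` (UDP disabled; this became the default in 1.5.6), never expose 11211 beyond the hosts that need it, and filter spoofed source addresses at the network edge.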
The personal information of thousands of Marines, sailors and civilians, including bank account numbers, was compromised in a major data spillage emanating from U.S. Marine Corps Forces Reserve. Roughly 21,426 people were impacted when an unencrypted email with an attachment containing personal confidential information was sent to the wrong email distribution list Monday morning. http://www.marinecorpstimes.com/news/your-marine-corps/2018/02/28/major-data-breach-at-marine-forces-reserve-impacts-thousands/ The risk? Personal information loose in files too easy to randomly/incorrectly attach, email systems not scanning for sensitive information being sent, people.
Tara Seals, FierceWireless, 12 Mar 2018 http://www.fiercewireless.com/dpi-espionage-campaign-targets-turkish-dissidents A series of deep packet inspection (DPI) middleboxes developed by Sandvine PacketLogic (formerly known as Procera) are apparently being misused by state-sponsored cybercriminals for espionage purposes and for commercial gain. http://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/ According to a Citizen Lab internet scan, DPI boxes on Turk Telekom's network are being used to redirect hundreds of mobile and fixed users in Turkey and Syria to spyware when those users attempt to download certain legitimate Windows applications. Visitors to official vendor websites, including Avast Antivirus, CCleaner, Opera, and 7-Zip, were observed being silently redirected to malicious versions bundled with the StrongPity spyware, as were those who downloaded a wide range of applications from CBS Interactive's Download.com and FinFisher. http://securelist.com/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/76147/ http://www.finfisher.com/FinFisher/index.html The scans of Turkey revealed that this redirection was happening in at least five provinces, and Citizen Lab believes the efforts were being carried out by the ISP at the behest of the Turkish government. "Based on publicly available information we found on Wi-Fi router pages, at least one targeted IP address appears to serve YPG (Kurdish militia) users. YPG has been the target of a Turkish government air and ground offensive which began in January 2018. Areas not controlled by the YPG also appear to be targeted, including the area around Idlib city." The Citizen Lab also found similar middleboxes in the Telecom Egypt network being used to hijack Egyptian internet users' unencrypted web connections en masse.
In this case, the boxes were being used to redirect the users to affiliate ads and browser cryptocurrency mining scripts in an effort to line the criminals' pockets. This kind of redirection can be done via network injection: A DPI middlebox operates over connections between a target and an internet site he or she is visiting. If the connection is unauthenticated (e.g., HTTP and not HTTPS), then the middlebox can be used to tamper with data to inject a spoofed response from the internet site. The spoofed response may contain redirects to exploits or spyware to infect and monitor the target. The Citizen Lab said that it matched characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices. "We developed a fingerprint for the injection we found in Turkey, Syria, and Egypt and matched our fingerprint to a second-hand PacketLogic device that we procured and measured in a lab setting," the group said in an announcement. [...]
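The injection described above needs only two things: a request the box can read (plaintext HTTP) and a client that follows whatever response arrives first. The following added example (not code from Citizen Lab, Sandvine or FierceWireless) models the middlebox on one side and, on the other, the checks an updater or download manager can apply so that an injected redirect buys the attacker nothing. The vendor host name, the 307 status, the paths and the installer bytes are all assumptions for illustration.

```python
"""Network injection on plaintext HTTP, modelled end to end, with the client-side
checks that make the injected redirect harmless.

Added example, not code from Citizen Lab, Sandvine or FierceWireless.  Host names,
the 307 status, paths and installer bytes are assumptions made for illustration.
"""
import hashlib
from urllib.parse import urlsplit


def parse_request(raw: bytes):
    """Return (method, path, host) from a raw HTTP/1.1 request.  This is all a DPI box
    needs to see to decide whether to inject; over TLS it sees none of it."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return method, path, host


def middlebox_inject(raw_request: bytes, watched_hosts, attacker_host="203.0.113.5"):
    """Model of the middlebox: on a plaintext GET for an installer from a watched vendor
    host, return a spoofed redirect to the attacker's copy; otherwise None, meaning the
    traffic passes untouched."""
    method, path, host = parse_request(raw_request)
    if method == "GET" and host in watched_hosts and path.lower().endswith((".exe", ".msi")):
        return (f"HTTP/1.1 307 Temporary Redirect\r\n"
                f"Location: http://{attacker_host}{path}\r\n"
                f"Content-Length: 0\r\n\r\n").encode("latin-1")
    return None


def redirect_location(response: bytes):
    """Location header of a 3xx response, or None."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    if not lines[0].split(" ")[1].startswith("3"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


def sha256_hex(data: bytes):
    return hashlib.sha256(data).hexdigest()


def check_installer(requested_url, final_url, body, expected_sha256):
    """Client policy: (1) installers only over HTTPS, so the box cannot read or forge the
    exchange; (2) no redirect to another origin; (3) the bytes must match a hash obtained
    out of band (or a code signature).  Returns (accepted, reason)."""
    req, fin = urlsplit(requested_url), urlsplit(final_url)
    if req.scheme != "https" or fin.scheme != "https":
        return False, "plaintext download"
    if req.netloc != fin.netloc:
        return False, "cross-origin redirect"
    if sha256_hex(body) != expected_sha256:
        return False, "hash mismatch"
    return True, "ok"


# Constructed sample: a victim fetching an installer over plain HTTP.
SAMPLE_REQUEST = (b"GET /files/setup.exe HTTP/1.1\r\n"
                  b"Host: downloads.vendor.example\r\n"
                  b"User-Agent: constructed-sample\r\n\r\n")
WATCHED = {"downloads.vendor.example"}
GENUINE_INSTALLER = b"constructed installer bytes"

if __name__ == "__main__":
    injected = middlebox_inject(SAMPLE_REQUEST, WATCHED)
    print("injected redirect to:", redirect_location(injected))
    print(check_installer("http://downloads.vendor.example/files/setup.exe",
                          redirect_location(injected), b"trojaned",
                          sha256_hex(GENUINE_INSTALLER)))
```

Each of the three checks alone is enough to stop this particular campaign as described: HTTPS denies the box the request, the same-origin rule refuses the redirect, and the hash check rejects the substituted binary even if the first two are bypassed. Vendors that publish installers over plain HTTP leave all three to the user.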
Zack Whittaker for Zero Day | 13 Mar 2018 The bugs can leak real-world IP addresses, which in some cases can identify individual users and determine a user's location. http://www.zdnet.com/article/more-privacy-busting-bugs-found-in-popular-vpn-services/
A bit more of my thoughts on Google's military drone AI effort. One issue that often comes up in such discussions is the difference between defensive vs. offensive technologies. I remember having discussions about topics like this at RAND many, many years ago (not drones of course, but tech efforts that ostensibly aimed at troop defense rather than offense, for example). The upshot was that in the final analysis, it was impossible to "wall off" one from the other. That is, tech designed for the former always ended up contributing to the latter, either directly or indirectly (I've had Pentagon types say this to me explicitly, explaining that this is part of why they fund what seem to be purely defensive efforts—they know there will be an offensive side payoff). With image analysis and target identification, this connection seems even more direct. A counter-argument is that better target analysis could in theory help avoid civilian collateral damage. But I don't believe that is actually generally true in practice given the nature of the kinds of targets that drones are used against. These targets tend to be deep in civilian areas and travel with civilians (including children, other family members, etc., who typically have no choice about such matters). No drone-based image analysis can separate these. Pentagon planners for years have used drones for attacks with the explicit understanding that significant civilian losses are part and parcel of such attacks, and any tech that increases the viability of drone-based attacks will increase such losses.
Dan Williams, Reuters, 7 Mar 2018 JERUSALEM, March 7 (Reuters) - Israel and Egypt were working to halt disruptions to mobile phone service after Egyptian jamming against Sinai insurgents caused outages in neighbouring Israel and the Gaza Strip, Israeli officials said on Wednesday. Under President Abdel Fattah al-Sisi, Egypt has quietly cooperated with Israel on security in the Sinai, a desert peninsula demilitarised as part of their U.S.-sponsored 1979 peace treaty but where Cairo's forces now operate freely. The jamming appeared to catch Israel by surprise, however, prompting what its communications minister said were talks across the border to resolve what he called a "crisis". rest: http://af.reuters.com/article/africaTech/idAFL5N1QP267 Egypt's military did not immediately comment. Cairo launched a major sweep of Sinai jihadis loyal to Islamic State on 9 Feb 2018. Israeli officials said that on 21 Feb Egyptian forces began jamming a range of cellphone frequencies in Sinai, disrupting reception in Israel and Gaza. "We've never seen anything this intensive or protracted. Even the Palestinians have been coming to us, appealing to make it stop," one Israeli official told Reuters on condition of anonymity. Phones had been disrupted as far away as Jerusalem and northern Israel, depending on weather, the official said. An Egyptian official who also asked not to be identified confirmed electronic warfare was being waged in the Sinai. "Obviously, we want to stop terrorists from communicating," he told Reuters. The official denied that Israel was the intended target of the jamming, but he said some Sinai insurgents were suspected of using smuggled Israeli SIM cards, close enough to the border to link up with Israeli cellphone reception, "which means that we may need to work against a wide range of frequencies". Several Palestinian residents of Gaza, the densely populated enclave on the Egyptian border, told Reuters they had been experiencing problems with phone service. 
A source at one of the two Palestinian mobile phone companies said its services were disrupted for a day in the past week in southern Gaza but that the problem had been resolved. Israeli cellphone provider Partner said several hundred of its customers had complained about reception problems, but that its 4G network was working well. Other leading Israeli providers, Cellcom and Pelephone, did not immediately respond to requests for comment. Interviewed by Israel's Army Radio, Communications Minister Ayoob Kara said: "Without getting into details, for the first time in the south we have been experiencing an uncomfortable situation". But he said understandings were reached "after a very important meeting across the border" on Tuesday, and he believed the disruptions would end within the next three days. Gadi Yarkoni, a mayor representing Israeli communities near Gaza, criticised the Communications Ministry and threatened to sue the phone companies, saying the failure to fix disruptions "shows disrespect for the residents of the Gaza periphery". The Multinational Force & Observers (MFO), an international body set up under the Israel-Egypt peace agreement to monitor the Sinai, declined to comment. (Additional reporting by Steven Scheer in Jerusalem and John Davison in Cairo Writing by Dan Williams Editing by Jeffrey Heller)
https://beta.techcrunch.com/2018/03/07/all-of-oculuss-rift-headsets-have-stopped-working-due-to-an-expired-certificate/
911 call led Clinton police to the wrong home. That mistake led to an officer's death. http://www.kansascity.com/news/local/crime/article204015984.html It is unclear if the mistake was the result of human error or a faulty computer system. "The 911 call that came in was somehow attached to that (Clinton) address," Lowe said during a Wednesday afternoon press conference. "We're confident that is not part of this incident (in Clinton), but the fact remains they were called to that residence. ... In order to determine nothing adverse was going on in that residence, they had to make sure everything was OK. That's when the tragic incident took place."
http://www.npr.org/2018/03/12/591906701/18-years-after-sept-11-critical-incidents-still-overload-emergency-radios "Digital radio promises greater capacity, but it is sometimes the subject of complaints from some police and first responders, who say the systems can become finicky during large-scale events. "Officers' frustration with the radios got so bad, they started a social media campaign to pressure Motorola Solutions to come back to Cincinnati and make fixes. The company did, and Hils says the radios are more reliable now. But he still doesn't completely trust the new generation of radios in critical incidents, when many people are trying to communicate at the same time. "There's even a webpage, run by an engineer and owner of an emergency radio systems company in California, that collects news media accounts of technical problems with newer digital systems. "But the manufacturers and other defenders of digital radio say the real problem tends to be user error, not the technology itself. In Broward County, de Zayas says police and other first responders need "good end-user education." "Agencies need to train their public safety personnel on how to use their radios," says de Zayas. "Constant and continuous training on how to use the radio." Is this really a case of UIAI—user is an idiot? Certain features are buggy, certain bugs are features, if you use the gear correctly? With deterministic behavior a guessing game—apparently—does public safety truly benefit?
So eyup, you *can* claim you're late 'cuz your clock had the wrong time... [European news] Continuing frequency deviation in the Continental European Power System originating in Serbia/Kosovo: Political solution urgently needed in addition to technical ... Some clocks are based on the frequency of the power system, and thus run late when the frequency decreases, or run too fast, when the system is in over-frequency. Such clocks are typically radio-, oven clocks or clocks for programming the heating system. These types of electric clocks show now a delay around six minutes. rest: http://www.entsoe.eu/news-events/announcements/announcements-archive/Pages/News/2018-03-06-press-release-continuing-frequency-deviation-in-the-continental-european-power-system.aspx [Monty Solomon noted this item: Clocks Slow in Europe? Blame Kosovo-Serbia Row An old dispute between the Balkan neighbors over power supplies made residents of countries like Portugal and Poland late. http://www.nytimes.com/2018/03/08/world/europe/kosovo-serbia-clocks-europe.html PGN]
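The six minutes are not a sudden error but the integral of a small deviation over weeks: a mains-synchronous clock counts cycles and assumes each one is exactly 1/50 s, so every second at 49.996 Hz loses 80 microseconds. The following added example (not from the ENTSO-E release) does that bookkeeping over a frequency time series and shows how much over-frequency it takes to make the lost time up; the frequency values and durations are constructed, and the real event was a long run of varying under-frequency rather than a constant.

```python
"""Mains-synchronous clock drift: how a sustained frequency deviation becomes minutes
of clock error, and how much over-frequency it takes to claw it back.

Added example, not from the ENTSO-E press release. Frequency values and durations are
constructed; the real deviation was a long run of small under-frequency, not a constant.
"""
NOMINAL_HZ = 50.0
DAY = 86_400


def clock_offset_seconds(samples, nominal_hz=NOMINAL_HZ):
    """samples: iterable of (duration_s, measured_hz).  A mains-synchronous clock
    counts cycles and treats each one as 1/50 s, so over an interval it drifts by
    (f - f0) / f0 * duration seconds from true time.  Negative = clock runs slow."""
    return sum((hz - nominal_hz) / nominal_hz * duration for duration, hz in samples)


def days_to_accumulate(offset_s, hz, nominal_hz=NOMINAL_HZ):
    """Days a constant frequency `hz` takes to produce `offset_s` of clock error.
    A positive offset with hz > nominal asks how long a deliberate over-frequency
    period must run to make up lost time."""
    rate = (hz - nominal_hz) / nominal_hz       # seconds of drift per second
    if rate == 0:
        raise ValueError("no drift at nominal frequency")
    return offset_s / rate / DAY


# Constructed series: six weeks slightly under 50 Hz, then a week back on nominal.
CONSTRUCTED_SERIES = [(42 * DAY, 49.996), (7 * DAY, 50.000)]

if __name__ == "__main__":
    lost = clock_offset_seconds(CONSTRUCTED_SERIES)
    print(f"clock offset after the series: {lost:.1f} s ({lost / 60:.1f} min)")
    print(f"days at 49.996 Hz to fall 6 min behind: {days_to_accumulate(-360, 49.996):.1f}")
    print(f"days at 50.010 Hz to recover {-lost:.0f} s: {days_to_accumulate(-lost, 50.010):.1f}")
```

The constructed run of 42 days at 49.996 Hz leaves the clock about 290 s (4.8 min) slow, a constant 49.996 Hz reaches the six minutes reported in roughly 52 days, and recovering 290 s at 50.010 Hz takes about 17 days, which is why the release calls the fix political as well as technical: someone has to generate the missing energy before the frequency can be pushed back above nominal.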
Apple responds to claims that Cellebrite can now break into latest iPhone by telling customers to upgrade to latest iOS. http://www.timesofisrael.com/in-reported-breakthrough-israeli-tech-can-now-unlock-any-phone/
Technology developed by LawGeex had a 94% accuracy rate vs 85% for experienced lawyers, multinational study shows Artificial intelligence software developed by an Israeli startup has proved in an international study to be quicker and more accurate at analyzing legal documents than experienced lawyers. http://www.timesofisrael.com/israeli-ai-software-whips-expert-lawyers-in-contract-analysis/ The risk? Unemployed lawyers? Overly trusting AI? I'd like to feed current vendor privacy statements and terms of service into an analyzer—but what would be the point, since nobody will modify them based on such evaluations/comments. Though perhaps automated analysis would give objective arguments for changes. Agreeing on "objective" would be the challenge.
7 Mar 2018 Israeli cellular networks have been experiencing interference since Wednesday, the Communications Ministry said Thursday—and the reason is due to Egyptian military activity in Sinai. The Egyptians are apparently jamming cellular networks in northern Sinai as part of their campaign against Islamist groups in the region, the Ministry said, responding to the complaints it has received in the 24-hour period between Wednesday and Thursday afternoon. http://hamodia.com/2018/02/22/officials-egyptian-military-activity-affecting-israeli-cell-networks/
http://fortune.com/2018/02/27/apple-steve-wozniak-bitcoin-theft/ The risk? Old scams working on new technologies/assets. And not using old-school tools like escrow.
http://www.zdnet.com/article/australians-used-bitcoin-to-pay-au50k-worth-of-fake-ato-tax-debts-in-2017/ The Australian Taxation Office has warned of scammers impersonating the ATO and demanding cryptocurrency as a form of payment, revealing AU$50,000 was handed over last year in bitcoin. Asha McLean, 14 Mar 2018
> Naturally, finding these problems took a minimum of hours and often days, > weeks, or even months. In one case an entire team of engineers was pulled > off a project to diagnose a bug, at a cost of tens of thousands of dollars. "Clocks in phones at high altitudes always ran faster than those close to sea level!", I told the desktop landline telephone designers. Wow, clock chip affected by altitude! All discovered by Junior, the Science Wiz, me! ...Until one day I unplugged a sea level phone, messed with the time, and plugged it back in. Oh, it got time corrections every minute from the switching office and promptly corrected itself.—A feature that more older rural switching offices lacked.
Hewlett Packard Enterprise has patched a vulnerability in its remote management hardware called Integrated Lights-Out 3 that is used in its popular line of HP ProLiant servers. The bug allows an attacker to launch an unauthenticated remote denial of service attack that could contribute to a crippling on vulnerable datacenters under some conditions. http://threatpost.com/bug-in-hp-remote-management-tool-leaves-servers-open-to-attack/130189/
Today, Talos is releasing details of a new vulnerability within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. A specific Javascript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation leading to stack-based buffer overflow when opening a specially crafted PDF document in Adobe Acrobat Reader DC 2018.009.20044. This stack overflow can lead to return address overwrite which can result in arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. http://blog.talosintelligence.com/2018/02/vulnerability-spotlight-adobe-acrobat.html
http://www.thehindu.com/business/Industry/article22772456.ece "Apple has admitted that the iOS 11.2.5 has a serious bug which is capable of crashing apps and Apple devices via iMessage, saying that it was working on to fix it. The vulnerability was discovered earlier this week and involves sending an Indian language character (in Telugu) to devices that crashes an iPhone..." Ah, reminds me of (Kannada this time) http://debbugs.gnu.org/cgi/bugreport.cgi?bug=30193 "The deadliest file in Emacs history Gentleman, I reveal to you the deadliest file in the history of Emacs. It is so deadly that it must be QP encoded, else, well, Fatal error 11: Segmentation fault"
http://boingboing.net/2018/01/08/what-banana.html The risk? Human beings vs. technology.
In OpenStreetMap, there are two powerful editors, one "left hand drive" (left mouse button), one "right hand drive". Due to "muscle memory" switching back and forth may affect how you use other unrelated mapping programs too, in a bad way... http://forum.openstreetmap.org/viewtopic.php?id=61550
On Tuesday, the Supreme Court heard oral argument in United States v. Microsoft, a case that many observers believe could have significant ramifications for how cloud computing and other technology companies interact with the US government. If it were up to the justices themselves, however, those implications would end up being short-lived. The dispute concerns the reach of the Stored Communications Act, a 1986 law that regulates the ability for the US government to obtain emails and other communications from technology companies. In July 2016, the Second Circuit Court of Appeals, a prominent federal appellate court that sits in New York, ruled that a warrant obtained under the SCA does not allow the government to require the production of emails stored by Microsoft overseas—in this case, on a server in Ireland—because the relevant provision of the statute does not apply *extraterritorially* to reach foreign-stored data. http://www.wired.com/story/us-v-microsoft-supreme-court-oral-argument The risks? Lawyers, lawsuits, judges, Congress...
http://www.ecns.cn/m/2018/03-05/294535.shtml She had to wait an incredible 25,114,980 minutes to try her password again in order to activate her phone. That's almost 47.78 years. It was disabled because her two-year-old son played with her phone and entered wrong pins multiple times. "I have many important files, photos and contacts in the phone," the worried Lu said. "I don't want to reboot it. Am I supposed to wait for some 40 years? I will be too old to talk then."
$ uname
Linux
$ ls
a.pdf  b.pdf
#Let's make text versions too.
$ pdftotext *.pdf
$ file *
a.pdf: PDF
b.pdf: text
$ pdftotext --help
Usage: pdftotext [options] <PDF-file> [<text-file>]
Oops.
via NNSquad http://techcrunch.com/2018/03/05/moviepass-ceo-proudly-says-the-app-tracks-your-location-before-and-after-movies/ "We get an enormous amount of information," Lowe continued. "We watch how you drive from home to the movies. We watch where you go afterwards." It's no secret that MoviePass is planning on making hay out of the data collected through its service. But what I imagined, and what I think most people imagined, was that it would be interesting next-generation data about ticket sales, movie browsing, A/B testing on promotions in the app and so on. I didn't imagine that the app would be tracking your location before you even left your home, and then follow you while you drive back or head out for a drink afterwards. Did you? It sure isn't in the company's privacy policy, which in relation to location tracking discloses only a "single request" when selecting a theater, which will "only be used as a means to develop, improve, and personalize the service." Which part of development requires them to track you before and after you see the movie?
A first look at browser-based Cryptojacking Shayan Eskandari, Andreas Leoutsarakos, Troy Mursch, Jeremy Clark http://arxiv.org/abs/1803.02887v1 Abstract: In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar codebases. In this model, a user visiting a website will download a JavaScript code that executes client-side in her browser, mines a cryptocurrency, typically without her consent or knowledge, and pays out the seigniorage to the website. Websites may consciously employ this as an alternative or to supplement advertisement revenue, may offer premium content in exchange for mining, or may be unwittingly serving the code as a result of a breach (in which case the seigniorage is collected by the attacker). The cryptocurrency Monero is preferred seemingly for its unfriendliness to large-scale ASIC mining that would drive browser-based efforts out of the market, as well as for its purported privacy features. In this paper, we survey this landscape, conduct some measurements to establish its prevalence and profitability, outline an ethical framework for considering whether it should be classified as an attack or business opportunity, and make suggestions for the detection, mitigation and/or prevention of browser-based mining for non-consenting users.
http://www.zdnet.com/article/after-oracle-weblogic-miner-attack-critical-apache-solr-bug-is-now-targeted/ After Oracle WebLogic miner attack, critical Apache Solr bug is now targeted Money-hungry hackers have used over 1,400 unpatched Apache Solr servers to install a cryptocurrency miner. By Liam Tung | March 9, 2018—14:12 GMT (06:12 PST) | Topic: Security [selected text] Marinho notes that IBM InfoSphere version 11.5, JBoss Data Grid versions 7.0.0, 7.1.0, JBoss Enterprise Application Platform (EAP) versions 6, 7, 7.0.8, and JBoss Enterprise Portal Platform version 6 may also be vulnerable to this attack because it exploits a vulnerability in a shared library.
David Gewirtz for DIY-IT, ZDNet, 9 Mar 2018 Why does Alexa sometimes misinterpret sounds? We dive deep into the digital assistant's inner workings to show you. http://www.zdnet.com/article/has-alexa-snapped-why-alexa-sometimes-laughs-or-does-other-creepy-things/ selected text: Let's cover the back story pretty fast, since it's been written about elsewhere. Alexa has been known to suddenly exhibit weird behaviors. In January, I wrote about how Alexa suddenly started to speak without being woken up by a wake word. A few weeks ago, tech columnist Farhad Manjoo wrote in the New York Times about how his Alexa startled him in bed one night by screaming. All across the Internet this week, we've been hearing stories about Alexas breaking out with unbidden, evil-sounding laughter. What's happening?
Danny Palmer, ZDNet, 9 Mar 2018 Researchers found they were able to infect robots with ransomware; in the real world such attacks could be highly damaging to businesses if robotic security isn't addressed. http://www.zdnet.com/article/ransomware-for-robots-is-the-next-big-security-nightmare/
Niraj Chokshi, *The New York Times*, 6 Mar 2018 The vast majority of Americans expect artificial intelligence to lead to job losses in the coming decade, but few see it coming for their own position. http://www.nytimes.com/2018/03/06/us/artificial-intelligence-jobs.html The risk? People not understanding what "artificial" and "intelligence" mean.
Christopher Elliott, *The Washington Post*, 1 Mar 2018 http://www.washingtonpost.com/lifestyle/travel/new-tracking-technology-could-make-lost-belongings-a-thing-of-the-past/2018/02/28/f7a7e59c-18cc-11e8-92c9-376b4fe57ff7_story.html?utm_term=.c16996ca7988 I wrote to the author: Trackers, IoT, oh my... Regarding your column about trackers for keeping track of everything (keys, luggage, kids, etc.), you neglected critical privacy/security issues. The IoT industry seems intent on repeating the mistake made in developing the early Internet: not including robust reliability/privacy/security. Horror stories about exposures in lightbulbs, thermostats, baby monitors, and other fancy gadgets show that this technology must be evaluated/adopted cautiously and conservatively. Who knows how reliable/private/robust all the devices/services you mentioned are? And what might the risks be in revealing people's/objects' locations? Considering known breaches at supposedly responsible large and well-established organizations (stores, credit reporting agencies, banks, government agencies), I'm not willing to trust startups with anything that matters. You'd do well mentioning technology's dark side when you cover it.
http://fortune.com/2018/03/06/apple-unlock-iphone/ Misleading headline—it costs $15,000 for 300 unlocks!
Larry Dignan, ZDNet, 14 Mar 2018 Two risks in one: the original problem and the consequences of dealing with a [near-?]monopoly. http://www.zdnet.com/article/googles-doubleclick-outage-should-force-marketers-to-ask-some-hard-questions/ DoubleClick for Publishers has suffered five service disruptions in 13 days in March. When the ad tech stack is largely controlled by Google, little things like reliability really matter. More transparency into what Google's DoubleClick is doing is needed. selected text: Google's control of the ad stack isn't optimal, but when DoubleClick's reliability fails, Web publishers' dependence on the search giant becomes all too apparent. Of course, Google has some time to resolve its DoubleClick service problems. Where are marketers going to go?
Alexa briefly lost its voice on Friday http://www.theverge.com/circuitbreaker/2018/3/2/17071634/amazon-alexa-loses-voice-aws-outage
http://www.boston.com/news/local-news/2018/03/09/malicious-software-hits-connecticut-court-systems-computers
Haven't seen anything about this in RISKS so far this year, but recently there have been calls from various people among the great and good claiming that Internet companies (e.g., Apple, Facebook, Google, et al.) have become too big and powerful so must be regulated. This was a big topic at the World Economic Forum meeting in Davos in January this year, and arguments continue, for instance in two of today's UK newspapers (March 12th): http://www.dailymail.co.uk/sciencetech/article-5489853/Tim-Berners-Lee-says-internet-weaponised-scale.html https://www.telegraph.co.uk/technology/2018/03/11/london-mayor-sadiq-khan-tells-tech-giants-not-law/ Looks like lots of RISKS here; who decides what any regulations actually say, and how to enforce them? Different governments have different criteria, so either there's going to have to be widespread international agreement (seems unlikely), or the world is split into different regions with different regulatory regimes (another Great Firewall of China?). Of course some of the campaigning is from existing media businesses, so there's an element of vested interests here. One line of argument is that computer companies have effectively become utilities so should be regulated like them, though as one commentator said, would you prefer your gas company to be run like Google, or Google to be run like your gas company? And then there's the can of worms that is taxation...