http://www.newyorker.com/news/news-desk/america-continues-to-ignore-the-risks-of-election-hacking "America's voting systems are hackable in all kinds of ways. As a case in point, in 2016, the Election Assistance Commission, the bipartisan federal agency that certifies the integrity of voting machines, and that will now be tasked with administering Congress's three hundred and eighty million dollars, was itself hacked. The stolen data -- log-in credentials of EAC staff members—were discovered, by chance, by employees of the cybersecurity firm Recorded Future, whose computers one night happened upon an informal auction of the stolen passwords. “This guy—we randomly called him Rasputin—was in a high-profile forum in the darkest of the darkest of the darkest corner of the dark Web, where hackers and reverse engineers, ninety-nine per cent of them Russian, hang out,” Christopher Ahlberg, the CEO of Recorded Future, told me. “There was someone from another country in the forum who implied he had a government background, and he wanted to get his hands on this stuff. That's when we decided we would just buy it. So we did, and took it to the government”—the U.S. government -- “and the sale ended up being thwarted.” (Ahlberg wouldn't identify which government agency his company had turned the data over to. The EAC, in a statement, referred questions about “the investigation or information shared with the government by Recorded Future” to the FBI. The FBI, through a Justice Department spokesperson, declined to comment.)"
More than two dozen voters cast ballots in the wrong race. They were among 6,000 misassigned voters across the state. It might've cost Democrats a pivotal race. http://www.washingtonpost.com/local/virginia-politics/voters-assigned-to-wrong-districts-may-have-cost-democrats-in-pivotal-virginia-race/2018/05/13/09a9dd8a-5465-11e8-a551-5b648abe29ef_story.html
(PGN-excerpted from Bruce's CRYPTO-GRAM, 15 May 2018) Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose. Our election systems are failing, and we need to fix them. [This is a long item, perhaps intended for non-RISKS readers. Nevertheless, it is highly relevant and timely. The full article is at https://www.schneier.com/crypto-gram/ PGN]
Calls to 000 (the Australian emergency phone number) failed to large areas of Australia on May 04 2018. Government to investigate Telstra triple-0 outage after emergency calls go unanswered http://www.abc.net.au/news/2018-05-04/telstra-triple-zero-outages-several-states-cable-damaged/9725860
NNSquad http://www.mercurynews.com/2018/05/01/self-driving-cars-shortcomings-revealed-in-dmv-reports/ The disengagement reports themselves identify other problems some self-driving vehicles struggle with, for example heavy pedestrian traffic or poorly marked lanes. In describing the events that caused their backup drivers to take the controls, the companies have provided a new window into the road-worthiness—or not—of their cars and systems. Baidu, a Chinese Internet-search giant, reported a case in which a driver had to take over because of a faulty steering maneuver by the robot car; several cases of "misclassified" traffic lights; a failure to yield for cross traffic; delayed braking behind a car that cut quickly in front; drifting out of a lane; and delayed perception of a pedestrian walking into the street.
Two security researchers have excoriated Volkswagen Group for selling insecure cars. As in: hackable-over-the-Internet insecure. They broke into a recent-model VW and an Audi, via the cars' Internet connections, and were able to jump from system to system, running arbitrary code. Worryingly, they fully pwned the unauthenticated control bus connected to some safety-critical systems—such as the cruise control. But VW has no way to push updates to its cars, and won't alert owners to visit a dealer for an update. http://techbeacon.com/vw-bugs-unpatchable-remote-code-pwnage
NNSquad http://arstechnica.com/tech-policy/2018/05/report-software-bug-led-to-death-in-ubers-self-driving-crash/ The fatal crash that killed pedestrian Elaine Herzberg in Tempe, Arizona, in March occurred because of a software bug in Uber's self-driving car technology, The Information's Amir Efrati reported on Monday. According to two anonymous sources who talked to Efrati, Uber's sensors did, in fact, detect Herzberg as she crossed the street with her bicycle. Unfortunately, the software classified her as a "false positive" and decided it didn't need to stop for her. Distinguishing between real objects and illusory ones is one of the most basic challenges of developing self-driving car software. Software needs to detect objects like cars, pedestrians, and large rocks in its path and stop or swerve to avoid them. However, there may be other objects—like a plastic bag in the road or a trash can on the sidewalk—that a car can safely ignore. Sensor anomalies may also cause software to detect apparent objects where no objects actually exist. [Also noted by Wendy Grossman: Classic case of where you set the positive/negative error rate tradeoffs in the classifier, but with the consequences amped up because it's a car on public roads, not a bit of software deciding between cats and giraffes: if you set the threshold too low the car stops (and jolts its passengers) for every plastic bag and shadow. If you set it too high...you get deaths. I wouldn't really call that a bug; I'd call it an experimental error. So besides the risks inherent in deciding where you set the threshold, there's the risk of allowing companies like Uber to run their experiments on public roads.]
The New York Times http://mobile.nytimes.com/2018/05/13/business/deadly-convenience-keyless-cars-and-their-carbon-monoxide-toll.html "It seems like a common convenience in a digital age: a car that can be powered on and off with the push of a button, rather than the mechanical turning of a key. But it is a convenience that can have a deadly effect. "On a summer morning last year, Fred Schaub drove his Toyota RAV4 into the garage attached to his Florida home and went into the house with the wireless key fob, evidently believing the car was shut off. Twenty-nine hours later, he was found dead, overcome with carbon monoxide that flooded his home while he slept. "“After 75 years of driving, my father thought that when he took the key with him when he left the car, the car would be off,” said Mr. Schaub's son Doug." Adoption of technological convenience carries transition risk. The article discusses a wrongful death lawsuit boosted by internal Toyota memos that discovered recommendations to integrate audible and visual warnings when the engine remains active with no key fob inside the vehicle. This recommendation was 86'd from implementation. Over 20 people have perished from vehicle-generated CO poisoning since 2006.
http://www.straitstimes.com/asia/south-asia/the-risk-from-robot-weapons-the-statesman-contributor 'A letter warning against the coming race of these weapons was signed in 2015 by over 1,000 AI experts.' 'Peter Singer, an expert on future warfare at "New America", a think tank, has said that very powerful forces propel the AI arms race - geopolitical compulsions, scientific advances and profit-seeking high technology companies. 'Scharre has also raised the possibility that perhaps because of badly written codes or perhaps because of cyber attack by an adversary, military use autonomous systems can malfunction, raising possibilities of attack on people or soldiers on the same side, or escalating conflicts or killing to unintended, highly exaggerated levels.' Numerous public proclamations admonishing on AV weapon risks are insufficient to deter investment and capability pursuit. There's apparently too much momentum among businesses and governments to deflect this juggernaut. With the Manhattan Project, scientific leadership recognized the risks nuclear weapons raised. Some scientists argued for a demonstration, rather than deployment, to compel quick Japanese surrender. Nagasaki and Hiroshima were destroyed to temporarily establish and project US nuclear hegemony as a deterrent. Aggressive international diplomacy among progressive governments might negotiate a non-proliferation of autonomous weaponry treaty (NPAWT), like the Treaty on the Non-Proliferation of Nuclear Weapons (NPT). However, an enforceable and verifiable treaty is unlikely to timely emerge given historical human proclivity and myopia, despite empirical evidence that argues for deliberate restraint and negotiation. [A timely reminder on the importance of negotiation to cut the risk of war can be found here (http://www.nytimes.com/2018/05/11/opinion/nuclear-doomsday-denial.html).]
*The Washington Post* http://www.washingtonpost.com/news/retropolis/wp/2018/05/10/is-technology-bringing-history-to-life-or-distorting-it/ "Whatever its shortcomings, the Kennedy speech is just the latest way that history is being digitally re-created, updated and manipulated as never before. From meticulously colorized photographs to immersive virtual-reality battlefields, scholars, artists and entrepreneurs are dragging the old days into the computer age. And scholastic standards are straining to keep up. "The U.S. Military Academy is working on a phone-based app along the lines of Pokemon Go that will let visitors see how George Washington's troops strung a massive iron chain across the Hudson River. A team in North Carolina has synthesized an important but unrecorded 1960 speech by Martin Luther King Jr., acoustically accurate down to the echoes in the Durham church." Simulation capability has improved to the point where a political leader can be used to construct a fictitious speech which appears authentic, with the power to convince an enraptured audience. This capability, if exploited by mendacious political entities, can accelerate democracy's decline. Publication of false and misleading political speech, especially by elected authorities, empowers authoritarianism. Current political discourse in the US is heavy with misleading facts and falsehoods that confuse public sentiment. This manipulation distracts attention from government's intent to apparently conceal a hidden political agenda. Exactly what the agenda is, beyond "pay for play," is difficult to divine. The introduction of bots applied for this purpose introduces an asymmetric multiplier for dissembled political discourse. By the time a policy becomes apparent through executive enforcement, the bots will have buried the policy agenda into a messaging morass that will potentially overwhelm any independent observer's (the free press) ability to analyze. 
The result is likely to suppress litigation that thwarts ill-conceived public policy that exclusively benefits "payers."
(via Diego Latella) http://www.bbc.com/news/uk-wales-south-west-wales-44007872 More than 2,000 people were wrongly identified as possible criminals by facial scanning technology at the 2017 Champions League final in Cardiff. South Wales Police used the technology as about 170,000 people were in Cardiff for the Real Madrid v Juventus game. But out of the 2,470 potential matches with custody pictures - 92% - or 2,297 were wrong. Chief Constable Matt Jukes said officers "did not take action" and no one was wrongly arrested. South Wales Police have made 450 arrests in the last nine months using the automatic facial recognition (AFR) software, which scans faces comparing them to about 500,000 custody images http://www.bbc.co.uk/news/technology-39735637
Actually, I believe it exploits a flaw in the most common IMPLEMENTATION of the protocol. For security reasons, once the key has been checked the first time, the recipient forgets it (over-writes it with 0s), so if the attacker can interrupt the handshake at that point, they can resend a key of all zeros and authenticate. The receiver should either abort the handshake completely, or not forget the key until the handshake is complete.
You would think that after decades of analyzing and fighting email spam, there'd be a fix by now for the Internet's oldest hustle—the Nigerian Prince scam. There's generally more awareness that a West African noble demanding $1,000 in order to send you millions is a scam, but the underlying logic of these "pay a little, get a lot" schemes, also known as 419 fraud, still ensnares a ton of people. In fact, groups of fraudsters in Nigeria continue to make millions off of these classic cons. And they haven't just refined the techniques and expanded their targets—they've gained minor celebrity status for doing it. http://www.wired.com/story/nigerian-email-scammers-more-effective-than-ever
In the wake of the TSB computing disaster (which DW has a long piece on the legacy code that runs banking systems, so old that no one understands it any more. The problem: you can't stay in business without updating, and updating it breaks things. Ellen Ullman has often written about this—see for example 1997's Close to the Machine and her more recent sort-of-sequel. http://m.dw.com/en/fail-by-design-bankings-legacy-of-dark-code/a-43645522
On 11 Apr 2018, we experienced an extended outage coinciding with the release of Fortnite 3.5. The outage blocked all logins for all players to our platform. We know many millions of you were excited about dropping from the Battle Bus with your friends, and it was a long time to wait to check out our 3.5 release. We sincerely apologize for the downtime. We're sharing more technical details in this post to give you a better understanding about what went wrong, what we did to fix it, and how we can prevent future issues like this from happening again. http://www.epicgames.com/fortnite/en-US/news/postmortem-of-service-outage-4-12
You can't opt out from other people sharing data about you, such as the relative of the Golden State Killer who put DNA data on a website. http://fivethirtyeight.com/features/you-cant-opt-out-of-sharing-your-data-even-if-you-didnt-opt-in/
from Mainichi.jp English-language site: http://mainichi.jp/english/articles/20180507/p2g/00m/0dm/063000c%23cxrecs_s TOKYO (Kyodo)—Dozens of Canon Inc.'s security cameras connected to the Internet have been hacked across Japan, making them uncontrollable at waterways, a fish market, and a care facility among other places, users said Monday. Over 60 cameras nationwide are believed to have been illegally accessed so far. ... While it remains unclear why Canon cameras have been targeted, the city of Yachiyo in Chiba Prefecture and the city of Ageo in Saitama Prefecture, which lost control of the cameras for monitoring the levels of their waterways, said they had failed to reset the cameras' default passwords..... Hackings were also reported at other locations including a fish market in Hiroshima, a care facility for the disabled in Kobe, and a Naha branch of a company based in Saitama Prefecture.... [This news item seems custom-designed for a classic-style PGN joke linking fishy business at the market, constant comp.risks complaints about poor password management, and Hiroshima's hometown baseball team, the Carp. Have at it.] [OK. Carpe Diem? I had dinner in Kobe's in Lahaina (Maui) last night. I have no beef with this item, even if it might smell fishy. “If you knew Sushi like I knew Sushi,” oh, whatta place... “She shells seashells by the seashore.” PGN]
There are more than 30 Oakland Police Department patrol cars roaming the city with license plate readers, specialized cameras that can scan and record up to 60 license plates per second. Meanwhile, the Alameda County Sheriff's Office maintains a fleet of six drones to monitor crime scenes when it sees fit. The Alameda County district attorney's office owns a StingRay, a device that acts as a fake cell tower and forces phones to give up their location. And that's just in one little corner of California. Just as consumer electronics continually get faster, cheaper, smaller, and more sophisticated, so too do the tools law enforcement uses to spy on us. What once demanded significant money and manpower can be accomplished easily by machine. This advanced technology is hurtling toward us so fast that privacy laws can't keep up. http://www.latimes.com/opinion/op-ed/la-oe-farivar-surveillance-tech-20180502-story.html
American companies that fall victim to data breaches want to retaliate against the culprits. But can they do so without breaking the law? http://www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back
Electronic Frontier Foundation Earlier today in the U.S. Capitol Visitor Center, EFF convened a closed-door briefing for Senate staff about the realities of device encryption. While policymakers hear frequently from the FBI and the Department of Justice about the dangers of encryption and the so-called Going Dark problem, they very rarely hear from actual engineers, cryptographers, and computer scientists. Indeed, the usual suspects testifying before Congress on encryption are nearly the antithesis of technical experts. The all-star lineup of panelists included Dr. Matt Blaze, professor of computer science at the University of Pennsylvania; Dr. Susan Landau, professor of cybersecurity and policy at Tufts University; Erik Neuenschwander, Apple's manager of user privacy; and EFF's tech policy director Dr. Jeremy Gillula. http://www.eff.org/deeplinks/2018/05/bring-nerds-eff-introduces-actual-encryption-experts-us-senate-staff [Incidentally, this is the 20th anniversary of the famous L0pht testimony from Mudge's team, which immediately followed my testimony for the U.S. Permanent Subcommittee on Investigations of the Senate Committee on Governmental Affairs included in Weak Computer Security in Government: Is the Public at Risk? <http://www.csl.sri.com/neumann/senate98.html> PGN]
Throughout the many arguments over encrypted communications, there has been at least one constant: the venerable tools for strong email encryption are trustworthy. That may no longer be true. On Tuesday, well-credentialed cybersecurity researchers will detail what they call critical vulnerabilities in widely-used tools for applying PGP/GPG and S/MIME encryption. According to Sebastian Schinzel, a professor at the Münster University of Applied Sciences in Germany, the flaws could reveal the plaintext that email encryption is supposed to cover up—in both current and old emails. The researchers are advising everyone to temporarily stop using plugins for mail clients like Microsoft Outlook and Apple Mail that automatically encrypt and decrypt emails—at least until someone figures out how to remedy the situation. Instead, experts say, people should switch to tools like Signal, the encrypted messaging app that's bankrolled by WhatsApp co-founder Brian Acton. http://fortune.com/2018/05/14/email-encryption-tool-vulnerability-cybersecurity-warning/
Erica Portnoy, Danny O'Brien, and Nate Cardozo, EFF, 14 May 2018 http://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0 Don't panic! But you should stop using PGP for encrypted email and switch to a different secure communications method for now. A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard. The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim's own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days. Because of the straightforward nature of the proof of concept, the severity of these security vulnerabilities, the range of email clients and plugins affected, and the high level of protection that PGP users need and expect, EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now. Because we are awaiting the response from the security community of the flaws highlighted in the paper, we recommend that for now you uninstall or disable your PGP email plug-in. These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community. There may be simpler mitigations available soon, as vendors and commentators develop narrower solutions, but this is the safest stance to take for now. Because sending PGP-encrypted emails to an unpatched client will create adverse ecosystem incentives to open incoming emails, any of which could be maliciously crafted to expose ciphertext to attackers. While you may not be directly affected, the other participants in your encrypted conversations are likely to be. 
For this attack, it isn't important whether the sender or the receiver of the original secret message is targeted. This is because a PGP message is encrypted to both of their keys. At EFF, we have relied on PGP extensively both internally and to secure much of our external-facing email communications. Because of the severity of the vulnerabilities disclosed today, we are temporarily dialing down our use of PGP for both internal and external email. Our recommendations may change as new information becomes available, and we will update this post when that happens. How The Vulnerabilities Work PGP, which stands for Pretty Good Privacy, was first released nearly 27 years ago by Phil Zimmermann. Extraordinarily innovative for the time, PGP transformed the level of privacy protection available for digital communications, and has provided tech-savvy users with the ability to encrypt files and send secure email to people they've never met. Its strong security has protected the messages of journalists, whistleblowers, dissidents, and human rights defenders for decades. While PGP is now a privately-owned tool, an open source implementation called GNU Privacy Guard (GPG) has been widely adopted by the security community in a number of contexts, and is described in the OpenPGP Internet standards document. The paper describes a series of vulnerabilities that all have in common their ability to expose email contents to an attacker when the target opens a maliciously crafted email sent to them by the attacker. In these attacks, the attacker has obtained a copy of an encrypted message, but was unable to decrypt it. The first attack is a direct exfiltration attack that is caused by the details of how mail clients choose to display HTML to the user. The attacker crafts a message that includes the old encrypted message. The new message is constructed in such a way that the mail software displays the entire decrypted message—including the captured ciphertext—as unencrypted text. 
Then the email client's HTML parser immediately sends or exfiltrates the decrypted message to a server that the attacker controls. The second attack abuses the underspecification of certain details in the OpenPGP standard to exfiltrate email contents to the attacker by modifying a previously captured ciphertext. Here are some technical details of the vulnerability, in plain-as-possible language: When you encrypt a message to someone else, it scrambles the information into ciphertext such that only the recipient can transform it back into readable plaintext. But with some encryption algorithms, an attacker can modify the ciphertext, and the rest of the message will still decrypt back into the correct plaintext. This property is called malleability. This means that they can change the message that you read, even if they can't read it themselves. To address the problem of malleability, modern encryption algorithms add mechanisms to ensure integrity, or the property that assures the recipient that the message hasn't been tampered with. But the OpenPGP standard says that it's ok to send a message that doesn't come with an integrity check. And worse, even if the message does come with an integrity check, there are known ways to strip off that check. Plus, the standard doesn't say what to do when the check fails, so some email clients just tell you that the check failed, but show you the message anyway. ... http://dewaynenet.wordpress.com/feed/
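As an added illustration of the malleability and integrity-check points in the EFF item above (not code from EFF, the researchers, or any mail client), the Python sketch below uses a constructed toy packet format and a SHA-256 keystream as a stand-in for a malleable cipher mode; `seal`, `open_message`, `modify_in_transit` and `strip_check` are hypothetical names. It compares a lenient receiver, which reports the check status but returns the plaintext anyway, with a strict receiver that fails closed.

```python
import hashlib
import hmac
import os

NONCE, TAG = 16, 32
PLAIN, PROTECTED = 0, 1  # constructed packet kinds, not real OpenPGP packet tags


class IntegrityError(Exception):
    """Raised instead of returning plaintext whose integrity check failed or is absent."""


def _keystream(key, nonce, length):
    # Toy stream cipher (assumption): SHA-256 over key || nonce || counter.
    blocks = (length + 31) // 32
    out = b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                   for i in range(blocks))
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key, mac_key, plaintext, protect=True):
    """Encrypt; when protect is set, append an HMAC over kind || nonce || ciphertext."""
    nonce = os.urandom(NONCE)
    body = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    if not protect:
        return bytes([PLAIN]) + nonce + body
    packet = bytes([PROTECTED]) + nonce + body
    return packet + hmac.new(mac_key, packet, hashlib.sha256).digest()


def modify_in_transit(packet, offset, old, new):
    """Models malleability: a keyless XOR edit of ciphertext at a known plaintext position."""
    if len(old) != len(new):
        raise ValueError("old and new must have equal length")
    start = 1 + NONCE + offset
    patched = _xor(packet[start:start + len(old)], _xor(old, new))
    return packet[:start] + patched + packet[start + len(old):]


def strip_check(packet):
    """Models a downgrade: drop the tag and relabel the packet as unprotected."""
    return bytes([PLAIN]) + packet[1:-TAG]


def open_message(enc_key, mac_key, packet, strict):
    """Return (plaintext, status). strict=True refuses anything not verified."""
    if packet[0] == PROTECTED:
        signed, tag = packet[:-TAG], packet[-TAG:]
        expected = hmac.new(mac_key, signed, hashlib.sha256).digest()
        status = "ok" if hmac.compare_digest(tag, expected) else "check failed"
    else:
        signed, status = packet, "no check"
    if strict and status != "ok":
        raise IntegrityError(status)  # fail closed: verify before decrypting anything
    nonce, body = signed[1:1 + NONCE], signed[1 + NONCE:]
    return _xor(body, _keystream(enc_key, nonce, len(body))), status


def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    message = b"Refund goes to Alice today"  # constructed sample message
    sent = seal(enc_key, mac_key, message)
    tampered = modify_in_transit(sent, message.index(b"Alice"), b"Alice", b"Carol")
    stripped = strip_check(tampered)
    results = {
        "strict_original": open_message(enc_key, mac_key, sent, strict=True),
        "lenient_tampered": open_message(enc_key, mac_key, tampered, strict=False),
        "lenient_stripped": open_message(enc_key, mac_key, stripped, strict=False),
    }
    for name, packet in (("strict_tampered", tampered), ("strict_stripped", stripped)):
        try:
            open_message(enc_key, mac_key, packet, strict=True)
            results[name] = "displayed"
        except IntegrityError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The strict path verifies the tag before any decryption happens and treats a missing check the same as a failed one, which is the behaviour the excerpt says the standard leaves unspecified.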
The excruciating DMCA section 1201 exemption process is upon us again, and the right to repair tractors, cars, and electronics is at stake. http://motherboard.vice.com/en_us/article/mbxzyv/dmca-1201-exemptions
Apparently, a large number of kernel-level developers have misunderstood the documentation concerning the interruptibility of an x86-64 instruction. This misunderstanding has made many major operating systems on the x86-64 platform vulnerable to a privilege escalation hazard. Patches have reportedly been issued. Intel has also re-issued its x86-64 Software Development Manuals. A description of the vulnerability can be found at: http://cve.mitre.org/cgi-bin/cvename.cgi%3Fname%3DCVE-2018-8897 [For those of you following the CVE list, it has just exceeded 100,000 CVE entries. This should be a warning for anyone reading RISKS who believes our computer systems are secure. PGN]
http://www.nytimes.com/2018/05/10/technology/alexa-siri-hidden-command-audio-attacks.html Researchers can now send secret audio instructions undetectable to the human ear to Apple's Siri, Amazon's Alexa and Google's Assistant.
Millions of Prime members with Chevrolet, Buick, GMC, Cadillac and Volvo cars can now use Amazon Key to have their Amazon packages delivered inside their vehicle parked at home, work or near other locations in their address book. In-car delivery is available at no extra cost for Prime members—customers simply download the Amazon Key App, link to their connected car and start ordering on Amazon.com; no additional hardware or devices required. To get started, customers download the Amazon Key App and then link their Amazon account with their connected car service account. Once setup is complete and the delivery location has been registered, customers can shop on Amazon.com and select the In-Car delivery option at checkout. On delivery day, the Amazon Key App lets customers check if they've parked within range of the delivery location, and provides notifications with the expected 4-hour delivery time window. The App also notifies customers when the delivery is on its way, and the package has been delivered. Customers can track when their car was unlocked and relocked in the App's activity feed, and rate their in-car delivery. http://www.businesswire.com/news/home/20180424005509/en/Buckle-Prime-Members-Amazon-Launches-In-Car-Delivery
http://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html A company catering to law enforcement and corrections officers has raised privacy concerns with a product that can locate almost anyone's cellphone across the United States.
Ars Technica is reporting that a service meant for use with prison phone systems lacks authentication and safeguards. It has reportedly already been used to track people without legal jurisdiction. Access to non-anonymized geolocation data for mobile devices by third parties is a serious privacy hazard. The article does not indicate the degree of reporting or other measures undertaken to ensure accountability. In this context, even advertising delivered to an identifiable device is a hazard. http://arstechnica.com/tech-policy/2018/05/senator-furious-at-polices-easy-ability-to-get-real-time-mobile-location-data/
http://www.bbc.com/news/technology-44089161 'The Metropolitan Police used facial recognition at London's Notting Hill carnival in 2016 and 2017 and at a Remembrance Sunday event. 'Its system incorrectly flagged 102 people as potential suspects and led to no arrests. 'In figures given to Big Brother Watch, South Wales Police said its technology had made 2,685 "matches" between May 2017 and March 2018 - but 2,451 were false alarms. 'Big Brother Watch also raised concerns that photos of any "false alarms" were sometimes kept by police for weeks.' Perhaps the UK should import and deploy PRC cameras per RISKS-30.65.
Anybody who's been involved with tech for a while has most likely come across the expression "RTFM" on more than one occasion. Usually delivered with a degree of snark, if not downright hostility, the initialism stands for "read the ... manual," with an added expletive added for good measure. As is often pointed out, the advice is not only rude, it's also often not helpful. Sometimes there is no documentation to read and if there is, it's poorly written and difficult to understand. The latter seems to be the case with CVE-2018-8897, the latest operating system vulnerability. On May 8, Nick Peterson of Everdox Tech and Nemanja Mulasmajic of triplefault.io, made public a research paper that revealed all major operating systems—Linux, Apple, Windows and BSD—to be affected by a flaw that can allow authenticated users to read data in memory or control low-level OS functions. The good news is that the researchers notified software developers of the problem on April 30, and by the time it was made public, patches were at the ready. http://www.itprotoday.com/endpoint-security/intel-documentation-blamed-multiple-operating-system-security-flaw
If you're in a foreign country and try to read a map, you may find it difficult—unless your host nation's language is the same as your home nation's, the words are going to be different and, assuming you're not bilingual, will require some translation. But the locations of the roads, rivers, buildings, and the like should be the same, regardless of whether the map is in English, Spanish, or Chinese, right? Language aside, Google Maps should work the same everywhere, right? Well, no. http://nowiknow.com/the-problem-with-chinese-gps/
The former agency employee is being held in a Manhattan jail on unrelated charges. http://www.washingtonpost.com/world/national-security/us-identifies-suspect-in-major-leak-of-cia-hacking-tools/2018/05/15/5d5ef3f8-5865-11e8-8836-a4a123c359ab_story.html