TAMPA, Fla. (WFLA) - A foul-mouthed parrot, who was kicked out of an animal sanctuary for swearing too much, is using technology to cause even more trouble. The Times of London reports Rocco, an African grey, has been using Amazon Alexa to shop online while his owner was away. His owner, Marion Wis[c]hnewski told the newspaper she was shocked to find that her Amazon account suddenly had pending orders for various snacks, including watermelon and ice cream and also a kettle. "I have to check the shopping list when I come in from work and cancel all the items he's ordered," Wischnewski told *The Daily Mail*. https://www.wfla.com/news/viral-news/sneaky-parrot-uses-amazon-alexa-to-shop-while-owner-is-away/1662596515 [Coyly, that case is the "real macaw" (at least in English-speaking idioms, but perhaps not in Macao). However, it reminds me of several very funny parroting jokes—one that makes sense only when told in German, one about a seemingly very devout parrot who surprisingly turns foul-mouthed, and more. Best wishes for some Holiday Cheer! PGN]
The problem first hit during Russia's September 2017 Zapad military exercise in its western regions, near the Baltic states. Then it happened again in October during NATO's Trident Juncture exercise, held in Norway. GPS signals across far northern Norway and Finland failed. Civilian airplanes were forced to navigate manually, and ordinary citizens could no longer trust their smartphones. https://foreignpolicy.com/2018/12/17/the-gps-wars-are-here/
https://www.smh.com.au/national/virgin-australia-under-investigation-after-engines-flame-out-during-landing-20181218-p50n22.html Virgin Australia is under investigation after two engines on one of its aircraft "flamed out" during descent and had to be manually re-ignited before the aircraft hit the tarmac. The incident, which involved an ATR 72 twin-engine turboprop aircraft en route from Sydney to Canberra on December 13, has been categorised as "serious" by the Australian Transport Safety Bureau (ATSB).
Imagine if that goes through a window or an engine. https://www.rt.com/news/446416-plane-drone-collision-mexico/
"They told me incidents like that happen all of the time," the whistleblower wrote. https://arstechnica.com/tech-policy/2018/12/uber-exec-warned-of-rampant-safety-problems-days-before-fatal-crash/
Anne Trafton, MIT News, 13 Dec 2018, via ACM TechNews, 17 Dec 2018 Researchers at the Massachusetts Institute of Technology (MIT) and Brigham and Women's Hospital have designed an ingestible capsule that can be controlled wirelessly via Bluetooth. The three-dimensionally-printed capsules, which can be customized to dispatch drugs, sense environmental conditions, or both, can remain in the stomach for at least a month, transmitting information and responding to instructions from a smartphone. The capsules also could be used to communicate with other wearable and implantable devices, transmitting their pooled information to the patient or doctor's smartphone. Within the capsule is a device with six arms that fold up before encasement; once swallowed, the capsule dissolves and the arms expand so the device can lodge in the stomach. Said former MIT postdoc Yong Lin Kong, "The self-isolation of wireless signal strength within the user's physical space could shield the device from unwanted connections, providing a physical isolation for additional security and privacy protection." https://news.mit.edu/2018/ingestible-pill-controlled-wirelessly-bluetooth-1213 [Risks in ingested capsules? They are not "in jest". Compromised 3-D printing instructions? sharp arms? embedded transmitters? monitoring? interference with brain signals? doping? absorbable toxins triggered remotely? And others left to your imaginations. PGN]
https://www.nytimes.com/2018/12/14/business/huawei-meng-hsbc-canada.html The chief financial officer was arrested after a years-long American inquiry into the Chinese telecommunications company.
https://www.infosecurity-magazine.com/news/apache-misconfig-leaks-data-120/
ZDNet, 10 Dec 2018 Stock trading algorithms know how to read news headlines, but they don't know what's real. https://www.zdnet.com/article/market-volatility-fake-news-spooks-trading-algorithms/ selected text: Fake news and inaccurate headlines may have contributed to recent stock market volatility, as trading algorithms try to interpret market-related news. Hugh Son at CNBC reported that a note written to clients by J.P. Morgan Chase's top quant, Marko Kolanovic, blamed a media landscape that's a mix of real and fake news, which makes it easy for others to amplify negative news. The effects can be seen in that, in spite of a booming economy and positive signals, the markets are reacting strongly to this mix of negative news. High-speed trading algorithms scan news stories to try and quickly determine if there is any market-moving information that affects their portfolios. It doesn't give them much time to determine which news stories are real. For example, a few years ago stock trading algorithms were buying Berkshire Hathaway stock because actress Anne Hathaway was in the news with a new movie.
ZDNet, 12 Dec 2018 Google sued within a day after announcing latest Google+ API leak. https://www.zdnet.com/article/rhode-island-sues-google-after-latest-google-api-leak/ opening text: A day after Google announced a Google+ API leak that could have exposed the personal information of over 52.5 million users, a Rhode Island government entity filed a class-action lawsuit in a California court.
That one of the world's biggest companies rides roughshod over a court order tells you all you need to know about the giants of Silicon Valley EXCERPT: Imagine if a media company told you the name of the man accused of killing Grace Millane. Imagine if, in defiance of a very clear court ruling of interim name suppression, that company told you his name in an email -- spelling it out, even, in the subject header. Unthinkable? That's exactly what happened in the early hours of Tuesday. The media company wasn't (New Zealand's) the Herald or Stuff. It wasn't TVNZ or Newshub or RNZ. New Zealand media outlets, from the hobbyist bloggers to the biggest broadcasters, respected the proscription on naming the accused. Of course they did: they understand consequences for breaching such an order, and in fact spend significant time and resource policing their social media channels to ensure their audience doesn't breach suppression either. Not just because the courts would take action against them for doing so. They understand, too, that it would be morally odious to do so: it could risk damaging the course of justice in an appalling murder that has left a family distraught and sent waves of grief and upset through the country. The company that paid precisely zero heed to all that is a media and technology corporation from Silicon Valley. A global colossus against which all of New Zealand's media companies combined amount to a dim pixel. The company is Google. Shortly after midnight on Tuesday this week, it delivered to everyone signed up to its `what's trending in New Zealand' email the name of the 26-year-old accused of the most headlined crime in this country in 2018... https://www.theguardian.com/world/2018/dec/13/new-zealand-courts-banned-naming-grace-millanes-accused-killer-google-just-emailed-it-out
(via NNSquad) "In other words, they check victims' usernames and passwords in realtime on their own servers, and even if 2 factor authentication such as text message, authenticator app or one-tap login are enabled they can trick targets and steal that information too," Certfa Lab researchers wrote. https://arstechnica.com/information-technology/2018/12/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail/ Avoid using text messaging as a second factor whenever possible!
When you make an account with a username, email address and password, it's usual that a verification email is sent. If the password is later lost, it is again an email which is used to send the password reset link, so here we see the mechanism to make the account is the mechanism to recover the account. If you can make the account, then you possess the means to recover the account. Two factor authentication when enabled guarantees that the person attempting to log in knows the username, email, password and possesses the 2FA device. If the device is lost, email cannot be used for recovery, because then both the password and device can be compromised by access to the email address. The question then is how to recover from loss of the 2FA device, and there is no obviously easy way. It actually seems to come down to methods to obtain a partial or full proof of identity - something, critically, which was *not* required to *enable* 2FA. It is then that the mechanisms to activate and to recover 2FA are not the same, and so it can be one works while the other does not, and so it can be that 2FA is activated, but does not work, and cannot be recovered because the provided mechanisms do not or cannot work, which means the account is inaccessible. Turning on 2FA can be in and of itself a risk. (As you gentle reader may have guessed, this is what happened today, with Amazon. In the light of the recent kernel.org DNS hijack, I activated 2FA on my Amazon account. 2FA activation worked, but log in to Amazon did not, and both the 2FA resync and account recovery pages seemed broken server-side ("internal error"), and 2FA support is only available in the form of Amazon phoning you, and I cannot currently be phoned. I thought then to try my luck with AWS rather than Amazon, log in failed still but the resync page on AWS worked, and having worked, I could log into both retail Amazon and AWS. If AWS resync also had not worked, I would now be locked out of my account.)
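A small model of the argument above, added here as an illustration and not part of the post: each login or recovery mechanism is written as the set of assets it demands, the account is only as strong as its weakest path, and recoverability after losing a device is simply whether any path still fits what the user holds. The scenario names and asset labels are constructed.

```python
from itertools import chain

# Constructed scenarios: each path (login or recovery) is the set of assets
# a mechanism demands. Assets are labels, not real credentials.
BASELINE = {"login": {"password"}, "email_reset": {"email"}}
TWOFA_EMAIL_RESET = {"login": {"password", "device"}, "email_reset": {"email"}}
TWOFA_ID_RESET = {"login": {"password", "device"},
                  "id_reset": {"email", "identity_proof"}}
# What creating the account (and turning on 2FA) actually demanded.
ENROLMENT = {"email", "password"}


def minimal_takeover_sets(paths):
    """Minimal asset sets whose possession opens the account by some path."""
    sets = [frozenset(p) for p in paths.values()]
    minimal = {s for s in sets if not any(t < s for t in sets)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def weakest_link(paths):
    """Fewest assets an attacker needs across all paths: the real strength."""
    return min(len(s) for s in minimal_takeover_sets(paths))


def can_access(paths, held):
    """True if a holder of `held` satisfies at least one path."""
    return any(set(p) <= set(held) for p in paths.values())


def recovery_gap(paths, enrolment):
    """Assets a recovery path demands that neither enrolment nor login required."""
    recovery = chain.from_iterable(p for n, p in paths.items() if n != "login")
    return set(recovery) - set(enrolment) - set(paths["login"])


if __name__ == "__main__":
    for name, paths in [("baseline", BASELINE),
                        ("2FA + email reset", TWOFA_EMAIL_RESET),
                        ("2FA + identity-proof reset", TWOFA_ID_RESET)]:
        print(f"{name}: weakest link = {weakest_link(paths)} asset(s), "
              f"takeover sets = {[sorted(s) for s in minimal_takeover_sets(paths)]}")
    # The post's situation: device lost, user still holds password and email.
    print("locked out after losing device:",
          not can_access(TWOFA_ID_RESET, {"password", "email"}))
    print("recovery demands never checked at enrolment:",
          recovery_gap(TWOFA_ID_RESET, ENROLMENT))
```

The second scenario shows why email-based reset silently collapses 2FA back to one asset; the third shows the trade-off the post describes, where the bar is genuinely two assets but a user who loses the device is locked out unless the extra recovery requirement can be met.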
https://www.csoonline.com/article/3326830/security/top-10-worst-password-fails-of-2018.html
Technically Incorrect, ZDnet, 13 Dec 2018 A woman pleads with tech companies like Facebook and Twitter to stop serving her ads to intensify her grief. https://www.zdnet.com/article/shed-just-had-a-stillborn-child-tech-companies-wouldnt-let-her-forget-it/ [A summary would not do this article justice. GW]
ZDNet, 16 Dec 2018 Two vulnerabilities discovered and patched over the summer expose Jenkins servers to mass exploitation. https://www.zdnet.com/article/thousands-of-jenkins-servers-will-let-anonymous-users-become-admins/
ZDNet, 14 Dec 2018 Oh, Bing! Not again! https://www.zdnet.com/article/bing-recommends-piracy-tutorial-when-searching-for-office-2019/ opening text: Microsoft is sending users who search for Office 2019 download links via its Bing search engine to a website that teaches them the basics about pirating the company's Office suite. This happens every time users search for the term "office 2019 download" on Bing. The result is a Bing search card (highlighted search results) that links to a piracy tutorial.
Thisismoney.co.uk, Daily Mail, 5 Dec 2018 Item in newspaper seen this week. There's a lot of debate about driverless vehicles, but how much control will drivers still be allowed to have? And what about older cars (mine was made in 1988)—will they just be banned, or only allowed on the roads under strict supervision? https://www.dailymail.co.uk/money/cars/article-6462429/All-new-cars-fitted-black-box-devices-log-speed.html Big Brother is driving with you! All new cars could be fitted with black boxes to log speed and systems to slow them automatically under EU proposals
* The European Council has called for all cars to have data loggers fitted by law
* These would be able to record speed and which safety features were activated before, during and after a collision
* Proposals also want new cars to have intelligent speed assistance systems and pre-wiring so an in-car breathalyser can be installed
* Other requirements for new cars could include lane assist and fatigue monitors
*The San Francisco Chronicle* website: https://www.sfgate.com/bayarea/article/Delivery-robot-catches-fire-at-UC-Berkeley-13470063.php hmm. [The amount needed to pony up must have been a Vigil-ante. PGN]
If memory serves me correctly, back in the 1950s and 1960s we were told that one of the freedoms we enjoyed in the "Free West" was not having to constantly carry Internal Passports to be produced on demand by police and other officials. Sounded like a Killer Argument to me. What a change. Even if you don't carry an electronic ball and chain your movements could be tracked by licence plate scanners or by facial recognition. Seems more and more like Moscow or Beijing during the Cold War to me. Greyhound recently ceased operation in Western Canada, but the last time I used it in 2005 I saw someone being released from handcuffs after Vancouver Police decided that him giving the same name as a fugitive to the bus ticket agent was just a coincidence. I have never had a personal wireless digital device, so the main exposure would probably be if I bought a new automobile with some sort of wireless "feature / vulnerability". I would like to see wireless access in autos made modular: pull the module and carry on without it. Connect a plug to the engine interface for diagnosis and firmware updating. I use 100 Mbps wired Ethernet for my home network, not WiFi. At home web pages ask permission to find the location of my PC. I just say NO. I have a used laptop with wireless that started out with XP Professional, but it usually boots with Linux. For the 2015 Victoria Privacy and Security conference one of the presenters did the usual live demonstration of a Pineapple type attack. I mentioned my laptop during the Q&A session, and the fact that I had booted it with Tails from an optical disk instead of Linux from the hard drive. Such conferences are places where someone might see a challenge or an opportunity. An IBM employee gave up a phone number to Kevin Mitnick for a demo of caller ID spoofing during a previous conference. Back when I had to carry a work phone I turned off the WiFi and GPS to make the battery life last longer.
I am aware that GPS can be turned on again problematically. Calling 911 turns on GPS if it has been disabled. Our current auto is more than 10 years old and lacks that "feature". At least the e-trike I bought in 2016 does not have wireless, although it does have a USB port for powering a wireless or other device. https://www.youtube.com/watch%3Fv%3D1xbPm01fWHM
In all the Twitter clients/web interfaces I use, if I type text it is black, until Twitter or the client makes it a link and then it's blue. Just like in literally every GUI piece of software I've used for 20+ years that auto-creates hyperlinks based on what you type. If you are typing text and some of it turns blue... it's probably because it's now a hyperlink. Attach it as a text file.
This looks less like a case of recipients using "Reply to All"—which is the default mode in many mailers, making mistakes unavoidable—and more a case of senders who do not know how to use "Bcc" when sending to a large list of recipients.
John—You might be right: the AV idles until the way forward is obstacle-free. We'll have to wait for this trolley problem's outcome. Alternatively, Waymo in Chandler, AZ could share a live scenario demo with the world to prove that "My Mother the Car" is sharp enough to respectfully manage hostile pedestrian interaction. I'd put my money on the vehicle occupants, if present, to issue one or more verbal command overrides or set a new destination with their hailing application if the squeegee crew acts aggressively. If the AV is payload empty, an infinite standoff might manifest at the intersection/stop point...or not -- low fuel or diminished reserve power level might compel the AV to return to depot to refuel rather than exhaust reserves and wait for AAA for a tow. Suppose the AV is stuck due to obstacles that shuffle around it and otherwise impede forward motion—and possibly at a controlled intersection or behind another vehicle. I wonder if it'll try to rabbit should the signal light change to green or remain neutralized until obstacles clear? Possibly, AV depot control will sense a "help me I am stuck" signal and call the cops to intervene and run the squeegees off?
Having been in NYC when it had squeegee guys, this isn't the trolley problem. They dart out when the light is red, they don't deliberately block traffic, since that would get them arrested instantly.
I would not feel safe, in Baltimore particularly, of rolling down my car windows for a squeegee kid nor anyone else. Jacquelyn Smith was killed on December 1st in Baltimore when she "and her husband saw a woman asking for money. She rolled down her car window to hand over some cash when her husband said a man approached the car, reached inside to try to take Smith's purse and necklace before stabbing her. She later died at the hospital." https://www.baltimoresun.com/news/maryland/crime/bs-md-ci-jacquelyn-smith-funeral-20181213-story.html