https://www.nytimes.com/2019/09/20/us/data-privacy-fbi.html The practice, which the bureau says is vital to counterterrorism efforts, casts a much wider net than previously disclosed, newly released documents show.
[Note: This item comes from friend Steve Goldstein. DLH] [Via Dave Farber]

Zak Doffman, Forbes, 24 Sep 2019
<https://www.forbes.com/sites/zakdoffman/2019/09/24/russia-begins-installing-equipment-to-cut-its-access-to-world-wide-web/>

Earlier this year, Russian President Vladimir Putin signed the Russian Internet (RuNet) into law to protect the country's communications infrastructure in case it was disconnected from the world wide web—or so he said. Critics argued it was opening a door to a Chinese-style firewall disconnecting Russia from the outside world. Now, Alexander Zharov, the head of the federal communications regulator Roskomnadzor, has confirmed to reporters that “equipment is being installed on the networks of major telecom operators,” and RuNet will begin testing by early October. Such testing, reporters were told, is known as 'combat mode'.

When the legislation was introduced there was some debate as to whether it would work in practice. The government claimed its objective was to deal with “threats to the stable, safe and integral operation of the Russian Internet on Russian territory,” by centralizing “the general communications network.” This would work by deploying an alternative domain name system (DNS) for Russia to steer its web traffic away from international servers. ISPs are mandated to comply.

The Moscow Times reported at the time that “Russia carried out drills in mid-2014 to test the country's response to the possibility of its Internet being disconnected from the web—the secret tests reportedly showed that isolating the Russian Internet is possible, but that 'everything' would go back online within 30 minutes.”

As for this 'combat testing', Zharov has assured that everything will be done “carefully”, according to local media reports, explaining that “we will first conduct a technical check—affects traffic, does not affect traffic, do all services work.” The plan is for all of this testing to be completed by the end of October.

Although the regulator has been keen to emphasise that RuNet is only for deployment when the system is perceived to be 'in danger', there is a clear question as to where and how such a decision would be taken. Such threats have been classified as “impacts to the integrity of networks, the stability of networks, natural or man-made impacts, or security threats,” all pretty wide-ranging classifiers. Russia's recent moves to shut down cellular data traffic to stymie anti-Putin protesters and government warnings that social media access may be curtailed have not brought much confidence to its tech-savvy citizens.
Rep. Michael Waltz wants Navy to beat Army in this year's football game, according to a newly released political deepfake - a video doctored with artificial intelligence. But the content wasn't true, as Waltz is a former Army Green Beret. Waltz teamed up with Rep. Don Beyer, D-Va., to craft the mock deepfake for the House Science subcommittee to illustrate just how realistic this kind of disinformation can be. The SUNY-Albany and University of Chicago researchers took a recorded video statement from Beyer and transposed it onto Waltz's image - designed to be a jarring sight for subcommittee chair and former Navy pilot Mikie Sherrill, D-N.J. The resulting video is a warning for lawmakers - and the public - that bad actors could abuse this technology for much more nefarious purposes than having a friendly joke about a sports rivalry.

"You see how dangerous and misleading it could be; I'm sure we fooled a couple of people," Beyer said. "For instance, what if instead of 'Go Navy, Beat Army,' I said, 'It's time to impeach the president'? That would be viral everywhere."...

https://www.greenwichtime.com/news/article/Lawmakers-warn-about-threat-of-political-14472593.php
https://www.washingtonpost.com/news/powerpost/paloma/the-technology-202/2019/09/27/the-technology-202-lawmakers-warn-about-threat-of-political-deepfakes-by-creating-one/
Article: Plenty of options for customization exist on a city-wide level, including mandating that shared-ride service vehicles also be designed with cameras for neighborhood watch duties, he adds.

Seriously? That's astonishing coming from someone in privacy-aware Europe. Given what Fairfax County has just gone through regarding privacy policies and implementation details on drones and body-worn cameras, the idea of *mandating* civilian implementation of massive surveillance is a hoot.

Article: This could include a city-licensed remote vehicle monitoring center staffed with tele-operators or run by artificial intelligence capable of taking over a vehicle if the need arises.

Seriously? AI or remote driver—with no situational awareness—suddenly seizes vehicle control? What could go wrong with that?

https://www.cta.tech/News/i3/Articles/2019/July-August/How-will-Self-driving-Cars-Impact-Cities.aspx
- Survey reveals about two in five Americans are stressed out by the political climate, and one in five say they're even losing sleep.
- Nearly a third of those surveyed feel views expressed on cable news channels are driving them crazy.
- Study author believes problem is akin to a public health crisis in the country.

The past few years in American politics have been tumultuous, to say the least. Personal political beliefs aside, there is no denying that the U.S. has grown especially divided in the wake of Donald Trump's 2016 presidential election victory. Between social media bots <https://www.studyfinds.org/modern-politics-social-media-bots-will-be-harder-to-detect-during-2020-election-study-finds/>, partisan news coverage <https://www.studyfinds.org/mainstream-media-news-politics/>, and the president's frequent Twitter posts, it has never been harder for the average American to avoid being bombarded with some type of political message on an almost hourly basis. It isn't a stretch to assume that at some point all of that polarization <https://www.studyfinds.org/political-divide-america-worst-ever/> would have a negative effect on the collective well-being of the nation, and a new study conducted at the University of Nebraska-Lincoln has effectively confirmed this assumption. According to researchers, the current U.S. political climate is literally making Americans physically sick, damaging friendships, and driving many people crazy.

In March of 2017 researchers surveyed 800 Americans, selected from a pool of 1.8 million in order to create representative samples of the U.S. population. Almost 40% admitted that politics is stressing them out, and one in five even said they are losing sleep over U.S. politics. <https://www.studyfinds.org/expert-warns-lack-of-sleep-changes-dna-behavior-weight-gain-high-blood-pressure/>

“It became apparent, especially during the 2016 electoral season, that this was a polarized nation, and it was getting even more politically polarized,” comments study leader and political scientist Kevin Smith in a release. “The cost of that polarization to individuals had not fully been accounted for by social scientists or, indeed, health researchers.” <https://news.unl.edu/newsrooms/today/article/stressed-out-americans-making-themselves-sick-over-politics/>

Smith even described the study's findings as akin to a public health crisis. This study is among the first to comprehensively examine the physical and emotional cost of participating in the current U.S. political system and subsequent discourse. Of course, there have been other studies conducted on U.S. politics, but those focused primarily on economic or monetary costs...

https://www.studyfinds.org/a-nation-divided-u-s-politics-taking-physical-emotional-toll-on-americans/
The email outlined the White House's messaging strategy following the release of the rough transcript of President Trump's call with his Ukrainian counterpart. It was quickly recalled, amid ridicule from Democrats. https://www.washingtonpost.com/politics/white-house-mistakenly-sends-trump-ukraine-talking-points-to-democrats/2019/09/25/5170aa52-dfb2-11e9-b199-f638bf2c340f_story.html
https://www.npr.org/sections/health-shots/2019/09/24/762834987/as-made-to-order-dna-gets-cheaper-keeping-it-out-of-the-wrong-hands-gets-harder

'The technology needed to "write" DNA is now undergoing a similar transformation. Over the last decade, the cost of synthesizing a pair of DNA letters has dropped from about one dollar to less than 10 cents.'

'"We can actually finally afford to write this code, and we can write much more of it," says Boyle. "We're coming up with thousands of new designs on a computer, printing out the DNA for them, booting up that DNA, seeing what it does and then iterating on those designs."'

Risk: Biotoxic, viral defect escape.
Hackers searching for technical secrets, security sources say. China link suspected. https://t.co/8LFEokucaV (Twitter via IFTTT <action@ifttt.com>)
https://www.wired.com/story/feds-boeing-737s-better-designed-humans/
Opinion: Grounded by mid-20th-century technology, air traffic controllers cannot handle the ongoing demands of commercial airlines and drones. https://www.wired.com/story/the-dangers-of-delaying-faa-modernization/
https://www.nytimes.com/2019/09/24/opinion/facebook-google-apps-data.html
A new Exim patch has been released for a critical vulnerability in the world's most popular MX server. The second this month. https://exim.org/static/doc/security/CVE-2019-16928.txt https://www.bleepingcomputer.com/news/security/new-exim-vulnerability-exposes-servers-to-dos-attacks-rce-risks/
https://arstechnica.com/information-technology/2019/09/attackers-used-one-click-exploits-to-target-tibetans-ios-and-android-phones/
https://www.businessinsider.com/peloton-bike-tablets-rooted-watch-netflix-spotify-hacked-cheat-leaderboards-2019-9
Inmates built computers hidden in ceiling, connected them to prison network https://arstechnica.com/tech-policy/2017/04/inmates-built-computers-hidden-in-ceiling-connected-them-to-prison-network/ Randall Meyer, the Ohio inspector general, said the prison's lax supervision allowed a situation akin to "an episode from Hogan's Heroes."
Here on OpenStreetMap, "They are blocking my edits to North Korea", "They are blocking my edits to South Korea", might all in fact be due to a portion of the border lying right along a map tile boundary, and different tiles getting refreshed in one's browser not at the same time. All quite innocent. Something similar fooled me in https://github.com/gravitystorm/openstreetmap-carto/issues/3906 . So OK, if there seems to be some unfairness going on, first check if it is happening along an edge of a country, city, building, etc. that runs due north/south/east/west...
Companies and governments are gaining new powers to follow people across the Internet and around the world, and even to peer into their genomes. The benefits of such advances have been apparent for years; the costs—in anonymity, even autonomy—are now becoming clearer. The boundaries of privacy are in dispute, and its future is in doubt. Citizens, politicians and business leaders are asking if societies are making the wisest tradeoffs. The Times is embarking on this months-long project to explore the technology and where it's taking us, and to convene debate about how it can best help realize human potential.

By now you probably know that your apps ask for permission to tap into loads of data. They request device information, like advertiser IDs, which companies use to build marketing profiles. There's data the companies explicitly ask for via a pop-up window, like access to contacts or your camera roll. And then there's tracking that is especially invasive, like access to your microphone or your phone's gyroscope or location tracking data. What you probably didn't know is that by downloading those apps and entering into those contracts, you're also exposing your sensitive information to dozens of other technology companies, ad networks, data brokers and aggregators. Sometimes the information is shared with global tech giants; other times it's with small companies you've never heard of.

The data is transmitted—or in some cases leaked—via software development kits (SDKs). They are essentially developer shortcuts, a set of tools or a library of code that developers can import from a third party so that they don't have to build them from scratch. Because they're so useful to app developers, SDKs are embedded into thousands of apps, ranging from mundane weather services to mobile games and even in some health apps.

Facebook, Google and Amazon, for example, have extremely popular SDKs that allow smaller apps to connect to bigger companies' ad platforms or help provide web traffic analytics or payment infrastructure. In exchange, the SDK makers receive user data from that app. Just how much data is often unclear. And once the companies have it, there are no restrictions on what they can do with it. Theoretically, they could turn around and sell that data for profit.

Last December I reported on how Facebook's SDK was collecting information from apps like Tinder and Grindr as well as various pregnancy and religious apps. Among the information sent to Facebook: your device IP address and type, the time of use and your advertising ID. While the data is supposedly anonymized, the advertising ID makes it extremely easy for bigger companies like Facebook to identify and link third-party app information to existing Facebook users (if you've logged into Facebook on your phone or downloaded the app, Facebook can theoretically match that advertising ID with the ID transmitted through the SDK).

SDKs become particularly concerning when embedded inside apps that contain sensitive information. This month BuzzFeed News reported that period tracker apps were sending highly personal data to Facebook via SDKs, including when women last had sex. And it's not just Facebook; small tech companies and ad networks with unknown business practices provide SDKs to apps, and hoover up and potentially expose information. In 2018, a researcher for Kaspersky Labs “found 4 million Android apps were sending unencrypted user profile data, such as names, ages, incomes, phone numbers and email addresses—and, in one example, dates of birth, user names and GPS coordinates” from the app to the advertisers' servers.

To get a sense of how prevalent SDKs are, I used Mighty Signal, a tool that tracks the SDKs embedded inside tens of thousands of apps, to search around for sensitive categories. I quickly found Period Tracker, an Android app with more than 100 million downloads, according to the site. Mighty Signal listed 26 SDKs embedded in the app from Facebook and Google as well as smaller tech companies, each one transmitting potentially sensitive information. Feeld, an app that originally started as a way for couples and singles to participate in group hookups, currently has 42 installed SDKs and 52 previously installed SDKs on its iOS app. While it's unclear exactly what information is being shared, each third party that's receiving sensitive information is a potential vulnerability. In the case of some SDKs, which belong to ad networks or smaller analytics firms, the companies may be bought or sold, so the data could change hands without its owners knowing.

Nearly every advertising industry source I've spoken with requested anonymity to speak about SDKs, in part because their companies were using them in some way to collect data. One described the industry, which isn't meaningfully regulated or monitored, as the Wild West. “It's the industry standard,” an online ad industry veteran told me. “And every app is potentially leaking data to five or 10 other apps. Every SDK is taking your data and doing something different—combining it with other data to learn more about you. It's happening even if the company says we don't share data. Because they're not technically sharing it; the SDK is just pulling it out. Nobody has any privacy.”

https://www.nytimes.com/interactive/2019/opinion/internet-privacy-project.html
The senior Twitter executive with editorial responsibility for the Middle East is also a part-time officer in the British Army's psychological warfare unit, Middle East Eye has established. Gordon MacMillan, who joined the social media company's UK office six years ago, has for several years also served with the 77th Brigade, a unit formed in 2015 in order to develop 'non-lethal' ways of waging war. The 77th Brigade uses social media platforms such as Twitter, Instagram and Facebook, as well as podcasts, data analysis and audience research to wage what the head of the UK military, General Nick Carter, describes as 'information warfare'. https://www.middleeasteye.net/news/twitter-executive-also-part-time-officer-uk-army-psychological-warfare-unit
Catalin Cimpanu for Zero Day | 25 Sep 2019 https://www.zdnet.com/article/heyyo-dating-app-leaked-users-personal-data-photos-location-data-more/ Another dating app fails to secure production server and puts users at risk. selected text: Online dating app Heyyo has made the same mistake that thousands of companies have made before it—namely, it left a server exposed on the Internet without a password. This leaky server, an Elasticsearch instance, exposed the personal details, images, location data, phone numbers, and dating preferences for nearly 72,000 users, believed to be the app's entire userbase. During the time we looked at the database, it also became clear that the server was a live production system and not an older server used for tests or storing backups. The number of registered users grew from 71,769 to 71,921 in the time we looked at the data. We also registered a test account, and we saw it appear on the server within seconds. To show how intrusive the leak could be, we performed a simple test. We took the details of three random users, and in a few minutes, using Google search queries and simple OSINT (open-source intelligence) scripts downloaded from GitHub, we easily tracked down and linked the three users to their real-life identities, LinkedIn profiles, social media accounts, and even posts they made on niche Internet forums. Since we're talking about a dating website, this type of information could be used for stalking or extorting users with information about their dating life and habits. This is not a hypothetical scenario. These types of extortion campaigns have happened in the past, especially after the Ashley Madison data breach.
Police found him lost in Charleston, and he was returned to his family. https://www.washingtonpost.com/nation/2019/09/25/an-year-old-drove-miles-alone-live-with-man-he-met-snapchat-police-say/
Charlie Osborne, ZDNet, 24 Sep 2019, via ACM TechNews, 27 Sep 2019

The recent growth in the adoption of cloud-based technologies and Infrastructure as a Service (IaaS) has resulted in loss of information caused by misconfigurations and weak credentials in the public cloud space. Researchers at McAfee say that only 1% of IaaS misconfigurations are reported, suggesting there are numerous companies around the world unwittingly leaking data. The researchers surveyed 1,000 IT professionals from 11 countries and aggregated cloud usage data from over 30 million McAfee Mvision cloud users. The team found that while companies believe they average 37 IaaS misconfiguration issues per month, in reality the figure is closer to 3,500. The majority (90%) of respondents said they had encountered security issues with IaaS, but only 26% said they were equipped to handle misconfiguration audits. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-21b8cx21df34x070237&
Mark Niesse, *Atlanta Journal-Constitution*, 26 Sep 2019 via ACM TechNews

A report from the DEF CON Voting Machine Hacking Village conference described the discovery of a hack for commandeering ballot-scanning machines similar to those soon to be deployed in Georgia. Hackers at the conference seeking weaknesses in voting technology broke into the scanner with a screwdriver and replaced a memory card, allowing them to run their own operating system. Jeremy Epstein, vice chair of ACM's U.S. Technology Policy Committee and an election and cybersecurity expert, said the conference report emphasizes the need for both strong paper-ballot audits and physical security of voting equipment. Said Epstein, "The good thing about the paper ballots, unlike the touchscreen machines historically used in Georgia, is in the worst case the paper ballots are in a box" that can be used to verify votes are tabulated accurately. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-21b8cx21df38x070237&
https://arstechnica.com/information-technology/2019/09/developer-of-checkm8-explains-why-idevice-jailbreak-exploit-is-a-game-changer/
for using 369 Instagram accounts to harass bodybuilding colleagues and allegedly faking her daughter's kidnapping. https://www.businessinsider.com/fitness-influencer-tammy-steffen-jailed-instagram-fake-kidnapping-florida-2019-9
What is a blockchain smartphone? Should you buy one now? You're in the market for a new smartphone. There are all the usual suspects: Huawei, Samsung, Apple, and so on. But a new trend caught your eye: the blockchain smartphone. What is a blockchain smartphone? Should you bother buying one? And how do they compare to a regular smartphone? Here's what you need to know about blockchain smartphones. https://blocksdecoded.com/what-is-blockchain-smartphone-should-you-buy-one/
My 14-year-old is finally taking an interest in me. [...] https://i.redd.it/drudi6wikgo31.jpg
Google has confirmed the existence of an issue in a Chrome update that has reportedly affected movie studios that use the Avid video editing suite on the cylindrical Mac Pro, with the company offering a solution to the issue it claims will recover affected machines. https://appleinsider.com/articles/19/09/25/google-chrome-update-corrupting-some-macos-installs----but-theres-a-fix