*Ambassador Daniel Benjamin is director of the John Sloan Dickey Center for International Understanding at Dartmouth College and served as coordinator for counterterrorism at the State Department 2009-2012. Steven Simon is visiting professor of history at Amherst College. He served as the National Security Council senior director for counterterrorism and for the Middle East and North Africa, respectively, in the Clinton and Obama administrations.* EXCERPT: Who really bombed the oil tankers in the Persian Gulf two weeks ago? Was it Iran, as the Trump administration assured us? Or was it Saudi Arabia, the United Arab Emirates or Israel—or some combination of the three? Here's a confession from two former senior government officials: For days after the attacks, we weren't sure. Both of us believed in all sincerity there was a good chance these actions were part of a false flag operation, an effort by outsiders to trigger a war between the United States and Iran. Even the film of Iranians hauling in an unexploded limpet mine from near the side of a tanker, we reasoned, might be a fabrication—deep fake footage just like the clip of Nancy Pelosi staggering around drunk. Perhaps you felt that way too. But for the two of us, with 30 years of government service and almost 20 more as think tankers between us—this was shocking. Yes, we are card-carrying members of the Blob, the all-too-conventionally minded Washington foreign policy establishment, but we weren't sure whether to believe our government or not. This was more than a little disconcerting. Imagine waking up one morning and catching yourself thinking that alt-right conspiracy theorist Alex Jones was making good sense, that perhaps the Sandy Hook shooting was faked or that the 9/11 attacks were really an inside job? Imagine what it might be like to be in the grip of a conspiracy theory, when you've spent your whole professional life being one of those policy mandarins who could smell a conspiracy theory a mile away?... 
https://www.politico.com/magazine/story/2019/07/05/fake-news-real-war-227272
http://www.mtr.com.hk/archive/corporate/en/press_release/PR-19-044-E.pdf

MTR (the operators of the Hong Kong metro) are converting several lines to use the Thales/Alstom SelTrac system. During a test of the system outside service hours, the computer signalled two trains onto intersecting tracks, resulting in a collision; one driver was slightly injured.

In this system, there are no fixed signals beside the track indicating whether it is safe to proceed. Instead, the central control computer gives each train a "movement authority" indicating exactly where it is allowed to proceed to. Only when the rear of the train passes an intersection is another train given a movement authority that passes over the same intersection. These authorities are updated every few seconds.

Each control area (the line in question has two) has three control computers: A (normally active), B (hot standby), and C (warm standby). All three are the same design and run the same software. Computer C is at a different physical location. Computer A keeps B constantly updated with the complete status but, to prevent common-mode failures, it only passes some data to computer C. In particular, the "Conflict Zone Data" (which I am guessing is a table of which train is allowed on a given intersection) is not passed across; computer C is expected to re-compute it independently.

During the test, computers A and B were both turned off, causing computer C to take over. At this point C does not transmit any movement authorities to the trains, which therefore all make an emergency stop. The traffic controller (a person in the control centre) then tells C to allow each train in turn to depart, giving it a new movement authority.

The report's conclusions are:
(1) The software development documentation did not state that the conflict zone data was not passed to computer C, so no test and safety analysis was done.
(2) A bug in the software meant that computer C failed to recalculate the conflict zone data correctly, allowing the collision.
(3) The take-over process did not require the conflict zone data to be present before C moved from warm backup state to active state.
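A toy model of the movement-authority and Conflict Zone Data logic described in this item, added here as an example; it is not MTR's or Thales's code, and the class names, the abstract position units and the two-train scenario are constructed for illustration. It contrasts a standby that rebuilds the zone table before going active with one that goes active with an empty table, the failure modes behind conclusions (2) and (3).

```python
"""Toy model of movement authorities and Conflict Zone Data (constructed
example; not MTR or Thales code, and the names and units are assumptions)."""
from dataclasses import dataclass, field


@dataclass
class Train:
    name: str
    head: int       # front of the train, in abstract track units along the line
    length: int

    @property
    def rear(self) -> int:
        return self.head - self.length


@dataclass
class Interlocking:
    """Holds the Conflict Zone Data: which train currently owns each junction."""
    junctions: dict                              # junction id -> track position
    owner: dict = field(default_factory=dict)    # junction id -> train name

    def recompute_from_positions(self, trains):
        """Rebuild zone ownership from reported train positions; this is the
        work a warm standby must do when the table is not replicated to it."""
        self.owner = {}
        for j, pos in self.junctions.items():
            for t in trains:
                if t.rear <= pos <= t.head:      # the train's body covers the junction
                    self.owner[j] = t.name
        return dict(self.owner)

    def grant_authority(self, train, target):
        """Return how far `train` may proceed towards `target`. Free junctions on
        the way are reserved for it; the first junction held by another train
        caps the authority one unit short of that junction."""
        limit = target
        for j, pos in sorted(self.junctions.items(), key=lambda kv: kv[1]):
            if not (train.head < pos <= target):
                continue
            holder = self.owner.get(j)
            if holder not in (None, train.name):
                limit = pos - 1
                break
            self.owner[j] = train.name
        return limit

    def release_cleared(self, train):
        """Release a junction only once the rear of the train has passed it."""
        for j, pos in self.junctions.items():
            if self.owner.get(j) == train.name and train.rear > pos:
                del self.owner[j]


class TakeoverRefused(RuntimeError):
    pass


def standby_take_over(snapshot, trains, allow_recompute=False):
    """Bring a standby to the active state from the state replicated by the
    active computer. Per conclusion (3), going active requires the Conflict
    Zone Data: take it from the snapshot, rebuild it when explicitly allowed,
    or refuse to take over rather than start with an empty table."""
    ilk = Interlocking(junctions=dict(snapshot["junctions"]))
    if "conflict_zones" in snapshot:
        ilk.owner = dict(snapshot["conflict_zones"])
    elif allow_recompute:
        ilk.recompute_from_positions(trains)
    else:
        raise TakeoverRefused("Conflict Zone Data missing; cannot go active")
    return ilk


def takeover_without_data_is_refused():
    """Conclusion (3) as a check: no data and no permission to recompute means no takeover."""
    try:
        standby_take_over({"junctions": {"J1": 50}}, [])
    except TakeoverRefused:
        return True
    return False


def collision_scenario():
    """Constructed scenario: T1 stands on junction J1 while T2 approaches it.
    Compare the authority issued after a correct recompute with the one a
    standby that went active with an empty table would issue (conclusion (2))."""
    junctions = {"J1": 50}
    standing = Train("T1", head=55, length=10)       # rear at 45, so it covers J1
    approaching = Train("T2", head=40, length=10)
    trains = [standing, approaching]

    good = standby_take_over({"junctions": junctions}, trains, allow_recompute=True)
    safe_limit = good.grant_authority(approaching, target=60)       # 49: stops short of J1

    buggy = Interlocking(junctions=dict(junctions))                  # empty Conflict Zone Data
    unsafe_limit = buggy.grant_authority(approaching, target=60)     # 60: straight through J1
    return safe_limit, unsafe_limit
```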
In February 2019, a deep draft vessel on an international voyage bound for the Port of New York and New Jersey reported that they were experiencing a significant cyber-incident impacting their shipboard network. An inter-agency team of cyber-experts, led by the Coast Guard, responded and conducted an analysis of the vessel's network and essential control systems. The team concluded that although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted. Nevertheless, the interagency response found that the vessel was operating without effective cybersecurity measures in place, exposing critical vessel control systems to significant vulnerabilities. https://www.dco.uscg.mil/Portals/9/DCO Documents/5p/CG-5PC/INV/Alerts/0619.pdf
Catalin Cimpanu for Zero Day | 9 Jul 2019 https://www.zdnet.com/article/vulnerabilities-found-in-ge-anesthesia-machines/ GE recommends not connecting vulnerable anesthesia machines to hospital networks. Security researchers have discovered vulnerabilities in two models of hospital anesthesia machines manufactured by General Electric (GE). The two devices found to be vulnerable are GE Aestiva and GE Aespire -- models 7100 and 7900. According to researchers from CyberMDX, a healthcare cybersecurity firm, the vulnerabilities reside in the two devices' firmware. CyberMDX said attackers on the same network as the devices—a hospital's network—can send remote commands that can alter devices' settings. The researcher claims the commands can be used to make unauthorized adjustments to the anesthetic machines' gas composition, such as modifying the concentration of oxygen, CO2, N2O, and other anesthetic agents, or the gas' barometric pressure. CyberMDX said that such unauthorized modifications could put patients at risk. Furthermore, attackers could also silence device alarms for low/high levels of various agents and modify timestamps inside logs.
Companies are trying to rein in medical misinformation on social media, but the problem isn't just technological. It's also human. https://www.washingtonpost.com/lifestyle/style/they-turn-to-facebook-and-youtube-to-find-a-cure-for-cancer--and-get-sucked-into-a-world-of-bogus-medicine/2019/06/25/6df3ddae-7cdc-11e9-a5b3-34f3edf1351e_story.html
Greg Nichols for Robotics | 10 Jul 2019 Safety is a massive unaddressed issue in the rapidly evolving automation sector. https://www.zdnet.com/article/robot-that-started-fire-costs-ocado-137m/ In February, a robot at an Ocado fulfillment warehouse sparked a massive fire. The warehouse was destroyed, and the British grocer has just revealed the price tag of the damage: $137M.
https://www.bbc.com/news/technology-48935111 "A type of anaesthetic machine that has been used in NHS hospitals can be hacked and controlled from afar if left accessible on a hospital computer network, a cyber-security company says. "A successful attacker would be able to change the amount of anaesthetic delivered to a patient, CyberMDX said." The DHS CERT link https://www.us-cert.gov/ics/advisories/icsma-19-190-01. I have been digging into FDA MAUDE on a different device class over the past few months, and wrote a crawler using mechanize.py and beautifulsoup4 to fish through the HTML reports. It was easy enough to find medical device reports (MDRs) on the anesthesia machines mentioned in the BBC article. For instance: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/detail.cfm?mdrfoi__id=8319602 "'the hospital reported a patient had cardiac arrest during a case. It was alleged the ventilator had stopped mechanically ventilating in pressure mode towards the end of the case without alarming. It was unknown how long ventilation had stopped. The patient was resuscitated and remains in the icu." This particular MDR, submitted by the manufacturer, is curious because it lists the device manufacturing date as 01/01/1970! Must be a typo. Another MDR: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/detail.cfm?mdrfoi__id=8451207 "It was reported that when replacing a failing internal power backup battery, our company representative noticed that the battery had leaked battery acid into the battery compartment of the anesthesia workstation. There was no injury reported. (b)(4)." The following Pareto documents deaths, malfunctions, and injuries reported for all devices assigned the product code BSZ—gas-machine, anesthesia. The product code includes all manufacturers, including the Aespire and Aestiva 7100 and 7900 mentioned in the article. 
Here's the data from 01JAN2017-30JUN2019:

Deaths: 9
Injury: 65
Malfunctions: as shown per period (5181 total, average ~370 +/- 107 per 60 days, or ~6 per day).

  Period                   Malfunctions
  01/01/2017-02/28/2017    364
  03/01/2017-04/30/2017    344
  05/01/2017-06/30/2017    424
  07/01/2017-08/31/2017    391
  09/01/2017-10/31/2017    346
  11/01/2017-12/31/2017    470
  01/01/2018-02/28/2018    369
  03/01/2018-04/30/2018    389
  05/01/2018-06/30/2018    420
  07/01/2018-08/31/2018    425
  09/01/2018-10/31/2018    459
  11/01/2018-12/31/2018    489
  01/01/2019-03/31/2019     88
  04/01/2019-06/30/2019    203

Note that FDA's MAUDE platform carries a long list of disclaimers and advisory information about the Medical Device Report Content. Among them are: "MDR data alone cannot be used to establish rates of events, evaluate a change in event rates over time or compare event rates between devices. The number of reports cannot be interpreted or used in isolation to reach conclusions about the existence, severity, or frequency of problems associated with devices." Find the full list at https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/search.cfm
https://federalregister.gov/d/2019-14141 Meeting Sept 10 in Maryland, open to the public, and comments can be sent by July 30. Requests to speak are due by July 22. The committee receiving comments does not approve/disapprove medical devices. They advise on "which factors should be considered by FDA and industry when communicating cybersecurity risks to patients and to the public, including but not limited to the content, phrasing, the methods used to disseminate the message and the timing of that communication. The recommendations will also address concerns patients have about changes to their devices to reduce cybersecurity risk... background material available to the public no later than 2 business days before the meeting... at https://www.fda.gov/advisory-committees/committees-and-meeting-materials/patient-engagement-advisory-committee The committee members seem politically connected, and not cyber experts, so one hopes they would value expert comments. https://www.fda.gov/advisory-committees/patient-engagement-advisory-committee/roster-patient-engagement-advisory-committee FDA has pages of guidance on communicating device risks (pages 7, 13-15, 39), though not yet on cyber specifically. https://www.fda.gov/media/71030/download
The EU's "Galileo" GPS system is down. And it remains down, except for search and rescue transmissions functionality: https://www.bbc.com/news/science-environment-48985399
A solar-powered winged robot has become the lightest machine capable of flying without being attached to a power source. Weighing just 259 milligrams, the insect-inspired RoboBee X-Wing has four wings that flap 170 times per second. It has a wingspan of 3.5 centimetres and stands 6.5 centimetres high. The flying robot was developed by Noah Jafferis and his colleagues at Harvard University... https://www.newscientist.com/article/dn24638-four-winged-robot-flies-like-a-jellyfish/ https://www.newscientist.com/article/0-watch-this-robotic-fruit-fly-swoop-dive-and-perform-impressive-flips/ https://www.newscientist.com/article/2207687-tiny-flying-insect-robot-has-four-wings-and-weighs-under-a-gram [Not encouraging. The equivalent of a mosquito bite can be deadly. PGN]
The Japanese operator of the ubiquitous Seven-Eleven chain introduced its smartphone-based payment system on July 1st. It has been hacked since day 1, and the press conference announcing the limited operation to protect the users revealed that the president of the operation did not know what "two stage authentication" is, and its VIP of IT claimed that the system did not have any security issues, whereas
- the system did not have two-stage authentication, and
- the system would send out the link to change the password to an e-mail address that is *NOT* the original e-mail address that was used when the user registered for the service, etc.
An unbelievable lapse of proper security. No wonder it was abused from day 1. The press reported that about 900 users' accounts were abused and about 55,000,000 JPN YEN (about half a million US dollars) was used by third parties to buy easy-to-cash items such as cigarette cartons. I have read about the lapse of security mechanisms and could not believe a big-name company like Seven-Eleven would let such a system be put into operation. But it did. To be honest, ever since the emergence of web-based services, I have noticed a drop in the quality of software in general, not to mention the security side of the services, but this confirms my suspicion that there are many improperly trained so-called professionals in the ICT industry in Japan. But I am afraid that the situation may not be that great in other countries, either. Some English articles from the Japan Times: https://www.japantimes.co.jp/news/2019/07/04/business/corporate-business/users-7-elevens-mobile-payment-service-lose-total-¥55-million-900-accounts-hacked/ https://www.japantimes.co.jp/news/2019/07/06/national/crime-legal/government-urges-seven-eleven-japan-beef-security-7pay-mobile-payment-fraud/ Seven-Eleven has a lot to explain and clean up, and must improve its internal ID system, which I suspect was already known to be vulnerable to crackers.
https://theintercept.com/2019/07/05/border-patrol-facebook-group/ [via NNSquad]
https://www.theverge.com/2019/7/6/20683177/china-missile-semiconductors-trial-professor-yi-chi-shih-guilty
Don't be surprised if you're arrested next time you visit the UK. Facial recognition technology trialed by the Metropolitan Police is reportedly 81 percent inaccurate. The system, according to a study by the University of Essex, mistakenly targets four out of five innocent people as wanted suspects. It is likely to be found unlawful if challenged in court. In order to compile an independent report on the London police service's testing, Peter Fussey and Daragh Murray were granted what the University called *unprecedented* access to six of the 10 trials, completed between June 2018 and February 2019. The pair joined officers in LFR control rooms and on the ground; they also attended briefing and debriefing sessions and planning meetings... https://www.geek.com/tech/london-polices-facial-recognition-system-has-81-percent-error-rate-1794564/
https://www.zdnet.com/article/gdpr-record-british-airways-fine-shows-how-data-protection-legislation-is-beginning-to-bite/ Danny Palmer | 8 Jul 2019 The ICO's proposed £183m fine should act as a wake-up call for other organisations: make sure your cybersecurity and data protection policies are GDPR-compliant - or you could be next. opening text: It was always only a matter of time, and a little over a year after General Data Protection Regulation (GDPR) came into force across Europe, a data protection agency has announced plans to issue the first mega-fine as the result of a data breach.
Commission alleged the company failed to secure its routers and Internet-connected cameras Smart home products manufacturer D-Link Systems, Inc., has agreed to implement a comprehensive software security program in order to settle Federal Trade Commission allegations over misrepresentations that the company took reasonable steps to secure its wireless routers and Internet-connected cameras. The settlement ends FTC litigation against D-Link stemming from a 2017 complaint <https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate> in which the agency alleged that, despite claims touting device security, vulnerabilities in the company's routers and Internet-connected cameras left sensitive consumer information, including live video and audio feeds, exposed to third parties and vulnerable to hackers. “We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users' most sensitive personal information to prying eyes,” said Andrew Smith, Director of the FTC's Bureau of Consumer Protection. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.” Despite promoting the security of its products by claiming it offered “advanced network security,” D-Link failed to perform basic secure software development, including testing and remediation to address well-known and preventable security flaws, according to the FTC's complaint. These flaws included using hard-coded login credentials on its D-Link camera software with the easily guessed username and password, “guest,” and storing mobile app login credentials in clear, readable text on a user's mobile device. 
As part of the proposed settlement, D-Link is required <https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf> to implement a comprehensive software security program, including specific steps to ensure that its Internet-connected cameras and routers are secure. This includes implementing security planning, threat modeling, testing for vulnerabilities before releasing products, ongoing monitoring to address security flaws, and automatic firmware updates, as well as accepting vulnerability reports from security researchers. In addition, D-Link is required for 10 years to obtain biennial, independent, third-party assessments of its software security program. The assessor must keep all documents it relies on for its assessment for five years and provide them to the Commission upon request. The settlement also requires the assessor to identify specific evidence for its findings—and not rely solely on the assertions of D-Link's management. Finally, the order gives the FTC authority to approve the third-party assessor D-Link chooses. https://www.ftc.gov/news-events/press-releases/2019/07/d-link-agrees-make-security-enhancements-settle-ftc-litigation
https://www.washingtonpost.com/local/as-florida-cities-use-insurance-to-pay-1-million-in-ransoms-to-hackers-baltimore-and-maryland-weigh-getting-covered/2019/07/06/d1c0dc16-9f77-11e9-9ed4-c9089972ad5a_story.html
https://www.washingtonpost.com/transportation/2019/06/26/house-democrats-introduce-bill-tighten-airport-security-stings/
If you want to see the face of a CEO of a company which has just introduced new ERP software, look at https://www.faz.net/aktuell/wirtschaft/erp-software-chaos-erzuernt-liqui-moly-chef-ernst-prost-16277813.html (the article itself is in German). ERP (enterprise resource planning) software is absolutely central to what companies do these days - almost all business processes are done using this software. The company in question, Liqui Moly, has just switched from home-grown COBOL programs to an ERP supplier and is now facing increased costs and delays in their business processes ("Only the hourglass is running on everybody's screen..."). To keep delivery dates, new people have to be hired, containers are only half filled, trucks have to wait, and expensive air freight needs to be booked. The vendor for his ERP software is not mentioned, because "this is such a typical problem." And yet, this kind of thing has attracted very little attention, probably because nobody likes to talk about their failures. Let us hope that this article helps to break the circle of silence.
Mark Scott and Laurens Cerulus, Politico Europe: Europe's privacy watchdogs are looking to beef up restrictions for the use of facial recognition in a move that will affect how governments and big tech companies use the technology. Data protection agencies will discuss new guidelines Tuesday at a joint meeting in Brussels that would reclassify facial recognition data as biometric data, which under European privacy rules requires explicit consent from the person whose data is being collected. Under the GDPR, biometric information—a category under which the technology would soon fall—is considered as sensitive data, meaning that its collection is prohibited https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/how-my-personal-data-protected/how-data-my-religious-beliefs-sexual-orientation-health-political-views-protected_en?utm_source=POLITICO.EU unless individuals give explicit consent or the information has been made public. The draft change, which was confirmed by two data protection officials from different authorities who spoke on the condition of anonymity because the guidelines are not yet public, has potentially far-reaching impact at a time when facial recognition tools are becoming more widespread in public spaces and consumer technology. More stringent demands for consent could challenge police forces and security services that are turning to facial recognition to keep tabs on crowds, with experiments already under way or completed in London, https://politico.us8.list-manage.com/track/click?u=e26c1a1c392386a968d02fdbc They are also likely to weigh on tech companies like Facebook. The social media giant reintroduced its use of facial recognition https://politico.us8.list-manage.com/track/click?u=e26c1a1c392386a968d02fdbc in Europe last year following a ban. 
The company had used the onset of the General Data Protection Regulation (GDPR) as a chance to ask users whether they want to opt in to using the platform's facial recognition tool for automatic tagging of their photographs. At the time, privacy activists argued that the consent was not valid because even users who opted out would have their biometric data scanned. The Irish Data Protection agency—Facebook's lead regulator within the EU—sought guidance from other European agencies. A spokesman for Facebook declined to comment. “We'll get the right level of consent to use facial recognition going forward,” Stephen Deadman, Facebook's global deputy chief privacy officer, said in an interview last year in reference to the technology's rollout in Europe. If companies and governments fail to obtain a higher level of consent, they may not be able to deploy facial recognition tools. Current tools for obtaining consent for video surveillance, like signs informing people that they are being recorded, are not likely to meet the higher standard of consent required for collection of biometric data. The guidelines are expected to go through a public consultation process before being finalized by the watchdogs. A spokesperson for the European Data Protection Board, the pan-EU group of privacy regulators, declined to comment.
Woody Leonhard, Columnist, Computerworld | PT https://www.computerworld.com/article/3408496/new-windows-7-security-only-update-installs-telemetrysnooping-uh-feature.html Three years ago, Microsoft promised to keep Win7 and 8.1 updated with two tracks of patches—Monthly Rollups that include everything and "security-only" patches that are supposed to be limited to security fixes. Guess what just happened.
Ed Bott, ZDNet, 8 Jul 2019 https://www.zdnet.com/article/the-windows-10-misinformation-machine-fires-up-again/ The loudest voices screaming about Windows 10 sometimes have no idea what they're talking about. Case in point: This dire warning from Gordon Kelly at Forbes, who is as ill-informed as ever. opening text: Gordon Kelly of Forbes is at it again, pushing his unique blend of scary words about Windows 10, mixed with an absolutely overwhelming lack of knowledge about the underlying technologies. [And so on. He then debunks Kelly. The risk? At least one of them is wrong. There is a lot of wrong data out there. Too many people have an overly high opinion of their opinions. (It is hard to avoid, and I do not think that I do a perfect job myself.) In the middle of this mess, we have to work out what is or appears to be true and decide what to do. I wish it were easier.]
Steven J. Vaughan-Nichols, Computerworld For months Microsoft hid the fact that its Registry backup feature no longer worked, while Windows 10 kept reporting that it was completing successfully. What were you thinking, guys? https://www.computerworld.com/article/3406846/wtf-microsoft.html selected text: When things have gone wrong on standalone Windows machines—and they often have—one of my repair tricks of last resort has been to restore the Windows Registry to an earlier known good state. A lot of times, doing a restore was faster than a backup. Good thing I haven't had to do that lately, though. Microsoft quietly removed this feature in October 2018's Windows 10 version 1803. But it didn't bother to tell users about it until late June 2019. But let's get back to the really important question for Microsoft: Why did you hide this from users? Windows kept reporting that the backups were being *completed successfully*. But were you to browse to the \Windows\System32\config\RegBack folder in Windows Explorer, you would see each Registry hive backup—with a size of 0Kbit. Zero. I said “were you to browse,” meaning on the slim, not to say minuscule, chance that you would do this. I mean, I always dive deep into obscure file folders to make sure the operating system isn't lying to me when it tells me a job has been completed. Doesn't everyone? That is the real pain in the rump of this entire affair: not that the feature is missing, but that Windows lied to its users, and Microsoft hid this from us for months. That is unacceptable.
Liam Tung, ZDNet, 9 Jul 2019 Did Raspberry Pi Foundation fail to test Raspberry Pi 4 properly? Either way, one expert says new flagship is not USB-C compliant and must be fixed. https://www.zdnet.com/article/raspberry-pi-4-wont-work-with-some-power-cables-due-to-its-usb-c-design-flaw/ opening text: The Raspberry Pi Foundation has confirmed its brand-new Raspberry Pi 4 Model B has a problem with some USB-C cables failing to charge the little computer. The Raspberry Pi 4 is the first version to include a USB-C port capable of supplying power to it. The problem, as some early users have found, is that certain charging cables don't work. But they would have if the Raspberry Pi Foundation had simply followed the USB-C specification to the letter.
Forwarded message: Seems to be specific to Mac users of the Zoom videoconferencing app, but all should check your settings. https://www.forbes.com/sites/zakdoffman/2019/07/09/warning-as-millions-of-zoom-users-risk-webcam-hijack-change-your-settings-now/ I have a tough-to-hack handy slide shield over my iPad camera (not that iOS seems implicated in this risk).
That decision, likely to be cemented by county commissioners Tuesday, has raised questions from a science advocacy organization, the Center for Scientific Evidence in Public Issues (EPI Center). It recommends the use of paper ballots as a way of ensuring that votes are counted securely and accurately. But Freda Ragan, the county's elections administrator, countered Monday that the type of machines selected, known as direct recording electronic machines (DREs), are highly secure, with redundancies built in and no remote access. The system should be familiar to voters, while making the path smooth for the county's elections office, she said. "There are currently no state mandates or requirements for counties to purchase paper," Ragan said. The system the county likely will purchase does have the ability to be converted to paper ballots, "if we are ever required or mandated to do so," she said. Ragan said in an email last week the voting program being considered, Texas-based Hart InterCivic's Verity Voting system, is already in use throughout the state. The system attained certification from the federal U.S. Election Assistance Commission, she said, and successfully has passed through Texas Secretary of State Elections Office independent testing and certification processes. To be awarded certification at the federal level, by the EAC, and to attain state certification, which is required in Texas, voting systems must meet or exceed established security standards.
In 1952, The Saturday Evening Post christened Rockdale, Texas, “The Town Where It Rains Money.” An estimated 100-million tons of lignite coal lay buried a few miles south of the city limits, and Alcoa had just swooped in to build a $100-million smelter that would use the cheap energy source to produce aluminum for fighter planes, skyscrapers, automobiles, and more. “At the mere mention of somebody blowing into town with $100,000,000 to spend, many citizens were seized by attacks of vertigo,” wrote local author George Sessions-Perry. “Others merely went off and lay down in an effort to regain their composure. Then things began to happen.” Seemingly overnight, Rockdale's population doubled to 5,000. A photo accompanying the Post story shows resident millionaire H. H. “Pete” Coffield and the mayor hosting a party for new Alcoa employees on a patio surrounded by a lush garden. The women wear cocktail dresses, and the men wear ties. “What makes us feel best of all,” Sessions-Perry continued, “is that we're making a sizable pile of something that the nation needs.” More recently, though, prosperity has eluded Rockdale. The Alcoa smelter was shuttered in 2008, and an adjoining coal-fired power plant closed last year. More than 1,000 jobs vanished, sending Rockdale and surrounding Milam County, population 25,000, into a nosedive. Then, last summer, a ray of hope pierced the gloom. Bitmain, a Chinese company that makes specialized computers for “mining” cryptocurrency, said it would invest $500 million in what was to be the world's largest bitcoin-mining facility at the closed Alcoa smelter, which, crucially, was still connected to massive electrical lines. The large buildings where aluminum was made, called potrooms, would be filled with shipping containers stocked with 325,000 mining machines. Most important for Milam County, Bitmain promised to create between 400 and 600 jobs. New industry would replace the old. 
https://www.wired.com/story/hard-luck-texas-town-bet-bitcoin-lost/
https://www.wired.com/story/waze-data-help-predict-car-crashes-cut-response-time/ FOOD FOR THOUGHT Users of the Google traffic app Waze are fastidious about reporting all manner of roadside obstacles and slowdowns, including traffic accidents. Some studies show that "Wazers" actually report crashes more quickly than callers to emergency services. Aarian Marshall reports for Wired on researchers now seeing if they can combine vast amounts of Waze reports with other data sets to predict crashes before they happen. It's not an easy problem, as computer apps generally are not good at predicting rare events. “You have to have a lot of data, and diverse types of data, and then be able to analyze it for it to be actionable instead of just piling up,” says Christopher Cherry, an engineering professor with the University of Kentucky who recently completed a study of how traffic data could be used to improve road safety. The traffic data itself is useful, sure. But to predict the risk of crashes, and to prevent them, you should also probably have a sense for where crashes are happening, and what the roads in question look like, and how those roads perform under different weather conditions. And then you have to link all those datasets up and help them “talk” to each other -- no small feat.
https://www.secretservice.gov/data/press/reports/USSS_FY2019_MAPS.pdf
"More than 1,000 recordings were obtained by Belgian broadcaster VRT NWS, which noted in a story that some contained sensitive personal conversations --- as well as information that identified the person speaking." I suppose it's bad enough when a company obtains sensitive personal information without the full awareness of the user, but then they gotta leak it too? http://www.taipeitimes.com/News/biz/archives/2019/07/13/2003718564
https://www.southcoasttoday.com/news/20190710/new-bedford-computer-outages-continue-for-sixth-day Earlier: https://wbsm.com/new-bedford-computer-outage-spreads-to-fire-department/
https://whdh.com/news/feds-new-bedford-police-officer-arrested-after-194-child-porn-files-found-on-computer/
7-Eleven in Japan caused hundreds of customers to lose about $600 each. Hackers stole the money via the convenience store's newly launched mobile payments app, 7pay. The app design had a frankly ludicrous flaw in its lost-password UX. As the reality of the stupendous error sinks in, infosec experts are left scratching their heads, dumbfounded. https://techbeacon.com/security/7-elevens-7pay-app-hacked-day-due-appalling-security-lapse
https://daringfireball.net/linked/2019/07/09/ulysses-icloud-os-betas
Adrian Kingsley-Hughes, ZDNet, 11 Jul 2019
The feature has been disabled while Apple fixes the bug.
https://www.zdnet.com/article/apple-disables-walkie-talkie-app-due-to-snooping-vulnerability/
opening text: Apple has temporarily disabled the Walkie-Talkie app on the Apple Watch due to a vulnerability that could allow someone to eavesdrop on an iPhone without the owner's consent.
Also: Apple disables Walkie Talkie app due to vulnerability that could allow iPhone eavesdropping (TechCrunch)
https://techcrunch.com/2019/07/10/apple-disables-walkie-talkie-app-due-to-vulnerability-that-could-allow-iphone-eavesdropping/
Stripe, one of the most valuable financial technology startups in the world, was hit with one of its longest periods of downtime ever on Wednesday. The company's services were offline for almost two hours cumulatively throughout the day, meaning some companies that rely on Stripe to process payments could not accept orders during that time. Stripe was last valued by investors at $23 billion, and builds software and payment infrastructure to help businesses accept money online. https://fortune.com/2019/07/11/stripe-outage-technology-payment-processing/
One of the kids uses Siri. Another uses Alexa. My baby brother uses "Hey Google" on his Android phone. (His eyes are going, and I'm a bit jealous because I really *hate* those soft keyboards ...) Way back when PDAs (remember them?) first started to become a "thing," I predicted that they wouldn't be big until they could talk (and listen) to us. What I did *not* foresee was that the heavy lifting in the listening department would be done by giant servers at the corporate end, and that, therefore, all of our interactions with the devices would be accessible to giant enterprises that would mine all of our conversations in a way that makes "big data" look like a little black book. I don't use Siri or Cortana or Hey Google, and, whenever one of them switches on, I turn it off. My TV is cheap enough that it doesn't have a camera or a microphone. I don't have one of those cylinders or pucks that turns on your lights because I don't have smart light bulbs. We don't have to have constant "tunes" or "playlists" playing in the house. (This actually leaves Gloria and me free to talk to each other, something that we apparently do much more than most people.) My extremely old car does have a computer in it, but it only talks to the service department (and then only when I bring it in). We drive little enough, now, that, by the time I have to replace it, I may be able to simply get rid of it and use taxis. (Yes, taxis. I know some of you *love* ride-sharing, but I still see too many problems with it to go that route. Besides, for most of my transport-related problems, I see very few issues that the 210 bus doesn't solve.) So I probably won't have to get used to a self-driving car that's talking with every other car on the road (*and* the manufacturer, *and* my insurer, *and* the local police).
(As much as I hate machines that think they are smarter than I am, I do believe we should get the self-driving cars on the road as quickly as possible, because, for all the "this car killed its driver" anecdotes, they already drive better than we do, and it would, even now, save lives.) This may sound funny, as I'm writing this on a computer, and I'm surrounded by three more computers and another three "devices." But, as the joke has it, I'm not going to worry about all my computers ganging up on me until the computer actually starts reliably talking to the printer that's right beside it. I still have to reboot my cable modem (and sometimes short out the coax cable) to get the Internet back at times, and I still have to power cycle the spiffy new PVR the cable company gave me to fix problems with the old one. It's not the computers that scare me, it's the companies. Facebook, of course, has amply demonstrated that it cares nothing about its users. Google scared me, initially, with the masses of information it collected, but, over the years, the "don't be evil" mantra seemed to work out. Recently, though, Google has demonstrated some very worrying tendencies. Apple has always wanted to lock you into their world, but hasn't seemed to care for much beyond getting you. Microsoft, of course, was always the big evil empire, but lately isn't quite so ... big. And, no, thanks, I *don't* want the government to take over and regulate everything in sight. I started out in malware research, and watched various governments make bone-headed decisions about creating laws just to try and make viruses illegal. Governments are having a tough enough time (and taking a long time) to get "sufficient" regulation to rein in some of the corporate excesses. We have a lot of things to learn about privacy and security, and constant vigilance is the price of et cetera, et cetera.
We are going to have to struggle through, and it will be a lot of work, and it means we have to pay attention to a lot of stuff going on. Welcome to security.
Alex Weinert—Microsoft Every week I have at least one conversation with a security decision maker explaining why a lot of the hyperbole about passwords—“never use a password that has ever been seen in a breach,” “use really long passwords,” “passphrases-will-save-us,” and so on—is inconsistent with our research and with the reality our team sees as we defend against 100s of millions of password-based attacks every day. Focusing on password rules, rather than things that can really help—like multi-factor authentication (MFA), or great threat detection—is just a distraction. Because here's the thing: When it comes to composition and length, your password (mostly) doesn't matter. https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984
*The New York Times* now blocks views in private mode of browsers such as Firefox or Chromium. If you do that, you get an error message stating "You're in private mode. Log in or create a free New York Times account to continue reading in private mode." which is actually quite funny. This is, of course, the NYT's business decision. However, I do not think the problems of paying for content with your data need to be spelled out for the readers of comp.risks. However, I would like to ask comp.risks contributors to no longer post links to nytimes.com. Contributing to uncontrolled gathering of data is not what a forum about computer risks should do. [I am a subscriber, and read as much of the paper as I can in print over breakfast. I do not have time or patience to read long articles on a cell phone. Many others subscribe online only. The NYTimes, WashPost, and very few others are becoming the only ones that support a staff of news folks who actually generate news articles rather than simply copy them from elsewhere. We value good journalism, which is becoming rare—as it is increasingly strangled by other media and fifteen-second sound bites on TV. PGN]
"Line stresses Line Score is opt-in only"—yes, but the customers who do not opt in are already denied certain "special deals"; how soon will they find out that they are the only ones paying full price for a gradually degrading service? And "the company will never share a user's Line Score with third parties" -- but how about sharing with other companies of the same owners, or with all companies owned by the next Big Company which would acquire Line?
CD> Personally I feel that the simplest solution would be to have some sort
CD> of radio/wi-fi signal for autonomous vehicles (and maybe to conventional

Sounds good, but sure hope such add-on systems' clocks don't drift, else after about a month (when the first autonomous vehicle shows up) radio red might already correspond to visual green...
> Still, it's unnerving that tech companies seem to think that social
> credit ratings are the next big thing for now. Hopefully, this is a
> trend that will not catch on.

Stack Exchange was first. Some might say not the same thing... But users quickly learn to dot their i's and cross their t's... Indeed, here on RISKS readers' RISK_POINTS shall be deducted for each missing dot (U+0131 LATIN SMALL LETTER DOTLESS I). Furthermore, and just for sadistic pleasure, you can only lose RISK_POINTS (that you never had in the first place) and never gain them.
Fernando Corbató, a Father of Your Computer (and Your Password), Dies at 93
Katie Hafner, *The New York Times*, 12 Jul 2019
https://www.nytimes.com/2019/07/12/science/fernando-corbato-dead.html

Personal note: Corby was a mentor, colleague, and close friend from 1965 on. He is deeply missed. Pioneer `father' of time-shared computing (CTSS at MIT in 1962), Multics (MIT, with Honeywell [as Katie notes, originally GE], and Bell Labs), inspirational professor, even a dean for a while. The obit by Katie is worth reading, especially for those of you who did not know him. PGN