The Voting News Daily, a news service of Verified Voting

A CIA asset reportedly pulled from Russia in 2017 played a major role in the agency's determination that Russian President Vladimir Putin personally ordered Moscow's meddling in the 2016 election, according to *The New York Times*. The informant, while not in Putin's inner circle, interacted with him regularly and was privy to decision-making at high levels of the Russian government, according to *The Times*. Information on the informant's identity was so carefully guarded that it was kept out of then-President Obama's daily security briefings in 2016, instead transmitted in separate sealed envelopes. In 2016, high-level CIA officials ordered a full review of the source's record and grew suspicious he might have become a double agent after he rejected an offer of exfiltration from the agency, according to *The Times*. Other officials said these concerns were alleviated when the source was offered a second time and accepted.

[The original source is this: Julian E. Barnes, Adam Goldman and David E. Sanger, CIA Informant Extracted From Russia Had Sent Secrets to U.S. for Decades, *The New York Times*, 10 Sep 2019 (updated from the previous day). Also of related interest are op-ed pieces by Michelle Goldberg and Paul Krugman in *The NYT* on 10 Sep 2019. PGN]
https://openprivacy.ca/blog/2019/09/09/open-privacy-discovers-vancouver-patient-medical-data-breach/

The Open Privacy Research Society has discovered that the sensitive medical information of patients being admitted to certain hospitals across the Greater Vancouver Area is being broadcast, unencrypted, by hospital paging systems, and that these broadcasts are trivially interceptable by anyone in the Greater Vancouver Area. The data being broadcast includes the patient's name, age, gender marker, diagnosis, their attending doctor and room number. Other broadcasts regarding medical tests such as x-rays are often associated with a patient's last name or medical number, exposing their progression through hospital departments. Some broadcasts appear to contain freeform text, allowing other sensitive information to be entered as well. We have been able to confirm the authenticity of this data by cross-referencing records with public obituaries.
Nick Weaver has been an occasional contributor to RISKS over the past 23 years, and is the author of the CACM Inside Risks article #244, Risks of Cryptocurrencies, CACM June 2018, http://www.csl.sri.com/neumann/insiderisks.html or directly at http://www.csl.sri.com/neumann/cacm244.pdf

This month's IEEE Computer Society *edge* magazine (September 2019, pp 23-26, www.computer.org/computingedge) condenses Nick's Silver Bullet podcast interview with Gary McGraw, and succinctly updates the above-mentioned Inside Risks article. I recommend the *edge* interview for anyone unclear about the RISKS-related issues associated with blockchains and cryptocurrencies. PGN
https://www.bostonglobe.com/business/2019/09/09/the-fine-print-bank-america-less-than-charitable-charity-that-says-was-hacked/IENfpHpEkjTf0rzvpzHbfJ/story.html
https://securityboulevard.com/2019/09/sysadmins-scramble-to-secure-5m-exim-email-servers/
https://www.scientificamerican.com/article/3-d-printers-could-help-spread-weapons-of-mass-destruction/

“In the mid-1990s boy scout David Hahn used household objects and his scientific knowledge to start building a nuclear reactor in his backyard. Police and the Environmental Protection Agency stopped him before he could finish. Twenty years later, revolutions in manufacturing and computing have made projects such as Hahn's a lot more feasible; if he had access to a 3-D printer, for example, he might have finished his reactor before authorities intervened. Modern technologies also mean one does not need to be as smart as Hahn to create at least some kinds of DIY weapons. With the right machine and blueprints anyone can build a handgun in their living room—and firearms are just the beginning. Researchers fear that artificial intelligence and 3-D printing might one day create, on demand, weapons of mass destruction.”

The WMD Do-It-Yourself kit is a frightening possibility. Can a 3-D printer enable WMD deployment of a chemical or biological device? Thanks to Graham Allison's efforts, and the Nunn-Lugar Cooperative Threat Reduction legislation of 1991, WMD material (enriched uranium and plutonium, biological/chemical) became more difficult to acquire as the Soviet Union disintegrated. Threat reduction implementation tapered substantially after Russia annexed Crimea. https://en.m.wikipedia.org/wiki/Nunn–Lugar_Cooperative_Threat_Reduction
https://time.com/5675566/airbus-airplane-bathroom-tracker/

“The Airbus Connected Experience aims to give flight attendants a more detailed survey of the cabin, with sensors for such critical data as when bathroom soap is running low and how much toilet paper remains in each bathroom. But the rethinking of the passenger environment doesn't just stop with the lavatory. At each seat, your belt will signal red for unbuckled and green when fastened. The goal is faster boarding and departure, dispensing with those lap-scrutinizing walk-throughs flight attendants must perform. The crew will also have access to information on what's onboard and where, like which galley carts contain specific meals, such as pre-orders or vegetarian selections.”

What happens if there's a faulty or intermittent seat belt lock/unlock sensor? Will each flier be required to wear an RFID tag that is scanned when entering and exiting the toilet? Will airlines compile a passenger `compliance score' and use it to raise or lower ticket prices, or deny purchase, based on profiled compliance history?
A new safety bulletin from the British government shows that an unplanned landing in Ireland was caused by coffee that spilled on a control panel in the cockpit. The airline says it is now providing lids for coffee. https://www.washingtonpost.com/travel/2019/09/12/why-spilled-cup-coffee-forced-plane-make-an-unplanned-landing/
China leads the world in facial recognition tech but sometimes police just use their noses as well. https://www.washingtonpost.com/world/asia_pacific/chinese-police-sniff-out-a-fugitive--literally--in-the-case-of-the-telltale-hot-pot/2019/09/12/86db31a8-d521-11e9-ab26-e6dbebac45d3_story.html
https://www.washingtonpost.com/technology/2019/09/12/apple-makes-changes-kids-app-guidelines-following-criticism-developers/
Plenty of schools have incentive programs for students who attend games, but ones who give demerits for early exits are harder to find. https://www.washingtonpost.com/sports/2019/09/13/alabama-is-penalizing-students-leaving-football-games-early-is-that-normal/
[On the limits of computer searching:] Mary Branscombe, 500 words into the future, ZDNet, 12 Sep 2019. Artificial intelligence might have passed a school science test, but when everyday tasks are still well beyond its ability, we can't even talk about building general-purpose AI. https://www.zdnet.com/article/sorry-general-ai-is-still-a-long-long-way-off/

Opening text: For the last few weeks, we've been watching a plant grow on our windowsill. A seed blew into the window box and took root, and started to shoot up. There was nothing growing in that end of the window box, so we left it until we could see whether it was a weed or a nice plant. The seed had been long and black, and the stem grew tall and spindly. Once we could see a few leaves, I started searching the web for a plant with a long, hairy stem and long, pointed leaves springing alternately from the stem, that grow in the UK from long black seeds, that are pointy at one end and round at the other. If you described that to a botanist or a gardener, they would tell you immediately that it was probably a sunflower, but I didn't get any useful results from searching by the description. In fact, none of the lists of UK plants with hairy stems or alternate leaf-growth patterns that I did find included the sunflower. It wasn't until we could see the flower forming and looking very like a sunflower that I could search for 'sunflower hairy stem' and get a description telling me that sunflowers have long, hairy stems and leaves growing alternately from the stem. Once I knew what I wanted, the machine learning behind the search engine could tell me about it, but it couldn't take my description and tell me what I was looking at.
A fresh look at the 2016 blackout in Ukraine suggests that the cyberattack behind it was intended to cause far more damage. https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/
For the past 20 years or so, many large companies have tried to match candidates with positions by automatic processes that scan CVs for keywords; this method may be faster, but may miss candidates who would do an excellent job but whose CV does not contain *exactly* the same keywords a manager had to come up with to describe the job. Thus, much of the interview process is already done by robots; however, the new method misses an even more important aspect: getting a candidate acquainted with the people s/he's going to be working with. (Though in this case, the job's description seems to indicate that the newly hired employee would be working mainly with robots anyway.)
1. The theft of British Airways's customer payment card details in 2018 was widely reported, but it seems that the hackers also lost out due to the sudden abundance of saleable information reducing the black-market value of these details... Summary follows. The full article [not included] gives typical black-market values for personal details; the title comes from a comment that “the typical profile of cyber-crime victims are well-off, middle-aged professionals aged 35-44 with an income above 50,000 pounds [$65,000] in managerial positions.”

https://www.telegraph.co.uk/technology/2019/09/10/rich-smart-sensibly-grown-up-hackers-dream/

Rich, smart and sensibly grown-up? You're the hackers' dream. Harry de Quetteville, 10 Sep 2019

Poor hackers. British Airways's aircraft may be grounded again, but at least this time the company knows why: its pilots are on strike. Too often in recent years the company has stranded passengers because of mysterious IT foul-ups. The cost of some of those failures was not always immediately apparent. In 2018 half a million BA customers had their payment card details stolen. It was only later that BA was hit with a huge £183m fine for the breach. And it now turns out it wasn't just BA and its passengers who suffered. Hackers did too. So many fraudulent cards hit the market after the data breach at BA (as well as others at Marriott, and Ticketmaster) that black market prices collapsed.

2. RISKS often features the problems of the latest technology, but here's an item on the problems of *not* using this. The UK's National Health Service (`the envy of the world') still uses fax machines, pagers, land-line telephones, etc. for communications, which are obviously not ideal for a large organisation dealing with a huge throughput of patients, especially as much information is time- and life-critical.
Some staff unofficially use social networking sites like WhatsApp, but there are big RISKS here with patient confidentiality, possibility of confusion between personal and work information, no way of sorting incoming messages, and so forth. Working in health is quite a high-pressure job in general of course, but if it's difficult to make contact with other people this just raises stress levels and wastes valuable time. This article features a junior doctor, Lydia Yarlott, who has come up with a fix (summary follows): https://www.cityam.com/wp-content/uploads/2019/09/CITYAM_20190910_NEW.pdf

> With WhatsApp being seen as a sort of sticking plaster to the
> communication problem, in true doctor fashion, Yarlott started concocting
> a cure. With the help of a team of technologists, she has built a secure
> instant messaging service called Forward Health designed for doctors,
> nurses, midwives, and other clinicians. Through the app, NHS staff can
> search by name or role in a hospital or clinic, share patient notes and
> photos, with everyone working off the same list. On average, the app
> saves each clinician 43 minutes per shift, which is time that would
> usually be wasted waiting for a colleague to call them back. It means that
> doctors can access the info they need anywhere in the hospital, ultimately
> allowing them to move away from paper notes. It's a simple idea, and
> remarkable that nothing like this existed in the NHS already, which just
> goes to show how far behind official hospital technology (still heavily
> reliant on pagers) really is. And it's worrying that old-fashioned and
> counterintuitive tech is exacerbating existing issues in the NHS, making
> the working lives of staff even harder. While bringing NHS tech into the
> modern era is vital, the organisation is such a vast and complex web that
> updating the system is painfully difficult, not to mention the fact that
> [NHS] trusts tend to make standalone decisions, rather than learning from
> each other.
A serious issue is [that] your phone's precious single USB socket is rated for only a limited number of plug-in and plug-out cycles, after which it will start to fail (bad connection, not all metal plates properly in contact). Meaning you won't be able to charge your phone anymore—spelling the certain demise of your phone completely, as it would make more sense to get a fast new phone rather than repair an old slow one. Mom was right. See what happens after too much `phone s*x'. “Avoid multiple partners'' they say. Well, even too much plugging in and out 'action' with the same partner will lead to `terminal' illness, as was my experience with MicroUSB. And I'm not going to increase my `libido' and RISK it with my new Type C phone. I'm just not in the mood, OK?
Re: "Bright Idea --Can't stop..." (RISKS-31.41)

This raised some questions in my mind, so here is a little follow-up, from: https://www.theguardian.com/technology/2019/aug/13/teen-smart-fridge-twitter-grounded

“After reports emerged questioning Dorothy's account, LG confirmed that some of its fridge models have social media capabilities, but the company could not confirm whether Dorothy's tweet was sent from one. ‘We don't know if Dorothy actually used an LG smart refrigerator to tweet, but yes, it is possible to access Twitter via the web browser on select LG smart refrigerator models,’ an LG spokeswoman, Taryn Brucha, said. Igor Brigadir, a computer researcher at University College Dublin, reviewed the tweets for the Guardian and said that the metadata for Dorothy's Wii U and Nintendo tweets showed that the tweets were legitimate. He said others had used the devices to post on Twitter in the past. But the refrigerator tweet, Brigadir said, most likely did not come from the fridge. ‘The LG fridge [tweet] was definitely manually created,’ he said. Brigadir examined the metadata of the tweets and discovered that they were sent through a custom Twitter app. If Dorothy had tweeted from the fridge, Brigadir continued, the metadata would probably have said the tweet was sent through a browser, not from a fridge. Dorothy was able to make it look like she tweeted from the fridge because custom apps can be renamed on Twitter to make tweets appear as though they were sent from different devices. ‘For me, the thing that seals it is the fact that nobody else ever made any other tweets from that fridge, whereas, for the Wii U and Nintendo clients, there's fresh tweets daily,’ Brigadir added.”

[Amos Shapir notes that this is rather old news—and probably fake: https://www.buzzfeednews.com/article/stephaniemcneal/dorothy-fridge-tweets PGN]