Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The October issue of IET's E&T magazine has a story by Ben Heubl on problems with PV panels. It was originally published in July 2020 on-line https://eandt.theiet.org/content/articles/2020/07/solar-panel-technology-scandal-could-see-millions-of-solar-pv-panels-fail-or-degrade-prematurely “In February 2020, the power output plummeted at one of South Africa's proudest solar photovoltaic electricity generation sites, the Mulilo Sonnedix Prieska solar farm. .... Usually, PV solar panels last between 20 and 30 years. So how could this happen after less than four? Insiders claim accelerated backsheet degradation is to blame. The backsheet is part of a solar module that seals it from dust and moisture and provides electrical insulation. It is also necessary to protect interior components from mechanical and environmental stresses.'' ... and when a backsheet cracks, the consequences can include electrical short-circuits and fire. So there are safety issues. Heubl found it difficult to get anyone to give him information about the extent of the problem, except that it appears to be significant. It is not clear that anyone knows where panels most susceptible to early degradation are installed. There is surely not just a quality-control problem with newish panels. Panels have a limited functional lifetime in any case and it seems to follow from the report that there are few effective systems in place to identify which ones are faulty, whether after 3 years or 30 years. What about the panels on the roof of your house? Or built-in roofing panels?
https://www.avweb.com/aviation-news/american-pilots-to-reassure-passengers-before-max-flights/ "It's not often that passengers hear from the captain days before their flight but American Airlines is employing those calm, soothing voices to ease the reintroduction of the Boeing 737 MAX. As we recently reported, American plans to resume MAX flights starting Dec. 29, assuming all the regulatory approvals are in place. Its plan to gain customer approval for the re-launch is to offer customer tours of the aircraft and to have pilots answer phone and video calls from jittery pax. 'They're the ones that ... really have the credibility to explain the Max,' Alison Taylor, American's chief customer officer, told an online 'town hall' meeting with employees in mid-October." For a business to survive, the brands it sells must project and reliably demonstrate trust to sustain customer loyalty. Consumer expectations are, in part, achieved through unbiased and independent evaluations by regulatory agencies who evaluate these brands. They serve as the last line of defense for public health and safety. All bets are off when these agencies are neutered, or their investigatory and enforcement capabilities are compromised. How do businesses recover and restore brand trustworthiness after a 'Black Swan' shatters that expectation? The Chicago Tylenol murders (https://en.wikipedia.org/wiki/Chicago_Tylenol_murders retrieved on 28OCT2020) details measures a business can responsibly apply to restore and rebuild brand reputation following a deadly trust erosion incident. A "time heals all wounds" approach appears ineffective in the Internet-era where history is easy to retrieve, if curiosity strikes. Will a pilot's pre-flight reassurance be sufficient to sooth public anxiety about the re-engineered MAX's safety? The passenger loyalty consequences from a 'fit to fly' customer-charm offensive defy prediction. Eventually, I suspect this engagement 'pitch' will vanish. For now, that's all the flying public can expect following the Congressional investigations, FAA investigations, Boeing restructuring, liability settlements, MCAS revisions, re-certification efforts, etc. Airlines that offer discount 737-MAX flights will lure passengers and possibly recover revenue. Sustained airline profits from 737-MAX flights depends on over-achievement of historical aircraft safety records and trends. The flying public MIGHT be best served if, at ticket point-of-purchase, a government-mandated disclosure states, "This flight powered by a re-tooled 737-MAX. See this link for fleet history."
Tesla is beta-testing its latest self-driving technology with a small group of early adopters, a move that alarms experts and makes every road user -- including other motorists, pedestrians and cyclists—unwitting subjects in its ongoing safety experiment. https://www.axios.com/newsletters/axios-navigate-bd1ba2e9-6da7-4c76-91af-2d388ca96ba7.html CAS Comment on AV TEST Data Collection https://www.autosafety.org/cas-comment-on-av-test-data-collection/ Dear Deputy Administrator Owens, The Center for Auto Safety (the Center) appreciates the opportunity to provide comments on the notice and request for comment regarding the Automated Vehicle Transparency and Engagement for Safe Testing (AV TEST) initiative. The Center, founded in 1970, is an independent, member supported, non-profit consumer advocacy organization dedicated to improving vehicle safety, quality, and fuel economy. In 2020, we are celebrating 50 years of advocacy for consumer automotive safety and informed choice. The AV TEST initiative proposes using government resources for the purpose of providing “information to the public about Automated Driving System (ADS) testing operations in the U.S. and applicable State and local laws, regulations, and guidelines.'' Instead, the public would be better off visiting the promotional website of each AV manufacturer after conducting their own Google search. At least that way, there would not be any confusion about the biased nature of the promotion or the lack of government oversight. Motor vehicle crashes remain one of the primary causes of premature death, and the leading cause of death for those under age 30. These crashes cost the U.S. approximately $1 trillion every year. Sadly, NHTSA has estimated the first six months of 2020 have resulted in the highest death rate per vehicle mile traveled in the U.S. in over a decade. The Center firmly believes ADS technology can play a significant role in a safer transportation future and is committed to seeing its successful and safe integration into our transit ecosystem. Yet, NHTSA's refusal to even require the submission of test data relating to ADS development is an implicit encouragement of the deployment of unproven technology guided by artificial intelligence on public roads. These self-described self-driving vehicles are being unleashed on America in the hope that nothing too horrible will happen, in the absence of NHTSA analyzing validated engineering data demonstrating safe ADS performance.
[vis Dave Farber, who notes:
Typical PR piece. There has been an International activity to
conceptualize such a network for a while now—Japan , USA, EU, etc. It
is at the early research stage but advancing at a fast pace. Dave
Farber
]
U.S. hatches plan to build a quantum Internet that might be unhackable
The new network would sit alongside the existing Web, offering a more secure
way to send and process information
Jeanne Whalen, *The Washington Post*, 23 Jul 2020
https://www.washingtonpost.com/technology/2020/07/23/us-plan-quantum-internet/
U.S. officials and scientists unveiled a plan Thursday to pursue what they
called one of the most important technological frontiers of the 21st
century: building a quantum Internet.
Speaking in Chicago, one of the main hubs of the work, they set goals for
forging what they called a second Internet—one that would function
alongside the globe's existing networks, using the laws of quantum mechanics
to share information more securely and to connect a new generation of
computers and sensors.
Quantum technology seeks to harness the distinct properties of atoms,
photons and electrons to build more powerful computers and other tools for
processing information. A quantum Internet relies on photons exhibiting a
quantum state known as entanglement, which allows them to share information
over long distances without having a physical connection.
David Awschalom, a professor at the University of Chicago's Pritzker School
of Molecular Engineering and senior scientist at Argonne National
Laboratory, called the Internet project a pillar of the nation's
quantum-research program.
“It's the birth of a new technology. It's becoming a global competition.
Every major country on earth has launched a quantum program, because it is
becoming clearer and clearer there will be big impacts,'' he said in an
interview.
The United States' top technology rival, China, is investing heavily in
quantum technology, a field that could transform information processing and
confer big economic and national security advantages to countries that
dominate it. Europe is also hotly pursuing the research.
The Energy Department and its 17 national labs will form the backbone of the
project.
How exactly the work will be funded wasn't clear. The Energy Department did
not announce a funding figure for the project Thursday. Speaking to
reporters, Paul Dabbar, the Energy Department's undersecretary for science,
said the federal government invests about $500 to $700 million a year in
quantum information technology, suggesting some of that money would fund the
new Internet.
In an interview, Dabbar said there would probably be further funding
announcements for the project in the future.
Panagiotis Spentzouris, head of quantum science at the Chicago-area Fermi
National Accelerator Laboratory, or Fermilab, said in an interview that more
resources, and a clearer project structure, will be needed to carry out the
blueprint published Thursday.
The 38-page document lays out research priorities and milestones to aim for,
but it doesn't assign detailed tasks to particular parties.
Initial users of a quantum Internet could include national security
agencies, financial institutions and health-care companies seeking to send
data more securely, researchers said.
The networks promise to be more secure—some even say unhackable --
because of the nature of photons and other quantum bits, known as qubits.
Any attempt to observe or disrupt these particles would automatically alter
their state and destroy the information being transmitted, scientists say.
A quantum Internet could also be used to connect various quantum computers
with one another, helping boost their total computing power. Quantum
computers are still at an early stage of development and not yet as powerful
as classical computers, but connecting them via an Internet could help
accelerate their use for solving complex problems like finding new
pharmaceuticals or new high-tech materials, Awschalom said.
Eventually consumers might also tap into the quantum Internet, to buy
products with less risk of their credit card details being hacked, or to
send and receive sensitive personal information such as health records or
social security numbers, Spentzouris said. It is possible consumers will
surf seamlessly between the regular and quantum Internets as they make
purchases and send information, without necessarily knowing they are
switching platforms, he said.
In a sign of the potential economic rewards that quantum technology could
bring, Illinois Gov. J.B. Pritzker and Chicago Mayor Lori Lightfoot both
spoke at the announcement Thursday, expressing hope that there would be
spillover effects for the city's tech community.
Universities and labs in the region have established the Chicago Quantum
Exchange to try to accelerate innovation and economic development. [...]
As NASA moves towards the SLS's first flight, putting the Orion spacecraft in orbit around the moon, there are concerns not with the rocket's engines but rather with the computer software embedded in all its systems. https://www.washingtonpost.com/technology/2020/10/31/nasa-sls-moon-rocket/
*No Earth-based government has authority or sovereignty over Martian activities, SpaceX claims* SpaceX will not recognise international law on Mars, according to the Terms of Service of its Starlink Internet project. Elon Musk's space company will instead reportedly adhere to a set of *self-governing principles*" that will be defined at the time of Martian settlement. [...] https://www.independent.co.uk/life-style/gadgets-and-tech/elon-musk-spacex-mars-laws-starlink-b1396023.html
Chris Stokel-Walker, *New Scientist*, 21 Oct 2020 via ACM TechNews, Wednesday, October 28, 2020 Researchers at the Swiss Federal Institute of Technology, Zurich (ETH Zurich) trained a neural network algorithm designed to control a four-legged robot in a simulated environment resembling a video game. The ETH Zurich team told the algorithm which direction the simulated robot should be attempting to move in, and restricted how fast it could turn, in order to reflect the capabilities of the actual robot. The researchers started with a neural network preprogrammed with knowledge about the environment so the algorithm could absorb and recall inputs from virtual sensors, then transferred this knowledge to a large network controlling the real robot. As a result, the robot was able to move on uneven, mossy terrain more than twice as fast as it was able to with its default programming. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-27b91x225f47x066975& [As noted in RISKS many times, Flaws in simulations can lead to huge risks in the systems that are being modeled. Here is a case of the tail wagging the dog, happily. Please remember, relevant success stories are always welcome here, although they do not show up often enough. PGN]
https://www.iflscience.com/technology/ai-camera-ruins-soccar-game-for-fans-after-mistaking-referees-bald-head-for-ball/ A bald linesman distracts a camera aimed by a computer. On Beta, we'd have earrings for that. You could buy them in any jewelry store. http://www.conchord.org/xeno/bdgsig.html
https://techxplore.com/news/2020-10-years-mirai-dyn-internet-safer.html "'It seems that the lessons learned from the 2016 Dyn attack have only been acted upon by a handful of websites that were directly impacted,' says Aqsa Kashaf, a Ph.D. student in Electrical and Computer Engineering (ECE) and lead author of the new study. "The Mirai-Dyn attack in 2016 was successful because of what Kashaf and her team refer to as critical dependencies. The domains affected by the Mirai-Dyn attack were critically dependent on Dyn, a third-party DNS. In other words, they relied solely on Dyn, so when Dyn went down, so did they." The Mirai-initiated DDoS disabled ~180K domains and inconvenienced 10s of millions of website users. The research shows that BAU (business as usual) practices remain in place. Of the top 100Kwebites, 89% of them rely on a 3rd party DNS provider. In turn, these DNS providers rely on cloud services to support their operations. These shared dependencies and inter-dependencies comprise an attack perimeter that can cripple e-commerce. Service consumption favors provider availability/uptime over integrity characteristics that confer assault resilience. Core service providers (DNS, Content Delivery, Certification Authorities) should be required to disclose site hardening qualification results. That information can assist procurement decisions to improve industry readiness that helps deter the next meltdown.
Federal agencies warned that cybercriminals are unleashing a wave of data-scrambling extortion attempts against the U.S. healthcare system designed to lock up hospital information systems, which could hurt patient care just as nationwide cases of COVID-19. <https://www.cbsnews.com/feature/coronavirus> are spiking. In a joint alert Wednesday, the FBI and two federal agencies warned that they had "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers." The alert said malicious groups are targeting the sector with attacks that produce "data theft and disruption of healthcare services." The cyberattacks involve ransomware, which scrambles data into gibberish that can only be unlocked with software keys provided once targets pay up. Independent security experts say it has already hobbled at least five U.S. hospitals this week and could impact hundreds more. [...] https://www.cbsnews.com/news/fbi-warns-ransomware-attack-us-healthcare-system-hospitals/
Hackers can now reverse-engineer updates or write their own custom firmware. Dan Goodin, 28 Oct 2020 [PGN-enhanced: added middle para] Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and, possibly, the way they're secured. An independent researcher, working with two researchers from security firm Positive Technologies, extracted the secret key that encrypts updates to Intel central processing units (CPUs). Hackers who got their hands on the key would be able to decrypt updates Intel issues to plug security holes or update other aspects of chip operation. Independent researcher Maxim Goryachy said, "At the moment, it is quite difficult to assess the security impact" of being able to obtain such a key. Added Positive Technologies' Mark Ermolov, "For now, there's only one but very important consequence: independent analysis of a microcode patch that was impossible until now." The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of bugs. Having a decrypted copy of an update may allow hackers to reverse-engineer it and learn precisely how to exploit the hole it’s patching. The key may also allow parties other than Intel—say a malicious hacker or a hobbyist—to update chips with their own microcode, although that customized version wouldn't survive a reboot. [...] https://arstechnica.com/gadgets/2020/10/in-a-first-researchers-extract-secret-key-used-to-encrypt-intel-cpu-code/
https://www.bbc.com/news/technology-54748843 "In some ways you can feel sorry for Marriott. "In all the boardroom discussions about the company's takeover of Starwood, I bet it never realised that a hacker was already lurking inside the valuable databases they were buying. "The cyber-criminals had been in the systems for years, and were effectively thrown into the merger deal without Marriott having a clue." https://catless.ncl.ac.uk/Risks/30/93#subj5.1 reports this incident. Lesson learned: Do not neglect an IT infrastructure audit, and incident review/mitigation effort, before acquisition acceptance.
https://www.justice.gov/usao-ma/pr/two-former-ebay-employees-plead-guilty-aggressive-cyberstalking-campaign-targeting-nati-0 Department of Justice, U.S. Attorney's Office, District of Massachusetts Thursday, October 29, 2020 Two Former eBay Employees Plead Guilty to Aggressive Cyberstalking Campaign Targeting Natick Couple BOSTON “ Two former employees of eBay, Inc. pleaded guilty today to their roles in a cyberstalking campaign targeting the editor and publisher of a newsletter that eBay executives viewed as critical of the company. Brian Gilbert, 52, of San Jose, Calif., a former Senior Manager of Special Operations for eBay's Global Security Team, and Stephanie Stockwell, 26, of Redwood City, Calif., the former manager of eBay's Global Intelligence Center, pleaded guilty to conspiracy to commit cyberstalking and conspiracy to tamper with witnesses. U.S. District Court Judge William G. Young scheduled sentencing for Stockwell on March 11, 2021, and for Gilbert on May 6, 2021. On Oct. 8, 2020, co-defendants Stephanie Popp, 32, and Veronica Zea, 26, pleaded guilty to the same charges and are scheduled to be sentenced on Feb. 25, 2021. On Oct. 27, 2020, co-conspirator Philip Cooke, 55, pleaded guilty and is scheduled to be sentenced on Feb. 24, 2021. Former eBay executives, James Baugh, 45, and David Harville, 48, were arrested and charged on June 15, 2020. According to the charging documents, the victims of the cyberstalking campaign were a Natick couple who are the editor and publisher of an online newsletter that covers ecommerce companies, including eBay. Members of eBay's executive leadership team followed the newsletter's posts, often taking issue with its content and the anonymous comments underneath the editor's stories. It is alleged that in August 2019, the defendants executed a three-part harassment campaign against the Natick couple, which included the defendants sending anonymous and disturbing deliveries to the victims' home; sending private Twitter messages and public tweets criticizing the newsletter's content and threatening to visit the victims in Natick; and traveling to Natick to surveil the victims and install a GPS tracking device on their car. In connection with his plea today, Gilbert admitted to drafting threatening Twitter messages for Popp to send and planning the surveillance trip with various co-defendants. Gilbert also proposed bringing a dossier of documents to the Natick Police Department (NPD)—whom the victims had involved -- that would make the victims *look crazy* and contacting the victims to offer help with the threatening messages that the defendants had sent. Lastly, Gilbert made false statements to the NPD about Zea and Harville's reason for being in Boston. Stockwell admitted to, at Baugh’s direction, purchasing a laptop for use in harassing the victims, and using an anonymous email account to order online live spiders and a prepaid debit card to purchase a late-night pizza delivery to the victims' home. Stockwell also prepared an eBay `Person of Interest' report for the Bay Area—a fictions list of potential suspects to provide to the NPD to deflect the police from suspecting that eBay employees were actually harassing the victims. The charges of conspiracy to commit cyberstalking and conspiracy to tamper with witnesses each carry a sentence of up to five years in prison, three years of supervised release, a fine of up to $250,000 and restitution. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and other statutory factors. United States Attorney Andrew E. Lelling; Joseph R. Bonavolonta, Special Agent in Charge of the Federal Bureau of Investigation, Boston Field Division; and Natick Chief of Police James G. Hicks made the announcement today. eBay provided valuable assistance and cooperation with the federal investigation. Assistant U.S. Attorney Seth B. Kosto, Deputy Chief of Lelling's Securities, Financial & Cyber Fraud Unit is prosecuting the case. The details contained in charging documents are allegations. The remaining defendants are presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.
The Project Zero reverse engineer shuts down some of the world's most dangerous exploits—along with antiquated hacker stereotypes. https://www.wired.com/story/maddie-stone-project-zero-reverse-engineering/
Scammers are luring people into Google Docs in an attempt to get them to visit potentially malicious websites. https://www.wired.com/story/beware-a-new-google-drive-scam-landing-in-inboxes/
*iPhone maker pushes to build its own search tools as ties to Google come under antitrust scrutiny* Apple is stepping up efforts to develop its own search technology as US antitrust authorities threaten multibillion-dollar payments that Google makes to secure prime placement of its engine on the iPhone. In a little-noticed change to the latest version of the iPhone operating system, iOS 14, Apple has begun to show its own search results and link directly to websites when users type queries from its home screen. That web search capability marks an important advance in Apple's in-house development and could form the foundation of a fuller attack on Google, according to several people in the industry. The Silicon Valley company is notoriously secretive about its internal projects, but the move adds to growing evidence that it is working to build a rival to Google's search engine. [...] https://www.ft.com/content/fd311801-e863-41fe-82cf-3d98c4c47e26
A very clear explanation of how Section 230 had become a Republican political tool: https://www.youtube.com/watch?v=kc-hh_uhEOA (It's a bit funny how he criticizes Republicans for turning a Congressional hearing into political campaigning, while actually doing the same...) [On the eve of a highly political event in the U.S., we generally eschew political items. This is one on truthiness vs truthfulness, which is a long-time consideration in RISKS, irrespective of politics. PGN]
A pro-Trump Twitter troll posted fundraising pleas for a child he said had cancer. Debunking-Twitter pounced. A tale of collateral damage in the disinformation age. https://www.wired.com/story/team-trump45-twitter-hazards-online-sleuthing/
The Wisconsin Republican party this week revealed that they had been swindled out of $2.3 million, money that had been earmarked for Donald Trump's reelection campaign. Rather than a sophisticated hack of a bank account, the incident appears to be yet another case of business email compromise, a category of scam that has netted billions of dollars for attackers over the past few years alone. The attackers apparently sent invoices to GOP officials that looked like they were from official vendors, but with banking information that routed the money to the schemers instead. It's the kind of mistake that could happen to anyone—but is especially inconvenient coming so close to the election. Cryptocurrency Scammers Hack Donald Trump's Campaign Website In other "Republicans compromised by avoidable scam" news, hackers managed to alter Donald Trump's campaign website, albeit for less than 30 minutes. The hackers made the dubious claim that they had accessed "internal and secret conversations" relating to Trump, along with links to send them Monero cryptocurrency. Defacing a website is a far cry from actually hacking a candidate, though, and it seems unlikely that this amounts to anything more than an act of digital vandalism. https://www.wired.com/story/wisconsin-gop-email-scam-ransomware-security-news/
And other lessons on spotting fake news from the News Literacy Project. https://www.washingtonpost.com/education/2020/10/28/new-media-manipulation-casebook-harvard-teaches-how-detect-misinformation-campaigns/
https://www.nbcnews.com/tech/security/how-fake-persona-laid-groundwork-hunter-biden-conspiracy-deluge-n1245387?cid=sm_npd_nn_tw_ma
No way the NSA would do that! Huawei? Black ops matter! Do we really want unelected NSA spooks to be purposely sabotaging our cybersecurity? And with code that *will* be repurposed by other state actors and criminals into weapons and ransomware used against U.S. companies and citizens? The NSA deliberately inserting vulnerabilities into U.S. products is completely equivalent to the so-called "gain-of-function" virus research (Google it) that the U.S. accuses China of performing, because there is no way to control the "blowback" against both friends and enemies. "NSA now requires that before a back door is sought, the agency must weigh the potential fallout and arrange for some kind of *warning* if the back door gets discovered and manipulated by adversaries." Ha! Both the CIA and NSA have already had their "Oh Shit!" moments due to their cyberweapons being exposed and repurposed against the U.S. A mere "warning" won't be sufficient. https://www.reuters.com/article/uk-usa-security-congress-insight/spy-agency-ducks-questions-about-back-doors-in-tech-products-idINKBN27D1DP https://www.cnbc.com/2020/10/28/spy-agency-ducks-questions-about-back-doors-in-tech-products.html Joseph Menn, Reuters Spy agency ducks questions about 'back doors' in tech products SAN FRANCISCO (Reuters) - The U.S. National Security Agency is rebuffing efforts by a leading Congressional critic to determine whether it is continuing to place so-called back doors into commercial technology products, in a controversial practice that critics say damages both U.S. industry and national security. The NSA has long sought agreements with technology companies under which they would build special access for the spy agency into their products, according to disclosures by former NSA contractor Edward Snowden and reporting by Reuters and others. These so-called back doors enable the NSA and other agencies to scan large amounts of traffic without a warrant. Agency advocates say the practice has eased collection of vital intelligence in other countries, including interception of terrorist communications. The agency developed new rules for such practices after the Snowden leaks in order to reduce the chances of exposure and compromise, three former intelligence officials told Reuters. But aides to Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee, say the NSA has stonewalled on providing even the gist of the new guidelines. "Secret encryption back doors are a threat to national security and the safety of our families—it's only a matter of time before foreign hackers or criminals exploit them in ways that undermine American national security," Wyden told Reuters. "The government shouldn't have any role in planting secret back doors in encryption technology used by Americans." The agency declined to say how it had updated its policies on obtaining special access to commercial products. NSA officials said the agency has been rebuilding trust with the private sector through such measures as offering warnings about software flaws. "At NSA, it's common practice to constantly assess processes to identify and determine best practices," said Anne Neuberger, who heads NSA's year-old Cybersecurity Directorate. "We don't share specific processes and procedures." Three former senior intelligence agency figures told Reuters that the NSA now requires that before a back door is sought, the agency must weigh the potential fallout and arrange for some kind of warning if the back door gets discovered and manipulated by adversaries. The continuing quest for hidden access comes as governments in the United States, the United Kingdom and elsewhere seek laws that would require tech companies to let governments see unencrypted traffic. Defenders of strong encryption say the NSA's sometimes-botched efforts to install back doors in commercial products show the dangers of such requirements. Critics of the NSA's practices say they create targets for adversaries, undermine trust in U.S. technology and compromise efforts to persuade allies to reject Chinese technology that could be used for espionage, since U.S. gear can also be turned to such purposes. In at least one instance, a foreign adversary was able to take advantage of a back door invented by U.S. intelligence, according to Juniper Networks Inc, which said in 2015 its equipment had been compromised. In a previously unreported statement to members of Congress in July seen by Reuters, Juniper said an unnamed national government had converted the mechanism first created by the NSA. The NSA told Wyden staffers in 2018 that there was a "lessons learned" report about the Juniper incident and others, according to Wyden spokesman Keith Chu. "NSA now asserts that it cannot locate this document," Chu told Reuters. NSA and Juniper declined to comment on the matter. JUNIPER'S COMPROMISE The NSA has pursued many means for getting inside equipment, sometimes striking commercial deals to induce companies to insert back doors, and in other cases manipulating standards - namely by setting processes so that companies unknowingly adopt software that NSA experts can break, according to reports from Reuters and other media outlets. The tactics drew widespread attention starting in 2013, when Snowden leaked documents referencing these practices. Tech companies that were later exposed for having cut deals that allowed backdoor access, including security pioneer RSA, lost credibility and customers. Other U.S. firms lost business overseas as customers grew wary of the NSA's reach. All of that prompted a White House policy review. "There were all sorts of 'lessons learned' processes," said former White House cybersecurity coordinator Michael Daniel, who was advising then-president Barack Obama when the Snowden files erupted. A special commission appointed by Obama said the government should never "subvert" or "weaken" tech products or compromise standards. The White House did not publicly embrace that recommendation, instead beefing up review procedures for whether to use newly discovered software flaws for offensive cyber-operations or get them fixed to improve defense, Daniel and others said. The secret government contracts for special access remained outside of the formal review. "The NSA had contracts with companies across the board to help them out, but that's extremely protected," said an intelligence community lawyer. The starkest example of the risks inherent in the NSA's approach involved an encryption-system component known as Dual Elliptic Curve, or Dual EC. The intelligence agency worked with the Commerce Department to get the technology accepted as a global standard, but cryptographers later showed that the NSA could exploit Dual EC to access encrypted data. RSA accepted a $10 million contract to incorporate Dual EC into a widely used web security system, Reuters reported in 2013. RSA said publicly that it would not have knowingly installed a back door, but its reputation was tarnished and the company was sold. Juniper Networks got into hot water over Dual EC two years later. At the end of 2015, the maker of Internet switches disclosed that it had detected malicious code in some firewall products. Researchers later determined that hackers had turned the firewalls into their own spy tool by altering Juniper's version of Dual EC. Juniper said little about the incident. But the company acknowledged to security researcher Andy Isaacson in 2016 that it had installed Dual EC as part of a "customer requirement," according to a previously undisclosed contemporaneous message seen by Reuters. Isaacson and other researchers believe that customer was a U.S. government agency, since only the U.S. is known to have insisted on Dual EC elsewhere. Juniper has never identified the customer, and declined to comment for this story. Likewise, the company never identified the hackers. But two people familiar with the case told Reuters that investigators concluded the Chinese government was behind it. They declined to detail the evidence they used. The Chinese government has long denied involvement in hacking of any kind. In a statement to Reuters, the Chinese foreign ministry said that cyberspace is "highly virtual and difficult to trace. It is extremely irresponsible to make accusations of hacker attacks without complete and conclusive evidence. At the same time, we also noticed that the report mentioned that it was the U.S. intelligence agency - the National Security Agency - that created this backdoor technology." NERVOUS COMPANIES Wyden remains determined to find out exactly what happened at Juniper and what has changed since as the encryption wars heat up. This July, in previously unreported responses to questions from Wyden and allies in Congress, Juniper said that an unidentified nation was believed to be behind the hack into its firewall code but that it had never investigated why it installed Dual EC in the first place. "We understand that there is a vigorous policy debate about whether and how to provide government access to encrypted content," it said in a July letter. "Juniper does not and will not insert back doors into its products and we oppose any legislation mandating back doors." A former senior NSA official told Reuters that many tech companies remain nervous about working covertly with the government. But the agencies' efforts continue, the person said, because special access is seen as too valuable to give up. Reporting by Joseph Menn; editing by Jonathan Weber and Edward Tobin
Back in > 2008, Brent Simmons published That New Sound, about The Clash's London > Calling. Here's a challenge: Can you find either of these with Google? > Even if you read them first and can carefully conjure up exact-match > strings, and then use the site: prefix? I can't. [...] Google t bray lou reed animal and you are taken straight to the review. Google "Brent Simmons" "That New Sound" and you are taken straight to the review. There, that wasn't hard, was it? Whether Bray's complaint was ever true, it isn't now.
Henry Baker wonders what code could be updated on an airframe dating back to
the 1950s when computers wouldn't fit into an aircraft, especially one as
small as a U2. It's quite simple, newsflash—they updated it, and more
than once. Aircraft receive modifications periodically, some for safety
reasons (e.g., Boeing 737 Max) and some for performance improvement—for
flight, fighting, longevity, sensing or survival.
When I signed the F700 for an RAF airframe before strapping it on back in
the late 70s and 80s they regularly had an entry documenting an
update/upgrade of some sort that the 'driver, airframe' needed to be aware
of. When I got back and signed the airframe in I had to make note of
anything I thought needed attention before anyone else took it skywards
("don't worry Chiefy, you can buff that out...").
Sensors packages get better, computers get smaller and lighter and
technology moves on. Making those changes and integrating technology brings
benefits but also might create all sorts of risks that have been discussed
many times before on this list. I won't repeat the list or approaches for
treating them when you can search the archive.
It's not just built-in computing power either. There is a (long) interview
<https://www.youtube.com/watch?v=4o4XJystc_8> with a U2 pilot on Youtube
where he describes the use of an iPad for navigational purposes, using
Foreflight and checking the weather.
[I'm sure Peter Ladkin will have much more to say on the subject.]
"it is at once hard and easy to believe that such a critical system could be vulnerable to total failure through the action of one person "switching it off"." I can easily imagine an even bigger outcry if other certain systems were found to be impossible to switch off by the actions of a single person.
> If a company owns newspaper delivery trucks doesn't want to deliver
> newspapers with a story its owners don't like, that's their privilege.
> And the newspapers can decide not to use that company any more.
Alas, today all the newspaper delivery trucks are owned by Facebook, Twitter
and Google. In this oligopoly environment, your argument does not apply.
> "Freedom of the press belongs to the man who owns the press." Same
> with the delivery company.
Precisely.
> "unique legal benefits": those same legal benefits protect Reddit and 4chan
> and Tumbler, and a BBS that I help moderate and several "furry" that I use,
> all of which include some sexually-oriented material. I think section 230 of
> the Communications Decency Act is the greatest boon to free speech ever
> passed by Congress. (And to think it appeared in a law that attempted to
> impose censorship on the Internet...)
I think the exact opposite.
CDA230 created a 3rd option for communications providers: in addition to
"wire providers" (think ATT: no control over content, no responsibility for
it) and "information providers" (think CNN: full control over content, full
responsibility), we now have FB/Twitter/Google who have full control and no
responsibility.
How about applying CDA230 only to _small_ players?
If you have more than 10% of all US users, you cannot censor content.
If you want to censor content, split up the company.
>> Facebook outright “has monopoly power in the market for social
>> networking,'' and that power is “firmly entrenched and unlikely to be
>> eroded by competitive pressure'' from anyone at all due to `high entry
>> barriers' including strong network effects, high switching costs, and
>> Facebook's significant data advantage—that discourage direct
>> competition by other firms to offer new products and services.
>
> Okay, so FB has a lot of economic power. Why? Because they have been highly
> successful in satisfying consumer demand for a place to talk to each other.
>
> I should note that there are a lot of very rich Republicans. I would guess
> that over 75% of billionaires lean Conservative in their views. Let them
> take some of their money and start right-slanted competitors to Facebook and
> Twitter. It's not cheap, but it's well within the reach of any ten
> billionaires, and if they do it right they might get even richer in the
> process.
Gab tried, and is being suppressed by the existing infrastructure.
In a marketplace ruled by monopolies, the standard libertarian free
market arguments do not apply.
> That's what the competition in the marketplace is supposed to be about. If
> the "barrier to entry" is simply that you need to invest some money, that is
> no barrier in an age when the the US alone has over 500 billionaires, over
> 2,000 worldwide.
No, the barrier to entry is "preferential attachment" (as in random
graph theory).
In the computer communication space the marginal cost of an additional
user is 0, and the benefit for a user of an existing user base is huge
("everyone is on twitter, so who will I talk to on gab?")
This leads to monopolies: Google, FB, Twitter have no
competitors in their respective core spaces.
(The only competition is in the area of AI personal assistants and the
political message of all the offerings is virtually identical).
My case is I am at home in Firstburg, with my cellphone connected to a tower in Secondburg, and I am getting warnings meant for Thirdsburg. Because that part of Thirdsburg is too far away from Thirdsburg Town Hall, all those addresses have been, by the government, by "temporary arraignment" changed to Secondburg. Yup, within that remote part of Thirdsburg all the house addresses say Secondburg in their names, not Thirdsburg. However actually changing the boundaries is too scary for the elected officials. So the informal arraignment persists, despite my protests to them that those boring boundaries stored in geographical information systems do affect real life. And there is no way to disable (Taiwan) "Presidential level" cellphone warnings, beyond "airplane mode". OK, let's say one day they fix the situation, and I start getting the Secondburg warnings that I deserve. But house is in Firstburg in the first place. OK, then they should be sending me messages for where my house is registered, not what cell tower I am connected to. But wait, what if today I am at a friends home in Secondburg, and a disaster is approaching? OK, (automatically) subscribe me to warnings for both where I am and where I live. And be sure to say the area name in the warning.
Wols Lists <antlists@youngman.org.uk> > aiui, UK law defines a "historic vehicle" as one over 25 years old > ... these cars are exempt from tax, they're now exempt from the MOT Actually it is over *40* years old, and there has to be no "substantial changes" made to the vehicle in the last 30 years, for example replacing the chassis, body, axles or engine to change the way the vehicle works: https://www.gov.uk/historic-vehicles
F-35 crashes and Tesla self-drive deployed? It's perhaps a risk that Teslas don't have an eject feature when the CPU is overloaded?
Please report problems with the web pages to the maintainer