China Covert Operations May Overwhelm Us
Nigel Inkster, *The New York Times*, 16 Sep 2022
The West isn't sufficiently prepared for intelligence threats from Beijing

Russia Secretly Spent $300M to Sway Elections Around the World
Edward Wong, *The New York Times*, 14 Sep 2022
[At least. That's what has been detected. PGN]
https://9to5mac.com/2022/09/16/chinese-spy/
I heard a Ukrainian reporter on the radio talking about the problems with the Ukrainian "grid infrastructure" due to the Russian occupation of the Zaporizhzhia nuclear plant. Except with her Ukrainian accent, she pronounced it "greed infrastructure". I think that she summed up the nuclear power industry precisely!! Truly a Kinsley gaffe (Google it) moment!

Farhad Manjoo, *The New York Times*, 16 Sep 2022
Nuclear Power Still Doesn't Make Much Sense
https://www.nytimes.com/2022/09/16/opinion/nuclear-power-still-doesnt-make-much-sense.html

I landed in London at around the same time that international energy regulators were making emergency plans for maintaining the safety of Ukraine's Zaporizhzhia nuclear plant, which had come under shelling from Russian troops. [...] Tyson Slocum, the director of the energy program at the advocacy group Public Citizen, summed up these problems neatly: “Nuclear power has simply been eclipsed. It was an incredible zero-emission resource for its day. But for much of the energy system today, that day has long passed.” [...]
A number of financial institutions in and around New York City are dealing with a rash of super-thin *deep-insert* skimming devices designed to fit inside the mouth of an ATM's card acceptance slot. The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the cash machine. Here's a look at some of the more sophisticated deep insert skimmer technology that fraud investigators have recently found in the wild. https://krebsonsecurity.com/2022/09/say-hello-to-crazy-thin-deep-insert-atm-skimmers/
I live in a New York City co-op apartment building that contracts with the firm BuildingLink for a package of administrative & security services, such as tracking & notification of package deliveries, repair requests, instructions for the front desk regarding items such as permissions to enter, and storage and check-out of apartment keys at the front desk. The system also includes a directory of building residents, including their apartment numbers, their phone numbers & email addresses. BuildingLink's software is used in more than 6,000 properties worldwide, according to the company's website.

The system was down Monday, Tuesday, and much of Wednesday following a malware attack. Apparently, it was a nationwide outage. Some excerpts from BuildingLink's status report page (https://status.buildinglink.com/):

12 Sep Monday: Users are currently unable to access BuildingLink.com and custom domains, the resident app, and the valet app.
-Users are also unable to access ConciergeLink and the GEO app if not already logged in....
-KeyLink can currently be used with the fingerprint reader, but not with username and password.

14 Sep afternoon: On Sunday, 11 Sep, BuildingLink was the target of a malware incident, which impacted certain network systems. While we are still in the early stages of an investigation, here's what we know so far: our team acted quickly and took certain systems offline as a precautionary measure and continue to take steps to enhance security systems already in place. We also immediately engaged outside specialists ... to assist us in our response and conduct a full investigation so we can fully understand what happened.

15 Sep (this afternoon): We have a team investigating the malware incident to determine if any data was impacted. We will share our findings as soon as we are able.

The service interruption had no ill effects on me or anyone I know of. But I'll be interested to learn what, if any, data concerning those 6,000+ properties and their residents was "impacted."
In recent years, patent trolls have started attacking open-source developers and companies. But the open-source community is fighting back.
https://www.zdnet.com/article/patent-troll-attacks-against-open-source-projects-are-up-100-since-last-year-heres-why/
https://www.theverge.com/2022/9/16/23356974/health-cybersecurity-devices-fbi-ransomware
https://www.engadget.com/microsoft-teams-has-been-storing-auth-tokens-in-plaintext-093510463.html
https://arstechnica.com/information-technology/2022/09/trojanized-versions-of-putty-utility-being-used-to-spread-backdoor/
https://9to5mac.com/2022/08/26/iphone-lockdown-mode-2/
https://www.macrumors.com/2022/09/16/watchos-9-breaks-spotify-streaming/
Apple and Google have added useful features to texting apps, yet the apps still lack a major component: an effective way to set limits. The pros of text messaging can easily turn into cons. Since texting typically takes only a few seconds and is widely considered the most urgent, attention-grabbing form of digital communication, it's difficult to set boundaries around texting with our colleagues and friends. Texting invites us to intrude on other people's time.
https://www.nytimes.com/2022/09/14/technology/personaltech/texting-ios-android.html

Don't answer? "Do not disturb"? Off? Plus gripes about various unrelated matters like Apple vs. Google, messaging insecurity, complexity, can't schedule sending messages, and waxes nostalgic for AOL Instant Messenger. Wanders unproductively far afield from messaging boundaries.
*The Boston Globe*, 14 Sep 2022
https://www.boston.com/real-estate/fall-house-hunt/2022/09/14/watch-it-legal-issues-arise-with-home-security-cameras
<https://www.hollywoodreporter.com/tv/tv-news/ed-markey-slams-amazon-wanda-sykes-ring-nation-1235205556/>

Tech giant Amazon is rolling out a new TV series about Rings, and it's not their billion-dollar blockbuster set in Middle-Earth. This show is called Ring Nation, and it will feature videos captured by Amazon's Ring home security cameras. The idea of a weekly TV series featuring surveillance videos has ticked off privacy experts, civil libertarians, and Senator Edward Markey, Democrat of Massachusetts. But it also proves that home security cameras are on the way to becoming as commonplace as lawn sprinklers.

We've still got a way to go. By the end of 2021, only about 14 percent of homes with broadband access had a network-connected security camera, while 15 percent owned a video doorbell, according to research firm Parks Associates. <https://www.parksassociates.com/blog/article/access-control-ecosystem--expanding-value> But with the surge in crime <https://time.com/6138650/violent-crime-us-surging-what-to-do/>, the percentage is likely to rise. And a 2021 survey by the National Association of Home Builders indicated that 70 percent of likely home buyers want security cameras, with 27 percent calling them a "must-have" feature.

When the concept was first patented by Marie van Brittan Brown <https://lemelson.mit.edu/resources/marie-van-brittan-brown#:~:text=African American inventor Marie Van,Jamaica, Queens, New York.> and her husband, inventors from Queens, N.Y., back in the 1960s, home-video technology was far too cumbersome and expensive for the average homeowner. Today, cameras cost between $100 and $400, depending on the features. They can shoot high-resolution video images and carry microphones that can pick up conversations 20 feet away. Some are completely wireless and powered by internal batteries or even solar cells, while using Wi-Fi to hook up with a home's broadband system. Videos can be viewed in real time over a smartphone connection or automatically stored in the Internet cloud for later viewing. This type of camera -- offered by major companies like SimpliSafe, Vivint, and Ring -- is something homeowners can set up easily.

But when people start pointing cameras and microphones at one another, certain issues arise. Like, what if your next-door neighbor complains that your camera invades his privacy? What if the microphone records people's private conversations? The law has little to say about such matters, according to Matthew Guariglia <https://www.eff.org/about/staff/dr-matthew-guariglia-0>, a policy analyst at the Electronic Frontier Foundation, an online civil liberties group. “There isn't a lot of protection for people from household surveillance devices,” Guariglia said.

If your camera is pointed at a part of your neighbor's property that's in plain view -- like the driveway, front porch, or even the backyard -- these are areas where the neighbor has no reasonable expectation of privacy. And people are watching. According to a survey Vivint released in May, nearly 25 percent of people with outdoor cameras use them to keep an eye on their neighbors. With one major exception: cameras that can see inside someone's home. In a 2014 ruling, the Massachusetts Supreme Judicial Court held that a homeowner could be sued for setting up a camera that can peer through the neighbor's windows. <https://scholar.google.com/scholar_case?case=15557137513272157927&q=Polay+v.+McMahon&hl=en&as_sdt=40000006&as_vis=1> And be even more careful about recording voices. Under Massachusetts law, you can't record someone's voice without their permission. Inadvertently picking up a few phrases is no big deal, but using your camera to eavesdrop deliberately could get you into trouble.

Another thing: What happens to all that recorded video and audio? Most of these systems store it online, where you can review it from any Internet-connected device. This makes home video systems a godsend for police forces, which routinely ask homeowners for captured footage of possible crimes. Lots of people are fine with this. A 2021 Consumer Reports survey indicated that 10 percent of video doorbell users have handed over footage to the police on request. <https://www.consumerreports.org/consumer-protection/curbs-on-neighbors-by-ring-dont-ease-privacy-rights-concerns-a1459419637/>

Millions of people who own Ring cameras use Amazon's social network Neighbors to share video footage with friends—and with law enforcement. When a crime is committed, police can log onto Neighbors and request video footage from all nearby Ring users. Compliance is entirely voluntary, most of the time. <https://www.aceableagent.com/blog/amazons-ring-launches-social-network-for-neighborhood-safety/> But Ring will also provide video recordings without the user's permission if the police come with a search warrant. In addition, Amazon said that in the first half of 2022, it handed over Ring videos to police 11 times without a warrant or user permission. The company said that these were extraordinary cases involving danger of death such as a kidnapping or an attempted murder. <https://www.businessinsider.com/amazon-gave-police-11-ring-doorbell-videos-without-consent-2021-2022-7>

Even more worrisome is the possibility that hackers could steal your stored videos or employees at the security company who have no right to see them will watch them. This actually happened at Ring several years ago, leading the company to toughen up its access policies. <https://www.theverge.com/2019/1/10/18177305/ring-employees-unencrypted-customer-video-amazon> If the prospect dismays you, Ring offers the option to encrypt all your videos automatically so that only you can unlock them.
Or you can opt for a security camera that allows you to store all video on a small hard drive, instead of keeping it online. Of course, a local drive could be lost or damaged or a savvy thief could cover his tracks by stealing it, which just goes to show that there's no such thing as perfect security.
Contacts, call logs, messages and photos from up to 10,000 travelers' phones are saved to a government database every year https://www.washingtonpost.com/technology/2022/09/15/government-surveillance-database-dhs/
The decision likely sets up a Supreme Court showdown over the future of online speech

The 5th Circuit Court of Appeals on Friday upheld a controversial Texas social media law that bars companies from removing posts based on a person’s political ideology, overturning a lower court’s decision to block the law from taking effect and likely setting up a Supreme Court showdown over the future of online speech. The ruling could have wide-ranging effects on the future of tech regulation, as states throughout the country consider legislation similar to the Texas law. The judges ruled that while the First Amendment guarantees every person’s right to free speech, it doesn’t guarantee corporations the right to “muzzle speech. [...]
https://www.washingtonpost.com/technology/2022/09/16/5th-circuit-texas-social-media-law/
Biden is completely wrong about Section 230 as relates to hate speech

Sad to say, President Biden in new remarks has continued to demonstrate an apparently fundamental misunderstanding of a key aspect of Section 230, in his continuing claim that rolling back 230 would help stop hate speech. In fact, what rolling back 230 would do is make virtually all User Generated Content (UGC) impractical, killing most discussion entirely. Who the blazes advises him on these issues?
[BREAKING: Reports of another data breach at Uber, with internal systems affected and extent unknown and/or not being made public. -L]

The Uber Hack Shows Push Notification 2FA Has a Downside: It's Too Annoying
https://www.vice.com/en/article/5d35yd/the-uber-hack-shows-push-notification-2fa-has-a-downside-its-too-annoying

[ADDED LATER: Another bad sign in the Uber hack

Another really bad sign in the Uber hack—in addition to their apparently not using security key tech for authentication—is the wide access the hacker got inside the corp net, exactly what zero trust security systems would have very likely prevented. -L]
https://www.theverge.com/2022/9/16/23356959/uber-hack-social-engineering-threats
[This is not a parody]

Chess Grandmaster accused of using anal beads to cheat receives offer to clear his name by playing nude
[If aliens decide Earth should be removed from the galaxy, this will probably be one of the leading exhibits. -L]
https://www.avclub.com/hans-niemann-anal-beads-chess-grandmaster-cam-site-1849545231

[Paul Wexelblat noted "A first!? article submitted to both RISKS and YUCKS."
https://metro.co.uk/2022/09/14/the-internet-thinks-a-chess-grandmaster-cheated-using-anal-beads-17370756/
to which Gene Spafford replied "Yucks is defunct, but I did publish it in the web-heads list!" PGN]
In 2017, Terry Gou, then CEO of electronics manufacturing giant Foxconn, announced in the White House's East Room that his firm would spend $10 billion to build a state-of-the-art megafactory in Wisconsin that would make LCD television and computer screens. "We are committed to creating great jobs for American people," Gou said at the press conference, promising 13,000 new jobs for Wisconsinites. The announcement spawned the Wisconn Valley Science and Technology Park and the aspiration that the cornfields of southeastern Wisconsin could become a global tech hub with the help of Foxconn, best known for producing iPhones for Apple. "We believe this will have a transformational effect on Wisconsin, just as Silicon Valley transformed the San Francisco Bay Area," Wisconsin’s then-Gov. Scott Walker declared at the press conference, alongside then-President Donald Trump and top Wisconsin lawmakers.

Now five years into the experiment, so-called Wisconn Valley has failed to live up to expectations. Instead of a sprawling 20-million-square-foot factory complex, Foxconn has built a far smaller campus. There is a 1-million-square-foot warehouse, a 260,000-square-foot "smart manufacturing center," a 120,000-square-foot "multipurpose building," and a 100-foot-tall glass globe that bulges from otherwise empty farmland like an otherworldly "orb," says Gordon Hintz, a member of Wisconsin’s state assembly. Nobody is quite sure what the buildings are being used for, though it’s clearly not manufacturing. "The whole thing has just been a joke," says Hintz. But the town of Mount Pleasant, home to the project, isn't laughing. [...]

To pay upfront for the Foxconn site and infrastructure such as water pipes and road upgrades, Mount Pleasant created a special district, called a tax increment financing, or TIF, district. It allowed the town to borrow $911 million on an annual budget of $23 million. "Let's say you have an income of $50,000," says Lawrence Tabak, author of Foxconned, a book about Foxconn's Wisconsin factory. "That would be like buying a $10 million house and then trying to figure out how you're going to pay the taxes and mortgage debt."
https://fortune.com/2022/08/04/foxconn-mount-pleasant-wisconsin-wisconn-valley-lcd-factory/
The National Security Agency (NSA) and friends have released "Securing the Software Supply Chain for Developers." The Enduring Security Framework (ESF), a public-private working group that provides security guidance on high-priority threats to the nation's critical infrastructure, wrote this report. https://thenewstack.io/nsa-software-supply-chain-guidance/
Yesterday's NASA: Apollo 13 has just suffered a major explosion with loss of fuel cells and oxygen and the Lunar Module equipment is not compatible with the Command Module's carbon dioxide scrubbing canisters. Engineers on the ground examine every item available to the astronauts on the spacecraft and devise a way to fix the problem using bits of plastic, cardboard manual covers and other items.

Today's NASA: The batteries on the Artemis emergency detonation system need recharging. We are on the ground, so have available the entire resources of NASA to fix the problem. The only solution that *this* generation of engineers on the ground can come up with is to tow the whole rocket four miles back to the assembly building where it can be plugged in and recharged.

As Gabe says, "No suitable extension cord". Also no suitable generator or battery pack or suitable skills to design one, apparently.
I see *two* problems:

1. WiFi CCTV cameras should always record locally (encrypted with PKE), even when WiFi isn't working. A 256GB SD card now costs $21 at Amazon. You may not get a real-time warning, but at least you'll still have the video (assuming you have the decryption key).

2. WiFi operates in Part 15 unlicensed spectrum. FCC says "Part 15 devices may not cause any harmful interference to authorized services and must ***accept any interference*** that may be received".

It is well-known that *spread spectrum* techniques can resist jamming (intentional or otherwise).

https://en.wikipedia.org/wiki/Spread_spectrum
"Resistance to jamming (interference). Direct sequence (DS) is good at resisting continuous-time narrowband jamming, while frequency hopping (FH) is better at resisting pulse jamming."

Spread spectrum techniques utilize so-called "process gain" (measured in dB) to overcome jamming interference. Since WiFi transmitters are limited in the amount of power they can utilize in overcoming jammers, they could in theory utilize more "process gain" to get their signal through. However, these techniques would dramatically reduce the transfer speed in Mbps, but at least the signal would get through.

The good news is that ***ultra wide band*** (UWB) is coming to devices near you.

https://www.osti.gov/biblio/1021131
"UWB offers low probability of detection (LPD), low probability of interception (LPI) as well as anti-jamming (AJ) properties in signal space"

https://en.wikipedia.org/wiki/Ultra-wideband
"Ultra-wideband characteristics are well-suited to short-range applications, such as PC peripherals, wireless monitors, ***camcorders***, wireless printing, and file transfers to portable media players. UWB was proposed for use in personal area networks, and appeared in the IEEE 802.15.3a draft PAN standard. However, after several years of deadlock, the IEEE 802.15.3a task group was dissolved in 2006. The work was completed by the WiMedia Alliance and the USB Implementer Forum. Slow progress in UWB standards development, the cost of initial implementation, and performance significantly lower than initially expected are several reasons for the limited use of UWB in consumer products (which caused several UWB vendors to cease operations in 2008 and 2009)."
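The direct-sequence argument in the post above (a spread link rides out a narrowband jammer that swamps an unspread link of the same bit rate, paying for its "process gain" with a proportionally lower data rate) as an added toy baseband simulation in Python; it is not code from the digest or its contributors, and the 127-chip m-sequence, the tone jammer 9.5 dB above the signal and the 20 Mchip/s chip rate are constructed assumptions:

```python
"""Direct-sequence spreading vs. a narrowband tone jammer, one sample per chip.
Added example; the spreading code length, jammer level and chip rate below
are constructed assumptions, not figures from the post."""
import math

CODE_LEN = 127  # one full period of a 7-stage m-sequence per data bit


def m_sequence(length=CODE_LEN, taps=(7, 1), seed=1):
    """Fibonacci LFSR with feedback x^7 + x^6 + 1 (primitive), as +/-1 chips."""
    state, chips, n = seed, [], max(taps)
    for _ in range(length):
        chips.append(1 if state & 1 else -1)
        fb = 0
        for t in taps:
            fb ^= (state >> (t - 1)) & 1
        state = (state >> 1) | (fb << (n - 1))
    return chips


def processing_gain_db(chips_per_bit):
    """Process gain of DS spreading: 10*log10(chip rate / bit rate)."""
    return 10 * math.log10(chips_per_bit)


def data_rate_mbps(chip_rate_mcps, chips_per_bit):
    """The price of that gain: the bit rate drops by the same factor."""
    return chip_rate_mcps / chips_per_bit


def text_to_bits(text):
    """ASCII payload as +/-1 data bits, MSB first (constructed test data)."""
    return [1 if (b >> (7 - i)) & 1 else -1 for b in text.encode() for i in range(8)]


def jammer(num_chips, amplitude, cycles_per_chip):
    """Continuous narrowband tone (constructed jammer), phase running across bits."""
    return [amplitude * math.cos(2 * math.pi * cycles_per_chip * k)
            for k in range(num_chips)]


def transmit(bits, code):
    """Every bit multiplies the whole code; an all-ones code means no spreading."""
    return [b * c for b in bits for c in code]


def receive(samples, code):
    """Correlate each bit-length block against the code and take the sign."""
    n, out = len(code), []
    for i in range(0, len(samples), n):
        corr = sum(s * c for s, c in zip(samples[i:i + n], code))
        out.append(1 if corr >= 0 else -1)
    return out


def bit_errors(bits, code, jam_amplitude=3.0, jam_cycles_per_chip=0.3 / CODE_LEN):
    """Decision errors for one code under a tone 20*log10(3) = 9.5 dB above the
    signal, at 0.3 cycles per bit, i.e. inside the unspread link's bandwidth."""
    tx = transmit(bits, code)
    jam = jammer(len(tx), jam_amplitude, jam_cycles_per_chip)
    rx = receive([s + j for s, j in zip(tx, jam)], code)
    return sum(1 for a, b in zip(bits, rx) if a != b)


def compare(text="RISKS"):
    """(errors without spreading, errors with DS spreading) for the same bits."""
    bits = text_to_bits(text)
    unspread = [1] * CODE_LEN  # same symbol length, no code: narrowband link
    return bit_errors(bits, unspread), bit_errors(bits, m_sequence())


if __name__ == "__main__":
    plain, ds = compare()
    print(f"processing gain: {processing_gain_db(CODE_LEN):.1f} dB")
    print(f"narrowband link errors: {plain}/40, DS link errors: {ds}/40")
    print(f"20 Mchip/s -> {data_rate_mbps(20, CODE_LEN):.3f} Mbit/s")
```

The despreader multiplies the tone by the code, which smears it across the full chip bandwidth so the per-bit correlator collects only a fraction of it, while the unspread correlator integrates the in-band tone coherently.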
Having telephone service independent of whatever may befall the electrical grid is nothing new. That's how we all started out in the 20th century. It is a fortunate accident of history that Alexander Graham Bell preceded Thomas Alva Edison, otherwise it might not have turned out that way. Imagine what it would have been like during, say, the 1965 Northeast U.S. power blackout if telephones had stopped working.
It appears that Rob Slade <rslade@gmail.com> said:
>In its new line of iPhones, Apple will be doing away with physical SIM
>cards, moving instead to a system it refers to as eSIM. This will be a
>software version of identification of the phone handset, and will be
>modifiable in order to change to new providers. ...

Samsung introduced an eSIM watch in 2015, and since 2019 eSIM phones have been available from Samsung, Motorola, Sony, Google, Huawei and others. The change in the iPhone 14 is that in North America it will ship without a physical SIM slot, just eSIM. Models sold in some countries will continue to have both, in China just physical SIMs.

I don't see any new threat here other than that if you have an account with a North American carrier that doesn't offer eSIM, you lose. But in practice other than some small MVNOs they all do. For people who travel and use different SIMs in different countries, eSIMs are a pain to swap, but that's not new either.

I would also have expected to hear of eSIM security attacks but so far I haven't. Maybe there are easier ways to attack a phone, like SIM swapping.
I just had a similar experience with Microsoft's help team for Outlook. I usually read my mail on Outlook's site, using Firefox. There's a bug which sometimes makes messages disappear from the Inbox. I reported it to Microsoft's help team and had a nice chat. When they heard that this problem does not happen on Chrome (or maybe I just don't use it often enough to encounter the bug), their reaction was something like "Oh, then it's a browser problem, Bye!" My comment that such a major application should work well on all major browsers, was simply ignored.
Regarding the practice of websites mandating Chrome: Yes, it's bad, but in a practical sense that's the world many of us are already living in. How often have you complained about some web site feature that isn't working for you in (e.g.) Firefox, only to be told by support that that's the way it is and you need to use Chrome to avoid the problem?
Ronan Farrow is a good reporter, but this time, quite unusually, he totally blew it. The people looking for info about Mudge are not Musk and his allies looking to discredit him. They are investment bankers and hedge funds using the expert networks they've been using for decades to figure out what their TWTR stock is worth. They only care whether Mudge is credible to see if he's going to have an effect on the outcome of the trial in Delaware. If Twitter wins, their stock is worth about $50, and if Musk wins, more like $20. (Informed observers say he won't.) The companies that connect investors with experts they pay for business info are nothing new or unusual, nor should it be surprising that the people asking about Mudge are doing so. Matt Levine noted this in his Bloomberg newsletter yesterday, as did Andrew Ross Sorkin in his NY Times Dealbook column today. The latter offered a link to an old story from 2001 about how the expert networks work: https://www.nytimes.com/2001/12/23/business/investing-it-s-not-what-they-know-but-whom.html They call me every few months, generally with a client who wants to understand Verisign's relationship with ICANN and USDoC.
Failure to document programs/routines is commonplace in the IT sector, and it is unarguably nice to have documentation of how programs/routines work and where their outputs are stored. But the fact is that programs get modified over time and the documentation doesn't always keep pace. In many cases the doc wasn't accurate to begin with. So there is something to be said for "self-documenting" code, if one is skilled enough to be able to read it.
I've seen it a number of times, on 3D printing sites and "gun nut" sites, that it costs $2-3 in filament to print a pistol frame/receiver good for a thousand-ish shots. But that is it: *filament* for *pistol frame*. No wear and tear on the printer, no electricity bill, no barrel, pin, springs, nor any other parts that make a working pistol, included. (Some rifle receivers apparently can be printed too, but require better quality filament and more of it.) Nor the program cost: some are free, many are not. I lived in Australia during its much hyped gun buy-back and saw pictures of heaps of rust for which the government had to pay, by law, a "fair market price of a weapon". So I don't really doubt the Houston "buy back program gone LOL/wrong" story in many cases. But I do very much doubt the "$3 gun".