
RISKS Digest 27.25

Friday 19 April 2013

The Boston Marathon bomber: Caught on film?

Kate Dailey via Monty Solomon <monty@roscom.com>

Date: Wed, 17 Apr 2013 23:38:20 -0400

Kate Dailey, BBC News Magazine, 17 April 2013

More personal videos are being shot now than ever before, and such footage could help identify the Boston Marathon bomber[s]. But how is that footage processed - and could civilians really solve the crime?

There was the marathon runner closing in on the finish line, and the businessman with offices in a prime position over Boylston Street.

And there were thousands of others crowding the last stretch of the Boston Marathon, all capturing the events before and after the bombs exploded.

"The reality is with the number of people who are carrying with them the equivalent of video camera, history is being documented by millions of people every day," says Karen North, director of University of Southern California's Annenberg Program on online communities.

Infusing video

In just over a decade, she says, the amount of video being shot by amateurs has increased dramatically - and so too, has the evidence available to law enforcement officials. ...

http://www.bbc.co.uk/news/magazine-22191029

How the Internet Accused a High School Student of Terrorism

PGN <neumann@csl.sri.com>

Date: Thu, 18 Apr 2013 16:12:10 PDT

Online morons nearly ruin innocent lives after Boston bombings (*New York Post*, 18 Apr 2013)

How the Internet Accused a High School Student of Terrorism: "Online sleuths thought they nailed two suspects in the Boston bombing—and there they were on the cover of the *New York Post* the next day. But now everyone's backpedaling in a big way." http://j.mp/17sAfJA (Daily Beast)

[Paul Saffo noted to me some remarkable annotated by-stander footage before and after the Boston Marathon bombing: http://imgur.com/a/sUrnA He later noted that "Now people are photoshopping pics with the FBI's suspects in them..." PGN] http://gawker.com/5995025/did-reddits-boston-bomber-sleuthing-actually-turn-up-a-decent-piece-of-evidence-update?tag=marathon-bombing

Citizen Surveillance Helps Officials Put Pieces Together

Fowler/Schectman <technews@HQ.ACM.ORG>

Date: Fri, 19 Apr 2013 11:39:20 -0400

*Wall Street Journal*, 17 Apr 2013, Geoffrey A. Fowler, Joel Schectman [via ACM TechNews, 19 Apr 2013]

The proliferation of surveillance technology to popular commercial products such as smartphones is proving to be a boon for criminal investigations, as evidenced by the U.S. Federal Bureau of Investigation using video surveillance from department store and restaurant cameras, along with photos from citizens, news organizations, and others, to help identify a suspicious individual at the Boston Marathon. Forrester Research says video surveillance technologies have been adopted by 68 percent of public-sector and 59 percent of private-sector companies, with another 9 percent planning to adopt them in the next two years. Furthermore, more than 1 billion people now own camera-equipped, Web-linked smartphones. Integrating forensic data from professional and personal sources has helped with earlier investigations, although a lack of full-frontal images makes facial recognition problematic in large probes. Moreover, collecting and sifting through the data is a major challenge, as Boston has one of 77 nationwide intelligence fusion centers used to pool data and conduct analysis, notes the Northern California Regional Intelligence Center's Mike Sena. Meanwhile, researchers at Boston's Northeastern University have organized a 10-person social media research team to run a project that would let people upload video from the marathon bombing to tag clues. http://online.wsj.com/article/SB10001424127887324763404578429220091342796.html

[This morning's news media report the seemingly definitive identification of the two suspected brothers, the shooting of one, and the manhunt in progress for the other. Not quite incidentally, some analysts report a considerable increase in popular acceptance of ubiquitous surveillance -- despite the privacy implications frequently discussed in RISKS. PGN]

The Shame of Boston's Wireless Woes

Dewayne Hendricks

Date: Wednesday, April 17, 2013

Anthony Townsend, *The Atlantic Cities*, 17 Apr 2013
http://www.warpspeed.com/wordpress

American Airlines computer glitch grounds flights

ibm36044 <ibm36044@sbcglobal.net>

Date: Wed, 17 Apr 2013 06:20:09 +0200

American Airlines had to ground all its flights across the US for several hours on Tuesday due to a fault with its computerized reservation system. The carrier halted all departures from about 13:30 ET (18:30 GMT), saying that it was working "to resolve this issue as quickly as we can". [Source: BBC News Business: 17 Apr 2013]

[Gene Wirchenko noted an article by Ashley Halsey III in *The Washington Post* giving the number 900 for flights grounded. PGN] http://www.washingtonpost.com/local/trafficandcommuting/computer-problem-grounds-american-airlines/2013/04/16/75d4c410-a6d3-11e2-a8e2-5b98cb59187f_story.html

[Bob Heuman noted a Fox News report that "American Airlines has fixed the computer glitch but not told anyone precisely what happened." PGN] http://www.foxnews.com/us/2013/04/16/american-airlines-reservations-system-down-flights-grounded-nationwide/

Venezuela constitution bans recounting of votes ...

Bob Heuman <robert.heuman@alumni.monmouth.edu>

Date: Thu, 18 Apr 2013 21:18:01 -0400

The Constitution forbids manual recounting of votes in a Presidential Election

You can read the full article, but the following is a quick summary of what I consider a risk we have discussed forever and a load of bull.... if they have really implemented a system that makes manual checking impossible.

CARACAS, 17 Apr 2013 (Xinhua)—Manual vote counting is not possible in Venezuela, the president of the Supreme Court said Wednesday amid opposition's request for an audit. "The electoral system is fully automated, so there is no manual counting. Anyone who thought that could really happen has been deceived," Luisa Estella Morales said at a press conference. Manual counting was canceled in Venezuela by the 1999 constitution, she said, adding [that] the majority of those asking for a manual count know it. http://news.xinhuanet.com/english/world/2013-04/18/c_132319635.htm

R. S. (Bob) Heuman North York, ON, Canada

Reclaiming the American Republic from the corruption of election funding

KurzweilAI via Michael Cheponis via Dewayne Hendricks <michael.cheponis@gmail.com>

Date: April 4, 2013 1:29:22 PM PDT

KurzweilAI, April 3, 2013
http://www.warpspeed.com/wordpress

Reinhart and Rogoff: 'Full Stop,' We Made A Microsoft Excel Blunder In Our Debt Study, And It Makes A Difference

Joe Weisenthal via Geoff Goodfellow <geoff@iconia.com>

Date: Wednesday, April 17, 2013

Joe Weisenthal, *Business Insider*, 17 Apr 2013 http://www.businessinsider.com/reinhart-and-rogoff-admit-excel-blunder-2013-4

The big talk in the world of economics continues to be the famous study by Carmen Reinhart and Ken Rogoff, which claimed that as countries see debt/GDP going above 90%, growth slows dramatically.

Economists have always been skeptical of the correlation/causality on this.

But yesterday, a new study emerged which claimed that Reinhart and Rogoff used a faulty dataset to make that claim and (most stunningly) had an Excel error that exacerbated the growth dropoff for countries with debt/GDP higher than 90%.

After the report dropped (and proceeded to blow up the Internet), Reinhart and Rogoff rushed out a quick statement claiming that the new study (which was done by some UMass professors) supported their thesis that growth slowed as debt to GDP got higher. And Reinhart and Rogoff were quick to reiterate that even they weren't necessarily implying causation on this (which may be true, but the fact that they say this is not well known to the politicians who are always citing the dreaded 90% level).

But in a new response, Reinhart and Rogoff admit they did make an Excel blunder, and that it mattered!

Here's the key part:... http://www.businessinsider.com/reinhart-and-rogoff-admit-excel-blunder-2013-4

http://geoff.livejournal.com * Geoff@iconia.com

Economic policy decisions may be affected by spreadsheet errors

Jeremy Epstein <jeremy.j.epstein@gmail.com>

Date: Wed, 17 Apr 2013 09:11:30 -0400

An error in a formula in an Excel spreadsheet seems to have led to some incorrect results about the effects of government debt, and thereby may have affected economic policy. The error, which was in a formula developed by the authors of a key paper and not in the Excel software itself, was that a cell contained the formula AVERAGE(L30:L44) where it should have said AVERAGE(L30:L49).

The error led to a small but significant discrepancy in conclusions, although the authors of the original paper are disputing how important the error is.

Perhaps we need methods for spreadsheet assurance, just as we need methods for assuring the security and reliability of our operating systems and applications?

WashPost: "The paper in question is Carmen Reinhart and Kenneth Rogoff's famous 2010 study—Growth in a Time of Debt—which found that economic growth severely suffers when a country's public debt level reaches 90 percent of GDP."

A further description and a rebuttal by Reinhart & Rogoff can be found at http://www.washingtonpost.com/blogs/wonkblog/wp/2013/04/16/is-the-best-evidence-for-austerity-based-on-an-excel-spreadsheet-error/

Another article (http://blogs.marketwatch.com/thetell/2013/04/16/the-spreadsheet-error-in-reinhart-and-rogoffs-famous-paper-on-debt-sustainability/) notes "Reinhart and Rogoff are not the only people to have difficulty navigating the Microsoft product. One of the reasons behind the so-called London Whale incident at J.P. Morgan, in which the bank took a $6.2 billion trading loss, was a spreadsheet error in their model."

Buggy spreadsheets and the economy

Valdis Kletnieks <Valdis.Kletnieks@vt.edu>

Date: Thu, 18 Apr 2013 19:26:20 -0400

In today's *New York Magazine*, Thomas Herndon explains how he found a problem with Reinhart and Rogoff's work that has been used as a basis for austerity spending by governments.

"I clicked on cell L51, and saw that they had only averaged rows 30 through 44, instead of rows 30 through 49."

Given the economic damage done by austerity spending over the past few years, this is quite likely by far the most expensive programming error ever made.

http://nymag.com/daily/intelligencer/2013/04/grad-student-who-shook-global-austerity-movement.html
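A spreadsheet-assurance check of the kind Epstein asks for, as an added example that is not from any of the posts above: it scans a small sheet for aggregate formulas whose range stops short of the contiguous numeric data in the referenced column, which is the L30:L44 versus L30:L49 defect Herndon describes. The sheet is a plain dict standing in for a workbook, and the twenty growth figures are constructed sample values, not Reinhart and Rogoff's data.

```python
import re
from statistics import mean

# Constructed sample sheet: column L holds 20 figures in rows 30-49 (made-up
# values) and L51 holds an averaging formula that stops at row 44, mirroring
# the defect described in the posts.
SHEET = {f"L{row}": float(v) for row, v in zip(range(30, 50),
         [3.0, 2.5, 2.8, 3.1, 2.9, 2.2, 2.6, 3.4, 2.7, 3.0,
          1.2, 0.8, 1.5, 1.1, 0.9, 1.0, 0.7, 1.3, 1.4, 0.6])}
SHEET["L51"] = "=AVERAGE(L30:L44)"

# Single-column aggregate formulas of the form =FUNC(COLn:COLm)
RANGE_FORMULA = re.compile(r"^=(AVERAGE|SUM|MIN|MAX)\(([A-Z]+)(\d+):([A-Z]+)(\d+)\)$")
AGGREGATES = {"AVERAGE": mean, "SUM": sum, "MIN": min, "MAX": max}


def is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def contiguous_extent(sheet, col, start_row):
    """Last row of the unbroken run of numeric cells in `col` beginning at `start_row`."""
    row = start_row
    while is_number(sheet.get(f"{col}{row + 1}")):
        row += 1
    return row


def evaluate_range(sheet, col, first, last, func):
    """Apply the aggregate to the numeric cells of col[first..last]."""
    values = [sheet[f"{col}{r}"] for r in range(first, last + 1)
              if is_number(sheet.get(f"{col}{r}"))]
    return AGGREGATES[func](values)


def audit_ranges(sheet):
    """Report every aggregate formula whose range ends before the contiguous
    numeric data it points at does, with the result as written and as it
    would be over the full run of data."""
    findings = []
    for cell, content in sheet.items():
        if not isinstance(content, str):
            continue
        m = RANGE_FORMULA.match(content.replace(" ", ""))
        if not m:
            continue
        func, col, first, col2, last = m.group(1), m.group(2), int(m.group(3)), m.group(4), int(m.group(5))
        if col != col2:
            continue  # multi-column ranges are out of scope for this check
        full_last = contiguous_extent(sheet, col, first)
        if full_last > last:
            findings.append({
                "cell": cell,
                "formula": content,
                "suggested": f"={func}({col}{first}:{col}{full_last})",
                "as_written": round(evaluate_range(sheet, col, first, last, func), 3),
                "full_range": round(evaluate_range(sheet, col, first, full_last, func), 3),
            })
    return findings


if __name__ == "__main__":
    for f in audit_ranges(SHEET):
        print(f"{f['cell']}: {f['formula']} -> {f['as_written']}; "
              f"{f['suggested']} -> {f['full_range']}")
```

On the constructed data the truncated average comes out at 2.247 against 1.935 over the full range, the same kind of shift the posts describe.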

The risks of/when not releasing your code & data

Paul Nash

Date: Friday, April 19, 2013

Quite apart from being "clumsy" with their Excel model, they forgot the first rule of research: correlation does not imply causation.

So when are they going to resign, and when are the various central bankers who used their model to impose austerity going to change tack? Or will they just brush it aside and get on with screwing the working man?

Vint Cerf Explains How to Make SDN as Successful as the Internet

Stacey Higginbotham via ACM TechNews <technews@HQ.ACM.ORG>

Date: Fri, 19 Apr 2013 11:39:20 -0400

Stacey Higginbotham, Google's Vint Cerf Explains How to Make SDN as Successful as the Internet (GigaOm.com) 16 Apr 2013

Google chief Internet evangelist and ACM president Vint Cerf believes that software defined networking (SDN) could benefit from some of the Internet's design flaws and lessons learned in creating the Internet. For example, open standards should be implemented, with differentiation stemming from branded versions of standard protocols rather than from patented protocols. Interoperability is essential for stable networks, and that requires standards, notes Cerf. As companies create SDNs, they also should take into account the successful design features of the Internet, including the loose pairing of underlying equipment instead of a heavily integrated solution, the modular approach, and open source technologies. However, he says SDNs can improve on the Internet's traffic routing, which now relies on sending packets to a physical port. Instead of this physical port, the OpenFlow protocol changes the destination address to a table entry, enabling a new type of networking that is better suited to the collaborative Web of the future. Another option could be content-based routing, in which the content of a packet determines its destiny. SDN's basic principle, dividing the control plane and the data plane, should have been incorporated into the Internet's design, Cerf notes. In the future, SDN could improve controlled access to intellectual property to help prevent piracy, and could bring together various existing networks. http://gigaom.com/2013/04/16/googles-vint-cerf-explains-how-to-make-sdn-as-successful-as-the-internet/

Video: "The Internet: A Warning From History"

Lauren Weinstein <lauren@vortex.com>

Date: Thu, 18 Apr 2013 16:19:28 -0700

"The Internet was one of the greatest disasters to befall mankind. Now its survivors share their experiences of the tragedy." http://j.mp/14A3HBy (YouTube via NNSquad)

[Caution: Grain of Salt required. PGN]

DDoS Attack Bandwidth Jumps 718%

Geoff Goodfellow <geoff@iconia.com>

Date: Apr 18, 2013 4:44 PM

The average bandwidth seen in distributed denial-of-service (DDoS) attacks has recently increased by a factor of seven, jumping from 6 Gbps to 48 Gbps. Furthermore, 10% of DDoS attacks now exceed 60 Gbps.

Those findings come from a new report released Wednesday by DDoS mitigation service provider Prolexic Technologies, which saw across-the-board increases in DDoS attack metrics involving the company's customers...
http://www.prolexic.com/knowledge-center-ddos-attack-report-2013-q1.html
http://www.informationweek.com/security/attacks/ddos-attack-bandwidth-jumps-718/240153084

http://geoff.livejournal.com * Geoff@iconia.com

Laptop goes up in flames

Jordan Graham via Monty Solomon <monty@roscom.com>

Date: Sun, 7 Apr 2013 15:21:58 -0400

Jordan Graham, *Boston Herald*, 7 Apr 2013
90 Framingham students displaced

An overheated laptop burst into flames inside a Framingham State University dorm room Friday in what officials warn is the latest in a string of computer-related fires.

Firefighters also were called to a blaze caused by a laptop in Western Massachusetts several weeks ago, and crews declared a Milford home a total loss two weeks ago after an unattended laptop left on some cardboard sparked an inferno, State Fire Marshal Stephen D. Coan said. ...

http://bostonherald.com/news_opinion/local_coverage/2013/04/laptop_goes_up_in_flames

How do you code a secure system?

Earl Boebert <boebert@swcp.com>

Date: Wed, 3 Apr 2013 13:36:28 -0600

Here's a screed I wrote for a journalist who asked "how do you code a secure system."

First, you don't code secure systems, you design them. All the important stuff takes place at a level of abstraction above that of coding. Once you have a design you have internalized both your problem and your solution. Coding is then mechanical, and code verification will be straightforward. So how do you get a design? Start by studying exploits that have defeated the kinds of systems you're interested in.

The various development life cycles attempt to sanitize the inherently dirty and reactive business of secure systems design. The late Rick Proto, who retired as the director of research for the National Security Agency said it best: "Theories of Security come from Theories of Insecurity." Or, in my favorite quote from Seneca, "There is a great deal of difference between a person who chooses not to sin and one who doesn't know how." Your goal in this phase is to become like Sherlock Holmes and have a first-class criminal mind without a criminal temperament. Being a good guy who thinks like a bad guy lets you have all the intellectual fun without running the risk of coming to a sticky end.

Your study of exploits should focus on forming Theories of Insecurity, factors that are common to whole classes of exploits. Stack games are a well known example. A good approach is to analyze exploits using the "bindings model." A binding is an important association between two values. For example, a system may maintain a binding between a user name and a set of privileges. A second binding may be between that user name and a human being. Important systems decisions may assume that both bindings are valuable, i.e., my access to my files. Exploits then can be characterized as breaking or forging significant bindings. Looking at things this way will get you familiar with two valuable concepts: bindings and dependencies.

After you've developed your Theories of Insecurity you then invert them to form your Theories of Security. If you're up on your systems engineering (which you should be) then the Theories of Security are, in effect, the specifications of the desired emergent properties of your system. They will almost all be expressed as negatives, that is, things that aren't supposed to happen. As such they will not be testable and must be verified (as far as possible) by analytic methods. What you've done so far will provide the basis for your analysis plan. Your object, and the best you can probably do, is to force attackers to expend the resources to come up with a new class of exploit, instead of sticking it to you by putting a systems-specific spin on something they already know how to do. And of course you have to do the functional requirements, the stuff that pays the rent, whatever problem your system is supposed to solve while being secure.

Then you go through the design process du jour and come up with a modular decomposition in the descriptive notation du jour and submit progress reports in the life cycle process du jour to keep the marketeers and spreadsheet jockeys happy. To keep yourself up on progress I strongly recommend the use of Earned Value Management, which you can implement with a sheet of graph paper you keep up on a nearby bulletin board. Within all this you submit your design to an intensive analysis from every direction you can think of. As a minimum you should understand how it enforces critical bindings and you should also construct a dependency diagram. This is a tree based on the "uses" concept Dave Parnas came up with 40 years ago or so. Module A "uses" Module B if the correctness of A depends on the correctness of B. Modules at the bottom (those that lots of things depend on) should be scheduled for extra scrutiny in the implementation stage. Circularities in the diagram are deadly. These are spots where A depends on B and B depends on A. A circularity means your modularity is an illusion, A and B are actually one "blob."

After you've got the cleanest design you can devise it's just a problem of pounding code in the implementation language du jour and integrating. The motto of the integration team should be "integrate early, integrate often." Put stuff together as soon as it's ready and feed it test cases that only touch the modules you have.

When it all works you have the victory celebration and deploy. Sooner or later you're going to get whacked. First thing you do after rolling the alert PR squadron is to analyze the exploit (which you should be good at by now) and determine if it is a variation on a class you thought you handled or something completely different. If it's a variation on a class you thought you handled then the chances are good there's a low-level coding flaw that can be patched. If it's something completely different then it's time for Rev 2, starting with a rethink of your Theory of Security and going all the way down to code.

And so it goes, round and round, white hats vs. black hats. Computer security fits the description a diplomat once gave of diplomacy: all you do is buy time, and if you buy enough time you get to die in bed and it becomes somebody else's problem :-)
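The dependency-diagram analysis Boebert describes (Parnas's "uses" relation, extra scrutiny for the modules at the bottom that many others depend on, and circularities as "blobs"), as an added example that is not part of his post. The module names and the uses relation below are a constructed hypothetical system, chosen so that one circularity is present.

```python
from collections import defaultdict

# Constructed "uses" relation for a hypothetical system: A uses B means the
# correctness of A depends on the correctness of B. Module names are made up.
USES = {
    "ui":        {"file_api", "audit"},
    "file_api":  {"authz", "audit"},
    "audit":     {"file_api", "storage"},   # audit <-> file_api is a circularity
    "authz":     {"session", "policy"},
    "session":   {"crypto"},
    "policy":    {"storage"},
    "storage":   {"crypto"},
    "crypto":    {"rng"},
    "rng":       set(),
}


def transitive_uses(uses, module):
    """Every module whose correctness `module` transitively depends on."""
    seen, stack = set(), list(uses.get(module, ()))
    while stack:
        m = stack.pop()
        if m not in seen:
            seen.add(m)
            stack.extend(uses.get(m, ()))
    return seen


def scrutiny_order(uses):
    """Modules ranked by how many others (transitively) depend on them.
    The head of the list is the bottom of the dependency diagram and gets
    the most implementation-stage scrutiny."""
    dependents = defaultdict(set)
    for m in uses:
        for dep in transitive_uses(uses, m):
            if dep != m:
                dependents[dep].add(m)
    return sorted(uses, key=lambda m: (-len(dependents[m]), m))


def circularities(uses):
    """Strongly connected components of the uses graph with more than one
    module (or a self-loop): each is a 'blob' whose modularity is an
    illusion. Implemented with Tarjan's algorithm."""
    index, low, on_stack, stack, blobs = {}, {}, set(), [], []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in uses.get(v, ()):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of a component
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            if len(comp) > 1 or v in uses.get(v, ()):
                blobs.append(frozenset(comp))

    for v in list(uses):
        if v not in index:
            visit(v)
    return blobs


if __name__ == "__main__":
    print("scrutiny order:", scrutiny_order(USES))
    print("blobs:", [sorted(b) for b in circularities(USES)])
```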

Fake Twitter accounts earn real money

Mark Thorson <eee@sonic.net>

Date: Sun, 7 Apr 2013 13:25:39 -0700

Fake followers and fake retweets have become a large and growing market.

"There are now more than two dozen services that sell fake Twitter accounts, but Mr. Stroppa and Mr. De Micheli said they limited themselves to the most popular networks, forums and Web sites, which include Fiverr, SeoClerks, InterTwitter, FanMeNow, LikedSocial, SocialPresence and Viral Media Boost. Based on the number of accounts for sale through those services -- and eliminating overlapping accounts—they estimate that there are now as many as 20 million fake follower accounts."

http://bits.blogs.nytimes.com/2013/04/05/fake-twitter-followers-becomes-multimillion-dollar-business/

As the technology of software to create and manage large numbers of fake entities is refined, how will people discern real from fake? They won't, and a putative Twitter follower will have as little value as a review on Yelp.

French homeland intelligence threatens a volunteer sysop to delete Wikipedia Article

Lauren Weinstein <lauren@vortex.com>

Date: Sat, 6 Apr 2013 12:08:59 -0700

http://j.mp/16C8Cxn (Wikimedia France)

"Unhappy with the Foundation's answer, the DCRI summoned a Wikipedia volunteer in their offices on April 4th. This volunteer, who was one of those having access to the tools that allow the deletion of pages, was forced to delete the article while in the DCRI offices, on the understanding that he would have been held in custody and prosecuted if he did not comply. Under pressure, he had no other choice than to delete the article, despite explaining to the DCRI this is not how Wikipedia works. He warned the other sysops that trying to undelete the article would engage their responsibility before the law. This volunteer had no link with that article, having never edited it and not even knowing of its existence before entering the DCRI offices. He was chosen and summoned because he was easily identifiable, given his regular promotional actions of Wikipedia and Wikimedia projects in France."

The return of "Vichy France" mentalities, apparently.

An English language version of the Wikipedia article

Lauren Weinstein <lauren@vortex.com>

Date: Sat, 6 Apr 2013 12:30:40 -0700

Here is apparently an English language version of the article that France attempted to censor with threats.

http://j.mp/16CbqKF (Google+)

This apparently is a newly translated version of the French Wikipedia article that France attempted to censor by threatening a non-associated Wikipedia volunteer in France. And it wasn't lobbying—it was direct threats. (English and French material.)

"Streisand Effect" fully engaged.

American Express Australia Mail Merge Stuff-up

Don Gingrich <gingrich@internode.on.net>

Date: Wed, 17 Apr 2013 13:02:55 +1000

I just received an e-mail on 11 April from AMEX touting a few current offers, but the name in the message was not mine—luckily the final digits *were* from my card, though it could also have been his and, though unlikely, just happened to be the same.

When I contacted AMEX about it I received the following:

- ------

Dear Cardmember,

On the 11th April 2013 you received an e-mail from us entitled 'Enjoy more rewards in more places'. Due to a technical issue this e-mail was incorrectly addressed.

We confirm this e-mail and the offers enclosed were intended for you. We would also like to assure you that your privacy and security has not been compromised in any way.

We would like to sincerely apologise for any confusion this may have caused to you.

Yours sincerely,

American Express Australia

- ------

This apparently went out to everyone who received the original message.

The real problem for me was the lack of awareness on the part of the person with whom I spoke at AMEX. It took a long time to convince them that this sort of stuff-up is a real problem. I'm also not completely convinced of the statements in the second paragraph.