Verge via NNSquad http://www.theverge.com/2014/9/8/6123801/pelosi-urges-title-ii-classification-of-broadband A good number of politicians have recently made statements in favor of net neutrality, but House Minority Leader Nancy Pelosi is going further than most of them today and asking that the Federal Communications Commission reclassify broadband as a utility using Title II of the Communications Act—exactly what net neutrality advocates have been pushing for. In a letter to FCC chair Tom Wheeler, Pelosi writes that Title II is "an appropriate tool to refine modern rules," and that it can do so without the FCC overburdening broadband providers.
Woody Leonhard | InfoWorld, 08 Sep 2014 August's Windows Installer Service patch causes wide range of inscrutable problems on Windows 7 and Windows 8 machines http://www.infoworld.com/t/microsoft-windows/microsoft-patch-kb-2918614-triggers-key-not-valid-use-more-errors-249973
Apple Media Advisory Update to Celebrity Photo Investigation http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple's engineers to discover the source. Our customers' privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved. To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232 .
Transforming Mobile Payments with an Easy, Secure & Private Way to Pay CUPERTINO, California--September 9, 2014--Apple today announced Apple Pay, a new category of service that will transform mobile payments with an easy, secure and private way to pay. Apple Pay works with iPhone 6 and iPhone 6 Plus through a groundbreaking NFC antenna design, a dedicated chip called the Secure Element, and the security and convenience of Touch ID. Apple Pay is easy to set up, so hundreds of millions of users can simply add their credit or debit card on file from their iTunes Store account. Apple Pay will also work with the newly announced Apple Watch, extending Apple Pay to over 200 million owners of iPhone 5, iPhone 5c and iPhone 5s worldwide. Apple Pay supports credit and debit cards from the three major payment networks, American Express, MasterCard and Visa, issued by the most popular banks including Bank of America, Capital One Bank, Chase, Citi and Wells Fargo, representing 83 percent of credit card purchase volume in the US.* In addition to the 258 Apple retail stores in the US, some of the nation's leading retailers that will support Apple Pay include Bloomingdale's, Disney Store and Walt Disney World Resort, Duane Reade, Macy's, McDonald's, Sephora, Staples, Subway, Walgreens and Whole Foods Market. Apple Watch will also work at the over 220,000 merchant locations across the US that have contactless payment enabled. Apple Pay is also able to make purchases through apps in the App Store. ... http://www.apple.com/pr/library/2014/09/09Apple-Announces-Apple-Pay.html [Given the troubles around the world with online payments, this might be an invitation to disaster. PGN]
Casey Johnston, Ars Technica, 9 Sep 2014, This marks a complete transition to Lightning connectors, in just two years. When apple.com returned after the event announcing Apple's new iPhone 6, 6 Plus, and Apple Watch, one of its longest-standing members was gone: the iPod classic. Along with it goes the 30-pin dock connector, marking a complete transition to the Lightning connector for Apple's entire mobile device fleet in exactly two years. ... http://arstechnica.com/gadgets/2014/09/ipod-classic-is-dead-and-the-30-pin-connector-along-with-it/
I'm glad they're not actually fixing the root problems like strengthening authentication or making brute force attacks harder, now as long as nobody goes on vacation or doesn't check email for a few days we'll all be safe! BTW if someone is attacking my iCloud account what exactly can I do about it? Randomly change my password and hope for the best? Is there any way to contact apple? Nope!
After reports of it struggling in the market, the device gets a $200 price cut. Ron Amadeo, Ars Technica, 8 Sep 2014 http://arstechnica.com/gadgets/2014/09/amazons-fire-phone-falls-to-99-cents-on-a-two-year-contract/
David Kravets, *Ars Technica*, 6 Sep 2014 FBI says it found main server via a "misconfiguration" of the login interface. The FBI easily found the main server of the now-defunct Silk Road online drug-selling site, and didn't need the National Security's help, federal prosecutors said in a Friday court filing. The underground drug website, which was shuttered last year as part of a federal raid, was only accessible through the anonymizing tool Tor. The government alleges that Ross Ulbricht, as Dread Pirate Roberts, "reaped commissions worth tens of millions of dollars" through his role as the site's leader. Trial is set for later this year. The authorities said Friday that the FBI figured out the server's IP address through a misconfiguration in the site's login window. They said that a US warrant wasn't required to search the Icelandic server because "warrants are not required for searches by foreign authorities of property overseas." ... http://arstechnica.com/tech-policy/2014/09/feds-say-nsa-bogeyman-did-not-find-silk-roads-servers/ http://cdn.arstechnica.net/wp-content/uploads/2014/09/silkroaddoc.pdf
John Ribeiro, Infoworld, 09 Sep 2014 A coalition of tech industry groups writes a letter to Senate leaders saying an erosion of trust is affecting their business abroad http://www.infoworld.com/t/federal-regulations/tech-industry-groups-ask-us-senate-swiftly-pass-nsa-curbs-250096
News surfaced yesterday in Russia about this leak (via Dave Farber) Apparently you can check if you are on it at isleaked.com, but it's under a lot of load and in Russian. There is a text box and a button and you want to see in the green box. http://www.dailydot.com/crime/google-gmail-5-million-passwords-leaked/
Ian Paul, PC World, InfoWorld, 09 Sep 2014 By injecting JavaScript ads into your browser, Comcast could be creating unintended security vulnerabilities http://www.infoworld.com/d/networking/comcasts-open-wi-fi-hotspots-inject-ads-your-browser-250141
Lucian Constantin, InfoWorld, 09 Sep 2014 A new version of the Dyreza online banking Trojan is stealing Salesforce.com log-in credentials http://www.infoworld.com/d/security/salesforcecom-warns-customers-of-malware-attack-250140
Cable lobby also implores FCC not to change definition of broadband. Jon Brodkin, *Ars Technica*, 8 Sep 2014 AT&T and Verizon have asked the Federal Communications Commission not to change its definition of broadband from 4Mbps to 10Mbps, saying many Internet users get by just fine at the lower speeds. ... http://arstechnica.com/business/2014/09/att-and-verizon-say-10mbps-is-too-fast-for-broadband-4mbps-is-enough/
David Kravets, Ars Technica, 9 Sep 2014 New York prosecutor says driving while texting is as dangerous as drunk driving. Motorists popped for texting-while-driving violations in Long Island could be mandated to temporarily disable their mobile phones the next time they take to the road. That's according to Nassau County District Attorney Kathleen Rice, who says she is moving to mandate that either hardware be installed or apps be activated that disable the mobile phone while behind the wheel. The district attorney likened the texter's punishment to drunk drivers who sometimes are required to breathe into a device before turning on the ignition. ... http://arstechnica.com/tech-policy/2014/09/penalty-for-driving-while-texting-in-long-island-a-disabled-cell-phone/
One major risk in the cyberwar arena is overplaying one's own hand. Here's a little calculation that I did last week that I hope might sober some people up a bit. NOBUS BOGUS: "Do You Feel Lucky, Punk?" Gen. Michael Hayden, former director of the NSA, has put forward the concept of "NOBUS" ("Nobody But US"). According to *The Washington Post*: "To a certain extent, this NOBUS idea reflects the weighing of the dual defensive and offensive mission of the NSA. ... But we're talking about the same agency that reportedly has a 600-some elite offensive hacker squad, Tailored Access Operations or TAO, working out of its headquarters. And NOBUS also raises a lot of questions about how the intelligence agency determines if something is likely to be exploited by adversaries." http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws/ Hayden's NOBUS concept depends critically on the U.S. having an overwhelming advantage in terms of *computer power* relative to its competitors -- particularly China. Hayden: "If there's a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think 'NOBUS' and that's a vulnerability we are not ethically or legally compelled to try to patch—it's one that ethically and legally we could try to exploit in order to keep Americans safe from others." China can obviously afford to build any computer it wants; it owns ~$1.3T of US debt, and China already makes many of the components needed for such computers. So "four acres of Cray computers" isn't much of a show-stopper for the Chinese. http://www.treasury.gov/ticdata/Publish/mfh.txt But based upon most reports of computer hacking I've read, the essential element for hacking success isn't *computer* power, but *hacker* power; i.e., human intelligence & hacking skill. 
Yes, the NSA might well have brute-forced a "collision attack" for STUXNET with four acres of Crays, but such brute force attacks are rare simply because there are so many other -- & far cheaper—hacks readily available. So, given the current level of IQ and STEM education in the U.S., "NOBUS" might just be a hollow (and therefore very dangerous) conceit.

In order to gain some better insight, I've developed a simple model of hacker skill analogous to *chess ratings*. Of course, there are no studies showing any correlation between chess ratings and hacker skills, nor even studies showing that the probability distributions of chess skills and hacker skills are similar. https://en.wikipedia.org/wiki/Elo_rating_system

Nevertheless, I speculate that hacker skills are indeed distributed in a manner similar to chess skills, and that hacker competitions might show similar statistics to chess competitions. Using these assumptions, I've done some calculations based on the mathematics of chess ratings (developed by Zermelo, a half-century before Elo). http://www.glicko.net/research/preface-z28.pdf

If hacker skills were distributed *logistically* like chess ratings, then one could calculate the probability of hacker A beating hacker B by looking at the arithmetic *difference* of a chess-like hacker rating. https://en.wikipedia.org/wiki/Logistic_distribution

Chess ratings seem to have a mean of perhaps 1130, and a standard deviation of perhaps 315. Since the probability of winning at chess is based only on the rating *differences*, we don't care very much about the mean.

A chess rating deficit of 382 gives a 10% chance of winning.
A chess rating deficit of 798 gives a 1% chance of winning.
A chess rating deficit of 1200 gives a .1% chance of winning.

We can rescale a chess rating-like system to a distribution that looks a lot more like an IQ distribution by setting the mean=100 and the 2.275% quantile at 130; i.e., only 2.275% of the population has an IQ greater than 130. (With this rescaling, the logistic distribution "s" parameter is about 8.0.) Let's call this rating system "HQ", for "Hacker Quotient", and I will presume that this HQ rating captures hacking skill levels.

An HQ deficit of 17.6 gives a 10% chance of winning.
An HQ deficit of 36.8 gives a 1% chance of winning.
An HQ deficit of 55.3 gives a .1% chance of winning.

China's population is ~1.355 billion, while the US population is ~318.679 million (Wikipedia). If N=600 is the size of NSA's TAO group, then TAO presumably represents the best 1.883x10^-4 % of the US population. But N=600 represents the best 4.428x10^-5 % of the Chinese population. If the tails of the distributions are thin, then the upper tail of a larger population will have a larger mean than that of a smaller population.

If China's mean HQ is 100, and the US's mean HQ is 98 (following the IQ difference between China and the US), the HQ deficit for the US TAO v. the Chinese TAO is 13.58, hence the US's chance of winning a hacker war is only 15.5%. If both the US and China's mean HQ is 100, the HQ deficit for the US TAO is only 11.58, hence the US's chance of winning a hacker war is then 19%.

The core insight is that due to the 4.25x population advantage, the top N (N=600) hackers in China are better than the top N hackers (i.e., NSA's TAO) in the US. If there is also a difference in the population mean HQ, then this effect is additive to the deficit due to population size. Since we are dealing with the sparse *tails* of these distributions, the uncertainty of these calculations is very high. Nevertheless, the overall conclusion is similar: *population size matters* when looking at extreme tails. I should also point out that the US Internet infrastructure is far more extensive than the Chinese infrastructure, so the US is a much juicier target for any hacking.
The US would suffer substantially greater damage from any maliciousness—particularly on a relative basis—and hence "people who live in glass houses shouldn't throw stones". I'm not so sure that the US wants to continue talking like Dirty Harry with long odds such as these. It would also behoove the US to *harden* all that glass—not just against nation-states, but against *all* malicious actors.
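The following is an added worked example, not part of the contributor's post, that reproduces the "HQ" arithmetic above under the post's own assumption of a logistic rating scale: it fits the scale parameter from the mean=100 / 2.275%-at-130 rescaling, tabulates the deficit-to-win-chance figures, and derives the population-size effect on the top-N tail. The closed form for the mean of the top fraction of a logistic population (integration by parts on the survival function) is my derivation, not something the post states; the population figures and N=600 are the post's.

```python
import math

# Added reproduction of the "HQ" calculation; the logistic model, the
# population sizes (318.679M US, 1.355B China) and N=600 come from the post.
# The conditional tail-mean formula below is an assumption I supply.

def fit_scale(mean, quantile_value, upper_tail_prob):
    """Logistic scale s such that P(X > quantile_value) == upper_tail_prob,
    using the logistic survival function 1 / (1 + exp((x - mean) / s))."""
    return (quantile_value - mean) / math.log(1.0 / upper_tail_prob - 1.0)

def win_prob(deficit, s):
    """Chance that the side rated `deficit` points lower wins."""
    return 1.0 / (1.0 + math.exp(deficit / s))

def deficit_for_win_prob(p, s):
    """Inverse of win_prob: the deficit that leaves a win chance of p."""
    return s * math.log(1.0 / p - 1.0)

def top_fraction_mean(mean, s, q):
    """Mean rating of the top fraction q of a logistic(mean, s) population.
    With threshold t = s*ln((1-q)/q) above the mean (so that S(t) = q),
    integrating by parts gives E[X | X > t] = t + s*ln(1 + e^(-t/s)) / q,
    and e^(-t/s) = q/(1-q). For tiny q this is roughly t + s."""
    t = s * math.log((1.0 - q) / q)
    return mean + t + s * math.log1p(q / (1.0 - q)) / q

def tao_deficit(us_mean, cn_mean, s, n=600, us_pop=318.679e6, cn_pop=1.355e9):
    """HQ gap between the best n of the US and the best n of China."""
    us_top = top_fraction_mean(us_mean, s, n / us_pop)
    cn_top = top_fraction_mean(cn_mean, s, n / cn_pop)
    return cn_top - us_top

S_EXACT = fit_scale(100.0, 130.0, 0.02275)  # about 7.98
S = 8.0  # the rounded value quoted in the post; used for the figures below

if __name__ == "__main__":
    print(f"logistic scale s = {S_EXACT:.3f}")
    for p in (0.10, 0.01, 0.001):
        d = deficit_for_win_prob(p, S)
        print(f"{p * 100:5.1f}% win chance at an HQ deficit of {d:.1f}")
    for us_mean in (100.0, 98.0):
        d = tao_deficit(us_mean, 100.0, S)
        print(f"US mean {us_mean:.0f}: TAO deficit {d:.2f}, "
              f"US win chance {win_prob(d, S) * 100:.1f}%")
```

For equal means the deficit collapses to almost exactly s times the log of the population ratio, which is where the "4.25x population advantage" enters: an HQ gap of about 11.6 is just 8.0 multiplied by ln(4.25).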
FYI—I don't know about kill switches for weapons, but I think that quite a number of us voters would like to see "automatic resign switches" for politicians who violate their campaign promises. I think that most of us would agree that lying and out-of-control politicians have done far more damage than any number of captured weapons. In particular, politicians are "captured" all the time by special interests. Wouldn't it be nice for the voters to be able to (Eric) Cantorize a politician who got too big for his/her britches? This wouldn't require any Constitutional or legal changes, but merely a computer-controlled lock box containing an irrevocable letter of resignation, which would be automatically and immediately opened by an online voting system after it tallied a simple majority "no confidence" vote of the electorate of his/her district/state/country. A politician could sign up for this service and tout it in his/her advertising. Otherwise, voters could safely assume that the politician was merely "blowing smoke". A more geeky solution could be developed using the Bitcoin blockchain & scripting language. http://www.nytimes.com/2014/09/09/us/politics/a-president-whose-assurances-have-come-back-to-haunt-him.html
FYI—But these systems don't work. But expect them to be used even more after Ferguson, even though (particularly because??) they don't work. These expensive systems are complete scams, but govts buy them to cover their asses (see, we've used "best practices"). Tami Abdollah, Technology Used to ID Troubled Cops, Sep 4 2014 http://www.officer.com/news/12001926/technology-used-to-id-troubled-cops Police departments across the U.S. are using technology to try to identify problem officers before their misbehavior harms innocent people, embarrasses their employer, or invites a costly lawsuit—from citizens or the federal government. While such "early warning systems" are often treated as a cure-all, experts say, little research exists on their effectiveness or—more importantly -- if they're even being properly used. Over the last decade, such systems have become the gold standard in accountability policing with a computerized system used by at least 39 percent of law enforcement agencies, according to the most recent data from the U.S. Bureau of Justice Statistics. The issue of police-community relations was thrust into the spotlight after an officer fatally shot Michael Brown in Missouri. Since then, departments have held public forums to build trust with residents. Some are testing cameras mounted to officers to monitor their interactions with the public. Experts say the early warning system can be another powerful tool to help officers do their jobs and improve relations, but it is only as good as the people and departments using it. "It's not a guarantee that you will catch all of those officers that are struggling," said Jim Bueermann of the nonprofit Police Foundation, which is dedicated to better policing. "These systems are designed to give you a forewarning of problems and then you have to do something." [Long item truncated for RISKS. PGN]
But you're steering and thus presumably watching the road. "Let the car do the work ... BUT remain alert"—currently people already drift off, lose focus, get hypnotized, and text while supposedly still driving. Increased automation (auto-mation?) and hands/foot-free driving can't help but worsen attention paid to driving. Alert? Not likely.
http://thenextweb.com/shareables/2014/08/19/watch-world-move-towards-smartphones-one-simple-chart/ I saw this plot when it first arrived on the web a few weeks ago (courtesy of Dave Farber's IP, IIRC). It takes only a minute or two to see that the animation is far more glitzy than accurate. For starters, it is clear that most of the national lines are extrapolated from a very small number of data points. Moreover, the few data points are likely derived from surveys with very different methodologies; the discrepancies are substantial. A clear example is India, in the lower left. It appears to be composed of three data points:

    date      PC      mobile
    3/2011    36.9%   22.9%
    3/2013    10.6%   12.8%
    3/2014    11.3%   22.1%

These numbers are simply not plausible. I have seen other Internet penetration numbers for India recently, that placed it at around 17% (independent of method). My *guess* is that the 2011 numbers actually represent growth rate, rather than %age of the population! Practically every country in the data shows some anomalous behavior. Indonesia shows an outright U-turn; Argentina and Thailand appear to suffer substantial declines in the actual number of Internet users via any platform, which seems unlikely. Korea shows a sudden sharp drop in PC use, over 10% in a year. Japan has an odd kink in its line in 2012, declining 10% in six months but then recovering. Bottom line, I think this is pretty hopeless.