Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
http://www.cnn.com/2017/12/17/us/atlanta-airport-power-outage/index.html [This one is in need of some definitive explanation. There are reports that some Georgia power equipment might have failed, caught fire, and damaged adjacent circuit cables and switches, wiping out redundant backup facilities. If that is the case, this is just one more example of bad system design. PGN]
RISKS includes numerous discussions of air travel risks, from vulnerabilities in airplane software, to crashes in airline reservation systems, pricing errors, etc. This one is more mundane—a bug in American Airlines' pilot scheduling software allowed too many pilots to request vacation during the busy holiday travel season. The result is not enough pilots to fly all the scheduled flights, although the airline and unions disagree on how many flights will be affected. https://www.washingtonpost.com/news/dr-gridlock/wp/2017/11/30/american-airlines-says-only-a-few-hundred-flights-are-without-pilots-for-christmas-travel/
[UK news service] Hackers took 'full control' of container ship's navigation systems for 10 hours In February 2017 hackers reportedly took control of the navigation systems of a German-owned 8,250 teu container vessel en route from Cyprus to Djibouti for 10 hours. "Suddenly the captain could not manoeuvre," an industry source who did not wish to be identified told Fairplay sister title Safety At Sea (SAS). "The IT system of the vessel was completely hacked." There are three German shipowners that operate eight vessels between 8,200 and 8,300 teu, according to IHS Markit data, one of which confirmed knowledge of the attack to SAS but denied it was a vessel from their own company. While details are limited, according to the source, the 10-hour attack was carried out by "pirates" who gained full control of the vessel's navigation system intending to steer it to an area where they could board and take over. The crew attempted to regain control of the navigation system but had to bring IT experts on board, who eventually managed to get them running again after hours of work. rest: https://www-asket-co-uk.cdn.ampproject.org/c/s/www.asket.co.uk/single-post/2017/11/26/Hackers-took-full-control-of-container-ships-navigation-systems-for-10-hours-AsketOperations-AsketBroker-ELouisv-IHS4SafetyAtSea-TanyaBlake-cybersecurity-piracy-shipping
An amusing observation on Twitter: https://twitter.com/joelrubin/status/938574971852304384 "The Los Angeles Police Department asked drivers to avoid navigation apps, which are steering users onto more open routes—in this case, streets in the neighborhoods that are on fire." https://twitter.com/rhenderson/status/938800585553219586 having an algorithm drive you straight into a climate change caused inferno is an extremely 2017 way to go. rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
Yara, a shipping company out of Oslo, Norway, in partnership with Kongsberg <https://www.km.kongsberg.com/>, a maritime engineering group also out of Norway, has created an autonomous container ship, the Yara Birkeland, that is set to hit the high seas in 2018. This ocean-going vessel will be manned by a crew of none. It's completely driverless. https://devops.com/when-big-automation-too-big-comfort/ The risks? This one's too easy...
via NNSquad https://www.geekwire.com/2017/reported-google-update-glitch-disconnects-student-chromebooks-schools-across-u-s/ Tens of thousands, perhaps millions, of Google Chromebooks, widely prized by schools due to their low cost and ease of configuration, were reported to be offline for several hours on Tuesday. The apparent cause? A seemingly botched WiFi policy update pushed out by Google that caused many Chromebooks to forget their approved network connection, leaving students disconnected. I agree: Requiring large fleets of Chromebooks to be manually re-associated with their Wi-Fi networks cannot be called a practical solution. And of course, most Chromebooks have never been on Ethernet since most people don't have the requisite USB<->Ethernet adapters.
NNSquad https://www.theverge.com/2017/12/11/16761016/former-facebook-exec-ripping-apart-society Another former Facebook executive has spoken out about the harm the social network is doing to civil society around the world. Chamath Palihapitiya, who joined Facebook in 2007 and became its vice president for user growth, said he feels "tremendous guilt" about the company he helped make. "I think we have created tools that are ripping apart the social fabric of how society works," he told an audience at Stanford Graduate School of Business, before recommending people take a "hard break" from social media. Palihapitiya's criticisms were aimed not only at Facebook, but the wider online ecosystem. "The short-term, dopamine-driven feedback loops we've created are destroying how society works," he said, referring to online interactions driven by "hearts, likes, thumbs-up." "No civil discourse, no cooperation; misinformation, mistruth. And it's not an American problem—this is not about Russians ads. This is a global problem."
Jim Finkle, Reuters https://reut.rs/2AGTjhA (Reuters)—Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber-investigators and the firm whose software was targeted. FireEye Inc (FEYE.O) disclosed the incident on Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE (SCHN.PA). FireEye and Schneider declined to identify the victim, industry or location of the attack. Cybersecurity company Dragos said the hackers targeted an organization in the Middle East, while a second firm, CyberX, said it believe the victim was in Saudi Arabia. It marks the first report of a safety system breach at an industrial plant by hackers, who have in recent years placed increasing attention on breaking into utilities, factories and other types of critical infrastructure, cyber-experts said. Compromising a safety system could let hackers shut them down in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks, they said. Safety systems could be fooled to indicate that everything is okay even as hackers damage a plant, said Galina Antova, co-founder of cybersecurity firm Claroty.
this has been slashdotted: https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14 https://www.itworldcanada.com/article/searchable-database-of-1-4-billion-stolen-credentials-found-on-dark-web/399810?sub=&utm_source=263010&utm_medium=dailyitwire&utm_campaign=enews&scid=49d88d60-2122-4bb5-f4b3-4e601d76c6d3
- *Scarab malware is being sent out by Necurs, the largest email spam botnet ever* - *Infected files are hidden in fake scanned documents that appear to be legitimate* - *Once an attached 7zip is opened, malware takes over your computer and files* - *A text file which then pops up threatens to erase them if the ransom isn't paid* Millions of computers are at risk of infection by a virulent spam attack that threatens to destroy your files, unless you pay a Bitcoin ransom. The Scarab malware is being distributed by Necurs, the Internet's largest email spam botnet, which has been used in a number of previous online onslaughts. Within the first six hours of the attack 12.5 million emails had been distributed, with more than two million messages being sent out per hour at its height. [...] http://www.dailymail.co.uk/sciencetech/article-5121105/Worlds-biggest-botnet-sent-12-5-million-emails.html
Department of Homeland Security is studying the security and privacy of mobile apps used within federal, state and local government including by first responders. Of 33 first responder apps studied, 32 had security flaws. Once the flaws were found, the application developers were able to rectify the flaws in about one hour of coding. Project Website: https://www.dhs.gov/science-and-technology/csd-mobile-app-security Press Release: https://www.dhs.gov/science-and-technology/news/2017/12/18/news-release-st-pilot-project-helps-secure-first-responder
3 Blockchain Credit Agencies Changing Our Relationship With Money http://www.makeuseof.com/tag/blockchain-credit-agencies/ Why You Should Keep Your Bitcoin in Cold Storage http://www.makeuseof.com/tag/bitcoin-crypto-cold-wallets/ What could go wrong? Add up all the con arguments. And "con", of course, has multiple meanings.
https://www.nytimes.com/2017/11/26/business/initial-coin-offering-critic.html As I understand it, in an ICO, you invent a new virtual currency (because there aren't enough of them, yet, and the world needs more) and sell it for Bitcoin or cash or whatever. Hey, I could probably do that. So this former SEC regulator thinks that maybe this isn't such a good idea: 'ICOs represent the most pervasive, open and notorious violation of federal securities laws since the Code of Hammurabi,' Mr. Grundfest said in an interview. What could possibly go wrong?
https://www.coindesk.com/south-korean-bitcoin-exchange-declare-bankruptcy-hack/ 'The cyber-attack is the second for Youbit, previously known Yapizon. The exchange was previously targeted in April in an attack which South Korean officials believe was conducted with the support of neighboring North Korea. Recent reports indicate that intelligence services in South Korea suspect that North Korea is behind additional attacks against domestic cryptocurrency exchanges, including market-leader Bithumb.'
Help is in sight for that batch of early-Bitcoin-adopters who are sitting on untapped bounties because they've forgotten the passwords needed to get into their wallets. A hypnotist in South Carolina has recently begun offering to help people recall forgotten passwords or find misplaced storage devices. Jason Miller charges one bitcoin plus 5% of the amount recovered—though he claims that rate is flexible. “I've developed a collection of techniques that allow people to access older memories or see things they've put away in a stashed spot,'' he told *The Wall Street Journal*. A number of investors who bet on Bitcoin years ago are now in a painful limbo. In the way that bank accounts are protected by passwords, Bitcoin wallets that use keys to transact are also typically guarded by complex security codes. However, unlike a bank, Bitcoin has no central hotline to call for a reset. http://fortune.com/2017/12/20/bitcoin-investors-hypnotherapy/ The risks? being human, being careless, being idiotic?
CryptoKitties game threatens capacity of Ethereum blockchain. http://www.taipeitimes.com/News/biz/archives/2017/12/06/2003683493
New Study: Data breaches have been a headache for many years and for a long time there seemed to be a general apathy about them. Our sense was that things may have changed in the wake of the most severe breach ever—the theft of 145 million social security numbers and other sensitive data from Equifax—which leaves most Americans with the burden of having to monitor for identity theft for the rest of their lives. Against this backdrop, we decided to find out how aware Americans are of cybersecurity threats and risks, how concerned they are about getting their information stolen, and what they might be doing, or more importantly, not doing about it. We also wanted to learn if recent breaches have caused Americans to change their behavior at all. Tenable recently commissioned a survey, conducted online by Harris Poll of more than 2,000 U.S. adults, to determine how data breaches—and media attention around them—are impacting consumers' perceptions about their online security and their behavior. https://www.tenable.com/blog/new-study-many-consumers-lack-understanding-of-basic-cyber-hygiene No surprises; chat with nearly any non-tech person to learn this...
McLean-Based Hilton to Begin Rolling Out High-Tech "Connected Rooms" McLean, Va.—*Hilton*, the McLean-based hospitality giant, said on Thursday it plans to begin rolling out what it calls "connected rooms"—high-tech guest rooms that let users control most aspects of their stay from their mobile device. Currently in beta testing, the concept will allow guests to use their Hilton Honors app to manage most things they would traditionally do manually, from controlling the temperature and lighting to the TV and window coverings. Users also will be able to load the most popular streaming media and other accounts to in-room TVs. In the longer-term, Hilton said that guests will be able to use voice commands to control their room or access their content, and to upload their own artwork and photos to display on walls. "The technology we put in hotel rooms has to be intuitive, simple and quick to pick up because guests typically spend a limited amount of time in their rooms," said Joshua Sloser*, the company's senior vice president of digital product. Hilton said it will begin scaling the concept rapidly to hotels across the United States over the coming weeks. http://trk.cp20.com/click/l8ns2-cxcu8y-7fgw0x86/> http://www.businesswire.com/news/home/20171207005545/en/Hilton-Announces-%E2%80%98Connected-Room%E2%80%99-Mobile-Centric-Hotel-Room <http://trk.cp20.com/click/l8ns2-cxcu8z-7fgw0x87/> What could go wrong? Screaming at your hotel room because it can't understand you—voice control in my car sure isn't 100% accurate/compliant. Hilton app always listening to what goes on in the room. Tech support demands on ... bell staff, maybe.
It's nice to take a free trip using credit card rewards. Unfortunately, criminal gangs feel the same way and are stealing other people's rewards points—including those for British Airways and booking site Orbitz—in order to resell them on the Internet. The rewards scam, which began in Russia but has since spread to English and Spanish speaking markets, represents yet another frontier for cybercriminals to make money by hacking consumer accounts. http://fortune.com/2017/11/27/frequent-flyer-hotel-rewards-scams/
https://gizmodo.com/microsoft-researcher-details-real-world-dangers-of-algo-1821129334 Sidney Fussell <//kinja.com/sidneyfussell> [LONG, TRUNCATED. PGN] The Trouble With Bias at NIPS 2 However quickly artificial intelligence evolves, however steadfastly it becomes embedded in our lives—in health <http://fortune.com/2017/10/30/ai-early-cancer-detection/>, law enforcement <https://www.washingtonpost.com/local/public-safety/police-are-using-software-to-predict-crime-is-it-a-holy-grail-or-biased-against-minorities/2016/11/17/525a6649-0472-440a-aae1-b283aa8e5de8_story.html?utm_term=.37a7d249ff8a>, sex <https://gizmodo.com/the-future-of-online-dating-is-unsexy-and-brutally-effe-1819781116>, etc.—it can't outpace the biases of its creators, humans. Microsoft Researcher Kate Crawford delivered an incredible keynote speech, titled The Trouble with Bias, at Spain's Neural Information Processing System Conference on Tuesday. In Crawford's keynote, she presented a fascinating breakdown of different types of harms done by algorithmic biases. As she explained, the word "bias" has a mathematically specific definition in machine learning, usually referring to errors in estimation or over/under representing populations when sampling. Less discussed is bias in terms of the disparate impact machine learning might have on different populations. There's a real danger to ignoring the latter type of bias. Crawford details two types of harm: allocative harm and representational harm. “An allocative harm is when a system allocates or withholds a certain opportunity or resource,'' she began. It's when AI is used to make a certain decision, let's say mortgage applications, but unfairly or erroneously denies them to a certain group. She offered the hypothetical example of a bank's AI continually denying mortgage applications to women. She then offered a startling real world example: a risk assessment AI routinely found that black criminals were a higher risk <https://www.propublica.org/article/machine-bias-risk-assessments-in-criminal-sentencing> than white criminals. (Black criminals were referred to pre-trial detention more often because of this decision.)
Cyberterrorists have the potential to put millions of lives at risk by hacking <https://www.thetimes.co.uk/article/hackers-could-take-control-of-cars-and-kill-millions-ministers-warned-fx8gv5sk7> the sophisticated cars on 21st Century roadways, one expert has warned. The caution comes amid a host of technological advances pervading the automotive industry. “The current state of vehicles on the road today—the new, modern car, not even self-driving—have become rolling computers,'' said John Simpson, Consumer Watchdog's privacy project director. <http://www.detroitnews.com/story/business/autos/mobility/2017/11/15/carmakers-stuggle-robot-car-hacking-fears/107696450/> And it's suggested that any computer is open to being hacked. In 2015, the National Highway Traffic Safety Administration recalled nearly 1.5 million vehicles over fears that they could potentially be compromised. https://www.westernjournal.com/experts-warn-terrorists-kill-millions-remotely-hacking-peoples-cars/ ...not exactly news, though useful recap and alert. Interesting appeal at end, hardly related to this article: The Western Journal strives to achieve the highest conservative values, editorial standards and truth in journalism, all of which are under attack. Your donation funds the fight against mainstream media corruption and helps us reach millions of readers around the world with the truth.
One unanticipated effect of combining trip-planning applications that use "real time" data with disaster events such as the yuge fire in the LA area: "The Los Angeles Police Department asked drivers to avoid navigation apps, which are steering users onto more open routes—in this case, streets in the neighborhoods that are on fire." http://www.latimes.com/local/california/la-me-southern-california-wildfires-live-firefighters-attempt-to-contain-bel-air-1512605377-htmlstory.html
"The Los Angeles Police Department asked drivers to avoid navigation apps, which are steering users onto more open routes—in this case, streets in the neighborhoods that are on fire."
https://9to5mac.com/2017/12/01/ios-11-security-hole-elcomsoft/ Changes to the way that Apple protects encrypted iOS backups leave devices more vulnerable to certain types of attack, says ElcomSoft, a Russian company used by law enforcement agencies and others to access iPhones. However, it only applies if the attacker has physical access to the device and can crack the passcode. The changes were deliberately introduced as part of iOS 11 <https://9to5mac.com/guides/ios-11/>
http://www.smh.com.au/technology/consumer-security/aami-suncorp-suspend-online-insurance-quote-feature-over-burglary-fears-20171204-gzyo1c.html “One of Australia's largest home and contents insurers has suspended a new online feature that made private details about the security of peoples' homes publicly accessible, including whether monitored alarm systems were installed on their premises.'' It seems that those seeking quotes for their address found that some fields were pre-filled from a previous quote, all in the name of making it easy, of course. Well, it sure made it easy for any potential burglars interested in knocking that place over, such as whether deadlocks were likely fitted, burglar alarms, etc. Gadzooks; didn't anyone think? Dave Horsfall, North Gosford NSW 2250, Australia
ACTION AT LAST ON ELECTION SECURITY?—After months of debate but little action, there appears to be a modicum of momentum building on Capitol Hill to address some of the security shortcomings that voting integrity experts say threaten to undermine the upcoming midterm elections. Several lawmakers made public pleas for movement on Friday and a bipartisan group of senators are expected to drop an election security bill this week. THE BILL: The upcoming legislation is aimed at greasing the information-sharing channels that connect the Homeland Security Department, the intelligence community and state election offices. Election officials said an inability to effectively swap data on hacker threats during the 2016 election left many in the dark about the digital invaders that were probing the country's election networks. The proposed bill—backed by Republicans Sens. Lindsey Graham and James Lankford, as well as Democrats Sens. Kamala Harris and Amy Klobuchar—would also earmark additional resources for states to bolster their digital defenses, according to an aide to one of the lawmakers. The group is eager to get the legislation passed before the 2018 midterm primaries, the aide said.
nor any word for "irony". :-) https://www.bleepingcomputer.com/news/government/germany-preparing-law-for-backdoors-in-any-type-of-modern-device/ Catalin Cimpanu 5 Dec 2017 Germany Preparing Law for Backdoors in Any Type of Modern Device German authorities are preparing a law that will force device manufacturers to include backdoors within their products that law enforcement agencies could use at their discretion for legal investigations. The law would target all modern devices, such as cars, phones, computers, IoT products, and more. Officials are expected to submit their proposed law for debate this week, according to local news outlet RedaktionsNetzwerk Deutschland (RND). Difficulties in investigating modern crime, terrorist attacks The man supporting this proposal is Thomas de Maizière, Germany's Interior Minister, who cites the difficulty law enforcement agents have had in past months investigating the recent surge of terrorist attacks and other crimes. The Interior Minister says that police officers are having a hard time investigating cases because smart devices are warning owners before officers could do anything about it. The Minister cites the cases of smart cars that alert an owner as soon as the car is shaken, even a little bit. He says he'd like police to be able to intercept that warning and stop it when investigating a case. De Maizière claims that companies have a "legal obligation" to introduce backdoors for the use of law enforcement agencies and he also wants to require the industry to disclose its "programming protocols" for future analysis. This latter clause could allow German officials to force companies to disclose details about their encrypted communication practices. German officials want "Hack Back" clause Furthermore, the new law would also give German officials powers akin to the "Hack Back" bill proposed in the US, allowing authorities the power to hack any remote computer. The Minister says this is important to "shut down private computers in the event of a crisis," such as is the case with botnet takedowns. But privacy advocates who also read the new law proposal say the text also contains verbiage that would allow the German state to intercept any traffic on the Internet [1, 2], effectively setting up a surveillance state with full snooping powers over everyone's online communications. Experts called for caution before approving the new law, which could be abused in its current state. German authorities anticipated such reaction and said that any access to such data would be allowed only after law enforcement have obtained a court order. But the problem with encryption backdoors is not how you access them, but that they exist in the first place and that they could be abused by ill-intent actors as well. Concerted efforts to weaken encryption across the globe The law proposal is not a surprise for people who've been keeping an eye on such things. There are concerted efforts going on in Germany, France, and the UK to introduce legislation for mandatory encryption backdoors. In fact, de Maizière and his French counterpart even signed a joint letter they sent to the European Commission that supported encryption backdoors. Similarly, the fight for encryption backdoors has been recently reopened in the US as well, after a series of comments made by US Deputy Attorney General Rod Rosenstein. While the EU was very clear it does not intend to support the introduction of laws that allow for generic encryption backdoors, in March 2017, the European Commission offered its support for a plan that would allow law enforcement to access data exchanged via encrypted instant messaging services, such as WhatsApp, Telegram, Signal, and others. Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.
Already struggling with its workload, the agency must start adapting systems to the new tax code while processing returns under the old one. https://www.nytimes.com/2017/12/18/business/irs-tax-bill.html The risk? Starving IT infrastructure and staffing while expecting everything to work just fine. Also, of course, nonsense reporting like: Updating the agency's vast computer system is also a gargantuan undertaking. The IRS (along with much of the federal government and major financial institutions) uses a computer programming language called Cobol, developed almost 60 years ago. Almost every coding change will, in effect, have to be entered by hand. ...disparaging Cobol because it's been used for a while (and sounding like it's unchanged since initial development), and being alarmed at making coding changes "by hand". As opposed to how?
More than a third of U.S. federal websites are missing key elements of online security architecture, according to a report released Monday by the Information Technology & Innovation Foundation (ITIF). Out of 469 government websites surveyed by ITIF, just 36% passed the test for both Domain Name System Security (DNSSEC) and Secure Sockets Layer (SSL) certificates. These two security features are crucial elements of online security, without which browsing can be insecure. Federal government websites still require significant improvement. Doing so will help ensure that the many Americans who routinely use the Internet to access government services and information can continue to do so. http://fortune.com/2017/11/28/us-federal-websites-security-test-failure/ The risk? Things don't change much.
[via David Farber] So, yet another issue to give us angst: how to take it when your car becomes more popular than you are? As I read this, the researchers are proposing that it would be helpful if your car were socially networked, i.e., more readily communicated with cars where past history and interests suggested common concerns, value of informational leads, etc. Lots of exercises left to the reader, e.g., a ton of privacy implications, opportunities for marketing (think cars whose owners are being paid to "push" specific routing/destinations as better than others... in the olden days, when Jeb suggests the best route into town is to pass the Kroger, and not the K-Mart...), etc. https://www.nsf.gov/awardsearch/showAward?AWD_ID=1761641 > Award Abstract #1761641 > NeTS: EAGER: Intelligent Information Dissemination in Vehicular > Networks based on Social Computing
http://news.sky.com/story/any-11145015 http://www.itv.com/news/central/2017-11-26/police-release-footage-of-relay-crime/ Also, from Gabe Goldberg: Watch thieves steal car using technology instead of keys http://www.cnn.com/videos/world/2017/11/27/relay-box-auto-theft-orig-trnd-lab.cnn
Cory Doctorow, BoingBoing, 25 Nov 2017 <https://boingboing.net/2017/11/25/la-la-la-cant-hear-you.html> Yale Privacy Lab and Exodus Privacy's devastating report on the dozens of invasive, dangerous "trackers" hidden in common Android apps was generated by writing code that spied on their target devices' internal operations, uncovering all manner of sneaking trickery. it would be great if we had effective regulatory oversight and the power to seek legal relief from these companies for lying to us and/or sneaking spyware into our lives; but every bit as important is the right to independently audit their actions (as Privacy Lab and Exodus have done) and to install code that overrides the undesirable functions of this spyware -- for example, by blocking its communications or chaffing it with plausible garbage data. The Exodus Privacy app's functionality is key to attaining the first goal , gathering independent evidence about the conduct of mobile firms and app providers. Without that evidentiary basis, there's no way to know you need self-help measures, nor is there any way to convince regulators to take action, nor is there the possibility of creating public clamor for competing products that would spur investors and entrepreneurs to make tools that let you reclaim control over your device. As Exodus and Yale note, these trackers are almost certainly also present in iOS: the companies that make them advertise their iOS compatibility, for one thing. But iOS is DRM-locked and it's a felony—punishable by a 5-year prison sentence and a $500,000 fine for a first offense in the USA under DMCA 1201, and similar provisions of Article 6 of the EUCD in France where Exodus is located—to distribute tools that bypass this DRM, even for the essential work of discovering whether billions of people are at risk due to covert spying from the platform. It's true that the US Copyright Office gave us a soon-to-expire exemption to this rule that started in 2016, but that exemption only allows Exodus to use that tool; it doesn't allow Exodus to make that tool, or to distribute it so independent researchers can investigate iOS.
>>>>> "SC" == S..., C.. <...@earlywarning.com> writes: SC> Yes, the Zelle app is [available only] in the US right now. Well that creates a huge problem for many citizens who happen to be out of the country at the moment and suddenly are cut off from their funds. It would have been more wise to first introduce the app, and then three months later after all users are safely moved over to it, only then have them close down their clearXchange accounts. But following the instructions, we all first close our clearXchange accounts in order to move over to the app. This seems a classic risk right out of ACM Risks Digest.
Consumer groups report endless complaints from Israelis who say they are mischarged, lied to, pushed into debt, and even stopped at the airport for fees they never agreed to. https://www.timesofisrael.com/wrong-number-are-israels-phone-companies-systematically-overcharging/ Go figure: an abusive, arrogant, crooked phone company. What next, inadequate consumer protections?!
I think the atq(1) command should order its results. I mean that is what "queues" are about, order. "atq—lists the user's pending jobs, unless the user is the superuser; in that case, everybody's jobs are listed. The format of the output lines (one for each job) is: Job number, date, hour, queue, and username." Now 15 years later I think they at least should warn on the man page that the results are not necessarily in order. The RISK is someone might just happen to get ordered results a few times, and then build a program to process the results based on this assumption. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=183583
Found this on a website on the account setup page—finally, a halfway-reasonable explanation for why so many sites use multiple-choice security questions: Your account must include five security questions. [...] We provide predefined questions and answers because we've found that the majority of security issues our customers face can be traced to computer viruses that record typing, and using predefined answers protects against this type of intrusion.
A trivial-to-exploit flaw in macOS High Sierra, aka macOS 10.13, allows users to gain admin rights, or log in as root, without a password. The security bug can be triggered via the authentication dialog box in Apple's operating system, which prompts you for an administrator's username and password when you need to do stuff like configure privacy and network settings. If you type in "root" as the username, leave the password box blank, hit "enter" and then click on unlock a few times, the prompt disappears and, congrats, you now have admin rights. You can do this from the user login screen. The vulnerability effectively allows someone with physical access to the machine to log in, cause extra mischief, install malware, and so on. You should not leave your vulnerable Mac unattended, nor allow remote desktop access, until you can fix the problem. [...] http://www.theregister.co.uk/2017/11/28/root_access_bypass_macos_high_sierra/
As Feds get smarter about Artificial Intelligence on the cyber-frontier, seems agencies' IT defenders are suffering from schizophrenia about cybercyborgs. That's the topline takeaway from the new MeriTalk Federal Cyber-AI IQ Test study. Where 90 percent of cyberfolks swoon about AI as the fix for the cybersieve, almost half of Feds suffer AI anxiety disorder. With the exponential increase in cyber-attacks and insider-threat nightmares, now is a fascinating time to consider AI's role in cybersecurity. We see Kevin Cox and the CDM program office exploring AI and every cyber-vendor's touting its new AI pixie dust. So, what's the state of Fed's AI IQ and what's the path forward? https://www.meritalk.com/articles/feds-in-two-minds-about-artificial-intelligence-defense/ The risk? Aside from sophomoric and over-the-top writing, the risk is—as usual—talking around and generalizing about a technology without defining -- or, likely understanding—what it is. Or putting it in the context of whatever is being discussed—here, cybersecurity. The article would make as much sense with "AI" replaced by "walnuts".
Sean Gallagher, Ars Technica, 29 Nov 2017 https://arstechnica.com/information-technology/2017/11/australian-man-uses-snack-bags-as-faraday-cage-to-block-tracking-by-employer/ A 60-year-old electrician in Perth, Western Australia had his termination upheld by a labor grievance commission when it was determined he had been abusing his position and technical knowledge to squeeze in some recreation during working hours. Tom Colella used mylar snack bags to block GPS tracking via his employer-assigned personal digital assistant to go out to play a round of golf—more than 140 times—while he reported he was offsite performing repairs.
https://www.bloomberg.com/politics/articles/2017-11-27/white-house-is-said-to-weigh-personal-mobile-phone-ban-for-staff Horse, barn door? Maybe make entire White House a Faraday cage?
Straits Times, 19 Dec 2017 http://www.straitstimes.com/singapore/transport/simulation-facility-to-test-new-mrt-signalling-system "A simulation facility will be built for the East-West Line's (EWL) new signaling system to undergo extra tests before it is rolled out, in a move to beef up safety and not disrupt train services. The facility will be set up by French firm Thales, which aims to deliver the new signaling system for the EWL by next June. It is the first of its kind testing facility outside Toronto and Paris, where the firm is based." Given Thales' prior release history, is it advisable to build the stack, and also build the simulation? Recall http://catless.ncl.ac.uk/Risks/7/64#subj5.1 and Richard Feynman's appendix on the Challenger disaster for the Roger's Commission. Wow! Talk about using human guinea pigs. Seems like a page from corporate control fraud: Build a product and sell it with impunity. The newspaper publication trail does not reproduce the statement of work. I wonder what the SMRT procurement team was thinking when they signed- off? Did they ask to review Thales content for: test plan, prior release defect escape density, prior test results, wall clock to qualify any candidate change? Life cycle practices to preserve integrity and publication viability of intellectual property? Did the procurement team consult software release subject matter experts? Where's the "wall" between development and test? Certain subject matter needs to be communicated—like a common specification—to enable development and qualification. As engineering is cooperative activity, ideas must circulate to create better ones. Will the same stack developers also participate by building the simulation stimulus—test programs? Does Thales' new (to Singapore) signaling system simulation environment accommodate editorial tension? Ideally, "test author" v. "stack author" is applied to create and generate editorial tension for qualification within a software factory. Editorial tension is characterized by: 1. Speed— How quickly can the stimulus and assertion conditions detect and reveal latent defects or discover new ones arising from feature/patch application -per release metric as demonstrated in http://catless.ncl.ac.uk/Risks/30/50#subj2? High-speed regression test and evaluation is important here (~10K measurements/hour, for instance) 2. Frequency—How often does the simulation run? For pre-check in? Before a candidate change is accepted into a project baseline, it needs to pass the simulation at top of branch merged w/candidate change). At post-integration? To qualify candidate release bits using all pre-check in passing candidate changes merged together into the candidate baseline? Who inspects and certifies the simulation results prior to publication? How many pairs of eyes are on this content? Are the change control board eyes trained/qualified to judge the simulation outcome? 3. Determinism—Simulation results are identical for a constant stack and environment using constant stimulus/assertion conditions? Do the results match, assuming identical initial conditions? If there's a detected failure, does it arise from the environment? Ecosystem infrastructure or target stack? Stimulus/assertion conditions? Whomsoever does the triage is usually one of the best pairs of eyes to participate in the decision to determine release viability. This is usually a software test engineer, a highly interdisciplinary life cycle participant possessing: a comprehensive knowledge of the stack/ecosystem under test, the test environment, and the test stimulus. http://www.straitstimes.com/singapore/transport/lta-reserves-the-right-to-take-action-against-parties-involved-in-nov-15-mrt, 19 Dec 2017 "Action could still be taken against the parties who were involved in a collision of two MRT trains on Nov 15, the Land Transport Authority (LTA) said yesterday, in response to queries from The Straits Times. The LTA said it "reserves the right" to take appropriate action, without stating what that might be. The French company building the new signaling system for the line has taken full responsibility for the collision, which left 38 people injured and caused train delays affecting nearly 13,000 commuters. It was caused by compatibility issues between the existing signaling system and the new communications-based train control (CBTC) system which Thales is installing for the East-West Line." If liability indemnification was proscribed for software, assuming vigilant enforcement, would certain technology businesses be brave (or foolish) enough to foist their wares on the public? Retrospective coverage of this incident -- http://www.straitstimes.com/singapore/transport/signal-fault-to-blame-for-joo-koon-mrt-collision -- incident event date 15NOV2017. Minute-by-minute description of incident event sequence—pictorial graph of collision event precursors. http://www.straitstimes.com/singapore/transport/signalling-system-firm-thales-apologises-for-joo-koon-train-collision-assures -- published 21NOV2017. Thales acknowledges problem with signaling system. "French company Thales has taken "full responsibility" for its part in the Nov 15 train collision at Joo Koon MRT station. It said an "unexpected" problem occurred in the interface between the old and new signaling systems of the East-West Line (EWL). Thales, which is supplying the new system for the EWL, has also apologised to commuters who were inconvenienced, and the 38 people injured by the accident." http://www.straitstimes.com/singapore/protective-bubbles-became-disabled-causing-collision -- published 22NOV2017. High-level summary of fault. "Protective "bubbles" meant to keep trains at a safe distance from each other were inadvertently disabled on Nov 15 before two trains collided at Joo Koon MRT station." http://www.straitstimes.com/singapore/transport/khaw-firm-behind-signalling-system-could-have-done-better -- published 22NOV2017. Singapore government expresses umbrage from incident "The company supplying the new signaling system for the East-West Line (EWL), on which a train collision occurred last week, "could have done better", Transport Minister Khaw Boon Wan said yesterday."
You've probably had submissions on this already; hardly end-of-the-world
stuff, though may be of interest. I surf the web with Firefox on a Windows
7 laptop, and following advice on this very forum, I usually have JavaScript
disabled. Allegedly this avoids possible security problems, but the big
advantage is that web pages load in a flash, *and* there's no problem with
loads of unwanted stuff wasting my monthly bandwidth allowance. Some web
sites, particularly important ones like on-line bill payment or web e-mail
access, need JavaScript, so I manually enable this when required.
Last year, to my dismay a Firefox update removed the option to disable
JavaScript from the list, but I quickly found a 3rd-party add-on to put this
in the Tools menu (phew!). Then last week Firefox updated to 57.0
("Quantum") which (according to the 'what's new' info) disables unauthorised
add-ons including this one, so I was stuck without JavaScript with no
choice...
Oh well, at least there's good old Internet Explorer 11 which I've hardly
ever used... but it runs without JavaScript as well?!? I couldn't even find
any references to JavaScript in any of the set-up options either, and when I
tried the on-line help feature, this said "needs JavaScript to run"!
(Sounds like that old joke about 'the instructions for the microfilm reader
are on microfilm'.) I don't recall ever changing this, but must have
disabled scripting when I first got the laptop to avoid any security issues.
Sigh...
To cut a long story short, A Google search (at least this doesn't need
JavaScript!) showed (a) IE actually uses the term 'Active scripting' for
this, with radio buttons for Disable/Prompt/Enable, so that fixed that, and
(b) Firefox set-up can be accessed via 'about:config' and the "I promise to
be good" screen. What I plan to do is use IE for sites where JavaScript is
needed, and Firefox for everything else.
... the implicit assumption—that if ISPs just delivered all the mail things would be fine—is quite false. Most mail systems see about 90% spam. An ISP like World that's been around for a long time probably gets even more. That means there are about ten spam messages for every real one. Even if your ISP spent the extra money for the extra bandwidth and storage to receive and deliver all the spam, your mail would be unusable, with the trickle of real mail hidden in the torrent of junk. I once met a person at the EFF who had a principled unfiltered mailbox, and she said that every day she manually deleted 3000 messages from her inbox. I don't know how she got any work done, and how many of those 3000 were real. You don't want mail systems to send non-delivery notices for all the mail they don't deliver, since most of the return addresses are fake, and that would just be more spam to the holders of the fake addresses. Enough systems do this that it has a name, blowback spam, and on my system I have special rules to try and deal with the blowback spam I get to a few domains that seem particularly popular with spammers. The original problem, an SEC notification misfiled in a spam folder, was clearly due to a bug in the spam filtering. The SEC does not send out notices at random, so the recipient must have given the SEC the address they sent it to. If the spam filters for that mailbox weren't set to deliver mail from the SEC, which is not hard to recognize, that's just a bug. What's much harder are bulk legal notices, such as ones notifying members of a proposed class action. Those are bulk mail sent to people who didn't ask for it, typically from a sending system that's never sent them mail before, which makes it technically identical to spam. (Some people would say it is spam.) You can't just whitelist anything that looks like a legal notice since spammers, not being totally stupid, would make their spam look like legal notices. Bulk mail services try to tell public blacklists when they plan to do a run, and the blacklists tend to be cooperative, but even so, when automated systems see a blast of unfamiliar mail, they tend to treat it unfavorably. The actual unsurprising moral here is that spammers ruin things for everyone.
> This is true, but the implicit assumption that it ISPs just delivered > all the mail things would be fine is quite false. I never made such an assumption. I stated a fact: email is not a reliable communications medium. There is no means of making it that way. Having a government that punishes people for not receiving their Very Important Email is a Bad Thing. I received an email reply from someone who demanded the right to be a "nomad" who has no snail mail access but does have email. I would say that if you choose a lifestyle with known limitations, you have that right.
Comcast replies, plus a Wyoming ISP chimes in: https://www.listbox.com/member/archive/247/2017/12/sort/time_rev/page/1/entry/5:25/20171210204407:C4C2CB62-DE14-11E7-AAAD-B8E98D242E52/ https://www.listbox.com/member/archive/247/2017/12/sort/time_rev/page/1/entry/2:25/20171211135436:B9BBFC1C-DEA4-11E7-ABD4-C4D067573D43/ On Sun, Dec 10, 2017 at 2:33 PM, the keyboard of geoff goodfellow < geoff@iconia.com> wrote: https://www.listbox.com/member/archive/247/2017/12/sort/time_rev/page/1/entry/2:19/20171210105448:70B9CD24-DDC2-11E7-8953-E97FD683EF5B/
Please report problems with the web pages to the maintainer