Fake news on Twitter during the 2016 U.S. presidential election
Science (AAAS) 363, issue 6425, 25 Jan 2019, pp. 374-378
This is a noteworthy five-author paper presenting a detailed examination. For example, only 1% of individuals accounted for 80% of fake news source exposures, and 0.1% accounted for 80% of fake news sources shared. For RISKS readers who are interested in this phenomenon, the article is worth reading.
Contains a landmark law article on deepfakes:
107 California Law Review (2019, Forthcoming)
U of Texas Law, Public Law Research Paper No. 692
U of Maryland Legal Studies Research Paper No. 2018-21
59 Pages; Posted: 21 Jul 2018; Last revised: 23 Aug 2018
Robert Chesney, University of Texas School of Law
Danielle Keats Citron, University of Maryland Francis King Carey School of Law; Yale University Yale Information Society Project; Stanford Law School Center for Internet and Society
Date Written: July 14, 2018
Abstract
Harmful lies are nothing new. But the ability to distort reality has taken an exponential leap forward with `deep fake' technology. This capability makes it possible to create audio and video of real people saying and doing things they never said or did. Machine learning techniques are escalating the technology's sophistication, making deep fakes ever more realistic and increasingly resistant to detection. Deep-fake technology has characteristics that enable rapid and widespread diffusion, putting it into the hands of both sophisticated and unsophisticated actors. While deep-fake technology will bring with it certain benefits, it also will introduce many harms. The marketplace of ideas already suffers from truth decay as our networked information environment interacts in toxic ways with our cognitive biases. Deep fakes will exacerbate this problem significantly. Individuals and businesses will face novel forms of exploitation, intimidation, and personal sabotage. The risks to our democracy and to national security are profound as well. Our aim is to provide the first in-depth assessment of the causes and consequences of this disruptive technological change, and to explore the existing and potential tools for responding to it. We survey a broad array of responses, including: the role of technological solutions; criminal penalties, civil liability, and regulatory action; military and covert-action responses; economic sanctions; and market developments.
We cover the waterfront from immunities to immutable authentication trails, offering recommendations to improve law and policy and anticipating the pitfalls embedded in various solutions. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3213954&utm_source=newsletter&utm_medium=email&utm_campaign=newsletter_axiosfutureofwork&stream=future
The Japanese government approved a law amendment on Friday that will allow government workers to hack into people's Internet of Things devices as part of an unprecedented survey of insecure IoT devices. https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/
[Q: How many hackers does it take to change a light bulb? A: Only one, and keep him and it off your network.]
Charlie Osborne for Zero Day | 1 Feb 2019
This smart light bulb could leak your Wi-Fi password.
LIFX smart bulbs contained vulnerabilities that could be exploited with a little ingenuity and the help of a hacksaw.
https://www.zdnet.com/article/this-smart-light-bulb-could-leak-your-wi-fi-password/
selected text: LimitedResults used the LIFX mini white as a test product, a $15.99 device which can be controlled via smartphone to change the temperature and dimness levels of lighting at home. After installing the bulb's accompanying app on an Android device and setting up the Wi-Fi connection, the researcher grabbed a saw to hack his way into the hardware within. After exposing the innards of the bulb and wiping away fireproof paste, the hacker found that the main component of the bulb is an ESP32D0WDQ6 system-on-chip (SoC) manufactured by Espressif. It didn't take long to solder a few pins to a board in order to connect to the LIFX hardware, and after this link was established, LimitedResults found that Wi-Fi credentials were stored in plaintext within the flash memory.
Martha Irvine, AP, December 26, 2018
https://www.apnews.com/38141d993106400f8228706334e9b7f4
BELLEVUE, Wash. (AP) -- We like to say we're addicted to our phones or an app or some new show on a streaming video service. But for some people, tech gets in the way of daily functioning and self-care. We're talking flunk-your-classes, can't-find-a-job, live-in-a-dark-hole kinds of problems, with depression, anxiety and sometimes suicidal thoughts part of the mix. Suburban Seattle, a major tech center, has become a hub for help for so-called `tech addicts', with residential rehab, psychologists who specialize in such treatment and 12-step meetings.
https://www.scientificamerican.com/article/how-machine-learning-could-keep-dangerous-dna-out-of-terrorists-hands/ "But Rob Carlson, managing director at Bioeconomy Capital, a venture-capital firm in Seattle, Washington, is skeptical that stopping DNA-synthesis companies from being exploited will prevent bioterror attacks. 'If you look at what sorts of biological threats have cropped up to date, this isn't one of them,' he says. Most attacks have involved the release of existing pathogens grown in labs; in 2001, for instance, five people in the United States died and 17 were sickened after receiving anthrax-laced letters. "Terrorists are more likely to follow the blueprint of published research, rather than embark on a research project to design new organisms, Carlson says. He fears that any government efforts to regulate DNA synthesis would push would-be bioterrorists underground." Risk: Ineffective government investment to deter bioweapon deployment by terrorists.
The FBI is messing with Joanap, a botnet run by a major North Korean blackhat group. https://nakedsecurity.sophos.com/2019/02/04/fbi-burrowing-into-north-koreas-big-bad-botnet/ Joanap itself is fairly complicated, with infections being started by an SMB worm, which then installs the Joanap RAT (Remote Access Trojan). Command and control is done via a peer-to-peer distributed network. Which is where the FBI comes in. A court in the US granted them permission to set up fake servers pretending to be controllers on Joanap. As such, they could spy on individual machines, collect information, or even install software (possibly to remove the infections and patch vulnerabilities). In examining the ethics of active defence, I find this fascinating. http://www.infosecbc.org/events/new-calendar-event-2/ I'm pretty sure that in Canadian law the FBI action would actually be illegal, which is possibly why they are contacting host governments in the cases of non-US victims. (Oh, and remember to patch your systems, which is the only reason the blackhats were able to build Joanap in the first place ...)
https://www.scientificamerican.com/article/what-if-your-fitbit-could-run-on-a-wi-fi-signal/ "...molybdenum disulfide (MoS2)—a two dimensional material because it is just three atoms thick—can act like an antenna to convert radio signals from wi-fi, cell phones and radio or television broadcasts into power for wireless devices. "Palacios says the two-dimensional semiconductor can reap 30 to 50 microwatts from ambient wi-fi signals of about 100 microwatts, enough to operate pacemakers, hearing aids, strain sensors, communication links and many low-power IoT objects. Such a system could potentially operate without a battery, lowering weight and avoiding leakage from a medical implant's power source inside the body." http://catless.ncl.ac.uk/Risks/30/72#subj29.1 discusses harvesting human body heat to power devices. Steer clear of TEMPEST facilities, or low ambient RF environments if you wear an implantable device powered by MoS2. Neglecting to use a battery backup may be hazardous to your health.
https://www.nytimes.com/2019/01/29/technology/facetime-glitch-apple.html On Jan. 19, Grant Thompson, a 14-year-old in Arizona, made an unexpected discovery: Using FaceTime, Apple's video chatting software, he could eavesdrop on his friend's phone before his friend had even answered the call. His mother, Michele Thompson, sent a video of the hack to Apple the next day, warning the company of a "major security flaw" that exposed millions of iPhone users to eavesdropping. When she didn't hear from Apple Support, she exhausted every other avenue she could, including emailing and faxing Apple's security team, and posting to Twitter and Facebook. On Friday, Apple's product security team encouraged Ms. Thompson, a lawyer, to set up a developer account to send a formal bug report. But it wasn't until Monday, more than a week after Ms. Thompson first notified Apple of the problem, that Apple raced to disable Group FaceTime and said it was working on a fix. The company reacted after a separate developer reported the FaceTime flaw and it was written about on the Apple fan site 9to5mac.com, in an article that went viral.
The companies said they are hoping to resolve the issue quickly. https://www.washingtonpost.com/technology/2019/01/31/apple-revokes-googles-ability-use-internal-ios-apps-just-like-facebook/
* TechCrunch found that Facebook had been paying people to install a research app that grants access to all of the user's phone and web activity.
* Following the report, Apple said the app violates its policies.
* A Facebook spokesperson said the app had "a clear on-boarding process" that asked participants for permission.
CNBC: Apple hits back at Facebook and revokes a key license
https://www.cnbc.com/2019/01/30/apple-says-facebook-violated-its-policies-with-its-research-app.html?__source=iosappshare%7Ccom.apple.UIKit.activity.Mail
"5,678 square meters prime farm land for sale, $xx0000. Call Mrs. Holmes at LLoyd 5-1212." Or if Junior happens to have the local cadaster list, he can go visit the property himself, disposing of Mrs. Holmes. Just sort the list on the size column, and `voila', only one parcel in town with that size!
Crypto exchange QuadrigaCX seems to be filing for bankruptcy. It's got lots of money--locked up in cryptocurrency "cold storage." The password was only known to the CEO. The CEO died in December. https://www.coindesk.com/quadriga-creditor-protection-filing Lots and lots of legal battles are involved ...
On 28 Jan 2009 for RISKS 25.55 I wrote:
>Subject: What if you can't pull the plug?
>
>Last night I literally awoke from a nightmare about my iPhone getting
>hacked, spewing spam and doing other nasty things. The nightmare was that I
>had no way to shut it off, and no way to disconnect it from the Internet.
Recently, while trying to move from an old iPhone to an iPhone 8 Plus - and following Apple's online instructions - the newer iPhone froze with the power ON. The "hold the power button down for a long time" trick didn't work. For one troubleshooting cycle, the 8+ stayed on-but-frozen for over 60 hours while connected to power. Luckily, the 8+ doesn't appear to be hacked by anything other than buggy upgrade software. Called Apple support—they gave me another combination of button presses to unfreeze the phone. Except it took four tries to work. Apparently Apple changed the forced restart scheme twice since the iPhone's introduction. But if your phone is frozen, you probably don't have any way to look up the latest method.
Author writes: In November, I broke the law. I crossed over a solid white line to make a right turn at a traffic intersection. At the time I was unaware of my violation. I was on my way to a shopping mall in an unfamiliar part of town to buy my wife a gift for her birthday. My only defense is that I was following the instructions emitted from the map app on my cellphone. It told me to make a right turn. So I did. Little did I know I was being watched. https://devops.com/minor-crimes-and-misdemeanors-in-the-age-of-automation/
Never heard of the University of Farmington? That's because it never actually existed. https://www.washingtonpost.com/nation/2019/01/31/ice-set-up-fake-university-hundreds-enrolled-not-realizing-it-was-sting-operation/
The Chinese firm Hytera is subject to a U.S. import ban after a judge ruled it infringed on patents held by Motorola Solutions. https://www.washingtonpost.com/business/economy/chinese-maker-of-radios-for-police-firefighters-promises-to-outlast-trump-trade-fight/2019/01/30/42a118a8-1f33-11e9-8b59-0a28f2191131_story.html
"Thefts involving electronic devices are on the up, and it's clear manufacturers could do more to make their vehicles secure," the consumer organization quoted David Jamieson, the West Midlands police commissioner, as saying. However, the U.K.'s Society of Motor Manufacturers and Traders (SMMT) insisted that new cars "are more secure than ever, and the latest technology has helped bring down theft dramatically with, on average, less than 0.3% of the cars on our roads stolen." <https://www.autoexpress.co.uk/car-news/105809/almost-all-keyless-car-systems-vulnerable-to-relay-attacks>
"We continue to call for action to stop the open sale of equipment with no legal purpose that helps criminals steal cars," said SMMT CEO Mike Hawes. http://fortune.com/2019/01/28/keyless-car-theft-steal/
Who you gonna believe—the manufacturers association or that empty space where your car was?
This has had much coverage in UK newspapers recently, such as this article from today:
Claire Duffin, *The Daily Mail*, 28 Jan 2019
Almost all of the UK's best-selling cars can be 'unlocked in minutes' by cheap gadgets bought online as watchdog warns of spike in 'keyless thefts'
* Four out of five of the most popular cars in the UK last year at risk of keyless theft.
* Official figures for the year to September showed car thefts were up 10 per cent.
* In one test consumer watchdog Which? found only the Vauxhall Corsa was safe.
https://www.dailymail.co.uk/news/article-6638121/Almost-UKs-best-selling-cars-unlocked-minutes-cheap-gadgets-bought-online.html
> Almost all of the UK's bestselling cars are at risk of keyless theft, a
> study shows.
> Many new cars now have keyless entry systems, or can have them added as
> an upgrade.
> It allows the driver to open and start the car without using a
> traditional key, as long as the fob is nearby.
>
> But thieves have taken advantage of this new technology. Using two
> devices, known as a relay amplifier and a relay transmitter, they can
> capture electromagnetic signals emitted by key fobs from where they are
> sitting inside the car owner's home.
> Working in pairs, one thief stands by the car with his transmitter,
> while a second waves the amplifier close to the house.
> The amplifier will detect a signal from the key fob, amplify it and send
> it to the accomplice's transmitter.
> This tricks the car into thinking the key is in close proximity,
> prompting it to open. Thieves can then drive the vehicle away using the
> push-button keyless ignition.
> The process can take less than one minute - and once they have the car,
> they can quickly replace locks and entry devices.
I'm guessing that the cars constantly send a signal inviting any fobs within range to respond, and if one does reply with the correct code for the car, it unlocks the doors and allows the engine to be started; it's designed to work only over a few yards/metres, but the thieves' relays enable the range to be extended. People often drop their keys in a bowl or case just inside the front door of their houses so that they can be grabbed as they leave. (In the olden days, thieves used magnets on rods passed through the letterbox to snaffle bunches of keys on keyrings, or would ring the doorbell and have an accomplice discreetly take keys while the householder was distracted.) By the way, Vauxhall was the UK brand name for GM cars, although it's recently been sold to a European automaker.
People with car key fobs were staying away from a Canadian co-op store because they might not be able to start their cars. Anarchists? Gremlins? Competitors? No, just "a malfunctioning remote car starter" nearby. https://gizmodo.com/mystery-of-blocked-key-fobs-at-parking-lot-likely-solve-1832277387
> The big announcement came,
> From: "Google+ Team" <noreply@plus.google.com>
> Subject: Your personal Google+ account is going away on April 2, 2019
> X-VR-STATUS: SPAM
Alas, a little too big, as it was nailed as spam by big-time mail filtering companie(s). Wonder what will happen when Facebook eventually sends theirs to an even larger list. My mom says that "X-VR-SPAMCAUSE: ggystttmpsimb..." means "GooGle, you sent this to too many people so it must be spam."
Coinstar? Those are the machines where you put in $10 in cash and it gives you a slip for $8. Seems just the thing for Bitcoin.
A couple of thoughts on automation:
1. What do we really want these soon-to-be-laid-off people to do? Does it make any sense to pay people to produce goods inefficiently, in the style of Soviet factories making goods that will never be consumed, just so they have a job? The economist Milton Friedman supposedly asked why workmen were using shovels instead of machinery to build a canal. The answer came back: "We need to provide more jobs." Friedman's response: "Then why not give them spoons instead of shovels." To his credit, Friedman championed a version of universal basic income (UBI) to allow for both economic efficiency and economic support for those displaced. I'm not sure that UBI provides much of an identity of self-worth for these ex-workers, but it is at least a start in the right direction.
2. Since the Great Recession starting in 2008-9, governments around the First World have kept interest rates at negative or zero ("ZIRP"). Who do you think benefits directly from ZIRP? The coal miner? The minimum wage employee? Not so much. When capital becomes cheaper than labor, it's a *no-brainer* to invest in automation, and the Davos elites have "backed up the truck" to gorge on zero-interest-rate money to invest in robotics and AI, knowing that eventually ZIRP would end, and this gravy train would stop. At that point, these investments would pay off as labor became more expensive relative to robots and automation. The truth is, most of the First World has a demographic problem, in that their populations are *falling*, so countries like Japan and China are going to become totally reliant upon robots just to support their ever-growing percentage of retired workers. So we're going to need robots and automation, but we're also going to need mechanisms to provide support and activities other than meaningless jobs to enable people to live full and meaningful lives.
I was waiting for another to reply to this message from RISKS 31.02, as I feel that in my lowly station of systems engineer in a small team in an education setting I shouldn't be preaching to the masses; there are many more worthy voices than my own. That being said, I don't feel Linux is the solution that some seem to claim it is. As always, all views are my own and do not represent anyone other than myself. I disagree with the ideas and ideals that Linux is some bastion of security. While I will admit Linux does have the edge on Microsoft OSes, I simply do not believe that in itself this is enough to necessarily say it should be used over any operating system, Microsoft or otherwise. I also feel Linux has a perceived higher level of security than it actually does, along with a number of userbase and technical climate realities that skew both hard and anecdotal evidence in Linux's favor. The first of these things is the Linux userbase. Windows is the world's most popular desktop OS. This leads by default to a less technical userbase, whereas Linux as a desktop OS is often used by the more technically adept. The more technically adept and IT-security savvy are less likely to fall for certain types of attacks such as phishing and clicking on suspicious links. Both the higher volume of users and the chances of encountering one of these less savvy users mean Windows is the more profitable target when engaging in attacks where the net is cast wide. Despite its open source nature, Linux is not impervious to vulnerabilities. Last year Windows 10 had 28 {1} vulnerabilities given a CVE rating of 9 or more. Debian (which I'm using, and I could get the stats easily) had 20 in 2018 {2}. While 9 is a significant number, Debian received a total of 938 CVEs in 2018, with Windows 10 only receiving 254.
Some of this can be chalked up to the open source model allowing vulnerabilities to be more easily identified, but the concept that Linux has fewer vulnerabilities or doesn't ship with them is simply not true. Furthermore, the low use of things like anti-malware products on Linux means that there is currently a lack of research in this area. In December 2018 ESET discovered 21 "new" families of Linux-based malware. The issue being that these malware families weren't new; some appeared to be over 4 years old. Furthermore, ESET only discovered these families because they were being removed by a competing malware ESET was actually investigating. When you ask a long-term Linux user when they last saw some Linux malware, the answer will likely be never, but with the lack of strong, widely used anti-malware tools for Linux the real question would be: how would you know? If everyone were to take the advice and switch to Linux exclusively for both home and work environments, the outcome could result in worse security as threat actors target the new environment, with more malicious actors looking for weaknesses and vulnerabilities and a lack of tools to provide a decent defense-in-depth response. While this may be a pie-in-the-sky idea, I believe security principles should be both hardware and software agnostic, and simply changing an OS doesn't necessarily make you more secure. Defense in depth, user training and engagement, proper configuration, and a healthy dose of skepticism and luck in equal measures is really the only way to provide a safe environment, not specific tools or tech.
I can think of two reasons, both of which make an equal amount of sense. a) If 5G was perfect how would we sell them 6G? We have to make money too. b) Security is like global warming—if we can get by just by paying lip service to the notion and not doing anything effective about it, that's the easier and less expensive path. Until we have a real Pearl Harbor on the Internet, nobody that matters is going to care. It's going to take an incident that bankrupts a large high-profile company, paralyzes the Internet, kills hundreds of people, or forces the recall of millions of devices before what is optional becomes mandatory.
I once tried to read a shrink-wrap EULA (of commercial software) in its entirety; it took almost an hour, and that's just the reading, I cannot claim to have actually understood it—despite having more than the 14.5 years of education cited as required by the article, I have no formal legal education. That's irrelevant anyway, because under that EULA, by clicking "I agree" I have put any future dispute I may have with the company under the jurisdiction of courts in the State of New York; there aren't many lawyers around here who know enough about NY law to file a case (not at any reasonable price), so this clause essentially puts possible legal resolution out of my reach. IOW, this is not really an "agreement", more like a CYA legal trick designed to exempt the company from legal responsibility to possible damage (accidental, and even intentional) their software might inflict upon their customers.
In the age of instant ubiquitous global communication, there is no need to manipulate reality at a professional level in order to make people believe in misinformation. See for example the anti-Vax case, where a pseudo-scientific article (later retracted) which connected one type of (disused) vaccine to a rare type of autism—or rather, just the rumour of the article, since it seems no one had actually read it anyway—had caused so many people to stop vaccination completely, enough to cause new outbreaks of diseases thought to be long gone. Unfortunately, it seems too many people would just believe anything sent by their friends, rather than bother with one click to check facts.