In an era of Russian Hacks, the US is still installing Russian Software on Government Systems. http://www.nextgov.com/cybersecurity/2017/06/era-russian-hacks-us-still-installing-russian-software-government-systems/138683/ https://www.washingtonpost.com/news/post-politics/wp/2017/05/11/full-transcript-acting-fbi-director-mccabe-and-others-testify-before-the-senate-intelligence-committee/?utm_term=.4256455dd381 This is the basic paradox: On one hand, top intelligence officials at the FBI, CIA and the National Security Agency tell members of Congress that Kaspersky Lab can't be trusted, that they wouldn't put its products on their personal computers, let alone the nation's. On the other hand, federal agencies still use the Moscow-headquartered anti-virus software. During the past decade, it's plugged into systems at the Consumer Product Safety Commission, the Treasury Department, the National Institutes of Health and U.S. embassies, among other locations, contracting data shows. Kaspersky anti-virus also frequently protects state, local and tribal government computers, former officials told *Nextgov*. It may even be on some non-national security systems at the Homeland Security Department, according to testimony from Homeland Security Secretary John Kelly, though it's generally barred from intelligence and national security systems throughout government, according to official testimony. <http://www.nextgov.com/cybersecurity/2017/05/dhs-secretary-promises-report-russian-antivirus-software-agency/138183/>
NNSquad http://www.seattletimes.com/business/researcher-finds-georgia-voter-records-exposed-on-internet/ A security researcher disclosed a gaping security hole at the outfit that manages Georgia's election technology, days before the state holds a closely watched congressional runoff vote on June 20. The security failure left the state's 6.7 million voter records and other sensitive files exposed to hackers, and may have been left unpatched for seven months. The revealed files might have allowed attackers to plant malware and possibly rig votes or wreak chaos with voter rolls during elections. Georgia is especially vulnerable to such disruption, as the entire state relies on antiquated touchscreen voting machines that provide no hardcopy record of votes, making it all but impossible to tell if anyone has manipulated the tallies.
NNSquad http://www.tomshardware.com/news/european-parliament-end-to-end-encryption-communications,34809.html The European Parliament's (EP's) Committee on Civil Liberties, Justice, and Home Affairs released a draft proposal for a new Regulation on Privacy and Electronic Communications. The draft recommends a regulation that will enforce end-to-end encryption on all communications to protect European Union citizens' fundamental privacy rights. The committee also recommended a ban on backdoors. Hilarious—meanwhile, EU governments are moving to demand bans on strong crypto—and requiring backdoors! Which shows you what a paper tiger this EU committee is.
NNSquad https://arstechnica.com/information-technology/2017/06/psa-commenting-on-fcc-net-neutrality-plan-could-make-your-e-mail-public/ If you're one of the many people filing comments on the Federal Communications Commission plan to gut net neutrality rules, be aware that your e-mail address and any other information you submit could be made public.
NNSquad News Corp. CEO: The Almighty Algorithm http://www.foxnews.com/opinion/2017/06/15/news-corp-ceo-almighty-algorithm-fake-news-and-other-consequences-google-amazon-and-facebooks-relentless-focus-on-quantity-over-quality.html We are here to pay homage to the almighty algorithm. Algorithmic alchemy is redefining our commercial and social experiences, turning base matter into noble metals. But like the alchemists of old, algorithms are also a charlatan's charter, allowing claims of pure science when human intervention is clearly doctoring results to suit either commercial imperatives or political agendas. The News Corp CEO slamming Google, etc., is like Adolph Hitler ranting about people who eat meat.
"Officials under fire for keeping details of all city's 3.78 million on voters on laptop that was stolen the day after chief executive election" http://www.scmp.com/news/hong-kong/politics/article/2098002/hong-kong-privacy-watchdog-blasts-electoral-office-massive
NNSquad https://boingboing.net/2017/06/22/security-questions-suck.html In a paper for IEEE Security, researchers from Cyberpion and Israel's College of Management Academic Studies describe a "Password Reset Man-in-the-Middle Attack" that leverages a bunch of clever insights into how password resets work to steal your email account (and other kinds of accounts), even when it's protected by two-factor authentication. [Also noted by Gabe Goldberg. PGN]
Mallory, a 60-year-old former Central Intelligence Agency employee living in Leesburg, Virginia, had thought the documents were in messages that had been deleted automatically from the device. Mallory faces life in prison if convicted. https://arstechnica.com/tech-policy/2017/06/former-intelligence-employee-caught-selling-top-secret-docs-to-chinese/
I guess it's futile to expect things to change, but this particular problem is so old that one would hope that it would. It seems that chess.com no longer works in 32-bit iPads because their game-id overflowed a 32-bit field. The following was on Slashdot today (italics mine): The reason that some iOS devices are unable to connect to live chess games is because of a limit in 32-bit devices, which cannot handle gameIDs above 2,147,483,647. So, literally, once we hit more than 2 billion games, older iOS devices fail to interpret that number! This was *obviously an unforeseen bug* that was nearly impossible to anticipate and we apologize for the frustration. We are currently working on a fix and should have it resolved within 48 hours. (Italics mine.) One of the places we've seen this bug before is when Comair (the no longer extant Delta airlines commuter operation) was unable to schedule flights towards the end of December 2004 because, due to bad weather they had already had to make 32,767 crew changes during the month.
This story has it all: Y2K bugs create fake news that is distributed by automated alert systems, and picked up by robot news readers. The only thing missing: this "fake earthquake alert" *could have* tripped a large number of remotely-triggered "Seismic Gas Shutoff Valves", many of which must be reset manually at the shutoff valve itself. Heisenberg's Uncertainty principle at work: making the location more precise by 6 miles increased the uncertainty of the time by 92 years. :-) http://www.earthquakestore.com/valve-regulations-la.html "LOS ANGELES REGION ORDINANCE NO. 171874 An ordinance amending section 94.1219 of the Los Angeles Municipal Code relating to the installation of seismic gas shutoff valves in new construction and existing buildings" http://www.latimes.com/local/lanow/la-me-earthquakesa-earthquake-68-quake-strikes-near-isla-vista-calif-jyhw-htmlstory.html Revenge of Y2K? A software bug might have caused false alert for big (and very old) earthquake The error happened when someone tried to correct the exact location of the earthquake. (June 22, 2017) By Rong-Gong Lin II Remember Y2K, that hyped computer bug and harbinger of digital apocalypse that never happened when the year 2000 arrived? Well, 17 years later, it appears something like a Y2K bug played a role in a mistaken alert sent out Wednesday about a magnitude 6.8 earthquake off the Santa Barbara coast back in 1925. The error happened when someone at Caltech tried to correct the exact location recorded for the Prohibition-era Santa Barbara earthquake, which happened 92 years ago. The erroneous report was issued around 4:49 p.m., according to the U.S. Geological Survey, and began arriving in quake-trackers' email in-boxes around 4:51 p.m. A closer look at the alert, however, would have shown that something was amiss. The time of the alert was dated June 29, 2025, at 7:42 a.m. But it corresponds with a real earthquake that occurred a century earlier. The false alert also did not show up on the USGS website that maps new earthquakes. "That's a mistake. It's not real," said Caltech seismologist Egill Hauksson. He said that a seismologist at UC Santa Barbara had recently complained to the USGS National Earthquake Information Center that the precise location of Santa Barbara's 1925 earthquake was not correct and about 6 miles off from where records actually indicated. Hauksson's team was asked by the National Earthquake Information Center to update the location of the historic event in the Advanced National Seismic System database. Someone on Hauksson's team did so. If everything had gone right, almost no one should have noticed the change. The USGS Web pages were updated correctly. But in the USGS email notification system, the year got changed from 1925 to 2025, which caused an email to be sent from the server that typically distributes alerts of new earthquakes. "Apparently, there is a software bug around somewhere," a summary of the incident provided by Hauksson said. The bug was related to something called "Unix epoch time," which starts in 1970, Hauksson said in an email. "The year of 1925 wrapped around in the software and became 2025," he said. In a statement posted on Twitter, the USGS said the revision of the 1925 earthquake was "misinterpreted by software as a current event. We are working to resolve the issue." As to whether an earthquake off the Santa Barbara coast of that magnitude would have been felt in downtown L.A., Hauksson said: "Yes, it would have been very lightly felt. Particularly, people in high-rises would have felt swaying back and forth for a while." If the quake had just occurred, the L.A. area would have felt the shaking before the USGS alert arrived in local email boxes, Hauksson said. For instance, Pasadena, which is about 96 miles from the origin of the 1925 Santa Barbara earthquake, would be expected to feel shaking about 40 seconds after the earthquake would have begun in the Santa Barbara Channel fast enough to outpace the existing USGS email alert system. The expected intensity in Pasadena for a magnitude 6.8 quake that originated 96 miles away would be a 3.3 on the Modified Mercalli Intensity scale. Here is what intensity 3 and intensity 4 quakes feel like, according to the USGS: Intensity 3: "Felt quite noticeably by persons indoors, especially on upper floors of buildings. Many people do not recognize it as an earthquake. Standing motor cars may rock slightly. Vibrations similar to the passing of a truck." Intensity 4: "Felt indoors by many, outdoors by few during the day. At night, some awakened. Dishes, windows, doors disturbed; walls make cracking sound. Sensation like heavy truck striking building. Standing motor cars rocked noticeably." https://twitter.com/USGS/status/877685556003692545 nhttps://twitter.com/alxxdes/status/877677727301554176 UPDATES: 11:55 a.m.: This article was updated with additional details about the software bug and how, if there had been a quake, the Los Angeles area would have felt shaking before the the USGS notifications arrived in email boxes. 10:10 a.m., June 22: This article was updated with more information about the origin of the error, involving USGS email notification. 7:35 p.m.: This article was updated with information on what showed up on the USGS website. 5:55 p.m.: This article was updated with a statement from the USGS. 4:55 p.m.: This article was updated with information that the report was erroneous.
* The driver who died in a Tesla crash using Autopilot ignored at least 7 safety warnings https://www.washingtonpost.com/news/the-switch/wp/2017/06/20/the-driver-who-died-in-a-tesla-crash-using-autopilot-ignored-7-safety-warnings/ * Obama's secret struggle to retaliate against Putin https://www.washingtonpost.com/graphics/2017/world/national-security/obama-putin-election-hacking/ * Homeland Security official: Russian government actors potentially tried to hack election systems in 21 states. Most of the hacking was just scanning for vulnerabilities, though a few were successfully exploited. https://www.washingtonpost.com/world/national-security/homeland-security-official-russian-government-actors-potentially-tried-to-hack-election-systems-in-21-states/2017/06/21/33bf31d4-5686-11e7-ba90-f5875b7d1876_story.html * Under pressure, Western tech firms bow to Russian demands to share cybersecrets http://www.reuters.com/article/us-usa-russia-tech-insight-idUSKBN19E0XB * How the CIA infects air-gapped networks https://arstechnica.com/security/2017/06/leaked-documents-reveal-secret-cia-operation-for-infecting-air-gapped-pcs/ * Found: "Crash Override" malware that triggered Ukrainian power outage https://arstechnica.com/security/2017/06/crash-override-malware-may-sabotage-electric-grids-but-its-no-stuxnet/ https://www.nytimes.com/2017/06/19/technology/britain-encryption-privacy-hate-speech.html * Using Texts as Lures, Government Spyware Targets Mexican Journalists and Their Families https://www.nytimes.com/2017/06/19/technology/britain-encryption-privacy-hate-speech.html * Computational Propaganda Worldwide: Executive Summary http://comprop.oii.ox.ac.uk/2017/06/19/computational-propaganda-worldwide-executive-summary/ * Move Over, Bitcoin. Ether Is the Digital Currency of the Moment. https://www.nytimes.com/2017/06/19/business/dealbook/ethereum-bitcoin-digital-currency.html * U.S. Tech Firm The Bitfury Group in Blockchain Tie-Up With Insurance Advisory Firm https://www.nytimes.com/reuters/2017/06/16/business/16reuters-bitfury-blockchain-insurance.html * Scammer who made 96 million robocalls should pay $120M fine, FCC says https://arstechnica.com/information-technology/2017/06/scammer-who-made-96-million-robocalls-should-pay-120m-fine-fcc-says/ * AES-256 keys sniffed in seconds using EU200 of kit a few inches away, covertly stealing keys for 200 euros. https://www.theregister.co.uk/2017/06/23/aes_256_cracked_50_seconds_200_kit/
Every Risks reader should see the original note of this incident, and post it on every wall (https://np.reddit.com/r/cscareerquestions/comments/ 6ez8ag/accidentally_destroyed_production_database_on/): ---Quote --- I was basically given a document detailing how to setup my local development environment. Which involves run a small script to create my own personal DB instance from some test data. After running the command i was supposed to copy the database url/password/username outputted by the command and configure my dev environment to point to that database. Unfortunately instead of copying the values outputted by the tool, i instead for whatever reason used the values the document had. Unfortunately apparently those values were actually for the production database (why they are documented in the dev setup guide i have no idea). Then from my understanding that the tests add fake data, and clear existing data between test runs which basically cleared all the data from the production database... ---End Quote --- The young developer's mistake was actually small and entirely predictable -- note that the only clear credentials given were those of the production DB! In a document intended for first day rookies! Then they made the poor guy believe it was his fault. They should have fired instead those responsible for the document, and everyone on their chain of command...
The risk goes the other way, too: your voice might not sound like your voice. Mine, for instance, sounds deeper the more alcohol I've had this evening... Not being allowed into your bank account when you're sloshed might sound like a good idea, but being locked out because you have the 'flu wouldn't make anyone happier.
David Owen Air Accident Investigation: How science is making flying safer. Patrick Stephens Ltd, 1998 ISBN: 1-85260-583-9 Paperback, 194 pages Air Accident Investigation is a collection of horror stories, a recounting of several dozen airliner crashes. It seeks to illustrate each crash significantly affected the evolution of safety in the air transport system. It necessarily focuses on many crashes in the distant past, and has a somewhat refreshing UK-centric bent to it all. Thematically, it's split into broad causal factors: - Metal fatigue - CAT and mountain waves. - Windshear - Freezing weather - Mid-Airs - Pilot Error - ATC - Human error - Systems Failures - Terrorism The metal fatigue section focuses on the Comet disasters: how the rollout of the airplane happened, when the crashes happened, and how the root causes were eventually discovered. It also touches on the 1985 JAL 747 crash resulting from the failure of the aft pressure bulkhead. It also discusses the Aloha convertible. Basic results: increased focus and competence in metallurgy. The CAT section has some eye-openers. Owen briefly touches on a Comet crash in 1953, in an airplane departing Calcutta, which apparently involved overstressing the airplane to fight turbulence. The 1966 BOAC 911 707 crash near Mt. Fuji is covered in detail. Also a 1966 Braniff BAC-111 crash, from Kansas City to Minneapolis. Both were victims of extremely strong lateral wind loads, causing tail empennage separation and engine separation and failure. The author also touches on a BA 747 volcanic ash incident, near Java. Basic result: control authority modifications and better weather forecasting and understanding of meteorology. The windshear section touches on the physics of microbursts, a 1975 EAL 727 crash at JFK on approach and a PAA 727 crash on takeoff from New Orleans. This chapter also covers a southern Airways DC-9 crash in 1977, resulting from dual flameouts. It wraps up with the Delta L-1011 crash at DFW in 1985. Basic result: forecasting, windshear technology, appreciation of limitations of weather radar. The freezing weather section focuses on a Capital Airlines Viscount 746D, which experienced in-flight icing. Most of the chapter deals with a BEA Airspeed Ambassador, which crashed on takeoff from Munich in 1958, carrying the Manchester United football team. There was deep slush on the runway, which the crew tried to muscle through, while dealing with a temperamental engine. After the third try, they overran the runway. When the investigators arrived, they discovered ice on the wings, which was likely due to snow contacting the warm wing after the crash, then freezing. They blamed the pilots, but the Brits blamed the slush. The captain was fired, then eventually exonerated. We then go on to the Air Florida 737 crash in 1982. The author wraps up with the 1974 crash of a Northwest Orient 727, which was likely due to icing over of the pitot-static system, due to failure to engage the probe heat. Basic results: refinement of anti-icing procedures; understanding of effects of slush on performance. Next up, mid-airs. Grand Canyon crash of 1956, the 1960 crash of a Connie and DC-8 over Staten Island. The author also briefly discusses a 1965 midair between an PAA 707 Eastern DC-7B; and a F-4 Phantom and a DC-4. It wraps up with more in-depth treatment of the PSA/Cessna mid-air in 1978, and the 1986 Aeromexico DC-9 crash. Results: positive radar control, ATC improvements, navaid improvements, TCAS. Pilot error: The next chapter is called CLosing the plot, and is also kind of where the book loses the plot. Up through this point, most of the crews did their jobs correctly. In this chapter, the author posits that accident investigation was so effective in cleaning up the engineering landscape that the only thing left is pilot error. And this leads us to a series of CFIT, fuel exhaustion accidents, get-there-itis, and poor CRM. Owen also throws in KAL 007 and the Erebus crash. Results: CRM. ATC: Another midair in 1967 (Piedmont 727 and a Cessna 310); the BEA/Inex midair over Zagreb. Tenerife. These descriptions focus more on ATC/systemic issues. Human error: a Victor crash in 1959 (paint job caused a pitot tube failure in weather); Kegworth. The Kegworth discussion takes as a given the theory that the captain confused air sources in his decision to shut down the wrong engine. As I recall, this theory was eventually deprecated, and a quick review of the accident report confirms this. There is also one black hole 727 crash, though the author doesn't really connect the dots as to this phenomenon. Despite the weaknesses in this chapter, there is also an interesting discussion of an uncontained engine failure on a National DC-10 in 1973, following the flight crew's in-flight experimentation with circuit breakers. Apparently this caused an overspeed condition in the engine, causing blade separation, explosive decompression, and a passenger fatality. The chapter concludes with the China Airlines flipover near Los Angeles in 1985, an in-pattern wake turbulence accident between a DC-10 and DC-9, and the crash of a Trident on takeoff, in 1972. Systems: a 1964 crash of an EAL DC-8 in Lake Pontchartrain (autopilot pitch trim/elevator problem); crash of an Argonaut in 1967 (engine failure followed by control issues); the 737 disaster in Manchester in 1985 (engine fire followed by bad evacuation procedures); the 1972 AA DC-10 cargo hold door failure and decompression; subsequent Turkish Airlines DC-10 crash; the 1979 DC-10 crash at ORD; UAL 232. Terrorism: bomb in the lav in a Continental 707 in 1962; cabin bomb in a Comet in 1967; Lockerbie. Overall: The book is an interesting technical summary of air accidents, but: - It has the sense of an engineer's determinism. There's barely anything on human factors or training issues, or any of the myriad other soft, systemic issues. The risks of cockpit automation in the final chapter are merely summarized as GIGO. - There's not really much about the science of accident investigation. The opening chapter has a well-written summary of forensic clues and how they might be interpreted, but we don't learn how crash investigations are structured. Instead, the crashes are presented as black-and-white, this happened, this was discovered, this is reality. There's little ambiguity. Even the discussion of the Indian Airlines A320 crash at Bangalore is just a couple of short paragraphs concluding the captain screwed up! The book is basically a collection of vignettes: this crash, and this is why. Not a lot about the process of discovery, with some good exceptions. - There's similarly no sense of ambiguity in the political context. Very black and white, no hint of the negotiation that goes into the final reports. Manufacturer and airline input, political input. The closest we get is the Munich crash, where the Brits locked horns with the Germans over their probable cause statement and findings. - And needless to say, nothing at all on the legalities of accident investigation. Nothing on how the accident process should be used. - Occasionally, the author writes strange things, like claiming the airplane is moving at high velocity while simultaneously claiming it was in a flat spin. Or that an airplane at an airport used its radar to check out the thunderstorm immediately above the airport. This demonstrates a limit to the author's familiarity with flight operations. - There is a strange bibliography. 17 pop-market books, and doesn't cite individual AARs. I wonder if that contributed to the Kegworth description. - Structurally, it shares the fundamental formatting issue of virtually all niche-market books, namely full justification. I just don't get it. Overall, the book is kind of a distilled summary of a few dozen aircraft accident reports, events all pilots should be familiar with. I kind of liked it. It's an easy read. A dark, disturbing read.
Please report problems with the web pages to the maintainer