Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Kim Zetter, Motherboard Remote-access software and modems on election equipment 'is the worst decision for security short of leaving ballot boxes on a Moscow street corner.' Election Systems and Software, “the nation's top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them...'' In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had “provided pcAnywhere remote connection software ... to a small number of customers between 2000 and 2006'' which was installed on the election-management system ES&S sold them. The statement contradicts what the company told me and fact checkers for a story I wrote for *The New York Times* in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. “None of the employees, ... including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software,'' the spokesperson said. [KZ] http://motherboard.vice.com/en_us/article/mb4ezy/top-voting-machine-vendor-admits-it-installed-remote-access-software-on-systems-sold-to-states [Kim Zetter has been superb in her long-time reporting on election integrity—and the lack thereof—and many other RISKS-related topics. Her article is extremely timely, and just one more serious warning of the potential risks. PGN]
The document highlights the increasing critical role that private-sector companies are playing in national security matters. http://www.cnbc.com%2F2018%2F07%2F20%2Fhow-the-justice-department-is-fighting-election-threats-cybercrime.html
The special counsel's indictment of 12 Russian intelligence officers is a technical guide to the Kremlin's 2016 operation. https://www.washingtonpost.com/world/national-security/how-the-russians-hacked-the-dnc-and-passed-its-emails-to-wikileaks/2018/07/13/af19a828-86c3-11e8-8553-a3ce89036c78_story.html
via NNSquad http://boingboing.net/2018/07/12/the-troll-factory-pwned-us-all.html As early as 2014, Russian operatives working out of the Internet Research Agency (IRC) in St. Petersburg were busy creating fake Twitter accounts for U.S. local news organizations that did not exist.
http://www.latimes.com/opinion/op-ed/la-oe-frantz-artificial-intelligence-treaty-20180716-story.html "The treaty would enshrine certain basic principles. The concept of "human-in-command" to guarantee that people retain control over AI should be a priority. Standards would be set for monitoring AI systems. Fundamental human rights should be specifically protected. A new international body should be created for oversight, similar to the International Atomic Energy Agency. "The obstacles are apparent, from rogue nations and monopoly-minded companies to the sorry state of international cooperation. But advances in AI and machine learning are moving so fast that today seems like yesterday, making the challenge urgent." Daniel H. Wilson, the author of "How to Survive a Robot Uprising" is a good candidate to lead treaty negotiations. Certain nations do not respect existing treaties governing human rights, WMDs, or even climate change accelerants. What possible incentives will motivate treaty compliance and membership in a hypothesized IAAIR—the International Agency for Artificial Intelligence and Robotics?
http://www.npr.org/2018/07/18/630146884/ai-innovators-take-pledge-against-autonomous-killer-weapons "... we the undersigned agree that the decision to take a human life should never be delegated to a machine," the pledge says. It goes on to say, "... we will neither participate in nor support the development, manufacture, trade, or use of lethal autonomous weapons." Compare with the IEEE Code of Ethics, Article 1 (see http://www.ieee.org/about/corporate/governance/p7-8.html "to hold paramount the safety, health, and welfare of the public, to strive to comply with ethical design and sustainable development practices, and to disclose promptly factors that might endanger the public or the environment;" The ACM articles (see http://www.acm.org/code-of-ethics) express similar intent. This pledge, while sincere and honorable, ignores long-established professional ethics and practices. Creativity's thrill apparently infected our colleagues' judgment, inducing myopia and amnesia toward these legacy guiding principles. Perhaps research grants were too enticing to refuse without risking university tenure or employment promotion opportunity? Open-source neural networks and artificial life training platforms enable even the smallest nation to initiate an autonomous killer program. These weapons will likely populate the next battlefield; the "human-in-control" probably faraway from the conflict zone. I doubt "Real Steel" engagement will become an effective tactic during a swarm intelligence battle. This leads to the question of how to possibly sterilize a battlefield deployment of AI-driven killers. A micro-EMP (preferably non-nuclear) might do it. A cluster-bomb of radar-guided or passive-metal-seeking ultra-tazers?
http://www.bbc.com/news/business-44799239 This technology motivates the old aphorism to "Keep smiling, the boss likes idiots." I wonder if employers will institute a "smile or frown" score as part of performance reviews?
Customer records for at least 14 million subscribers, including phone numbers and account PINs, were exposed. https://www.zdnet.com/article/millions-verizon-customer-records-israeli-data/
While Ramos' trial is still months away, the successful use of computer technology to confirm a murder suspect's identity made it clear that facial recognition systems have reached the point where they can perform reliably enough to identify a random person fairly reliability. http://www.eweek.com/security/facial-recognition-shows-promise-as-next-step-in-corporate-security "Fairly reliably"—new horizons in mistaken identity? New questions needed for defense lawyers to cross-examine facial recognition systems?
Mizuho Bank is one of the largest banks in Japan. Today (Monday, Japan time) is the last day of a three-day weekend. Mizuho decided to shut down *its entire ATM network* from midnight Friday night until 8a.m. Tuesday, so they could perform a flag day (maybe even forklift? not sure) upgrade on ATM software. Apparently, it's not just their own ATMs, but any 7-11 or other ATMs that would also normally give you access to your account cannot; it's a backend upgrade as well as frontend. Short blurb in English: http://www.japantimes.co.jp/news/2018/07/13/business/mizuho-halt-atm-online-banking-services-three-day-weekend/%23.W0xs8tgzbOQ40c4d5e9075%7C1D Short article in Japanese: http://headlines.yahoo.co.jp/hl%3Fa%3D20180714-00010006-bfj-bus_all *Mizuho nammin*, or *Mizuho refugees* https://twitter.com/hashtag/%25E3%2581%25BF%25E3%2581%259A%25E3%2581%25BB%25E9%259B%25A3%25E6%25B0%2591%3Fsrc%3Dhash4d9780cdf174bc47fd708d5eb04283b%7C40779d3379c44626b8bf140c4d5e9075%7C1 I'm sure the risks of this are pretty obvious to readers here. Suffice it to say, their 24 million customers aren't happy.
The Washington Post Josh Wiles, Novo Dia's founder and president, cited several reasons for the company's shutdown. The marketplace for SNAP transactions is highly regulated and requires extra (read: expensive) security measures beyond what is required for credit cards or debit cards. The profits are small because markets and individual farmers process micro-payments, often as little as a few dollars. The *tipping point*, though, Wiles said, was the decision by the new administrator of the SNAP equipment program to work with electronic-payment giant First Data, rather than Novo Dia and its Mobile Market app. Without continuing to gain new customers and economies of scale, Wiles said, Novo Dia could not remain financially viable: “Once it became clear that we were not going to be part of it, we knew we would not be able to scale in a manner that allowed us to be profitable or even sustainable.'' https://www.washingtonpost.com/lifestyle/food/some-food-stamp-recipients-may-soon-lose-access-to-farmers-market-benefits/2018/07/09/fafb2caa-838d-11e8-8f6c-46cb43e3f306_story.html
I'm not the only one who's noticed that the Tesla "Powerwall2" home battery system uses the same ubiquitous "CAN bus" found in automobiles. (Duh! It appears that the Powerwall2 is basically 1/4 of a standard base Tesla Model 3 battery.) Many home battery systems utilize several Powerwall2's, and hence approximate 1/4-3/4 of the energy storage capacity of a Tesla base Model 3. After a number of notorious car hacks using this same CAN bus over the past several years, what could possibly go wrong with a Powerwall2 system -- having the equivalent of several gallons of gasoline stored within its batteries—in/on your home? Furthermore, the Powerwall2 is connected to the Internet through your home router, so that the Tesla cellphone app can talk to Tesla and hence to your Powerwall2. Now Tesla has apparently put in a lot of effort into securing the communications of its *autos*, but I wonder if this same level of effort has been invested in the security of the Powerwall2? Unlike the Tesla automobile, which is connected only sporadically with the Internet, your home Powerwall2 is presumably capable of being attacked 24x7. It's also possible that a standard auto OBD-II connector could be installed by a hacker directly on the Powerwall2—after all, many Powerwall2 systems are mounted *outside the house*. With an OBD-II and Bluetooth/Wifi, hacking could then be done discretely from a nearby vehicle, and would completely bypass any security built into the Powerwall2's own wifi connection. Click once to turn off the refrigerator; click twice to *halt and catch fire*.
https://www.scientificamerican.com/article/china-expands-surveillance-of-sewage-to-police-illegal-drug-use/ April Fools for 2019: The PRC expands surveillance to detect halitosis and BO.
For more than a year, some of the most powerful women in entertainment -- including Amy Pascal, Kathleen Kennedy, Stacey Snider and a 'Homeland' director—have been impersonated by a cunning thief who targets insiders with promises of work, then bilks them out of thousands of dollars. The Hollywood Reporter has obtained exclusive audio recordings of the savvy imposter as victims come forward and a global investigation heats up. ... For a long time, Linka Glatter thought she was alone in being faked. She tried to contact the police and the FBI, but neither showed interest. The amount of money involved was too small, they told her. She hired a private investigator, who discovered that the scammers were using burner phones to cover their tracks and GoDaddy accounts for fake email addresses. She contacted corporate security at a major Hollywood studio, but that didn't help either. The calls kept coming. One day, a well-known political consultant in Washington got in touch. http://www.hollywoodreporter.com/features/hunting-con-queen-hollywood-1125932
The 64G Patriot micro SD I had been using in my cell phone from mid 2014 just decided to turn itself into a read-only memory card. From what I read, it most likely reached its maximum number of uses, as it happens at least with some Samsung cards too. It would be to protect the card from losing all its data, after its cells were erased "too many times" (limit number depending on the card, and appearing to be in the order of 10-100k). And according to Internet forums, and card reviews on Amazon, it looks like it's getting more and more common! A very bad point is that there were no error messages at all. I added music files before a trip, but I had none of the new files available later so at first I thought I didn't do it correctly (even if the transfer was fine, it could for example have been to my card backup on an hard drive instead of going to the actual card). Then, despite the pictures still being taken correctly by my phone (browsing was OK, able to delete the bad ones...), I lost all of the new ones when my phone rebooted. So they were only in a cache memory somewhere, but nowhere on the SD card (not found by deep recovery tools either). More fun, the older ones I deleted came back during the same reboot... I understand it would be bothering to have an error message at each card access, but at least I would have known to change the card and would not have lost 3 days of pictures! So beware...
A new risk when tracking birds (or any other kind of stuff): someone manage to recover the SIM card from the tracker, and used it! More detailed story at either https://www.theregister.co.uk/2018/07/03/stork_mobile_theft/ or http://www.iflscience.com/plants-and-animals/migrating-stork-racks-up-2700-on-researchers-cell-phone-bill/
Robocalls ravaged Americans' smartphones in record numbers last month. But some of the nation's top businesses are still urging the Trump administration to make it easier for them to dial and text mobile devices en masse. http://www.washingtonpost.com/technology/2018/07/12/robocalls-are-getting-worse-some-big-businesses-soon-could-start-calling-you-even-more/
http://www.scientificamerican.com/podcast/episode/smart-mouthguard-senses-muscle-fatigue/ "The mouth guard's batteries are rechargeable wirelessly, and the device can use low-power Bluetooth to send information to smartphones, watches and other electronic devices." Athlete bio-surveillance provides clues about peak performance and degradation under physical stress. This telemetry stream, if clear text and not subject to privacy management protection, can be exploited by gaming interests.
Happy Friday the 13th to all you professional paranoiacs out there. I have previously mentioned some of the risks involved in living here. http://community.isc2.org/t5/Career/Risk-and-cost-benefit/m-p/12101 In addition, the Lion's Gate Bridge is closed today, due to a "police incident." (That probably means a jumper.) This also means that the Ironworker's Memorial Second Narrows Bridge (and for risk fans I can recommend "Tragedy at Second Narrows," by Eric Jamieson) is completely clogged in both directions, while the Seabus has at least a two, and possibly as high as four, sailing wait. But that isn't the risk I wanted to talk about today. We have bears here. (When I was a young lad at university, back before there was an Internet, my residence had a fellow from Cambridge whose family, back in The Olde Country, were terrified that he would be eaten by a bear. So, whenever there were reports of bears in the north side communities, we helpfully cut out the stories for him to send back to his family.) Black bears are fairly cute, and not as vicious as grizzlys. But it is not a good idea to feed them. It's dangerous for people, and it's dangerous for the bears, too. (They get acclimated, and come to regard people as sources of food, and then there is trouble, and often the bears get shot.) So there are laws, here, prohibiting people from feeding bears. Some people do it anyway. http://vancouversun.com/news/local-news/dont-feed-the-bears-north-shore-residents-under-investigation-for-feeding-bears-from-house or http://is.gd/mq6okV Now, if you are going to break the law, it might be a good idea not to post videos of you doing so on your social media account ...
We still get some crazy cases with digitized processes: PayPal Apologizes for Letter Demanding Payment From Woman Who Died of Cancer: https://www.nytimes.com/2018/07/11/business/paypal-dead-wife-husband-letter-nyt.html So many corner/special cases to think about! In the same kind of problems, a(n old) friend of mine died recently, and facebook want me to organize an event for his birthday later this month. But at least, despite the posts by his family on his page, I guess facebook doesn't know he's dead. Not like Paypal!
Olivia Solon, *The Guardian*, 13 Jul 2018 So-called *anonymous* data can be easily used to identify everything from our medical records to purchase histories http://www.theguardian.com/world/2018/jul/13/anonymous-browsing-data-medical-records-identity-privacy In August 2016, the Australian government released an `anonymised' data set comprising the medical billing records, including every prescription and surgery, of 2.9 million people. Names and other identifying features were removed from the records in an effort to protect individuals' privacy, but a research team from the University of Melbourne soon discovered that it was simple to re-identify people, and learn about their entire medical history without their consent, by comparing the dataset to other publicly available information, such as reports of celebrities having babies or athletes having surgeries. The government pulled the data from its website, but not before it had been downloaded 1,500 times. This privacy nightmare is one of many examples of seemingly innocuous, de-identified pieces of information being reverse-engineered to expose people's identities. And it's only getting worse as people spend more of their lives online, sprinkling digital breadcrumbs that can be traced back to them to violate their privacy in ways they never expected. Nameless New York taxi logs were compared with paparazzi shots at locations around the city to reveal that Bradley Cooper and Jessica Alba were bad tippers. In 2017 German researchers were able to identify people based on their `anonymous' web browsing patterns. This week University College London researchers showed how they could identify an individual Twitter user based on the metadata associated with their tweets, while the fitness tracking app Polar revealed the homes and in some cases names of soldiers and spies. “It's convenient to pretend it's hard to re-identify people, but it's easy. The kinds of things we did are the kinds of things that any first-year data science student could do,'' said Vanessa Teague, one of the University of Melbourne researchers to reveal the flaws in the open health data. One of the earliest examples of this type of privacy violation occurred in 1996 when the Massachusetts Group Insurance Commission released `anonymised' data showing the hospital visits of state employees. As with the Australian data, the state removed obvious identifiers like name, address and social security number. Then the governor, William Weld, assured the public that patients' privacy was protected. Latanya Sweeney, a computer science grad who later became the chief technology officer at the Federal Trade Commission, showed how wrong Weld was by finding his medical records in the data set. Sweeney used Weld's zip code and birth date, taken from voter rolls, and the knowledge that he had visited the hospital on a particular day after collapsing during a public ceremony, to track him down. She sent his medical records to his office. In later work, Sweeney showed that 87% of the population of the United States could be uniquely identified by their date of birth, gender and five-digit zip codes. “The point is that data that may look anonymous is not necessarily anonymous,'' she said in testimony to a Department of Homeland Security privacy committee. More recently, Yves-Alexandre de Montjoye, a computational privacy researcher, showed how the vast majority of the population can be identified from the behavioural patterns revealed by location data from mobile phones. By analysing a mobile phone database of the approximate locations (based on the nearest cell tower) of 1.5 million people over 15 months (with no other identifying information) it was possible to uniquely identify 95% of the people with just four data points of places and times. About 50% could be identified from just two points. The four points could come from information that is publicly available, including a person's home address, work address and geo-tagged Twitter posts.
Oi. Creepy social engineering is one thing. https://community.isc2.org/t5/Industry-News/quot-The-Spnner-quot-Creepy-social-engineering-fraud-or-prank/m-p/12364 or https://is.gd/j5MNCT Basing law enforcement, physical security, investigations, and job interviews on highly questionable premises is quite another. Faception claims to be able to "reveal personality from facial images" and "dramatically improve public safety, communications, decision-making, and experiences." How? Well, after some buzzword filled marketing jargon about "first-to-technology and first-to-market with proprietary computer vision and machine learning technology" and mention of the magic word "biometrics," if you persist you may be able to find the theory behind the technology. It seems to boil down to the following logic: 1) DNA can determine (certain) personality traits (sometimes to a significant extent). (This is true, with the provisos I've put in parentheses.) 2) DNA can determine how you look. THEREFORE: Your personality is determined by how you look. (Finding the flaws in this argument is left as an exercise for students of logic.) I am inescapably reminded of the "bomb detectors" sold to Afghani and Iraqi security forces that had no detection capabilities at all, and caused large numbers of deaths. That's on the false negative side. The potential damage caused on the false positive side are likely considerably greater ... Of course, there's always: > Date: Sat, 14 Jul 2018 08:46:31 -0700 > From: "Peter G. Neumann" <email@example.com> > Subject: Regulation of facial-recognition software? (WashPo)
Last I heard El Al ground crews still fly the plane they serviced (always have), and they still are fully at liberty to seek gainful employment elsewhere. I'm not quite sure what makes med AI coders so different -- though in all fairness I would draw the line at family members. I think El Al does.
It seems that what had triggered Siri was the mention of "*a Syri*an democratic force". Conclusion: Don't bring Siri to a discussion about Syria... (And also be careful when talking about "*a Lexus*" or "*a court ana*lyzer")
Here's a book that might be of interest to RISKS readers who are serious about developing systems that must be much more trustworthy. It is quite comprehensive, addressing many problems that have been discussed in RISKS. It may not be a complete answer on how to fully turn the attainment of trustworthy systems into a true engineering discipline, but it should be very helpful to anyone pursuing the creation of such a discipline—which today does not seem to exist. O. Sami Saydjari Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time McGraw-Hill Education, 2018 xlvii+540, $60.00 ISBN 978-1-260-11817-9 Sami has extensive background (NSA, DARPA), and has managed to squeeze a lot of it into the book. http://www.engineeringtrustworthysystems.com The endorsements on the back cover and front-end material are copious, so I am not going to even begin to cite some of them here. They are available at https://samisaydjari.com/reviews-1/ .
Please report problems with the web pages to the maintainer