Hackers getting a free T pass may be the least of our worries — local hackers-turned-security experts suggest RFID keycards, wireless networks and medical devices implanted in the body are also vulnerable to hacks.

At last week’s Defcon hacker convention in Las Vegas, a team of researchers showed it was possible to get information such as Social Security numbers and medical diagnoses, and change the settings on an implantable defibrillator by impersonating the computer it communicates with wirelessly. By doing so, a hacker could send a fatal shock to a patient’s heart, said William Maisel of the Beth Israel Deaconess Medical Center.

It is almost like things haven’t changed since the 90’s when the L0pht worked to change the mindset of security:

1. Don’t trust vendor claims around security
2. Attacks aren’t “theoretical”
3. Security by obscurity is no security

The L0pht worked as an independent security research think tank.  For us it was non-profit side job researching and publishing vulnerabilities in software and hardware.  We did it for our love of technology and published what we found out because purchasers and users of the vulnerable systems deserve to know.

It’s 10 years later and the situation hasn’t improved much.  Mudge talks about the vulnerabilities the L0pht found in highway transponder systems that are still in systems being fielded today.  But more important than the vulnerabilities themselves is the nature of how these vulnerabilities are coming to light.  They are being found by hobbyists, students, and IT people working in their spare time.  How can something as important as the security of public fare collection systems and medical equipment not have a standard process for security acceptance testing? 

As we become more reliant on digital systems, with some even keeping us alive, it is high time for security testing to move beyond student papers and part time IT work.  Security testing needs to become a formal part of the process of purchasing and fielding digital systems.  Our lives are starting to depend on it.

"The rigorous studies clearly show red-light cameras don't work," said lead author Barbara Langland-Orban, professor and chair of health policy and management at the USF College of Public Health. "Instead, they increase crashes and injuries as drivers attempt to abruptly stop at camera intersections."

Comprehensive studies from North Carolina, Virginia, and Ontario have all reported cameras are associated with increases in crashes. The study by the Virginia Transportation Research Council also found that cameras were linked to increased crash costs. The only studies that conclude cameras reduced crashes or injuries contained "major research design flaws," such as incomplete data or inadequate analyses, and were always conducted by researchers with links to the Insurance Institute for Highway Safety. The IIHS, funded by automobile insurance companies, is the leading advocate for red-light cameras since insurance companies can profit from red-light cameras by way of higher premiums due to increased crashes and citations.

And, of course, the agenda of the government is to increase revenue due to fines:

A 2001 paper by the Office of the Majority Leader of the U.S. House of Representatives reported that red-light cameras are "a hidden tax levied on motorists." The report came to the same conclusions that all of the other valid studies have, that red-light cameras are associated with increased crashes and that the timings at yellow lights are often set too short to increase tickets for red-light running. That's right, the state actually tampers with the yellow light settings to make them shorter, and more likely to turn red as you're driving through them.

In fact, six U.S. cities have been found guilty of shortening the yellow light cycles below what is allowed by law on intersections equipped with cameras meant to catch red-light runners. Those local governments have completely ignored the safety benefit of increasing the yellow light time and decided to install red-light cameras, shorten the yellow light duration, and collect the profits instead.

The cities in question include Union City, CA, Dallas and Lubbock, TX, Nashville and Chattanooga, TN, and Springfield, MO, according to Motorists.org, which collected information from reports from around the country.

However, it turns out there’s other effects as well. In a paper I presented last week to the Fifth Conference on Email and Anti-Spam (CEAS 2008), I showed that the first letter of the local part of the email address also plays a part.

Incoming email to Demon Internet where the email address local part (the bit left of the @) begins with “A” (think of these as aardvarks) is almost exactly 50% spam and 50% non-spam. However, where the local part begins with “Z” (zebras) then it is about 75% spam.

However, if one only considers “real” aardvarks and zebras, viz: where a particular email address was legitimate enough to receive some non-spam email, then the picture changes. If one treats an email address as “real” if there’s one non-spam email on average every second day, then real aardvarks receive 35% spam, but real zebras receive only 20% spam.

The most likely reason for these results is the prevalence of “dictionary” or “Rumpelstiltskin” attacks (where spammers guess addresses). If there are not many other zebras, then guessing zebra names is less likely.

Aardvarks should consider changing species — or asking their favourite email filter designer to think about how this unexpected empirical result can be leveraged into blocking more of their unwanted email.

[[[ ** Note that these percentages are way down from general spam rates because Demon rejects out of hand email from sites listed in the PBL (which are not expected to send email) and greylists email from sites in the ZEN list. This reduces overall volumes considerably -- so YMMV! ]]]

He’s a bit indignant that so much energy goes to sporting events like the Olympics rather than more important news that isn’t getting reported around the world.

This is in a year when tons of journalists are getting laid off.

This is in a year when there are tons of stories around the world that aren’t getting reported on.

Could we take half of those photographers and send them to Russia, for instance

Reminds me of a feeling I had back in college as an undergrad student studying social sciences and humanities, about the way my friends who were physicists interacted with the world. They were so awed by the stars, Mars, astrophysics, and it seemed to me interesting but altogether unimportant. They argued they may find something outside our planet that could help solve Earth-bound problems like disease, or find the origins of earth and humanity — but really they were doing it because they loved it. One of my friends had a good argument, though — there are enough people right now that we can specialize in what we care about, and there will still be others covering other topics. He could be a physicist and look into the universe’s origin, while I studied social interaction and writing, and our other friends looked into solving cancer or eradicating invasive plants in the native wetlands. We have to specialize, and there are enough of us to do it too.

I think it’s the same way in journalism — whether it’s sports, celebrity journalism, or coverage of politics and war, there are a lot of opportunities right now for journalists. Of course the business model is changing, and some old-schoolers won’t know how to roll with that, but generations change slowly; we’re learning.

Also, the Olympics is seen as more than a sporting event, it’s also a symbol of world competition and cooperation too — a way for countries to come together and share entertainment globally. I think that’s worth covering.

In the second post, Robert Scoble says there are plenty of great journalists but the public doesn’t care. In some ways I have to agree with that, but I don’t think it’s negative, necessarily. I had a conversation with someone the other day about world news reportage. He says, “I was just reading this story, but what does it matter to me if there’s a flood in some city in another country I’ll never visit and some farmer lost his sheep?” World news is only important when it’s relevant, so it’s no wonder that many people don’t care — if they don’t know much about the area, and it doesn’t affect them, they have no incentive to give it full attention. You can call that apathy, but I think it’s an important selectivity skill that humans have. We have to choose what to give priority to, so if nothing stands out as being particularly important, we just ignore it or gloss over it. Human nature…

Also I think the common person today just gets desensitized and doesn’t know where to turn their energy, when surrounded by so many crises. Either you focus on one specialty and do your best to work toward one cause in your life — and maybe that’s just in the course of your daily work — or you become a complete Attention-Deficit-Disorder case and bounce from one problem to the next, without knowing how to solve anything. That just causes a sense of bewilderment, despair, and either that bogs you down or eventually you get desensitized.

There’s a commenter on Scoble’s blog, Spencer, who talks about this generation’s apathy. There are so many people who want to blame today’s generation or the young generation for this “apathy” that they sense. But I see it as a survival mechanism that arises from the way information flows these days. We’re surrounded by crises, everyone wants us to know about them — the water shortage, global warming, death in Iraq, the national deficit. Okay, crisis, I get it. But no one gives a real clear idea on what any individual is really supposed to do to solve the problem. You can’t get involved with one global cause, without ignoring all the others, and if you do get involved it’s likely to become your life’s purpose. Most people are concerned with other things — their families, their work, personal development, their homes and futures, and really that’s enough to take up all their time.

I’m always amazed when I read about the early unionists. Emma Goldman for example, the activist who pushed for the 8-hr workday, and campaigned for free love in the early 1900s when women were still wearing corsets, used to work 16 hour factory days as a seamstress, then lead meetings late into the night. Today we lead cushy lives comparatively–8 hour days, plus commute and lunch, family time, dinner time, gym maybe, sleep… but it still doesn’t seem like we ever have enough energy and time.

What Emma had that most people today don’t, is a community living in the same conditions as herself, with clear goals about what they were campaigning for, and a cause that affected their own daily lives. Today, unionism and local activism is in much shorter supply, in part due to the many people who work fairly comfy desk jobs, and the problem that everyone has his own specialization, works in a cubicle, does his or her own thing. The problems we’re facing today in terms of global warming, global water shortage, aren’t the same kinds of problems that activists have fought for in the past, and there’s no clear road map for how to solve them. Our leaders sure aren’t leading the way.

What we do have, at least, is the Olympics, which is an age old symbol of international cooperation, play and competition…so, uh, go sports! As for full disclosure, I don’t actually have a TV and haven’t watched the Olympics in many years, but I do try taking short showers–does that help?

New life for dead Tempe network? Another firm has expressed interest in buying the pennies on the dollar assets that remain of the former Kite Networks installation in Tempe from the firm that financed the venture as long as they can negotiate a new, more favorable deal with the city for mounting and removal rights. CTC, Inc., which the East Valley Tribune reports runs networks in the Kansas City, Mo., area, thinks there's an opportunity. The article notes that reception problems were due in part to the prevalence of stucco in Tempe, common in the southwest. Stucco walls layer plaster or other materials on a wire mesh for strength that turns a house into a bit of an accidental Faraday cage, partially shielding the home from electromagnetic radiation. (Could I go so far to say that Tempe's network could be a phoenix? Ouch.)

Wake up, you darn computer: Intel's new Remote Wake motherboards won't work with Wi-Fi, it's important to note. The feature, announced today, will let an incoming VoIP call (the articles all say "phone call over the Internet") to wake a computer, as long as the call comes from a particular source. Of course, the standard SIP protocol for VoIP doesn't have the kind of security and integrity that would allow this; Intel has to overcome the problem with network address translation that renders most computer unreachable from outside the local network without a separate service like GoToMyPC or LogMeIn; and it will only work for computers connected via Ethernet to a local network, because Wi-Fi is off when a computer sleeps, while Ethernet can remain lightly active. I don't have the protocol details yet, but there's long been a Wake on LAN protocol that required support in a router, operating system, and Ethernet card; Intel may be leveraging this.

The company shuffled its products into three versions several weeks ago: Eye-Fi Home ($80), which uploads only to a specific computer over a local network; Eye-Fi Share ($100), a rebranded version identical to its first offering last year, which can upload to photo-sharing services or a computer or both; and the Explore. (You can purchase the Eye-Fi Explore from Amazon.com, as well as the other models.)

I reviewed the Explore as a geotagging system for The Seattle Times this last Saturday; I'd reviewed the original Eye-Fi (now Eye-Fi Share) for them last year as well. You can read that review for my take on geotagging, or skip to the bottom of this review, as well.

The hardware is apparently the same or nearly so, and it works just as well as it did last year. The biggest improvements, however, are a few workflow tweaks that make it far easier to manage and track uploads of pictures without draining your camera's batteries down to zero.

Since its birth 12 years ago after a fatal kidnapping in Texas, Amber Alert has quickly become one of the best-known tools in the national law enforcement arsenal. The warnings are familiar to anyone who watches cable TV news, especially during the summer, when the drumbeat of abduction stories seems to increase. Last year, 227 alerts were issued nationwide, each galvanizing interest in the local community and flooding police with tips. While the particulars of the state systems differ, the goal is the same: to disperse news of a kidnapping as widely and quickly as possible, in the hope that someone will spot the kidnapper before a child is harmed.

The program's champions say that its successes have been dramatic. According to the National Center for Missing and Exploited Children, more than 400 children have been saved by Amber Alerts. Of the 17 children Massachusetts has issued alerts on since it created its system in 2003, all have been safely returned.

These are encouraging statistics -- but also deeply misleading, according to some of the only outside scholars to examine the system in depth. In the first independent study of whether Amber Alerts work, a team led by University of Nevada criminologist Timothy Griffin looked at hundreds of abduction cases between 2003 and 2006 and found that Amber Alerts -- for all their urgency and drama -- actually accomplish little. In most cases where they were issued, Griffin found, Amber Alerts played no role in the eventual return of abducted children. Their successes were generally in child custody fights that didn't pose a risk to the child. And in those rare instances where kidnappers did intend to rape or kill the child, Amber Alerts usually failed to save lives.