
Risks Digest

Discussion in 'Gator Bytes' started by LakeGator, Apr 25, 2015.

  1. LakeGator

    LakeGator Mostly Harmless Moderator VIP Member

    I have been reading the Risks Digest for many years and often find some great observations and information. It struck me that having the Risk Digest articles here might be of interest to a number of GatorCountry subscribers. It can be viewed as a web site or via the comp.risks newsgroup. I will post articles as they appear as replies to this thread.

    Below is the description of the Risks Digest from WikiPedia:

    The RISKS Digest or Forum On Risks to the Public in Computers and Related Systems is an online periodical published since 1985 by the Committee on Computers and Public Policy of the Association for Computing Machinery. The editor is Peter G. Neumann.

    It is a moderated forum concerned with the security and safety of computers, software, and technological systems. Security, and risk, here are taken broadly; RISKS is concerned not merely with so-called security holes in software, but with unintended consequences and hazards stemming from the design (or lack thereof) of automated systems. Other recurring subjects include cryptography and the effects of technically ill-considered public policies. RISKS also publishes announcements and Calls for Papers from various technical conferences, and technical book reviews (usually by Rob Slade, though occasionally by others).

    Although RISKS is a forum of a computer science association, most contributions are readable and informative to anyone with an interest in the subject. It is heavily read by system administrators, and computer security managers, as well as computer scientists and engineers.

    The RISKS Digest is published on a frequent but irregular schedule through the moderated Usenet newsgroup comp.risks, which exists solely to carry the Digest.

    Summaries of the forum appear as columns edited by Neumann in the ACM SIGSOFT Software Engineering Notes (SEN) and the Communications of the ACM (CACM).
     
  2. LakeGator

    LakeGator Mostly Harmless Moderator VIP Member

    Risks Digest 28.59

    RISKS List Owner

    Apr 23, 2015 1:29 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Wednesday 22 April 2015 Volume 28 : Issue 59

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.59.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: [Sorry for the three-week gap. VERY BUSY. PGN]
    Passenger, avionics networks still not separated in B787, A350, A380
    (Mary Shaw)
    GAO report on FAA vulnerabilities to Cyberattack, and a news report on a
    claimed attack method (Peter Bernard Ladkin)
    First F-35 Jets Lack Ground-Combat Punch of 1970s-Era A-10s (Gabe Goldberg)
    Driver follows GPS off demolished bridge, killing wife (Gabe Goldberg)
    Automakers Say You Don't Really Own Your Car (Gabe Goldberg)
    Tweeting Fridges and Web Controlled Rice Cookers: 9 of the Stupidest Smart
    Home Appliances (Gabe Goldberg)
    "Smart home hacking is easier than you think" (Colin Neagle)
    Virginia decertified WinVote voting system (Jeremy Epstein)
    Australia government attacks researchers who reveal online election flaws
    (Lauren Weinstein)
    Curious election statistical observation (danny burstein)
    Bob Wachter on Technology and Hospitals at Medium (Prashanth Mundkur)
    Lawyers smell blood in electronic medical records (Lauren Weinstein)
    `Routine maintenance' and the EMR (Robert L Wears)
    "End-To-End Web Crypto: A Broken Security Model" (Indolering)
    Banks undermine chip and PIN security (Steven Murdoch via
    Prashanth Mundkur)
    Tewksbury police pay bitcoin ransom to hackers (Bob Frankston)
    State of the Internet (Akamai)
    The Internet Ruined April Fool's Day (The Atlantic)
    Hacked French TV network admits "blunder" that exposed YouTube password
    (Gabe Goldberg)
    Tech companies are sending your secrets to crowdsourced armies of
    low-paid workers (Gabe Goldberg)
    ISIS mass-defacing websites (PGN)
    "How ICANN enabled legal Website extortion" (Cringely)
    "GitHub still recovering from massive DDoS attacks" (Jeremy Kirk)
    FBI would rather prosecutors drop cases than disclose stingray details
    (Cyrus Farivar)
    Cyberspace and the American Dream: A Magna Carta for the Knowledge Age
    (Daniel Berninger)
    "Lost in the clouds: 7 examples of compromised personal information"
    (Steve Ragan)
    French Senate Backs Bid To Force Google To Disclose Search Algorithm
    Workings (Lauren Weinstein)
    "4 no-bull facts about Microsoft's HTTP.sys vulnerability" (Serdar Yegulalp)
    Congress cannot be taken seriously on cybersecurity (Trevor Timm)
    How the New York Times is eluding censors in China (Lauren Weinstein)
    "Large-scale Google malvertising campaign hits users with exploits"
    (Lucian Constantin)
    Insurance co. wants to track you 24/7 for a discount (CNN)
    Fire TV Stick OS 1.5 Update (Gabe Goldberg)
    Internet Naming Body Moves to Crack Down on '.sucks' (Ars)
    Good news and bad news: Android Security State of the Union 2014
    (Lauren Weinstein)
    Re: Kali Linux security is a joke! (Henry Baker)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 16 Apr 2015 11:23:17 -0400
    From: Mary Shaw <sh...@cs.cmu.edu>
    Subject: Passenger, avionics networks still not separated in B787,
    A350, A380

    In 2008, RISKS reported that the design of the B787 onboard network did not
    completely separate the passenger entertainment network from the flight
    control network; the FAA was imposing special conditions for testing.

    According to Wired and CNN, a new GAO report says the vulnerabilities
    persist.
    http://www.wired.com/2015/04/hackers-commandeer-new-planes-passenger-wi-fi/
    http://www.gao.gov/products/GAO-15-370

    Neither article cites the report, though CNN names one of the authors.

    The GAO site shows only one new report that seems relevant, ``FAA Needs a
    More Comprehensive Approach to Address Cybersecurity as Agency Transitions
    to NextGen'' http://www.gao.gov/products/GAO-15-370 . This report (April 14)
    seems to be mostly about the NextGen ATC system, considering as one
    significant element the possibility of unauthorized remote access to
    aircraft avionics systems via the passenger entertainment system.

    Mary Shaw, AJ Perlis University Professor of Computer Science, Carnegie
    Mellon University, http://cs.cmu.edu/~shaw http://orcid.org/0000-0003-1337-4557

    [PGN suggests: see also
    http://tech.slashdot.org/story/15/04/15/1437211/gao-warns-faa-of-hacking-threat-to-airliners
    ]

    ------------------------------

    Date: Sat, 18 Apr 2015 10:07:36 +0200
    From: Peter Bernard Ladkin <lad...@rvs.uni-bielefeld.de>
    Subject: GAO report on FAA vulnerabilities to Cyberattack, and a news
    report on a claimed attack method

    The US Government Accounting Office has published a report on the
    vulnerability of FAA equipment and avionics to cyberattack
    http://www.gao.gov/products/GAO-15-370 . It makes three main points. The
    third one is organisational; I am concerned here with the first two.

    First, the FAA has not developed and apparently doesn't intend to develop a
    threat model for its ground-based systems. Unsurprisingly, the GAO thinks it
    might be a good idea to do so.

    Many FAA ground-based systems are decades old and were installed in an era
    which didn't need to worry as much about cybersecurity. Many of them are
    dedicated systems, so some physical access would be required. But some are
    not. Does anyone remember the NY ATC outage a quarter century ago?
    http://catless.ncl.ac.uk/Risks/12.36.html#subj1.1 Failure of a commercial
    4ESS switch took out ATC. I seem to remember (or was it another incident?)
    ATCOs coordinating by using their private mobile phones. A DoS attack on ATC
    communications nowadays could take out a commercial switch but would have to
    take out the cellular phone comms also. So there's the first entry for the
    threat model.

    Second, the GAO queries the wisdom of critical avionics and passenger
    in-flight entertainment systems (IFE) sharing network resources. So did many
    of us when it was first mooted (for the Boeing 787, I seem to
    recall). Because, after all, the best start on assuring non-interference is
    physical separation of networks and good shielding. And indeed someone
    recently claimed on Fox News to be able to hack avionics through the IFE
    http://www.foxnews.com/us/2015/04/17/security-expert-pulled-off-flight-by-fbi-after-exposing-airline-tech/
    He was apparently subsequently pulled from a flight out of Denver by the
    FBI, interviewed for a number of hours and relieved of some kit.

    People may think: "shooting the messenger". But hang on. Roberts told Fox
    News (I quote from Fox) "We can still take planes out of the sky thanks to
    the flaws in the in-flight entertainment systems...."

    Here is a guy who claims publicly to be able to "take planes out of the sky"
    getting on an airplane with computer equipment. It is surely the task of
    security services to ensure he is not a threat in any way. If you were a
    passenger on that airplane, wouldn't you like at least to know he is not
    suicidal/paranoid/psychotic? In fact, wouldn't you rather he got on with a
    nice book to read and sent his kit ahead, separately, by courier?

    Some of this is quoted from my blog post
    http://www.abnormaldistribution.org/2015/04/18/cybersecurity-vulnerabilities-in-commercial-aviation/

    ------------------------------

    Date: Wed, 15 Apr 2015 09:12:27 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: First F-35 Jets Lack Ground-Combat Punch of 1970s-Era A-10s

    The first F-35 jets ready for combat won't be able to protect forces in
    ground combat as well as the nearly 40-year-old A-10s the Pentagon wants to
    retire, according to the Defense Department's chief weapons tester.
    <http://www.bloomberg.com/news/articles/2014-10-02/u-s-sending-a-10-plane-to-combat-while-trying-to-kill-it>

    One major problem yet to be solved is the plane's computer information
    system that's designed to alert pilots to logistical problems, he said,
    adding that he has a plan to improve it through a redesign.

    Gilmore said the initial F-35s will fall short because "of the combined
    effects of digital communications deficiencies, lack of infrared pointer
    capability" to distinguish friendly from hostile forces and an inability to
    confirm the Global Positioning Satellite ground coordinates programmed into
    its two air-to-ground bombs.

    To read the entire article, go to http://bloom.bg/1H4fWXY

    Can't detect problems, can't tell friendly forces from foes, can't deploy
    bombs accurately. But let's build and fly it now, redesign it later. What
    could go wrong? It's only $12.7B/year for more than 20 years.

    ------------------------------

    Date: Tue, 07 Apr 2015 11:08:00 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Driver follows GPS off demolished bridge, killing wife, police say

    Title says it all; nothing new here...

    http://www.washingtonpost.com/news/morning-mix/wp/2015/03/31/driver-follows-gps-off-demolished-bridge-killing-wife-police-say/?tid=hybrid_experimentrandom_2_na

    ...but how would self-driving cars handle this? Presumably their GPS data
    was obsolete, but accuracy of data depends on local authorities supplying
    it. Presumably robocars read road signs and notice roadway surface
    ending. Presumably...

    ------------------------------

    Date: Wed, 15 Apr 2015 23:19:37 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Automakers Say You Don't Really Own Your Car

    If you have had problems with vehicle repair or tinkering because you were
    locked out of your vehicle's computers, if you would have engaged in a
    vehicle-related project but didn't because of the legal risk posed by the
    DMCA, or if you or your mechanic had to deal with obstacles in getting
    access to diagnostic information, then we want to hear from you -- the
    Copyright Office should hear from you, too.

    https://www.eff.org/deeplinks/2015/04/automakers-say-you-dont-really-own-your-car

    Cars as black boxes with wheels, subject to manufacturer software updates
    whenever they desire (I've heard advocated). Remember the joke about "If
    Microsoft made cars..."?

    ------------------------------

    Date: Mon, 13 Apr 2015 18:19:54 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Tweeting Fridges and Web Controlled Rice Cookers:
    9 of the Stupidest Smart Home Appliances

    There are a lot of incredible smart home devices out there that are worthy
    of your time and money. Some of the examples that spring immediately to mind
    include the Nest thermostat, which will save you energy and money by
    ensuring you only heat your house when needed. Then there's the Philips Hue
    Lights, which allow you to control the illumination in your home. Some will
    even save your life. The Nest Protect is an incredibly precise WiFi
    connected smoke and carbon monoxide detector.

    They are all useful products that will ultimately become ubiquitous because
    they're so incredibly helpful.

    But then there are the WiFi enabled, smartphone-powered appliances that
    aren't quite as useful. The kinds that should never see the light of
    day. Here are 9 of the worst.

    http://www.makeuseof.com/tag/9-stupidest-smart-home-appliances/

    Biggest risk here might be wasting money -- though surely some of these
    will be hack-vulnerable network entry points.

    ------------------------------

    Date: Tue, 07 Apr 2015 18:20:59 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Smart home hacking is easier than you think" (Colin Neagle)

    Colin Neagle, Network World, 3 Apr 2015
    Scary stories of hacking Internet of Things devices are emerging, but
    how realistic is the threat?

    http://www.infoworld.com/article/2905290/security/smart-home-hacking-is-easier-than-you-think.html

    opening text:

    Last March, a very satisfied user of the Honeywell Wi-Fi Thermostat left a
    product review on Amazon.com that shed some light on an unexpected benefit
    of the smart home -- revenge.

    The reviewer wrote that his wife had left him, and then moved her new lover
    into the home they once shared, which now featured the Honeywell Wi-Fi
    thermostat. The jilted ex-husband could still control the thermostat through
    the mobile app installed on his smartphone, so he used it to make the new
    couple's lives a little less happily ever after:

    ``Since this past Ohio winter has been so cold I've been messing with the
    temp while the new love birds are sleeping. Doesn't everyone want to wake
    up at 7 AM to a 40 degree house? When they are away on their weekend
    getaways, I crank the heat up to 80 degrees and back down to 40 before
    they arrive home. I can only imagine what their electricity bills might
    be. It makes me smile. I know this won't last forever, but I can't help
    but smile every time I log in and see that it still works. I also can't
    wait for warmer weather when I can crank the heat up to 80 degrees while
    the love birds are sleeping. After all, who doesn't want to wake up to an
    80 degree home in the middle of June?''

    In the past year, more than 8,200 of the 8,490 Amazon users who have read
    the review deemed it "useful."

    ------------------------------

    Date: Wed, 15 Apr 2015 18:17:19 -0400
    From: Jeremy Epstein <jeremy.j...@gmail.com>
    Subject: Virginia decertified WinVote voting system

    The Virginia State Board of Elections decertified the AVS WinVote machine,
    after releasing a brief but damning report on the vulnerabilities. Among
    the items they identified are:

    * The machines use an unpatched version of Windows from 2004.
    * The machines use the WEP protocol for WiFi encryption, which has been
    broken for over a decade.
    * The machines use a hardwired WEP encryption key ("abcde").
    * Even if configured to disable the wireless communication, the machines
    allow numerous services, including file services.
    * The administrator password is "admin", which can't be changed through the
    user interface provided to the election administrator.
    * The database is an obsolete version of Microsoft Access, with a hardwired
    password of "shoup" (the family that owned the company).
    * The entire database can be replaced without any verification (i.e.,
    there's no MD5 checksums).

    Oh, why keep piling on.

    More details at
    https://freedom-to-tinker.com/blog/jeremyepstein/decertifying-the-worst-voting-machine-in-the-us/

    Press coverage at
    http://www.theguardian.com/us-news/2015/apr/15/virginia-hacking-voting-machines-security
    http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-your-breath-away/

    And much more.

    In nearly 30 years of working in security, this is the single worst system
    I've seen. Jeremy

    ------------------------------

    Date: Tue, 7 Apr 2015 20:17:50 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Australia government attacks researchers who reveal online election
    flaws

    EFF via NNSquad
    https://www.eff.org/deeplinks/2015/04/new-south-wales-attacks-researchers-who-warned-internet-voting-vulnerabilities

    While moving to Internet voting may sound reasonable to folks who haven't
    paid any attention to the rampant security problems of the Internet these
    days, it's just not feasible now. As Verified Voting notes: "Current
    systems lack auditability; there's no way to independently confirm their
    correct functioning and that the outcomes accurately reflect the will of
    the voters while maintaining voter privacy and the secret ballot."
    Indeed, the researchers' discovery was not the first indication that New
    South Wales was not ready for an Internet voting system. Australia's own
    Joint Standing Committee on Electoral Matters concluded last year,
    "Australia is not in a position to introduce any large-scale system of
    electronic voting in the near future without catastrophically compromising
    our electoral integrity."

    ------------------------------

    Date: Sat, 4 Apr 2015 09:33:01 -0400 (EDT)
    From: danny burstein <dan...@panix.com>
    Subject: Curious election statistical observation

    http://www.kansas.com/news/politics-government/article17139890.html

    ------------------------------

    Date: Fri, 10 Apr 2015 16:41:18 -0700
    From: Prashanth Mundkur <prashant...@gmail.com>
    Subject: Bob Wachter on Technology and Hospitals at Medium

    A 5-part series of articles by Bob Wachter, a UCSF MD and author of "The
    Digital Doctor: Hope, Hype, and Harm at the Dawn of Medicine's Computer
    Age", that would be appreciated by the RISKS audience, collected here:
    https://medium.com/@Bob_Wachter

    with the following titles:

    "How Medical Tech Gave a Patient a Massive Overdose"

    Pablo Garcia went to the hospital feeling fine. Then the hospital made him
    very sick.

    "Beware of the Robot Pharmacist"

    In tech-driven medicine, alerts are so common that doctors and pharmacists
    learn to ignore them -- at the patient's risk.

    "Why Clinicians Let Their Computers Make Mistakes"

    We tend to trust our computers a lot. Perhaps too much, as one hospital
    nurse learned the hard way.

    "Should Hospitals Be More Like Airplanes?"

    Alarm fatigue at Pablo Garcia's hospital sent him into a medical
    crisis. The aviation industry has faced the same problem -- and solved it.

    "How to Make Hospital Tech Much, Much Safer"

    We identified the root causes of Pablo Garcia's 39-fold overdose -- and
    ways to avoid them next time.

    ------------------------------

    Date: Tue, 14 Apr 2015 09:15:07 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Lawyers smell blood in electronic medical records

    Computerworld via NNSquad
    http://www.computerworld.com/article/2909348/lawyers-smell-blood-in-electronic-medical-records.html

    EMRs require physicians to perform their own data entry, stealing precious
    face time with patients. What had been a note jotted into a paper record,
    now involves a dozen or more mouse clicks to navigate a complex EMR
    workflow. Healthcare providers can be prone to taking shortcuts on
    entering the data or not entering it in a timely manner, Klein said. Vital
    sign data is often duplicated as it moves between hospital departments,
    but it remains part of one integral patient record. Data administrators
    may copy and paste patient information from an older record to a newer
    one, supposing that the data would remain the same. And the sheer
    complexity of EMRs pose issues with accuracy, as being able to track who
    has entered what data, and when, over time can become confusing. "This is
    a fire hydrant," Klein said. "Try to take a drink out of it. That's what
    it's like trying to read an EMR."

    ------------------------------

    Date: Wed, 08 Apr 2015 14:30:52 -0400
    From: "Robert L Wears, MD, MS, PhD" <we...@ufl.edu>
    Subject: `Routine maintenance' and the EMR

    The entire outpatient EMR for a large multihospital system in a major US
    city had to be taken off-line after it suffered a "severe unanticipated
    issue" during a maintenance update to improve performance this weekend.

    Yesterday, the decision was taken to roll the system back to its pre-update
    (presumably, last-known-good) state, which was late Friday evening.
    Everything entered after that point until Monday evening has been lost and
    must be re-created and re-entered.

    The hospital system is trying to ascertain which patients and charts may
    have been touched during that time. Staff are being asked to gather all
    their paper records (!) from Friday onwards to see if they are present in
    the read-only version of the system. The live system is still not yet
    operational.

    Robert L Wears, MD, MS, PhD, University of Florida 1-904-244-4405 (ass't)
    Imperial College London r.w...@imperial.ac.uk +44 (0)791 015 2219

    ------------------------------

    Date: Mon, 6 Apr 2015 17:29:47 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: "End-To-End Web Crypto: A Broken Security Model"

    Indolering via NNSquad
    https://www.indolering.com/e2e-web-crypto

    "Researchers have been testing the efficacy of security iconography for
    over a decade, and the results are dismal. The most dramatic "experiment"
    was performed by Moxie Marlinspike in 2009. Marlinspike removed
    encryption from connections using a malicious Tor exit node, which also
    removed the browser encryption icons. Despite drawing his sample from a
    population with above average technical acumen and paranoia, he achieved a
    100% "success" rate; meaning that every user who visited a login page
    logged into their account. Marlinspike collected over 400 logins and 16
    credit card numbers in 24 hours."

    ------------------------------

    Date: Mon, 6 Apr 2015 21:00:42 -0700
    From: Prashanth Mundkur <prashant...@gmail.com>
    Subject: Banks undermine chip and PIN security (Steven Murdoch)

    Steven J. Murdoch, The Conversation, March 30 2015
    http://theconversation.com/banks-undermine-chip-and-pin-security-because-they-see-profits-rise-faster-than-fraud-38952

    Contactless cards are being promoted because it appears they cause
    customers to spend more. Some of this could be accounted for by a shift
    from cash to contactless, but some could also stem from a greater
    temptation to spend more due to the absence of tangible cash in a wallet
    as a means of budgeting.

    Greater convenience leads to increased spending, which means more fees for
    the card issuers and more profit for the merchant -- this is the real
    reason why the PIN check was dropped from contactless cards. The risk of
    fraud is mitigated to some degree by limiting transactions in the UK to
    £20 (rising to £30 in September), but it's been demonstrated
    that even these limits can be bypassed.

    ------------------------------

    Date: Tue, 7 Apr 2015 08:26:29 -0400
    From: "Bob Frankston" <bob19...@bobf.frankston.com>
    Subject: Tewksbury police pay bitcoin ransom to hackers

    *The Boston Globe*
    http://www.bostonglobe.com/business/2015/04/06/tewksbury-police-pay-bitcoinransom-hackers/PkcE1GBTOfU52p31F9FM5L/story.html

    Tewksbury had joined the list of police departments victimized by
    "ransomware," an insidious form of Internet crime that is crippling
    computers worldwide.

    ------------------------------

    Date: Tue, 31 Mar 2015 19:46:36 -0400
    From: "David Farber" <far...@gmail.com>
    Subject: State of the Internet (Akamai)

    http://www.akamai.com/stateoftheinternet/

    ------------------------------

    Date: Wed, 1 Apr 2015 08:50:09 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: "The Internet Ruined April Fool's Day" (The Atlantic)

    *The Atlantic* via NNSquad
    http://www.theatlantic.com/technology/archive/2015/04/how-the-internet-ruined-april-fools-day/389213/

    "What that means is that, this time of year, we become trained to doubt
    the people and institutions--news outlets, businesses, fellow humans--we
    are meant, ideally, to trust. Everything operates in a kind of limbo of
    credibility: Wait, is that a real thing or an April Fool's thing? How can
    we know for sure? What would it mean to know for sure? What is truth
    anyway?"

    I agree. And I'm not sharing or resharing any "joke" items today in any of
    my venues. The more sophisticated and heavily produced these "joke" items
    become, the less amusing I'm finding them. And I can tell you from my own
    inbox, that confusion and doubt sowed on 1 April lasts throughout the
    year. Just *too much* of what was once a reasonably fun thing. Thanks a
    bunch.

    ------------------------------

    Date: Mon, 13 Apr 2015 15:42:14 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Hacked French TV network admits "blunder" that exposed YouTube
    password

    Can you say ``DOH''? I knew you could!

    Dan Goodin, Ars Technica, 12 Apr 2015
    http://arstechnica.com/security/2015/04/hacked-french-tv-network-admits-blunder-that-exposed-youtube-password/

    The head of the French TV network that suspended broadcasting following last
    week's hack attack has confirmed the service exposed its own passwords
    during a TV interview, but said the gaffe came only after the breach. "We
    don't hide the fact that this is a blunder," the channel's director general
    Yves Bigot, told the AFP news service.

    The exposure came during an interview a rival TV service broadcast on the
    TV5Monde attack. During the questioning, a TV5Monde journalist sat in front
    of several scraps of paper hanging on a window. One of them showed the
    password for the network's YouTube account. As Ars reported last week,
    the pass code was "lemotdepassedeyoutube," which translates in English to
    "the password of YouTube."

    Bigot stressed that the passwords were broadcast only after the hack attack,
    which occurred overnight Wednesday when hackers compromised TV5Monde servers
    and social networking accounts. A TV5Monde manager told AFP that the gaffe
    came in the immediate aftermath of the hack attack, when network managers
    were scrambling to quickly hand out new temporary online access codes.

    ------------------------------

    Date: Wed, 01 Apr 2015 15:30:53 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Tech companies are sending your secrets to crowdsourced armies of
    low-paid workers

    A couple of months ago, Laura Harper, a 44-year-old freelance writer and
    editor from Houston, Texas, got upset while reading a Jezebel story about a
    service called "Invisible Boyfriend."

    http://fusion.net/story/111041/crowdsourcing-and-privacy/

    Let us count the risks...

    Gabriel Goldberg, Computers and Publishing, Inc. ga...@gabegold.com
    3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433

    ------------------------------

    Date: Tue, 7 Apr 2015 21:24:23 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: ISIS mass-defacing websites

    The Federal Bureau of Investigation (FBI) is warning that individuals
    sympathetic to the Islamic State of Iraq and al-Shams (ISIS) are
    mass-defacing websites using known vulnerabilities in Wordpress. The FBI
    also issued an alert advising that criminals are hosting fraudulent
    government Web sites in a bid to collect personal and financial information
    from unwitting Web searchers.

    http://krebsonsecurity.com/2015/04/fbi-warns-of-fake-govt-sites-isis-defacements/

    ------------------------------

    Date: Wed, 15 Apr 2015 10:08:38 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "How ICANN enabled legal Website extortion" (Cringely)

    Robert X. Cringely, Notes from the Field InfoWorld, 14 Apr 2015
    The .sucks domain was all fun and games until a greedy but enterprising Web
    registry decided to blackmail major corporations into paying up
    http://www.infoworld.com/article/2909535/cringely/how-icann-enabled-legal-website-extortion.html

    ------------------------------

    Date: Wed, 01 Apr 2015 13:11:05 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "GitHub still recovering from massive DDoS attacks" (Jeremy Kirk)

    Jeremy Kirk, InfoWorld, 30 Mar 2015
    The attacks, which started Thursday, were particularly aimed at two
    GitHub-hosted projects fighting Chinese censorship
    http://www.infoworld.com/article/2903533/security/github-still-recovering-from-massive-ddos-attacks.html

    selected text:

    Software development platform GitHub said Sunday it was still experiencing
    intermittent outages from the largest cyber attack in its history but had
    halted most of the attack traffic.

    Starting on Thursday, GitHub was hit by distributed denial-of-service (DDoS)
    attacks that sent large volumes of Web traffic to the site, particularly
    towards two Chinese anti-censorship projects hosted there.

    Anthr@X wrote that it appeared advertising and tracking code used by many
    Chinese websites appeared to have been modified in order to attack the
    GitHub pages of the two software projects.

    "In other words, even people outside China are being weaponized to target
    things the Chinese government does not like, for example, freedom of
    speech," Anthr@X wrote.

    ------------------------------

    Date: Apr 8, 2015 11:11 AM
    From: "Dewayne Hendricks" <dew...@warpspeed.com>
    Subject: FBI would rather prosecutors drop cases than disclose stingray details
    (Cyrus Farivar)

    New documents released by NYCLU shed light on Erie County's use of spying
    tool.
    Cyrus Farivar, Ars Technica, 7 Apr 2015
    http://arstechnica.com/tech-policy/2015/04/fbi-would-rather-prosecutors-drop-cases-than-disclose-stingray-details/

    Not only is the FBI actively attempting to stop the public from knowing
    about stingrays, it has also forced local law enforcement agencies to stay
    quiet even in court and during public hearings, too. An FBI agreement,
    published for the first time in unredacted form on Tuesday, clearly
    demonstrates the full extent of the agency's attempt to quash public
    disclosure of information about stingrays. The most egregious example of
    this is language showing that the FBI would rather have a criminal case be
    dropped to protect secrecy surrounding the stingray.

    Relatively little is known about how, exactly, stingrays, known more
    generically as cell-site simulators, are used by law enforcement agencies
    nationwide, although new documents have recently been released showing how
    they have been purchased and used in some limited instances. Worse still,
    cops have lied to courts about their use. Not only can stingrays be used to
    determine location by spoofing a cell tower, they can also be used to
    intercept calls and text messages. Typically, police deploy them without
    first obtaining a search warrant.

    Ars previously published a redacted version of this document in February
    2015, which had been acquired by the Minneapolis Star Tribune in December
    2014. The fact that these two near-identical documents exist from the same
    year (2012) provides even more evidence that this language is boilerplate
    and likely exists in other agreements with other law enforcement agencies
    nationwide.

    The new document, which was released Tuesday by the New York Civil Liberties
    Union (NYCLU) in response to its March 2015 victory in a lawsuit filed
    against the Erie County Sheriff's Office (ECSO) in Northwestern New York,
    includes this paragraph:

    In order to ensure that such wireless collection equipment/technology
    continues to be available for use by the law enforcement community, the
    equipment/technology and any information related to its functions, operation
    and use shall be protected from potential compromise by precluding
    disclosure of this information to the public in any manner including but not
    limited to: press releases, in court documents, during judicial hearings, or
    during other public forums or proceedings.

    In the version of the document previously obtained in Minnesota, the rest of
    the sentence after the phrase "limited to" was entirely redacted. Mariko
    Hirose, a NYCLU staff attorney, told Ars that she has never seen an
    agreement like this before.

    "This seems very broad in scope and undermines public safety and the
    workings of the criminal justice system," she said.

    Your tax dollars at work

    The FBI letter also explicitly confirms a practice that some local
    prosecutors have engaged in previously, which is to drop criminal charges
    rather than disclose exactly how a stingray is being used. Last year,
    prosecutors in Baltimore did just that during a robbery trial there,
    Baltimore Police Detective John L. Haley cited a non-disclosure agreement,
    and he declined to describe in detail how he obtained the location of the
    suspect. [...]

    ------------------------------

    Date: Apr 15, 2015 10:07 AM
    From: "Daniel Berninger" <dan.be...@gmail.com>
    Subject: Cyberspace and the American Dream: A Magna Carta for the Knowledge
    Age (via Dave Farber)

    IP'ers might enjoy revisiting Dyson, Gilder, Keyworth, Toffler's 1994
    manifesto - Cyberspace and the American Dream: A Magna Carta for the
    Knowledge Age.

    The longish 7000+ word essay (see link below) anticipates the disruptions of
    the present moment to an amazing extent.

    The Internet remained a government project in 1994 and the Web included all
    of 3000 or so websites.

    The futurist group identifies the regulatory risk to computer networks as
    the primary threat to the benefits of the Knowledge Age.

    The past provided plenty of evidence to doubt the benefits of industrial
    policy in the domain computer networks.

    The FCC's implementations of telephone network industrial policy in the
    Telecom Act of 1996 failed without exception otherwise known as the telecom
    crash.

    The steady stream of public interest benefits generated by the information
    technology sector left computer networks classified as non-regulated
    information services.

    The group did not predict the Commission would vote to impose telephone
    network industrial policy on the Internet after 20 years of successful
    non-regulation (and failed regulation of the telephone network).

    Daniel Berninger, Founder, Voice Communication Exchange Committee
    e: d...@danielberninger.com tel SD: +1.202.250.3838 w: www.vcxc.org

    Cyberspace and the American Dream: A Magna Carta for the Knowledge Age
    Esther Dyson, George Gilder, George Keyworth, and Alvin Toffler
    Future Insight, Release 1.2, August 1994

    Preamble

    The central event of the 20th century is the overthrow of matter. In
    technology, economics, and the politics of nations, wealth -- in the form
    of physical resources -- has been losing value and significance. The powers
    of mind are everywhere ascendant over the brute force of things. [...]

    http://www.pff.org/issues-pubs/futureinsights/fi1.2magnacarta.html

    ------------------------------

    Date: Fri, 10 Apr 2015 11:09:01 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Lost in the clouds: 7 examples of compromised personal information"
    (Steve Ragan)

    Steve Ragan, CSO, Apr 6, 2015
    While having instant access to your information via the cloud is a
    major bonus to productivity and convenience, there's a risk that the
    security trade-off will be too high.
    http://www.csoonline.com/article/2906143/cloud-security/lost-in-the-clouds-easily-compromised-personal-information.html

    opening text:

    Google has indexed thousands of backup drives

    Each day millions of people across the globe create backups of their
    files. These backups are supposed to offer a measure of assurance that their
    files are safe, but that's not entirely true.

    In fact, depending on how you've configured the device, your backups are
    freely available online to anyone who knows what they're looking for.

    ------------------------------

    Date: Sun, 19 Apr 2015 22:13:28 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: French Senate Backs Bid To Force Google To Disclose Search
    Algorithm Workings

    French Senate Backs Bid To Force Google To Disclose Search Algorithm Workings

    TechCrunch via NNSquad
    http://techcrunch.com/2015/04/17/french-senate-backs-bid-to-force-google-to-disclose-search-algorithm-workings

    "Meanwhile in France, the upper house of parliament yesterday voted to
    support an amendment to a draft economy bill that would require search
    engines to display at least three rivals on their homepage. And also to
    reveal the workings of their search ranking algorithms ..."

    Give in to bullies, and they'll never stop demanding more. I've been saying
    this all along, and efforts like this -- whether or not they actually become
    law -- show that even when dealing with countries in the West politicians
    are attempting to take total control of information for their own purposes
    and their own pandering political ends. They cannot be permitted to succeed
    -- the end result could make Orwell's vision of government information
    management and censorship look like a walk in the park by comparison.

    ------------------------------

    Date: Thu, 16 Apr 2015 10:04:52 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "4 no-bull facts about Microsoft's HTTP.sys vulnerability"
    (Serdar Yegulalp)

    The latest Web server vulnerability affects desktop systems as well
    as Microsoft products
    Serdar Yegulalp, InfoWorld, 16 Apr 2015
    http://www.infoworld.com/article/2910262/windows-security/4-no-bull-facts-about-microsofts-http-sys-vulnerability.html

    ------------------------------

    Date: Sat, 18 Apr 2015 13:09:16 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Congress cannot be taken seriously on cybersecurity (Trevor Timm)

    Trevor Timm, *The Guardian*
    http://www.theguardian.com/commentisfree/2015/apr/18/congress-cannot-be-taken-seriously-on-cybersecurity

    ------------------------------

    Date: Mon, 6 Apr 2015 20:41:37 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: How the New York Times is eluding censors in China

    *The New York Times* via NNSquad
    http://qz.com/374299/how-the-new-york-times-is-eluding-chinas-censors/

    "The New York Times' English and Chinese-language websites have been
    blocked since an October 2012 article about the wealthy family of prime
    minister Wen Jiabao. But according to employees in the company, outside
    observers, and mainland Chinese readers, the Times is quietly pursuing a
    new, aggressive strategy to reach readers in China."

    ------------------------------

    Date: Fri, 10 Apr 2015 11:21:56 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Large-scale Google malvertising campaign hits users with exploits"
    (Lucian Constantin)

    [The closing text about responsibility does not bode well for a solution soon.]

    Malvertising has been a growing problem for years
    Lucian Constantin, InfoWorld, 8 Apr 2015
    http://www.infoworld.com/article/2907215/security/largescale-google-malvertising-campaign-hits-users-with-exploits.html

    opening text:

    A large number of ads distributed by a Google advertising partner redirected
    users to Web-based exploits that attempted to install malware on users'
    computers.

    closing text:

    A 2014 investigation into malvertising by the U.S Senate concluded that "the
    online advertising industry has grown in complexity to such an extent that
    each party can conceivably claim it is not responsible when malware is
    delivered to a user's computer through an advertisement."

    That's because a typical online advertisement goes through five or six
    intermediaries before being displayed in a user's browser and it can be
    replaced with a malicious one at any point in that chain. Website owners
    also have no control over what ads will be displayed on their websites, the
    U.S. Senate said.

    ------------------------------

    Date: Wed, 8 Apr 2015 10:10:38 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Insurance co. wants to track you 24/7 for a discount

    CNN via NNSquad
    http://money.cnn.com/2015/04/08/technology/security/insurance-data-tracking/index.html

    "John Hancock is partnering with Vitality, which many people probably know
    as one of those work-related wellness programs. The program is available
    in 30 states. If you sign up for this, John Hancock will send you a free
    Fitbit monitor. That's a tiny, pill-shaped device that some people wear in
    sleek-looking bracelets to track how far they walk/run, the calories
    burned, and the quality of sleep. That means the insurance company would
    know exactly when a customer does a sit-up, how far she runs -- or when
    she's skipped the gym for a few days ... Second, that personal data --
    your heart rate, preferred exercises, what gym you visit and when -- ends
    up on insurance company computers. And these databases are a target for
    hackers, who steal this information and sell it on the black market to
    identity thieves and fraudsters. CNNMoney has just asked John Hancock
    where the data will be kept, and whether it will be sold to other
    companies. The company has not provided an immediate reply."

    Yeah, like WHAT COULD GO WRONG? Slap it on the wrist of the nearest
    healthy 22-year-old?

    ------------------------------

    Date: Tue, 14 Apr 2015 08:14:54 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Fire TV Stick OS 1.5 Update

    Mixed feelings, this gives me:

    /Your Fire TV Stick has received a software update that contains features
    requested by customers like you. The update has been applied automatically
    to your device and you will notice the new features when you next use it./

    There seems to be no option controlling updates. Nor for Roku boxes, nor my
    cable box. But at least that last one isn't on my home network. I've no idea
    about security/authentication for Fire Stick and Roku updates so I wonder
    how hackable they are. Same for promised/threatened automatic automotive
    software updates.

    And, while I requested these updates -- sigh, I see no Unsubscribe link.

    [... Long message from Amazon truncated for RISKS. Check with gabe.]

    ------------------------------

    Date: Thu, 9 Apr 2015 17:59:30 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Internet Naming Body Moves to Crack Down on '.sucks'

    ABC via NNSquad
    http://abcnews.go.com/Technology/wireStory/internet-naming-body-moves-crack-sucks-30211323

    The Internet Corporation for Assigned Names and Numbers, or ICANN, on
    Thursday sent a letter to the U.S. Federal Trade Commission and Canada's
    Office of Consumer Affairs to see if the actions of company Vox Populi
    Registry Ltd. are illegal. ICANN initially approved of the so-called
    top-level domain name, among nearly 600 it has added recently to expand
    beyond common names such as ".com," ''.org" and ".us." But it is
    backtracking after an advisory panel made up of industry groups and
    companies like Microsoft, Verizon and eBay complained last month. Vox
    Populi began accepting registrations using ".sucks" on March 30 from
    trademark holders and celebrities before it's released to public
    applicants. It has recommended charging $2,499 a year for the privilege,
    and according to Vox Populi CEO John Berard, most of the names have been
    sold by resellers for around $2,000 a year. So far, purchased names
    include Youtube.sucks, Bing.sucks, Visa.sucks, Bankofamerica.sucks,
    Yahoo.sucks, Telusmobility.sucks and other major brand names.

    ------------------------------

    Date: Thu, 2 Apr 2015 11:44:58 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Good news and bad news: Android Security State of the Union 2014

    Google via NNSquad
    Android Security State of the Union 2014
    https://static.googleusercontent.com/media/source.android.com/en/us/devices/tech/security/reports/Google_Android_Security_2014_Report_Final.pdf

    "In 2014, the Android platform made numerous significant improvements in
    platform security technology, including enabling deployment of full disk
    encryption, expanding the use of hardware-protected cryptography, and
    improving the Android application sandbox with an SELinux-based Mandatory
    Access Control system (MAC). Developers were also provided with improved
    tools to detect and react to security vulnerabilities, including the
    nogotofail project and the SecurityProvider. We provided device
    manufacturers with ongoing support for fixing security vulnerabilities in
    devices, including development of 79 security patches, and improved the
    ability to respond to potential vulnerabilities in key areas, such as the
    updatable WebView in Android 5.0."

    I just finished reading the entire report. I must simultaneously
    congratulate Google for their work improving app security on newer versions
    of Android -- and I must express my strong disappointment that the report
    seems to effectively ignore the impact of vulnerabilities associated with
    known WebView bugs affecting vast numbers of Android users who cannot update
    their phones to the newer versions, having been abandoned in this respect by
    OEMs, mobile carriers, and/or Google itself. Nor has (as far as I know)
    Google reached out proactively to the extremely large number of affected
    Android users to warn them of these vulnerabilities and inform them about
    potential workarounds that are available in various instances.

    ------------------------------

    Date: Wed, 01 Apr 2015 06:46:02 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: Kali Linux security is a joke! (Jackson, RISKS-28.58)

    This issue has been discussed at length on the crypto email list, and here
    are the conclusions, as I see them:

    * md5 itself is broken; there are better hashes around, so the
    recommendation of md5 on the Kali web page is indeed a joke (although not
    quite the same joke I originally had in mind).

    * https/TLS does not solve all SW distribution problems, but using it in
    conjunction with various signature mechanisms does make an attacker have to
    work harder and actively; http makes passive observation way too easy. Once
    an attacker knows exactly what SW you have, you are much easier to attack.

    * http makes a MITM/DOS attack trivial; you may never get a bad piece of SW,
    but you may also never get any SW update at all.

    Regarding "what would Henry Baker do" when designing a SW update mechanism:
    I'm not completely sure. The threat model for SW distribution today
    includes nation-states with "acres of Crays", with no regulatory, budget or
    location constraints, and with the entire Internet as a "free fire zone";
    this threat model may not have been anticipated by many of the SW
    distribution systems in existence today.

    SW distribution has been successfully attacked before (Stuxnet), and will
    continue to be attacked, because it is a Willie Sutton target -- "that's
    where the money is".

    http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/

    "You must reboot your computer now to finish installing the latest security
    updates. NSA/GCHQ/... thanks you for your support in their war of^Hn
    terror."
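
    As an added illustration of the points above (example code, not Kali's or anyone's distribution tooling): a small Python verifier that refuses MD5 and SHA-1 checksums, checks a SHA-256 digest, and rejects a manifest past its expiry so that a silently blocked update ("you may never get any SW update at all") is noticed rather than waited on forever. The manifest layout, the expires: header and the sample image bytes are assumptions of the example. The manifest itself still has to arrive over an authenticated channel (TLS or a detached signature), which this code does not provide; it only decides what to do once the manifest is in hand.

```python
"""Added example: verify a downloaded image against a checksum manifest with a
hash allow-list and a manifest expiry. Not Kali's tooling; the artifact bytes,
manifest layout and timestamps below are constructed for the example."""
import hashlib
import hmac
import time

# Algorithms refused as an integrity check: collisions are practical for both.
WEAK_ALGOS = {"md5", "sha1"}


# Assumed manifest layout (an assumption of this example, not a real format):
#   expires: <unix time>
#   <algo>  <hexdigest>  <filename>
def parse_manifest(text):
    """Return (expires, {filename: (algo, hexdigest)})."""
    expires, entries = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("expires:"):
            expires = int(line.split(":", 1)[1])
            continue
        algo, digest, name = line.split()
        entries[name] = (algo.lower(), digest.lower())
    return expires, entries


def verify_artifact(name, data, manifest_text, now=None):
    """Raise ValueError on any defect; return True only when every check passes.
    The manifest is only as trustworthy as the channel it arrived over: fetch it
    over TLS or check its signature before calling this, otherwise whoever swaps
    the image can swap the digests with it."""
    now = time.time() if now is None else now
    expires, entries = parse_manifest(manifest_text)
    # Stale-manifest check: over plain http an attacker can freeze a client on
    # an old manifest indefinitely, so the client enforces an expiry.
    if expires is None or now > expires:
        raise ValueError("manifest has no expiry or has expired")
    if name not in entries:
        raise ValueError(f"{name} is not listed in the manifest")
    algo, expected = entries[name]
    if algo in WEAK_ALGOS:
        raise ValueError(f"refusing weak hash algorithm {algo}")
    if algo not in hashlib.algorithms_available:
        raise ValueError(f"unknown hash algorithm {algo}")
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time compare: not essential for a public digest, but a harmless habit.
    if not hmac.compare_digest(actual, expected):
        raise ValueError("digest mismatch: image corrupted or replaced")
    return True


def check_download(name, data, manifest_text, now=None):
    """Convenience wrapper returning 'ok' or 'rejected: <reason>'."""
    try:
        verify_artifact(name, data, manifest_text, now)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed sample data.
ARTIFACT = b"constructed bytes standing in for kali-linux.iso\n"
GOOD_MANIFEST = (
    "expires: 1500000000\n"
    f"sha256  {hashlib.sha256(ARTIFACT).hexdigest()}  kali-linux.iso\n"
)
# Same image advertised with an MD5 line (digest value is a constructed placeholder).
MD5_MANIFEST = "expires: 1500000000\nmd5  " + "0" * 32 + "  kali-linux.iso\n"

if __name__ == "__main__":
    now = 1430000000  # constructed "today", before the manifest expiry
    print(check_download("kali-linux.iso", ARTIFACT, GOOD_MANIFEST, now=now))
    print(check_download("kali-linux.iso", ARTIFACT, MD5_MANIFEST, now=now))
    print(check_download("kali-linux.iso", ARTIFACT + b"x", GOOD_MANIFEST, now=now))
    print(check_download("kali-linux.iso", ARTIFACT, GOOD_MANIFEST, now=1600000000))
```

    Run as a script it reports one "ok" and three rejections (weak algorithm, tampered image, expired manifest). The expiry is the part most download-and-check scripts forget: without it, a client that is fed yesterday's manifest forever never learns that updates have stopped.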

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
    if possible and convenient for you. The mailman Web interface can
    be used directly to subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks
    Alternatively, to subscribe or unsubscribe via e-mail to mailman
    your FROM: address, send a message to
    risks-...@csl.sri.com
    containing only the one-word text subscribe or unsubscribe. You may
    also specify a different receiving address: subscribe address= ... .
    You may short-circuit that process by sending directly to either
    risks-s...@csl.sri.com or risks-un...@csl.sri.com
    depending on which action is to be taken.

    Subscription and unsubscription requests require that you reply to a
    confirmation message sent to the subscribing mail address. Instructions
    are included in the confirmation message. Each issue of RISKS that you
    receive contains information on how to post, unsubscribe, etc.

    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines.

    => .UK users may contact <Lindsay....@newcastle.ac.uk>.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you NEVER send mail!
    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
    *** NOTE: Including the string `notsp' at the beginning or end of the subject
    *** line will be very helpful in separating real contributions from spam.
    *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
    http://www.risks.org takes you to Lindsay Marshall's searchable archive at
    newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 28.59
    ************************
     
  3. LakeGator

    Risks Digest 28.60

    RISKS List Owner

    Apr 27, 2015 6:43 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 27 Apr 2015 Volume 28 : Issue 60

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.60.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Obama's unclassified e-mail hacked by Russians (NYTimes via PGN)
    Computer Attacks Spur Congress to Act on Cybersecurity Bill Years
    in the Making (NYTimes via Monty Solomon)
    How computerized trading in the hands of a nobody in Britain
    allegedly crashed the stock market (WashPost via Gene Spafford)
    Next-Gen Navigation - CEA (Gabe Goldberg)
    Civilization near collapse; all Starbucks stores close due to
    point-of-sale failure (Jeremy Epstein)
    Wi-Fi software security bug could leave Android, Windows, Linux open to
    attack (Ars Technica via Lauren Weinstein)
    "HTTPS snooping flaw affected 1,000 iOS apps with millions of users"
    (Lucian Constantin via Gene Wirchenko)
    "Apple's OS X 'Rootpipe' patch flops, fails to fix flaw" (Gregg Keizer
    via Gene Wirchenko)
    Shamir Reveals Sisyphus Algorithm (John Young)
    'Flash Crash' 101: How could one guy do that? (CNBC via Monty Solomon)
    All times are in UTC, any included timezone is ignored (Dan Jacobson)
    Court: Iowa casino doesn't have to pay $41M jackpot error (StLToday)
    Security scholarship awardees announced (Jeremy Epstein)
    Re: "Bob Wachter on Technology and Hospitals at Medium" (Gene Wirchenko)
    Re: Kali Linux security is a joke! (Henry Baker)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 27 Apr 2015 10:34:55 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Obama's unclassified e-mail hacked by Russians

    Here's another item on the general theme of the pervasiveness of security
    vulnerabilities.

    http://www.nytimes.com/2015/04/26/us/russian-hackers-read-obamas-unclassified-emails-officials-say.html

    ------------------------------

    Date: Wed, 22 Apr 2015 11:48:02 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Computer Attacks Spur Congress to Act on Cybersecurity Bill
    Years in the Making

    http://www.nytimes.com/2015/04/23/us/politics/computer-attacks-spur-congress-to-act-on-cybersecurity-bill-years-in-making.html

    The House is expected to pass a bill pushing companies to share data with
    federal investigators in the wake of breaches at Sony, Target and the health
    insurer Anthem.

    [So, these companies -- and the Congress -- might eventually realize that
    every computer system connected to the Internet is inherently vulnerable,
    as well as all the systems not even connected? And that ubiquitous
    abilities for surveillance can only make it worse? PGN]

    ------------------------------

    Date: Wed, 22 Apr 2015 08:57:31 -0700
    From: Gene Spafford <sp...@cerias.purdue.edu>
    Subject: How computerized trading in the hands of a nobody in Britain
    allegedly crashed the stock market

    *The Washington Post*, 22 Apr 2015
    http://www.washingtonpost.com/news/morning-mix/wp/2015/04/22/how-computerized-trading-in-the-hands-of-a-nobody-in-britain-allegedly-crashed-the-stock-market/

    ------------------------------

    Date: Sat, 25 Apr 2015 22:11:07 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Next-Gen Navigation - CEA

    It's a common refrain among car buyers: ``Why do I need a built-in
    navigation system when I can use the maps app on my smartphone?'' Now
    automakers are answering, turning factory-installed navigation systems and
    the maps that support them into crucial components of new advanced driver
    assistance systems (ADAS) and safety systems. No longer just a convenience
    item, in-dash navigation systems are evolving both technologically and
    strategically and someday will help drive not just autonomous vehicles, but
    new business models, as well. ...

    (15-years-out concept car):

    Pedestrians can't see inside the vehicle to give passengers privacy.
    Passengers in the F 015 can see only partly out the side windows, so giant
    4K resolution displays in the door panels and a car width 5K display in the
    dashboard show representations of the vehicle's surroundings as they're
    detected by the vehicle's various sensors and cameras. A `Guided Path' menu
    item accesses the navigation system's point-of-interest (POI) database to
    show places the car will pass along its route -- in a timeline fashion, with
    photorealistic imagery -- giving passengers the opportunity to program a
    stop. Certain POIs also are linked to 360-degree photos, letting passengers
    get acquainted with destinations before they arrive. There are no buttons in
    the cars. For controls and menu selections, all the side displays are
    touch-sensitive and have proximity sensors.

    http://www.ce.org/i3/Features/2015/March-April/Next-Gen-Navigation

    What could...

    Gabriel Goldberg, Computers and Publishing, Inc. ga...@gabegold.com
    3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433

    ------------------------------

    Date: Sat, 25 Apr 2015 20:28:56 -0400
    From: Jeremy Epstein <jeremy.j...@gmail.com>
    Subject: Civilization near collapse; all Starbucks stores close due to
    point of sale failure

    Starbucks says an outage that affected all of their point of sale terminals
    was "caused by an internal failure during a daily system refresh and was not
    the result of an external breach". I find that a strange explanation, since
    the failure hit mid-day in the US, and I would think that a "daily system
    refresh" would be during the overnight hours.

    (During the outage, some locations gave away free drinks, some went
    cash-only, and others closed. No riots reported by caffeine addicts.)

    I don't know anything about running global IT infrastructures, so perhaps
    I'm naive, but I would think that rollouts would be done in a rolling
    fashion to avoid shutting down the entire company. I'm sure there are many
    cases like this, but I remember one that affected me, when the local cable
    TV provider (Cox) did a push update of every cable modem in the county, and
    in the process bricked 10s of thousands of units before they realized
    the problem. It surprised me then that there weren't fail-safe mechanisms
    in place - i.e., making sure that units "phoned home" after an upgrade, and
    automatically stopping the rollout if any more than epsilon fail the phone
    home.

    https://news.starbucks.com/news/starbucks-point-of-sale-register-outage-resolved
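
    The fail-safe described in the last paragraph, as an added example (not Cox's, Starbucks's or any vendor's actual code): a staged rollout that pushes to a small canary batch first, counts every unit that fails to phone home as a failure (a bricked unit cannot report, so silence must count against the rollout), and halts as soon as a batch's failure rate exceeds epsilon. The fleet, the regions and the latent defect that bricks one region are constructed; a "big bang" push is included beside it for comparison.

```python
"""Added example: a staged rollout with a phone-home fail-safe, the mechanism the
post above wishes had existed. Not Cox's or Starbucks's tooling; the fleet, the
'upgrade' and the defect that bricks some units are all constructed."""


class Device:
    """A constructed fleet unit (a cable modem, a POS register)."""

    def __init__(self, ident, region, firmware_ok):
        self.ident = ident
        self.region = region
        self.firmware_ok = firmware_ok   # False: this unit bricks when upgraded
        self.version = 1
        self.phoned_home = False


def push_upgrade(device):
    """Simulated push. Returns True only if the unit comes back and phones home;
    a bricked unit never reports, so 'no report' must count as a failure."""
    if not device.firmware_ok:
        return False
    device.version = 2
    device.phoned_home = True
    return True


def big_bang(fleet):
    """Everyone at once, no feedback loop. Returns the number of bricked units."""
    return sum(0 if push_upgrade(d) else 1 for d in fleet)


def staged_rollout(fleet, batch_sizes, epsilon):
    """Upgrade in growing batches (canary first) and stop as soon as the fraction
    of units in a batch that fail to phone home exceeds epsilon.
    Returns (status, upgraded_count, failed_count)."""
    upgraded = failed = pos = 0
    for size in batch_sizes:
        batch = fleet[pos:pos + size]
        if not batch:
            break
        pos += len(batch)
        reported = sum(1 for d in batch if push_upgrade(d))
        batch_failed = len(batch) - reported
        upgraded += reported
        failed += batch_failed
        if batch_failed / len(batch) > epsilon:
            return ("halted", upgraded, failed)
    status = "complete" if pos >= len(fleet) else "incomplete"
    return (status, upgraded, failed)


def make_fleet(n, bad_region=None):
    """Constructed fleet: every fifth unit sits in region 'east'; if bad_region is
    given, the new firmware bricks every unit in that region (a latent defect)."""
    fleet = []
    for i in range(n):
        region = "east" if i % 5 == 0 else "west"
        fleet.append(Device(i, region, firmware_ok=(region != bad_region)))
    return fleet


CANARY_BATCHES = [10, 100, 1000, 8890]   # sums to the 10,000-unit fleet below

if __name__ == "__main__":
    print("big bang bricked:", big_bang(make_fleet(10000, "east")))
    print("staged:", staged_rollout(make_fleet(10000, "east"), CANARY_BATCHES, epsilon=0.01))
    print("healthy fleet:", staged_rollout(make_fleet(10000), CANARY_BATCHES, epsilon=0.01))
```

    With the constructed defect, the big-bang push bricks 2,000 units; the staged rollout touches ten, sees two of them go silent, and halts. The canary batch only catches a defect that is present in the canaries, so the batch should be drawn across regions, hardware revisions and firmware baselines rather than from one convenient depot.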

    ------------------------------

    Date: Wed, 22 Apr 2015 14:34:58 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Wi-Fi software security bug could leave Android, Windows, Linux
    open to attack

    Ars Technica via NNSquad
    http://arstechnica.com/security/2015/04/wi-fi-software-security-bug-could-leave-android-windows-linux-open-to-attack/

    "The end result is that an attacker could corrupt information in memory,
    causing wpa_supplicant and Wi-Fi service to crash; a crafted SSID could
    essentially be used as a denial-of-service attack on affected devices
    simply by sending out responses to Wi-Fi probe requests or P2P network
    Public Action messages. But it could also expose memory contents during
    the three-way handshake of a peer-to-peer network negotiation (the GO
    negotiation) or potentially allow for the attacker to execute code on the
    target. A patch for the bug has been posted, and, based on Google's
    involvement, it will likely be part of an Android security update
    shortly. However, the distribution of that fix will depend on Android
    handset manufacturers and carriers to reach end users."

    And we can assume that owners of many older Android devices won't be
    getting a fix from carriers or Google.

    ------------------------------

    Date: Thu, 23 Apr 2015 10:01:31 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "HTTPS snooping flaw affected 1,000 iOS apps with millions of users"
    (Lucian Constantin)

    Lucian Constantin, InfoWorld, 21 Apr 2015
    Flaw in the third-party library AFNetworking broke HTTPS certificate
    validation, enabling man-in-the-middle attacks
    http://www.infoworld.com/article/2912440/security/https-snooping-flaw-affected-1000-ios-apps-with-millions-of-users.html

    Apps used by millions of iPhone and iPad owners became vulnerable to
    snooping when a flaw was introduced into third-party code they used to
    establish HTTPS connections. [...]

    ------------------------------

    Date: Thu, 23 Apr 2015 10:10:41 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Apple's OS X 'Rootpipe' patch flops, fails to fix flaw"
    (Gregg Keizer)

    Gregg Keizer, Computerworld, 21 Apr 2015
    Researcher finds 'trivial way' to exploit privilege escalation
    vulnerability after Apple tries to plug Yosemite hole
    http://www.infoworld.com/article/2912620/operating-systems/apples-os-x-rootpipe-patch-flops-fails-to-fix-flaw.html

    ------------------------------

    Date: April 22, 2015 at 12:24:20 PM EDT
    From: John Young <j...@pipeline.com>
    Subject: Shamir Reveals Sisyphus Algorithm

    [An item on many cryptography lists, via Dave Farber,
    on Adi Shamir at the RSA Conference last week.]

    Fully secure systems don't exist now and won't exist in the future.

    Cryptography won't be broken, it will be bypassed.

    Futility of trying to eliminate every single vulnerability in a given piece
    of software.

    https://threatpost.com/fully-secure-systems-dont-exist/112380#sthash.sKPz03sv.dpuf

    ------------------------------

    Date: Sat, 25 Apr 2015 11:08:06 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: 'Flash Crash' 101: How could one guy do that?

    Trader Charged in 'Flash Crash' Case to Fight Extradition to U.S.
    The trader, Navinder Singh Sarao, is facing criminal fraud charges,
    including claims that he helped set off a stock market crash in the United
    States.
    http://www.nytimes.com/2015/04/23/business/dealbook/trader-charged-in-flash-crash-case-to-fight-extradition-to-us.html


    How did that UK trader allegedly cause the "flash crash?"
    Ex-trader Raj Malhotra breaks it down.
    http://www.cnbc.com/id/102610451

    ------------------------------

    Date: Sat, 25 Apr 2015 12:38:12 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: All times are in UTC, any included timezone is ignored

    In http://www.mediawiki.org/w/api.php?action=help&modules=main#main.datatypes
    we read "All times are in UTC, any included timezone is ignored."

    I say non-UTC timezones should instead raise errors!

    Why?

    Because one day, when you finally do implement parsing timezones, the system
    will be upwardly compatible.

    Each day you let users enter timezones that are ignored, one day when you
    finally do parse them correctly, you'll have all the more users scratching
    their heads as to why are results suddenly different.

    (Sure you can blame the users for not reading the instructions. But it is
    more likely they have already added a skew to correct for what turns out to
    be an ignored time zone.)

    OK I filed https://phabricator.wikimedia.org/T97214
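
    The two behaviours Jacobson contrasts, as an added example for this posting
    (the editor's code, not MediaWiki's; the function names and the sample
    timestamp are the editor's own): a lenient parser that drops the offset the
    way the help page describes, and a strict one that refuses a non-UTC offset
    instead of silently ignoring it.

```python
"""Lenient vs. strict timestamp handling for an API that documents
"all times are in UTC".  Added example; not MediaWiki code.  Function
names and sample inputs are the editor's assumptions."""
from datetime import datetime, timedelta, timezone


def _parse_iso(ts: str) -> datetime:
    # fromisoformat accepts "+08:00" style offsets; a trailing "Z" is only
    # accepted from Python 3.11 on, so normalise it first.
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts)


def parse_lenient(ts: str) -> datetime:
    """What the help page describes: any offset is ignored and the
    wall-clock digits are taken as UTC."""
    dt = _parse_iso(ts)
    return dt.replace(tzinfo=timezone.utc)


def parse_strict(ts: str) -> datetime:
    """What Jacobson asks for: a naive timestamp is taken as UTC (that is
    the documented contract), an explicit zero offset is accepted, and any
    other offset raises instead of being dropped."""
    dt = _parse_iso(ts)
    if dt.tzinfo is None:
        return dt.replace(tzinfo=timezone.utc)
    if dt.utcoffset() != timedelta(0):
        raise ValueError(
            f"non-UTC offset {dt.utcoffset()} in {ts!r}: this API takes UTC only")
    return dt.astimezone(timezone.utc)


def skew_seconds(ts: str) -> float:
    """How far the lenient reading lands from the instant the caller meant.
    Zero for naive input; the size of the ignored offset otherwise."""
    meant = _parse_iso(ts)
    if meant.tzinfo is None:
        return 0.0
    return (parse_lenient(ts) - meant).total_seconds()


if __name__ == "__main__":
    sample = "2015-04-25T12:38:12+08:00"   # constructed input
    print("lenient:", parse_lenient(sample).isoformat())
    print("skew   :", skew_seconds(sample), "seconds")
    try:
        parse_strict(sample)
    except ValueError as e:
        print("strict :", e)
```

    The lenient reading of 2015-04-25T12:38:12+08:00 comes out eight hours
    later than the caller meant, which is exactly the skew a user would start
    correcting for by hand, and exactly what would break the day the offset is
    finally honoured.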

    ------------------------------

    Date: Fri, 24 Apr 2015 21:14:09 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Court: Iowa casino doesn't have to pay $41M jackpot error

    http://m.stltoday.com/news/state-and-regional/illinois/court-iowa-casino-doesn-t-have-to-pay-m-jackpot/article_e0299503-e7e7-5003-a918-df7ae3b78bc4.html?mobile_touch=true

    ------------------------------

    Date: Thu, 23 Apr 2015 15:27:17 -0400
    From: Jeremy Epstein <jeremy.j...@gmail.com>
    Subject: Security scholarship awardees announced

    We talk on this list about the many risks to security and privacy of
    technology. And it's almost always a pretty bleak picture.

    But today, I'd like to mention a sunnier side - getting more women involved
    in the field.

    Four years ago, ACSA founded the Scholarships for Women Studying Information
    Security program (www.swsis.org). A year ago, HP made a generous
    contribution to allow us to grow the program. (Contributions from others
    are welcome - please contact me!)

    I'm proud to announce the 16 SWSIS Scholars for 2015-16, each of whom has
    received a scholarship to further their undergraduate or masters' degree.
    The HP press release can be found at
    http://money.cnn.com/news/newsfeeds/articles/marketwire/1188849.htm

    Photos and bios of most of the awardees can be found at
    https://swsis.wordpress.com/2015-16-awardees/

    The 2015-16 SWSIS Scholars are:

    Evelyn Brown, Embry Riddle Aeronautical University, Prescott
    Priya Chawla, University of Cincinnati
    Shelby Cunningham, Carnegie Mellon University
    Alejandra Diaz, University of Maryland Baltimore County
    Fumi Honda, Stony Brook University
    Ashley Huffman, Northern Kentucky University
    Cindy Jong, DePaul University
    Madison Oliver, Pennsylvania State University
    Mary Sharp, Marshall University
    Imani Sherman, Kentucky State University
    Angela Sun, Michigan State University
    Kebra Thompson, University of Washington, Tacoma
    Stefanye Walkes, California State University, Dominguez Hills
    Gena Welk, University of Colorado at Boulder
    Leah Xu, University of Maryland at College Park
    Brooke Young, University of Maryland Baltimore County

    Thanks in particular to Rebecca Wright from Rutgers University and CRA-W,
    and her team, who sifted through the applications to select the winners.

    Jeremy Epstein, Founder, Scholarship for Women Studying Information Security
    Applied Computer Security Associates, Inc.

    ------------------------------

    Date: Thu, 23 Apr 2015 23:18:06 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Bob Wachter on Technology and Hospitals at Medium" (Re: Mundkur,
    RISKS-28.59)

    > A 5-part series of articles by Bob Wachter, a UCSF MD and author of "The
    > Digital Doctor: Hope, Hype, and Harm at the Dawn of Medicine's Computer
    > Age", that would be appreciated by the RISKS audience, collected here:
    > https://medium.com/@Bob_Wachter

    I think that Mundkur grossly understated the value of this article series.

    I have been reading RISKS for many years, and no other information that I
    have read in connection with risks has hit anywhere nearly as hard as this
    article series did.

    The series is very clear and full of detail so it is easy to see how the
    horrific chain of events that is the main story came to happen.

    If you have not already read this series, please do so.

    [Gene's `grossly understated' seems *grossly overstated*, considering
    Prashanth did a wonderful thing by mentioning that this series of articles
    would be appreciated by RISKS readers. As a result, I for one really
    appreciate Bob's efforts, and echo Gene's comments on the significance of
    Bob Wachter's work. Incidentally, a `Wachter' is a watcher (auf deutsch),
    and that translation of Bob's name would indeed be a gross understatement
    of Bob's role in this five-part series. It really deserves careful
    scrutiny. PGN]

    ------------------------------

    Date: Wed, 01 Apr 2015 06:11:13 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: Kali Linux security is a joke! (Jackson, RISKS-28.59)

    This issue has been discussed at length on the crypto email list, and here
    are the conclusions, as I see them:

    * md5 itself is broken; there are better hashes around, so the
    recommendation of md5 on the Kali web page is indeed a joke (although not
    quite the same joke I originally had in mind).

    * https/TLS does not solve all SW distribution problems, but using it in
    conjunction with various signature mechanisms does make an attacker have to
    work harder and actively; http makes passive observation way too easy. Once
    an attacker knows exactly what SW you have, you are much easier to attack.

    * http makes a MITM/DOS attack trivial; you may never get a bad piece of SW,
    but you may also never get any SW update at all.

    Regarding "what would Henry Baker do" when designing a SW update mechanism:
    I'm not completely sure. The threat model for SW distribution today
    includes nation-states with "acres of Crays", with no regulatory, budget or
    location constraints, and with the entire Internet as a "free fire zone";
    this threat model may not have been anticipated by many of the SW
    distribution systems in existence today.

    SW distribution has been successfully attacked before (Stuxnet), and will
    continue to be attacked, because it is a Willie Sutton target -- "that's
    where the money is".

    http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/

    "You must reboot your computer now to finish installing the latest security
    updates. NSA/GCHQ/... thanks you for your support in their war of^Hn
    terror."
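
    Client-side checks that follow from Baker's three conclusions, as an added
    example (the editor's code, not Kali's or any distribution's).  The metadata
    layout, field names and sample values are assumptions.  Verifying a
    signature over the metadata with a key pinned in the client is assumed to
    have happened before these checks run and is not shown, since the standard
    library has no public-key signature primitive; what is shown is the part
    that an http channel leaves exposed even when a signature exists: rollback
    to an older signed release, a frozen snapshot that never updates, and a
    digest algorithm that proves nothing.

```python
"""Update-channel sanity checks: rollback, freeze, weak digest, plaintext
transport.  Added example; metadata fields and sample values are the
editor's assumptions, not any real distribution's format."""
import hashlib
import hmac
from datetime import datetime, timezone

# Digest algorithms accepted for release integrity.  md5 is absent on
# purpose: collisions are practical, so an md5 on a download page proves
# nothing against an attacker who gets to choose the bytes.
ACCEPTED_DIGESTS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


class UpdateRejected(Exception):
    pass


def check_metadata(meta: dict, now: datetime, last_version: int) -> None:
    """Reject what a man-in-the-middle on an http channel can serve even
    without forging a signature: an older but validly signed snapshot
    (rollback), a snapshot replayed past its lifetime (freeze), metadata
    naming a broken digest, or an artifact URL that invites more MITM."""
    if meta["version"] < last_version:
        raise UpdateRejected(
            f"rollback: version {meta['version']} < last seen {last_version}")
    expires = datetime.fromisoformat(meta["expires"])
    if expires <= now:
        raise UpdateRejected(f"stale metadata: expired {meta['expires']}")
    if meta["digest_alg"] not in ACCEPTED_DIGESTS:
        raise UpdateRejected(
            f"unacceptable digest algorithm {meta['digest_alg']}")
    if not meta["url"].startswith("https://"):
        raise UpdateRejected("artifact must be fetched over https")


def verify_artifact(data: bytes, meta: dict) -> bool:
    """True only if the bytes match the pinned digest.  compare_digest keeps
    the comparison constant-time; not essential here, but a good habit."""
    actual = ACCEPTED_DIGESTS[meta["digest_alg"]](data).hexdigest()
    return hmac.compare_digest(actual, meta["digest"])


def evaluate(meta: dict, data: bytes, now: datetime, last_version: int) -> str:
    """One string verdict so the decision can be logged and tested."""
    try:
        check_metadata(meta, now, last_version)
    except UpdateRejected as e:
        return f"rejected: {e}"
    return "ok" if verify_artifact(data, meta) else "rejected: digest mismatch"


# Constructed sample: the "release" is a short byte string.
SAMPLE_ARTIFACT = b"example-image-contents\n"
SAMPLE_META = {
    "version": 7,
    "expires": "2015-05-01T00:00:00+00:00",
    "url": "https://mirror.example.invalid/image.iso",
    "digest_alg": "sha256",
    "digest": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest(),
}
NOW = datetime(2015, 4, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(evaluate(SAMPLE_META, SAMPLE_ARTIFACT, NOW, last_version=6))
    print(evaluate(dict(SAMPLE_META, digest_alg="md5"), SAMPLE_ARTIFACT, NOW, 6))
    print(evaluate(dict(SAMPLE_META, version=5), SAMPLE_ARTIFACT, NOW, 6))
```

    The expiry check is the answer to the "you may never get any SW update at
    all" bullet: a client that notices its metadata has gone stale can alarm,
    rather than quietly running last year's release.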

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
    if possible and convenient for you. The mailman Web interface can
    be used directly to subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks
    Alternatively, to subscribe or unsubscribe via e-mail to mailman
    your FROM: address, send a message to
    risks-...@csl.sri.com
    containing only the one-word text subscribe or unsubscribe. You may
    also specify a different receiving address: subscribe address= ... .
    You may short-circuit that process by sending directly to either
    risks-s...@csl.sri.com or risks-un...@csl.sri.com
    depending on which action is to be taken.

    Subscription and unsubscription requests require that you reply to a
    confirmation message sent to the subscribing mail address. Instructions
    are included in the confirmation message. Each issue of RISKS that you
    receive contains information on how to post, unsubscribe, etc.

    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines.

    => .UK users may contact <Lindsay....@newcastle.ac.uk>.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you NEVER send mail!
    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
    *** NOTE: Including the string `notsp' at the beginning or end of the subject
    *** line will be very helpful in separating real contributions from spam.
    *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
    http://www.risks.org takes you to Lindsay Marshall's searchable archive at
    newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 28.60
    ************************
     
  4. LakeGator

    Risks Digest 28.61

    RISKS List Owner

    May 1, 2015 5:34 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 1 May 2015 Volume 28 : Issue 61

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.61.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    An iPad glitch grounded several dozen American Airlines planes (Adam Pasick
    via Jim Reisert)
    At least one American Airlines plane is grounded because the pilots' iPads
    crashed (Ben Moore)
    FAA Orders Fix for Possible Power Loss in Boeing 787 (Jad Mouawad via
    Jan Wolitzky)
    Re: Software Overflow Could Cause Complete Power Loss in 787 (Richard Karash)
    Congressman with computer science degree: Encryption back doors are
    ``technologically stupid'' (Andrea Peterson via Lauren Weinstein)
    Cybersecurity mandated by those who don't use it (*The Guardian via
    Devon McCormick)
    Public wifi & man-in-the-middle (Henry Baker)
    Preparing for Warfare in Cyberspace (*The New York Times* via Monty Solomon)
    All cars must have tracking devices to cut road deaths, says EU
    (Chris Drewe)
    Doctors don't like EHRs? (DKross)
    Now you can embed classic MS-DOS games in tweets (Ian Paul via Jim Reisert)
    Re: Iowa casino doesn't have to pay $41M jackpot error (Craig Burton)
    Re: Starbucks Outage (Clay Jackson)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 29 Apr 2015 07:42:38 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: An iPad glitch grounded several dozen American Airlines planes
    (Adam Pasick)

    American Airlines flights experienced significant delays this evening after
    pilots' iPads--which the airline uses to distribute flight plans and other
    information to the crew--abruptly crashed. "Several dozen" flights were
    affected by the outage, according to a spokesperson for the airline.

    "The pilot told us when they were getting ready to take off, the iPad
    screens went blank, both for the captain and copilot, so they didn't have
    the flight plan," Toni Jacaruso, a passenger on American flight #1654 from
    Dallas to Austin, told Quartz.

    "The pilot came on and said that his first mate's iPad powered down
    unexpectedly, and his had too, and that the entire 737 fleet on American had
    experienced the same behavior," said passenger Philip McRell, who was also
    on flight #1654. "It seemed unprecedented and very unfamiliar to the
    pilots."

    Other passengers in New York and Chicago also said they were being
    affected by the outage.

    http://qz.com/393909/american-airlines-planes-are-grounded-because-their-pilots-ipads-have-crashed/

    ------------------------------

    Date: Tue, 28 Apr 2015 22:03:36 -0500
    From: Ben Moore <ben....@juno.com>
    Subject: At least one American Airlines plane is grounded because the
    pilots' iPads crashed

    Where's the backup system?

    ------------------------------

    Date: Thu, 30 Apr 2015 21:08:16 -0400
    From: Jan Wolitzky <jan.wo...@gmail.com>
    Subject: FAA Orders Fix for Possible Power Loss in Boeing 787 (Jad Mouawad)

    Jad Mouawad, *The New York Times*, 30 Apr 2015

    Federal regulators will order operators of Boeing 787 Dreamliners to shut
    down the plane's electrical power periodically after Boeing discovered a
    software error that could result in a total loss of power.

    The Federal Aviation Administration said on Thursday that Boeing found
    during laboratory testing that the plane's power control units could shut
    down power generators if they were powered without interruption for 248
    days, or about eight months. The findings were published in an airworthiness
    directive.

    Boeing said the problem had occurred only in lab simulation and no airplane
    had experienced it. Boeing said that powering the airplane down would
    eliminate the risk that all power generators would shut down at the same
    time.

    The company said it was working on a software update that should be ready by
    the fourth quarter this year.

    The plane maker said that power was shut down in all airplanes in service in
    the course of the regular maintenance schedule, and that it would be rare
    for a plane to remain with power on without interruption for eight months.
    [... Truncated for RISKS. PGN]

    ------------------------------

    Date: Fri, 1 May 2015 09:41:01 -0400
    From: Richard Karash <ric...@karash.com>
    Subject: Re: Software Overflow Could Cause Complete Power Loss in 787

    It's not clear how likely it is that generator could be left on for eight
    months. Do they run between flights and over-night? Only powered down at
    maintenance checks? Or go off when parked, like your car? Nice to see this
    was discovered in a lab simulation, not in mid-air.

    Richard Karash Richard@Karash.com +1 617-308-4750 -- http://Karash.com

    [Also noted by Jeremy Epstein... PGN]
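
    A worked example for the 787 item and Karash's question, added by the
    editor and not Boeing's code or the FAA's analysis.  The directive as quoted
    gives only the symptom: the units misbehave after 248 days of continuous
    power.  The mechanism below is an assumption, the textbook one that fits
    that number: a signed 32-bit counter of 10 ms ticks reaches 2**31 after
    about 248.5 days, at which point the value goes negative and any
    "has the deadline passed" comparison written as a plain `>=` flips.

```python
"""Signed 32-bit tick-counter wraparound and the deadline comparison that
survives it.  Added example; the 10 ms tick and the counter width are the
editor's assumptions about the 787 case, not facts from the directive."""

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def wrap_i32(n: int) -> int:
    """Emulate two's-complement signed 32-bit wraparound in Python."""
    return (n + 2**31) % 2**32 - 2**31


def days_until_overflow(tick_ms: int) -> float:
    """Continuous uptime, in days, before a signed 32-bit tick counter
    crosses from INT32_MAX to INT32_MIN."""
    return (2**31 * tick_ms) / 1000 / 86400


def counter_value(uptime_ticks: int) -> int:
    """What a 32-bit signed uptime register reads after that many ticks."""
    return wrap_i32(uptime_ticks)


def deadline_passed_naive(now: int, deadline: int) -> bool:
    """The usual bug: compare raw register values.  Correct until `now`
    wraps while `deadline` was set before the wrap; then it says 'not yet'
    for the next 2**31 ticks."""
    return now >= deadline


def deadline_passed_wrapsafe(now: int, deadline: int) -> bool:
    """Subtract first, then look at the sign.  Correct for any pair of
    timestamps less than 2**31 ticks apart, across the wrap.  Same idiom
    as the Linux kernel's time_after()."""
    return wrap_i32(now - deadline) >= 0


def schedule(now: int, ticks_ahead: int) -> int:
    """Register value a deadline `ticks_ahead` from `now` will have."""
    return wrap_i32(now + ticks_ahead)


if __name__ == "__main__":
    print(f"10 ms ticks overflow after {days_until_overflow(10):.2f} days")
    # Constructed scenario: a deadline set 100 ticks before the wrap,
    # checked 100 ticks after it.
    deadline = counter_value(2**31 - 100)
    now = counter_value(2**31 + 100)
    print("register now   :", now, "(negative after the wrap)")
    print("naive  says passed:", deadline_passed_naive(now, deadline))
    print("wrapsafe says passed:", deadline_passed_wrapsafe(now, deadline))
```

    Powering the unit down resets the counter, which is why a periodic reboot
    is a complete, if inelegant, interim fix, and why a fleet that is never
    powered off for maintenance would eventually hit it in the air.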

    ------------------------------

    Date: Thu, 30 Apr 2015 17:03:40 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Congressman with computer science degree: Encryption back doors
    are ``technologically stupid''

    *The Washington Post*, 30 Apr 2015, via NNSquad
    http://www.washingtonpost.com/blogs/the-switch/wp/2015/04/30/congressman-with-computer-science-degree-encryption-back-doors-are-technologically-stupid/

    The debate over whether companies should be forced to build in ways for
    law enforcement to access communications protected by encryption took a
    tense turn this week in a congressional hearing. On one side were law
    enforcement officials, including a high-ranking FBI official. On the
    other were tech-savvy members of the House Government Oversight and Reform
    Committee's Information Technology subcommittee -- two with computer
    science degrees. "It is clear to me that creating a pathway for
    decryption only for good guys is technologically stupid," said Rep. Ted
    Lieu (D-Calif.), who has a bachelor's in computer science from Stanford
    University. "You just can't do that."

    ------------------------------

    Date: Tue, 28 Apr 2015 09:46:15 -0400
    From: Devon McCormick <devo...@gmail.com>
    Subject: Cybersecurity mandated by those who don't use it

    There's a good article in *The Guardian* pointing out that the members of
    the U.S. Congress, who would legislate cybersecurity for all Americans, do
    not themselves take the slightest security precautions - none of them
    encourage (or, for the most part, use) encrypted communication and none of
    their websites use https.

    http://www.theguardian.com/commentisfree/2015/apr/18/congress-cannot-be-taken-seriously-on-cybersecurity

    ------------------------------

    Date: Tue, 28 Apr 2015 08:40:13 +0200 (GMT+02:00)
    From: hbaker1 <hba...@pipeline.com>
    Subject: Public wifi & man-in-the-middle

    Public wifi networks in airports & hotels often utilize man-in-the-middle
    techniques to require some sort of login -- e.g., Ruckus Wireless.

    With "HTTPS Everywhere" & other new browser techniques to stop MITM
    techniques, it becomes almost impossible to use these networks.

    I now have to use a "throwaway" Chrome browser on my laptop that I use
    *only* for initial login to these networks with an HTTP throwaway home page.
    Once logged in, I can then fire up a real, *locked-down* browser that uses
    HTTPS Everywhere, NoScript, Tor, etc.

    Since public wifi networks place computers *most* at risk, these public wifi
    networks are going to have to find a better -- i.e., more secure -- way to
    login, as MITM'ing an http request is perhaps the world's worst (i.e., most
    insecure) idea ever invented.
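
    The probe that a client can send before trusting a network, as an added
    example for Baker's posting (the editor's code, not Ruckus's or any
    vendor's).  It follows the pattern mobile operating systems use: fetch a
    plain-http URL whose correct answer is known in advance, and treat any
    other answer as a middlebox rewriting traffic.  The probe URL, the expected
    reply and the sample responses are constructed; the fetch is injected so
    the logic runs without a network.

```python
"""Captive-portal detection by known-answer http probe.  Added example;
the probe URL, expected status and sample replies are the editor's
constructions, not any OS's or vendor's actual endpoints."""
from urllib.parse import urlsplit

PROBE_URL = "http://probe.example.invalid/generate_204"   # assumed
EXPECTED_STATUS = 204                                      # assumed
REDIRECTS = (301, 302, 303, 307, 308)


def classify_probe(status: int, headers: dict, body: bytes) -> str:
    """'open'    : the exact expected reply came back untouched;
       'captive' : a redirect or a substituted page, i.e. something on the
                   path is MITM'ing http until you log in;
       'blocked' : anything else (filtered, broken upstream)."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == EXPECTED_STATUS and not body:
        return "open"
    if status in REDIRECTS and "location" in h:
        return "captive"
    if status == 200 and b"<html" in body.lower():
        return "captive"
    return "blocked"


def portal_host(headers: dict):
    """Host the portal redirects to, so the user can open it deliberately in
    a throwaway browser rather than having a real session intercepted."""
    h = {k.lower(): v for k, v in headers.items()}
    loc = h.get("location")
    return urlsplit(loc).hostname if loc else None


def run_probe(fetch) -> str:
    """fetch(url) -> (status, headers, body).  Injected so that a real
    HTTP client, or a canned reply in tests, can be supplied."""
    status, headers, body = fetch(PROBE_URL)
    return classify_probe(status, headers, body)


# Constructed sample replies (status, headers, body)
OPEN_REPLY = (204, {"Content-Length": "0"}, b"")
PORTAL_REDIRECT = (302, {"Location": "https://login.hotel.invalid/?orig=" + PROBE_URL}, b"")
PORTAL_PAGE = (200, {"Content-Type": "text/html"},
               b"<html><body>Welcome to the airport wifi, please log in</body></html>")
FILTERED = (503, {}, b"")

if __name__ == "__main__":
    for name, reply in [("open", OPEN_REPLY), ("redirect", PORTAL_REDIRECT),
                        ("page", PORTAL_PAGE), ("filtered", FILTERED)]:
        print(f"{name:9s} -> {run_probe(lambda url, r=reply: r)}")
    print("portal at:", portal_host(PORTAL_REDIRECT[1]))
```

    Because the probe is deliberately plain http, the portal gets to intercept
    one request that carries nothing of value, and every later request can go
    over HTTPS with full validation; that is the separation Baker is achieving
    by hand with two browsers.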

    ------------------------------

    Date: Tue, 28 Apr 2015 16:41:23 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Preparing for Warfare in Cyberspace

    http://www.nytimes.com/2015/04/28/opinion/preparing-for-warfare-in-cyberspace.html

    A new strategy begins to lay out the conditions under which America would
    use cyberweapons.

    ------------------------------

    Date: Wed, 29 Apr 2015 15:38:40 +0100
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: All cars must have tracking devices to cut road deaths, says EU.

    This idea has been around for a while, but the title says it all.

    All new cars will within three years contain tracking devices that alert
    the emergency services in the event of an accident.
    Under EU laws passed on Tuesday the technology will be compulsory from
    2018 and fitted as standard in every model of car and small van.

    A serious crash will prompt an automatic call to the nearest emergency
    centre. Even if nobody in the vehicle is able to speak, the device will
    still relay the exact location, time, direction of travel, the scale of
    the impact and whether airbags have been deployed.

    <http://ec.europa.eu/digital-agenda/en/news/ecall-all-new-cars-april-2018>

    Apart from the privacy concerns mentioned, a couple of queries occur to me,
    assuming that this feature will use the regular public mobile telephone
    (cellphone) network:

    - If there's a multi-vehicle pile-up, could the cellphone network in the
    vicinity of the crash be overloaded by these automatically-generated
    calls, possibly blocking other urgent communications (as happened in the
    Boston Marathon bombing)?

    - Presumably this will increase the call-handling load for the cellphone
    network, so who pays? Do car owners have to take out a cellphone
    subscription, or will cellphone companies get some sort of Gov't funding,
    or will their other customers effectively subsidise the service?

    http://www.telegraph.co.uk/news/uknews/road-and-rail-transport/11569453/All-cars-must-have-tracking-devices-to-cut-road-deaths-says-EU.html

    ------------------------------

    Date: Wed, 29 Apr 2015 18:50:07 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Doctors don't like EHRs?

    [I think that they may be thinking about closing the gate (after the horses
    ran away) by putting in a few pieces of bamboo :) DKross]

    http://www.c-span.org/video/?325544-1/health-human-services-secretary-testimony-fiscal-year-2016-budget

    Sen Lamar Alexander to HHS Secretary Burwell "... half of doctors don't like
    their EHRs to the point that they'll accept Medicare penalties rather than
    deal with workflow disruption..."

    And added that the "...AMA found that 70 percent of doctors say their EHRs
    weren't worth the cost and that EHRs are the leading cause of physician
    dissatisfaction..."

    ------------------------------

    Date: Thu, 30 Apr 2015 09:30:27 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Now you can embed classic MS-DOS games in tweets (Ian Paul)

    Ian Paul, PCWorld, 30 Apr 2015

    Twitter Cards are cool for watching videos or listening to tunes without
    leaving Twitter. But now the Internet Archive has the best use for Twitter's
    rich media feature yet: old-school MS-DOS games that can be played right
    inside a tweet.

    http://www.pcworld.com/article/2916528/now-you-can-embed-classic-ms-dos-games-in-tweets.html

    I guess this is one way to find/fix security exploits, but probably not the
    best way...

    ------------------------------

    Date: Tue, 28 Apr 2015 10:17:10 +1000
    From: Craig Burton <craig.alexa...@gmail.com>
    Subject: Re: Iowa casino doesn't have to pay $41M jackpot error (RISKS-28.60)

    A case came up in Australia in 2011 of scratch-off gambling cards showing a
    winning match, and the winner got AUD100,000. However, the company sued and
    won because the code on the bottom of the card was not a "winning code". I
    was surprised the lotteries law allowed for this kind of opacity, which
    could presumably be abused.

    http://www.abc.net.au/news/2011-08-25/scratchie-case-loss-a-picture-of-pain/2855046

    ------------------------------

    Date: Wed, 29 Apr 2015 08:58:10 -0700
    From: "Clay Jackson" <cl...@nwlink.com>
    Subject: Re: Starbucks Outage (RISKS-28.60)

    I worked in IT for Starbucks in the 1990s (1996-1999) and we had a VERY
    similar (at least from what I can glean from the press reports of this one)
    failure in 1998 (might have been '97).

    Jeremy Epstein comments, "I don't know anything about running global IT
    infrastructures, so perhaps I'm naive, but I would think that rollouts would
    be done in a rolling fashion to avoid shutting down the entire company" - I
    do know a bit about this, and I don't think I'd be violating any
    non-disclosures by saying that even in the earlier failure, the updates
    "pushed" to the stores were staggered (and I assume still are). I'm sure
    the "failure mode" was much more complex. And, yeah, there probably is some
    naivety there; preventing ALL possible failure modes like this costs money
    (at the very least, having onsite or rapidly available backups at every
    store AND having at least 2 partners trained in how to perform the restore),
    AND, even if that WAS a possibility, I can see how the "fog of the moment"
    could make it difficult to implement ("Before we strike out on our own,
    let's give corporate a chance to fix this", or "They told us they'd be back
    up in 1 hour, and the recovery will take at least 2"). I also worked for
    WaMu (another whole set of Risks:)); and I know the steps we took to ensure
    "branch Independence" were pretty amazing and also VERY costly.

    This is interesting from a number of standpoints - we now have 2 datapoints
    from the same company; I would assume that the various systems have
    changed/grown over the years (it would be REALLY interesting to have a
    current or more recent Starbucks partner comment). IMHO, 2 failures in 17
    or 18 years is really not too bad.

    ------------------------------

    End of RISKS-FORUM Digest 28.61
    ************************
     
  5. LakeGator

    Risks Digest 28.62

    RISKS List Owner

    May 8, 2015 6:30 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 8 May 2015 Volume 28 : Issue 62

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.62.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Dealing with rogue drones, Copping a 'copter (The Economist)
    Computer Scientists Use Twitter to Predict UK General Election Result
    (Lee Page)
    Vint Cerf on ACM, Internet Issues, Quantum Machine Computing
    (Stephan Ibaraki)
    ACLU sues Fairfax County police over license-plate data (Jim Reisert)
    The man who wants to outlaw encryption (Daily Dot via Lauren Weinstein)
    Boxing Match: Video Piracy Battle Enters Latest Round -- Mobile Apps
    (NYTimes via Monty Solomon)
    Now you can embed classic MS-DOS games in tweets (Ian Paul via Jim Reisert)
    ZPM Espresso and the Rage of the Jilted Crowdfunder (NYTimes via
    Monty Solomon)
    Re: Doctors don't like EHRs (James Geissman)
    Re: All cars must have tracking devices ... (Alister Wm Macintyre)
    Re: FAA Orders Fix for Possible Power Loss in Boeing 787 (Jeff Makey)
    Re: At least one American Airlines plane is grounded because the pilots'
    iPads crashed (Michael Kohne)
    Authentication vs Identification: South Korean ID system in disarray
    (Jay Ashworth)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 3 May 2015 9:29:28 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Dealing with rogue drones, Copping a 'copter (The Economist)

    In the hands of criminals, small drones could be a menace. Now is the time
    to think about how to detect them and knock them down safely. On 22 April,
    a drone carrying radioactive sand landed on the roof of the Japanese prime
    minister's office in Tokyo. It was the latest of a string of incidents
    around the world involving small drones. Last year more than a dozen French
    nuclear plants were buzzed by them. In January one crashed on the White
    House lawn. In February and early March several were spotted hovering near
    the Eiffel tower and other Parisian landmarks. Later in March someone
    attempted to fly one full of drugs (and also a screwdriver and a mobile
    phone) into a British prison. The employment of drones for nefarious, or
    potentially nefarious, purposes thus seems to have begun in earnest. It is
    only a matter of time before somebody attempts to use a drone, perhaps
    carrying an explosive payload, to cause serious damage or injury. The
    question for the authorities is how to try to stop this happening.

    *The Economist*, 1 May 2015

    ------------------------------

    Date: Fri, 8 May 2015 13:13:01 -0400 (EDT)
    From: "ACM TechNews" <tech...@hq.acm.org>
    Subject: Computer Scientists Use Twitter to Predict UK General Election Result
    (Lee Page)

    Lee Page, University of Warwick, 5 May 2015 via ACM TechNews,
    Friday, May 8, 2015

    Computer scientists from the University of Warwick used Twitter to predict
    the outcome of the U.K. general election. The team has developed an
    algorithm that harvests political tweets, and incorporating sentiment
    conveyed in tweets was one of its key features. The user-generated content
    is aggregated and put into conventional polling reports to produce a daily
    prediction of voting share. "We then put all this information into our
    forecasting model, along with the parties' share of the vote as measured by
    opinion polls," says Warwick researcher Adam Tsakalidis. The team says the
    approach will provide key insights into how public opinion is developing and
    what factors might be influencing any changes in support. The researchers
    believe their forecasts could be more accurate than traditional opinion
    methods. Tested during the Greek election in January, the model achieved
    better results than all of the most recent polls leading up to the vote and
    three exit polls once the ballots closed. "We are particularly interested
    in automatically identifying the sentiment expressed towards specific
    politicians or parties and topics such as immigration," Tsakalidis says.
    "This will help us obtain more accurate predictions as well as better
    understanding of the reasons behind public support or discontent."
    http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-dac7x2cca3x061924&

    ------------------------------

    Date: Mon, 4 May 2015 12:28:25 -0400 (EDT)
    From: "ACM TechNews" <tech...@hq.acm.org>
    Subject: Vint Cerf on ACM, Internet Issues, Quantum Machine Computing
    (Stephan Ibaraki)

    Stephan Ibaraki, IT World Canada, 1 May 2015
    via ACM TechNews, 4 May 2015

    In a wide-ranging interview, Vint Cerf, co-creator of the Internet and vice
    president at Google, discusses a range of topics, including the modern
    challenges of the Internet, the technologies of the future, and the
    Association for Computing Machinery (ACM). Asked what he sees as the main
    challenges and controversies surrounding the Internet today, Cerf,
    co-recipient in 2004 of the ACM A.M. Turing Award, identified the need to
    ensure users' safety, security, and privacy. He also reiterated his
    frequent warnings about a "digital Dark Age" that could result as software
    continues to advance and the means of interacting with older software and
    data falls away. Finally, he pointed to the Internet of Things,
    particularly the need to ensure the security of all Internet-connected
    devices. Cerf also commented on a number of speculative topics, saying he
    thinks the singularity envisioned by Ray Kurzweil is "a stretch," but that
    he sees a great deal of promise in current research into quantum computing
    and quantum entanglement. He also comments on the need for professionalism
    and credentialing in software development and discusses his time as
    president of ACM. Cerf says ACM's main challenges today are helping to
    establish 21st century business models, being relevant to computer science
    practitioners, and helping to promote computer science as a discipline.
    http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-da62x2cbd1x061742&

    ------------------------------

    Date: Wed, 6 May 2015 14:30:28 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: ACLU sues Fairfax County police over license-plate data

    The Associated Press, 6 May 2015

    FAIRFAX, Va. (AP) - The American Civil Liberties Union of Virginia is suing
    Fairfax County police over a policy in which they store data collected on
    thousands of drivers through the use of license-plate readers.

    The civil-liberties group filed the suit Tuesday in Fairfax County Circuit
    Court. The ACLU alleges that keeping a database of information collected
    through license-plate readers amounts to an illegal invasion of privacy.

    http://www.wjla.com/articles/2015/05/aclu-sues-fairfax-county-police-over-license-plate-data-113755.html

    ------------------------------

    Date: Thu, 7 May 2015 22:00:53 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: The man who wants to outlaw encryption

    Unlike the gung-ho mood post-9/11 America, which led to the passage of the
    USA Patriot Act, industry and academic experts and even members of
    Congress have lambasted Comey's efforts to outlaw strong encryption as a
    vast overstep of government authority and grossly naive. Just last week,
    for example, a congressional hearing on encryption got downright hostile
    when Rep. Ted Lieu (D-Calif.) called Comey's proposal "stupid."
    The Daily Dot via NNSquad
    http://www.dailydot.com/politics/james-comey-no-tradeoff-between-liberty-and-security/

    [We note that the federal appeals court for the Second Circuit ruled
    on 7 May 2015 that the NSA's bulk record collection program is unlawful.
    PGN]

    ------------------------------

    Date: Tue, 5 May 2015 09:34:26 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Boxing Match: Video Piracy Battle Enters Latest Round -- Mobile Apps

    http://www.nytimes.com/2015/05/05/technology/with-boxing-match-video-piracy-battle-enters-latest-round-mobile-apps.html

    With the Mayweather-Pacquiao bout, live streaming from mobile apps was just
    one of the new piracy headaches facing media companies.

    [That, plus the fact that thousands of paying customers were unable to
    access the live streaming. PGN]

    ------------------------------

    Date: Tue, 5 May 2015 13:41:12 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Now you can embed classic MS-DOS games in tweets (Ian Paul)

    That didn't take long.....

    @SamuelGibbs, 4 May 2015

    Twitter kills MS-Dos games embedded in tweets

    Social network kills MS-Dos gaming fun, saying interactives and games breach
    its embedded cards terms of service

    http://www.theguardian.com/technology/2015/may/04/twitter-kills-ms-dos-games-embedded-in-tweets

    ------------------------------

    Date: Tue, 5 May 2015 09:47:32 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: ZPM Espresso and the Rage of the Jilted Crowdfunder

    http://www.nytimes.com/2015/05/03/magazine/zpm-espresso-and-the-rage-of-the-jilted-crowdfunder.html

    What happens when a Kickstarter project fails to launch?

    ------------------------------

    Date: Sat, 02 May 2015 00:03:42 +0000
    From: "Geissman, James" <james.g...@bankofamerica.com>
    Subject: Re: Doctors don't like EHRs (RISKS 28.61)

    I looked in Wiki and the EHR article listed 11 different standards plus 3
    "open" ones for them. Whaa? In the mortgage banking industry where I work
    there's the MISMO standard. Different people modify it somewhat, but it's a
    single basic standard. Of course the idea with the mortgage data is the data
    is meant to be exchanged, not merely used by the creator. Isn't that the
    case with EHRs also?

    ------------------------------

    Date: Sat, 2 May 2015 01:11:23 -0500
    From: "Alister Wm Macintyre \(Wow\)" <macwh...@wowway.com>
    Subject: Re: All cars must have tracking devices ... (Drewe, RISKS-28.61)

    Several observations:

    * I think train locomotives should have radar in front to detect vehicles
    which have not yet cleared RR crossings, such as back end of a school bus or
    truck, that is stuck in a traffic jam.

    * Some cars are imported into EU. I assume it will be a requirement to have
    this installed in imports, before they are driven in EU. But EU auto
    manufacturers, which export to other nations, may need to disable this
    feature, or give owners the opportunity to have this disabled, depending on
    the laws of the other nations.

    * The USA has places where cell reception is no good, such as some rural
    areas, and valleys. Is this also true in Europe?

    * There are areas where cell phone service is blocked, because national
    security mentality thinks most bombs are set off by cell phone calls. That
    will work until the enemy uses alternative technology, such as timers (as in
    the Spain train bombing), and other techniques. It can also inconvenience
    first responders who may rely on that system. The Boston Marathon had no
    drones harassing the runners, thanks to a system which used cell phone
    communications.

    * There may need to be some threshold adjustment to recognize what some
    people do not consider to be an accident, such as car door hitting adjacent
    car, when they parked too close to each other, or what goes on when crossing
    the picket line of a labor management dispute -- lots of hands thumping the
    roof.

    * Some riots may set off excess alarms, as the police shoot pellets into a
    crowd, and many parked cars get hit.

    * The US has systems where people are required to notify the police, such as
    medical personnel observing what appears to be evidence of child abuse, then
    funding for the police to do anything with the info is lost, and the
    mandatory reports go into the garbage, without updating the requirements.
    Is this also true in Europe?

    * Will this system be as easy to hack as prior systems installed in
    vehicles?

    * Many alarm systems in the USA trigger calls to the police, but some
    systems have lots of false alarms, then the police send the owners of the
    false alarm systems bills for the wasted time of the police or fire dept.
    Is this also true in Europe? What will happen with alleged false alarms
    from this system?

    There have been multiple disasters, where power outages take out cell phone
    towers, such as 9/11 in NYC where communication services used the Twin
    Towers.

    In the Haiti 2010 quake, which took out a capital city's infrastructure,
    many volunteer foreign first responders were flooded with SOS. Some
    speculated:

    * Where we come from, lots of people do prank 911 calls, so many of these
    may also be a similar situation.

    * Cell tower service was knocked out, until the USAF launched a flying cell
    tower, so what we are probably hearing is the last gasp of the batteries of
    the cell phones of now dead people.

    For these, and other reasons, many cell phone SOS were not responded to.
    But later examination of where dead bodies were found, showed a correlation
    that many of those SOS were in fact real, and had they been taken seriously,
    more lives could have been saved.

    ------------------------------

    Date: Mon, 4 May 2015 14:44:43 -0700
    From: Jeff Makey <je...@sdsc.edu>
    Subject: Re: FAA Orders Fix for Possible Power Loss in Boeing 787

    248 days is the time it takes a 100Hz counter to go from zero to 2**31. If
    such a counter is stored in a signed 32-bit integer, its value then
    overflows to become negative, and confusion may ensue. The Solaris 2.5
    operating system, circa 1996, had this problem with the system clock and
    would hang after 248 days of uptime.

    [Also noted by Gene Wirchenko and Kent Borg -- who recalls the day Berkshire
    Hathaway broke $(2^15)/share, and the stock market also broke. PGN]
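
    The arithmetic in Jeff Makey's note, worked through in code as an added
    example (this is not code from the note, from Solaris, or from Boeing): a
    100 Hz tick counter reaches 2^31 after 248 days, and a timeout test written
    as a plain signed comparison stops firing once the counter reads negative,
    while the unsigned-subtraction idiom used by the Linux kernel's time_after()
    keeps working across the wrap. The 100 Hz rate comes from the note; the
    function names, the SIGNED_WRAP_TICKS constant and the one-second timeout
    scenario are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tick rate taken from the note: 100 Hz, one tick every 10 ms (assumption). */
#define TICK_HZ 100u
#define SECONDS_PER_DAY 86400u
/* Tick count at which a counter stored in a signed 32-bit int turns negative. */
#define SIGNED_WRAP_TICKS 2147483648u /* 2^31 */

/* Whole days of uptime before an hz-rate tick counter reaches 2^31. */
unsigned days_until_signed_wrap(unsigned hz)
{
    return (unsigned)(SIGNED_WRAP_TICKS / hz / SECONDS_PER_DAY);
}

/* The kernel increments an unsigned 32-bit word; code that declared the
 * counter as int sees the same bits as a signed value. memcpy reinterprets
 * the bits without relying on implementation-defined conversions. */
static int32_t bits_as_signed(uint32_t raw)
{
    int32_t s;
    memcpy(&s, &raw, sizeof s);
    return s;
}

/* Naive deadline test: a plain signed comparison. After tick 2^31 "now"
 * reads negative, so every positive deadline appears to lie in the future
 * and whatever is waiting on it never wakes up. */
bool naive_deadline_passed(int32_t now, int32_t deadline)
{
    return now >= deadline;
}

/* Wrap-safe deadline test (the time_after() idiom): subtract in unsigned
 * arithmetic, which is defined to wrap modulo 2^32, and inspect only the
 * sign of the difference. Correct whenever the two tick values are less
 * than 2^31 ticks (about 248 days at 100 Hz) apart. */
bool safe_deadline_passed(uint32_t now, uint32_t deadline)
{
    return bits_as_signed(now - deadline) >= 0;
}

/* Constructed scenario: a one-second timeout armed just before the wrap and
 * polled just after it. Returns whether the timeout is seen as expired. */
bool timeout_fires_across_wrap(bool use_safe_compare)
{
    uint32_t deadline = SIGNED_WRAP_TICKS - TICK_HZ; /* armed 1 s before the wrap */
    uint32_t now      = SIGNED_WRAP_TICKS + TICK_HZ; /* polled 1 s after it */
    if (use_safe_compare)
        return safe_deadline_passed(now, deadline);
    return naive_deadline_passed(bits_as_signed(now), bits_as_signed(deadline));
}

int main(void)
{
    printf("100 Hz counter reaches 2^31 after %u days\n",
           days_until_signed_wrap(TICK_HZ));
    printf("naive compare sees the timeout expire: %s\n",
           timeout_fires_across_wrap(false) ? "yes" : "no (hang)");
    printf("wrap-safe compare sees the timeout expire: %s\n",
           timeout_fires_across_wrap(true) ? "yes" : "no (hang)");
    return 0;
}
```

    The wrap-safe form only moves the problem, not removes it: two timestamps
    more than 2^31 ticks apart still compare the wrong way round, so a 64-bit
    counter (or a counter that is never read as signed) is the actual fix; the
    comparison idiom just stops a single wrap from freezing every pending
    timeout at once.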

    ------------------------------

    Date: Fri, 1 May 2015 20:36:39 -0400
    From: Michael Kohne <mhk...@kohne.org>
    Subject: Re: At least one American Airlines plane is grounded because the
    pilots' iPads crashed (Moore, RISKS-28.61)

    > Where's the backup system?

    What's the data on the iPad used for? Is it just stuff used to set up the
    flight computers and inform the tower and so-on? Because if it IS just
    pre-flight information, then staying at the gate is a perfectly safe (if
    moderately expensive) fallback procedure.

    ------------------------------

    Date: Mon, 4 May 2015 19:27:49 -0400 (EDT)
    From: Jay Ashworth <j...@baylink.com>
    Subject: Authentication vs Identification: South Korean ID system in disarray

    [Re: Lauren Weinstein, South Korean ID system in disarray, 14 Oct 2014,
    Privacy Forum and Network Neutrality Squad, but not in RISKS. PGN]

    PRIVACY Forum's Lauren Weinstein pointed out a BBC story about identity
    theft in South Korea, and the piece is interesting, because it points up the
    RISKS of *not learning lessons*.

    The problem there, it seems, stems from the same source as in the US:

    Treating an identifier as an authenticator.

    Well, more properly, *knowledge of an identifier*.

    In the US, of course, this is the Social Security Number, which we are told
    to keep a State Secret... except for all the people to whom we are required
    to give it. (TTBOMK, you are only legally required to disclose your SSN to
    employers, the IRS, and -- thanks to the USA PATRIOT Act, passed by an
    entire Congress nearly none of whom have read it *by now*, much less before
    passing it -- banks, and non-bank debit card service providers. (And as
    another correspondent points out, state DMVs in REALID states, now.))

    Identifiers and authenticators each have several properties which it is
    necessary for them to fulfill in order to successfully accomplish their
    tasks. Herewith, a recap:

    For identifiers: they must be unique, they must be arbitrary (you cannot
    encode mnemonics into them, or, if you do, at least some part must be
    globally unique and arbitrary amongst the relevant namespace), and it
    *mustn't ever be necessary to change them*.

    Authenticators, on the other hand, *must* be changeable, to avoid and
    recover from authentication breaches, and they must *not* be researchable --
    that is, unlike "mother's maiden name" or "city you grew up in" or "name of
    your first pet", or any other bit of information that people can pry out of
    you by posting a cute quiz on Facebook, it must not be possible to determine
    what the authenticator is for a given identity relationship.

    Anything which is not a password/phrase/PIN violates the second requirement,
    and biometrics violate the first (quite apart from the requirement that
    biometrics must test for a living human, lest someone cut your finger off to
    scan it -- and please don't think I'm joking there).

    Identity theft problems in both the US and S Korea stem from the persistent
    and willful failure of businesses and governments in both countries to cease
    trying to extend SSN/identity numbers (which are identifiers) to fill the
    purpose of authenticators as well -- one data item cannot do both jobs, as
    they have conflicting requirements... and those requirements are absolute.

    As you realize, if you shop at Home Depot. Or Target. Or Kohls.

    Or have tried to make a change to your power utility account.

    It is often possible to convince someone who tells you they "must have your
    SSN" that they are wrong; some organizations have policy for this. Duke
    Energy was happy to put my FL DL number on file instead, once I insisted.

    In the 60s, a friend forced the Mass DMV to make up an SSN for him, rather
    than putting his on his MA DL.

    In the final analysis, each individual is responsible for their own
    security; while laws may protect you from some of the inevitable results,
    they generally don't protect you from the hassle.

    On the larger scale, CIOs of big organizations MUST (to borrow normative
    language from the RFCs) learn this lesson and MUST stop using "knowledge of
    SSN" as an authenticator, and MUST stop asking for it at all unless they
    have a real, legal reason to need it.

    That's the only way we'll *really* stop having to deal with Identity Theft
    in the United States.

    > (BBC): http://www.bbc.com/news/technology-29617196 (Oct 2014)
    >
    > The government is considering issuing new ID numbers to every citizen
    > aged over 17, costing billions of dollars. The ID numbers and
    > personal details of an estimated 80% of the country's 50 million
    > people have been stolen from banks and other targets, say experts.
    > Rebuilding the system could take up to a decade, said one. Some 20
    > million people, including the president Park Geun-hye, have been
    > victims of a data theft from three credit card companies. "The
    > problems have grown to a point where finding a way to completely solve
    > them looks unlikely,'' technology researcher Kilnam Chon told Reuters.

    Jay R. Ashworth, Ashworth & Associates, 2000 Land Rover DII, St Petersburg
    FL +1 727 647 1274 http://www.bcp38.info j...@baylink.com

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
    if possible and convenient for you. The mailman Web interface can
    be used directly to subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks
    Alternatively, to subscribe or unsubscribe via e-mail to mailman
    your FROM: address, send a message to
    risks-...@csl.sri.com
    containing only the one-word text subscribe or unsubscribe. You may
    also specify a different receiving address: subscribe address= ... .
    You may short-circuit that process by sending directly to either
    risks-s...@csl.sri.com or risks-un...@csl.sri.com
    depending on which action is to be taken.

    Subscription and unsubscription requests require that you reply to a
    confirmation message sent to the subscribing mail address. Instructions
    are included in the confirmation message. Each issue of RISKS that you
    receive contains information on how to post, unsubscribe, etc.

    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines.

    => .UK users may contact <Lindsay....@newcastle.ac.uk>.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you NEVER send mail!
    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
    *** NOTE: Including the string `notsp' at the beginning or end of the subject
    *** line will be very helpful in separating real contributions from spam.
    *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
    http://www.risks.org takes you to Lindsay Marshall's searchable archive at
    newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 28.62
    ************************
     
  6. LakeGator

    Risks Digest 28.63

    RISKS List Owner

    May 11, 2015 7:07 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 11 May 2015 Volume 28 : Issue 63

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.63.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Ed Felten joining WH OSTP (Richard Forno)
    Real-time emotion tracking by webcam (Nick Brown)
    Flawed encryption leaves millions of smart grid devices at risk of
    cyberattacks (ZDNet via Bob Frankston)
    Gustavo Duarte Blog Recommendation: "Brain Food for Hackers"
    (Lauren Weinstein)
    HTTPS: the end of an era (Medium via Lauren Weinstein)
    Another reason why any moves toward forced https: are so potentially
    dangerous (Google via NNSquad)
    Re: Authentication vs Identification ... (David Brodbeck)
    Re: Doctors don't like EHRs (Richard I Cook, Alister Wm Macintyre)
    Re: All cars must have tracking devices ... (Wols, John Levine)
    REVIEW: "Security for Service Oriented Architectures", Walter Williams
    (Rob Slade)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: May 11, 2015 5:22 PM
    From: "Richard Forno" <rfo...@infowarrior.org>
    Subject: Ed Felten joining WH OSTP (via Dave Farber)

    Andrea Peterson, *The Washington Post*, 11 May 2015
    http://www.washingtonpost.com/blogs/the-switch/wp/2015/05/11/the-white-house-just-snagged-one-of-the-most-valuable-players-in-the-tech-policy-world/?postshare=2921431378673360

    The White House is adding one of the tech policy world's most valuable
    players to its roster: Princeton Professor Ed Felten. The White House
    announced today that Felten will join the Office of Science and Technology
    Policy as deputy U.S. chief technology officer.

    In his decades-long career, Felten has carved out a role as one of the
    world's top thinkers on computer security and privacy -- tackling
    technically difficult topics and translating them for Washington insiders.
    "There is no one more valuable to bridging tech and policy than Ed," said
    Joseph Lorenzo Hall, the chief technologist at the Center for Democracy &
    Technology, who worked with Felten as a post-doctoral fellow at Princeton.

    He's also slipped seamlessly between academia and civil service: Felten has
    been a professor at Princeton for more than two decades, and currently
    serves as the founding director of the school's Center for Information
    Technology Policy. But from 2011 through 2012 he served as the first chief
    technologist at the Federal Trade Commission -- the government's de facto
    privacy watchdog.

    Felten's also weighed in on government surveillance efforts: In the wake of
    revelations about National Security Agency surveillance programs from former
    government contractor Edward Snowden, Felten publicly argued that phone
    record data being vacuumed up by the government could reveal extremely
    sensitive personal information. In fact, he made that point in a brief
    supporting the plaintiffs in a lawsuit that resulted in a federal appellate
    court decision last week that found the phone records program is illegal.

    "Ed joins a growing number of techies at the White House working to further
    President Obama's vision to ensure policy decisions are informed by our best
    understanding of state-of-the-art technology and innovation, to quickly and
    efficiently deliver great services for the American people, and to broaden
    and deepen the American people's engagement with their government,"
    Alexander Macgillivray, deputy chief technology officer, and Megan Smith,
    U.S. chief technology officer, said in a blog post today.

    Both Macgillivray and Smith come from big tech companies -- Macgillivray is
    a former general counsel at Twitter while Smith was a vice president at
    Google. That makes Felten's academic background unique among the current
    class of the nation's top tech civil servants.

    [See also
    https://www.whitehouse.gov/blog/2015/05/11/white-house-names-dr-ed-felten-deputy-us-chief-technology-officer
    PGN]

    ------------------------------

    Date: Sun, 10 May 2015 01:07:53 +0200 (CEST)
    From: nick....@free.fr
    Subject: Real-time emotion tracking by webcam

    The European Commission is giving financial backing to a company that claims
    its technology can read your emotional state by just having you look into a
    webcam.

    Highlights:

    "Realeyes is a London based start-up company that tracks people's facial
    reactions through webcams and smartphones in order to analyse their
    emotions. ... Realeyes has just received a 3,6 million euro funding from
    the European Commission to further develop emotion measurement
    technology. ... The technology is based on six basic emotional states that,
    according to the research of Dr Paul Ekman, a research psychologist, are
    universal across cultures, ages and geographic locations. ...

    [T]his technological development could be a very powerful tool not only for
    advertising agencies, but as well for improving classroom learning,
    increasing drivers' safety, or to be used as a type of lie detector test by
    the police."

    More at https://edri.org/emotion-tracking-company-gets-funding-from-ec/

    The risks are left as an exercise for the reader. I suspect that most people
    will have little difficulty in coming up with a few dozen, perhaps split
    into two categories: if the technology works, and if it doesn't work, the
    boundary between the two being some more-or-less arbitrary false-positive
    rate. The impossibility of falsifying the machine's verdict is top of my
    list.

    ------------------------------

    Date: Mon, 11 May 2015 02:27:45 -0400
    From: "Bob Frankston" <bob19...@bobf.frankston.com>
    Subject: Flawed encryption leaves millions of smart grid devices at risk of
    cyberattacks (ZDNet)

    http://www.zdnet.com/article/smart-grid-group-rolls-out-its-own-flawed-crypto-risking-device-security/

    ------------------------------

    Date: Sat, 9 May 2015 13:38:39 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Gustavo Duarte Blog Recommendation: "Brain Food for Hackers"

    Earlier today I literally stumbled into a site unfamiliar to me, the blog of
    Gustavo Duarte called "Brain Food for Hackers."

    Contrary to what you might expect from the name, it is not a guide to
    hacking, but (among other things) a series of extremely clear, lucid, and
    accessible articles -- most with great graphics -- explaining how modern PCs
    and OSes work in various respects -- CPU, system calls, page caches,
    recursion, and so on. While most of his examples are for UNIX/Linux, he also
    takes care to explain the relationship of these principles to Windows and
    other systems.

    His blog is only relatively infrequently updated -- the last update is from
    late last year. But if you've ever wondered how this stuff works -- and you
    really should! -- you might want to check out his blog archive at:

    http://duartes.org/gustavo/blog/archives/

    Great work, Gustavo!

    ------------------------------

    Date: Sun, 10 May 2015 12:26:08 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: HTTPS: the end of an era

    Medium via NNSquad
    https://medium.com/@b_k/https-the-end-of-an-era-c106acded474

    Mozilla, the foundation that maintains Firefox, has announced that it will
    effectively deprecate the insecure HTTP protocol, eventually forcing all
    sites to use HTTPS if they hope to use modern features. This essay
    explains why this was such depressing news to me, why this shift marks the
    death of a way of life ... An HTTPS site can not be built on a desert
    island network, because you need a signature from a certificate
    authority. A dissident is screwed, because the dissident must give
    identifying information to the certificate authority. -- Ben Klemens

    More on this theme: "When Mozilla's Fanatics Make Us All Look Bad":
    http://lauren.vortex.com/archive/001099.html

    ------------------------------

    Date: Sun, 10 May 2015 19:27:32 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Another reason why any moves toward forced https: are so
    potentially dangerous

    Google via NNSquad
    https://plus.google.com/+LaurenWeinstein/posts/N5c2RiTSBPf (Google+)

    The Internet is already far too dependent on centralized authorities. We've
    seen the DNS abused by LEOs (Law Enforcement Organizations) and courts, not
    to mention being turned into an extortion racket by many gTLD domainers and
    the domain-industrial complex. Any moves that would make Net communications
    even more dependent on centralized entities should be non-starters. I don't
    care who the central entities are -- even with the best of intentions they
    could be manipulated by LEOs, courts, crooks, black hat hackers, intel
    agencies, or whomever to the detriment of potentially vast numbers of sites
    coerced into dependency on issued certs and the associated "chains of
    trust."

    ------------------------------

    Date: Fri, 8 May 2015 23:49:03 -0700
    From: David Brodbeck <david.m....@gmail.com>
    Subject: Re: Authentication vs Identification ... (Ashworth, RISKS-28.62)

    Jay Ashworth makes a number of excellent points about the problems of using
    Social Security Numbers as both identifiers and authenticators, and suggests
    organizations should stop asking for them at all unless there's a legal
    need.

    A big sticking point here is the use of SSNs as identifiers for credit
    reports.

    Everyone from utility companies to landlords to prospective employers runs
    credit checks these days, which means they all need to ask for my SSN.
    Often, refusing to give it would either mean being denied, or providing a
    prohibitively large deposit. Landlords are especially risky, since I can
    never be sure if they're actually going to follow through with a lease, or
    if they're just going to abscond with my personal details and my application
    fee. A typical rental application has enough info for a very effective
    identity theft -- SSN, previous addresses, employment information...

    ------------------------------

    Date: Sat, 9 May 2015 14:52:00 -0400
    From: Richard I Cook MD <rico...@gmail.com>
    Subject: Re: Doctors don't like EHRs (Geissman, RISKS 28.62)

    This is a sore spot for the medical world but not, perhaps, as important as
    it at first appears. Exchange of data between systems is not as frequent as
    it might have been in the past. The reason is that insurance schemes [sic]
    severely limit the choice of provider so cross-system data access is the
    exception rather than the rule.

    It is true that EHR vendors benefit from non-standard databases. They get to
    program things as they like and the difficulty in moving existing data to
    another vendor's platform is an obstacle to switching vendors. But the
    significance of this is decreasing as the medical industry becomes an EHR
    monoculture. The EHR world is quite likely to end up with a single vendor by
    2020. Making data accessible for exchange doesn't do much if there is no one
    to exchange with.

    See Koppel & Lehmann (2015). Implications of an emerging EHR monoculture for
    hospitals and healthcare systems. JAMIA 22:465-471. doi:10.1136, available
    as PDF: http://jamia.oxfordjournals.org/content/jaminfo/22/2/465.full.pdf

    ------------------------------

    Date: Fri, 8 May 2015 22:46:45 -0500
    From: "Alister Wm Macintyre \(Wow\)" <macwh...@wowway.com>
    Subject: Re: Doctors don't like EHRs (Geissman, RISKS-28.62)

    I think whoever is in charge of enforcing a standard has a lot to do with
    whether it is competent.

    Consider PCI-DSS, which most security professionals consider to be a minimum
    standard, but security professionals are not in charge of PCI-DSS; the
    credit card companies are. There is a slight variation for each card
    company. If a financial institution wishes to issue a particular credit
    card, or a retailer wishes to accept payment via some card, they must agree
    to the terms of the standard for that card, unless they are exempted by law,
    such as using a credit card to pay for government services. If they
    sub-contract card processing to some other firm, they are supposed to
    cascade the standard into whatever contract, but is this ever audited by the
    credit card companies? One of the reasons why there are so many breaches
    is that agreeing to a standard is not the same as obeying it. The standard
    is supposedly adhered to, during an eye blink of an occasional audit, on
    systems which are forever in a state of flux with various hardware and
    software upgrades and patches. Standards Compliance Testing really needs to
    be continuous, or rerun after every update. Then the folks who agreed to
    the standard claim to have met it because of the eye blink test, when in
    fact many of them are ignorant of what all is in the standard. When I was
    full-time IT, I occasionally saw on IT forums some peer who had been ordered
    to implement the PCI-DSS standard, with zero training, who was reaching out
    to fellow computing professionals for guidance on what the heck it is,
    because his or her boss had no idea.

    I believe EHR is a sub-set of Obama Care, which the Republicans have been
    trying to sabotage since day one. Then implementation was handed to a
    government agency which lacked experience in the scale of the project, and
    called on hundreds of contractors to each produce pieces of the giant jigsaw
    puzzle. We should be amazed the result is working as well as it is.

    Whether there is a single mortgage standard may be in the eyes of the
    beholder. In many US states there are court battles over whether the
    banking industry is permitted to supplant the old courthouse system of
    keeping track of who is a legal owner of real estate. Under the new
    standard, there have been cases of banks foreclosing on homes owned free and
    clear, because the records had failed to have been cleared of info on former
    owners of the property. I don't know if that ever happened under the
    courthouse system. But the court house system seems to be suffering a
    higher rate of breaches, thanks to government budgets and laws not keeping
    up with privacy risks.

    I am now retired, but when I was full time in manufacturing ERP, one
    standard we had was EDI (electronic data interchange), where companies in a
    supply chain send each other business forms associated with the ordering and
    delivery of widgets, and getting paid for them. I worked with EDI I and EDI
    II. I would not be surprised if there's an EDI III by now. These were
    packages of standards, where there was a standard for each type of form,
    each type of data, each type of company, each type of communication, and
    other ingredients. I knew of no company which adhered to relevant
    standards, except a few industries had a too-big-to-fail conglomerate, or
    super-store chain, creating their own independent standards, for any doing
    business with them. The normal rule was each company claimed to have
    exceptions, which required their customers and vendors to make modifications
    to the standards for the business to work. One of my employer's customers
    was mandating new modifications more frequently than Microsoft delivers
    critical patches. Upper management mandated we do anything a customer
    wants, claiming this customer's management had promised to pay all expenses
    because of implementation urgency. That lasted until they were willing to
    discuss the bill for tens of thousands of hours implementing the never
    ending modifications.

    The best enforced standard may be income tax forms like W-2, because there
    is a single organization in charge, with serious fines for outfits who
    violate the standard. Before I retired, the IRS would wait until a few
    months before filing deadline, to change form design, and our ERP company
    could not implement the changes until 6 months after the deadline, so we had
    to modify to meet IRS standards, then address it again when vendor patches
    arrived.

    ------------------------------

    Date: Sat, 09 May 2015 00:31:30 +0100
    From: Wols Lists <antl...@youngman.org.uk>
    Subject: Re: All cars must have tracking devices ... (AlMac, RISKS-28.62)

    Mmmm ... that's problematic. All level crossings *should* have automatic
    barriers, and sensors that leave the train signals on yellow until the
    barriers have properly deployed with a clear path left for the train.

    The problem here, in Europe at least, is that many times by the time the
    barrier is deployed and a problem detected, the train may be too close
    to stop.

    > But EU auto manufacturers, which export to other nations, may need to
    > disable this feature ...

    This is nothing new. Most new cars here have LED running lights. I believe
    they are (or were) not permitted in the US. Different standards for
    different markets is par for the course.

    > * The USA has places where cell reception is no good, such as some rural
    > areas, and valleys. Is this also true in Europe?

    Of course. Britain is the most densely populated country in Europe, yet
    we have vast swathes of hilly country with few people, and hence few
    mobile masts. Lots of hills and not many masts means plenty of areas
    where reception is poor or non-existent (and that includes a lot of
    large villages / small towns !!!)

    We don't, as far as I know, have many accidents caused by false deployment
    of airbags. If the airbag deployment also triggers the alarm, then the
    false-positive and false-negative rate is going to be low (false negative as
    in an accident causing critical injuries fails to trigger an alarm).

    Admittedly, given our dense population, the cost of responding to false
    alarms is likely to be low, and a precautionary over-response is likely to
    be fairly cost-effective.

    ------------------------------

    Date: 9 May 2015 02:23:43 -0000
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: All cars must have tracking devices ... (AlMac, RISKS-28.62)

    Trains have drivers (engineers in US English) who can see vehicles blocking
    crossings. The problem isn't seeing them, the problem is that for reasons
    of physics and engineering by the time the driver or the radar can see the
    vehicle, it's too late to stop the train.

    The technical rules for cars in the EU are different from those for
    North America and other countries, even cars with the same model name.
    Having driven both the US Ford Focus and the European Ford Focus, I
    wish I could buy the European one here, since it's a much better car.
    Installing or removing a cell phone would be the least of the issues in
    converting one from somewhere else to meet EU rules.

    > * Will this system be as easy to hack as prior systems installed in
    > vehicles?

    Of course.

    ------------------------------

    Date: Sun, 10 May 2015 16:01:03 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: REVIEW: "Security for Service Oriented Architectures", Walter Williams

    BKSECSOA.RVW 20150130

    "Security for Service Oriented Architectures", Walter Williams, 2014,
    978-1466584020, U$61.97
    %A Walter Williams walt.w...@gmail.com
    %C #300 - 6000 Broken Sound Parkway NW, Boca Raton, FL 33487-2742
    %D 2014
    %G 978-1466584020 1466584025
    %I CRC Press
    %O U$61.97 800-272-7737 http://www.bh.com/bh/
    %O http://www.amazon.com/exec/obidos/ASIN/1466584025/robsladesinterne
    http://www.amazon.co.uk/exec/obidos/ASIN/1466584025/robsladesinte-21
    %O http://www.amazon.ca/exec/obidos/ASIN/1466584025/robsladesin03-20
    %O Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
    %P 329 p.
    %T "Security for Service Oriented Architectures"

    Walt Williams is one of the sporadic, but thoughtful, posting members of the
    international CISSP Forum. He has come up with a significant text on an
    important topic.

    After some preface and introduction, the book starts in chapter two,
    defining the four kinds of architecture in computer systems: infrastructure,
    software, data, and security. This chapter covers foundational concepts, as
    well as service oriented architecture (SOA), and is, alone, worth the price
    of the book.

    Chapter three, on implementation, comprises the bulk of the space in the
    work, and is primarily of interest to those dealing with development,
    although it does have a number of points and observations of use to the
    manager or security practitioner. "Web 2.0" (chapter four) has some brief
    points on those advanced usages. A variety of additional SOA platforms are
    examined in chapter five. Chapter six, on the auditing of SOA applications,
    covers not only the how, but also notes specific types of attacks, and the
    most appropriate auditing tools for each case. Much the same is done, in
    terms of more general protection, in chapter seven. Chapter eight, simply
    entitled "Architecture," finishes off with sample cases.

    It is an unfortunate truism that most security professionals do not know
    enough about programming, and most programmers don't care anything about
    security. This is nowhere truer than in service oriented architecture and
    "the cloud," where speed of release and bolt-on functionality trumps every
    other consideration. Williams' work is almost alone in a badly under-served
    field. Despite a lack of competition, it is a worthy introduction. I can
    recommend this book to anyone involved in either security or development,
    particularly those working in that nebulous concept known as "the cloud."

    copyright, Robert M. Slade 2015 BKSECSOA.RVW 20150130
    rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
    if possible and convenient for you. The mailman Web interface can
    be used directly to subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks
    Alternatively, to subscribe or unsubscribe via e-mail to mailman
    your FROM: address, send a message to
    risks-...@csl.sri.com
    containing only the one-word text subscribe or unsubscribe. You may
    also specify a different receiving address: subscribe address= ... .
    You may short-circuit that process by sending directly to either
    risks-s...@csl.sri.com or risks-un...@csl.sri.com
    depending on which action is to be taken.

    Subscription and unsubscription requests require that you reply to a
    confirmation message sent to the subscribing mail address. Instructions
    are included in the confirmation message. Each issue of RISKS that you
    receive contains information on how to post, unsubscribe, etc.

    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines.

    => .UK users may contact <Lindsay....@newcastle.ac.uk>.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you NEVER send mail!
    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
    *** NOTE: Including the string `notsp' at the beginning or end of the subject
    *** line will be very helpful in separating real contributions from spam.
    *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
    http://www.risks.org takes you to Lindsay Marshall's searchable archive at
    newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 28.63
    ************************
     
  7. LakeGator

    LakeGator Mostly Harmless Moderator VIP Member

    Apr 3, 2007
    Tampa
    RISKS List Owner

    May 16, 2015 3:09 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 16 May 2015 Volume 28 : Issue 64

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.64.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Amtrak Says It Was Just Months Away From Installing Safety System (NYTimes)
    Self-driving cars are getting into accidents in California (LATimes)
    Worker fired for disabling GPS app that tracked her 24 hours a day
    (David Kravets via Jim Reisert)
    Banned Researcher Commandeered a Plane (Kim Zetter)
    United launches bug bounty (but in-flight systems off limits) (Jeremy Kirk)
    A Phantom Offer Sends Avon's Shares Surging (NYTimes)
    The big drug database in the sky: One firefighter's year-long legal
    nightmare (Gabe Goldberg)
    "Rombertik malware destroys computers if detected" (Jeremy Kirk)
    Extremely serious virtual machine bug threatens cloud providers everywhere
    (Ars Technica)
    "Google Confirms Cops Can Wiretap Your Hangouts" (Vice.com)
    Cybersecurity company accused of extortion (Henry Baker)
    Former federal employee busted for attempted cyber-attack to sell nuclear
    secrets (Gabe Goldberg)
    Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked (Krebs via
    Lauren Weinstein)
    Team cracks Nvidia GPUs with malware for Windows and OS X (Digital Trends)
    Penn State severs engineering network after "incredibly serious" intrusion
    (Ars Technica)
    Anonymous accused of running a botnet using thousands of hacked home routers
    (Daily Dot)
    Witness Accounts in Midtown Hammer Attack Show the Power of False Memory
    (NYTimes)
    Trains re: All cars must have tracking devices (David Damerell)
    Re: Computer Scientists Use Twitter to Predict UK General Election
    Result (Gene Wirchenko)
    Re: Dealing with rogue drones, Copping a 'copter (Dick Mills)
    Re: Authentication vs Identification ... (John Levine)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 14 May 2015 21:24:14 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Amtrak Says It Was Just Months Away From Installing Safety System

    http://www.nytimes.com/2015/05/15/us/amtrak-says-it-was-just-months-away-from-installing-safety-system.html

    The railroad said technical and regulatory roadblocks had delayed operation
    of the system, which might have prevented this week's train derailment.

    ------------------------------

    Date: Tue, 12 May 2015 08:55:59 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Self-driving cars are getting into accidents in California

    http://www.latimes.com/business/la-fi-self-driving-accidents-20150512-story.html

    ------------------------------

    Date: Mon, 11 May 2015 19:02:15 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Worker fired for disabling GPS app that tracked her 24 hours a day
    (David Kravets)

    "This intrusion would be highly offensive to a reasonable person."

    David Kravets, Ars Technica, 11 May 2015
    http://arstechnica.com/tech-policy/2015/05/worker-fired-for-disabling-gps-app-that-tracked-her-24-hours-a-day/

    Let's just jump to the end of the article, shall we?

    "The app had a "clock in/out" feature which did not stop GPS monitoring,
    that function remained on. This is the problem about which Ms. Arias
    complained. Management never made mention of mileage. They would tell her
    co-workers and her of their driving speed, roads taken, and time spent at
    customer locations. Her manager made it clear that he was using the program
    to continuously monitor her, during company as well as personal time."

    ------------------------------

    Date: Fri, 15 May 2015 21:12:42 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Banned Researcher Commandeered a Plane (Kim Zetter)

    (Courtesy of Dan Farmer: Fly the unfriendly skies?)

    Kim Zetter, Feds Say That Banned Researcher Commandeered a Plane
    http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/

    A security researcher kicked off a United Airlines flight last month after
    tweeting about security vulnerabilities in its system had previously taken
    control of an airplane and caused it to briefly fly sideways, according to
    an application for a search warrant filed by an FBI agent.

    Chris Roberts, a security researcher with One World Labs, told the FBI agent
    during an interview in February that he had hacked the in-flight
    entertainment system, or IFE, on an airplane and overwrote code on the
    plane's Thrust Management Computer while aboard the flight. He was able to
    issue a climb command and make the plane briefly change course, the document
    states.

    FBI Special Agent Mark Hurley: ``He stated that he thereby caused one of the
    airplane engines to climb resulting in a lateral or sideways movement of the
    plane during one of these flights. He also stated that he used Vortex
    software after comprising/exploiting or hacking the airplane's networks. He
    used the software to monitor traffic from the cockpit system.''

    Hurley filed the search warrant application last month after Roberts was
    removed from a United Airlines flight from Chicago to Syracuse, New York,
    because he published a facetious tweet suggesting he might hack into the
    plane's network. Upon landing in Syracuse, two FBI agents and two local
    police officers escorted him from the plane and interrogated him for several
    hours. They also seized two laptop computers and several hard drives and USB
    sticks. Although the agents did not have a warrant when they seized the
    devices, they told Roberts a warrant was pending.

    A media outlet in Canada obtained the application for the warrant today and
    published it online.

    http://aptn.ca/news/2015/05/15/hacker-told-f-b-made-plane-fly-sideways-cracking-entertainment-system/

    The information outlined in the warrant application reveals a far more
    serious situation than Roberts has previously disclosed.

    Roberts had previously told WIRED that he caused a plane to climb during a
    simulated test on a virtual environment he and a colleague created, but he
    insisted that he had not interfered with the operation of a plane while in
    flight.

    He told WIRED that he did access in-flight networks about 15 times during
    various flights but had not done anything beyond explore the networks and
    observe data traffic crossing them. According to the FBI affidavit, however,
    he mentioned this to agents as well last February but also added that he had
    briefly commandeered a plane during one of those flights. He told the FBI
    that the flights in which he accessed the in-flight networks more than a
    dozen times occurred between 2011 and 2014, but the affidavit does not
    indicate exactly which flight he allegedly caused to turn to the side.

    He obtained physical access to the networks through the Seat Electronic Box,
    or SEB. These are installed two to a row, on each side of the aisle under
    passenger seats, on certain planes. After removing the cover to the SEB by
    `wiggling and Squeezing the box', Roberts told agents he attached a Cat6
    ethernet cable, with a modified connector, to the box and to his laptop and
    then used default IDs and passwords to gain access to the inflight
    entertainment system. Once on that network, he was able to gain access to
    other systems on the planes.

    Reaction in the security community to the new revelations in the affidavit
    has been harsh. Although Roberts hasn't been charged yet with any
    crime, and there are questions about whether his actions really did cause
    the plane to list or he simply thought they did, a number of security
    researchers have expressed shock that he attempted to tamper with a plane
    during a flight.

    ``I find it really hard to believe but if that is the case he deserves going
    to jail,'' wrote Jaime Blasco, director of AlienVault Labs in a tweet.

    Alex Stamos, chief information security officer of Yahoo, wrote in a tweet,
    ``You cannot promote the (true) idea that security research benefits
    humanity while defending research that endangered hundreds of innocents.''

    [Wonderful long item truncated for RISKS. PGN]

    ------------------------------

    Date: Sat, 16 May 2015 10:35:30 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: United launches bug bounty (but in-flight systems off limits)
    (Jeremy Kirk)

    Jeremy Kirk (CSO), 15 May 2015
    http://www.cso.com.au/article/575093/united-launches-bug-bounty-in-flight-systems-off-limits/

    United Airlines is offering rewards to researchers for finding flaws in its
    websites but the company is excluding bugs related to in-flight systems,
    which the U.S. government says may be increasingly targeted by hackers.

    The bug bounty program rewards people with miles that can be used for the
    company's Mileage Plus loyalty program as opposed to cash, which web giants
    such as Google, Facebook and Yahoo pay.

    ------------------------------

    Date: Fri, 15 May 2015 08:29:44 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: A Phantom Offer Sends Avon's Shares Surging

    http://www.nytimes.com/2015/05/15/business/dealbook/a-phantom-offer-sends-avons-shares-surging.html

    ------------------------------

    Date: Tue, 12 May 2015 22:17:17 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The big drug database in the sky: One firefighter's year-long
    legal nightmare

    Together, Miller and Smith form the basis for what is now known as the
    "third-party doctrine." In its simplest form, the doctrine says that
    whenever someone hands over a private piece of information to a third party
    for a specific purpose, the Fourth Amendment doesn't protect her from a
    warrantless search of this information by authorities since she has already
    given up her privacy interest in the information by sharing it.

    The doctrine "has been problematic throughout the years, and with every
    passing year the problems get more and more stark," said Nathan Wessler, a
    staff attorney at the American Civil Liberties Union who is litigating a
    prescription drug database case in Oregon. Nearly everything we do online
    reveals information to a third party, from e-mail stored in the cloud to
    photo sharing to instant messaging to browsing the Web to geolocation.

    "It's totally clear that this doctrine has no place today in the digital
    age," Wessler added. "It's really impossible to participate in modern life,
    in social life, in work and business, to get medical care and legal advice
    without using digital technology and leaving behind a trail and digital
    bread crumbs."

    http://arstechnica.com/tech-policy/2015/05/the-big-drug-database-in-the-sky-one-firefighters-year-long-legal-nightmare/

    Gabriel Goldberg, 3401 Silver Maple Place, Falls Church, VA 22042
    (703) 204-0433 ga...@gabegold.com

    ------------------------------

    Date: Thu, 14 May 2015 09:55:51 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Rombertik malware destroys computers if detected" (Jeremy Kirk)

    Jeremy Kirk, InfoWorld, 5 May 2015
    Rombertik is designed to steal any plain text entered into a browser window
    http://www.infoworld.com/article/2918401/security/rombertik-malware-destroys-computers-if-detected.html

    A new type of malware resorts to crippling a computer if it is detected
    during security checks, a particularly catastrophic blow to its
    victims. [...]

    ------------------------------

    Date: Wed, 13 May 2015 13:48:13 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Extremely serious virtual machine bug threatens cloud providers
    everywhere (Ars Technica)

    http://arstechnica.com/security/2015/05/extremely-serious-virtual-machine-bug-threatens-cloud-providers-everywhere/

    http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/

    [This may be the tip of an iceberg in recognizing more broadly the risks
    inherent in outsourcing to a provider of unknown trustworthiness. PGN]

    ------------------------------

    Date: Tue, 12 May 2015 09:12:25 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: "Google Confirms Cops Can Wiretap Your Hangouts" (Vice.com)

    http://motherboard.vice.com/read/google-confirms-cops-can-wiretap-your-hangouts?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+xda-developers/ShsH+%28xda-developers%29&hootPostID=976dc560ff0952b50b22b479e285a435

    "We asked Google to clarify, or elaborate, on Monday, and a spokesperson
    confirmed that Hangouts doesn't use end-to-end encryption. That makes it
    technically possible for Google to wiretap conversations at the request of
    law enforcement agents, even when you turn on the "off the record"
    feature, which actually only prevents the chat conversations from
    appearing in your history--it doesn't provide extra encryption or
    security. It's unclear how many times this actually happens, however. In
    all likelihood, it's a rare occurrence."

    There has never been a claim of end-to-end crypto for Hangouts. Given the
    integration of Hangouts to both mobile and desktop, and the various history
    options, end-to-end crypto in that environment would be a nontrivial
    undertaking. Not every service is appropriate for every kind of
    communication.

    [LATER NOTE FROM LAUREN ADDED BY PGN:]
    The video of the discussion Hangout I hosted yesterday on the topic of
    the EU's "Right To Be Forgotten" and its ramifications is now available.
    Special thanks to the participants for a thoughtful hour!
    https://www.youtube.com/watch?v=ZSdhMfsxWOs

    ------------------------------

    Date: Thu, 14 May 2015 11:57:24 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Cybersecurity company accused of extortion

    A cybersecurity company has been accused of using FBI/NSA-style
    "cybersecurity" extortion against clients. Clearly, private companies like
    LabMD are less willing than the US Congress to abide these extortion
    attempts. Tell me that cover story again about that "drunken govt employee"
    who "inadvertently" flew his "private" drone onto the White House lawn...

    Apparently, when govt spooks go into private business, they forget to change
    their modus operandi...

    Jose Pagliery, CNNMoney, 7 May 2015
    Whistleblower accuses cybersecurity company of extorting clients
    http://money.cnn.com/2015/05/07/technology/tiversa-labmd-ftc/index.html

    A cybersecurity company faked hacks and extorted clients to buy its
    services, according to an ex-employee. In a federal court this week,
    Richard Wallace, a former investigator at cybersecurity company Tiversa,
    said the company routinely engaged in fraud -- and mafia-style shakedowns.
    To scare potential clients, Tiversa would typically make up fake data
    breaches, Wallace said. Then it pressured firms to pay up. "Hire us or
    face the music," Wallace said on Tuesday at a federal courtroom in
    Washington, D.C. CNNMoney obtained a transcript of the hearing.

    The results were disastrous for at least one company that stood up to
    Tiversa and refused to pay. In 2010, Tiversa scammed LabMD, a cancer
    testing center in Atlanta, Wallace testified. Wallace said he tapped into
    LabMD's computers and pulled the medical records. The cybersecurity firm
    then alerted LabMD it had been hacked. Tiversa offered it emergency
    "incident response" cybersecurity services. After the lab refused the
    offer, Tiversa threatened to tip off federal regulators about the "data
    breach." When LabMD still refused, Tiversa let the Federal Trade Commission
    know about the "hack." [... LONG ITEM truncated for RISKS. PGN]

    ------------------------------

    Date: Thu, 14 May 2015 16:31:44 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Former federal employee busted for attempted cyber-attack to
    sell nuclear secrets

    A former employee of the U.S. Department of Energy and U.S. Nuclear
    Regulatory Commission was busted in an FBI sting for allegedly attempting to
    set off a "spear fishing" cyber-attack to extract nuclear information from
    the agency for personal gain.

    http://www.foxnews.com/politics/2015/05/09/former-department-energy-employee-busted-for-attempted-cyber-attack-to-sell/

    Gabriel Goldberg, 3401 Silver Maple Place, Falls Church, VA 22042
    (703) 204-0433 ga...@gabegold.com

    ------------------------------

    Date: Thu, 14 May 2015 19:41:51 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked

    http://krebsonsecurity.com/2015/05/mobile-spy-software-maker-mspy-hacked-customer-data-leaked/

    mSpy, the makers of a dubious software-as-a-service product that claims to
    help more than two million people spy on the mobile devices of their kids
    and partners, appears to have been massively hacked. Last week, a huge
    trove of data apparently stolen from the company's servers was posted on
    the Deep Web, exposing countless emails, text messages, payment and
    location data on an undetermined number of mSpy "users."

    Live by the sword, die by the sword.

    [Also noted by Henry Baker, who remarked:
    ``Any pot with this much honey will get hacked. Any bets on how long
    before Bluffdale gets hacked (again)?''
    PGN]

    ------------------------------

    Date: 15 May 2015 19:39:46 -0400
    From: "Bob Frankston" <bob19...@bobf.frankston.com>
    Subject: Team cracks Nvidia GPUs with malware for Windows and OS X
    (Digital Trends)

    http://www.digitaltrends.com/computing/graphics-cards-beware-a-new-style-of-osx-malware-can-hide-in-the-ram-of-gpus/

    ------------------------------

    Date: Fri, 15 May 2015 14:34:54 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Penn State severs engineering network after "incredibly serious"
    intrusion (Ars Technica via NNSquad)

    http://arstechnica.com/security/2015/05/penn-state-severs-engineering-network-after-incredibly-serious-intrusion/

    "Penn State's College of Engineering has been disconnected from the
    Internet so it can recover from two serious computer intrusions that
    exposed personal information for at least 18,000 people and possibly other
    sensitive data, officials said Friday. The group responsible for one of
    the attacks appears to be based in China, a country many security analysts
    have said actively hacks and trawls the computer networks of western
    nations for a wide range of technical data. University officials said
    there's no evidence that the intruders obtained research data, but they
    didn't rule the possibility out. Officials have known of the breach since
    November 21, when the FBI reported an attack on the engineering college
    network by an outside entity."

    ------------------------------

    Date: Tue, 12 May 2015 08:27:14 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Anonymous accused of running a botnet using thousands of hacked
    home routers (Daily Dot)

    http://www.dailydot.com/politics/botnet-incapsula-research-report-default/

    "Lazy security has allowed various groups of hackers, likely including
    Anonymous, to hijack hundreds of thousands of home and office Internet
    routers, according to a new report from cybersecurity firm Incapsula."

    Well, "lax" security, anyway.

    ------------------------------

    Date: Fri, 15 May 2015 09:04:11 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Witness Accounts in Midtown Hammer Attack Show the Power of False Memory

    http://www.nytimes.com/2015/05/15/nyregion/witness-accounts-in-midtown-hammer-attack-show-the-power-of-false-memory.html

    Two people who saw a police encounter on Wednesday reported different
    details; surveillance videotape showed that both of them were wrong.

    ------------------------------

    Date: Wed, 13 May 2015 18:49:44 +0100
    From: David Damerell <dame...@chiark.greenend.org.uk>
    Subject: Trains re: All cars must have tracking devices (Levine, RISKS-28.63)

    An increasingly common arrangement (in the UK, at least) is that the signal
    control room can observe the level crossing via CCTV. That, especially with
    in-cab signaling, might allow the train to start a brake application before
    the driver or radar could see the stranded vehicle, either not hitting it or
    buying time.

    However - while I'm not disputing that people would do it - the
    fundamental problem here seems to be:
    1) your vehicle stops moving on a level crossing.
    2) the level crossing gates close.
    3) you stay in the vehicle.

    There is not much the railway can do about that.

    ------------------------------

    Date: Mon, 11 May 2015 18:52:26 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Computer Scientists Use Twitter to Predict UK General Election
    Result (Page, RISKS-28.62)

    Congratulations to Mr. Page et al. on a very good result, BUT what about the
    people who do not use Twitter? Excluding them could skew results. There is
    a famous precedent: *The Literary Digest*'s failure to predict the 1936
    U.S. presidential election, as covered at
    http://www.math.uah.edu/stat/data/LiteraryDigest.html

    Some quotes from that article:

    "The prospective voters were chosen from the subscription list of the
    magazine, from automobile registration lists, from phone lists, and from
    club membership lists."

    "Based on the poll, The Literary Digest predicted that Landon would win
    the 1936 presidential election with 57.1% of the popular vote and an
    electoral college margin of 370 to 161. In fact, Roosevelt won the
    election with 60.8% of the popular vote (27,751,841 to 16,679,491) and an
    electoral college landslide of 523 to 8 (the largest ever in a
    presidential election). Roosevelt won 46 of 48 states, losing only Maine
    and Vermont.

    The *Literary Digest*, using similar techniques, had correctly predicted the
    outcome of the last four presidential elections. But in this case, the
    magazine was not just wrong, it was spectacularly wrong. In part because of
    the subsequent loss of prestige and credibility, the magazine died just two
    years later.

    What went wrong? Clearly the sample was skewed towards wealthier
    voters--those who could afford magazine subscriptions, cars, phones, and
    club memberships in the depths of the Great Depression. This sort of bias
    would not matter if wealthier voters behaved in a similar manner to voters
    as a whole (as was basically the case in the previous four elections). But
    in 1936, at a time of great tension between economic classes, this was
    definitely not the case.

    Another problem, not easily understood, is self-selection bias. Were the
    voters who chose to return the questionnaires different, in terms of how
    they planned to vote, from the voters who did not respond?"

    Note that "The Literary Digest" had been correct for the previous four
    elections and then stunningly blew it. Might we have a repeat coming up?

    ------------------------------

    Date: Fri, 15 May 2015 17:45:20 -0400
    From: Dick Mills <dickandl...@gmail.com>
    Subject: Re: Dealing with rogue drones, Copping a 'copter (RISKS-28.62)

    On the *Economist* article about authorities trying to thwart drones:
    They better be careful, I saw this in recent news.

    "The Federal Aviation Administration felt the need to issue a statement
    Friday asking the general public not to shoot at drones flying overhead as
    a small Colorado town is considering an ordinance urging townsfolk to shoot
    down unmanned aerial vehicles. 'Shooting at an unmanned aircraft could
    result in criminal or civil liability, just as would firing at a manned
    airplane,' the statement from the FAA read."

    http://defensetech.org/2013/07/22/faa-to-town-please-dont-shoot-down-drones/

    Other news comments warn states and law enforcement about the same legal
    liability risk if they did take action against drones. The legal status of
    drones needs clarification.

    ------------------------------

    Date: 12 May 2015 00:24:32 -0000
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: Authentication vs Identification ... (Brodbeck, RISKS-28.63)

    That horse left the barn several generations ago, unfortunately.

    The problem is the fiction that the SSN is secret, so anyone who presents
    your SSN must be you. I'd prefer to address it directly by saying, sure,
    they can demand an SSN all they want, but any transaction validated with an
    SSN isn't enforceable.

    Did they ask for your SSN when you applied for a credit card? Great! You
    don't have to pay the bill.

    Did they use your SSN to request a credit report? They better not make any
    adverse decisions based on it.

    This might be a challenge to enforce, but I think the idea is right. There
    are other issues like the lack of a check digit and the dense number space
    makes it way too easy to get the number wrong (transpose the last two digits
    and you'll likely have the valid SSN of someone else born roughly when and
    where you were), but they're side issues compared to the faux secrecy.
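    As an added illustration of Levine's check-digit point (example code, not
    part of the original post): a bare format check accepts an SSN whose last
    two digits were transposed, whereas a weighted mod-11 check digit of the
    kind ISBN-10 uses (borrowed here purely as an illustration; the SSA uses
    no such scheme) rejects every adjacent transposition and every single-digit
    error. The sample number is the standard documentation placeholder, not a
    real one.

```python
import re

# Constructed sample value, not a real person's number: the standard
# "123-45-6789" placeholder used in documentation.
SAMPLE_SSN = "123-45-6789"

SSN_FORMAT = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def looks_like_ssn(value: str) -> bool:
    """A format check is all the SSN's structure allows: nine digits in
    AAA-GG-SSSS layout, with no internal redundancy to verify against."""
    return bool(SSN_FORMAT.match(value))


def transpose_last_two(value: str) -> str:
    """Swap the last two characters: the error Levine describes."""
    return value[:-2] + value[-1] + value[-2]


def mod11_check_digit(digits: str) -> str:
    """ISBN-10 style check digit for a 9-digit string: weights 10 down to 2,
    chosen so the weighted sum including the check digit is 0 mod 11.
    A remainder of 10 is written as 'X'."""
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("expected exactly nine digits")
    total = sum((10 - i) * int(d) for i, d in enumerate(digits))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def with_check_digit(digits: str) -> str:
    """Append the check digit, giving a 10-character identifier."""
    return digits + mod11_check_digit(digits)


def verify_checked(identifier: str) -> bool:
    """Accept a 10-character identifier only if its weighted sum (weights
    10..1) is 0 mod 11. Because 11 is prime and the weights are distinct
    and consecutive, any single wrong digit or swap of two adjacent digits
    changes the sum by a non-multiple of 11 and is rejected."""
    if len(identifier) != 10 or not identifier[:9].isdigit():
        return False
    last = identifier[9]
    if last == "X":
        check = 10
    elif last.isdigit():
        check = int(last)
    else:
        return False
    total = sum((10 - i) * int(d) for i, d in enumerate(identifier[:9])) + check
    return total % 11 == 0


def all_adjacent_transpositions_rejected(digits: str) -> bool:
    """True if every adjacent-digit swap of `digits` fails verification
    against the original check digit (swaps of equal digits are no error)."""
    check = mod11_check_digit(digits)
    for i in range(len(digits) - 1):
        if digits[i] == digits[i + 1]:
            continue
        swapped = digits[:i] + digits[i + 1] + digits[i] + digits[i + 2:]
        if verify_checked(swapped + check):
            return False
    return True


if __name__ == "__main__":
    typo = transpose_last_two(SAMPLE_SSN)
    print(SAMPLE_SSN, "->", typo, "still passes format check:", looks_like_ssn(typo))
    digits = SAMPLE_SSN.replace("-", "")
    checked = with_check_digit(digits)
    print(digits, "with check digit:", checked, "verifies:", verify_checked(checked))
    bad = transpose_last_two(digits) + checked[-1]
    print("transposed:", bad, "verifies:", verify_checked(bad))
```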

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
    if possible and convenient for you. The mailman Web interface can
    be used directly to subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks
    Alternatively, to subscribe or unsubscribe via e-mail to mailman
    your FROM: address, send a message to
    risks-...@csl.sri.com
    containing only the one-word text subscribe or unsubscribe. You may
    also specify a different receiving address: subscribe address= ... .
    You may short-circuit that process by sending directly to either
    risks-s...@csl.sri.com or risks-un...@csl.sri.com
    depending on which action is to be taken.

    Subscription and unsubscription requests require that you reply to a
    confirmation message sent to the subscribing mail address. Instructions
    are included in the confirmation message. Each issue of RISKS that you
    receive contains information on how to post, unsubscribe, etc.

    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines.

    => .UK users may contact <Lindsay....@newcastle.ac.uk>.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you NEVER send mail!
    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
    *** NOTE: Including the string `notsp' at the beginning or end of the subject
    *** line will be very helpful in separating real contributions from spam.
    *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
    http://www.risks.org takes you to Lindsay Marshall's searchable archive at
    newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 28.64
    ************************
     
  8. LakeGator

    LakeGator Mostly Harmless Moderator VIP Member

    Risks Digest 28.65

    RISKS List Owner

    May 26, 2015 7:24 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 25 May 2015 Volume 28 : Issue 65

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.65.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    The atrocious security of Trident nuclear subs (Henry Baker)
    Amtrak, After Derailment, Told to Expand Automatic Brake Use (NYTimes
    via Monty Solomon)
    A world ripe for the picking / Diploma mill edition (NYTimes via
    Bob Frankston)
    Fake Diplomas, Real Cash: Pakistani Company Axact Reaps Millions (more)
    Axact, Fake Diploma Company, Threatens Pakistani Bloggers Who Laugh
    at Its Expense (more)
    Text of Axact's Response to The New York Times (more)
    Net Neutrality (Melissa Silmore via Dewayne Hendricks)
    John Deere: of course you "own" your tractor, but only if you agree to let
    ... (Gabe Goldberg)
    Inside Google's Secret War Against Ad Fraud (Adage)
    Risks of online test taking (Jeremy Epstein)
    Secret files reveal police feared that Trekkies could turn on society
    (Elizabeth Roberts via Henry Baker)
    HTTPS-crippling attack threatens tens of thousands of Web and mail servers
    (Ars Technica)
    Paranoid defence controls could criminalise teaching encryption
    (The Conversation)
    US proposes tighter export rules for computer security tools
    (Jeremy Kirk via Richard Forno)
    Africa's Worst New Internet Censorship Law Could be Coming to S.A. (EFF)
    "The Venom vulnerability: Little details bite back" (Paul Venezia)
    Only 3% of people aced Intel's phishing quiz (Jeff Jedras)
    URL-spoofing bug in Safari could enable phishing attacks (Lucian Constantin)
    "New LogJam encryption flaw puts Web surfers at risk" (Jeremy Kirk)
    Critical vulnerability in NetUSB driver exposes millions of routers
    to hacking (Lucian Constantin)
    The Body Cam Hacker Who Schooled the Police (Medium)
    Cybersecurity letter to the President 19-May-2015 (John Denker)
    Is security really stuck in the Dark Ages? (Network World)
    Adult dating site hack exposes millions of users (Geoff White via
    Henry Baker)
    Man tries to report Starbucks vulnerability, is accused of fraud
    (Sakurity)
    A Russian Smartphone Has to Overcome Rivals and Jokes About Its Origin
    (NYTimes)
    Some People Do More Than Text While Driving (NYTimes)
    Re: Drug database: third-party doctrine (Harlan Rosenthal)
    Re: All cars must have tracking devices (Chris Drewe)
    Re: Banned Researcher Commandeered a Plane (Erling Kristiansen)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 18 May 2015 05:18:07 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: The atrocious security of Trident nuclear subs

    While the TSA fondly fondles all of us prior to getting on a commercial
    airplane flight, the security of a British Trident nuclear submarine is less
    than that of a posh nightclub!

    "It's harder to get into most nightclubs than it is to get into the Green
    Area. There's still the pin code system to get through the gate! Oh wait,
    No there's not, it's broke, and anyone standing there that has thrown their
    security pass in or *not*, will get buzzed through. If you have a Green
    area pass or any old green card you can just show it to them from about 3
    metres away (if the boat's on the first berths; if not 1 metre) then get
    Buzzed Through!!"

    "Missile Compartment 4 deck turns into a gym. There are people sweating
    their asses of [sic] between the missiles, people rowing between a blanket
    of s**t because the sewage system is defective, sometimes the s**t sprays
    onto the fwd starboard missile tubes and there's also a lot of rubbish
    stored near the missile tubes."

    "There were a few incidents of people in the gym dropping weights near the
    nuclear weapon's firing units. I heard one person joke about how he
    accidentally throw a weight and it nearly hit a missiles firing unit."

    "I sent this report on the 05/05/15 to every major newspaper, freelance
    journalists, and whistle-blower I could find. It is now the 12/05/15. I've
    had one email reply;"

    http://www.theguardian.com/uk-news/...blower-on-run-alleged-trident-safety-failings

    ALSO:

    Navy whistleblower on the run after exposing alleged Trident safety failings

    MoD launches investigation into claims of Able Seaman William McNeilly, who
    says he will hand himself into police.

    Josh Halliday

    Monday 18 May 2015 09.18 BST Last modified on Monday 18 May 2015 12.15 BST

    A Royal Navy submariner who blew the whistle on a catalogue of alleged
    security failings around the Trident nuclear programme has said he will hand
    himself in to police.

    http://cryptome.org/2015/05/william-mcneilly.pdf

    Able Seaman William McNeilly, 25, a newly qualified engineer, claimed that
    Britain's nuclear deterrent was a ``disaster waiting to happen'' in a report
    detailing 30 alleged safety and security breaches, including a collision
    between HMS Vanguard and a French submarine during which a senior officer
    thought: ``We're all going to die.''

    McNeilly wrote that a chronic manpower shortage meant that it was ``a matter
    of time before we're infiltrated by a psychopath or a terrorist; with this
    amount of people getting pushed through.''

    The police and Royal Navy launched a hunt for the whistleblower after he
    failed to report back for work last week at the Faslane submarine base on
    the Clyde. But on Monday morning McNeilly said he would hand himself over
    to the authorities despite facing a possible prosecution under the Official
    Secrets Act 1989.

    Speaking to the BBC, he said: ``I'm not hiding from arrest; I will be back
    in the UK in the next few days and I will hand myself in to the police.
    Prison -- such a nice reward for sacrificing everything to warn the public
    and government. Unfortunately that's the world we live in. I know it's a
    lot to sacrifice and it is a hard road to walk down, but other people need
    to start coming forward.''

    In the 19-page report, titled The Secret Nuclear Threat, published online
    alongside a picture of his UK passport and Royal Navy identity card,
    McNeilly said he wanted ``to break down the false images of a perfect
    system that most people envisage exists.''

    He described bags going unchecked and said it was ``harder getting into
    most nightclubs'' than into control rooms, with broken pin code systems
    and guards failing to check passes. ``All it takes is someone to bring a
    bomb on board to commit the worst terrorist attack the UK and the world has
    ever seen,'' he wrote.

    McNeilly, who said he was on patrol with HMS Victorious from January to
    April, accused Royal Navy bosses of covering up a collision between HMS
    Vanguard and a French submarine in the Atlantic Ocean in February 2009.

    At the time Ministry of Defence officials played down the incident and said
    the Vanguard had suffered only `scrapes'. But McNeilly said a Royal
    Navy chief who was on board at the time told him afterwards: ``We thought,
    this is it -- we're all going to die.''

    The more senior submariner allegedly told McNeilly that the French vessel
    ``took a massive chunk out of the front of HMS Vanguard'' and grazed the
    side of the boat. Bottles of high-pressured air came loose in the
    collision, he claimed, meaning the Royal Navy submarine had to return slowly
    to Faslane to prevent them from exploding.

    He also raised concerns about a number of his fellow seamen, including one
    whose hobbies he claimed were killing small animals and watching extreme
    pornography. Another submariner, whom he named only as Pole, had threatened
    to kill two fellow navy personnel and was routinely aggressive, McNeilly
    claimed.

    He described how HMS Vanguard's missile compartment doubled up as a gym,
    leading to potentially disastrous mishaps when seamen dropped weights near
    the boat's missile firing system.

    McNeilly said he raised these and other concerns through the chain of
    command on multiple occasions, but that ``not once did someone even
    attempt to make a change.'' [Long item truncated for RISKS. PGN]

    ------------------------------

    Date: Sat, 16 May 2015 17:10:28 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Amtrak, After Derailment, Told to Expand Automatic Brake Use

    The Federal Railroad Administration said it had ordered the railroad to make
    more use of technology that can automatically stop speeding trains.

    http://www.nytimes.com/2015/05/17/u...rders-amtrak-to-expand-automatic-braking.html

    ------------------------------

    Date: 18 May 2015 09:52:13 -0400
    From: "Bob Frankston" <bob19...@bobf.frankston.com>
    Subject: A world ripe for the picking / Diploma mill edition

    http://www.nytimes.com/2015/05/18/w...-axact-reaps-millions-columbiana-barkley.html

    Leveraging the use of unvetted sources for vetting. After all, if we can't
    trust LinkedIn, what can we trust? And now that the topology of social
    relationships doesn't correspond to the topology of legal obligations, the
    world is ripe for the picking.

    ------------------------------

    Date: Sun, 17 May 2015 22:05:55 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Fake Diplomas, Real Cash: Pakistani Company Axact Reaps Millions

    [More on Frankston's item follows. PGN]

    Seen from the Internet, it is a vast education empire: hundreds of
    universities and high schools, with elegant names and smiling professors at
    sun-dappled American campuses.

    Their websites, glossy and assured, offer online degrees in dozens of
    disciplines, like nursing and civil engineering. There are glowing
    endorsements on the CNN iReport website, enthusiastic video testimonials,
    and State Department authentication certificates bearing the signature of
    Secretary of State John Kerry.

    http://www.nytimes.com/2015/05/18/w...-axact-reaps-millions-columbiana-barkley.html

    Below is a partial list of sites analyzed by The New York Times and
    determined most likely to be linked to Axact's operation in Karachi,
    Pakistan.

    http://www.nytimes.com/2015/05/17/world/asia/tracking-axacts-websites.html

    ------------------------------

    Date: Tue, 19 May 2015 04:44:24 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Axact, Fake Diploma Company, Threatens Pakistani Bloggers Who Laugh
    at Its Expense

    The Pakistani company Axact threatened to sue a local blog, Pak Tea House,
    merely for rounding up Twitter reaction to an expose'.

    http://www.nytimes.com/2015/05/19/w...istani-bloggers-who-laugh-at-its-expense.html

    ------------------------------

    Date: Tue, 19 May 2015 09:48:32 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Text of Axact's Response to The New York Times

    Text of Axact's Response to *The New York Times*
    http://www.nytimes.com/2015/05/19/world/asia/text-of-axact-response-to-the-new-york-times.html

    The Pakistani company Axact condemned a New York Times article that asserted
    the company had reaped millions by selling fake diplomas.

    ------------------------------

    Date: May 19, 2015 5:58 AM
    From: "Hendricks Dewayne" <dew...@warpspeed.com>
    Subject: Net Neutrality (Melissa Silmore)

    [Note: This item comes from Dave Farber's IP List. DLH]

    Melissa Silmore, Net Neutrality, May 2015 Issue
    http://www.carnegiemellontoday.com/issues/may-2015-issue/feature-stories/net-neutrality/

    Douglas Sicker was relaxing at home in Boulder, Colo., late on a summer
    evening. It had been a busy day, and he was happy to settle down to watch
    some HBO, ready for a few laughs. The computer science professor had led a
    meeting of network engineers earlier in the day, followed by drinks with
    the group. Afterwards, while the out-of-towners returned to their hotels,
    he headed home.

    On his screen, a clean-cut British comedian sat smiling, hands clasped atop
    his desk, wearing a crisp blue shirt, burgundy tie, and sport coat. The
    segment began unassumingly but quickly gathered steam; a 13-minute hilarious
    and blistering rant, punctuated by photos, graphs, and laughter. On that
    first Sunday in June 2014, John Oliver, host of HBO's Last Week Tonight,
    managed the impossible. He transformed a technical, eye-glazing debate into
    a pop-culture topic.

    Net neutrality, Oliver began, ``two words that promise -- boredom,'' he said
    while a stupefyingly monotonous CSPAN hearing played above his head. ``The
    cable companies have figured out the great truth of America. If you want to
    do something evil, put it inside something boring.''

    ``Net neutrality essentially means that all data has to be treated equally,''
    Oliver went on, as the show played a news clip announcing that the Federal
    Communications Commission (FCC) was opening the door for a two-tiered
    system where giant internet service providers (ISPs), such as Comcast and
    Verizon, could charge to send content more quickly. It would allow ``big
    companies to buy their way into the fast lane, leaving everyone else in the
    slow lane,'' he asserted.

    As Oliver continued his witty entreaty for net neutrality, Sicker's ears
    perked up. The FCC's Chief Technology Officer in 2010-11, and previously
    senior advisor on the FCC's 2010 National Broadband Plan, was more than
    mildly interested.

    Amid the one-liners, Oliver displayed a line graph of Netflix's download
    speeds falling during a very public spat with Comcast, then pointed out the
    rapid improvement when terms were settled. ``That has all the ingredients of
    a mob shakedown,'' he declared.

    Ranting on about the cozy relationship the cable industry enjoys with
    government, Oliver homed in on President Barack Obama's appointment of FCC
    Chair Tom Wheeler. ``The guy who used to run the cable industry's lobbying
    arm is now running the agency tasked with its regulation. That's the
    equivalent of needing a babysitter and hiring a dingo!'' he exclaimed, below
    a photo of a wolf-like creature leering over a baby. He even pictured
    Comcast's chief executive officer in a metal top hat and car -- pointedly
    perched on a Monopoly game board.

    The pinnacle of the bit came at the end. With ceremonial music rising in the
    background, Oliver stood and addressed the hordes of internet commenters, as
    the web address for the FCC site loomed large onscreen. ``Good evening,
    monsters,'' he exhorted, ``we need you to get out there and focus your
    indiscriminate rage in a useful direction. ... Turn on caps lock and fly my
    pretties. Fly! Fly!'' he screamed, as the credits began to roll.

    Sicker was just one of a million viewers tuned in that evening (YouTube
    views are now nearly 9 million) as were many of Sicker's colleagues from
    the telecom sector. ``The next day, everyone was sharing links to that
    clip,'' he recalls. ``People could not stop talking about it.''

    That same day, the FCC comment site shut down, evidently flooded. Comments
    eventually reached nearly 4 million. Those 13 minutes of razor-tongued
    entertainment had galvanized the public to a new issue that has, in
    reality, been under debate for more than a decade. [...]

    ------------------------------

    Date: Tue, 19 May 2015 15:32:20 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: John Deere: of course you "own" your tractor, but only if you agree
    to let ...

    http://boingboing.net/2015/05/13/john-deere-of-course-you-ow.html

    Gabriel Goldberg, Computers and Publishing, Inc. ga...@gabegold.com
    3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433

    ------------------------------

    Date: Tue, 19 May 2015 12:30:19 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Inside Google's Secret War Against Ad Fraud (Adage)

    http://adage.com/article/digital/inside-google-s-secret-war-ad-fraud/298652/

    "Sasha is a member of Google's secretive antifraud team. The unit,
    numbering more than 100, is locked in a war against an unknown quantity of
    cybercriminals who are actively siphoning billions of dollars out of the
    digital advertising industry, primarily via the creation of robotic
    traffic that appears human. Mysterious to many even within Google, the
    group has never spoken to an outsider about the way it hunts botnets, let
    alone allowed someone into its offices to observe the process. But that
    silence ended the moment Sasha opened his computer."

    That's "Secret" ...

    ------------------------------

    Date: Thu, 21 May 2015 08:01:26 +0300
    From: Jeremy Epstein <jeremy.j...@gmail.com>
    Subject: Risks of online test taking

    Following is an excerpt from an e-mail I received from Fairfax County Public
    Schools (Fairfax VA, near Washington DC). Relying on internet connectivity
    without a backup plan, for a high stakes test - what could possibly go
    wrong? [Standards of Learning are a set of state-wide standardized tests
    taken by all elementary, middle school, and high school students.]

    -----

    [May 19] at approximately 12:30 p.m., Pearson Education, Inc., the company
    which provides the computer delivery system for Virginia's online
    Standards of Learning (SOL) tests, experienced an interruption in Internet
    connectivity. The 90-minute service interruption today affected FCPS test
    sites along with other school divisions throughout Virginia.

    Students who had already begun testing before the interruption of Internet
    service were not impacted. However, some students were unable to log on
    to the system to take scheduled SOL tests and other students received
    error messages when they tried to log off after completing tests. As a
    result, some students had to wait in the test environment after they
    completed their tests until connectivity was restored and they were able
    to submit the tests.

    The FCPS Office of Student Testing is working with schools to ensure that
    all tests were submitted properly following the interruption. At this
    time, we do not anticipate that any student responses on tests that were
    submitted were lost.

    In some cases, students started tests but, due to the interruption, were
    unable to finish before the end of the school day; tests for these
    students will need to be rescheduled. Some schools may have canceled SOL
    testing because of the interruption and will notify students and families
    when today's SOL tests will be rescheduled.

    ------------------------------

    Date: Thu, 21 May 2015 06:55:51 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Secret files reveal police feared that Trekkies could turn on
    society (Elizabeth Roberts)

    FYI -- I had to check the date on this article several times to convince
    myself it wasn't April 1st. Beware Terrorist Trekkies!!!
    No wonder TSA keeps checking my ears...

    Elizabeth Roberts, *The Telegraph*, 17 May 2015
    http://www.telegraph.co.uk/news/ukn...ared-that-Trekkies-could-turn-on-society.html

    Scotland Yard kept a secret dossier on Star Trek and the X-Files in the
    run-up to the millennium amid security concerns about Trekkies at a
    convention. For years Star Trek fans -- known as Trekkies -- have been the
    butt of jokes about their penchant for wearing pointy ears and attending
    science fiction conventions. But the police feared British fans of the cult
    American show might boldly go a little too far one day.

    It has emerged that Scotland Yard kept a secret dossier on Star Trek, The
    X-Files, and other US sci fi shows amid fears that British fans would go mad
    and kill themselves, turn against society or start a weird cult.
    The American TV shows Roswell and Dark Skies and the film The Lawnmower Man
    were also monitored to protect the country from rioting and cyber attacks.
    Special Branch was concerned that people hooked on such material could go
    into a frenzy triggered by the millennium leading to anarchy.

    An undated confidential report to the Metropolitan Police, thought to have
    been filed around 1998-99, listed concerns about conspiracy theorists who
    believed the end of the world was nigh.

    ``Fuel is added to the fire by television dramas and feature films mostly
    produced in America. These draw together the various strands of religion,
    UFOs, conspiracies, and mystic events and put them in an entertaining
    storyline.''

    The report added: "Obviously this is not sinister in itself, what is of
    concern is the devotion certain groups and individuals ascribe to the
    contents of these programmes."

    The dossier -- called UFO New Religious Movements and the Millennium -- was
    drawn up in response to the 1997 mass suicide by 39 cultists in San Diego
    known as Heaven's Gate. The group members were "ardent followers of The
    X-Files and Star Trek" according to Special Branch. [...]

    ------------------------------

    Date: Tue, 19 May 2015 23:11:18 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: HTTPS-crippling attack threatens tens of thousands of Web and mail servers
    (Ars via NNSquad)

    http://arstechnica.com/security/201...ns-tens-of-thousands-of-web-and-mail-servers/

    The vulnerability affects an estimated 8.4 percent of the top one million
    websites and a slightly bigger percentage of mail servers populating the
    IPv4 address space, the researchers said. The threat stems from a flaw in
    the transport layer security protocol that websites and mail servers use
    to establish encrypted connections with end-users. The new attack, which
    its creators have dubbed Logjam, can be exploited against a subset of
    servers that support the widely used Diffie-Hellman key exchange, which
    allows two parties that have never met before to negotiate a secret key
    even though they're communicating over an unsecured, public channel.

    ------------------------------

    Date: Wed, 20 May 2015 07:56:15 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Paranoid defence controls could criminalise teaching encryption
    (via NNSquad)

    http://theconversation.com/paranoid-defence-controls-could-criminalise-teaching-encryption-41238

    You might not think that an academic computer science course could be
    classified as an export of military technology. But under the Defence
    Trade Controls Act - which passed into law in April, and will come into
    force next year - there is a real possibility that even seemingly
    innocuous educational and research activities could fall foul of
    Australian defence export control laws.

    ------------------------------

    Date: May 21, 2015 12:00 PM
    From: "Richard Forno" <rfo...@infowarrior.org>
    Subject: US proposes tighter export rules for computer security tools
    (Jeremy Kirk)

    Jeremy Kirk, IT World, 20 May 2015 (link to the proposal is in the article.)
    http://www.itworld.com/article/2925...export-rules-for-computer-security-tools.html

    The U.S. Commerce Department has proposed tighter export rules for computer
    security tools, a potentially controversial revision to an international
    agreement aimed at controlling weapons technology.

    On Wednesday, the department published a proposal in the Federal Register
    and opened a two-month comment period.

    The changes are proposed to the Wassenaar Arrangement, an international
    agreement reached in 1995, aimed at limiting the spread of ``dual use''
    technologies that could be used for harm.

    Forty-one countries participate in the Wassenaar Arrangement, and lists of
    controlled items are revised annually.

    The Commerce Department's Bureau of Industry and Security (BIS) is
    proposing requiring a license in order to export certain cybersecurity
    tools used for penetrating systems and analyzing network communications.

    If asked by the BIS, those applying for a license ``must include a copy of
    the sections of source code and other software (e.g., libraries and header
    files) that implement or invoke the controlled cybersecurity functionality.''

    Items destined for export to government users in Australia, Canada, New
    Zealand or the U.K. -- the so-called ``Five Eyes'' nations which the U.S.
    belongs to -- would be subject to looser restrictions. Those nations'
    intelligence agencies collaborate closely.

    The proposal would modify rules added to the Wassenaar Arrangement in 2013
    that limit the export of technologies related to intrusion and traffic
    inspection.

    The definition of intrusion software would also encompass ``proprietary
    research on the vulnerabilities and exploitation of computers and
    network-capable devices,'' the proposal said.

    Tools that would not be considered intrusion software include hypervisors,
    debuggers and ones used for reverse engineering software.

    There has long been concern that software tools in the wrong hands could
    cause harm. But security professionals who conduct security tests of
    organizations often employ the same software tools as those used by
    attackers.

    Thomas Rid, a professor in the Department of War Studies at King's College
    London, wrote on Twitter that the proposed export regulations ``seem too
    broad; could even damage cybersecurity.''

    Many private computer security companies sell information on software
    vulnerabilities for commercial purposes, a practice that has been
    criticized.

    Those companies have defended their sales models, arguing that without a
    financial incentive, the software vulnerabilities may not have been found,
    which ultimately protects users. Many have policies that forbid selling
    sensitive information to unvetted parties.

    The proposal said there is a ``policy of presumptive denial for items that
    have or support rootkit or zero-day exploit capabilities.''

    Rootkits are hard-to-detect programs used for electronically spying on a
    computer, and a zero-day exploit is attack code that can take advantage of
    a software flaw.

    Changes to the list of controlled items covered by the Wassenaar Agreement
    are decided by consensus at its annual plenary meeting in December.

    [It's better to burn out than fade away.]

    ------------------------------

    Date: Thu, 21 May 2015 10:33:51 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Africa's Worst New Internet Censorship Law Could be Coming to
    South Africa (EFF)

    https://www.eff.org/deeplinks/2015/...t-censorship-law-could-be-coming-south-africa

    Only once in a while does an Internet censorship law or regulation come
    along that is so audacious in its scope, so misguided in its premises, and
    so poorly thought out in its execution, that you have to check your
    calendar to make sure April 1 hasn't come around again. The Draft Online
    Regulation Policy recently issued by the Film and Publication Board (FPB)
    of South Africa is such a regulation. It's as if the fabled prude
    Mrs. Grundy had been brought forward from the 18th century, stumbled
    across hustler.com on her first excursion online, and promptly cobbled
    together a law to shut the Internet down. Yes, it's that bad.

    ------------------------------

    Date: Fri, 22 May 2015 10:23:50 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "The Venom vulnerability: Little details bite back" (Paul Venezia)

    http://www.infoworld.com/article/29...y-vulnerability-little-details-bite-back.html
    Paul Venezia, The Deep End, InfoWorld, 18 May 2015
    Bad attacks rarely come through the front door -- instead, the old
    cracks let in the problems

    selected text:

    It's fittingly ironic that a vulnerability of this nature is vectored
    through such an innocuous and fossilized function as a virtual floppy disk
    driver; it's even more ironic that the bug in that code has existed since
    2004.

    ------------------------------

    Date: Fri, 22 May 2015 10:25:24 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Only 3% of people aced Intel's phishing quiz (Jeff Jedras)

    Jeff Jedras, IT Business, 15 May 2015
    http://www.itbusiness.ca/news/only-three-per-cent-of-people-aced-intels-phishing-quiz/55685

    opening text:

    We probably think we're pretty savvy when it comes to identifying online
    attacks and phishing emails; Intel Security put us to the test and found us
    lacking: 97 per cent of respondents were unable to identify all the examples
    of phishing in their email security quiz.

    ------------------------------

    Date: Fri, 22 May 2015 10:27:58 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "URL-spoofing bug in Safari could enable phishing attacks"
    (Lucian Constantin)

    Lucian Constantin, InfoWorld, 19 May 2015
    Researcher develops code that can trick Safari into showing a
    different URL in its address bar than the one currently loaded
    http://www.infoworld.com/article/29...-in-safari-could-enable-phishing-attacks.html

    selected text:

    The latest versions of Safari for Mac OS X and iOS are vulnerable to a
    URL-spoofing exploit that could allow hackers to launch credible phishing
    attacks.

    The issue was discovered by security researcher David Leo, who published a
    proof-of-concept exploit for it. Leo's demonstration consists of a Web page
    hosted on his domain that, when opened in Safari, causes the browser to
    display dailymail.co.uk in the address bar.

    The ability to control the URL shown by the browser can, for example, be
    used to easily convince users that they are on a bank's website when they
    are actually on a phishing page designed to steal their financial
    information.

    ------------------------------

    Date: Fri, 22 May 2015 10:34:04 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "New LogJam encryption flaw puts Web surfers at risk" (Jeremy Kirk)

    Jeremy Kirk, InfoWorld, 20 May 2015
    http://www.infoworld.com/article/29...encryption-flaw-puts-web-surfers-at-risk.html
    LogJam is closely related to the FREAK security vulnerability and
    involves downgrading TLS connections to a weak key

    selected text:

    The flaw, called LogJam, can allow an attacker to significantly weaken the
    encrypted connection between a user and a Web or email server, said Matthew
    D. Green, an assistant research professor in the department of computer
    science at Johns Hopkins University.

    ------------------------------
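
    Both Logjam items in this issue (Lauren Weinstein's Ars summary above and
    the InfoWorld piece just quoted) turn on the same two facts: Diffie-Hellman
    lets two strangers agree on a secret over a public channel, and a downgrade
    to a short DH group makes that secret cheap to recover. The following is an
    added example, not code from the digest, from InfoWorld or from the Logjam
    researchers. It shows a plain finite-field DH exchange together with the
    client-side parameter check the attack motivates: refuse any group whose
    prime is too short or not prime. The 2048-bit prime is RFC 3526 MODP group
    14 (a published group); MIN_DH_BITS, the function and class names and the
    tiny "toy" group standing in for an export-grade one are assumptions made
    for this example.

```python
"""Finite-field Diffie-Hellman with the group check that Logjam motivates.

Added example (not from the RISKS digest or the Logjam paper). The 2048-bit
prime is RFC 3526 group 14; the policy threshold, names and toy group are
assumptions constructed for illustration.
"""
import hashlib
import secrets

MIN_DH_BITS = 2048  # assumed policy: refuse any DH prime shorter than this

# RFC 3526 MODP group 14: published 2048-bit safe prime, generator 2.
RFC3526_GROUP14_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
RFC3526_GROUP14_G = 2

# Constructed toy group (textbook p=23, g=5): far too small, standing in
# for the short export-grade groups a Logjam downgrade steers a client to.
TOY_P, TOY_G = 23, 5


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test (random bases)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # composite witness found
    return True


def group_is_acceptable(p, g, min_bits=MIN_DH_BITS):
    """The check a client should apply to server-supplied DH parameters."""
    if p.bit_length() < min_bits:                 # too short: downgrade bait
        return False
    if not is_probable_prime(p):                  # not a field at all
        return False
    return 1 < g < p - 1                          # generator in range


class DHParty:
    """One side of the exchange; refuses to run over a weak group."""

    def __init__(self, p, g):
        if not group_is_acceptable(p, g):
            raise ValueError("rejecting weak or malformed DH group")
        self.p, self.g = p, g
        self._x = secrets.randbelow(p - 2) + 1    # private exponent in [1, p-2]
        self.public = pow(g, self._x, p)

    def shared_key(self, peer_public):
        # Reject degenerate peer values (0, 1, p-1) that force a trivial secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        secret = pow(peer_public, self._x, self.p)
        nbytes = (self.p.bit_length() + 7) // 8
        return hashlib.sha256(secret.to_bytes(nbytes, "big")).digest()


def run_exchange(p, g):
    """Run DH between two fresh parties over (p, g); return both derived keys."""
    alice, bob = DHParty(p, g), DHParty(p, g)
    return alice.shared_key(bob.public), bob.shared_key(alice.public)


if __name__ == "__main__":
    print("toy group accepted?", group_is_acceptable(TOY_P, TOY_G))
    k_a, k_b = run_exchange(RFC3526_GROUP14_P, RFC3526_GROUP14_G)
    print("keys agree over group 14:", k_a == k_b)
```

    The size check is the part that matters for Logjam: a client that accepts
    whatever ServerDHParams it is handed can be steered onto a 512-bit group,
    so the refusal has to happen on the client before any exponentiation, as
    DHParty's constructor does here.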

    Date: Fri, 22 May 2015 10:37:31 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Critical vulnerability in NetUSB driver exposes millions of
    routers to hacking" (Lucian Constantin)

    Lucian Constantin, InfoWorld, 20 May 2015
    Tens of routers and other embedded devices from various manufacturers
    likely have the flaw, security researchers say
    http://www.infoworld.com/article/29...r-exposes-millions-of-routers-to-hacking.html

    ------------------------------

    Date: Fri, 22 May 2015 10:57:42 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: The Body Cam Hacker Who Schooled the Police (Medium)

    https://medium.com/backchannel/the-body-cam-hacker-who-schooled-the-police-c046ff7f6f13

    Policies about where and when to turn cameras on, language to warn people
    who are being filmed, and limits on using the footage in investigations
    can address some of these concerns. But liberal public disclosure laws
    like Washington's leave a gaping loophole. How can police departments
    release videos to an eager public without invading the privacy of victims,
    patients and bystanders on some of the worst days of their lives?

    ------------------------------

    Date: May 20, 2015 at 12:29:54 AM EDT
    From: John Denker <j...@av8n.com>
    Subject: Cybersecurity letter to the President 19-May-2015 (via Dave Farber)

    [To:]
    President Barack Obama
    The White House
    1600 Pennsylvania Avenue NW
    Washington, DC 20500

    [...] We urge you to reject any proposal that U.S. companies deliberately
    weaken the security of their products. We request that the White House
    instead focus on developing policies that will promote rather than undermine
    the wide adoption of strong encryption technology. Such policies will in
    turn help to promote and protect cybersecurity, economic growth, and human
    rights, both here and abroad.

    [snip]

    [approximately 150 signatories, including security experts and tech companies]

    Full text at:
    https://static.newamerica.org/attachments/3138--113/Encryption_Letter_to_Obama_final_051915.pdf
    http://cdn.arstechnica.net/wp-content/uploads/2015/05/cryptoletter.pdf

    Lots of news media have picked up on this, but distressingly few link to the
    actual letter. Maybe I'm old-fashioned, but I think primary sources are
    important.

    [Also noted by Lauren Weinstein,
    https://docs.google.com/document/d/1mX98l2Y05t_pV_gu_o_h4WezVajAXkca0NtZ7V9dQ_U/edit?hl=en&forcehl=1
    who added, ``Not that it will likely make any difference in the final
    analysis regardless of who is President or in Congress, but hope springs
    eternal.'' PGN]

    ------------------------------

    Date: Fri, 22 May 2015 21:27:06 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Is security really stuck in the Dark Ages? (Network World)

    http://www.networkworld.com/article/2925171/security0/is-security-really-stuck-in-the-dark-ages.html

    It had to be a bit of a jolt for more than 500 exhibitors and thousands of
    attendees at RSA Conference 2015 last month, all pushing, promoting and
    inspecting the latest and greatest in digital security technology: The
    theme of RSA President Amit Yoran's opening keynote was that they are all
    stuck in the Dark Ages. [via NNSquad]

    ------------------------------

    Date: Sat, 23 May 2015 07:37:36 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Adult dating site hack exposes millions of users

    Why should the FBI (Martin Luther King), the CIA (numerous Muslims) and the
    NSA (LOVINT) have all the fun? Now we can all be extorted by non-govt
    criminals, too. The honeyplot thickens...

    Best LOL line of the article: "These sites are meant to be secure"

    Geoff White, Channel4, 21 May 2015
    http://www.channel4.com/news/adult-friendfinder-dating-hack-internet-dark-web

    Hackers have struck one of the world's largest internet dating websites,
    leaking the highly sensitive sexual information of almost four million users
    onto the web. The stolen data reveals the sexual preferences of users,
    whether they're gay or straight, and even indicates which ones might be
    seeking extramarital affairs. In addition, the hackers have revealed email
    addresses, usernames, dates of birth, postal codes and unique internet
    addresses of users' computers.

    Channel 4 News has been investigating the cyber underworld, discovering
    which websites have been hacked and exposing the trade in personal
    information of millions of people through so-called "dark web" sites.

    Secretive forum

    The investigation led to a secretive forum in which a hacker nicknamed
    ROR[RG] posted the details of users of Adult FriendFinder. The site boasts
    63 million users worldwide and claims more than 7 million British members.
    It bills itself as a "thriving sex community", and as a result users often
    share sensitive sexual information when they sign up.

    The information of 3.9m Adult FriendFinder members has been leaked,
    including those who told the site to delete their accounts.

    Shaun Harper is one of those whose details have been published. "The site
    seemed OK, but when I got into it I realised it wasn't really for me, I was
    looking for something longer term. But by that time I'd already given my
    information. You couldn't get into the site without handing over
    information.

    "I deleted my account, so I thought the information had gone. These sites
    are meant to be secure."

    [Long item truncated for RISKS. PGN]

    ------------------------------

    Date: Sat, 23 May 2015 07:52:40 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Man tries to report Starbucks vulnerability, is accused of fraud

    "The hardest part - responsible disclosure. Support guy honestly answered
    there's absolutely no way to get in touch with technical department and he's
    sorry I feel this way. Emailing InformationSe...@starbucks.com on
    March 23 was futile (and it only was answered on Apr 29). After trying
    really hard to find anyone who cares, I managed to get this bug fixed in
    like 10 days." -- Egor Homakov [Sakurity via NNSquad]
    http://sakurity.com/blog/2015/05/21/starbucks.html

    ------------------------------

    Date: Sun, 17 May 2015 09:03:22 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: A Russian Smartphone Has to Overcome Rivals and Jokes About Its Origin

    Few people looking to buy a state-of-the-art smartphone would even think
    about a Russian model, but the makers of the YotaPhone aspire to change
    that.

    http://www.nytimes.com/2015/05/17/w...o-overcome-rivals-and-jokes-about-origin.html

    ------------------------------

    Date: Tue, 19 May 2015 09:41:16 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Some People Do More Than Text While Driving

    Texting while driving has company. Some people are also using social media
    services, taking selfies, and even making videos while they are behind the
    wheel.

    http://bits.blogs.nytimes.com/2015/05/19/some-people-do-more-than-text-while-driving/

    ------------------------------

    Date: Sun, 17 May 2015 20:06:43 -0400
    From: Harlan Rosenthal <Harlan.R...@verizon.net>
    Subject: Re: Drug database: third-party doctrine (RISKS-28.64)

    Maybe I'm too much of a programmer, but the word "voluntary" should mean
    something. Most of the information we turn over today is NOT voluntary.
    You can't get a prescription without revealing it to the pharmacist; the
    pharmacist can't give it to you without revealing it to the state and
    insurance databases; and all of this is required by law. The change in
    accessibility over the years is a clear example of a difference of degree
    becoming a difference of kind.

    ------------------------------

    Date: Sun, 17 May 2015 22:45:38 +0100
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: All cars must have tracking devices (RISKS-28.63,64)

    If level-crossing gates block the full width of the road then there's the
    risk of vehicles being trapped as they close; if they only take half of the
    road then they provide a better warning than just flashing lights, but
    impatient drivers can zig-zag round them.

    The *REAL* fundamental problem is that trains traveling at 120mph
    (~200km/hr) or more can take several minutes/miles to stop -- which vehicle
    drivers don't always seem to appreciate -- and ensuring that a train has
    time to stop if the crossing is not clear would mean halting the traffic for
    quite a while, thus increasing the risk of impatient drivers attempting to
    cross anyway.

    As I understand it, crashes or near-misses often happen on busy roads when a
    line of slow-moving or stopped vehicles backs up across a level-crossing.
    So the moral is -- always be sure that there's enough empty road on the
    other side of the crossing for your vehicle before you drive onto it.

    ------------------------------

    Date: Fri, 22 May 2015 21:14:56 +0200
    From: Erling Kristiansen <erling.kr...@xs4all.nl>
    Subject: Re: Banned Researcher Commandeered a Plane

    Most publicity on this subject seems to focus on the specific hack and its
    perpetrator, condemning his action. This diverts attention away from the
    much more serious underlying problem: A hacker, using simple tools and a
    trivial intrusion into a network box, succeeded in breaching the isolation
    between the passenger network and a highly safety critical technical network
    of the aircraft. This raises serious concerns about the overall network
    design of the aircraft.

    And more problems may be coming: Today, passenger and safety air/ground
    communications are pretty well isolated from each other because they use
    separate radio links and different technologies that do not readily mix.
    But one plausible future development option is a move towards integrating
    everything into a single air/ground link, all using IP technology. So,
    effectively, the closed aeronautical safety critical networks will come
    together physically with the Internet in this link, being separated only
    logically by routers, firewalls and the like. Just one compromised router
    somewhere in the world could make the safety critical networks, on-board as
    well as on the ground, reachable from the Internet. Physical isolation would
    no longer be possible.

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
    if possible and convenient for you. The mailman Web interface can
    be used directly to subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks
    Alternatively, to subscribe or unsubscribe via e-mail to mailman
    your FROM: address, send a message to
    risks-...@csl.sri.com
    containing only the one-word text subscribe or unsubscribe. You may
    also specify a different receiving address: subscribe address= ... .
    You may short-circuit that process by sending directly to either
    risks-s...@csl.sri.com or risks-un...@csl.sri.com
    depending on which action is to be taken.

    Subscription and unsubscription requests require that you reply to a
    confirmation message sent to the subscribing mail address. Instructions
    are included in the confirmation message. Each issue of RISKS that you
    receive contains information on how to post, unsubscribe, etc.

    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for
    guidelines.

    => .UK users may contact <Lindsay....@newcastle.ac.uk>.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you NEVER send mail!
    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
    *** NOTE: Including the string `notsp' at the beginning or end of the subject
    *** line will be very helpful in separating real contributions from spam.
    *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
    http://www.risks.org takes you to Lindsay Marshall's searchable archive at
    newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 28.65
    ************************
     
  9. LakeGator
    Risks Digest 28.66

    RISKS List Owner

    Jun 1, 2015 8:01 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 1 June 2015 Volume 28 : Issue 66

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.66.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Airbus confirms A400M transport plane downed by badly configured SW
    (Gabe Goldberg)
    Belgian air traffic outage (Werner U)
    Software Glitch Pauses LightSail Test Mission (Jason Davis via
    Prashanth Mundkur)
    Volvo horrible self-parking car accident (Fusion via Jim Reisert)
    Boston water main break disrupts telecommunication services for thousands
    throughout Massachusetts (MassLive via Monty Solomon)
    How Is Critical 'Life or Death' Software Tested? (Motherboard via
    Gene Spafford)
    Clueless Clause: Insurer Cites Lax Security in Challenge to Cottage Health
    Claim (robert schaefer)
    Even Tiny Updates to Tech Can Be Obstacles for the Disabled
    (WiReD via Lauren Weinstein)
    Woman plans to sue after Fla. license labels her a sex offender
    (Baynews9 via Bob Frankston)
    When Is A Violent Facebook Post A 'Threat'? SCOTUS Isn't Sure.
    (National Journal via NNSquad)
    House of Discards: Wikipedia pre-election edits (Henry Baker)
    New incredibly cumbersome online voting system (Readwrite via
    NNSquad)
    A Tech Boom Aimed at the Few, Instead of the World (NYT via Monty Solomon)
    Americans Don't Trust Government and Companies to Protect Privacy
    (Pew in NYT via Monty Solomon)
    The Government's Consumer Data Watchdog (NYT)
    IRS says thieves stole tax info from >100,000 taxpayers (Henry Baker)
    Up to 1.1 Million Customers Could be Affected in Data Breach at Insurer
    CareFirst (NYT via Monty Solomon)
    Adult FriendFinder hack EXPOSES MILLIONS of MEMBERS (John Leyden)
    Large-scale attack hijacks routers through users' browsers
    (Lucian Constantin via Gene Wirchenko)
    Ex-FIFA Official Cites Satirical 'Onion' Article in His Self-Defense
    (NYT)
    Elizabeth Warren's official website is untrusted by Firefox (Henry Baker)
    One-Tap Giving? Extra Steps Mire Mobile Donations (Monty Solomon)
    Partners launches $1.2 billion electronic health records system
    (The Boston Globe)
    Could wearing a smartwatch behind the wheel land you in hot water?
    (Hayley Tsukayama)
    Hacked billboard gets rude (Gawker via robert schaefer)
    Uber Closes In on Its Last Frontier: Airports (NYT)
    Driving Uber Mad (NYT)
    Behind the Downfall at BlackBerry (NYT)
    Verizon's 'Pick Your Own Cable TV Channels' Is Just Another Bait & Switch
    -- Read the Fine Print (Bruce Kushnick)
    Anti-NSA Pranksters Planted Tape Recorders Across New York and Published
    Your Conversations (Andy Greenberg)
    The Age Of Disinformation (James Spann via Dewayne Hendricks)
    BBC: The generation that tech forgot (Lauren Weinstein)
    A badly designed centralized desktop management can cause health risks
    (Chiaki Ishikawa)
    CONTRARY WARNING! - "How Google Finally Got Design" (FastCodesign)
    NYTimes.com is a very expensive "wall wart" (Henry Baker)
    This Ad for Banned Food in Russia Can Hide Itself From the Cops
    (Gizmodo via robert schaefer)
    Re: Only 3% of people aced Intel's phishing quiz (David Damerell)
    Re: All cars must have tracking devices (Alister Wm Macintyre)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 01 Jun 2015 17:30:34 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Airbus confirms A400M transport plane downed by badly configured SW

    http://www.theregister.co.uk/2015/05/31/airbus_software_config_brought_down_a400m/

    Supposedly correct engine-control software installed improperly [PGN-ed]

    ------------------------------

    Date: Wed, 27 May 2015 12:54:01 +0200
    From: Werner U <wer...@gmail.com>
    Subject: Belgian air traffic outage

    <http://deredactie.be/cm/vrtnieuws.english/News/1.2351961>
    [Please visit the article website to see 2 graphics.]

    At the moment, Belgian air traffic is completely shut down. Belgocontrol,
    the Belgian air traffic control agency, is dealing with a power cut due to
    overvoltage. This means that no planes are allowed to land on, or take off
    from Belgian airports. Belgian airspace will remain closed until at least
    5:30PM. There is increasing chaos at the airports as queues are growing, and
    more and more flights are being canceled and delayed.

    At 9:45AM, power went down at Belgocontrol. Flights preparing for landing
    at that very moment were still allowed to ground on the strip. All other
    flights were redirected to airports in neighbouring countries. Emergency
    generators appeared to be malfunctioning as well, as they did not
    automatically start running. "After that, we proceeded to a 'clear of the
    sky' operation", explains Belgocontrol spokesperson Dominique Dehaene.

    The power outage temporarily shuts down all air traffic in the country.
    However, fly-overs at 24,500 feet or higher are still possible, since they
    are not a Belgocontrol responsibility.

    Eurocontrol declares that air traffic will be down until at least 5:30PM.
    Airports at Brussels and Charleroi, for example, are already dealing with a
    significant number of delays. Liege and Antwerp-Deurne are out of service as
    well. Ostend Airport is the only functioning airfield in the country right
    now. Most of the planes still in the air have been redirected to airports in
    neighbouring countries. [...]

    ------------------------------

    Date: Fri, 29 May 2015 11:56:59 -0700
    From: Prashanth Mundkur <prashant...@gmail.com>
    Subject: 'Software Glitch Pauses LightSail Test Mission' (Jason Davis)

    Jason Davis, The Planetary Society Blog, 26 May 2015
    http://www.planetary.org/blogs/jason-davis/2015/20150526-software-glitch-pauses-ls-test.html

    Every 15 seconds, LightSail transmits a telemetry beacon packet. The
    software controlling the main system board writes corresponding
    information to a file called beacon.csv. If you're not familiar with CSV
    files, you can think of them as simplified spreadsheets -- in fact, most
    can be opened with Microsoft Excel.

    As more beacons are transmitted, the file grows in size. When it reaches
    32 megabytes -- roughly the size of ten compressed music files -- it can
    crash the flight system.

    [Article also noted by robert schaefer: ``It is now believed that a
    vulnerability in the software controlling the main avionics board halted
    spacecraft operations, leaving a reboot as the only remedy to continue the
    mission.'' There's no one in outer space to push the reset button. RS]
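    The size bound the passage implies, as an added example that is not LightSail's flight software: a CSV beacon logger that rotates before the live file can cross a configurable cap, plus an estimate of how many 15-second beacons an unbounded file would need to reach 32 MB at an assumed row size. The field names, row contents and cap values are constructed for the demonstration.

```python
import csv
import io
import os
import tempfile

# Added example, not LightSail's code. Field names and row sizes below are
# constructed; the real beacon.csv layout is not described on the page.

BEACON_INTERVAL_S = 15          # one beacon every 15 s, per the article
CRASH_THRESHOLD = 32 * 1024 * 1024  # "32 megabytes", taken as 32 MiB here


def beacons_until(cap_bytes, row_bytes):
    """Whole beacon rows an unbounded file can hold before reaching cap_bytes."""
    return cap_bytes // row_bytes


def days_until(cap_bytes, row_bytes, interval_s=BEACON_INTERVAL_S):
    """Mission time (days) before an unbounded file reaches cap_bytes."""
    return beacons_until(cap_bytes, row_bytes) * interval_s / 86400.0


class BeaconLog:
    """Append-only CSV telemetry log whose live file never exceeds max_bytes.

    When the next row would cross the limit, the live file is renamed to
    <path>.1 (replacing the previous rotated copy) and a fresh file with a
    header is started, so growth is bounded regardless of mission length.
    """

    def __init__(self, path, max_bytes, fieldnames):
        self.path = path
        self.max_bytes = max_bytes
        self.fieldnames = fieldnames
        self.rotations = 0

    def _encode(self, row):
        buf = io.StringIO()
        csv.DictWriter(buf, fieldnames=self.fieldnames,
                       lineterminator="\n").writerow(row)
        return buf.getvalue().encode("utf-8")

    def size(self):
        return os.path.getsize(self.path) if os.path.exists(self.path) else 0

    def _start_fresh(self):
        with open(self.path, "w", newline="") as f:
            csv.DictWriter(f, fieldnames=self.fieldnames,
                           lineterminator="\n").writeheader()

    def _rotate(self):
        os.replace(self.path, self.path + ".1")
        self.rotations += 1

    def append(self, row):
        """Write one beacon row; returns the live file size afterwards."""
        data = self._encode(row)
        if not os.path.exists(self.path):
            self._start_fresh()
        if self.size() + len(data) > self.max_bytes:
            self._rotate()
            self._start_fresh()
        if self.size() + len(data) > self.max_bytes:
            raise ValueError("single row plus header exceeds max_bytes")
        with open(self.path, "ab") as f:
            f.write(data)
        return self.size()


def simulate(n_beacons, max_bytes):
    """Run n_beacons through a capped log in a temp dir; report peak/live sizes."""
    with tempfile.TemporaryDirectory() as d:
        log = BeaconLog(os.path.join(d, "beacon.csv"), max_bytes,
                        ["beacon", "bus_volts"])
        peak = 0
        for i in range(n_beacons):
            peak = max(peak, log.append({"beacon": i, "bus_volts": 7.4}))
        return {"peak_bytes": peak, "rotations": log.rotations,
                "live_bytes": log.size()}


if __name__ == "__main__":
    # Assumed 200-byte rows: unbounded growth hits the 32 MiB mark in weeks.
    print("beacons to crash:", beacons_until(CRASH_THRESHOLD, 200))
    print("days to crash:", round(days_until(CRASH_THRESHOLD, 200), 1))
    print(simulate(50, 200))
```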

    ------------------------------

    Date: Wed, 27 May 2015 07:52:22 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Volvo horrible self-parking car accident

    Fusion.net, 26 May 2015

    Last week, a gossip blog based in the Dominican Republic called Remolacha
    published a disturbing video of what it said was a self-parking car
    accident. A group of people stand in a garage watching and filming a grey
    Volvo XC60 that backs up, stops, and then accelerates toward the group. It
    smashes into two people, and causes the person filming the video with his
    phone to drop it and run. It is terrifying. [...]

    The main issue, said [Volvo spokesperson Johan] Larsson, is that it appears
    that the people who bought this Volvo did not pay for the Pedestrian
    detection functionality, which is a feature that costs more money.

    The Volvo XC60 comes with City Safety as a standard feature, however this
    does not include the Pedestrian detection functionality, said Larsson. The
    City Safety system kicks in when someone is in stop-and-go traffic, helping
    the driver avoid rear ending another car while driving slowly, or under 30
    mph.

    http://fusion.net/story/139703/self-parking-car-accident-no-pedestrian-detection/

    ------------------------------

    Date: Mon, 25 May 2015 15:07:44 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Boston water main break disrupts telecommunication services for
    thousands throughout Massachusetts

    http://www.masslive.com/news/index.ssf/2015/05/boston_water_main_break_disrup.html

    ------------------------------

    Date: Mon, 1 Jun 2015 09:41:40 -0400
    From: Gene Spafford <sp...@cerias.purdue.edu>
    Subject: How Is Critical 'Life or Death' Software Tested? | Motherboard

    Do read my whole blog post that is referenced here.

    http://motherboard.vice.com/read/how-is-critical-life-or-death-software-tested

    ------------------------------

    Date: Wed, 27 May 2015 08:28:02 -0400
    From: robert schaefer <r...@haystack.mit.edu>
    Subject: Clueless Clause: Insurer Cites Lax Security in Challenge to Cottage
    Health Claim

    Will software security insurance eventually change lax security behavior?

    "In-brief: In what may become a trend, an insurance company is denying a
    claim from a California healthcare provider following the leak of data on
    more than 32,000 patients. The insurer, Columbia Casualty, charges that
    Cottage Health System did an inadequate job of protecting patient data."

    securityledger.com/2015/05/clueless-clause-insurer-cites-lax-security-in-challenge-to-cottage-health-claim/

    [This article also noted by Henry Baker, :)
    FYI -- Finally, the costs of NOT securing people's data will exceed the
    costs of securing those data.
    Henry added, Companies will now pay more attention when the IRS
    demonstrates to them how to improve their computer security.
    PGN]

    ------------------------------

    Date: Mon, 25 May 2015 08:38:47 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Even Tiny Updates to Tech Can Be Obstacles for the Disabled (WiReD)

    http://www.wired.com/2015/05/even-tiny-updates-tech-can-obstacles-disabled/
    (WiReD via NNSquad)

    "For me, every step forward in making things lighter and smaller is a new
    obstacle. Often, the buttons I need to hit are too small, the screen too
    sensitive, or the glare off the screen too distracting to allow me to make
    use of my device. Updates to operating systems or apps that create slight
    changes to the size and position of buttons throw me off for days. While
    these changes might go unnoticed by a typical user, I endure a relearning
    process that slows me down and makes it more difficult to communicate." --
    Paul Kotler

    ------------------------------

    Date: 29 May 2015 22:15:35 -0400
    From: "Bob Frankston" <bob19...@bobf.frankston.com>
    Subject: Woman plans to sue after Fla. license labels her a sex offender

    http://www.baynews9.com/content/new...ticles/bn9/2015/5/7/woman_plans_to_sue_a.html

    This isn't exactly a new risk. But as we are increasingly dependent upon
    these systems we need to take into account human factors. If this were a
    consumer-facing system it's likely that such checks would be built in. But
    how do these design factors get addressed in systems built to
    specifications? Or must we accept bad design just to get conformance to
    requirements?

    What are the details of this particular system?

    ------------------------------

    Date: Mon, 1 Jun 2015 11:10:45 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: When Is A Violent Facebook Post A 'Threat'? SCOTUS Isn't Sure.

    [National Journal via NNSquad]
    http://www.nationaljournal.com/tech/supreme-court-intent-matters-in-violent-facebook-posts-20150601

    The Supreme Court on Monday inched a little bit closer to answering a
    major free-speech question: how to draw the line between real threats of
    violence and angry diatribes protected by the First Amendment. In an 8-1
    ruling, the court threw out the conviction of a Pennsylvania man who wrote
    violent, obscene Facebook posts about killing his wife, his coworkers, FBI
    agents and even kindergartners. But the court did not set a clear standard
    for future cases involving online threats, and some of the justices
    complained that the ruling would only make the legal landscape more
    complicated.

    ------------------------------

    Date: Tue, 26 May 2015 07:21:30 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: House of Discards: Wikipedia pre-election edits

    This kind of activity is precisely why Europe's purported "right to be
    forgotten" is so dangerous to democracy.

    Ben Riley-Smith, *The Telegraph*, 26 May 2015
    Expenses and sex scandal deleted from MPs' Wikipedia pages by computers
    inside Parliament
    Exclusive: References to 'chauffeur-driven cars' and a criminal arrest wiped
    from online biographies in run-up to election
    http://www.telegraph.co.uk/news/gen...dia-pages-by-computers-inside-Parliament.html

    Expense claims and a Westminster sex scandal were deleted from MPs'
    Wikipedia pages by computers inside Parliament before the election, The
    Telegraph has found.

    Details of a police arrest, electoral fraud allegation and the use of
    "chauffeur-driven cars" were also wiped by people inside the Commons.

    The revelation will raise suspicion MPs or their political parties
    deliberately hid information from the public online to make candidates
    appear more electable to voters.

    More than a dozen online biographies of sitting MPs were doctored from
    computers with IP addresses owned by the Houses of Parliament in the run-up
    to the election.

    Requests for comment were made to all the MPs in question via their party
    press offices, but just a handful replied to say the changes had nothing to
    do with them.

    Anyone can edit Wikipedia, an online encyclopaedia kept up to date by
    users. However each change is tracked and linked to an IP address - a unique
    string of numbers that identifies each computer using an Internet network.

    By looking at the changes made by computers with IP addresses owned by the
    Houses of Parliament it is possible to see what edits are being made from
    inside the Commons.

    *The Telegraph* has discovered persistent changes to MPs' biographies made
    from Parliament in what appears to be a deliberate attempt to hide
    embarrassing information from the electorate.

    [Numerous dishy examples omitted for lack of RISKS-relevance. PGN]
    FULL DETAILS OF WHAT WIKIPEDIA CHANGES WERE MADE FROM PARLIAMENT COMPUTERS ...
    [omitted for RISKS]

    ------------------------------

    Date: Sat, 23 May 2015 10:33:45 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: New incredibly cumbersome online voting system

    "Maybe Online Voting Isn't A Pipe Dream After All" (via NNSquad)

    http://readwrite.com/2015/05/22/du-vote-secure-online-voting

    Finally, you'd have to have faith that people would be willing to enter
    strings of numbers into both a handheld token and the online electoral
    website. Not to mention the fact that the system's security also depends
    on voters' willingness to flip a coin and take action based on the
    result. If in practice most people just entered the "column A" digits out
    of habit, that would undermine the system's reliability.

    Uselessly cumbersome, unworkable, and does nothing to solve the problems of
    integrity of the election process in terms of maintaining recountability
    (e.g., validated paper receipts or other mechanisms) and anonymity of votes.

    ------------------------------

    Date: Mon, 25 May 2015 18:49:36 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: A Tech Boom Aimed at the Few, Instead of the World

    The industry once thought big, but today's wave of start-ups is
    characterized by a rise in services aimed at the wealthy and the young.
    http://www.nytimes.com/2015/05/21/t...m-aimed-aat-the-few-instead-of-the-world.html

    ------------------------------

    Date: Mon, 25 May 2015 18:48:46 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Americans Don't Trust Government and Companies to Protect Privacy

    Most Americans say it is important to control who has access to their
    personal information, but they have little faith that the government or
    companies will protect their private data, according to a new report by the
    Pew Research Center.
    http://bits.blogs.nytimes.com/2015/...-government-and-companies-to-protect-privacy/

    ------------------------------

    Date: Mon, 25 May 2015 18:40:19 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: The Government's Consumer Data Watchdog

    The Federal Trade Commission's chief technologist fights to ensure that
    companies keep consumers' information safe and private.
    http://www.nytimes.com/2015/05/24/technology/the-governments-consumer-data-watchdog.html

    ------------------------------

    Date: Tue, 26 May 2015 15:54:51 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: IRS says thieves stole tax info from >100,000 taxpayers

    FYI -- It doesn't get much worse than this; these are the same people that
    can take money out of your bank accounts any time they want to.

    "We don't care, we don't have to...we're the IRS." (apologies to Lily Tomlin).

    "During this filing season, taxpayers successfully and safely downloaded a
    total of approximately 23 million transcripts."

    So the real number is somewhere between 1 and 23 million; let's pick
    "100,000" as a nice average.?!.

    http://bigstory.ap.org/article/3453...sbreak-irs-says-thieves-stole-tax-info-100000

    APNewsBreak: IRS says thieves stole tax info from 100,000
    Stephen Ohlemacher, AP, 26 May 2015

    WASHINGTON (AP) --Thieves used an online service provided by the IRS to gain
    access to information from more than 100,000 taxpayers, the agency said
    Tuesday.

    The information included tax returns and other tax information on file with
    the IRS.

    The IRS said the thieves accessed a system called "Get Transcript." In
    order to access the information, the thieves cleared a security screen that
    required knowledge about the taxpayer, including Social Security number,
    date of birth, tax filing status and street address.

    "We're confident that these are not amateurs," said IRS Commissioner John
    Koskinen.

    Koskinen said the agency was alerted to the thieves when technicians noticed
    an increase in the number of taxpayers seeking transcripts.

    The IRS said they targeted the system from February to mid-May. The service
    has been temporarily shut down.

    Taxpayers sometimes need copies of old tax returns to apply for mortgages or
    college aid. While the system is shut down, taxpayers can still apply for
    transcripts by mail.

    The IRS said its main computer system, which handles tax filing submissions,
    remains secure.

    The IRS has launched a criminal investigation. The agency's inspector
    general is also investigating.

    "In all, about 200,000 attempts were made from questionable email domains,
    with more than 100,000 of those attempts successfully clearing
    authentication hurdles," the agency said. "During this filing season,
    taxpayers successfully and safely downloaded a total of approximately 23
    million transcripts."

    ------------------------------

    Date: Mon, 25 May 2015 18:47:41 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Up to 1.1 Million Customers Could be Affected in Data Breach at
    Insurer CareFirst

    The hacking of CareFirst, a health insurer, may have some common links to
    the attacks on Anthem and Premera.
    http://www.nytimes.com/2015/05/21/b...ach-up-to-1-1-million-customers-affected.html

    ------------------------------

    Date: Sat, 23 May 2015 15:30:40 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Adult FriendFinder hack EXPOSES MILLIONS of MEMBERS (John Leyden)

    John Leyden, *The Register*, 22 May 2015
    Users with a fetish for risky encounters in public spaces will be thrilled

    Hackers have swiped and leaked the personal details and sexual preferences
    of 3.9 million users of hookup website Adult FriendFinder.

    Lusty lonely hearts, including those who asked for their account to be
    deleted, have been left in an awkward position after hackers broke into
    systems before uploading the details to the dark web.

    Email addresses, usernames, postcodes, dates of birth and IP addresses of
    3.9 million members have been exposed.

    http://www.theregister.co.uk/2015/05/22/adult_hookup_site_breach_data/

    ------------------------------

    Date: Tue, 26 May 2015 15:58:10 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Large-scale attack hijacks routers through users' browsers"
    (Lucian Constantin)

    Lucian Constantin, InfoWorld, 26 May 2015
    Security researchers have found a Web attack tool designed specifically to
    exploit vulnerabilities in routers and hijack their DNS settings
    http://www.infoworld.com/article/29...k-hijacks-routers-through-users-browsers.html

    ------------------------------

    Date: Sun, 31 May 2015 19:20:41 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Ex-FIFA Official Cites Satirical 'Onion' Article in His Self-Defense

    http://www.nytimes.com/2015/06/01/w...ck-warner-cites-onion-article-in-defense.html

    Jack Warner, arrested last week in connection with a criminal investigation,
    held up the faux news report as evidence, he said, of an American
    conspiracy.

    ------------------------------

    Date: Mon, 01 Jun 2015 08:14:01 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Elizabeth Warren's official website is untrusted by Firefox

    This Connection is Untrusted

    You have asked Firefox to connect securely to www.warren.senate.gov, but we
    can't confirm that your connection is secure.

    Normally, when you try to connect securely, sites will present trusted
    identification to prove that you are going to the right place. However,
    this site's identity can't be verified. [...]

    www.warren.senate.gov uses an invalid security certificate.

    ------------------------------

    Date: Sat, 30 May 2015 11:30:56 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: One-Tap Giving? Extra Steps Mire Mobile Donations

    http://www.nytimes.com/2015/05/30/your-money/one-tap-giving-extra-steps-mire-mobile-donations.html

    Mobile apps can be used to summon a car or order food with a simple tap, but
    making a charitable donation is not as easy.

    ------------------------------

    Date: Mon, 1 Jun 2015 09:06:05 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Partners launches $1.2 billion electronic health records system

    http://www.bostonglobe.com/business...ords-system/oo4nJJW2rQyfWUWQlvydkK/story.html

    ------------------------------

    Date: Mon, 1 Jun 2015 11:10:26 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Could wearing a smartwatch behind the wheel land you in hot water?
    (Hayley Tsukayama)

    Hayley Tsukayama, 29 May 2015

    Smartwatches such as the Apple Watch are designed to keep us from being
    glued to our smartphone screens all day. But even with their bite-sized
    messages, are these new gadgets still too distracting for use behind the
    wheel?

    Some other countries' police officers certainly seem to think so. A Canadian
    man was fined $120 for using his Apple Watch while driving earlier this
    week, Montreal's CTV News reported. ...

    http://www.washingtonpost.com/blogs...watch-behind-the-wheel-land-you-in-hot-water/

    Pincourt man fined $120 for using Apple Watch while driving
    http://montreal.ctvnews.ca/pincourt-man-fined-120-for-using-apple-watch-while-driving-1.2394293

    ------------------------------

    Date: Wed, 27 May 2015 09:54:33 -0400
    From: robert schaefer <r...@haystack.mit.edu>
    Subject: Hacked billboard gets rude

    FBI and Homeland Security Respond to Shocking Goatse Bomb in Atlanta

    http://gawker.com/fbi-and-homeland-security-respond-to-shocking-goatse-bo-1704768347

    "The setup is exactly as insecure as you'd imagine: many of these electronic
    billboards are completely unprotected, dangling on the public Internet
    without a password or any kind of firewall. This means it's pretty simple to
    change the image displayed from a new AT&T offer to, say, Goatse." ...
    "security researcher Dan Tentler tweeted yesterday that he'd tried to warn
    this very same sign company that their software is easily penetrable by
    anyone with a computer and net connection and was told they were `not
    interested'."

    ------------------------------

    Date: Mon, 25 May 2015 18:33:52 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Uber Closes In on Its Last Frontier: Airports

    http://www.nytimes.com/2015/05/26/business/uber-closes-in-on-its-last-frontier-airports.html

    American airport officials know the ride-hailing phenomenon will not recede,
    and they are rewriting regulations to welcome all manner of cars.

    ------------------------------

    Date: Sun, 24 May 2015 23:08:42 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Driving Uber Mad

    http://www.nytimes.com/2015/05/24/opinion/sunday/maureen-dowd-driving-uber-mad.html

    The tragic saga of how Cinderella's Uber coach turned back into a judgmental
    pumpkin.

    ------------------------------

    Date: Sun, 24 May 2015 23:14:57 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Behind the Downfall at BlackBerry

    http://bits.blogs.nytimes.com/2015/05/24/behind-the-downfall-at-blackberry/

    A new book by two reporters from The Globe and Mail offers details about the
    emotional and business turmoil surrounding BlackBerry's near collapse.

    ------------------------------

    Date: Sun, 24 May 2015 13:37:55 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Verizon's 'Pick Your Own Cable TV Channels' Is Just Another Bait &
    Switch -- Read the Fine Print (Bruce Kushnick)

    Bruce Kushnick, *HuffPost*, 22 May 2015

    It amazes me how many media stories have decided to just cut and paste
    Verizon's supplied information about their new FiOS "customized TV plan"
    without examining the 'fine print'. I guess everyone is just desperate to
    get anything that smacks of ala-carte pricing for cable TV service, where
    the customer can pick and choose which cable programming they want to buy --
    and is supposed to save some money.

    http://www.huffingtonpost.com/bruce-kushnick/verizons-pick-your-own-ca_b_7419440.html

    ------------------------------

    Date: Sun, 24 May 2015 00:22:53 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Anti-NSA Pranksters Planted Tape Recorders Across New York and
    Published Your Conversations (Andy Greenberg)

    Andy Greenberg, 20 May 2015

    A woman at a gym tells her friend she pays rent higher than $2,000 a
    month. An ex-Microsoft employee describes his work as an artist to a woman
    he's interviewing to be his assistant -- he makes paintings and body casts,
    as well as something to do with infrared light that's hard to discern from
    his foreign accent. Another man describes his gay lover's unusual sexual
    fetish, which involves engaging in fake fistfights, ``like we were doing a
    scene from Batman Returns.''

    These conversations -- apparently real ones, whose participants had no
    knowledge an eavesdropper might be listening -- were recorded and published
    by the NSA. Well, actually no, not the NSA, but an anonymous group of
    anti-NSA protesters claiming to be contractors of the intelligence agency
    and launching a new `pilot program' in New York City on its behalf. That
    spoof of a pilot program, as the prankster provocateurs describe and
    document in videos on their website, involves planting micro-cassette
    recorders under tables and benches around New York city, retrieving the
    tapes and embedding the resulting audio on their website:
    Wearealwayslistening.com. ...

    http://www.wired.com/2015/05/nsa-pranksters-planted-tape-recorders-nyc/

    ------------------------------

    Date: May 29, 2015 at 8:36:04 AM EDT
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: The Age Of Disinformation (James Spann)

    James Spann, Medium.com, 27 May 2015 (via Dave Farber)
    <https://medium.com/@spann/the-age-of-disinformation-98d55837d7d9>

    I have been a professional meteorologist for 36 years. Since my debut on
    television in 1979, I have been an eyewitness to the many changes in
    technology, society, and how we communicate. I am one who embraces change,
    and celebrates the higher quality of life we enjoy now thanks to this
    progress.

    But, at the same time, I realize the instant communication platforms we
    enjoy now do have some negatives that are troubling. Just a few examples in
    recent days:

    I would say hundreds of people have sent this image to me over the past 24
    hours via social media. [Rest omitted; somewhat less computer relevant. PGN]

    ------------------------------

    Date: Sun, 24 May 2015 19:46:01 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: BBC: The generation that tech forgot (via NNSquad)

    http://www.bbc.com/news/technology-32511489 [an important read. LW]

    With a rising elderly population, the technology industry cannot afford to
    ignore the issue. It is estimated that, by 2030, 19% of the US population
    will be over 65 - roughly the same proportion that currently own iPhones.
    And by 2050, there will be one retired person for every two that are in
    work. Apple is looking to address this - but not with new hardware. In a
    joint venture with IBM, it announced last month it would design "iPad
    apps" that would be "very easy to use for seniors". Aimed at the Japanese
    market, the apps will help connect millions of older people with
    healthcare services. "It assumes that its product is inherently usable,"
    says Mr Hosking.

    And this situation is a terrible shame and waste, because this tech
    can bring enormous benefits even to very elderly persons, if the
    effort were made by someone with sufficient resources and talent to do
    it right. (I'm talking to you, Google.)

    ------------------------------

    Date: Tue, 26 May 2015 18:29:47 +0900
    From: chiaki ishikawa <ishi...@yk.rim.or.jp>
    Subject: A badly designed centralized desktop management can cause health risks

    In today's computing environment, especially in an enterprise setting where
    IT department looks after the PCs and other devices distributed across the
    premise, the need for centralized control is acute.

    Even PC's desktops are no exception with respect to the centralized
    control. We now have PCs running as if they were thin client in some
    environments.

    When a user logs in, these PCs load the user environment from centrally
    managed servers. The local files are swapped in/out when a different user
    logs in. (A similar complete wiping out of the previous user's desktop and
    restarting a computer with a fresh install even can often be seen at a PC
    made available at a hotel room or a hotel business center.)

    Such a centralized control may cause network load issues reported in web
    blogs and vendor white papers.

    With that background, let me tell you a story.

    I visited a hospital the other day for an appointment at 09:00. This is the
    earliest slot in the morning. I was there at about 08:50 and was instructed
    to wait in front of the doctor's office. Above the door, there is an LCD
    screen that shows whose turn (a number for the day's appointment which is
    printed on a supermarket receipt-like paper when I check in at the hospital
    using my ID card.). If there are people waiting, the queue is shown at the
    bottom. I thought it was really neat in this modern ICT age (although I
    thought it is a bit of waste of electricity although I am not sure if the
    LCD ran in energy saving mode or something.)

    From the manner the doctor set up the 09:00 appointment a few weeks ago, I
    thought I would be consulted at 09:00 sharp.

    But 09:00 came and passed and nothing happened. I noticed the dentist's
    office in the back began accepting patients. (The hospital was a large
    general hospital with many departments.) Still nothing. Another doctor's
    office in the same row began accepting patient around 09:05. Still nothing
    at my doctor's office. I noticed the smoked glass window on the door of the
    doctor's office showed the interior lighting, so the doctor was already in.

    I began wondering if my previous medical tests turned out very bad and the
    doctor was going over them very carefully (?)

    At about 09:10, the LCD screen above my doctor's office door finally
    displayed my appointment number as the first patient that morning. I went in
    the office uneasily, and the first thing the doctor said is not related to
    my health at all: "Logging in is too slow in the morning. I could not get to
    read the data"(!)

    Wow. A great Risks item :)

    It seems that the PC in the doctor's office is used as a thin-client
    workstation [running Java applications] setting to access medical care
    system, and from what gathered looking at the screen and hardware in a short
    time while I was there, it seems that the user-profile and everything is
    first copied to the local PC for efficiency reasons, and that caused a flood
    of the network transfer in the morning just before 09:00 when doctors and
    clerks began using their computers. No wonder all other doctors, too, could
    not invite patients quickly enough.

    The doctor mentioned the particular system is not used widely although it is
    priced at low cost which the hospital could afford: the doctor said
    something about low-quality, but I doubt that in general terms. It seemed
    feature-rich from the menu and the doctor's interaction once the files were
    fetched from the server(s) was good and UI seemed better than some systems
    used at smaller hospitals I have seen.

    But the problem is that this particular installation is simply not designed
    very well for network peak usage for a big hospital, and presumably other
    high-priced systems use different approach regarding the centralized desktop
    management to avoid the peak usage issue (or uses even 10GHz for backbone
    for network transfer I suppose to take care of high volume of I/O at peak
    time and powerful servers that cost a lot.)

    Well, a bad system design can cause health risks.

    Anyone going to this particular hospital had better not have a heart attack
    or other sudden severe symptoms before 9 o'clock in the morning because by
    the time they may get to the hospital on an ambulance in time, the doctors
    may not be able to read vital data due to "network timeout" on their PCs (!)

    I never thought I would experience such a direct computer-related risk in a
    hospital I visit.

    ------------------------------

    Date: Mon, 1 Jun 2015 10:57:43 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: CONTRARY WARNING! - "How Google Finally Got Design"

    http://www.fastcodesign.com/3046512/how-google-finally-got-design?utm_content-buffer20941

    "Google's transformation into a company that creates beautiful software
    is the story of how tech itself has evolved in the mobile era."

    I'm posting this item here as an example of how different points of view can
    create *utterly contrary* reactions -- because to many observers Google's
    user interfaces (and this definitely isn't just a Google problem) have
    become increasingly, frustratingly *unusable* to significant and growing
    segments of the user population -- special needs, older users, and
    others. I'm currently conducting a survey on these issues -- please see:
    http://lauren.vortex.com/archive/001103.html

    and responses have been pouring in -- many of them maddeningly
    heartbreaking. More on this as I collect additional ongoing data.

    ------------------------------

    Date: Tue, 26 May 2015 08:57:26 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: NYTimes.com is a very expensive "wall wart"

    There's something very weird about the Firefox browser & *The New York
    Times* web site, which causes my computers to use 5-8x the electricity of
    most other web sites.

    I have Javascript completely turned off, thanks to NoScript, but the NYTimes
    web site still consumes 11-15% of my CPU's (tested with both Windows/32-bit
    and Ubuntu/64-bit).

    Other web sites -- e.g., LATimes.com, Boston.com, etc. (also with Javascript
    disabled) -- take only perhaps 1-3% of my CPU's.

    The high CPU load occurs only when NYTimes is the top tab; if I switch the
    top tab to LATimes.com, the CPU load drops down to 1-3%.

    The NYTimes CPU load persists even when these computers are disconnected
    from the Internet.

    These measurements are up-to-date (as of today, 5/26/2015) for Firefox v. 38.

    All add-ons & extensions are disabled -- except NoScript -- and
    particularly, *all video is disabled*.

    The problem is not expensive gif images, because other sites which use gifs
    are not so expensive.

    I'm mystified.

    Apparently, leaving The NYTimes open in your Firefox browser makes for very
    expensive wallpaper.

    ------------------------------

    Date: Fri, 29 May 2015 08:32:00 -0400
    From: robert schaefer <r...@haystack.mit.edu>
    Subject: This Ad for Banned Food in Russia Can Hide Itself From the Cops

    This is an advertising stunt, but has interesting implications all the same:

    "Websites are already able to serve up ads customized for whoever happens to
    be viewing a page. Now an ad agency in Russia is taking that idea one step
    further with an outdoor billboard that's able to automatically hide when it
    spots the police coming."

    http://gizmodo.com/this-ad-for-banned-food-in-russia-can-hide-itself-from-1707145443

    ------------------------------

    Date: Thu, 28 May 2015 13:17:31 +0100
    From: David Damerell <dame...@chiark.greenend.org.uk>
    Subject: Re: Only 3% of people aced Intel's phishing quiz (Jeff Jedras)

    An alarming figure! But when we look at the story, we find the reality is
    (slightly) less alarming; that includes people who identified non-phishes
    as phishes, whereas "only" 80% of the people tested misidentified phishes.

    ------------------------------

    Date: Tue, 26 May 2015 23:47:37 -0500
    From: "Alister Wm Macintyre \(Wow\)" <macwh...@wowway.com>
    Subject: Re: All cars must have tracking devices (Drewe)

    [Numerous collision incidents have occurred -- some days half a dozen]
    between trains and road vehicles, in the USA, described at this site:
    http://www.trainwreckdb.com/

    I wonder what the rate is like elsewhere in our world.

    I suspect some of this, and violations of school bus safety, is thanks to
    the USA eliminating driver education from the school system, allegedly
    triggered by budget cuts.

    We can be thankful that these incidents are not triggering bomb trains.

    Bomb trains go off typically at least twice a month -- there were almost 40
    of them in the USA in 2014. Basically the infrastructure, to move crude
    oil, was developed before we had Canadian Oil Sands, and US fracking. Oil
    from those sources contains a lot of pieces of rock and sand, which abrade
    the insides of pipelines and oil tankers, causing them to breach, reach
    something to trigger ignition, and away they go in a monster fire. Here's a
    source for the above statistics:
    http://www.wsj.com/articles/train-wrecks-hit-tougher-oil-railcars-1425861371

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
    if possible and convenient for you. The mailman Web interface can
    be used directly to subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks
    Alternatively, to subscribe or unsubscribe via e-mail to mailman
    your FROM: address, send a message to
    risks-...@csl.sri.com
    containing only the one-word text subscribe or unsubscribe. You may
    also specify a different receiving address: subscribe address= ... .
    You may short-circuit that process by sending directly to either
    risks-s...@csl.sri.com or risks-un...@csl.sri.com
    depending on which action is to be taken.

    Subscription and unsubscription requests require that you reply to a
    confirmation message sent to the subscribing mail address. Instructions
    are included in the confirmation message. Each issue of RISKS that you
    receive contains information on how to post, unsubscribe, etc.

    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines.

    => .UK users may contact <Lindsay....@newcastle.ac.uk>.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you NEVER send mail!
    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
    *** NOTE: Including the string `notsp' at the beginning or end of the subject
    *** line will be very helpful in separating real contributions from spam.
    *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
    http://www.risks.org takes you to Lindsay Marshall's searchable archive at
    newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 28.66
    ************************
     
  10. LakeGator

    RISKS-LIST: Risks-Forum Digest Thursday 4 June 2015 Volume 28 : Issue 67

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.67.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Simple String of Characters Crashes Skype (PCMag)
    You Can Be Prosecuted for Clearing Your Browser History (The Nation)
    Artificial Pancreas and Risks (IEEE Spectrum item via Werner U)
    EHR Costs More $ Billions Piled On For "Security" (Politico via D Kross)
    Long, detailed expose regarding Russia's massive, dangerous, professional
    Internet trolling misinformation operations (The NY Times)
    Cybersecurity Views from a National Intelligence Officer (Jon Oltsik via
    Werner U)
    NOBUS can shoot ourselves in the foot like this (Henry Baker)
    U.S. Surveillance in Place Since 9/11 Is Sharply Limited (The NY Times)
    "You haven't seen anything yet" Thought for the Day (Lauren Weinstein)
    Questions and Answers About Newly Approved USA Freedom Act (The NY Times)
    Article: How I tracked FBI aerial surveillance (PGN)
    Little Brothers are watching you: Nexar (Geektime via Amos Shapir)
    Intel's new Fortran Extended with Crap Algorithmic Language
    (Simon Sharwood via Henry Baker)
    Apple now dominates consumer digital video viewing, says new Adobe report
    (Jackie Dove)
    EU wants to kill open Wi-FI (Lauren Weinstein)
    Re: Volvo horrible self-parking car accident (Andrew Pam)
    Re: This Ad for Banned Food in Russia Can Hide Itself From the Cops
    (Amos Shapir)
    Re: Only 3% of people aced Intel's phishing quiz (Amos Shapir)
    Re: Woman plans to sue after Fla. license labels her a sex offender
    (Amos Shapir)
    Re: House of Discards: Wikipedia pre-election edits (Peter Bernard Ladkin)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 3 Jun 2015 10:42:03 -0700
    From: Lauren Weinstein
    Subject: Simple String of Characters Crashes Skype (PCMag)

    http://www.pcmag.com/article2/0,2817,2485271,00.asp

    Unit testing? BAH!

    ------------------------------

    Date: Thu, 4 Jun 2015 13:37:01 -0700
    From: Lauren Weinstein
    Subject: You Can Be Prosecuted for Clearing Your Browser History (The Nation)

    http://m.thenation.com/article/208593-you-can-be-prosecuted-clearing-your-browser-history

    ------------------------------

    Date: Tue, 2 Jun 2015 19:22:37 +0200
    From: Werner U
    Subject: Artificial Pancreas and Risks (IEEE Spectrum)

    [ <http://spectrum.ieee.org/biomedical> and the "Tech Talk" blog there ]

    (*The artificial pancreas is the culmination of a 50-year slog in
    bioengineering--one that is finally paying off because of improvements in
    insulin, sensors, and algorithms.*)

    Diabetes Has a New Enemy: Robo-Pancreas
    Sensors, actuators, and algorithms can automatically control blood sugar....
    <http://spectrum.ieee.org/biomedical/bionics/diabetes-has-a-new-enemy-robopancreas>

    Can Hackers Commit the Perfect Murder By Sabotaging an Artificial Pancreas?
    <http://spectrum.ieee.org/tech-talk/...-murder-by-sabotaging-an-artificial-pancreas->
    Robotic systems are, at last, beginning to take over some of the burden of
    managing the fluctuations in blood glucose in patients with Type 1
    diabetes. But a new report warns that as the systems get adopted more
    widely, the risk of criminal eavesdropping and sabotage will also increase.

    The report, by Yogish C. Kudva and colleagues at the Mayo Clinic in
    Rochester, Minn., and at the University of Virginia in Charlottesville, appears
    in *Diabetes Technology & Therapeutics*
    <http://online.liebertpub.com/doi/full/10.1089/dia.2014.0328>.

    Make the machine administer too little insulin, and the blood-glucose level
    may rise high enough to send the patient into a ketoacidosis coma. Make it
    administer too much, and the glucose falls until the brain fails, causing the
    patient to faint, or even die. It might seem to bad guys like the way to
    commit the perfect murder. ...

    Read all about it in the June issue of *IEEE Spectrum*, which is devoted to
    a single topic: "Hacking the Human OS."

    ------------------------------

    Date: Wed, 3 Jun 2015 21:53:15 +0000
    Subject: EHR Costs More $ Billions Piled On For "Security" (Politico via D Kross)

    http://www.politico.com/story/2015/...ords-it-spent-billions-to-install-118432.html

    ------------------------------

    Date: Tue, 2 Jun 2015 11:37:52 -0700
    From: Lauren Weinstein
    Subject: Long, detailed expose regarding Russia's massive, dangerous,
    professional Internet trolling misinformation operations (The NY Times)

    http://www.nytimes.com/2015/06/07/magazine/the-agency.html

    From a nondescript office building in St. Petersburg, Russia, an army of
    well-paid `trolls' has tried to wreak havoc all around the Internet and in
    real-life American communities.

    The battle was conducted on multiple fronts. Laws were passed requiring
    bloggers to register with the state. A blacklist allowed the government to
    censor websites without a court order. Internet platforms like VKontakte
    and Yandex were brought under the control of Kremlin allies. Putin gave
    ideological cover to the crackdown by calling the entire Internet a
    "C.I.A. project," one that Russia needed to be protected from.
    Restrictions online were paired with a new wave of digital propaganda. The
    government consulted with the same public relations firms that worked with
    major corporate brands on social-media strategy. It began paying fashion
    and fitness bloggers to place pro-Kremlin material among innocuous posts
    about shoes and diets, according to Yelizaveta Surnacheva, a journalist
    with the magazine Kommersant Vlast. Surnacheva told me over Skype that the
    government was even trying to place propaganda with popular gay bloggers
    -- a surprising choice given the notorious new law against "gay
    propaganda," which fines anyone who promotes homosexuality to minors.
    [via NNSquad]

    ------------------------------

    Date: Wed, 3 Jun 2015 10:41:38 +0200
    From: Werner U
    Subject: Cybersecurity Views from a National Intelligence Officer (Jon Oltsik)

    [ Jon Oltsik <http://www.networkworld.com/author/Jon-Oltsik/>, writing on
    the recent Cyber Exchange Forum event, sponsored by ACSC (the Advanced
    Cyber Security Center, <http://www.acscenter.org/>) ]

    The featured speaker was Sean Kanuck, National Intelligence Officer for
    Cyber Issues, Office of the Director of National Intelligence. In this role,
    Sean directs the production of national intelligence estimates (for
    cyber-threats), leads the intelligence community (IC) in cyber analysis, and
    writes personal assessments about strategic developments in cyberspace.

    Cybersecurity Views from a National Intelligence Officer
    <http://www.networkworld.com/article...ews-from-a-national-intelligence-officer.html>

    Some highlights:

    * On the scope of threats. Sean does not subscribe to the notion of a "cyber
    Pearl Harbor" for the most part. He stated that there are only a few
    nation states capable of this type of attack (i.e. China and Russia) and
    that an attack of this magnitude was highly unlikely during peace
    time. His caveat to this was that we already face a series of disruptive
    attacks like those at the Sands Hotel of Las Vegas and Sony Pictures that
    are having a cumulative impact on the U.S. economy and national security.

    * On future attacks. Sean spoke of a growing concern around data integrity
    using the Syrian Electronic Army hack of the Associated Press's Twitter
    account in 2013. This particular event led to a decrease of $137 billion
    in stock market valuation. He emphasized the fact that a relatively small
    crime moved billions of dollars and that these types of scams are often
    used to fund all types of other malicious activities.

    * On non-state actors. While these groups don't have the sophistication of
    nation states, Kanuck described the threat from non-state actors as being
    "as good as what can be purchased online from the cyber black market." In
    other words, the bad guys will improve malware attacks as well as their
    tactics, techniques, and procedures (TTPs) as the cybercrime industry
    becomes more organized and market-like. Unfortunately, this advancement is
    already well underway.

    * On political will. Sean stated that there are about 30 countries that are
    now developing offensive cyber capabilities. It's cheap and effective with
    very little risk.

    * On commercial cybersecurity innovation. New products like automated
    penetration testing software can really help companies identify IT risk,
    but Kanuck pointed out that they are also making it easier for the black
    hat community.

    Sean said that organizations can expect to encounter cyber-attacks that
    cause IT attrition and degradation.

    Much like disaster recovery, organizations should then create a plan that
    allows them to operate in a degraded state when this occurs...

    ------------------------------

    Date: Thu, 04 Jun 2015 10:58:10 -0700
    From: Henry Baker
    Subject: NOBUS can shoot ourselves in the foot like this

    http://www.washingtonpost.com/blogs...-when-the-nsa-doesnt-help-fix-security-flaws/

    Let's assume, for the sake of argument, that this is true; that no govt --
    with the exception of the U.S. -- can collect and interpret intelligence as
    well as the U.S.

    Most people would assume that this is a *GOOD* thing; after all, isn't
    intelligence *obviously* monotonically increasing? Isn't it *obvious* that
    more intelligence is always better? Isn't this monotonicity the whole point
    of "collect it all" ?

    A problem with "obvious" is that "obvious" doesn't necessarily mean "true".

    Perhaps the simplest example of non-monotonicity is the Ishihara Color Test
    *hidden digit plate*: "only individuals with color vision defect could
    recognize the figure". A person with normal color vision (i.e., without the
    color vision defect) wouldn't see the figure. In this case, more
    information is worse!

    https://en.wikipedia.org/wiki/Color_perception_test

    The "collect it all" mentality has already been challenged on Bayesian grounds:

    http://www-stat.wharton.upenn.edu/~hwainer/Readings/Wainer Savage.pdf

    I'm going to challenge NOBUS on "paranoia & arrogance" grounds; I claim that
    the NOBUS attitude has actually made it cheaper and easier for the U.S. to
    *attack itself* with a self-inflicted act of "terrorism".

    Here are the ingredients:

    * U.S. paranoia has put its entire govt security apparatus on a "hair
    trigger" response
    * U.S. is now capable and willing to shoot down commercial airliners as a
    defense against another "9/11"
    * "Collect it all" enables U.S. govt to make intelligence correlations
    impossible by other govts
    * Electronic intelligence "evidence" is given far greater weight than common
    sense by govt intelligence apparatus

    Since the U.S. govt has already loaded its gun, pointed it at its foot, and
    cocked it, all that a "terrorist" has to do now is to convince the govt that
    a threat from that foot is imminent, at which point the U.S. govt will blow
    its own foot off.

    This "terrorist" knows that the collect-it-all NSA is listening to meta-data
    world-wide, and actual data outside the U.S. Furthermore, the NSA is hard
    at work producing correlations, the overwhelming majority of which are
    spurious.

    Enter the Ishihara Color Test *vanishing plate*: only individuals with
    better color vision can recognize the figure; the US now has better
    intelligence vision, so NOBUS sees the figure.

    All that is necessary is to seed NSA-monitored communications channels with
    enough misdirections -- each of which is completely innocent by itself --
    but which, when "correlated" by a paranoid intelligence apparatus, will
    create the perception of imminent attack by a commercial airliner landing at
    a major U.S. city -- e.g., Washington, DC or New York City.

    Note that these seeds would be uncorrelated (and indeed uncorrelatable) by
    any other govt, but due to NOBUS, only the U.S. govt would "see" the
    "overwhelming" evidence of imminent attack.

    Note that this "terrorist" need not send any agents into the physical U.S.;
    he/she need not train anyone to fly a plane; he/she need never engage in an
    act more violent than tapping a computer keyboard, using a cell phone or an
    ATM machine or a credit card.

    All this "terrorist" has to do is to convince this paranoid govt that a
    commercial airliner is not under the complete control of its pilots, and
    that this "knowledge" is obtained too late in the plane's landing pattern
    before a missile would have to be fired.

    But it gets worse: even *practice attempts* at misdirection will be
    interpreted as additional evidence of a real plot, so this "terrorist" would
    eventually be able to accomplish his/her goal.

    I leave it to the Tom Clancy's of the world to construct the appropriate
    seeds to plant, but it doesn't seem that difficult to come up with
    appropriate scenarios.

    Note that -- due to NOBUS -- no other govt would (be able to) come to the
    same conclusions, and therefore that no other govt would willingly blow its
    own foot off.

    The NOBUS collect-it-all/correlate-it-all mentality has risks of its own.

    ------------------------------

    Date: Wed, 3 Jun 2015 08:42:12 -0400
    From: Monty Solomon
    Subject: U.S. Surveillance in Place Since 9/11 Is Sharply Limited (The NY Times)

    http://www.nytimes.com/2015/06/03/u...ce-bill-passes-hurdle-but-showdown-looms.html

    A bill to allow the government to restart surveillance operations, but with
    new restrictions, passed over the opposition of the Senate majority leader,
    and was signed by President Obama.

    ------------------------------

    Date: Wed, 3 Jun 2015 18:11:14 -0700
    From: Lauren Weinstein
    Subject: Questions and Answers About Newly Approved USA Freedom Act (The NY Times)

    http://www.nytimes.com/aponline/2015/06/03/us/politics/ap-us-nsa-surveillance-qa.html


    ------------------------------

    Date: Thu, 4 Jun 2015 11:37:21 -0700
    From: Peter G Neumann
    Subject: Article: How I tracked FBI aerial surveillance

    http://arstechnica.com/tech-policy/2015/06/how-i-tracked-fbi-aerial-surveillance/

    ------------------------------

    Date: Wed, 3 Jun 2015 17:32:26 +0300
    From: Amos Shapir
    Subject: Little Brothers are watching you: Nexar (Geektime)

    http://www.geektime.com/2015/05/28/...nexar-you-can-easily-report-terrible-drivers/

    There is no mention of whether the application enables tagged drivers to
    review and/or appeal their rating (just the first issue which popped into my
    mind, there may be lots more). Amos

    ------------------------------

    Date: Wed, 03 Jun 2015 08:44:44 -0700
    From: Henry Baker
    Subject: Intel's new Fortran Extended with Crap Algorithmic Language
    (Simon Sharwood)

    http://www.theregister.co.uk/2015/0...internet_of_span_classstrikeshtspan_ithingsi/

    Intel imagines chips in nappies to create the Internet of sh*t things

    We have a CODE BROWN down there, repeat CODE BROWN

    Intel-sponsored 'DiaperPie' connected nappy

    Simon Sharwood, *The Register*, 2 Jun 2015

    Computex 2015 If you think the Internet of Things (IoT) is a steaming pile
    of you-know-what, Intel's kind-of confirmed your suspicions by backing a
    team that's imagined an Internet-connected nappy (diaper for North American
    readers).

    Computex 2015 is full of folks spruiking the Internet of stuff. On the show
    floor you can hardly move for video cameras, sensors and associated
    networking kit.

    Intel's taken things a step further, revealing today that one of the `maker'
    teams it's encouraged to play with its Edison platform has created a
    prototype Internet-connected nappy (diaper).

    The idea's simple: nappies of the future will include a sensor, or you'll
    get your tot to wear one, and when your offspring's alimentary canals
    produce waste you'll get a warning on your smartphone. WiFi produces too
    much energy to ensure the viability of infant innards, so Bluetooth LE gets
    the job of telling you about the presence of something brown or yellow.

    For now, the nappy is full of an Intel Edison system and its host board.
    The pair certainly have enough grunt to squeeze out some data: there's a
    dual core Atom at 500MHz in there, along with 1GB of RAM and 4GB of flash to
    store -- let's leave that to the imagination.

    Before your correspondent's children were toilet trained, their mother and I
    employed a sophisticated remote olfactory sensing technology to determine
    whether their pants were full. That biological device had a remarkable
    range and never ran out of batteries but was susceptible to viruses, which
    could reduce its sensitivity by inducing unusual flows of mucus.

    Future parents, it seems, may be spared that marvelous part of child-rearing.

    Intel and its makers did not, however, discuss a solution for the nastiest
    part of the job, namely the bit involving wet wipes. Your correspondent
    will report if such a device can be found on the show floor.

    ------------------------------

    Date: Thu, 4 Jun 2015 13:35:53 -0400
    From: Monty Solomon
    Subject: Apple now dominates consumer digital video viewing, says new Adobe
    report (Jackie Dove)

    http://thenextweb.com/apple/2015/06...-digital-video-viewing-says-new-adobe-report/

    ------------------------------

    Date: Tue, 2 Jun 2015 12:52:57 -0700
    From: Lauren Weinstein
    Subject: EU wants to kill open Wi-FI

    http://www.glasswings.com.au
    Serious Cybernetics http://www.xanadu.com.au/; http://www.sericyb.com.au/

    ------------------------------

    Date: Tue, 2 Jun 2015 12:44:13 +0300
    From: Amos Shapir
    Subject: Re: This Ad for Banned Food in Russia Can Hide Itself From the Cops

    www.rvs.uni-bielefeld.de www.causalis.com

    ------------------------------

    End of RISKS-FORUM Digest 28.67
    ************************
     
  11. LakeGator

    Risks Digest 28.68

    RISKS List Owner

    Jun 11, 2015 3:11 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 11 June 2015 Volume 28 : Issue 68

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.68.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    All U.S. United Flights Grounded Over Mysterious Problem (PGN)
    Airbus transport crash caused by "wipe" of critical engine control data
    (Ars Technica)
    Man dies in Corvette after battery cable becomes loose (Khou via
    Mark Thorson)
    Traffic Hacking: Caution Light Is On (Nicole Perlroth)
    OpenSesame: 10-sec universal garage door opener (Dennis Fisher)
    Amtrak Engineer Not on Phone at Time of Derailment, Investigators Find
    (NYTimes)
    After Silences and Setbacks, the LightSail Spacecraft Is Revived (NYT)
    Evidence of Healthcare Breaches Lurks On Infected Medical Devices
    (Werner U)
    New exploit leaves most Macs vulnerable to permanent backdooring
    (Dan Goodin)
    Breach in a Federal Computer System Exposes Personnel Data (NYTimes)
    Chinese Hackers Behind Breach at Insurers Are Also Responsible for
    Government Attack (NYTimes)
    Single Test for All Virus Exposure Opens Doors for Researchers (NYT)
    Kaspersky Lab cybersecurity firm is hacked (BBC)
    Consumers Dislike Data-Mining but Feel Helpless to Stop It (NYT)
    Exclusive: In 'year of Apple Pay', many top retailers remain skeptical
    (Reuters)
    "Governments of the World Agree: Encryption Must Die!" (Lauren Weinstein)
    Japanese pension organization phished, 1.25M people's data leaked
    (chiaki ishikawa)
    Twitter Advertisers Can Now Target You Based on the Other Phone Apps
    (recode)
    Re: "NOBUS can shoot ourselves in the foot like this" (Chris Drewe)
    Re: Volvo has an accident, but not the one you thought (Peter Ladkin)
    Re: EU wants to kill open Wi-Fi (Peter Ladkin)
    Re: You Can Be Prosecuted for Clearing Your Browser History
    (Henry Baker)
    Re: House of Discards: Wikipedia pre-election edits (Henry Baker)
    REVIEW - "The Florentine Deception", Carey Nachenberg (Rob Slade)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 11 Jun 2015 11:03:52 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: All U.S. United Flights Grounded Over Mysterious Problem

    All United Airlines flights in the US were grounded this morning for nearly
    an hour, over `dispatching information'. Various tweets from passengers
    suggest different possible explanations: hacked network? fake flight plans?
    disgorging random plans? dropped flight plans? Considerable confusion?
    The problem was then resolved.
    http://www.wired.com/2015/06/united-flights-grounded-mysterious-problem/

    ------------------------------

    Date: Wed, 10 Jun 2015 08:44:33 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Report: Airbus transport crash caused by "wipe" of critical engine
    control data

    http://arstechnica.com/information-...used-by-wipe-of-critical-engine-control-data/

    ------------------------------

    Date: Wed, 10 Jun 2015 13:18:17 -0700
    From: Mark Thorson <e...@sonic.net>
    Subject: Man dies in Corvette after battery cable becomes loose

    The doors don't open without battery power. There is a mechanical release,
    but it's hidden and many Corvette owners don't know about it. This man may
    have died while reading his owner's manual, which adds a new dimension to
    the term RTFM.

    http://www.khou.com/story/news/loca...die-after-being-trapped-in-corvette/70999112/

    ------------------------------

    Date: 11 Jun 2015 09:49:32 -0400
    From: "Bob Frankston" <bob19...@bobf.frankston.com>
    Subject: Traffic Hacking: Caution Light Is On (Nicole Perlroth)

    Today's NYTimes.com
    http://bits.blogs.nytimes.com/2015/06/10/traffic-hacking-caution-light-is-on/?_r=0

    [The article might be interpreted as implying that so-called `smart'
    anythings could all be vulnerable. No surprise to RISKS readers. PGN]

    ------------------------------

    Date: Fri, 05 Jun 2015 14:24:25 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: OpenSesame: 10-sec universal garage door opener

    FYI -- It usually takes me longer than 10 seconds to find the right button
    to push...

    Dennis Fisher, 4 Jun 2015
    Using a Toy to Open a Fixed-Code Garage Door in 10 Seconds
    https://threatpost.com/using-a-toy-to-open-a-fixed-code-garage-door-in-10-seconds/113146

    ------------------------------

    Date: Wed, 10 Jun 2015 09:46:51 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Amtrak Engineer Not on Phone at Time of Derailment, Investigators Find

    http://www.nytimes.com/2015/06/11/u...andon-bostian-not-on-cellphone-ntsb-says.html

    ------------------------------

    Date: Tue, 9 Jun 2015 03:10:31 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: After Silences and Setbacks, the LightSail Spacecraft Is Revived

    http://www.nytimes.com/2015/06/08/s...setbacks-spacecraft-prepares-unfurl-sail.html

    LightSail was successfully deployed and worked for two days before its
    computer crashed because of a software flaw.

    Eight days of silence followed until, as engineers expected, a high-speed
    charged particle zipping through space fortuitously scrambled part of the
    computer's memory and caused the computer to restart ... and deploy its
    solar sail.

    ------------------------------

    Date: Tue, 9 Jun 2015 05:15:48 +0200
    From: Werner U <wer...@gmail.com>
    Subject: Evidence of Healthcare Breaches Lurks On Infected Medical Devices

    [ regarding 8 June 2015 article on The Security Ledger website ]

    chicksdaddy <http://it.slashdot.org/%7Echicksdaddy> wrote on SLASHDOT
    http://it.slashdot.org/story/15/06/...re-breaches-lurks-on-infected-medical-devices

    *Evidence that serious and widespread breaches of hospital and healthcare
    networks are likely to be hiding on compromised and infected medical devices in
    clinical settings
    <https://securityledger.com/2015/06/...s-give-malware-foothold-on-hospital-networks/>,
    including medical imaging machines, blood gas analyzers and more, according
    to a report by the firm TrapX. In the report, which will be released this
    week, the company details incidents of medical devices and management
    stations infected with malicious software at three, separate customer
    engagements. According to the report, medical devices -- in particular
    so-called picture archive and communications systems (PACS) radiologic
    imaging systems -- are all but invisible to security monitoring systems
    and provide a ready platform for malware infections to lurk on hospital
    networks, and for malicious actors to launch attacks on other, high value IT
    assets. Malware at a TrapX customer site spread from a unmonitored PACS
    system to a key nurse's workstation. The result: confidential hospital data
    was secreted off the network to a server hosted in Guiyang, China.
    Communications went out encrypted using port 443 (SSL), resulting in the
    leak of an unknown number of patient records. "The medical devices
    themselves create far broader exposure to the healthcare institutions than
    standard information technology assets," the report concludes. One
    contributing factor to the breaches: Windows 2000 is the OS of choice for
    "many medical devices." The version that TrapX obtained "did not seem to
    have been updated or patched in a long time," the company writes.*

    ------------------------------

    Date: Sun, 7 Jun 2015 23:33:08 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: New exploit leaves most Macs vulnerable to permanent backdooring
    (Dan Goodin)

    Hack allows firmware to be rewritten right after older Macs awake from sleep.
    Dan Goodin, *Ars Technica*. 1 Jun 2015

    Macs older than a year are vulnerable to exploits that remotely overwrite
    the firmware that boots up the machine, a feat that allows attackers to
    control vulnerable devices from the very first instruction.

    http://arstechnica.com/security/201...ost-macs-vulnerable-to-permanent-backdooring/

    ------------------------------

    Date: Fri, 5 Jun 2015 01:50:53 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Breach in a Federal Computer System Exposes Personnel Data

    http://www.nytimes.com/2015/06/05/us/breach-in-a-federal-computer-system-exposes-personnel-data.html

    The intrusion, which appears to have involved information on about four
    million current and former government workers, was the third such breach in
    the last year.

    ------------------------------

    Date: Fri, 5 Jun 2015 01:51:46 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Chinese Hackers Behind Breach at Insurers Are Also Responsible for
    Government Attack

    Researchers say it suggests spies are no longer just stealing American
    corporate and military trade secrets, but personal information for some
    later purpose.
    http://www.nytimes.com/2015/06/05/t...le-for-government-attack-researchers-say.html

    [See also
    http://www.huffingtonpost.com/2015/06/04/government-data-breach_n_7514620.html
    PGN]

    ------------------------------

    Date: Thu, 4 Jun 2015 20:12:26 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Single Test for All Virus Exposure Opens Doors for Researchers

    http://www.nytimes.com/2015/06/05/health/single-blood-test-for-all-virus-exposures.html

    It's like one-stop shopping for scientists: a blood test can now show every
    virus that has crossed a person's path, lending insight into disease.

    ------------------------------

    Date: Wed, 10 Jun 2015 18:46:49 +0000
    From: PGN
    Subject: Kaspersky Lab cybersecurity firm is hacked (BBC)

    BBC, 10 Jun 2015
    http://www.bbc.com/news/technology-33083050

    "Kaspersky Lab said it believed the attack was designed to spy on its newest
    technologies. It said the intrusion involved up to three previously unknown
    techniques."

    ------------------------------

    Date: Fri, 5 Jun 2015 14:36:32 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Consumers Dislike Data-Mining but Feel Helpless to Stop It

    Many Americans do not think the trade-off of their data for personalized
    services, giveaways or discounts is a fair deal, a University of
    Pennsylvania study found.
    http://www.nytimes.com/2015/06/05/t...d-over-data-mining-policies-report-finds.html

    ------------------------------

    Date: Sun, 7 Jun 2015 23:28:26 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Exclusive: In 'year of Apple Pay', many top retailers remain skeptical

    http://www.reuters.com/article/2015/06/05/us-apple-pay-idUSKBN0OL0CM20150605

    ------------------------------

    Date: Thu, 4 Jun 2015 14:18:52 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Lauren's Blog: "Governments of the World Agree: Encryption Must Die!"

    Governments of the World Agree: Encryption Must Die!
    http://lauren.vortex.com/archive/001104.html

    Finally! There's something that apparently virtually all governments around
    the world can actually agree upon. Unfortunately, it's on par conceptually
    with handing out hydrogen bombs as lottery prizes.

    If the drumbeat isn't actually coordinated, it might as well be. Around the
    world, in testimony before national legislatures and in countless interviews
    with media, government officials and their surrogates are proclaiming the
    immediate need to "do something" about encryption that law enforcement and
    other government agencies can't read on demand.

    Here in the U.S., it's a nearly constant harangue over on FOX News
    (nightmarishly, where most Americans apparently get their "news" these
    days). On CNN, it's almost as pervasive (though anti-crypto tirades on CNN
    must share space with primetime reruns of a globetrotting celebrity chef and
    crime "reality" shows).

    It's much the same if you survey media around the world. The names and
    officials vary, but the message is the same -- it's not just terrorism
    that's the enemy, it's encryption itself.

    That argument is a direct corollary to governments' decidedly mixed feelings
    about social media on the Internet. On one hand, they're ecstatic over the
    ability to monitor the public postings of criminal organizations like ISIL
    (or ISIS, or Islamic State, or Daesh -- just different labels for the same
    fanatical lunatics) that sprung forth from the disastrously misguided
    policies of Bush 1 and Bush 2 era right-wing neocons -- who not only set the
    stage for the resurrection of long-suppressed religious rivalries, but
    ultimately provided them with billions of dollars worth of U.S. weaponry as
    well. Great job there, guys.

    Since it's also the typical role of governments to conflate and confuse
    issues whenever possible for political advantage, when we dig deeper into
    their views on social media and encryption we really go down the rabbit
    hole.

    While governments love their theoretical ability to track pretty much every
    looney who posts publicly on Twitter or Facebook or Google+, governments
    simultaneously bemoan the fact that it's possible for uncontrolled
    communications -- especially international communications -- to take place
    at all in these contexts.

    In particular, it's the ability of radical nutcases overseas to recruit
    ignorant (especially so-called "lone wolf") nutcases in other countries that
    is said to be of especial concern, notably when these communications
    suddenly "go dark" off the public threads and into private, securely
    encrypted channels.

    "Go dark" -- by the way -- is now the government code phrase for crypto they
    can't read on demand. Dark threads, dark sites, dark links. You get the
    idea.

    One would be remiss to not admit that these radical recruiting efforts are
    of significant concern.

    But where governments' analysis breaks down massively is with the direction
    of their proposed solutions, which aren't aimed at addressing the root
    causes of fanatical religious terrorism, but rather appear almost entirely
    based on preventing secure communications -- for anybody! -- in the first
    place.

    Naturally they don't phrase this goal in quite those words. Rather, they
    continue to push (to blankly nodding politicians, journalists, and cable
    anchors) the tired and utterly discredited concept of "key escrow"
    cryptography, where governments would have "backdoor" keys to unlock
    encrypted communications, supposedly only when absolutely necessary and with
    due legal process.

    Rewind 20 years or so and it's like "Groundhog Day" all over again, back in
    the early to mid 90s when NSA was pushing their "Clipper Chip" hardware
    concept for key escrowed encryption, an idea that was mercilessly buried in
    relatively short order.

    But like a vampire entombed without appropriate rituals, the old key escrow
    concepts have returned to the land of the living, all the uglier and more
    dangerous after their decades festering in the backrooms of governments.

    The hardware Clipper concept dates to a time well before the founding of
    Twitter or Facebook, and a few years before Google's arrival. Apple existed
    back then, but centralized social media as we know it today wasn't yet even
    really a glimmer in anyone's eye.

    While governments generally seem to realize that stopping all crypto that
    they can't access on demand is not practical, they also realize that the big
    social media platforms (of which I've named only a few) -- where most users
    do most of their social communicating -- are the obvious targets for
    legislative, political, and other pressures.

    And this is why we see governments subtly (and often, not so subtly)
    demonizing these firms as being uncooperative or somehow uncaring about
    fighting evil, about fighting crime, about fighting terrorism. How dare
    they -- authorities repeat as a mantra -- implement encryption systems that
    governments cannot access at the click of a mouse, or sometimes access at
    all under any conditions.

    Well, welcome to the 21st century, because the encryption genie isn't going
    back into his bottle, no matter how hard you push.

    Strong crypto is critical to our communications, to our infrastructures, to
    our economies, and increasingly to many other aspects of our lives.

    Strong crypto is simply not possible -- let's say that once more with
    feeling -- not possible, given key escrow or other government backdoors
    designed into these systems. There is no practical or even theoretically
    accepted means for including such mechanisms without fatally weakening the
    entire associated encryption ecosystem, and opening it up to all manner of
    unauthorized access via hacking and various subversions of the key escrow
    process.

    But governments just don't seem willing to accept the science and reality of
    this, and keep pushing the key escrow meme. It's like the old joke about the
    would-be astronaut who wanted to travel to the sun, and when reminded that
    he'd burn up, replied that it wasn't a problem, because he'd go at
    night. Right.

    Notably, just as we had governments who ignored realistic advice and
    unleashed the monsters of religious fanatical terrorism, we now have many of
    the same governments on the cusp of trying to hobble, undermine, and
    decimate the strong encryption systems that are so very vital.

    There's every reason to believe that we'd experience a similarly disastrous
    outcome in the encryption context as well, especially if social media firms
    were required to deploy only weak crypto -- putting the vast populations of
    innocent users at risk -- while driving the bad guys even further
    underground and out of view.

    If we don't vigorously fight back against government efforts to weaken
    encryption, we're all going to be badly burned.
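    The post argues that a key-escrow "backdoor" cannot be added without weakening the whole system. The following toy demonstration is an added example, not part of Lauren's post or of any real escrow proposal: every message is encrypted under a fresh session key, and that session key is wrapped for the recipient and, optionally, for an escrow authority. The cipher (HMAC-SHA256 in counter mode) and the key wrap (XOR with such a keystream) are toy constructions chosen so it runs on the standard library alone; the labels, key sizes and the five-user scenario are assumptions. What it shows is the structural point: with escrow, one stolen escrow key reveals every participant's traffic regardless of how well each participant guards their own key.

```python
"""Toy key-escrow demonstration (an added example, not part of the post).

Each message is encrypted under a fresh random session key.  That session
key is wrapped for the intended recipient and, in the escrowed variant,
also wrapped for an escrow authority.  The cipher is a keystream built from
HMAC-SHA256 in counter mode and the key wrap is XOR with such a keystream;
both are toy constructions chosen so the example runs with the Python
standard library only and must not be used as real cryptography.
"""
import hashlib
import hmac
import os
from typing import Optional

RCPT_LABEL = b"rcpt"   # domain-separation labels for the two wraps (assumed)
ESCR_LABEL = b"escr"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(key, nonce || counter) blocks concatenated to `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with the keystream (no authentication)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def encrypt(message: bytes, recipient_key: bytes,
            escrow_key: Optional[bytes] = None) -> dict:
    """Build an envelope; include an escrow wrap only when escrow_key is given."""
    session_key = os.urandom(32)
    nonce = os.urandom(16)
    envelope = {
        "nonce": nonce,
        "ciphertext": xor_with_stream(session_key, nonce, message),
        "wrapped_for_recipient": xor_with_stream(recipient_key, nonce + RCPT_LABEL, session_key),
    }
    if escrow_key is not None:
        envelope["wrapped_for_escrow"] = xor_with_stream(escrow_key, nonce + ESCR_LABEL, session_key)
    return envelope


def decrypt(envelope: dict, key: bytes, slot: str) -> Optional[bytes]:
    """Unwrap the session key held in `slot` with `key`, then decrypt.
    Returns None when the envelope carries no such wrap."""
    if slot not in envelope:
        return None
    label = RCPT_LABEL if slot == "wrapped_for_recipient" else ESCR_LABEL
    session_key = xor_with_stream(key, envelope["nonce"] + label, envelope[slot])
    return xor_with_stream(session_key, envelope["nonce"], envelope["ciphertext"])


def escrow_key_compromise(with_escrow: bool, users: int = 5) -> int:
    """Simulate `users` independent senders, each with their own long-term key,
    then count how many of their messages a single stolen escrow key reveals.
    With escrow every message falls; without it, none."""
    escrow_key = os.urandom(32)
    traffic = [(b"record %d" % i, os.urandom(32)) for i in range(users)]
    envelopes = [encrypt(msg, rkey, escrow_key if with_escrow else None)
                 for msg, rkey in traffic]
    stolen_key = escrow_key  # the one key every participant is forced to trust
    return sum(1 for (msg, _), env in zip(traffic, envelopes)
               if decrypt(env, stolen_key, "wrapped_for_escrow") == msg)


if __name__ == "__main__":
    print("messages exposed by a stolen escrow key, with escrow:",
          escrow_key_compromise(True))
    print("messages exposed by a stolen escrow key, without escrow:",
          escrow_key_compromise(False))
```

    The escrow wrap is the only part of the envelope that every sender in the system shares; that is what turns a per-user key compromise into a system-wide one, and it is the reason the escrow authority's key store becomes the single most valuable target in the design.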

    ------------------------------

    Date: Fri, 05 Jun 2015 13:29:31 +0900
    From: chiaki ishikawa <ishi...@yk.rim.or.jp>
    Subject: Japanese pension organization phished, 1.25M people's data leaked

    Reading the discussion about "Re: Only 3% of people aced Intel's phishing
    quiz", I have to wonder how much we should educate the general public AND
    the SYSTEM INTEGRATORS who hire new graduates without much experience in
    security matters.

    The recent news brought home this issue:
    Japanese Pension Service (run by the government) was attacked by phishing,
    and as a result, data for 1.25 million people got leaked according to
    news articles in the past few days.

    What irked me most, as someone who is in the ICT industry and has an interest
    in security matters, is the comment uttered by a senior official, according
    to some news articles in different publications. (So I assume it was in a
    live interview or something and *is* FOR REAL, to my utter dismay.):

    My translation:

    "The organization will take more security measures including that the PCs
    that handle individual's data cannot access outside Internet, ..."

    A PC/terminal that handles the private information at the Pension Service
    can talk directly to the outside WAN?
    I WAS INCREDULOUS INITIALLY.

    And this seems to be the case, indeed, and that is how a large amount (maybe
    not total) of the leak seems to have occurred. Sigh.

    In the aftermath of the revealed incident, some high government officials
    blamed the pension fund for its handling of private data and said that a
    clerk should not open an attachment to an e-mail from outside sources.

    But to err is human.

    I think such an organization ought to

    1. - Use a customized mail client so that the clerk on a PC that handles the
    sensitive data can never open an attachment at all: Yes, what I mean is even
    if a clerk can click on an attachment or a URL within the main text by
    mistake or something, it SHOULD NOT OPEN it at all. (Well, I think Mozilla's
    mailer is open source, and there are other open source mail clients.
    Customizing to disable certain operations won't be difficult. If a clueless
    correspondent sends an attachment, it can be opened in a very, very carefully
    quarantined computer running a virtual PC environment, after forwarding to
    it.)

    AND OF COURSE

    2. - Such a PC with sensitive data should not be capable of talking to the
    outside Internet directly.

    Regarding the second point, the sophistication of the worms means that they
    may be able to install a communication proxy on an Internet-capable intranet
    PC that relays the communication from the Internet-blocked PC to the
    outside world, but proper filtering at the local PCs or switches ought to
    prevent such issues: I looked at Norton Internet Security on my PC and I
    think it can restrict communication to only a selected few and it can
    disable all the inbound communication. So it can thwart the use of a proxy,
    etc. (And actually, this has been a pain in the neck when I try to use a
    Privoxy proxy running on a PC from a Linux image running on a different PC.)
    So it is easily doable today. Of course, we need constant and independent
    checks of the firewall settings of such a locally installed security tool.

    Anyway, I really would like to know who DESIGNED the intranet at the Pension
    Service so that we can learn from the mistakes...

    I found some English articles about this.

    [1]
    https://www.itgovernance.co.uk/blog...ion-records-leaked-following-phishing-attack/
    [2]
    http://www.tripwire.com/state-of-se...se-citizens-personal-data-in-targeted-attack/

    But these leave some key issues missing and are a little misinformed as to
    the serious nature of the attack.

    Today's Asahi Shimbun newspaper article (online) [in Japanese] gives a very
    detailed and good report of what has happened.
    http://www.asahi.com/articles/ASH647G88H64UTIL04R.html?iref=comtop_6_01

    Usually details remain obscured for this type of incident, but given the
    sloppy work of system integrator(s) at key government services in the past,
    I think someone high up in the command of government security matters must
    have decided that the detailed explanation would be good to educate the ICT
    community to rise up from this shoddy level of awareness.

    At least the next time something like this happens, the government can sue
    system integrators for gross negligence by citing this incident and the
    publicized method of the attack.

    NOW THERE IS AN ECONOMIC INCENTIVE on the side of system integrators to make
    sure proper security measures are in place.

    I suspect this is the only stick that sinks in security lessons.

    From the above link of Asahi Shimbun, I have learned the following:

    A certain "Takemura" sent an e-mail using some jargon from the pension
    business and explained that he had sent some suggestions about the procedure
    at the organization, and this made the recipient believe that the sender was
    well versed in pension matters.

    Now, according to the article, the clerk clicked on the URL at the end of
    the e-mail (ok, so no attachment is involved this time around, but a mere
    URL click.) [At least my suggestion above would block this operation.]
    This caused a download of malware with a 0-day attack! It collected the ID
    of the user on the PC, etc. Also, this malware subsequently downloaded bot
    software.

    There was a trace that this malware created clones so that even if one is
    eradicated, the others would remain, and it seems that it tried to connect
    to other PCs on the LAN.

    Within less than 5 hours of the contamination, the Pension Service was
    notified by NISC (National Information Security Center) of strange network
    activity from the PC, and pulled the plug.

    This was on May 8th.

    10 days later, at two-minute intervals, about 100 phishing e-mails arrived
    at addresses within the organization, including some which were never
    publicized outside before, with a virus attachment, and now the "From:"
    address shown was that of an INTERNAL address (!). But the originating IP
    address was the same as in the initial attack. [Obviously some clever attack
    is being waged.] I have no idea whether the e-mail from the originating IP
    address was blocked or not.

    Anyway, on May 21, two PCs in the same office were found to be communicating
    with external IP addresses. Surprise. One is the "replacement PC" of the
    clerk whose PC was pulled off the network (!?) On May 23, 9 more PCs in a
    different office (now in Tokyo) were found to be doing the same.

    The rest is history.

    At least the newspaper article stated the forensics have only determined how
    the initial PC and the two PCs found on May 21 were attacked and hijacked.
    It is not known how the others got infected.

    The current Japanese administration is trying to introduce a single numeric
    ID for each citizen in Japan for efficient administrative processing, à la
    the SS number in the USA.

    In the face of this breach, it is hard to sell such a policy now. Too easy a
    target for ID theft, etc., unless proper security measures and preventive
    measures for limiting the damage of ID theft are in place.

    At least, I hope that there will be more scrutiny on the security design of
    the computer systems.

    P.S. I suspect this phishing is part of a well orchestrated attack by
    organized crime or something. News articles report the police seem to have
    found part of the leaked data on data servers used by previous phishing
    attacks (which I assume they have been monitoring for illegal activities).
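    The second wave described above has three observable features a mail gateway could have caught on its own: the "From:" address claims an internal domain while the message arrives from outside the organisation's address space, the messages land at a near-constant interval (an automated send), and the originating IP is the one already seen ten days earlier. The script below is an added example, not from Chiaki Ishikawa's post or from the Pension Service; it runs those three checks over a handful of constructed gateway log lines. The log format, the domain pension.example.jp, the internal address ranges and the IP addresses are all constructed for the example.

```python
"""Triage of constructed mail-gateway log lines for the pattern in the post:
internal-looking From: addresses arriving from an external IP, regular
sending intervals, and a source IP already tied to an earlier incident.
Every hostname, address and log line here is constructed for the example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAINS = {"pension.example.jp"}                      # assumed
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]       # assumed
KNOWN_BAD_IPS = {"203.0.113.7"}   # constructed: source IP of the earlier incident

# Constructed sample log: four messages two minutes apart from one external IP
# with an internal From:, then two ordinary messages.
SAMPLE_LOG = """\
2015-05-18T09:00:00 src=203.0.113.7 from=takemura@pension.example.jp to=clerk1@pension.example.jp attach=1
2015-05-18T09:02:00 src=203.0.113.7 from=takemura@pension.example.jp to=clerk2@pension.example.jp attach=1
2015-05-18T09:04:00 src=203.0.113.7 from=takemura@pension.example.jp to=internal-only@pension.example.jp attach=1
2015-05-18T09:06:00 src=203.0.113.7 from=takemura@pension.example.jp to=clerk3@pension.example.jp attach=1
2015-05-18T09:10:00 src=10.1.2.3 from=hr@pension.example.jp to=clerk1@pension.example.jp attach=0
2015-05-18T09:15:00 src=198.51.100.20 from=news@vendor.example.com to=clerk1@pension.example.jp attach=0
"""


def parse_line(line: str) -> dict:
    """Parse 'timestamp key=value ...' into a dict; attach becomes a bool."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["attach"] = rec["attach"] == "1"
    return rec


def is_internal_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def spoofed_internal_sender(rec: dict) -> bool:
    """True when From: claims an internal domain but the message came from outside."""
    domain = rec["from"].rsplit("@", 1)[1].lower()
    return domain in INTERNAL_DOMAINS and not is_internal_ip(rec["src"])


def regular_bursts(records, min_count: int = 3, tolerance_s: float = 15.0) -> dict:
    """Return {src_ip: (count, mean_interval_s)} for sources whose consecutive
    messages are spaced at a near-constant interval, a sign of scripted sending."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec["ts"])
    hits = {}
    for src, times in by_src.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            hits[src] = (len(times), sum(gaps) / len(gaps))
    return hits


def triage(log_text: str) -> list:
    """Run all three checks; each finding is (rule, source_ip, detail)."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for rec in records:
        if spoofed_internal_sender(rec):
            findings.append(("spoofed_internal_from", rec["src"], rec["to"]))
        if rec["src"] in KNOWN_BAD_IPS:
            findings.append(("known_bad_source", rec["src"], rec["to"]))
    for src, (count, interval) in regular_bursts(records).items():
        findings.append(("regular_burst", src, f"{count} msgs every {interval:.0f}s"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

    The first rule is the cheap one and the one that matters most for this case: a message that says it is from a colleague but enters through the Internet-facing gateway from an outside address should never reach a clerk's inbox with an attachment intact. The interval check is deliberately tolerant (15 seconds) because real mailers jitter; tighten or loosen it against your own gateway's timing.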

    ------------------------------

    Date: Wed, 10 Jun 2015 22:27:53 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Twitter Advertisers Can Now Target You Based on the Other Phone Apps

    http://recode.net/2015/06/10/twitte...et-you-based-on-the-other-apps-on-your-phone/

    For the past six months, Twitter has been collecting data on which
    smartphone apps its users download. Now, the company is using that data to
    make some money. Twitter announced on Wednesday that its advertisers can
    use that app information to target users with ads. Marketers will be able
    to target you based on the different categories of apps you have
    downloaded onto your phone as well as how recently you downloaded them.

    I'm incredibly disappointed in the direction Twitter has been taking. I
    understand why they've felt they need to go in this direction, but that's
    not an excuse. They're spamming like mad, and now this. Unacceptable, and
    why I hardly use Twitter any more.

    ------------------------------

    Date: Wed, 10 Jun 2015 15:10:17 +0100
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: "NOBUS can shoot ourselves in the foot like this" (RISKS-28.67)

    As it happens, there's a review in this weekend's newspaper of a book 'The
    New Spymasters' by Stephen Grey (Viking) which makes a similar point.
    http://www.telegraph.co.uk/culture/books/bookreviews/11648193/Whats-the-point-of-spies.html

    In summary it says:

    Langley was far too reliant on technology (or SIGINT), preferring to amass
    vast amounts of data on suspected terrorists with few credible human
    sources to corroborate it. As Grey observes: ``All this scientific
    espionage was bewitching. Cool gadgets and smart techniques inspired awe
    and a confidence that was comparable to religious zeal.'' ... What was
    missing from the American approach, in the author's view, was good,
    old-fashioned HUMINT. ``Human spies can be terribly frail and unreliable,
    but without any element of understanding and verification through human
    intelligence, and without basic common sense, terrible errors are bound to
    follow.''

    There's some debate here in the UK right now (following the recent election)
    on what surveillance powers the authorities should have; as usual, there's a
    hard sell for the idea that if they can't "collect it all" then we'll all be
    blown up by terrorists, but personally I'm more afraid of the country
    becoming like 1970s East Germany.

    Charles Cumming, What's the point of spies?

    A new book about spying argues that modern digital surveillance is no
    substitute for old-fashioned espionage
    http://www.telegraph.co.uk/culture/books/bookreviews/11648193/Whats-the-point-of-spies.html
    [Long item truncated for RISKS. PGN]

    ------------------------------

    Date: Fri, 05 Jun 2015
    From: Peter Bernard Ladkin <lad...@rvs.uni-bielefeld.de>
    Subject: Re: Volvo has an accident, but not the one you thought (Reisert)

    Jim Reisert pointed to a fusion.net article in Risks 28.66 on someone
    experimenting with a Volvo inadvisedly. Andrew Pam pointed out some of the
    real context in Risks 28.67.

    I searched for articles on the incident. There are a few, but many are
    derivative. I summarised what I found in
    http://www.abnormaldistribution.org/2015/06/05/volvo-has-an-accident/ , and
    commented.

    There has to be some lesson in someone trying out a protective function, on
    live people, with which the car was not equipped. There has to be some
    lesson in trying out any protective function on live people. There has to be
    some lesson in conducting the trial in such a way that the protective
    function would have been suppressed. And there has to be some lesson in
    conducting this trial without informing oneself about the capabilities of
    the vehicle or taking elementary safety precautions in case things go wrong.

    This last, BTW, is also a problem for professionals. There are incidents of
    professional pilots conducting return-to-service tests on commercial
    aircraft ... and of augering in because they were assuming the tests would
    succeed and they didn't! The main lesson is to remember that functional
    tests can always have at least two outcomes: pass and fail.

    Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
    www.rvs.uni-bielefeld.de www.causalis.com

    ------------------------------

    Date: Fri, 05 Jun 2015 13:01:02 +0200
    From: Peter Bernard Ladkin <lad...@rvs.uni-bielefeld.de>
    Subject: Re: EU wants to kill open Wi-Fi (Weinstein, Risks 28.67)

    Lauren Weinstein writes misleadingly about German law and Wi-Fi networks in
    RISKS-28.67.

    He says "...the Court of Justice of the European Union ..... is asked
    whether an enforcement practice requiring open wireless networks to be
    locked is an acceptable one. Germany's Federal Supreme Court in 2010 held
    that the private operator of a wireless network is obliged to use password
    protection in order to prevent abuse by third parties....."

    Let me set the record straight.

    There is no such requirement and no such obligation in Germany (or anywhere
    else I know).

    The CJEU has been asked by a lawyer with Pinsent Masons to rule on whether
    operators of unsecured Wi-Fi networks can be held liable for copyright
    infringement conducted using their networks.

    http://www.out-law.com/en/articles/...f-operators-of-free-and-open-wi-fi-networks-/

    Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
    www.rvs.uni-bielefeld.de www.causalis.com

    ------------------------------

    Date: Thu, 04 Jun 2015 21:39:43 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: You Can Be Prosecuted for Clearing Your Browser History (R-28.67)

    FYI -- Hmmm... Not a single Wall Street banker has faced jail time due to
    their part in almost bankrupting the country (and the world), yet we're
    using the *Sarbanes-Oxley Act* !?!, a law aimed at financial wrongdoing
    enacted by Congress in the wake of the Enron scandal, to prosecute
    non-financial crimes?

    Remind me again which Constitution is supposed to be in effect in the U.S. ?

    ------------------------------

    Date: Fri, 05 Jun 2015 10:25:17 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: House of Discards: Wikipedia pre-election edits (Ladkin)

    > It's only one sentence; he doesn't justify the connection he makes and I
    > don't see one.

    Two words: "Dennis Hastert".

    Dennis Hastert was 3rd in line to be President, and presided over a lot of
    legislation regarding sexual harassment (and worse).

    Due to wikipedia (& other) edits, "right-to-be-forgotten" countries will now
    be electing their own Dennis Hasterts.

    Those who are ready to forget the past shouldn't be surprised when the past
    repeats itself.

    Once again, "right-to-be-forgotten" is incompatible with democratic
    representative government. Yes, remembering past mistakes is painful, but
    the alternative (totalitarian govt) is far, far worse.

    ------------------------------

    Date: Wed, 10 Jun 2015 09:06:33 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: REVIEW - "The Florentine Deception", Carey Nachenberg

    BKFLODEC.RVW 20150609

    "The Florentine Deception", Carey Nachenberg, 2015, 978-1-5040-0924-9,
    U$13.49/C$18.91
    %A Carey Nachenberg http://florentinedeception.com
    %C 345 Hudson Street, New York, NY 10014
    %D 2015
    %G 978-1-5040-0924-9 150400924X
    %I Open Road Distribution
    %O U$13.49/C$18.91 www.openroadmedia.com
    %O http://www.amazon.com/exec/obidos/ASIN/150400924X/robsladesinterne
    http://www.amazon.co.uk/exec/obidos/ASIN/150400924X/robsladesinte-21
    %O http://www.amazon.ca/exec/obidos/ASIN/150400924X/robsladesin03-20
    %O Audience n+ Tech 3 Writing 2 (see revfaq.htm for explanation)
    %P 321 p.
    %T "The Florentine Deception"

    It gets depressing, after a while. When you review a bunch of books on the
    basis of the quality of the technical information, books of fiction are
    disappointing. No author seems interested in making sure that the
    technology is in any way realistic. For every John Camp, who pays attention
    to the facts, there are a dozen Dan Browns who just make it up as they go
    along. For every Toni Dwiggins, who knows what she is talking about, there
    are a hundred who don't.

    So, when someone like Carey Nachenberg, who actually works in malware
    research, decides to write a story using malicious software as a major plot
    device, you have to be interested. (And besides, both Mikko Hypponen and
    Eugene Spafford, who know what they are talking about, say it is technically
    accurate.)

    I will definitely grant that the overall "attack" is technically sound. The
    forensics and anti-forensics makes sense. I can even see young geeks with
    more dollars than sense continuing to play "Nancy Drew" in the face of
    mounting odds and attackers. That a vulnerability can continue to go
    undetected for more than a decade would ordinarily raise a red flag, but
    Nachenberg's premise is realistic (especially since I know of a
    vulnerability at that very company that went unfixed for seven years after
    they had been warned about it). That a geek goes rock-climbing with a
    supermodel we can put down to poetic license (although it may increase the
    license rates). I can't find any flaws in the denouement.

    But. I *cannot* believe that, in this day and age, *anyone* with a
    background in malware research would knowingly stick a thumb/jump/flash/USB
    drive labeled "Florentine Controller" into his, her, or its computer. (This
    really isn't an objection: it would only take a couple of pages to have
    someone run up a test to make sure the thing was safe, but ...)

    Other than that, it's a joy to read. It's a decent thriller, with some
    breaks to make it relaxing rather than exhausting (too much "one damn thing
    after another" gets tiring), good dialog, and sympathetic characters. The
    fact that you can trust the technology aids in the "willing suspension of
    disbelief."

    While it doesn't make any difference to the quality of the book, I should
    mention that Carey is donating all author profits from sales of the book to
    charity: http://florentinedeception.weebly.com/charities.html

    copyright, Robert M. Slade 2015 BKFLODEC.RVW 20150609
    rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org
    victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
    if possible and convenient for you. The mailman Web interface can
    be used directly to subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks
    Alternatively, to subscribe or unsubscribe via e-mail to mailman
    your FROM: address, send a message to
    risks-...@csl.sri.com
    containing only the one-word text subscribe or unsubscribe. You may
    also specify a different receiving address: subscribe address= ... .
    You may short-circuit that process by sending directly to either
    risks-s...@csl.sri.com or risks-un...@csl.sri.com
    depending on which action is to be taken.

    Subscription and unsubscription requests require that you reply to a
    confirmation message sent to the subscribing mail address. Instructions
    are included in the confirmation message. Each issue of RISKS that you
    receive contains information on how to post, unsubscribe, etc.

    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines.

    => .UK users may contact <Lindsay....@newcastle.ac.uk>.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you NEVER send mail!
    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
    *** NOTE: Including the string `notsp' at the beginning or end of the subject
    *** line will be very helpful in separating real contributions from spam.
    *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
    http://www.risks.org takes you to Lindsay Marshall's searchable archive at
    newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 28.68
    ************************
     
  12. LakeGator

    Risks Digest 28.69

    RISKS List Owner

    Jun 16, 2015 6:06 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 15 June 2015 Volume 28 : Issue 69

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.69.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Chris Roberts and Avionics Security (Bruce Schneier)
    Deja Vu All Over Again: The_Attack on Encryption (Gene Spafford)
    Why the OPM Breach is such a Security and Privacy Debacle
    (*WiReD*)
    Just Say "NON!" - France Demands Right of Global Google Censorship
    (Lauren Weinstein)
    US Navy wants 0Day Vulnerabilities (Henry Baker)
    White House Weighs Sanctions After Second Breach of a Computer System
    (Shear and Shane)
    Chinese Hackers Circumvent Popular Web Privacy Tools (Nicole Perlroth
    via Monty Solomon)
    If Google was really serious about Google Earth Pro now being free
    (Dan Jacobson)
    The Logjam Vulnerability against Diffie-Hellman Key Exchange
    (Bruce Schneier)
    Re: Man dies in Corvette after battery cable becomes loose (Kurt Seifried)
    Re: Japanese pension organization phished, 1.25M people's data leaked
    (Alister Wm Macintyre)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 15 Jun 2015 03:29:18 -0500
    From: Bruce Schneier <schn...@schneier.com>
    Subject: Chris Roberts and Avionics Security

    CRYPTO-GRAM, 15 June 2015

    Last month, I blogged about security researcher Chris Roberts being detained
    by the FBI after tweeting about avionics security while on a United flight:

    But to me, the fascinating part of this story is that a computer was
    monitoring the Twitter feed and understood the obscure references, alerted
    a person who figured out who wrote them, researched what flight he was on,
    and sent an FBI team to the Syracuse airport within a couple of
    hours. There's some serious surveillance going on.

    We know a lot more of the back story from the FBI's warrant application. He
    had been interviewed by the FBI multiple times previously, and was able to
    take control of at least some of the planes' controls during flight.

    During two interviews with F.B.I. agents in February and March of this
    year, Roberts said he hacked the in-flight entertainment systems of Boeing
    and Airbus aircraft, during flights, about 15 to 20 times between 2011 and
    2014. In one instance, Roberts told the federal agents he hacked into an
    airplane's thrust management computer and momentarily took control of an
    engine, according to an affidavit attached to the application for a search
    warrant.

    "He stated that he successfully commanded the system he had accessed to
    issue the 'CLB' or climb command. He stated that he thereby caused one of
    the airplane engines to climb resulting in a lateral or sideways movement
    of the plane during one of these flights," said the affidavit, signed by
    F.B.I. agent Mike Hurley.

    Roberts also told the agents he hacked into airplane networks and was able
    "to monitor traffic from the cockpit system."

    According to the search warrant application, Roberts said he hacked into
    the systems by accessing the in-flight entertainment system using his
    laptop and an Ethernet cable.

    This makes the FBI's behavior much more reasonable. They weren't scanning
    the Twitter feed for random keywords; they were watching his account.

    We don't know if the FBI's statements are true, though. But if Roberts was
    hacking an airplane while sitting in the passenger seat...wow, is that a
    stupid thing to do.

    *Christian Science Monitor*:

    But Roberts' statements and the FBI's actions raise as many questions as
    they answer. For Roberts, the question is why the FBI is suddenly focused
    on years-old research that has long been part of the public record.

    "This has been a known issue for four or five years, where a bunch of us
    have been stood up and pounding our chest and saying, 'This has to be
    fixed,'" Roberts noted. "Is there a credible threat? Is something
    happening? If so, they're not going to tell us," he said.

    Roberts isn't the only one confused by the series of events surrounding
    his detention in April and the revelations about his interviews with
    federal agents.

    "I would like to see a transcript (of the interviews)," said one former
    federal computer crimes prosecutor, speaking on condition of
    anonymity. "If he did what he said he did, why is he not in jail? And if
    he didn't do it, why is the FBI saying he did?"

    The real issue is that the avionics and the entertainment system are on the
    same network. That's an even stupider thing to do. Also last month, I wrote
    about the risks of hacking airplanes, and said that I wasn't all that
    worried about it. Now I'm more worried.

    Previous blog entry:
    https://www.schneier.com/blog/archives/2015/04/hacker_detained.html

    [Lots of relevant URLs omitted ... We had the item on Roberts by Kim
    Zetter exactly a month ago, in RISKS-28.64. Various folks complained to
    me out of band that what Roberts claimed was impossible, because the regs
    say there must be SEPARATION between the avionics and the entertainment
    systems. This reminds me of folks who claimed early on that Snowden could
    not have done what he claimed. RISKS readers should know by now that when
    something is presumed to be impossible, it probably is not impossible. PGN]

    ------------------------------

    Date: Thu, 11 Jun 2015 16:20:16 -0400
    From: Gene Spafford <sp...@cerias.purdue.edu>
    Subject: Deja Vu All Over Again: The_Attack on Encryption

    About 20 years ago, there was a heated debate in the U.S. about giving the
    government mandatory access to encrypted content via mandatory key escrow.
    The FBI and other government officials predicted all sorts of gloom and doom
    if it didn't happen, including that it would prevent them from fighting
    crime, especially terrorists, child pornographers, and drug dealers. That
    didn't happen.

    Once again the FBI and law enforcement agencies are clamoring for
    restrictions on encryption, with predictions of grave consequences.

    See the referenced item for discussion of this topic, with some historical
    and technical perspective, and a touch of unofficial USACM thinking:
    https://ceri.as/usacm-encrypt

    ------------------------------

    Date: Thu, 11 Jun 2015 20:19:11 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Why the OPM Breach is such a Security and Privacy Debacle

    *WiReD* via NNSquad
    http://www.wired.com/2015/06/opm-breach-security-privacy-debacle/

    It turns out the hackers, who are believed to be from China, also accessed
    so-called SF-86 forms, documents used for conducting background checks for
    worker security clearances. The forms can contain a wealth of sensitive
    data not only about workers seeking security clearance, but also about
    their friends, spouses and other family members. They can also include
    potentially sensitive information about the applicant's interactions with
    foreign nationals--information that could be used against those nationals
    in their own country ... The OPM had no IT security staff until 2013, and
    it showed. The agency was harshly criticized for its lax security in an
    inspector general's report released last November that cited its lack of
    encryption and the agency's failure to track its equipment. Investigators
    found that the OPM failed to maintain an inventory list of all of its
    servers and databases and didn't even know all the systems that were
    connected to its networks. The agency also failed to use multi-factor
    authentication for workers accessing the systems remotely from home or on
    the road.

    In many states, a corporation that operated this way could be facing
    criminal charges and enormous penalties.

    ------------------------------

    Date: Fri, 12 Jun 2015 09:22:38 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Just Say "NON!" - France Demands Right of Global Google Censorship

    http://lauren.vortex.com/archive/001106.html

    I've been waiting for this, much the way one waits for a violent case of
    food poisoning.

    France is now officially demanding that Google expand the hideous EU "Right
    To Be Forgotten" (RTBF) to Google.com worldwide, instead of just applying it
    to the appropriate localized (e.g. France) version of Google.
    http://www.wsj.com/articles/french-...le-to-expand-right-to-be-forgotten-1434098033

    And here's my official response as a concerned individual:

    To hell with this.

    That's nowhere near as strong a comment as I'd really like to make, but this
    is a general readership blog and I choose to avoid the use of the really
    appropriate invectives here. But man, I could justifiably pile on enough
    epithets here to melt your screens before your eyes.

    A key reason why I've been warning all along about the disastrous nature of
    RTBF is precisely this "camel's nose under the tent" situation. Giving in to
    localized censorship demands from the EU and/or member countries was bound
    to have this result.

    What's worse, if France or other EU countries get away with this attempt to
    impose their own censorship standards onto the entire planet, we can be sure
    that government leaders around the world will quickly follow suit, demanding
    that Google globally remove search results that are politically
    "inconvenient" -- or religiously "blasphemous" -- or, well, you get the
    idea. It's a virtually bottomless cesspool of evil censorship opportunities.

    It's bad enough when the ever more censorship and surveillance loving
    Western leaders have this kind of power. But how about Vladimir Putin, or
    China's rulers, or Iran's Supreme Leader as GLOBAL censors?

    It wouldn't be long before it would seem that every search on any
    controversial topic might as well be replaced with a "404 Not found" page --
    a rush to lowest common denominator mediocrity, purged of any and all
    information that government leaders, politicians, or bureaucrats would
    prefer people not be able to find and see.

    I've written and said so much about RTBF for years that it feels like an
    endless case of "Groundhog Day" at this point -- e.g. early on in "The
    'Right to Be Forgotten': A Threat We Dare Not Forget" (2/2012) (
    http://lauren.vortex.com/archive/000938.html ) and most recently in a one
    hour live RTBF hangout video discussion (about a month ago).

    And I'm certainly not alone in these concerns. Yet we continue to be sucked
    down this rathole, now with governments using overblown security concerns as
    an excuse to try to justify even broader search engine censorship across a
    vast range of topics.

    So far, Google has resisted the concept of RTBF being applied globally. I
    not only applaud their stance on this, but I strongly urge them to stand
    utterly firm on this issue.

    RTBF even in localized forms is bad, but if countries had the ability to
    impose their individual censorship regimes onto the entire globe's
    population, we'd be -- with absolutely no exaggeration -- talking about an
    existential threat not just to "free speech" but to fundamental
    communications and information rights as well.

    This cannot be tolerated.

    Just say NO! Non! Nein! Nahin! Nyet!

    ------------------------------

    Date: Fri, 12 Jun 2015 08:50:39 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: US Navy wants 0Day Vulnerabilities

    FYI: Subsidizing this type of hacking is not going to end well, just as the
    British govt subsidizing privateers didn't end well. The *Navy* -- of all
    the services -- should be aware of this history!

    Also, why on Earth would a truly qualified vendor sell these services --
    exclusively (!) -- to the US govt, which is the lowest bidder?

    My only conclusion is that this solicitation is a phishing scam, intended to
    uncover targets stupid enough for FBI prosecution.

    "please include only relevant past performance on the same/similar work
    within the last 3 years" <-- presumably this means hacking subject to
    prosecution within the statute of limitations?

    "identify qualified and *experienced* sources"

    "seeking a qualified vendor capable of producing operational exploit
    products"

    "a minimum of 10 unique reports with corresponding exploit binaries"

    "Products developed under these conditions will not be available to any
    other customer"

    "[Technical support] services must be available Monday through Friday
    during normal working hours (0730 EST through 1630 EST)" <-- This will be
    a problem for hackers far outside the U.S.

    Simon Sharwood, US Navy wants 0-day intelligence to develop weaponware,
    *The Register*, 12 Jun 2015 [long item truncated for RISKS. PGN]
    http://www.theregister.co.uk/2015/06/12/us_navy_wants_0day_intelligence_to_develop_weaponware/

    ------------------------------

    Date: Sun, 14 Jun 2015 00:10:47 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: White House Weighs Sanctions After Second Breach of a Computer System
    (Shear and Shane)

    Michael D. Shear and Scott Shane, *The New York Times*, 12 Jun 2015

    WASHINGTON -- The White House on Friday revealed that hackers had breached a
    second computer system at the Office of Personnel Management, and said that
    President Obama was considering financial sanctions against the attackers
    who gained access to the files of millions of federal workers.

    Investigators had already said that Chinese hackers appeared to have
    obtained personal data from more than four million current and former
    federal employees in one of the boldest invasions into a government network.

    But on Friday, officials said they believed that a separate computer system
    at the agency was breached by the same hackers, putting at risk not only
    data about the federal employees, but also information about friends, family
    members and associates that could number millions more. Officials said that
    the second system contained files related to intelligence officials working
    for the F.B.I., defense contractors and other government agencies.

    http://www.nytimes.com/2015/06/13/u...after-second-breach-of-a-computer-system.html

    ------------------------------

    Date: Sun, 14 Jun 2015 00:14:16 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Chinese Hackers Circumvent Popular Web Privacy Tools
    (Nicole Perlroth)

    Nicole Perlroth, *The New York Times*, 12 Jun 2015

    SAN FRANCISCO -- Chinese hackers have found a way around widely used privacy
    technology to target the creators and readers of web content that state
    censors have deemed hostile, according to new research.

    The hackers were able to circumvent two of the most trusted privacy tools on
    the Internet: virtual private networks, or VPNs, and Tor, the anonymity
    software that masks a computer's true whereabouts by routing its Internet
    connection through various points around the globe, according to findings by
    Jaime Blasco, a security researcher at AlienVault, a Silicon Valley security
    company.

    Both tools are used by Chinese businesses and by millions of citizens to
    bypass China's censorship technology, often called the Great Firewall, and
    to make their web activities unreadable to state snoopers.

    http://www.nytimes.com/2015/06/13/t...ers-circumvent-popular-web-privacy-tools.html

    ------------------------------

    Date: Sat, 13 Jun 2015 06:58:54 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: If Google was really serious about Google Earth Pro now being free

    "We recommend that everyone use Google Earth Pro, as it has a few extra
    features and is now free. If it asks you for a licence key, just use your
    email address and the key: GEPFREE."
    http://www.gearthblog.com/blog/archives/2015/06/google-earth-installation-issues.html

    One would think that if Google was really serious about Google Earth Pro
    now being free they would type their license key in for us and perhaps
    even be kind enough to press return.

    ------------------------------

    Date: Mon, 15 Jun 2015 03:29:18 -0500
    From: Bruce Schneier <schn...@schneier.com>
    Subject: The Logjam Vulnerability against Diffie-Hellman Key Exchange

    Bruce Schneier, CRYPTO-GRAM, 15 June 2015
    CTO, Resilient Systems, Inc., https://www.schneier.com

    Logjam is a new attack against the Diffie-Hellman key-exchange protocol used
    in TLS. Basically:

    The Logjam attack allows a man-in-the-middle attacker to downgrade
    vulnerable TLS connections to 512-bit export-grade cryptography. This
    allows the attacker to read and modify any data passed over the
    connection. The attack is reminiscent of the FREAK attack, but is due to a
    flaw in the TLS protocol rather than an implementation vulnerability, and
    attacks a Diffie-Hellman key exchange rather than an RSA key exchange.
    The attack affects any server that supports DHE_EXPORT ciphers, and
    affects all modern web browsers. 8.4% of the Top 1 Million domains were
    initially vulnerable.

    One of the problems with patching the vulnerability is that it breaks
    things:

    On the plus side, the vulnerability has largely been patched thanks to
    consultation with tech companies like Google, and updates are available
    now or coming soon for Chrome, Firefox and other browsers. The bad news is
    that the fix rendered many sites unreachable, including the main website
    at the University of Michigan, which is home to many of the researchers
    that *found* the security hole.

    This is a common problem with version downgrade attacks; patching them makes
    you incompatible with anyone who hasn't patched. And it's the vulnerability
    the media is focusing on.

    Much more interesting is the other vulnerability that the researchers found:

    Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for
    Diffie-Hellman key exchange. Practitioners believed this was safe as long
    as new key exchange messages were generated for every connection. However,
    the first step in the number field sieve -- the most efficient algorithm
    for breaking a Diffie-Hellman connection -- is dependent only on this
    prime. After this first step, an attacker can quickly break individual
    connections.

    The researchers believe the NSA has been using this attack:

    We carried out this computation against the most common 512-bit prime used
    for TLS and demonstrate that the Logjam attack can be used to downgrade
    connections to 80% of TLS servers supporting DHE_EXPORT. We further
    estimate that an academic team can break a 768-bit prime and that a
    nation-state can break a 1024-bit prime. Breaking the single, most common
    1024-bit prime used by web servers would allow passive eavesdropping on
    connections to 18% of the Top 1 Million HTTPS domains. A second prime
    would allow passive decryption of connections to 66% of VPN servers and
    26% of SSH servers. A close reading of published NSA leaks shows that the
    agency's attacks on VPNs are consistent with having achieved such a break.

    The DH precomputation easily lends itself to custom ASIC design, and is
    something that pipelines easily. Using Bitcoin mining hardware as a rough
    comparison, this means a couple orders of magnitude speedup.

    Remember James Bamford's 2012 comment about the NSA's cryptanalytic
    capabilities:

    According to another top official also involved with the program, the NSA
    made an enormous breakthrough several years ago in its ability to
    cryptanalyze, or break, unfathomably complex encryption systems employed
    by not only governments around the world but also many average computer
    users in the US. The upshot, according to this official: "Everybody's a
    target; everybody with communication is a target." [...]

    The breakthrough was enormous, says the former official, and soon
    afterward the agency pulled the shade down tight on the project, even
    within the intelligence community and Congress. "Only the chairman and
    vice chairman and the two staff directors of each intelligence committee
    were told about it," he says. The reason? "They were thinking that this
    computing breakthrough was going to give them the ability to crack current
    public encryption."

    And remember Director of National Intelligence James Clapper's introduction
    to the 2013 "Black Budget":

    Also, we are investing in groundbreaking cryptanalytic capabilities to
    defeat adversarial cryptography and exploit Internet traffic.

    It's a reasonable guess that this is what both Bamford's source and Clapper
    are talking about. It's an attack that requires a lot of precomputation --
    just the sort of thing a national intelligence agency would go for.

    But that requirement also speaks to its limitations. The NSA isn't going to
    put this capability at collection points like Room 641A at AT&T's San
    Francisco office: the precomputation table is too big, and the sensitivity
    of the capability is too high. More likely, an analyst identifies a target
    through some other means, and then looks for data by that target in
    databases like XKEYSCORE. Then he sends whatever ciphertext he finds to the
    Cryptanalysis and Exploitation Services (CES) group, which decrypts it if it
    can using this and other techniques.

    Ross Anderson wrote about this earlier this month, almost certainly quoting
    Snowden:

    As for crypto capabilities, a lot of stuff is decrypted automatically on
    ingest (e.g. using a "stolen cert", presumably a private key obtained
    through hacking). Else the analyst sends the ciphertext to CES and they
    either decrypt it or say they can't.

    The analysts are instructed not to think about how this all works. This
    quote also applied to NSA employees:

    Strict guidelines were laid down at the GCHQ complex in Cheltenham,
    Gloucestershire, on how to discuss projects relating to
    decryption. Analysts were instructed: "Do not ask about or speculate on
    sources or methods underpinning Bullrun."

    I remember the same instructions in documents I saw about the NSA's CES.

    Again, the NSA has put surveillance ahead of security. It never bothered to
    tell us that many of the "secure" encryption systems we were using were not
    secure. And we don't know what other national intelligence agencies
    independently discovered and used this attack.

    The good news is now that we know reusing prime numbers is a bad idea, we
    can stop doing it.

    https://weakdh.org/
    https://weakdh.org/imperfect-forward-secrecy.pdf
    [MORE URLs...]
    Good explanation of the attack by Matthew Green:
    http://blog.cryptographyengineering.com/2015/05/attack-of-week-logjam.html
    or http://tinyurl.com/kyvxhho
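    To make the "same prime everywhere" point concrete, here is an added toy in
    Python (not code from the post or from the weakdh.org researchers): baby-step
    giant-step on a constructed 31-bit prime plays the role that the number field
    sieve's prime-only first stage plays in the real attack, so the one-off cost
    and the per-connection cost can be timed side by side. Assumptions: p = 2^31 - 1,
    g = 7, Python 3.8 or newer.

```python
"""Toy of the Logjam precomputation argument.

Added example for this digest item; it is not code from the RISKS post or from
the weakdh.org researchers. The real attack runs the number field sieve against
512-bit primes; here baby-step giant-step on a constructed 31-bit prime plays
the same structural role: an expensive stage that depends only on the prime,
after which every individual exchange over that prime falls to a few table
lookups. Needs Python 3.8+ (pow with a negative exponent).
"""
import math
import secrets
import time

# Constructed toy group: 2**31 - 1 is a Mersenne prime and 7 is a primitive
# root of it. Nothing here is a real TLS parameter.
P = 2**31 - 1
G = 7


def precompute(p: int, g: int):
    """Per-prime stage: baby steps g^j for 0 <= j < m, stored once.

    m*m exceeds p-2, so any exponent x in [0, p-2] splits as x = i*m + j
    with 0 <= i, j < m. Cost is O(sqrt(p)) time and memory, paid once per p.
    """
    m = math.isqrt(p) + 1
    table = {}
    cur = 1
    for j in range(m):
        table.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(g, -m, p)  # g^(-m); multiplying by it is one giant step
    return m, table, giant


def discrete_log(p: int, target: int, precomp) -> int:
    """Per-connection stage: some x with g^x == target, via the stored table."""
    m, table, giant = precomp
    gamma = target % p
    for i in range(m):
        j = table.get(gamma)
        if j is not None:
            return i * m + j
        gamma = gamma * giant % p
    raise ValueError("target is not a power of g")


def dh_exchange(p: int, g: int):
    """An honest exchange with fresh secrets: returns (A, B, shared_secret)."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    A, B = pow(g, a, p), pow(g, b, p)
    return A, B, pow(B, a, p)


def passive_break(p: int, A: int, B: int, precomp) -> int:
    """What a passive observer of (A, B) recovers once the table exists."""
    a = discrete_log(p, A, precomp)  # any a' with g^a' == A yields the secret
    return pow(B, a, p)


def demo(n_connections: int = 20):
    """Time the one-off stage against the per-connection breaks."""
    t0 = time.perf_counter()
    precomp = precompute(P, G)
    t_pre = time.perf_counter() - t0

    broken = 0
    t0 = time.perf_counter()
    for _ in range(n_connections):
        A, B, shared = dh_exchange(P, G)
        if passive_break(P, A, B, precomp) == shared:
            broken += 1
    t_each = (time.perf_counter() - t0) / n_connections
    return {"precompute_s": t_pre, "per_connection_s": t_each,
            "broken": broken, "of": n_connections}


if __name__ == "__main__":
    r = demo()
    print(f"table built once in {r['precompute_s']:.3f}s; then "
          f"{r['broken']}/{r['of']} exchanges broken at "
          f"{r['per_connection_s'] * 1000:.2f} ms each")
```

    The defensive reading is the one Schneier ends with: a group shared by
    millions of servers makes that one-time cost worth paying, so generate your
    own parameters (for example with `openssl dhparam 2048`) and refuse export
    suites.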

    ------------------------------

    Date: Thu, 11 Jun 2015 13:23:06 -0600
    From: Kurt Seifried <ku...@seifried.org>
    Subject: Re: Man dies in Corvette after battery cable becomes loose
    (Thorson, RISKS-28.68)

    This is why I keep a cheap $5 car window smasher/seatbelt cutting tool in
    my glove box. That way even if all the doors are physically jammed somehow
    (and the windows aren't broken?!?) I can still get out.

    ------------------------------

    Date: Fri, 12 Jun 2015 10:32:53 -0500
    From: "Alister Wm Macintyre \(Wow\)" <macwh...@wowway.com>
    Subject: Re: Japanese pension organization phished, 1.25M people's data
    leaked (ishikawa, RISKS-28.66)

    I have to wonder how much we should educate the general public AND the
    SYSTEM INTEGRATORS who hire new graduates without much experience in
    security matters.

    This year, I retired from a 50+ year career in IT, which included system
    integration, programming, network operations, forensic analysis, and much
    more.

    Before I had any job in IT, I attended classes in multiple topics I
    considered relevant to this career, and over the years I have gone back for
    additional training as business needs, software sophistication, and
    applications new to me have evolved. But I have noted that many of my peers
    skip this entirely. There are various IT certifications available, but very
    few employers seem interested in factoring them into their hiring process.

    When I was first hired in IT, in the 1960s, computer security topics were
    considered advanced, and denied to relatively entry level workers such as
    myself. In the 1970s and 1980s, I attended conferences of IT workers
    involved in the same kind of computer systems, hardware and software, which
    I had been working in. I managed to get into classes for security topics,
    and made multiple realizations.

    The work which I had been doing should have been preceded by computer
    security education, because a lot of what I had been creating and managing
    was vulnerable to all sorts of security risks. Furthermore, the educational
    establishment which taught me various programming languages and related
    topics had been omitting this security awareness, not just for me, but for
    tens of thousands of my peers. I went and asked the teachers of entry level
    IT skills what training they had had in computer security issues as they
    apply to the systems we design, and learned that none of the ones I spoke
    with had any such training or awareness.

    I would like to see surveys of contemporary computer educators, and of the
    people who hire them: do they believe that security issues play any role in
    the training of entry level IT workers, and have they themselves received
    any formal education in such topics?

    The next time one of my employers put me into the design of a major package,
    I requested that, between the design stage and initial programming, we have
    the company auditors review the design, to see if they needed any additional
    audit trails or checks and balances. Request denied.

    There is a chain of command in any organization. If the top executives of
    an organization are security illiterates, then their beliefs can be used to
    over-rule what employees with specialized training believe is prudent.

    I believe that an organization's links to Internet services, such as e-mail,
    should never be on the same computer system, PC WAN, NC, Server, whatever,
    as one which accesses, or processes confidential data. Some operations need
    to be stand-alone. The computer engaged in e-banking should do that and
    nothing else. I realize that top executives want everything connected to
    everything, because convenience is more important than security, in their
    eyes. So long as that is the rule, there will be little funding to figure
    out practical alternatives.

    A related issue -- some government agencies mandate that confidential
    information be transmitted to them by means which some of us consider to be
    somewhat insecure.

    Security awareness training needs to be for everyone. We had an incident at
    one employer which illustrates the need for this. Our manager of Quality
    Assurance picked up something on the Internet which he thought was really
    cool, and got it onto the PC supplied to him by the company, without asking
    anyone's approval. It turned out that it supplied serious malware. At the
    time, I managed ERP systems, and another guy handled PC support. He was not
    able to fix the QC manager's PC in one day, had other duties, and needed to
    research some topics related to fixing it, so he put a note on the door to
    the QC manager's office, requesting that everyone stay off this PC until he
    was done with his repairs, and he also went around to every staffer's office
    to verbally repeat the request.

    Well, each employee's personal job requirements take precedence, in their
    eyes, over other people's requests, except those of some bosses. The lady
    who does HR had a problem with her printer. So she transferred some data and
    software to a diskette, and walked around the office, trying out other
    people's PC printers, until she could get one to do what she needed.

    In this way, the malware traveled from the QC manager's PC to that of the
    lady who does payroll, a couple of other important locations, and of course
    her own PC. The company had not supplied PC printers with all the same
    features to all our workers. Other people needed special functions, so were
    doing things similar to what the HR lady had been doing. The guy whose job
    it was to fix PCs infected with malware could not keep up, but could not get
    any top management support until a top executive's PC joined the infected
    collection.

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 28.69
    ************************

  13. LakeGator

    Risks Digest 28.70

    RISKS List Owner

    Jun 16, 2015 6:52 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 16 June 2015 Volume 28 : Issue 70

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.70.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Armenia loses Internet access (PGN)
    Encryption "would not have helped" at OPM, says DHS official (Ars)
    Report: Russia, China Crack Snowden Docs (Daily Beast via LW)
    LastPass hacked -- here's what to do now (ComputerWorld via LW)
    Sex, lies and debt potentially exposed by OPM data hack -- and more
    (Arshad Mohammed and Joseph Menn plus Conor Friedersdorf via Henry Baker)
    St. Louis Cardinals Investigated by FBI for Hacking Astros
    (Michael S. Schmidt via Gabe Goldberg)
    "Be paranoid: 10 terrifying extreme hacks" (Roger A. Grimes)
    Re: Chris Roberts and Avionics Security (Rogier Wolff)
    Re: Corvette battery cable (Dimitri Maziuk)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 15 Jun 2015 19:01:20 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Armenia loses Internet access

    [Thanks to Paul Saffo. PGN]

    A 75-yr old woman digging for scrap metal cut into a fiber cable and cut off
    Internet access for all of Armenia!

    http://www.theguardian.com/world/2011/apr/06/georgian-woman-cuts-web-access

    [Perhaps she will get Armenial Servertude?]

    ------------------------------

    Date: Tue, 16 Jun 2015 12:59:18 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Encryption "would not have helped" at OPM, says DHS official (Ars)

    Ars Technica via NNSquad
    http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/

    But even if the systems had been encrypted, it would have likely not
    mattered. Department of Homeland Security Assistant Secretary for
    Cybersecurity Dr. Andy Ozment testified that encryption would "not have
    helped in this case" because the attackers had gained valid user
    credentials to the systems that they attacked--likely through social
    engineering. And because of the lack of multifactor authentication on
    these systems, the attackers would have been able to use those credentials
    at will to access systems from within and potentially even from outside
    the network.

    NO 2-FACTOR CREDENTIALS. Pretty much criminal negligence at this point.

    ------------------------------

    Date: Sat, 13 Jun 2015 21:38:48 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Report: Russia, China Crack Snowden Docs

    The Daily Beast via NNSquad
    http://www.thedailybeast.com/cheats/2015/06/13/russia-china-got-snowden-files.html

    Russia and China have allegedly decrypted the top-secret cache of files
    stolen by whistleblower Edward Snowden, according to a report from The
    Sunday Times, to be published tomorrow. The info has compelled British
    intelligence agency MI6 to withdraw some of its agents from active
    operations and other Western intelligence agencies are now actively
    involved in rescue operations.

    - - -

    If this report is true, it seems safe to assume that Snowden has likely lost
    any chance he ever had of asylum or any other "minimum incarceration" return
    to the West.

    ------------------------------

    Date: Mon, 15 Jun 2015 15:53:06 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: LastPass hacked -- here's what to do now

    ComputerWorld via NNSquad
    http://www.computerworld.com/article/2936144/cloud-computing/lastpass-hacked-itbwcw.html?shr=t

    LastPass, the cloud-based password manager, has been hacked. If you use
    LastPass, it's probably time for a precautionary master-password
    change. It might also be a good idea to check out the other options for
    securing your account.

    I don't use cloud-based password services. Now you know why.

    ------------------------------

    Date: Mon, 15 Jun 2015 15:59:26 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Sex, lies and debt potentially exposed by OPM data hack

    FYI -- I'm very sorry about this OPM data breach, because some members of my
    family may also be victims, but perhaps some of these very same government
    officials may now "get religion" re privacy issues.

    Either keep such information secure -- using strong non-backdoorable
    encryption -- or don't keep it at all. These 2 articles talk about the
    risks & costs of *keeping* such information.

    By Arshad Mohammed and Joseph Menn
    Sex, lies and debt potentially exposed by U.S. data hack
    https://ca.news.yahoo.com/sex-lies-debt-potentially-exposed-u-data-hack-054657057.html

    WASHINGTON (Reuters) -- When a retired 51-year-old military man disclosed in
    a U.S. security clearance application that he had a 20-year affair with his
    former college roommate's wife, it was supposed to remain a secret between
    him and the government.

    The disclosure last week that hackers had penetrated a database containing
    such intimate and possibly damaging facts about millions of government and
    private employees has shaken Washington.

    The hacking of the White House Office of Personnel Management (OPM) could
    provide a treasure trove for foreign spies.

    The military man's affair, divulged when he got a job with a defense
    contractor and applied to upgrade his clearance, is just one example of the
    extensive potential for disruption, embarrassment and even blackmail arising
    from the hacking.

    The man had kept the affair secret from his wife for two decades before
    disclosing it on the government's innocuously named Standard Form 86 (SF
    86), filled out by millions of Americans seeking security clearances.

    His case is described in a judge's ruling, published on the Pentagon
    website, that he should keep his security clearance because he told the
    government about the affair. His name is not given in the administrative
    judge's decision.

    The disclosure that OPM's data had been hacked sent shivers down the spines
    of current and former U.S. government officials as they realized their
    secrets about sex, drugs and money could be in the hands of a foreign
    government.

    The data that may be compromised by the incident, which was first reported
    by the Associated Press, included the detailed personal information on the
    SF 86 "QUESTIONNAIRE FOR NATIONAL SECURITY POSITIONS," according to
    U.S. officials.

    U.S. SUSPECTS LINK TO CHINA

    As with another cyberattack on OPM disclosed earlier this month,
    U.S. officials suspect it was linked to China, though they have less
    confidence about the origins of the second attack than about the first.

    China denies any involvement in hacking U.S. databases.

    While the Central Intelligence Agency does its own clearance investigations,
    agencies such as the State Department, Defense Department and National
    Security Agency, which eavesdrops on the world, all use OPM's services to
    some degree.

    It was not immediately clear how many Americans' information may have been
    compromised, nor precisely how many fill out form SF 86. As of Oct. 1,
    there were 4.51 million people cleared or eligible to receive national
    security information, according to a report by the Office of the Director of
    National Intelligence.

    Intelligence veterans said the breach may prove disastrous because China
    could use it to find relatives of U.S. officials abroad as well as evidence
    of love affairs or drug use which could be used to blackmail or influence
    U.S. officials.

    An even worse scenario would be the mass unmasking of covert operatives in
    the field, they said.

    "The potential loss here is truly staggering and, by the way, these records
    are a legitimate foreign intelligence target," said retired Gen. Michael
    Hayden, a former CIA and NSA director. "This isn't shame on China. This is
    shame on us."

    The SF 86 form, which is 127-pages long, is extraordinarily comprehensive
    and intrusive.

    Among other things, applicants must list where they have lived; contacts
    with foreign citizens and travel abroad; the names and personal details of
    relatives; illegal drug use and mental health counseling except in limited
    circumstances.

    A review of appeals of security denials published on the web shows the
    variety of information now in possession of the hackers, including financial
    troubles, infidelities, psychiatric diagnoses, substance abuse, health
    issues and arrests.

    "It's kind of scary that somebody could know that much about us," said a
    former senior U.S. diplomat, pointing out the ability to use such data to
    impersonate an American official online, obtain passwords and plunder bank
    accounts.

    SOME AGENCIES LESS VULNERABLE

    A U.S. official familiar with security procedures, but who declined to be
    identified, said some agencies do not use OPM for clearances, meaning their
    employees' data was at first glance less likely to have been compromised.

    However, the former senior diplomat said someone with access to a complete
    set of SF 86 forms and to the names of officials at U.S. embassies, which
    are usually public, could compare the two and make educated guesses about
    who might be a spy.

    "Negative information is an indicator just as much as a positive
    information," said the former diplomat.

    The case of the 51-year-old former military man who told the government, but
    not his wife, about his 20-year affair came to light when he filed an appeal
    because his effort to upgrade his security clearance ran into trouble.

    According to a May 13 decision by an administrative judge who heard his
    case, the man revealed the affair in the "Additional Comments" section of SF
    86 in January 2012, ended the affair in 2013, and told his wife about it in
    2014.

    "DOD (Department of Defense) is aware of the affair because Applicant
    disclosed it on his SF 86; the affair is over; and the key people in
    Applicant's life are aware of it," the judge wrote, according to a Defense
    Office of Hearings and Appeals document posted online.

    His access to classified information was approved.

    (Reporting by Arshad Mohammed in Washington and Joseph Menn in San Francisco; Additional reporting by Mark Hosenball; Editing by David Storey, Sue Horton and Alan Crosby)

    - - - -

    Conor Friedersdorf, *The Atlantic*, Jun 2015
    Adjusting to a World Where No Data Is Secure
    If government and corporations cannot safeguard their digital files, then they should regularly purge sensitive information.
    http://www.theatlantic.com/politics...-government-or-corporations-is-secure/395810/

    Imagine a piece of information that would be useful to store digitally if it
    could be kept secure, but that would do more harm than good if it ever fell
    into the wrong hands. With Friday's news that ``hackers have breached a
    database containing a wealth of sensitive information from federal
    employees' security background checks,'' just that sort of fraught
    information has arguably been exposed to hackers.

    One of the documents that they got, the Questionnaire for National Security
    Positions, asked federal workers and contractors seeking security clearances
    ``to disclose everything from mental illnesses, financial interests, and
    bankruptcy issues to any brush with the law, major and minor drug and
    alcohol use as well as a robust listing of an applicant's family members,
    associates, or former roommates,'' my colleague Adam Chandler explains.
    ``At the bottom of each page, a potential employee must submit his or her
    social security number. Given the length, that means if you're filling out
    this document, you will write your SSN over 115 times.''

    That trove of information was useful to the national security bureaucracy in
    its efforts to stop espionage, monitor potential blackmail, and otherwise
    police its employees.

    Yet it now seems like the U.S. would have been better off reviewing
    information about cleared employees on intake and then destroying it, rather
    than retaining the records. ``These forms contain decades of personal
    information about people with clearances,'' Joel Brenner, a former
    high-ranking intelligence official told the Washington Post, ``which makes
    them easier to recruit for espionage on behalf of a foreign country.''

    In hindsight, retaining the documents betrayed a degree of hubris: National
    security officials had excessive confidence in their ability to keep these
    secrets from falling into the hands of malicious actors, so they risked
    storing them indefinitely.

    What else falls in this `better to destroy than to have stolen' category?

    After Chelsea Manning, Edward Snowden, and numerous successful hacks of
    various federal databases, perhaps the government should perform an audit
    and a purge on the theory that it won't ever be competent enough to reliably
    safeguard information.

    Isn't there good reason to surmise that is true?

    Perhaps the privacy activists who want to pass data retention laws forcing
    private corporations to purge the data that they hold at periodic intervals
    also have a point. Would it be a national security threat if the Google
    search histories and iPhone location data of all members of Congress,
    U.S. military personnel, and American CEOs fell into the hands of Vladimir
    Putin or China's government? If so, perhaps it makes more sense to prohibit
    retaining such information for longer than two years, even though the
    precision of Internet ads might suffer as a result.

    National security officials and Google leaders have institutional and
    psychological incentives to assert and believe that if they're just careful
    enough going forward, they can safeguard the information that they hold.
    And we have an incentive to believe them. Wouldn't it be great if our
    government and corporations that make cool products for us could exploit the
    benefits of unlimited data retention without any costs?

    But I no longer believe that they can. If you disagree, what sort of leak
    or hack or data breach would it take to persuade you otherwise? I expect
    you'll see it sooner, rather than later.

    ------------------------------

    Date: Tue, 16 Jun 2015 17:53:24 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: St. Louis Cardinals Investigated by FBI for Hacking Astros
    (Michael S. Schmidt)

    Michael S. Schmidt, *The New York Times*, 16 Jun 2015

    The FBI and Justice Department prosecutors are investigating front-office
    officials for the St. Louis Cardinals, one of the most successful teams in
    baseball over the past two decades, for hacking into the internal networks
    of a rival team to steal closely guarded information about player personnel.

    Investigators have uncovered evidence that Cardinals officials broke into a
    network of the Houston Astros that housed special databases the team had
    built, according to law enforcement officials. Internal discussions about
    trades, proprietary statistics and scouting reports were compromised, the
    officials said.

    The officials did not say which employees were the focus of the
    investigation or whether the team's highest-ranking officials were aware of
    the hacking or authorized it. The investigation is being led by the FBI's
    Houston field office and has progressed to the point that subpoenas have
    been served on the Cardinals and Major League Baseball for electronic
    correspondence.

    The attack represents the first known case of corporate espionage in which a
    professional sports team has hacked the network of another team. Illegal
    intrusions into companies' networks have become commonplace, but it is
    generally conducted by hackers operating in foreign countries, like Russia
    and China, who steal large tranches of data or trade secrets for military
    equipment and electronics.

    Major League Baseball has been aware of and has fully cooperated with the
    federal investigation into the illegal breach of the Astros' baseball
    operations database, a spokesman for baseball's commissioner, Rob Manfred,
    said in a written statement.

    http://www.nytimes.com/2015/06/17/sports/baseball/st-louis-cardinals-hack-astros-fbi.html

    [Also noted by Jim Reisert. PGN]

    ------------------------------

    Date: Tue, 16 Jun 2015 12:14:36 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Be paranoid: 10 terrifying extreme hacks" (Roger A. Grimes)

    Roger A. Grimes, InfoWorld, 15 Jun 2015
    Nothing is safe, thanks to the select few hacks that push the limits
    of what we thought possible
    http://www.infoworld.com/article/2933868/hacking/10-extreme-hacks-to-be-truly-paranoid-about.html

    ------------------------------

    Date: Tue, 16 Jun 2015 09:54:09 +0200
    From: Rogier Wolff <wo...@bitwizard.nl>
    Subject: Re: Chris Roberts and Avionics Security (Schneier, RISKS-28.69)

    > The real issue is that the avionics and the entertainment system are
    > on the same network. That's an even stupider thing to do. Also last
    > month, I wrote about the risks of hacking airplanes, and said that I
    > wasn't all that worried about it. Now I'm more worried.

    Are they?

    With Boeing saying that "it is impossible" (at least at first), I suspect
    that they have taken measures to prevent exactly what Roberts claims to have
    accomplished.

    Let's take a step back.

    Think of a Boeing aviation electronics engineer. Turns out that
    ethernet-connectivity on the plane is becoming more and more common. So
    instead of having a separate wire running from each of the sensors in the
    tail to the cockpit, there now is an ethernet link carrying information from
    many different sensors along the plane. Before you know it, also the
    engines have ethernet connectivity and can be commanded over their ethernet
    connection.

    So, one day he's sitting in his office and a guy from the cabin-electronics
    group walks in and says: "We have a plan for a new in-cabin-entertainment
    system. We need ethernet connectivity and hear you already have an ethernet
    link running along the plane, can we use that?"

    Multiple choice time (*): He answers: A) Sure! B) Sure, as long as you
    promise not to use more than 50% of the bandwidth, C) WTF are you thinking?

    I have enough confidence in Boeing that they got this one right.

    A few months later, the cabin-electronics guy walks into the aviation
    electronics office again, and asks: "We get questions from the passengers if
    they can get technical information about the flight on their infotainment
    screen. Stuff like airspeed and altitude. We'd be no trouble at all, we can
    gather this information from your flight-computer ourselves." MC time
    again... He suggests: A) Let's buy a hub: cheap, light, no hassle, great! B)
    We need to buy a switch, otherwise traffic from the autopilot to the engines
    will leak onto the entertainment network. C) We need a firewall.

    I still have enough confidence in Boeing that they got this right. But from
    the claims from the FBI and Chris, I strongly suspect that from this point
    on some mistakes were made. Somehow the "firewall" function got integrated
    into a computer "already there" or the firewall was expanded to have
    multiple functions, allowing someone to, e.g., gain access by finding a
    vulnerability in a web script, and then continue to hack on "the other
    side".

    My opinion is that if you continue to threaten to throw guys like Chris in
    jail, the next time you'll find out about these bugs/design problems is when
    a plane is crashed by a teenager who accidentally deletes the engine
    calibration data or something like that.

    But "allowing" hacking on live planes is troublesome too. Difficult issue.

    (*) In many multiple choice tests, the correct answer is often the
    longest. In case you haven't noticed: not here.

    R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2600998
    Delftechpark 26 2628 XH Delft, The Netherlands. KVK: 27239233

    ------------------------------

    Date: Tue, 16 Jun 2015 11:55:17 -0500
    From: Dimitri Maziuk <dma...@bmrb.wisc.edu>
    Subject: Re: Corvette battery cable (RISKS-28.68,69)

    [I don't remember this when I saw the original article. I only thought of
    it now.]

    Some twenty or so years ago in Australia I heard a story about "back when
    electric windows were new". Apparently somebody's fuse blew, killing both the
    air-conditioner and (closed tight of course) electric windows. In the 40+C
    heat in the middle of nowhere. So the poor guy drove 300 km to the first gas
    station where the owner/mechanic told them "this is an electrical problem,
    I'm not a licensed electrician, the nearest vehicle electrician is 400 km
    that way".

    (That's 105+ degrees and 190 & 250 miles resp. in the "standard" units.)

    The more things change...

    Dimitri Maziuk, BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu

    ------------------------------

    End of RISKS-FORUM Digest 28.70
    ************************

  14. LakeGator

    Risks Digest 28.71

    RISKS List Owner

    Jun 20, 2015 4:58 AM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 20 June 2015 Volume 28 : Issue 71

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.71.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Major League Baseball cancels 60 million all-star votes (PGN)
    L.A. plans potentially disastrous switch to "electronic" voting (Ars)
    No ticket with a long name (Debora Weber-Wulff)
    UN: Encryption a Fundamental Right (Eric Burger)
    Samsung Keyboard Security Risk - 600M+ devices affected (NowSecure)
    Payments to RBS customers missing (Richard I Cook)
    Shooting over cellphone: case is 'extreme', say police (CBC News)
    Heinz says sorry for ketchup QR code that links to porn site (Appy-geek)
    Zero-day exploit lets App Store malware steal OS X and iOS passwords
    (Glenn Fleishman)
    Don't pay your bills all at once (paul wallich)
    Officials say security lapses left OMB system open to hackers (PGN)
    Re: Report: Russia, China Crack Snowden Docs (William Brodie-Tyrrell)
    Liars trust cheaters, Re: sex, lies, debt exposed by OPM (Mark E. Smith)
    OPM: Gone Phishing: Shoot the Wounded (Lisa Rein via Henry Baker)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 20 Jun 2015 02:27:50 -0400
    From: Peter G Neumann
    Subject: Major League Baseball cancels 60 million all-star votes

    We've long been suggesting in RISKS that Internet Voting was an inherently
    BAD IDEA. Now the folks who run the so-called American Pastime at the
    top professional level may have decided that Internet Voting is really the
    American PastTime, although many of us think it is not past time -- it is
    NOT READY for prime time, and perhaps never will be, for elections of any
    real importance.

    http://bleacherreport.com/articles/...on-all-star-votes-for-fear-of-improper-voting

    By the way, apologies for letting "Armenia loses Internet access" slip
    through in the previous issue. That item from 2011 was really past time.

    ------------------------------

    Date: Sat, 13 Jun 2015 08:33:46 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: L.A. plans potentially disastrous switch to "electronic" voting

    L.A. plans potentially disastrous switch to "electronic" voting
    Ars Technica
    http://arstechnica.com/tech-policy/...ounty-moves-to-open-source-voting-technology/

    The county is also considering a number of customizable options to bolster
    voter turnout, which has suffered in recent years. Along with the new
    system, it plans to introduce a "poll pass," which allows users to
    pre-mark their votes using their phone, tablet, or desktop and scan them
    with a QR code at their polling place. Logan said the new system is
    designed to let users vote anywhere in the county, rather than at a
    designated polling station. He hopes to broaden the 7:00am to 8:00pm
    voting window to a multi-day "voting period," during which a limited
    number of stations would be open prior to the election. There's even talk
    of an electronic equivalent to absentee voting--if and when the law
    permits.

    Open source is not a panacea. So much here and planned that could go so very
    wrong. They never learn. Note the part about "electronic" absentee
    voting. Given how large the absentee voter population is in L.A., this
    almost certainly means the disaster of Internet voting.

    ------------------------------

    Date: Fri, 19 Jun 2015 17:22:53 +0200
    From: Prof. Dr. Debora Weber-Wulff <web...@htw-berlin.de>
    Subject: No ticket with a long name

    The Swiss newspaper "20 Minuten" (20 minutes) reports that a Swiss woman of
    Portuguese descent tried to purchase airline tickets online with the portal
    Edreams.ch. She was informed a few days later that the tickets were
    rejected by the airline Swiss because her name of 32 characters was too long
    - Swiss only accept 28.
    http://www.20min.ch/schweiz/romandie/story/Name-zu-lang---Flugticket-storniert-20762253

    Portuguese and Spanish names are quite long, as there is one from the
    mother's side and one from the father's side traditionally. Swiss pointed
    out that it was Edreams' fault - they should have asked the customer how she
    wanted to abbreviate her name. In the meantime, she was able to buy tickets
    from another airline with no length restriction on names -- but at a higher
    price.

    HTW Berlin, Studiengang IMI,Treskowallee 8, 10313 Berlin +49-30-5019-2320
    web...@htw-berlin.de http://www.f4.htw-berlin.de/people/weberwu/

    ------------------------------

    Date: Jun 16, 2015 3:15 PM
    From: "Eric Burger" <ebu...@standardstrack.com>
    Subject: UN: Encryption a Fundamental Right

    [via Dave Farber]

    On Wednesday, Special Rapporteur on freedom of opinion and expression David
    Kaye will present his report on international legal protection for
    encryption and anonymity to the United Nations Human Rights Council. The
    report is an important contribution to the security conversation at a time
    when some Western leaders are calling for ill-informed and impossible
    loopholes in technology--a trend that facilitates surveillance and tends to
    enable states that openly seek to repress journalists.

    http://cpj.org/blog/2015/06/un-report-promotes-encryption-as-fundamental-and-p.php
    http://www.washingtonpost.com/blogs...dent-obama-is-getting-wrong-about-encryption/
    http://www.theguardian.com/commenti...tain-online-shopping-banking-messaging-terror
    http://cpj.org/blog/2015/01/classifying-media-and-encryption-as-a-threat-is-da.php
    http://cpj.org/blog/2015/04/when-it-comes-to-great-firewall-attacks-https-is-g.php
    http://www.ohchr.org/EN/Issues/FreedomOpinion/Pages/CallForSubmission.aspx

    ------------------------------

    Date: Tue, 16 Jun 2015 18:55:50 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Samsung Keyboard Security Risk - 600M+ devices affected

    NowSecure via NNSquad
    https://www.nowsecure.com/keyboard-vulnerability/

    Over 600 million Samsung mobile device users have been affected by a
    significant security risk on leading Samsung models, including the
    recently released Galaxy S6. The risk comes from a pre-installed keyboard
    that allows an attacker to remotely execute code as a privileged (system)
    user ... While Samsung began providing a patch to mobile network operators
    in early 2015, it is unknown if the carriers have provided the patch to
    the devices on their network. In addition, it is difficult to determine
    how many mobile device users remain vulnerable, given the device models
    and number of network operators globally.

    ------------------------------

    Date: Wed, 17 Jun 2015 14:44:01 +0200
    From: Richard I Cook MD <rico...@gmail.com>
    Subject: Payments to RBS customers missing

    About 600,000 payments expected by customers of the RBS group of banks
    have failed to enter accounts overnight, the bank has admitted. Payments
    including tax credits and disability living allowance are among the payments
    that have failed to be credited to accounts. [...] it had now identified
    and fixed the underlying problem. However, it is an embarrassment for the
    group which was fined 56M pounds by regulators after a 2012 software issue
    left millions of customers unable to access accounts. RBS, NatWest, and
    Ulster Bank customers were affected in June 2012 after problems with a
    software upgrade. RBS said it had invested hundreds of millions of pounds to
    improve its computer systems since then.

    http://www.bbc.com/news/business-33162855

    ------------------------------

    Date: Tue, 16 Jun 2015 23:27:33 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Shooting over cellphone: case is 'extreme', say police (CBC News)

    The shooting death of an 18-year-old man trying to retrieve his lost
    smartphone highlights the risks of using a mobile-tracking app, say police.

    Jeremy Cook, a native of Brampton, Ont., was gunned down at about 5:15
    a.m. ET on Sunday. London police found his body at the rear of a strip mall
    near Huron Street and Highbury Avenue in the city's north end. He had
    multiple gunshot wounds.

    Cook had left his smartphone in a taxi and traced it electronically to an
    address on Highbury Avenue.

    When he and a relative went to the address, he was confronted by three men
    in a car, Steeves told CBC News.

    http://www.cbc.ca/news/canada/toronto/shooting-over-cellphone-case-is-extreme-say-police-1.3115069

    ------------------------------

    Date: Fri, 19 Jun 2015 08:20:46 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Heinz says sorry for ketchup QR code that links to porn site

    Appy-geek via NNSquad
    http://www.appy-geek.com/Web/ArticleWeb.aspx?regionid=1&articleid=43584144&source=googleplus

    The QR code linked to a URL used for the "Spread the word with Heinz"
    competition between 2012 and 2014. Heinz allowed the domain name
    "sagsmithheinz.de" to lapse after the competition closed, which was
    subsequently purchased by a purveyor of German adult entertainment.

    The right way to have done this, of course, would have been to have the QR
    code point at some URL within the permanent Heinz domain and redirect to the
    promotion site. Then when the promotion ends you could change the redirect
    to something still sensible. But hey, that takes forethought.
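The redirect arrangement described above, as an added example (not code from the post or from Heinz): printed QR codes encode a path on a permanent domain, a redirect table with an end date decides where each campaign path lands, and an audit function rejects payloads that point anywhere else. `PERMANENT_HOST`, the campaign paths, targets and dates are constructed placeholders.

```python
"""Campaign redirector for printed QR codes.

The code on the packaging encodes a URL on the brand's permanent domain.
The redirect table below, not the printed code, decides where the visitor
lands, so a campaign-only domain can lapse without the code ever pointing
at whoever registers it next.
"""
from dataclasses import dataclass
from datetime import date
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

PERMANENT_HOST = "example.com"  # placeholder for the brand's permanent domain
FALLBACK_URL = f"https://{PERMANENT_HOST}/promotions/ended"


@dataclass(frozen=True)
class Campaign:
    target: str  # where the promotion lives while it runs (may be a vendor's host)
    ends: date   # last day on which the redirect to `target` is served


# Constructed sample table; paths, targets and dates are not Heinz's.
CAMPAIGNS = {
    "/qr/spread-the-word": Campaign("https://promo-vendor.example/spread", date(2014, 12, 31)),
    "/qr/summer-grill": Campaign("https://grill.example/landing", date(2015, 9, 30)),
}


def resolve(path: str, today: date) -> str:
    """Return the Location header for a QR path on the permanent domain.

    Unknown paths and campaigns past their end date go to FALLBACK_URL, so a
    printed code always lands on a page the brand still controls.
    """
    campaign = CAMPAIGNS.get(path)
    if campaign is None or today > campaign.ends:
        return FALLBACK_URL
    return campaign.target


def qr_payload_is_safe(payload: str) -> bool:
    """True if a QR payload is an https URL on the permanent host or a subdomain of it.

    Codes that point straight at a campaign or vendor domain fail the check,
    because that domain may lapse and be re-registered by anyone.
    """
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (
        host == PERMANENT_HOST or host.endswith("." + PERMANENT_HOST)
    )


def audit_payloads(payloads):
    """Return the payloads that must not go to print."""
    return [p for p in payloads if not qr_payload_is_safe(p)]


class RedirectHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end for the table above: 302 to the resolved target."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", resolve(urlsplit(self.path).path, date.today()))
        self.end_headers()


if __name__ == "__main__":
    # Constructed payloads: the first is safe, the second dies with the campaign domain.
    print(audit_payloads([
        f"https://{PERMANENT_HOST}/qr/spread-the-word",
        "http://promo-vendor.example/spread",
    ]))
    HTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```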

    ------------------------------

    Date: Thu, 18 Jun 2015 12:16:35 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Zero-day exploit lets App Store malware steal OS X and iOS passwords
    (Glenn Fleishman)

    Glenn Fleishman, Macworld, 18 Jun 2015
    Researchers discover an exploit that lets OS X and iOS malware in the
    App Store steal passwords and app data, as well as hijack session tokens
    http://www.infoworld.com/article/29...ore-malware-steal-os-x-and-ios-passwords.html

    ------------------------------

    Date: Thu, 18 Jun 2015 11:47:35 -0400
    From: paul wallich <p...@panix.com>
    Subject: Don't pay your bills all at once

    Early this morning my spouse texted me from the airport to let me know that
    our credit card had been declined just as she was leaving for a trip. Turns
    out there was "suspicious activity" on the card last night, and the
    fraud-control folks had put a hold on it. The suspicious transactions: one
    small purchase from an online retailer we use often, and three $100-plus
    payments over the course of 30 minutes to what turned out to be the local
    cable company, electric company and a mobile phone provider.

    In other words, my spouse had been financially diligent and made sure all
    our current bills were paid before leaving town.

    This is by no means intended to ridicule the credit-card company and its
    fraud-detection algorithms. The transactions (except, perhaps for the
    payees) do fit the common fraud pattern of one small test purchase and then
    a bunch of big-ticket ones. And it took less than 10 minutes on the phone to
    clear the problem up. But. It did make me think about how vulnerable our
    current payment infrastructure is, and about the reversal of roles that has
    occurred. Compromised accounts have become so common that, instead of
    fraudsters trying to avoid detection, it's the job of legitimate customers
    to figure out how not to be mistaken for crooks.
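The "one small test purchase, then a run of big-ticket payments" pattern the post describes, written out as a detection rule (an added example, not the poster's or any issuer's code) together with the mitigation that separates the two cases on the page: payments to payees the account has paid repeatedly before do not count toward the hold. The thresholds, the two-hour probe window and all transactions are constructed assumptions.

```python
"""Card-testing heuristic with a payee-history allowlist.

Naive rule: a small probe purchase followed within PROBE_WINDOW by MIN_LARGE or
more payments of LARGE_MIN or above triggers a hold. Mitigation: payees already
seen repeatedly in this account's own history are not counted.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

SMALL_MAX = 25.00                   # a "test" purchase is at most this much (assumed)
LARGE_MIN = 100.00                  # a "big-ticket" payment is at least this much (assumed)
PROBE_WINDOW = timedelta(hours=2)   # big payments must follow the probe within this (assumed)
MIN_LARGE = 3                       # this many unfamiliar big payments trips the hold (assumed)


@dataclass(frozen=True)
class Txn:
    when: datetime
    amount: float
    payee: str


def trusted_payees(history, min_prior=2):
    """Payees seen at least `min_prior` times in the account's own history."""
    counts = Counter(t.payee for t in history)
    return frozenset(p for p, n in counts.items() if n >= min_prior)


def large_after_probe(txns, trusted=frozenset()):
    """Big-ticket payments that follow a small probe purchase within PROBE_WINDOW.

    Payees in `trusted` are skipped. The probe's own payee is deliberately not
    consulted: a test purchase at a merchant the cardholder uses often looks
    exactly like a legitimate one, so it carries no signal either way.
    """
    ordered = sorted(txns, key=lambda t: t.when)
    best = []
    for i, probe in enumerate(ordered):
        if probe.amount > SMALL_MAX:
            continue
        hits = [
            t for t in ordered[i + 1:]
            if t.when - probe.when <= PROBE_WINDOW
            and t.amount >= LARGE_MIN
            and t.payee not in trusted
        ]
        if len(hits) > len(best):
            best = hits
    return best


def should_hold(txns, trusted=frozenset()):
    """True if the card should be held pending a call to the customer."""
    return len(large_after_probe(txns, trusted)) >= MIN_LARGE


# Constructed sample data (not the poster's real statement).
HISTORY = [  # three prior months of bills paid with this card
    Txn(datetime(2015, m, 10, 19, 0), amt, payee)
    for m in (3, 4, 5)
    for amt, payee in ((109.95, "Local Cable Co"), (138.20, "Electric Co"), (98.40, "Mobile Carrier"))
]
BILL_NIGHT = [  # the evening described in the post: one small buy, three bills
    Txn(datetime(2015, 6, 17, 21, 5), 18.49, "Online Retailer"),
    Txn(datetime(2015, 6, 17, 21, 40), 112.30, "Local Cable Co"),
    Txn(datetime(2015, 6, 17, 21, 52), 145.00, "Electric Co"),
    Txn(datetime(2015, 6, 17, 22, 8), 104.75, "Mobile Carrier"),
]
CARD_TESTING = [  # same shape, but the money goes to merchants this account has never paid
    Txn(datetime(2015, 6, 17, 21, 5), 18.49, "Online Retailer"),
    Txn(datetime(2015, 6, 17, 21, 40), 112.30, "Gift Card Outlet"),
    Txn(datetime(2015, 6, 17, 21, 52), 145.00, "Electronics Reseller"),
    Txn(datetime(2015, 6, 17, 22, 8), 104.75, "Wire Service"),
]

if __name__ == "__main__":
    known = trusted_payees(HISTORY)
    print("bill night, naive rule:      ", should_hold(BILL_NIGHT))         # True: false positive
    print("bill night, payee history:   ", should_hold(BILL_NIGHT, known))  # False
    print("card testing, payee history: ", should_hold(CARD_TESTING, known))  # True
```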

    ------------------------------

    Date: Wed, 17 Jun 2015 9:16:51 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Officials say security lapses left OMB system open to hackers

    http://bigstory.ap.org/article/d81b...-say-security-lapses-left-system-open-hackers

    [The information was indeed very sensitive. WHY was it on the Web? PGN]

    ------------------------------

    Date: Wed, 17 Jun 2015 09:19:15 +0930
    From: William Brodie-Tyrrell <wil...@brodie-tyrrell.org>
    Subject: Re: Report: Russia, China Crack Snowden Docs (RISKS-28.70)

    There is also significant risk in "journalists" publishing the
    uncorroborated assertions of anonymous government officials who have a
    direct interest in smearing people:

    https://firstlook.org/theintercept/...iles-journalism-worst-also-filled-falsehoods/

    ------------------------------

    Date: Wed, 17 Jun 2015 09:03:54 +0800
    From: "Mark E. Smith" <mym...@gmail.com>
    Subject: Liars trust cheaters

    Re: Sex, lies and debt potentially exposed by OPM data hack

    Had the retired officer disclosed to the government that he'd been cheating
    on his taxes rather than cheating on his wife for twenty years (but later
    paid up), would he have still gotten his security clearance?

    ------------------------------

    Date: Thu, 18 Jun 2015 14:21:26 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: OPM: Gone Phishing: Shoot the Wounded

    FYI -- OPM sent 750k e-mails to notify Fed employees & asked that *they
    click on a link* to sign up for credit monitoring and other protections.
    Isn't that how we got here in the first place?

    [Of course, whoever stole the OPM data just did a facepalm and is now
    thinking: "why didn't I think of that?"]

    Lisa Rein, *WashPost*, 18 June 2015
    Reacting to Chinese hack, the government may not have followed its own
    cybersecurity rules
    http://www.washingtonpost.com/blogs...ot-have-followed-its-own-cybersecurity-rules/

    In responding to China's massive hack of federal personnel data, the
    government may have run afoul of computer security again.

    Over the last nine days, the Office of Personnel Management has sent e-mail
    notices to hundreds of thousands of federal employees to notify them of the
    breach and recommend that they click on a link to a private contractor's Web
    site to sign up for credit monitoring and other protections.

    But those e-mails have been met with increasing alarm by employees -- along
    with retirees and former employees with personal data at risk -- who worry
    that the communications may be a form of spear phishing used by adversaries
    to penetrate sensitive government computer systems.

    After the Defense Department raised a red flag about the e-mails its 750,000
    civilian employees were starting to receive, OPM officials said late
    Wednesday that the government had suspended its electronic notifications
    this week.

    ``We've seen such distrust and concerns about phishing,'' OPM spokesman Sam
    Schumach acknowledged, describing the feedback from many of the 4.2 million
    current and former employees who are being notified that personnel files
    containing their Social Security numbers, addresses and other personal
    information may have been stolen.

    Computer experts said the personnel agency -- already under fire from
    lawmakers from both parties for failing to protect sensitive databases from
    hackers -- could be putting federal systems in jeopardy again by asking
    employees to click on links in the e-mails.

    ``There's a risk that you desensitize people by telling them that
    occasionally, there's going to be a very important email you have to click
    on,'' said Joseph Lorenzo Hall, chief technologist at the Center for
    Democracy & Technology. He called OPM's first round of e-mail transmissions
    the equivalent of ``sending a postcard to people saying gee, you just got
    hacked, go to this website. The hackers could wise up and send their own set
    of fake identity protection e-mails and get into your computers all over
    again.''

    That's precisely what worried top Defense officials before the chief
    information officer of the government's largest agency told OPM last week to
    suspend the notifications because they disregarded basic cybersecurity
    training that's crucial to ensuring the safety of military networks: Never
    click on unfamiliar links, attachments or e-mail addresses because they
    expose employees to spear phishing attacks.

    Defense offices across the country posted a bulletin in their internal
    communication networks from CIO Terry Halvorsen that said OPM was
    ``suspending notification to DoD personnel that their [Personal Identifying
    Information] may have been breached until an improved, more secure
    notification and response process can be put in place.'' [...]

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
    if possible and convenient for you. The mailman Web interface can
    be used directly to subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks
    Alternatively, to subscribe or unsubscribe via e-mail to mailman
    your FROM: address, send a message to
    risks-...@csl.sri.com
    containing only the one-word text subscribe or unsubscribe. You may
    also specify a different receiving address: subscribe address= ... .
    You may short-circuit that process by sending directly to either
    risks-s...@csl.sri.com or risks-un...@csl.sri.com
    depending on which action is to be taken.

    Subscription and unsubscription requests require that you reply to a
    confirmation message sent to the subscribing mail address. Instructions
    are included in the confirmation message. Each issue of RISKS that you
    receive contains information on how to post, unsubscribe, etc.

    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines.

    => .UK users may contact <Lindsay....@newcastle.ac.uk>.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you NEVER send mail!
    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
    *** NOTE: Including the string `notsp' at the beginning or end of the subject
    *** line will be very helpful in separating real contributions from spam.
    *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
    http://www.risks.org takes you to Lindsay Marshall's searchable archive at
    newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 28.71
    ************************
     
  15. LakeGator
    Risks Digest 28.72

    RISKS List Owner

    Jun 22, 2015 6:03 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 22 June 2015 Volume 28 : Issue 72

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.72.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: [Possible Seasonal Slowdown Begins]
    Polish airline LOT hacked, flights suspended for hours (Michal Rosa)
    8 Indicted in Identity Thefts of Patients at Montefiore Medical Center
    (NYT via Monty Solomon)
    US agency plundered by Chinese hackers made one of the dumbest
    security moves possible (Business Insider)
    Australia passes controversial anti-piracy web censorship law (Ars Technica)
    Reason.com hit with federal subpoena to identify online commenters
    (Steve Golson)
    "Help, I'm Trapped in Facebook's Absurd Pseudonym Purgatory" (WiReD)
    Michael Bacon <michae...@tiscali.co.uk>
    The Titanic and the Ark -- Re: pension org phished (Michael Bacon)
    Re: L.A. plans potentially disastrous switch to "electronic" voting
    (Steve Lamont)
    Re: Major League Baseball cancels 60 million all-star votes
    (Harlan Rosenthal, RISKS-28.71)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 21 Jun 2015 23:01:49 +0000
    From: "Rosa, Michal" <micha...@hp.com>
    Subject: Polish airline LOT hacked, flights suspended for hours notsp

    A number of flights operated by the Polish national airline LOT were
    grounded on Sunday, June 22 as unknown hackers gained access to LOT's
    computers.

    According to the official communique the computers were attacked in a way
    which made it impossible to print flight plans for airliners departing from
    Warsaw. According to LOT there was no danger to any of the aircraft already
    in the air; the only thing the attack prevented was the creation and printing
    of flight plans for regular flights departing from Warsaw. LOT announced the
    problem at 4pm on Sunday, and it was apparently resolved by 8.45 pm. At the
    moment no other details are known.

    http://niebezpiecznik.pl/post/komputery-lot-u-zaatakowane-samoloty-uziemione/ - link in Polish only, sorry.

    ------------------------------

    Date: Mon, 22 Jun 2015 02:10:25 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: 8 Indicted in Identity Thefts of Patients at Montefiore Medical Center

    A hospital employee and seven others were indicted on Friday on charges of
    stealing the personal information of as many as 12,000 patients.
    http://www.nytimes.com/2015/06/20/n...-of-patients-at-montefioremedical-center.html

    ------------------------------

    Date: Sat, 20 Jun 2015 20:30:37 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: US agency plundered by Chinese hackers made one of the dumbest
    security moves possible (Re: RISKS-28.69,71)

    http://www.businessinsider.com/the-...of-the-dumbest-security-moves-possible-2015-6

    Contractors in Argentina and China were given "direct access to every row
    of data in every database" when they were hired by the Office of Personnel
    Management (OPM) to manage the personnel records of more than 14 million
    federal employees, a federal consultant told ArsTechnica.

    [See also, from Monty Solomon: Undetected for nearly a year, Chinese
    intruders executed a sophisticated hack that gave them administrator
    privileges in government networks. Their ultimate target: information on
    anyone seeking a security clearance.
    http://www.nytimes.com/2015/06/21/u...-hackers-privileged-access-to-us-systems.html
    PGN]

    ------------------------------

    Date: Mon, 22 Jun 2015 07:29:56 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Australia passes controversial anti-piracy web censorship law (Ars)

    Ars via NNSquad
    http://arstechnica.co.uk/tech-polic...controversial-anti-piracy-web-censorship-law/

    As well as being based on a false premise, the new law will also be
    ineffectual, since Australians can simply use web proxies and VPNs to
    circumvent any blocks that are imposed. This has raised the fear that the
    courts will go on to apply the new law to VPN providers, although
    Australia's Communications Minister Malcolm Turnbull has insisted this
    won't happen. According to TorrentFreak, last week Turnbull said: "VPNs
    have a wide range of legitimate purposes, not least of which is the
    preservation of privacy--something which every citizen is entitled to
    secure for themselves--and [VPN providers] have no oversight, control or
    influence over their customers' activities." If Turnbull sticks to that
    view, it is likely that Australians will turn increasingly to VPNs to
    nullify the new law.

    ------------------------------

    Date: Sat, 20 Jun 2015 14:13:35 -0400
    From: Steve Golson <sgo...@trilobyte.com>
    Subject: Reason.com hit with federal subpoena to identify online commenters

    Reason.com, a leading libertarian website affiliated with Reason magazine,
    received a federal grand jury subpoena compelling them to identify anonymous
    commenters. The subpoena included a gag order so Reason.com could not talk
    about it. Until now:

    http://reason.com/blog/2015/06/19/government-stifles-speech
    http://popehat.com/2015/06/08/depar...commenters-on-a-silk-road-post-at-reason-com/
    http://popehat.com/2015/06/11/media-coverage-of-the-reason-debacle/

    But Reason.com is not the dark web. Many of our regular commenters
    voluntarily display either personal website information or their email
    addresses. In fact, three of the six commenters subject to this very
    subpoena voluntarily displayed public links to personal blogs at Blogger
    as part of their comments, one of which further links to a Google+ page.
    Raising the question: How can the government view these so-called
    "threats" as so nefarious when people posted them in such a non-anonymous
    fashion?

    ------------------------------

    Date: Sat, 20 Jun 2015 16:54:40 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: "Help, I'm Trapped in Facebook's Absurd Pseudonym Purgatory"

    http://www.wired.com/2015/06/facebook-real-name-policy-problems/

    "TWO WEEKS AGO, Facebook locked me out of my profile. My photos and
    friends are gone, my profile vanished without a trace. Someone reported
    my account as pseudonymous, and Facebook kicked me out. To get back in, I
    must provide various forms of identification proving the authenticity of
    my username. I'm not going to. I am one of many casualties of Facebook's
    recently rejiggered "authentic name" policy, wherein anonymous users can
    report a name as fake and trigger a verification process. Part of the
    motivation is stopping the proliferation of celebrity imposter accounts
    and profiles made for pets. But it's also allowed Facebook to shutter the
    accounts of real people, based on "authenticity." What does "authentic"
    mean, though? It's both confusing and contextual, because identity itself
    is confusing and contextual."

    Yet another difference with Google. When they realized that the entire "real
    name" paradigm just didn't work out well for users in Google+, Google
    actually learned from this and moved beyond it to an open naming model. In
    contrast, Facebook just keeps repeating its own mistakes again, and again,
    and again ...

    [FaRcebook with R for Repeat? PGN]

    ------------------------------

    Date: Sat, 20 Jun 2015 13:17:38 +0100
    From: Michael Bacon <michae...@tiscali.co.uk>
    Subject: The Titanic and the Ark

    (was: Japanese pension organization phished ... (Macintyre, RISKS-28.67))

    "... very few employers seem interested in factoring [IT certifications]
    into their hiring process."

    Over many years I have interviewed prospective employees for a variety of
    roles, from screen-watchers in a SOC to top-flight consultants in 'Big Six'
    practices. A great many have adduced certificates of competency in IT and
    IT/Information Security. Few have stood my scrutiny.

    I have seen candidates with CISSP after their name who had zero trade
    experience; I have seen CISAs who couldn't audit their way out of a paper
    bag; I have seen people with a "practitioner" certificate whose acquired
    knowledge is useless in practice; and I have shown the door to those with a
    plethora of Microsoft, Cisco and other manufacturer certifications who
    couldn't explain what the first letter in SFTP, SSH, SHTTP meant, let alone
    how it worked.

    In short, I have never put much store by certificates, but a lot on
    real-world, nose-to-the-grindstone, ear-to-the-ground, demonstrable
    experience, ideally with a major cock-up in their past from which they have
    learned major lessons.

    As a consequence, I have recruited great people who were logical in thought,
    thorough in approach, and tenacious in execution, and who have gone on to
    have great careers. But not one of the best I could name had any
    certificate to back up the skills I hired them for.

    The Ark was built by one man with no qualifications, the Titanic by people
    with certificates.

    ------------------------------

    Date: Sat, 20 Jun 2015 15:07:04 -0700
    From: s...@tirebiter.org (Steve Lamont)
    Subject: Re: L.A. plans potentially disastrous switch to "electronic" voting

    Here's the problem: our election system is *already* hacked and has been for
    decades. It seems perversely (and perhaps intentionally) designed to keep
    all but the most fervent partisans from voting, especially in off-year
    elections, where most of the mischief seems to now occur.

    News archives are replete with tales of voters standing for hours in
    enormously long lines, waiting for the chance to exercise their franchise.
    Shortages of paper ballots are frequent. And, now, of course, states seem
    to be intent upon erecting further roadblocks to voting through voter ID
    laws, which "solve" the largely non-existent problem of voter fraud.

    And we wonder why voter turnout becomes progressively worse each election
    and why all too often elections are decided by a few zealots, resulting in
    the warped Congress and Senate currently installed in Washington, DC (and
    that includes members of *both* parties, mind you).

    Now I'm not necessarily advocating electronic voting and certainly not
    Internet voting, given the current state of the technology, but perhaps the
    time has come for the technologists and security mavens reading this list to
    go beyond mere nay-saying and skepticism and come up with verifiable,
    auditable solutions that make voting as easy as, say, ordering a new gadget
    from Amazon.

    ------------------------------

    Date: Sun, 21 Jun 2015 07:13:38 -0500 (CDT)
    From: Harlan Rosenthal <harlan.r...@verizon.net>
    Subject: Re: Major League Baseball cancels 60 million all-star votes
    (RISKS-28.71)

    Look on the bright side: at least the risks were made obvious and apparent
    in a vote that has enough importance for people to care (and for publicity),
    but less importance than a real governmental vote.

    ------------------------------


    End of RISKS-FORUM Digest 28.72
    ************************
     
  16. LakeGator
    Risks Digest 28.73

    RISKS List Owner

    Jun 26, 2015 5:50 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 26 June 2015 Volume 28 : Issue 73

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.73.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    PITA: How Encryption Keys Could Be Stolen by Your Lunch (Jeremy Kirk)
    "Critical flaw in ESET products shows why spy groups are interested in
    antivirus programs" (Lucian Constantin)
    "Samsung sneakily disables Windows Update on some PCs" (Jared Newman)
    Major Internet providers slowing traffic speeds for thousands across U.S.
    (The Guardian)
    High-5s for OPM from govts lusting for control of the Internet (Henry Baker)
    "Help, I'm Trapped in Facebook's Absurd Pseudonym Purgatory" (Michael Bacon)
    Bootleggers & Baptists; Spooks & Copyrights wrt anti-virus (Henry Baker)
    Allstate patents spying on driver's physio data (Henry Baker)
    Re: Weinstein on "L.A. plans potentially disastrous switch to
    'electronic' voting" (John Sebes)
    Re: The Titanic and the Ark (Gary Hinson)
    Re: OPM Hack: L0pht Testifies 17 Years Ago (Henry Baker)
    Cyber Security Hall of Fame (Gene Spafford)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 22 Jun 2015 12:09:49 -0400 (EDT)
    From: "ACM TechNews" <tech...@hq.acm.org>
    Subject: PITA: How Encryption Keys Could Be Stolen by Your Lunch
    (Jeremy Kirk)

    Jeremy Kirk, IDG News Service, via ACM TechNews, 22 Jun 2015

    Israeli researchers from Tel Aviv University have developed a device that
    can be concealed within pita bread and has the ability to deduce encryption
    keys by sniffing the electromagnetic leakage from a computer. The device is
    an example of a side-channel attack, which relies on the tiny bits of
    information that leak from computers as they perform computations. The
    device, dubbed PITA (Portable Instrument for Trace Acquisition) by the
    researchers, was designed to target a laptop encrypted using the GnuPG 1.x
    encryption tool. The device consists of a copper unshielded loop antenna
    and a capacitor designed to pick up the frequencies at which encryption key
    information leaks. PITA sends out multiple ciphertexts to the targeted
    computer and then monitors the computer's electromagnetic emissions as it
    decrypts the ciphertexts. The signals are collected on an internal microSD
    card for offline analysis, which can deduce the key from the data in a
    matter of seconds. Such side-channel attacks can be very difficult to
    defend against and hardware solutions are unlikely to appear due to their
    cost. A more likely method of defending against them would be modifying
    software so the information leaked when it runs will be of no use to an
    attacker.

    http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-dd1ex2cf6ex062958&

    ------------------------------

    Date: Thu, 25 Jun 2015 00:45:11 +0200
    From: Werner U <wer...@gmail.com>
    Subject: Critical flaw in ESET products (Lucian Constantin)

    [ take a deep breath, RISKS readers... and don't forget to say "Me?
    Surprised?!!? hah!" ]

    Lucian Constantin. InfoWorld, 25 Jun 2015
    Critical flaw in ESET products shows why spy groups are interested in
    antivirus programs
    <http://www.infoworld.com/author/Lucian-Constantin/>
    IDG News Service <http://www.idgnews.net/> | Jun 24, 2015

    *The flaw could allow attackers to fully compromise systems via websites,
    email, USB drives, and other methods*

    Several antivirus products from security firm ESET had a critical
    vulnerability that was easy to exploit and could lead to a full system
    compromise. The discovery of the flaw, which has now been patched, comes on
    the heels of a report that intelligence agencies from the U.K. and the
    U.S. are reverse engineering antivirus products in search for
    vulnerabilities and methods to bypass detection. ...

    The vulnerability in ESET products was discovered by Google security
    engineer Tavis Ormandy and was located in their emulator, the antivirus
    component responsible for unpacking and executing potentially malicious code
    inside a safe environment so that it can be scanned. The ESET products
    monitor disk input and output operations and when executable code is
    detected they run it through the emulator to apply the detection
    signatures. ... "Because it's so easy for attackers to trigger emulation of
    untrusted code, it's critically important that the emulator is robust and
    isolated," Ormandy said in a blog post
    <http://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html>.

    ... The vulnerability found by the Google researcher allows a remote
    attacker to execute arbitrary commands with the highest system privilege.
    The flaw is particularly dangerous because it can be exploited in many
    ways. ... Because it's so easy to exploit, the flaw can be used to create a
    computer worm that spreads from one computer to another, including on
    "air-gapped" networks through USB thumb drives. ...

    The vulnerability affects ESET Smart Security for Windows, ESET NOD32
    Antivirus for Windows, ESET Cyber Security Pro for OS X, ESET NOD32 For
    Linux Desktop, ESET Endpoint Security for Windows and OS X and ESET NOD32
    Business Edition. The company released a scanning engine update
    <http://www.virusradar.com/en/update/info/11824> Monday to fix the flaw, so
    users should make sure they update their products. The vulnerability was
    located in the emulation routine used by a particular scanner for a specific
    malware family and didn't affect the core emulation engine, ESET
    said. ... As a result of code-rewriting efforts to improve product quality,
    the company had already corrected the flaw, and it didn't exist in ESET's
    "pre-release" engine, which is available to all customers, the company said.

    This is not the first time that security researchers have found serious
    vulnerabilities in antivirus products. In 2012, Ormandy found critical
    vulnerabilities in Sophos Antivirus
    <http://www.pcworld.com/article/2013...nerabilities-in-sophos-antivirus-product.html>
    and last year he found a flaw that could be exploited to remotely disable
    the protection engine
    <http://www.pcworld.com/article/2365...-disable-microsofts-antimalware-products.html>
    used in many Microsoft antimalware products. Also last year, Joxean Koret,
    a researcher at Coseinc, found dozens of remotely and locally exploitable
    vulnerabilities in 14 antivirus engines.
    <http://www.computerworld.com/articl...products-are-riddled-with-security-flaws.html>

    Unlike some other software applications, antivirus programs have a very
    large attack surface because they need to inspect many types of files and
    code written in different languages from various sources, including the Web
    and email; and file parsing has historically been a source of many
    vulnerabilities. For the past several years there's been a push to limit
    the privileges of widely used software applications. Some programs like
    Google Chrome or Adobe Reader use sandboxing mechanisms, making it
    significantly harder for attackers to exploit remote code execution
    vulnerabilities. However, antivirus products need to run with high
    privileges so they can effectively fight off threats, so it's very important
    that their code is solid ... as this allows attackers to gain full control of a
    system by exploiting a single vulnerability, without having to worry about
    bypassing sandboxes or escalating privileges (according to Carsten Eiram,
    the chief research officer at vulnerability intelligence firm Risk Based
    Security); 2.5% of the flaws recorded by Risk Based Security in its
    vulnerability database last year were for security products, including
    antivirus programs. The historical rate is 2.2% (of 10,000+).

    The Intercept reported
    <https://firstlook.org/theintercept/2015/06/22/nsa-gchq-targeted-kaspersky/>
    Monday that in 2008 GCHQ filed requests to renew a warrant that would have
    allowed the agency to reverse engineer antivirus products from Kaspersky Lab
    to find weaknesses. The NSA also studied antivirus products to bypass their
    detection (according to Edward Snowden).

    Earlier this month, Kaspersky Lab announced that some of its internal
    systems were infected with a new version of a sophisticated cyberespionage
    tool called Duqu. The attackers, who the company strongly believes were
    state-sponsored, were after Kaspersky's intellectual property, including
    information on its latest technologies and ongoing investigations.

    "It's neither new nor surprising that intelligence agencies are reverse
    engineering security products to find vulnerabilities, as well as ways to
    bypass their intended protection mechanisms," Eiram said. "It is, however,
    pretty concerning that they are also compromising security companies in
    order to steal intellectual property."
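    Ormandy's point that an emulator fed with untrusted input must be "robust and isolated" can be shown in a few lines. The Python block below is an added example of my own (not ESET's code and nothing like their emulator): a toy parser that follows a chain of offset-linked records, trusting the offsets the way fragile unpackers do, is run in a separate CPU-limited child process so that a hang or an exception inside it comes back to the scanner as a verdict instead of taking the scanner down. A hardened variant of the parser shows the actual fix. It assumes Linux (the `resource` limits and the fork start method); the record format and the sample inputs are constructed.

```python
"""Added example: contain a fragile parser in a resource-limited child process.
Not ESET's code; the record format and inputs are constructed. Assumes Linux."""
import multiprocessing
import resource

END = 0xFF  # next-offset value that terminates a record chain


def parse_chain(blob):
    """Follow a chain of records laid out as [next_offset][len][payload].

    Trusts the offset field completely, so a record whose next_offset points
    back at an earlier record makes it loop forever, and a truncated chain
    raises IndexError. Linked-offset structures in real file formats have had
    exactly these defects; this is the class of bug isolation must contain.
    """
    pos, records = 0, []
    while pos != END:
        nxt, length = blob[pos], blob[pos + 1]
        records.append(bytes(blob[pos + 2:pos + 2 + length]))
        pos = nxt
    return records


def parse_chain_hardened(blob):
    """Same format, but refuses cycles and out-of-range offsets up front."""
    pos, records, seen = 0, [], set()
    while pos != END:
        if pos in seen or pos + 1 >= len(blob):
            raise ValueError("malformed chain at offset %d" % pos)
        seen.add(pos)
        nxt, length = blob[pos], blob[pos + 1]
        records.append(bytes(blob[pos + 2:pos + 2 + length]))
        pos = nxt
    return records


def _worker(parser, blob, conn, cpu_seconds):
    # Hard CPU cap inside the child: the kernel sends SIGXCPU when it is exceeded,
    # so a spinning parser dies on its own even if the parent never notices.
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    try:
        conn.send(("ok", parser(blob)))
    except Exception as exc:  # any parse failure becomes a verdict, not a crash
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def scan_isolated(parser, blob, cpu_seconds=1, wall_seconds=5.0):
    """Run parser(blob) in a child and return one of
    ("ok", records), ("error", text), ("killed", None) or ("timeout", None)."""
    ctx = multiprocessing.get_context("fork")  # assumption: Unix-like host
    parent_end, child_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(parser, blob, child_end, cpu_seconds))
    proc.start()
    child_end.close()
    try:
        if parent_end.poll(wall_seconds):
            verdict = parent_end.recv()
        else:
            verdict = ("timeout", None)
    except EOFError:
        verdict = ("killed", None)  # child died (e.g. SIGXCPU) before replying
    finally:
        parent_end.close()
    if proc.is_alive():
        proc.kill()
    proc.join()
    return verdict


# Constructed inputs: a valid two-record chain, a self-referencing chain,
# and a chain whose second record is missing.
GOOD = b"\x05\x03abc\xff\x02hi"
LOOP = b"\x00\x03abc"
TRUNCATED = b"\x05\x03abc"

if __name__ == "__main__":
    for name, blob in [("GOOD", GOOD), ("LOOP", LOOP), ("TRUNCATED", TRUNCATED)]:
        print(name, scan_isolated(parse_chain, blob))
    print("hardened LOOP", scan_isolated(parse_chain_hardened, LOOP))
```

    The child process here still runs as the same user; in a real product the worker would additionally drop privileges and be confined by seccomp, AppArmor or an equivalent, which is the sandboxing the article credits Chrome and Reader with. The CPU limit and the wall-clock timeout are independent: the first kills a runaway child, the second keeps the parent from waiting on one that has stalled without burning CPU.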

    ------------------------------

    Date: Fri, 26 Jun 2015 09:00:06 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Samsung sneakily disables Windows Update on some PCs"
    (Jared Newman)

    Jared Newman, PCWorld, 25 Jun 2015
    The switch supposedly helps maintain driver compatibility, but raises
    security concerns in the process
    http://www.infoworld.com/article/29...kily-disables-windows-update-on-some-pcs.html

    opening text:
    Samsung has allegedly been disabling Windows Update on some computers, so as
    not to interfere with its own update tool.

    ------------------------------

    Date: Tue, 23 Jun 2015 17:38:57 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Study: Major Internet providers slowing traffic speeds
    for thousands across U.S.

    http://www.theguardian.com/technology/2015/jun/22/major-internet-providers-slowing-traffic-speeds

    Major Internet providers, including AT&T, Time Warner and Verizon, are
    slowing data from popular websites to thousands of US businesses and
    residential customers in dozens of cities across the country, according to
    a study released on Monday. The study, conducted by Internet activists
    BattlefortheNet, looked at the results from 300,000 Internet users and
    found significant degradations on the networks of the five largest
    Internet service providers (ISPs), representing 75% of all wireline
    households across the US.

    ------------------------------

    Date: Thu, 25 Jun 2015 21:53:26 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: High-5s for OPM from govts lusting for control of the Internet

    FYI -- "the OPM breach would cause more damage to national security
    operations and personnel than the leaks by Edward Snowden"

    Those at the US NSA, UK GCHQ, Chinese govt, Russian govt, etc., are totally
    thrilled by this OPM hack, because incidents like these provide the
    political fuel for far greater govt control over the Internet. Intelligence
    agencies all over the world, from any and all sides, gain power when govts
    move in to better "protect" their citizens from spies very like themselves.

    The fact that the U.S. govt is criminally negligent w.r.t. not protecting
    its employees own private data will be completely lost in all of the
    hand-wringing. The press has not been holding politicians' feet to the fire
    on this issue, either.

    http://www.thedailybeast.com/articl...rets-of-u-s-government-workers-sex-lives.html

    Hackers Stole Secrets of U.S. Government Workers' Sex Lives. 24 Jun 2015

    Infidelity. Sexual fetishes. Drug abuse. Crushing debt. They're the most
    intimate secrets of U.S. government workers. And now they're in the hands
    of foreign hackers.

    It was already being described as the worst hack of the U.S. government in
    history. And it just got much worse.

    A senior U.S. official has confirmed that foreign hackers compromised the
    intimate personal details of an untold number of government workers. Likely
    included in the hackers' haul: information about workers' sexual partners,
    drug and alcohol abuse, debts, gambling compulsions, marital troubles, and
    any criminal activity.

    ------------------------------

    Date: Tue, 23 Jun 2015 05:22:40 +0100
    From: Michael Bacon <michae...@tiscali.co.uk>
    Subject: "Help, I'm Trapped in Facebook's Absurd Pseudonym Purgatory" (R 28.72)

    Facebook has clearly forgotten that: "On the Internet, no-one knows you're a
    dog"! -- says the man whose FB Profile picture is a dog, and who uses a
    pseudonym, albeit with my given and family names below.

    ------------------------------

    Date: Mon, 22 Jun 2015 20:55:03 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Bootleggers & Baptists; Spooks & Copyrights wrt anti-virus

    FYI -- ``If you write an exploit for an anti-virus product you're likely
    going to get the highest privileges (root, system or even kernel) with just
    one shot.''

    Duh!

    Who watches the watchers? (In this case, virus-watchers...)

    "Software makers, fearing piracy, hacking and intellectual property theft,
    often forbid the practice in licensing agreements and sometimes protect the
    most sensitive inner workings of their software with encryption.
    Governments have passed laws, with digital media in mind, that strictly
    circumscribe tampering with this encryption. Software companies have also
    sued to block reverse engineering as copyright infringement..."

    Strange bedfellows: intelligence agencies team with "copyright maximalists"
    (DMCA, etc.), while reverse engineering like crazy. So much for "protecting
    the intellectual property of ordinary citizens". Mr. Comey doth protest too
    much, methinks.

    Andrew Fishman and Morgan Marquis-Boire, FirstLook, 22 Jun 2015
    Popular Security Software Came Under Relentless NSA and GCHQ Attacks
    https://firstlook.org/theintercept/2015/06/22/nsa-gchq-targeted-kaspersky/

    The National Security Agency and its British counterpart, Government
    Communications Headquarters, have worked to subvert anti-virus and other
    security software in order to track users and infiltrate networks, according
    to documents from NSA whistleblower Edward Snowden.

    The spy agencies have reverse engineered software products, sometimes under
    questionable legal authority, and monitored web and email traffic in order
    to discreetly thwart anti-virus software and obtain intelligence from
    companies about security software and users of such software. One security
    software maker repeatedly singled out in the documents is Moscow-based
    Kaspersky Lab, which has a holding registered in the U.K., claims more than
    270,000 corporate clients, and says it protects more than 400 million people
    with its products.

    British spies aimed to thwart Kaspersky software in part through a technique
    known as software reverse engineering, or SRE, according to a top-secret
    warrant renewal request. The NSA has also studied Kaspersky Lab's software
    for weaknesses, obtaining sensitive customer information by monitoring
    communications between the software and Kaspersky servers, according to a
    draft top-secret report. The U.S. spy agency also appears to have examined
    emails inbound to security software companies flagging new viruses and
    vulnerabilities.

    The efforts to compromise security software were of particular importance
    because such software is relied upon to defend against an array of digital
    threats and is typically more trusted by the operating system than other
    applications, running with elevated privileges that allow more vectors for
    surveillance and attack. Spy agencies seem to be engaged in a digital game
    of cat and mouse with anti-virus software companies; the U.S. and U.K. have
    aggressively probed for weaknesses in software deployed by the companies,
    which have themselves exposed sophisticated state-sponsored malware.

    [Long item truncated for RISKS. PGN]

    ------------------------------

    Date: Mon, 22 Jun 2015 16:20:09 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Allstate patents spying on driver's physio data

    FYI -- "George Orwell wrote this, right?", says Bob Hunter, insurance
    director for Consumer Federation of America.

    "The invention also teaches the monitoring and recording of data from
    onboard cameras and proximity sensors, as well as driver physiological
    monitoring systems. Also included within the invention is predictive
    modeling of future behavior as a function of recorded data an individual
    driver compared with other drivers within a database."

    "This analysis can allow assessment and comparison of a variety of life
    style/health factors"

    We're going to need "driving gloves" and/or a "driving wheel condom" before
    driving such Allstate-equipped cars.

    I wonder if capturing your physio data will become a requirement for renting
    a car?

    Note that the exact same information may already be available to companies
    like Fitbit, who can correlate physio data with cellphone data & report to
    insurance companies like Allstate.

    http://www.sun-sentinel.com/health/ct-allstate-patent-data-0618-biz-20150618-story.html

    Insurer monitoring your heart rate? Allstate's patent makes it possible
    *Sun Sentinel*, 18 Jun 2015

    A new patent secured by insurer Allstate reveals an invention that has the
    potential to evaluate drivers' physiological data, including heart rate,
    blood pressure and electrocardiogram signals, which could be recorded from
    steering wheel sensors.

    Becky Yerak, *The Chicago Tribune*
    https://www.google.com/patents/US20140080100

    An insurance company monitoring your heart rate through the steering wheel?
    Allstate's new patent opens door

    Could your bank or potential employer someday use data from your car?

    Attention tailgaters: Someday a bank or a potential employer considering
    your loan or your job application might become privy to your tendencies for
    aggressive driving.

    [Anthr lng itm trnctd. P.]

    ------------------------------

    Date: Tue, 23 Jun 2015 14:56:26 -0700
    From: John Sebes <jse...@osetfoundation.org>
    Subject: Re: Weinstein on "L.A. plans potentially disastrous switch to
    'electronic' voting" (RISKS-28.71)

    I respectfully disagree with Lauren's assessment of LA's Dean Logan's plans
    for future voting systems.

    First, let me agree on a couple points:
    1) There are several privacy and integrity issues to be addressed, and
    the devil is in the details.
    2) Whether or not the software involved is open-source does not, by
    itself, impart any amount of security, privacy, etc. for the system
    built from that source code.
    3) Internet voting is still crazy, and there is nothing, nothing at all
    about Internet voting in the plans of the LA CC-RR for electronic voting.

    Then, in the "however" part:
    3) LA's plans, as described in this article, are about in-person voting
    2) Open source would however help with independent assessment of whether
    those devilish details have been handled well.
    1) I myself prefer not to leap to judgment with "they never learn" but
    instead closely follow the development. My personal experience with the
    LA CC-RR organization is that they are well aware of these issues and
    quite diligent.

    Secondly, let me provide an explanation of why the QR-code idea is not
    by itself anything to worry about from an Internet voting perspective.
    Let's take this by steps from current practice (step 0).

    0) Ballot-marking devices (BMDs) in polling places, that present a voter's
    ballot in that precinct, visually, collecting voter choices, then presenting
    all the choices for voter approval (or modification) and producing a paper
    ballot of record that is: reviewed by the voter, opscanned, and later part
    of a risk-limiting audit.

    1) A similar BMD that operates in "vote center" mode capable of presenting
    any ballot style in the county to a voter. Just as in a precinct polling
    place there must be measures to ensure that each voter gets the proper
    ballot style, there must be similar measures in vote centers.

    2) A similar BMD where the "collect the voter's choices" step is a pre-load
    of voter choices done by scanning a voter-presented paper item or screen
    content item. The same steps of presenting all the choices for review, etc.,
    is followed as in (0). Local election officials might even choose to make
    the voter step through the ballot items sequentially with the pre-loaded
    choices, rather than skip to the "present all choices for approval or
    correction" step.

    There's nothing inherently Internet-voting-risky about this progression.
    That applies whether the paper item or screen content item is a QR code, bar
    code, or mass of human readable text that's OCR'd in the "pre load" step.

    There are, however, a separate set of issues about the process of a voter
    producing that paper item or screen content item, as a result of interacting
    with an "interactive sample ballot (ISB)" application that does a similar
    ballot presentation as a BMD, but produces that paper item or screen content
    item as a result. The ISB could be a native application like the Oregon
    "Alternative Format Ballot" tool that doesn't require a network
    connection. Or it could be an ISB web application that's carefully
    constructed to deal with personal privacy and ballot anonymity issues.

    For a proposal of the latter system (which I contributed to) please see:
    http://ballot.ly and
    http://kng.ht/1Iz96Za

    That's intended to be in stark contrast to the existing online ballot
    marking tools that have some significant problems that some RISKS readers
    will be familiar with.

    Final point: it is possible to do this right, and I personally am confident
    that LA RR-CC will have the opportunity to do so.

    John Sebes
    CTO, OSET Foundation

    ------------------------------

    Date: Thu, 25 Jun 2015 13:19:30 +1200
    From: "Gary Hinson" <Ga...@isect.com>
    Subject: Re: The Titanic and the Ark (Bacon, RISKS-28.72)

    "... very few employers seem interested in factoring [IT certifications]
    into their hiring process."

    With respect, Michael, your argument doesn't hold water. While I agree that
    real-world experience often trumps theoretical study, to disregard anyone
    out of hand merely because they possess a certificate (as you imply) is
    crazy. What about those of us who have both? Do you not even accept that
    someone making the effort to study and improve their knowledge,
    understanding and competence is a good thing? The certificate itself is
    just a piece of paper, but it represents something worthwhile. Given the
    choice, I'd personally be more confident about taking on a candidate with
    relevant certifications than one without - all else being equal.

    Dr Gary Hinson PhD MBA CISSP
    CEO of IsecT Ltd., New Zealand www.isect.com

    ------------------------------

    Date: Fri, 26 Jun 2015 06:03:06 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: OPM Hack: L0pht Testifies 17 Years Ago

    FYI -- The Cassandra Files, Part Whatever.

    Watch this hour-long video from 1998 and weep (again).

    Hackers Testifying at the United States Senate, May 19, 1998 (L0pht Heavy
    Industries)

    L0pht Heavy Industries testifying before the United States Senate Committee
    on Governmental Affairs, Live feed from CSPAN, May 19, 1998. Starring Brian
    Oblivion, Kingpin, Tan, Space Rogue, Weld Pond, Mudge, and Stefan von
    Neumann.

    This is the infamous testimony where Mudge stated we could take down the
    Internet in 30 minutes. Although that's all the media took from it, much
    more was discussed. See for yourself.



    [PGN testified in the same session, with similar conclusions!]

    ------------------------------

    Date: Thu, 25 Jun 2015 22:06:36 -0400
    From: Gene Spafford <sp...@purdue.edu>
    Subject: Cyber Security Hall of Fame

    Do you know of someone who should be nominated for the Cyber Security
    Hall of Fame?

    You have until the end of the day July 5 to submit a nomination!
    https://www.cybersecurityhof.org

    Please spread the word.

    Hall of Fame Inductees 2012
    F. Lynn McNulty
    Martin Hellman
    Ralph Merkle
    Whit Diffie
    Dorothy Denning
    Roger Schell
    Peter Neumann
    Carl Landwehr
    Ron Rivest
    Adi Shamir
    Len Adleman

    Hall of Fame Inductees 2013
    David E. Bell
    Jim Bidzos
    Eugene Spafford
    James Anderson
    Willis H. Ware

    Hall of Fame Inductees 2014
    Paul Kocher
    Vint Cerf
    Phil Zimmermann
    Steve Bellovin
    Richard A. Clarke

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
    if possible and convenient for you. The mailman Web interface can
    be used directly to subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks
    Alternatively, to subscribe or unsubscribe via e-mail to mailman
    your FROM: address, send a message to
    risks-...@csl.sri.com
    containing only the one-word text subscribe or unsubscribe. You may
    also specify a different receiving address: subscribe address= ... .
    You may short-circuit that process by sending directly to either
    risks-s...@csl.sri.com or risks-un...@csl.sri.com
    depending on which action is to be taken.

    Subscription and unsubscription requests require that you reply to a
    confirmation message sent to the subscribing mail address. Instructions
    are included in the confirmation message. Each issue of RISKS that you
    receive contains information on how to post, unsubscribe, etc.

    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>

    ------------------------------

    End of RISKS-FORUM Digest 28.73
    ************************
     
  17. LakeGator

    Risks Digest 28.74

    RISKS List Owner

    Jul 1, 2015 4:42 AM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Wednesday 1 July 2015 Volume 28 : Issue 74

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.74.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Israel's comptroller: Biometric database full of flaws (Hanan Cohen)
    Most Internet anonymity [VPN service] software leaks users' details (QMUL)
    The latest RISKS items from TechWeekEurope (Werner U)
    *The Washington Post* to Deploy More Secure HTTPS Across Site
    (Gabe Goldberg)
    WiFi Offloading is Skyrocketing (Werner U)
    The sharp elbows of driverless cars (Mark Thorson)
    "Sad day for developers: SCOTUS denies Google's appeal on APIs"
    (Simon Phipps)
    "Microsoft quietly pushes 17 new trusted root certificates to all
    Windows systems" (Woody Leonhard)
    "Tap your iPad to order: Restaurant automation nobody needs"
    (Galen Gruman)
    Automation dependency: Children of the Magenta (Henry Baker)
    The Future of Car Keys? Smartphone Apps, Maybe (NYTimes)
    ISIS and the Lonely Young American (NYTimes)
    Leap Second problem (Bob Frankston)
    Growing opposition to the Leap Second (Mark Thorson)
    California mandatory vaccination harbinger of anti-virus software?
    (Henry Baker)
    Analyses of root causes? (Martyn Thomas)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 28 Jun 2015 08:34:50 +0300
    From: Hanan Cohen <ha...@info.org.il>
    Subject: Israel's comptroller: Biometric database full of flaws

    Report says there is not enough information to determine whether the
    data-gathering system is even worthwhile. Meanwhile, Interior Minister Shalom
    orders extension of the trial period of the project.
    http://www.haaretz.com/news/israel/.premium-1.662605

    ------------------------------

    Date: Tue, 30 Jun 2015 07:57:36 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Most Internet anonymity [VPN service] software leaks users' details

    QMUL via NNSquad
    http://www.qmul.ac.uk/media/news/items/se/158459.html

    The study of fourteen popular VPN providers found that eleven of them
    leaked information about the user because of a vulnerability known as
    'IPv6 leakage'. The leaked information ranged from the websites a user is
    accessing to the actual content of user communications, for example
    comments being posted on forums. Interactions with websites running HTTPS
    encryption, which includes financial transactions, were not leaked. The
    leakage occurs because network operators are increasingly deploying a new
    version of the protocol used to run the Internet called IPv6. IPv6
    replaces the previous IPv4, but many VPNs only protect users' IPv4
    traffic. The researchers tested their ideas by choosing fourteen of the
    most famous VPN providers and connecting various devices to a WiFi access
    point which was designed to mimic the attacks hackers might use.

    ------------------------------

    Date: Sun, 28 Jun 2015 23:05:16 +0200
    From: Werner U <wer...@gmail.com>
    Subject: The latest RISKS items from TechWeekEurope

    (btw, the need for collaboration was the main point I made in a talk at the
    FIRST conference in St. Louis in the early 90's)

    IBM Security CTO: Cloud Security Needs Collaboration
    <http://www.techweekeurope.co.uk/security/ibm-security-cto-cloud-collaboration-171387>

    WATCH: Cloud security needs to go beyond transparency to keep up with
    global coordinated attacks, according to IBM's Martin Borrett
    Ben Sullivan <http://www.techweekeurope.co.uk/author/bsullivan>, June 26,
    2015, 4:02 pm

    Third Of British Firms Targeted By Ransomware
    <http://www.techweekeurope.co.uk/e-regulation/british-firms-ransomware-171347>

    New study reveals alarming number of British firms have been held to ransom
    by hackers
    Tom Jowitt <http://www.techweekeurope.co.uk/author/tjowitt>, June 26,
    2015, 2:29 pm

    Apple iPhones Hit With Blue Screen Of Death Bug
    <http://www.techweekeurope.co.uk/mobility/apple-iphones-blue-screen-death-bug-171316>

    T-Mobile users in the US take to the Internet to share their anger at
    mystery outage
    Michael Moore <http://www.techweekeurope.co.uk/author/mmoore>, June 26,
    2015, 11:21 am

    Seven-Day Healthcare? Good Luck Without Mobile
    <http://www.techweekeurope.co.uk/mobility/mobile-apps/mubaloo-mobile-healthcare-smartphones-171384>

    Mubaloo's Alana Saunders tells us why the NHS needs to embrace mobile
    technology in order to provide a fuller service to patients
    Michael Moore <http://www.techweekeurope.co.uk/author/mmoore>, June 26,
    2015, 3:38 pm

    Apple Co-Founder Wozniak Predicts AI Will Treat Humans As Pets
    <http://www.techweekeurope.co.uk/e-innovation/apple-ai-humans-pets-171372>
    Steve Wozniak changes his mind about artificial intelligence and predicts
    benevolent machines

    Tom Jowitt <http://www.techweekeurope.co.uk/author/tjowitt>, June 26,
    2015, 2:32 pm
    Have Password Management Services Been Hacked To Death?
    http://www.techweekeurope.co.uk/security/password-management-hacked-171367

    The recent LastPass breach has dented users' confidence in password
    management firms
    Duncan Macrae <http://www.techweekeurope.co.uk/author/dmacrae>, June 26,
    2015, 12:54 pm

    Cisco Patches Default SSH Key Virtual Appliance Vulnerabilities
    <http://www.techweekeurope.co.uk/security/cisco-default-ssh-key-vulnerabilities-171354>

    Cisco urges firms to download fix for flaw that could allow attackers to
    gain access to systems and intercept traffic
    Steve McCaskill <http://www.techweekeurope.co.uk/author/smccaskill>, June
    26, 2015, 12:46 pm

    Sophos IPO Values UK Security Firm at 1-billion pounds
    http://www.techweekeurope.co.uk/security/sophos-ipo-security-london-171342
    Eugene Kaspersky: Internet Of Things? More Like The Internet Of Threats
    <http://www.techweekeurope.co.uk/networks/internet-of-things-security-kaspersky-171187>

    Security icon sounds dire warning over the security of the Internet of
    Things
    Michael Moore <http://www.techweekeurope.co.uk/author/mmoore>, June 25,
    2015, 1:53 pm

    ------------------------------

    Date: Tue, 30 Jun 2015 17:37:00 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: *The Washington Post* to Deploy More Secure HTTPS Across Site

    [Now if they'd only fix site navigation and search, it would be worthwhile
    visiting...]

    Washington, DC -- *The Washington Post* said on Tuesday it will become the
    first major news publisher to deploy HTTPS, an Internet protocol that
    encrypts data exchanged between browsers and websites, across both its
    desktop and mobile sites. The company said the move will give site visitors
    the same level of privacy and security as when they conduct e-commerce or
    online banking. "We will be able to offer our more than 50 million readers
    per month the peace of mind in knowing that their privacy and reading habits
    are protected when they are on our site," said CIO Shailesh Prakash. The
    Post's homepage, National Security section and The Switch technology policy
    blog will be the first to move to HTTPS, with the rest of the site migrating
    in the coming months.
    https://www.washingtonpost.com/pr/w...first-major-news-publisher-to-secure-website/

    Gabriel Goldberg, Computers and Publishing, Inc. ga...@gabegold.com
    3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433

    ------------------------------

    Date: Sun, 28 Jun 2015 16:42:52 +0200
    From: Werner U <wer...@gmail.com>
    Subject: WiFi Offloading is Skyrocketing

    [ smurfed from SlashDot -- why in RISKS ? do read the comments... :-]

    dkatana <http://mobile.slashdot.org/%7Edkatana> wrote on 25 Jun 2015
    <http://mobile.slashdot.org/story/15/06/25/2157218/wifi-offloading-is-skyrocketing>

    WiFi Offloading is skyrocketing. This is the conclusion of a new report from
    Juniper Research, which points out that the amount of smartphone and tablet
    data traffic on WiFi networks will increase to more than 115,000
    petabytes by 2019, compared to under 30,000 petabytes this year,
    representing almost a four-fold increase. Most of this data is offloaded to
    consumer's WiFi by the carriers, offering the possibility to share your home
    Internet connection in exchange for "free" hotspots. [...] the growing
    number of WiFi devices using unlicensed bands is seriously affecting network
    efficiency. Capacity is compromised by the number of simultaneously active
    devices, with transmission speeds dropping as much as 20% of the nominal
    value. With the number of IoT and M2M applications using WiFi continuously
    rising, that could become a serious problem soon."

    ------------------------------

    Date: Mon, 29 Jun 2015 13:17:48 -0700
    From: Mark Thorson <e...@sonic.net>
    Subject: The sharp elbows of driverless cars

    Google's driverless car cut off Delphi's driverless car in Mountain View.
    No collision occurred.

    http://www.theguardian.com/technology/2015/jun/26/google-delphi-two-self-driving-cars-near-miss

    ------------------------------

    Date: Tue, 30 Jun 2015 09:24:06 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Sad day for developers: SCOTUS denies Google's appeal on APIs"
    (Simon Phipps)

    Simon Phipps, InfoWorld, 29 Jun 2015
    Supreme Court's decision is bad news for developers targeting the
    U.S. market, who will now have to avoid any API not explicitly licensed as open
    InfoWorld Tech Watch
    http://www.infoworld.com/article/2941103/java/scotus-denies-google-appeal-on-apis.html

    opening text:

    In an unsurprising ruling today, the Supreme Court balanced a little of the
    good it did last week by denying Google's appeal against Oracle in the
    matter of the copyrightability of APIs. The case will now be returned to the
    lower courts to hear Google's fair use defenses.

    While the decision was foreshadowed by the amicus brief delivered by the
    Solicitor General a month ago, it's still bad news for 21st century
    developers and open communities. Denying the appeal gives corporations with
    a 20th century mindset the ability to require permission from developers
    seeking to innovate on top of their platforms. Instead of being able to just
    assume that use -- especially re-implementation -- of an API is OK,
    developers will now need to avoid any API that is not explicitly licensed as
    open.

    ------------------------------

    Date: Tue, 30 Jun 2015 09:27:00 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Microsoft quietly pushes 17 new trusted root certificates to
    all Windows systems" (Woody Leonhard)

    Woody Leonhard, InfoWorld, 29 Jun 2015
    The aging foundation of Certificate Authorities shows yet another
    crack as security experts are caught unaware
    http://www.infoworld.com/article/29...root-certificates-to-all-windows-systems.html

    opening text:

    Microsoft is under no obligation to notify you or ask your permission before
    placing a new trusted root certificate on your Windows PC. That said, just
    last year Microsoft was caught in the embarrassing position of yanking 45
    bogus certificates issued under the root certificate authority of the
    government of India's Controller of Certifying Authorities. Transparency in
    distributing new trusted root certs is a good thing.

    A certificate expert who goes by the Twitter handle @hexatomium said in an
    article on GitHub over the weekend that Microsoft started pushing the new
    trusted root certificates earlier this month to "all supported Windows
    systems." It isn't clear how the root certs were pushed, but he does say
    Microsoft "did not announce this change in any KB article or advisory."

    ------------------------------

    Date: Tue, 30 Jun 2015 09:37:28 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Tap your iPad to order: Restaurant automation nobody needs"
    (Galen Gruman)

    Galen Gruman, InfoWorld, 30 Jun 2015
    Self-checkout comes to the food court, with the same mixed experience
    as at any self-checkout terminal
    http://www.infoworld.com/article/29...order-restaurant-automation-nobody-needs.html

    opening text:

    OTG, one of those companies that manages restaurants at airports, is very
    proud of its iPad deployment at Newark Liberty International Airport in New
    Jersey. More than 1,000 iPad Airs are in use at restaurant tables in the
    airport's food courts, letting travelers order food directly and pay on the
    spot -- no need to wait for a server to take your order or to process your
    payment.

    I had a chance to check out this deployment on a recent trip, and I'm not
    sure OTG's pride is warranted. As we've seen in other automation efforts,
    such as those self-checkout stands at supermarkets and home-improvement
    stores, the reality is not as smooth as the promise. And the goal remains
    to remove human labor on the vendor side and have the customer pick up at
    least some of that work.

    Gene's Comments: 1) Look at the failure modes in the article. This is
    something that is not ready for general use. 2) Me pick up some of the
    work? This clashes with the fact that, when I go out, I typically want to
    be pampered a bit.

    ------------------------------

    Date: Sun, 28 Jun 2015 13:33:15 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Automation dependency: Children of the Magenta

    FYI -- "Semi-autonomous" cars are here today, so it is appropriate to
    revisit what can go wrong due to "automation dependency".

    Roman Mars's 31-minute podcast episode from "99% Invisible" discusses
    "Children of the Magenta", who are airline pilots who become such slaves to
    their autopilots that they allow their normal piloting skills to
    deteriorate.

    The real problem with the crash of Air France 447 wasn't the fact that its
    air speed sensor failed, but the inability of these "Children of the
    Magenta" pilots to respond.

    "What's It Doing Now": The user has no good model of what the autopilot is
    trying to do, but instead of simply disconnecting it, the pilot tries to
    "understand" the autopilot. An emergency situation is no place to be
    debugging your mental model of the autopilot.

    The excellent video in which the phrase "Children of the Magenta" first
    originated:

    1997 AA presentation about the Levels of Flight Deck Automation and how to
    keep out of trouble

    http://99percentinvisible.org/episode/children-of-the-magenta-automation-paradox-pt-1/

    http://www.podtrac.com/pts/redirect...n-of-the-Magenta-Automation-Paradox-pt.-1.mp3

    Episode 170: Children of the Magenta (Automation Paradox, pt. 1)

    Roman Mars, 23 Jun 2015

    On the evening of 31 May 2009, 216 passengers, three pilots, and nine
    flight attendants boarded an Airbus 330 in Rio de Janeiro. This flight, Air
    France 447, was headed across the Atlantic to Paris. The take-off was
    unremarkable. The plane reached a cruising altitude of 35,000 feet. The
    passengers read and watched movies and slept. Everything proceeded normally
    for several hours. Then, with no communication to the ground or air traffic
    control, flight 447 suddenly disappeared.

    Days later, several bodies and some pieces of the plane were found floating
    in the Atlantic Ocean. But it would be two more years before most of the
    wreckage was recovered from the ocean's depths. All 228 people on board had
    died. The cockpit voice recorder and the flight data recorders, however,
    were intact, and these recordings told a story about how Flight 447 ended up
    in the bottom of the Atlantic.

    The story they told was about what happened when the automated system
    flying the plane suddenly shut off, and the pilots were left surprised,
    confused, and ultimately unable to fly their own plane.

    [Long item -- just part one of two -- truncated for RISKS. PGN]

    ------------------------------

    Date: Fri, 26 Jun 2015 23:19:23 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: The Future of Car Keys? Smartphone Apps, Maybe

    http://www.nytimes.com/2015/06/26/a...future-of-car-keys-smartphone-apps-maybe.html

    Apps are increasingly performing the functions of keys, but experts say
    there are still kinks to be worked out before, and if, physical keys become
    extinct.

    ------------------------------

    Date: Sun, 28 Jun 2015 13:32:53 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: ISIS and the Lonely Young American

    http://www.nytimes.com/2015/06/28/world/americas/isis-online-recruiting-american.html

    For months, Alex had been growing closer to a new group of friends online --
    the kindest she had ever had -- who were teaching her what it meant to be a
    Muslim.

    ------------------------------

    Date: 30 Jun 2015 16:51:23 -0400
    From: "Bob Frankston" <bob19...@bobf.frankston.com>
    Subject: Leap second problem

    Rather than write something long, I'll point out that the function

    new timeSpan(2 Minutes).Seconds

    cannot be implemented -- yet is in many libraries. Cannot, as in cannot by
    definition.

    There is no reason to break that function just because there are
    applications which need a more precise calculation relative to the rotation
    of the earth. Any programmer should know how to maintain a separate
    correction factor for those applications.

    So why break a fundamental function like a time span calculation for the
    rare applications that need the extra precision?

    Yes, I know that in 10,000 years it may matter but I have faith in our
    ability to program around it by then - most likely by an approach like time
    zones in which we simply create a standard correction factor for alarm
    clocks.

    http://Frankston.com
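
    Bob Frankston's point, made concrete in an added example written for this
    page (it is not his code, nor any library's): the same calendar span is 120
    seconds almost everywhere and 121 seconds across the leap second inserted at
    the end of 30 June 2015, and a timestamp that reads 23:59:60 is rejected
    outright by datetime.strptime, which is how logging and database code fails
    at that instant. The two-entry leap-second table is a partial, hand-written
    assumption; real code must load the current IERS Bulletin C list rather than
    hard-code it.

```python
from datetime import date, datetime, time, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Days whose final minute contained a 23:59:60 second. Partial table, an
# assumption for this example: the full list (and future additions) comes
# from the IERS Bulletin C and must be refreshed, not hard-coded.
LEAP_SECOND_DAYS = (date(2012, 6, 30), date(2015, 6, 30))


def _midnight_after(day):
    """The UTC instant 00:00:00 of the day following `day`."""
    return datetime.combine(day + timedelta(days=1), time(0), tzinfo=timezone.utc)


def utc_to_si(dt):
    """SI seconds elapsed from the epoch to the UTC instant `dt`, counting
    every leap second inserted before `dt` (i.e. TAI minus a constant)."""
    leaps = sum(1 for day in LEAP_SECOND_DAYS if _midnight_after(day) <= dt)
    return int((dt - EPOCH).total_seconds()) + leaps


def parse_utc_to_si(stamp):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' to SI seconds, accepting SS == 60 only at
    23:59 on a listed leap-second day. Any other ':60' is a bogus timestamp."""
    if len(stamp) != 20 or stamp[19] != "Z":
        raise ValueError(f"expected YYYY-MM-DDTHH:MM:SSZ, got {stamp!r}")
    minute = datetime.strptime(stamp[:16], "%Y-%m-%dT%H:%M").replace(tzinfo=timezone.utc)
    second = int(stamp[17:19])
    if second == 60:
        if minute.time() != time(23, 59) or minute.date() not in LEAP_SECOND_DAYS:
            raise ValueError(f"{stamp}: 23:59:60 only exists on a leap-second day")
        # The leap second is the slot just before the next midnight.
        return utc_to_si(_midnight_after(minute.date())) - 1
    if not 0 <= second <= 59:
        raise ValueError(f"{stamp}: second out of range")
    return utc_to_si(minute + timedelta(seconds=second))


def naive_elapsed_seconds(start_stamp, end_stamp):
    """What most libraries return: parse with strptime and subtract. Every
    day is 86400 s long, and a ':60' timestamp raises ValueError."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    start = datetime.strptime(start_stamp, fmt)
    end = datetime.strptime(end_stamp, fmt)
    return int((end - start).total_seconds())


def elapsed_si_seconds(start_stamp, end_stamp):
    """Seconds that actually ticked between the two instants."""
    return parse_utc_to_si(end_stamp) - parse_utc_to_si(start_stamp)


if __name__ == "__main__":
    a, b = "2015-06-30T23:59:00Z", "2015-07-01T00:01:00Z"
    print("calendar says", naive_elapsed_seconds(a, b), "s; the clock ticked",
          elapsed_si_seconds(a, b), "s")
    try:
        naive_elapsed_seconds("2015-06-30T23:59:59Z", "2015-06-30T23:59:60Z")
    except ValueError as err:
        print("strptime on the leap second itself:", err)
```

    The one design choice here is utc_to_si: mapping UTC instants onto a scale
    that simply counts SI seconds is the "separate correction factor" approach,
    and arithmetic on that scale is trivially right. Everything hard lives in
    keeping the table current and in deciding how to label the 23:59:60 slot,
    which is exactly where the systems in the next item break.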

    ------------------------------

    Date: Mon, 29 Jun 2015 16:51:37 -0700
    From: Mark Thorson <e...@sonic.net>
    Subject: Growing opposition to the Leap Second

    More calls to abolish the Leap Second because it's alleged to cause problems
    for computers.

    http://the-japan-news.com/news/article/0002230145

    I'm reminded of all those planes that fell out of the sky
    when the date rolled over from 1999 to 2000. [!]

    ------------------------------

    Date: Mon, 29 Jun 2015 18:21:29 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: California mandatory vaccination harbinger of anti-virus software?

    FYI -- Whatever you may think of anti-vaxxers, the exact same arguments will
    be made to *require* "anti-virus" programs on your computers in order to
    connect to the Internet. Of course, since we know that
    NSA/GCHQ/*insert-your-favorite-spy-or-cybercriminal-name-here* put a very
    high priority on hacking anti-virus programs, these "vaccination" laws will
    -- in effect -- *require* the installation of a *back door* onto your
    computer. GAME OVER!

    http://www.theguardian.com/us-news/2015/jun/29/california-vaccine-bill-jerry-brown

    California mandatory vaccination bill heads to governor's desk

    Jerry Brown has not said if he will sign measure which would ban `personal
    belief' exemptions for vaccinating schoolchildren in wake of measles
    outbreak

    Rory Carroll, 29 June 2015

    The California legislature has passed a bill mandating vaccinations for
    children in public schools, moving the spotlight to Governor Jerry Brown,
    who must now decide whether to sign into law one of the strictest
    vaccination regimes in the United States.

    The senate in Sacramento passed a final vote on Monday to ban exemptions
    from state immunization laws based on religious or other personal beliefs, a
    contentious measure taken months after a measles outbreak at Disneyland
    infected more than 150 people in the US and Mexico.

    The law would require nearly all public schoolchildren to be vaccinated
    against diseases including measles and whooping cough, with exemptions only
    for children with serious health issues. Other unvaccinated children would
    need to be homeschooled.

    ------------------------------

    Date: Sat, 27 Jun 2015 11:02:37 +0100
    From: Martyn Thomas <mar...@thomas-associates.co.uk>
    Subject: Analyses of root causes

    Can anyone give me a link to any published analyses that identify the most
    common underlying errors in software (or systems) engineering that have led
    to exploitable security vulnerabilities or to safety-related failures?

    [Martyn, Try the NIST National Vulnerability Database, with CVE
    Vulnerabilities and lots more. PGN]

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
    if possible and convenient for you. The mailman Web interface can
    be used directly to subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks
    Alternatively, to subscribe or unsubscribe via e-mail to mailman
    your FROM: address, send a message to
    risks-...@csl.sri.com
    containing only the one-word text subscribe or unsubscribe. You may
    also specify a different receiving address: subscribe address= ... .
    You may short-circuit that process by sending directly to either
    risks-s...@csl.sri.com or risks-un...@csl.sri.com
    depending on which action is to be taken.

    Subscription and unsubscription requests require that you reply to a
    confirmation message sent to the subscribing mail address. Instructions
    are included in the confirmation message. Each issue of RISKS that you
    receive contains information on how to post, unsubscribe, etc.

    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines.

    => .UK users may contact <Lindsay....@newcastle.ac.uk>.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you NEVER send mail!
    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
    *** NOTE: Including the string `notsp' at the beginning or end of the subject
    *** line will be very helpful in separating real contributions from spam.
    *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
    http://www.risks.org takes you to Lindsay Marshall's searchable archive at
    newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 28.74
    ************************
     
  18. LakeGator
    Risks Digest 28.75

    RISKS List Owner

    Jul 7, 2015 9:51 AM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 7 July 2015 Volume 28 : Issue 75

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.75.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Keys Under Doormats: Mandating insecurity by requiring government
    access to all data and communications (multiple authors)
    David Cameron: Twitter and Facebook privacy is unsustainable (Politics)
    Cameron reaffirms there will be no "safe spaces" from UK snooping (Ars)
    Kenya to require users of Wi-Fi to register with government (Ars Technica)
    "Terrorism, the Internet, and Google" (Lauren Weinstein)
    Hacking Team responds to data breach, issues public threats and denials
    (Steve Ragan)
    'Digital amnesia' on the rise as we outsource our memory to the Web
    (Science Alert via Lauren Weinstein)
    Mac OS Malware Exploits MacKeeper (BAE Systems via Werner U)
    Windows 10 will share your Wi-Fi key with your friends' friends
    (The Register)
    DVD drive in PC fire hazard (mctaylor)
    Embracing the Internet of Things Means Managing Privacy Risks With Care
    (HuffPost)
    Russian parliament adopts law forcing search engines to remove search
    results upon request (USNews)
    Researcher Who Reported E-voting Vulnerability Targeted by Police Raid
    in Argentina (Slashdot)
    Harvard announces data breach (The Boston Globe)
    Cisco leaves its Unified CDM software open to hackers (ComputerWorld)
    New MOOC: MediaLIT: Overcoming Information Overload (Dan Gillmor)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 07 Jul 2015 9:00:00 EDT
    From: Danny Weitzner <djwei...@csail.mit.edu>
    Subject: Keys Under Doormats: Mandating insecurity by requiring government
    access to all data and communications

    Keys Under Doormats: Mandating insecurity by requiring government access
    to all data and communications

    Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh,
    Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green,
    Peter G. Neumann, Susan Landau, Ronald L. Rivest, Jeffrey I. Schiller,
    Bruce Schneier, Michael Specter, Daniel J. Weitzner

    http://dspace.mit.edu/handle/1721.1/97690

    Abstract

    Twenty years ago, law enforcement organizations lobbied to require data and
    communication services to engineer their products to guarantee law
    enforcement access to all data. After lengthy debate and vigorous
    predictions of enforcement channels going dark, these attempts to regulate
    the emerging Internet were abandoned. In the intervening years, innovation
    on the Internet flourished, and law enforcement agencies found new and more
    effective means of accessing vastly larger quantities of data. Today we are
    again hearing calls for regulation to mandate the provision of exceptional
    access mechanisms. In this report, a group of computer scientists and
    security experts, many of whom participated in a 1997 study of these same
    topics, has convened to explore the likely effects of imposing extraordinary
    access mandates. We have found that the damage that could be caused by law
    enforcement exceptional access requirements would be even greater today than
    it would have been 20 years ago. In the wake of the growing economic and
    social cost of the fundamental insecurity of today's Internet environment,
    any proposals that alter the security dynamics online should be approached
    with caution. Exceptional access would force Internet system developers to
    reverse forward secrecy design practices that seek to minimize the impact on
    user privacy when systems are breached. The complexity of today's Internet
    environment, with millions of apps and globally connected services, means
    that new law enforcement requirements are likely to introduce unanticipated,
    hard to detect security flaws. Beyond these and other technical
    vulnerabilities, the prospect of globally deployed exceptional access
    systems raises difficult problems about how such an environment would be
    governed and how to ensure that such systems would respect human rights and
    the rule of law.

    Executive Summary

    Political and law enforcement leaders in the United States and the United
    Kingdom have called for Internet systems to be redesigned to ensure
    government access to information -- even encrypted information. They argue
    that the growing use of encryption will neutralize their investigative
    capabilities. They propose that data storage and communications systems
    must be designed for exceptional access by law enforcement agencies. These
    proposals are unworkable in practice, raise enormous legal and ethical
    questions, and would undo progress on security at a time when Internet
    vulnerabilities are causing extreme economic harm.

    As computer scientists with extensive security and systems experience, we
    believe that law enforcement has failed to account for the risks inherent in
    exceptional access systems. Based on our considerable expertise in
    real-world applications, we know that such risks lurk in the technical
    details. In this report we examine whether it is technically and
    operationally feasible to meet law enforcement's call for exceptional access
    without causing large-scale security vulnerabilities. We take no issue here
    with law enforcement's desire to execute lawful surveillance orders when
    they meet the requirements of human rights and the rule of law. Our strong
    recommendation is that anyone proposing regulations should first present
    concrete technical requirements, which industry, academics, and the public
    can analyze for technical weaknesses and for hidden costs.

    Many of us worked together in 1997 in response to a similar but narrower and
    better-defined proposal called the Clipper Chip [1]. The Clipper proposal
    sought to have all strong encryption systems retain a copy of keys necessary
    to decrypt information with a trusted third party who would turn over keys
    to law enforcement upon proper legal authorization. We found at that time
    that it was beyond the technical state of the art to build key escrow
    systems at scale. Governments kept pressing for key escrow, but Internet
    firms successfully resisted on the grounds of the enormous expense, the
    governance issues, and the risk. The Clipper Chip was eventually
    abandoned. A much more narrow set of law enforcement access requirements
    have been imposed, but only on regulated telecommunications systems. Still,
    in a small but troubling number of cases, weaknesses related to these
    requirements have emerged and been exploited by state actors and others.
    Those problems would have been worse had key escrow been widely deployed.
    And if all information applications had had to be designed and certified for
    exceptional access, it is doubtful that companies like Facebook and Twitter
    would even exist. Another important lesson from the 1990's is that the
    decline in surveillance capacity predicted by law enforcement 20 years ago
    did not happen. Indeed, in 1992, the FBI's Advanced Telephony Unit warned
    that within three years Title III wiretaps would be useless: no more than
    40% would be intelligible and that in the worst case all might be rendered
    useless [2]. The world did not "go dark." On the contrary, law enforcement
    has much better and more effective surveillance capabilities now than it did
    then.

    The goal of this report is to similarly analyze the newly proposed
    requirement of exceptional access to communications in today's more complex,
    global information infrastructure. We find that it would pose far more
    grave security risks, imperil innovation, and raise thorny issues for human
    rights and international relations.

    There are three general problems. First, providing exceptional access to
    communications would force a U-turn from the best practices now being
    deployed to make the Internet more secure. These practices include forward
    secrecy -- where decryption keys are deleted immediately after use, so that
    stealing the encryption key used by a communications server would not
    compromise earlier or later communications. A related technique,
    authenticated encryption, uses the same temporary key to guarantee
    confidentiality and to verify that the message has not been forged or
    tampered with.

    Second, building in exceptional access would substantially increase system
    complexity. Security researchers inside and outside government agree that
    complexity is the enemy of security -- every new feature can interact with
    others to create vulnerabilities. To achieve widespread exceptional
    access, new technology features would have to be deployed and tested with
    literally hundreds of thousands of developers all around the world. This is
    a far more complex environment than the electronic surveillance now deployed
    in telecommunications and Internet access services, which tend to use
    similar technologies and are more likely to have the resources to manage
    vulnerabilities that may arise from new features. Features to permit law
    enforcement exceptional access across a wide range of Internet and mobile
    computing applications could be particularly problematic because their
    typical use would be surreptitious -- making security testing difficult and
    less effective.

    Third, exceptional access would create concentrated targets that could
    attract bad actors. Security credentials that unlock the data would have to
    be retained by the platform provider, law enforcement agencies, or some
    other trusted third party. If law enforcement's keys guaranteed access to
    everything, an attacker who gained access to these keys would enjoy the same
    privilege. Moreover, law enforcement's stated need for rapid access to data
    would make it impractical to store keys offline or split keys among multiple
    keyholders, as security engineers would normally do with extremely
    high-value credentials. Recent attacks on the United States Government
    Office of Personnel Management (OPM) show how much harm can arise when many
    organizations rely on a single institution that itself has security
    vulnerabilities. In the case of OPM, numerous federal agencies lost
    sensitive data because OPM had insecure infrastructure. If service
    providers implement exceptional access requirements incorrectly, the
    security of all of their users will be at risk.

    Our analysis applies not just to systems providing access to encrypted data
    but also to systems providing access directly to plaintext. For example,
    law enforcement has called for social networks to allow automated, rapid
    access to their data. A law enforcement backdoor into a social network is
    also a vulnerability open to attack and abuse. Indeed, Google's database of
    surveillance targets was surveilled by Chinese agents who hacked into its
    systems, presumably for counterintelligence purposes [3].

    The greatest impediment to exceptional access may be jurisdiction. Building
    in exceptional access would be risky enough even if only one law enforcement
    agency in the world had it. But this is not only a US issue. The UK
    government promises legislation this fall to compel communications service
    providers, including US-based corporations, to grant access to UK law
    enforcement agencies, and other countries would certainly follow suit.
    China has already intimated that it may require exceptional access. If a
    British-based developer deploys a messaging application used by citizens of
    China, must it provide exceptional access to Chinese law enforcement? Which
    countries have sufficient respect for the rule of law to participate in an
    international exceptional access framework? How would such determinations
    be made? How would timely approvals be given for the millions of new
    products with communications capabilities? And how would this new
    surveillance ecosystem be funded and supervised? The US and UK governments
    have fought long and hard to keep the governance of the Internet open, in
    the face of demands from authoritarian countries that it be brought under
    state control. Does not the push for exceptional access represent a
    breathtaking policy reversal?

    The need to grapple with these legal and policy concerns could move the
    Internet overnight from its current open and entrepreneurial model to
    becoming a highly regulated industry. Tackling these questions requires
    more than our technical expertise as computer scientists, but they must be
    answered before anyone can embark on the technical design of an exceptional
    access system.

    In the body of this report, we seek to set the basis for the needed debate by
    presenting the historical background to exceptional access, summarizing law
    enforcement demands as we understand them, and then discussing them in the
    context of the two most popular and rapidly growing types of platform: a
    messaging service and a personal electronic device such as a smartphone or
    tablet. Finally, we set out in detail the questions for which policymakers
    should require answers if the demand for exceptional access is to be taken
    seriously. Absent a concrete technical proposal, and without adequate
    answers to the questions raised in this report, legislators should reject
    out of hand any proposal to return to the failed cryptography control policy
    of the 1990s.


    The full technical report MIT-CSAIL-TR-2015-026 including the references
    noted above is available at
    http://dspace.mit.edu/handle/1721.1/97690

    [Please read the entire report. It is very important.
    See also Nicole Perlroth's blog item on The New York Times website:
    http://www.nytimes.com/2015/07/08/t...o-encrypted-communication.html?ref=technology
    PGN]
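
    The two practices the report's first point names, forward secrecy and
    authenticated encryption, as an added example that is not part of the MIT
    report or of this digest. It uses a symmetric KDF chain (the construction
    behind Signal-style ratchets) so that each message gets its own temporary
    key and the chain state is overwritten afterwards; the cipher is a toy built
    only from HMAC-SHA256, and os.urandom stands in for the (EC)DH handshake
    that would supply the root key in a real system. All names and sample
    messages are constructed for the example.

```python
"""Forward secrecy from per-message keys, plus authenticated encryption.

Added example, not from the MIT report or from RISKS. A symmetric KDF chain
(as in Signal-style ratchets) derives one temporary key per message and then
overwrites the chain state, so a key stolen later cannot unlock earlier
traffic. The cipher is a toy: HMAC-SHA256 as a counter-mode keystream plus an
HMAC tag, both keyed from the same per-message key. Real systems use AES-GCM
or ChaCha20-Poly1305, and an (EC)DH handshake supplies the root key that
os.urandom stands in for here.
"""
import hashlib
import hmac
import os

def _prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 is the only primitive: it drives the chain, cipher and tag."""
    return hmac.new(key, data, hashlib.sha256).digest()

def kdf_chain_step(chain_key: bytes) -> tuple:
    """One-way step: (next chain key, this message's key). SHA-256 cannot be
    run backwards, so the next chain key reveals neither of this step's outputs."""
    return _prf(chain_key, b"\x02"), _prf(chain_key, b"\x01")

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from the PRF (toy cipher for the demonstration)."""
    blocks = [_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def aead_encrypt(message_key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC: confidentiality and integrity from one temporary key."""
    enc_key, mac_key = _prf(message_key, b"enc"), _prf(message_key, b"mac")
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ciphertext + _prf(mac_key, aad + nonce + ciphertext)

def aead_decrypt(message_key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any change."""
    enc_key, mac_key = _prf(message_key, b"enc"), _prf(message_key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(_prf(mac_key, aad + nonce + ciphertext), tag):
        raise ValueError("authentication failed: message forged or tampered")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

class ChainEndpoint:
    """One side of a conversation; both sides start from the same root key."""
    def __init__(self, root_key: bytes):
        self.chain_key, self.index = root_key, 0

    def next_message_key(self) -> tuple:
        """Advance the chain; the old chain key is overwritten, i.e. deleted."""
        self.chain_key, message_key = kdf_chain_step(self.chain_key)
        self.index += 1
        return self.index, message_key

def send(endpoint: ChainEndpoint, plaintext: bytes) -> tuple:
    index, message_key = endpoint.next_message_key()
    blob = aead_encrypt(message_key, plaintext, index.to_bytes(4, "big"))
    del message_key  # the temporary key lives only for this call
    return index, blob

def receive(endpoint: ChainEndpoint, index: int, blob: bytes) -> bytes:
    expected, message_key = endpoint.next_message_key()
    if expected != index:
        raise ValueError("this demo assumes in-order delivery")
    try:
        return aead_decrypt(message_key, blob, index.to_bytes(4, "big"))
    finally:
        del message_key

def run_demo() -> dict:
    root = os.urandom(32)  # constructed root key; an (EC)DH handshake in practice
    alice, bob = ChainEndpoint(root), ChainEndpoint(root)
    wire = [send(alice, m) for m in (b"first", b"second", b"third")]
    received = [receive(bob, i, b) for i, b in wire]

    # Tampering: flip one ciphertext bit on a fresh chain; the receiver must reject it.
    root2 = os.urandom(32)
    carol, dave = ChainEndpoint(root2), ChainEndpoint(root2)
    idx, blob = send(carol, b"pay 10")
    forged = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]
    try:
        receive(dave, idx, forged)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    # Key theft after message 3: the thief can derive the NEXT message key...
    stolen = alice.chain_key
    idx4, blob4 = send(alice, b"fourth")
    _, thief_key = ChainEndpoint(stolen).next_message_key()
    future_readable = aead_decrypt(thief_key, blob4, idx4.to_bytes(4, "big")) == b"fourth"

    # ...but nothing derivable from the stolen state opens message 1 (forward secrecy).
    thief, past_recovered, (idx1, blob1) = ChainEndpoint(stolen), False, wire[0]
    for _ in range(16):
        _, key = thief.next_message_key()
        try:
            aead_decrypt(key, blob1, idx1.to_bytes(4, "big"))
            past_recovered = True
        except ValueError:
            pass
    return {"received": received, "tamper_rejected": tamper_rejected,
            "future_readable": future_readable, "past_recovered": past_recovered}
```

    The last two checks carry the caveat worth remembering: a purely symmetric
    chain gives forward secrecy (the past stays sealed once the keys are
    deleted) but not post-compromise security (the thief reads the next
    message), which is why deployed protocols also mix fresh Diffie-Hellman
    values into the chain. The report's point stands either way: an escrowed
    long-term key that must decrypt everything is exactly what this design
    exists to avoid having.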

    ------------------------------

    Date: Wed, 1 Jul 2015 14:33:23 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: David Cameron: Twitter and Facebook privacy is unsustainable

    Politics via NNSquad, 30 Jun 2015
    http://www.politics.co.uk/news/2015...twitter-and-facebook-privacy-is-unsustainable

    The absolute privacy of Facebook and Twitter users can no longer be
    tolerated in the face of international terror, David Cameron suggested
    yesterday. Tory MP Henry Bellingham asked the prime minister whether the
    attacks in Tunisia meant it was time "companies such as Google, Facebook
    and Twitter... understand that their current privacy policies are
    completely unsustainable?" Cameron agreed, saying that the security
    services must always be able to "get to the bottom" of online
    communications.

    [Also, David Cameron wants to ban encryption in Britain, Business Insider
    http://www.businessinsider.com.au/david-cameron-encryption-back-doors-iphone-whatsapp-2015-7
    PGN]

    ------------------------------

    Date: Thu, 2 Jul 2015 13:43:23 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Cameron reaffirms there will be no "safe spaces" from UK snooping

    Ars Technica via NNSquad
    http://arstechnica.co.uk/tech-polic...e-no-safe-spaces-from-uk-government-snooping/

    David Cameron was replying in the House of Commons on Monday to a question
    from the Conservative MP David Bellingham, who asked him whether he agreed
    that the "time has come for companies such as Google, Facebook and Twitter
    to accept and understand that their current privacy policies are
    completely unsustainable?" To which Cameron replied: "we must look at all
    the new media being produced and ensure that, in every case, we are able,
    in extremis and on the signature of a warrant, to get to the bottom of
    what is going on."

    ------------------------------

    Date: Wed, 1 Jul 2015 08:25:28 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Kenya to require users of Wi-Fi to register with government (Ars)

    Ars Technica via NNSquad
    http://arstechnica.com/tech-policy/...e-users-of-wi-fi-to-register-with-government/

    Yesterday, in a speech before the annual general meeting of the
    Association of Regulators of Information and Communications for Eastern
    and Southern Africa (ARICEA), Wangusi said, "We will license KENIC to
    register device owners using their national identity cards and telephone
    numbers. The identity of a device will be known when it connects to
    Wi-Fi." He also said that the Communications Authority would set up a
    forensics laboratory within three months to "proactively monitor impending
    cybersecurity attacks, detect reactive cybercrime, and link up with the
    judiciary in the fight," according to a report from Kenya's Daily Nation.
    The registry will enable Kenyan authorities to "be able to trace people
    using national identity cards that were registered and their phone numbers
    keyed in during registration" if the devices are associated with criminal
    activity on the Internet, Wangusi said. The regulation would apply to
    anyone connecting to a public Wi-Fi network. KENIC would maintain the
    database of devices; anyone connecting to a public network at a hotel,
    cafe, or other business would be required to register before accessing
    it. If businesses providing Wi-Fi fail to comply with the regulation, they
    could have their Internet services cut off. Additionally, Wangusi
    announced that all Kenyan businesses will be required to host their
    websites within Kenya, purportedly to "avoid extra costs associated with
    sending data out to a different location and back again to the website
    owner," reported Daily Nation's Lilian Ochieng. Kenya has just taken over
    the chair of ARICEA, which coordinates Internet and telecommunications
    policy across the members of the Common Market for Eastern and Southern
    Africa (COMESA). That puts Wangusi and the Communication Authority of
    Kenya in a position to press for similar Internet regulations in the other
    20 member states in Africa's free trade area, which spans from Libya to
    Namibia.

    Looks like the real purpose is to try to ensure political control to attack
    anyone who disagrees with the current government.

    ------------------------------

    Date: Tue, 30 Jun 2015 15:03:51 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Lauren's Blog: "Terrorism, the Internet, and Google"

    Terrorism, the Internet, and Google
    http://lauren.vortex.com/archive/001111.html

    For those of us involved in the early days of the Internet's creation and
    growth, it would at the time have seemed inconceivable that decades later
    the topic of this post would need to be typed. I think it's fair to say that
    none of us -- certainly not yours truly -- ever imagined that the fruits of
    our labors would one day become a crucial tool for terrorists.

    That day has nonetheless arrived, and it thrusts us directly into what
    arguably is the single most critical issue facing the Internet and Web today
    -- what to do about the commandeering of social media by the likes of ISIL
    (aka ISIS, or IS, or Daesh) and other terrorist groups.

    As we've discussed in the past, governments around the world are already
    using the highly visible Internet presence of these criminal terrorist
    organizations as excuses to call for broad Internet censorship powers,
    and for "backdoors" into encryption systems that would be devastating
    for both privacy and security worldwide.

    Yet it's the horrific terrorist "recruitment" videos that have quite
    understandably received the bulk of public attention, and they create a
    complex dilemma for advocates of free speech such as myself.

    We know that free speech is not without limits -- the "yelling fire in a
    crowded theater" case being the canonical example.

    How and where should we draw the lines on the Web?

    Let's begin with a fundamental fact that is all too often ignored or
    misrepresented. When a firm like Google -- or any other organization outside
    of government -- decides it does not want to host or encourage any given
    type of material, this is not censorship.

    Just as book publishers are not obligated to distribute every manuscript
    offered to them, and TV networks need not buy every series pilot that
    comes their way, nongovernmental organizations and firms are free to
    determine their own editorial standards and Terms of Service.

    They need not participate in the dissemination of sexually-oriented videos,
    kitten abuse compilations ... or beheading videos produced by medieval,
    religious fanatic monsters.

    Firms are free to determine for themselves the limits of what their content
    and services will be.

    Governments -- on the other hand -- can censor. That is, they determine what
    private parties, firms, and other organizations are (at least in theory)
    permitted to produce, disseminate, or hear and view. And governments can
    back up these censorship orders with both criminal and civil penalties. They
    can throw you in shackles into a dark cell for violating their orders. Last
    time I checked, Google and other Internet firms didn't have such
    capabilities.

    So when Google's chief legal officer David Drummond, and policy director
    Victoria Grand recently spoke of the need to fight back against ISIL and
    other terrorist groups' propaganda and recruiting use of YouTube in
    particular, and urged other firms to take similar social media stances, I
    was very proud of their positions and those of Google's broader policy team.

    Even for a vocal free speech advocate such as myself, I cannot ethically
    condone the use of powerful platforms like YouTube as genocide-promoting
    social media channels by technologically skilled savages.

    This is not to suggest that drawing the lines in such cases is anything but
    vastly complicated.

    I have some significant insight into this thanks to my recent consulting to
    Google, and I can state unequivocally that the amount of emotionally
    draining, Solomonic soul-searching judgments that go into decisions
    regarding abusive content removals at Google is absolutely
    awe-inspiring. The motivated and dedicated individuals and teams involved
    deserve our unending respect.

    Even seemingly obvious cases -- like those involving ISIL -- turn out to be
    decidedly difficult when you dig into the details.

    Some governments would love to try to cleanse the entire Net of all
    references to these terror groups via broad censorship orders.

    That would be doomed to failure of course, and in fact attempts to utterly
    banish information about the utter brutality of these beasts would not at
    all serve in making sure the world clearly understands the depth of horror
    with which we're dealing.

    Yet there is vanishingly little true probative value -- and there is vast
    salacious propagandistic recruitment power -- in the display of actual
    beheadings conducted by these groups, and Google is correct to ban these as
    they have.

    A particularly disquieting corollary to this situation is the manner in
    which some of my colleagues seem unwilling or unable to appreciate the
    complexities and nuances inherent in these situations.

    Many of them have expressed anger at Google for drawing these content lines,
    arguing that YouTube users should be permitted to post whatever they want
    whenever they want, no matter the content -- even if the videos serve
    purposely and directly as vile terrorist recruiting instruments.

    Such arguments essentially attempt to equate all content and all speech as
    equal -- an appealing academic concept perhaps, but a devastatingly
    dangerous construct in the real world of today given the power and reach of
    modern social media.

    To be crystal clear about this, I'll emphasize again that decisions about
    content availability and removal in these contexts are complex, difficult,
    and not to be approached cavalierly.

    But I'm convinced that Google is doing this right, and the Web at large
    would do well to look toward Google as an example of best ethical practices
    in managing this nightmarish situation in the best interests of the global
    community at large.

    ------------------------------

    Date: Mon, 6 Jul 2015 9:53:04 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Hacking Team responds to data breach, issues public threats and
    denials (Steve Ragan)

    Steve Ragan, CSO, 5-6 Jul 2015

    On Sunday evening, someone hijacked the Hacking Team account on Twitter and
    used it to announce that the company known for developing hacking tools was
    itself a victim of a devastating hack. The hackers released a 400GB Torrent
    file with internal documents, source code, and email communications to the
    public at large. As researchers started to examine the leaked documents, the
    story developed and the public got its first real look into the inner
    workings of an exploit development firm.

    Article, Part 2, July 6
    http://www.csoonline.com/article/29...breach-issues-public-threats-and-denials.html

    Article, Part 1, July 5
    http://www.csoonline.com/article/29...ked-attackers-claim-400gb-in-dumped-data.html

    [See also a later take on this leak:
    Massive leak reveals Hacking Team's most private moments in messy detail
    Privacy and human rights advocates are having a field day picking
    through a massive leak purporting to show spyware developer Hacking
    Team's most candid moments, including documents that appear to
    contradict the company's carefully scripted PR campaign.
    http://arstechnica.com/security/201...g-teams-most-private-moments-in-messy-detail/
    PGN from LW]

    ------------------------------

    Date: Sun, 5 Jul 2015 13:31:38 -0700
    From: PRIVACY Forum mailing list <pri...@vortex.com>
    Subject: 'Digital amnesia' on the rise as we outsource our memory to the Web

    http://www.sciencealert.com/digital-amnesia-on-the-rise-as-we-outsource-our-memory-to-the-web

    But all of the convenience afforded by digital technologies and their
    capability to instantaneously provide us with answers could be taking a
    terrible toll on our own natural abilities to memorise and recall things,
    according to a new study by software firm Kaspersky Lab.

    An alternative point of view:

    "As We Age, Smartphones Don't Make Us Stupid -- They're Our Saviors":

    http://lauren.vortex.com/archive/001094.html

    ------------------------------

    Date: Wed, 1 Jul 2015 14:18:54 +0200
    From: Werner U <wer...@gmail.com>
    Subject: Mac OS Malware Exploits MacKeeper

    BAE Systems Applied Intelligence blog, 4 Jun 2015

    [ on May 6 it was reported on SlashDot ]

    *MacKeeper May Have To Pay Millions In Class-Action Suit*
    <http://apple.slashdot.org/story/15/...may-have-to-pay-millions-in-class-action-suit>

    If you use a Mac, you probably recognize MacKeeper from the omnipresent
    popup ads designed to look vaguely like system warnings urging you to
    download the product and use it to keep your computer safe. Now the
    Ukrainian company behind the software and the ads may have to pay millions
    in a class action suit that accuses them of exaggerating security problems
    in order to convince customers to download the software.
    <http://www.itworld.com/article/2919...-mackeeper-celebrates-difficult-birthday.html>

    [ it was an alert to what was reported on May 5 on ITworld ]

    *Apple security program, MacKeeper, celebrates difficult birthday*
    <https://www.itworld.com/article/291...-mackeeper-celebrates-difficult-birthday.html>

    MacKeeper, a utility and security program for Apple computers, celebrated
    its fifth birthday in April. But its gift to U.S. consumers who bought the
    application may be a slice of a $2 million class-action settlement.

    Since 2010, MacKeeper has been dogged by accusations that it exaggerates
    security threats in order to convince customers to buy. Its aggressive
    marketing has splashed MacKeeper pop-up ads all over the web. .....<snip>...

    [ then, on June 4, BAE blog-announced ]

    Mac OS Malware Exploits MacKeeper
    <https://baesystemsai.blogspot.ch/2015/06/new-mac-os-malware-exploits-mackeeper.html>
    (*Written by Sergei Shevchenko, Cyber Research*)
    (BAE Systems Applied Intelligence blog @blogspot.ch)

    Last month a new advisory <http://www.exploit-db.com/exploits/36955/> was
    published on a vulnerability discovered
    <https://twitter.com/drspringfield/status/596316000385167361> in MacKeeper,
    a controversial
    <http://www.pcworld.com/article/2919...-mackeeper-celebrates-difficult-birthday.html>
    software created by Ukrainian company ZeoBIT, now owned by Kromtech
    Alliance Corp.

    As discovered by Braden Thomas, the flaw in MacKeeper's URL handler
    implementation allows arbitrary remote code execution when a user visits a
    specially crafted webpage.

    The first reports
    <http://www.thesafemac.com/serious-mackeeper-vulnerability-found/> on this
    vulnerability suggested that no malicious MacKeeper URLs had been spotted
    in the wild yet. Well, not anymore.

    Since the proof-of-concept was published, it took just days for the first
    instances to be seen in the wild.

    The attack this post discusses can be carried out via a phishing email
    containing a malicious URL.

    Once clicked, the users running MacKeeper will be presented with a dialog
    that suggests they are infected with malware, prompting them for a password
    to remove this. The actual reason is so that the malware could be executed
    with the admin rights.

    The webpage hosted by the attackers in this particular case has the
    following format:

    <!doctype html>
    <html>
    <body>
    <script>
    window.location.href=
    'com-zeobit-command:///i/ZBAppController/performActionWithHelperTask:
    arguments:/[BASE_64_ENCODED_STUB]';
    </script>
    </body>
    </html>

    where [BASE_64_ENCODED_STUB], once decoded, contains..., and the prompt
    message displayed to the user is:

    *"Your computer has malware that needs to be removed"*

    As a result, once the unsuspecting user clicks the malicious link, the
    following dialog box will pop up:

    <snip-image-snip>

    Once the password is specified, the malware will be downloaded and executed
    (it is a 'dropper') which will dump an embedded executable and launch it.
    The dropper will ... update the *LaunchAgents* in order to enable an
    auto-start for the created executable.

    *Backdoor functionality*

    The embedded executable is a bot that allows remote access.

    It can perform the following actions: ....

    The bot collects system information such as: ...Availability of any VPN
    connections.
    ...

    *Configuration*

    The bot keeps its execution parameters in an encoded configuration (config)
    section...
    ...it parses and distinguishes a number of configuration parameters...
    ...Config parameters...are used to randomise URL parameters (demonstrated
    below)

    *Network Communications*

    The bot checks if it's connected to the Internet by...
    If not, it keeps checking in a loop until the computer goes online.

    The data transferred over the network is encrypted with ..

    The bot then constructs a blob that consists of...

    <snip-stuff-snip>

    *Conclusion*

    It's quite interesting to see how little time it took the attackers to
    weaponise a published proof-of-concept exploit code.

    One might wonder how the attackers know if the targeted users are running
    MacKeeper.

    In its press release
    <http://www.prweb.com/releases/2015/03/prweb12579604.htm>, MacKeeper
    claimed that it has surpassed 20 million downloads worldwide.

    Hence, the attackers might simply be 'spraying' their targets with the
    phishing emails hoping that some of them will have MacKeeper installed,
    thus allowing the malware to be delivered to their computers and executed.
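
    A defender's counterpart to the page format quoted above, as an added
    example that is not part of the BAE write-up or of this digest: a small
    scanner, of the kind a mail gateway or web proxy could run over HTML bodies,
    that lists every URL a page links to or navigates to and flags any whose
    scheme is not ordinary web traffic, decoding the trailing base64 argument
    for an analyst where one is present. The allowlist, the watchlist (which
    contains only the handler named in the write-up), and the sample page with
    its stand-in stub are constructed for the example; they are not taken from
    the real campaign.

```python
"""Flag web or e-mail content that navigates to a custom URL scheme.

Added example, not from the BAE write-up or from RISKS. The pattern in the
write-up is a browser being redirected to a com-zeobit-command: URL so that
MacKeeper's URL handler runs with attacker-chosen arguments. A gateway can
catch this class of page by listing every URL it points at and raising
anything whose scheme is not ordinary web traffic. The watchlist and the
sample page below are constructed for the example.
"""
import base64
import re
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https", "mailto", "ftp", ""}  # "" is a relative URL
WATCHLIST = {"com-zeobit-command"}                   # handler named in the write-up

_URL_PATTERNS = (
    # JavaScript navigation: location = '...' or location.href = '...'
    re.compile(r"""location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""),
    # ordinary href attributes
    re.compile(r"""href\s*=\s*['"]([^'"]+)['"]""", re.I),
)

def extract_urls(html: str) -> list:
    """Every distinct URL the page links to or navigates to, in document order."""
    urls = []
    for pattern in _URL_PATTERNS:
        for match in pattern.finditer(html):
            url = re.sub(r"\s+", "", match.group(1))  # rejoin a literal wrapped across lines
            if url not in urls:
                urls.append(url)
    return urls

def _encoded_argument(url: str) -> str:
    """The write-up puts the stub after 'arguments:/'; otherwise use the last path segment."""
    if "arguments:/" in url:
        return url.split("arguments:/", 1)[1]
    return url.rsplit("/", 1)[-1]

def scan_html(html: str) -> list:
    """One finding per URL whose scheme is not plain web traffic."""
    findings = []
    for url in extract_urls(html):
        scheme = urlsplit(url).scheme.lower()
        if scheme in WEB_SCHEMES:
            continue
        finding = {"url": url, "scheme": scheme, "decoded_tail": None,
                   "severity": "high" if scheme in WATCHLIST else "medium"}
        try:  # surface the encoded argument for an analyst; skip if it is not base64
            finding["decoded_tail"] = base64.b64decode(_encoded_argument(url), validate=True)
        except ValueError:
            pass
        findings.append(finding)
    return findings

# Constructed sample page in the shape shown in the write-up; the stub is a stand-in.
STUB = base64.b64encode(b"constructed stand-in for the encoded stub").decode()
SAMPLE_HTML = f"""<!doctype html>
<html><body>
<a href="https://example.com/invoice.pdf">Invoice</a>
<script>
window.location.href=
'com-zeobit-command:///i/ZBAppController/performActionWithHelperTask:
arguments:/{STUB}';
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding["severity"], finding["scheme"], finding["decoded_tail"])
```

    The scanner keys on the scheme rather than on MacKeeper specifically: any
    page that steers a browser to a scheme outside the allowlist deserves a look,
    because the underlying weakness, a registered URL handler that accepts
    arguments from whoever crafted the link, recurs across desktop applications.
    Wrapped string literals are rejoined before parsing, since the quoted page
    shows the URL split across two lines.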

    ------------------------------

    Date: Wed, 1 Jul 2015 17:03:00 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Windows 10 will share your Wi-Fi key with your friends' friends

    *The Register* via NNSquad
    http://www.theregister.co.uk/2015/06/30/windows_10_wi_fi_sense/

    In an attempt to address the security hole it has created, Microsoft
    offers a kludge of a workaround: you must add _optout to the SSID (the
    name of your network) to prevent it from working with Wi-Fi Sense. (So if
    you want to opt out of Google Maps and Wi-Fi Sense at the same time, you
    must change your SSID of, say, myhouse to myhouse_optout_nomap.
    Technology is great.) Microsoft enables Windows 10's Wi-Fi Sense by
    default, and access to password-protected networks is shared with
    contacts unless the user remembers to uncheck a box when they first
    connect. Choosing to switch it off may make it a lot less useful, but
    would make for a more secure IT environment.

    ------------------------------

    Date: Thu, 02 Jul 2015 18:17:42 +0000
    From: mctaylor <mcta...@mctaylor.com>
    Subject: DVD drive in PC fire hazard

    I was forwarded an internal advisory that discusses a potential fire hazard,
    namely with HP 6005 small form factor (SFF) desktop computers. Six cases
    (out of a large number of units in use) within the organization were
    identified where the users noticed smoke coming from inside the systems, and
    upon investigation in each case it was due to the DVD power connector (12V)
    melting.

    I thought this might be slightly novel, as it is the first case I am
    aware of, where an internal power connector posed a fire risk.

    ------------------------------

    Date: Thu, 2 Jul 2015 10:53:09 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Embracing the Internet of Things Means Managing Privacy Risks
    With Care (HuffPost)

    http://www.huffingtonpost.com/alexander-howard/embracing-the-internet-of_b_7715268.html

    Someday, perhaps we'll be able to request our data from data brokers, just
    as we do credit reports, and log onto dashboards that empower consumers
    with better privacy tools, just as they do at Google. In the meantime,
    consumers have to hope that hardware and software makers are adopting FTC
    recommendations for "privacy by design" and proceed with caution.

    ------------------------------

    Date: Fri, 3 Jul 2015 09:12:07 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Russian parliament adopts law forcing search engines to remove
    search results upon request (USNews)

    USNews via NNSquad, 3 Jul 2015
    Russian parliament adopts law forcing search engines to remove search results upon request
    http://www.usnews.com/news/business...ment-votes-to-adopt-controversial-privacy-law

    Lawmakers in the Russian parliament on Friday voted for a bill forcing
    online search engines to remove search results about a specific person at
    that person's request. The Russian State Duma voted overwhelmingly for
    the controversial law that critics say could be used to block information
    critical of the government or government officials. Though similar to one
    recently adopted by the European Union, the Russian law is more sweeping,
    extending the right of removal to public figures and information that is
    considered in the public interest. Under the new law, a person can
    request that search engines like Google remove the search results of their
    name if the information about them is "no longer relevant" without
    specifying which links they want removed.

    Yep, RTBF is the best friend of crooked politicians and tyrants. A vast
    censorship regime, using search engines as the unwilling instruments of
    its terror.

    ------------------------------

    Date: Sat, 4 Jul 2015 14:57:25 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Researcher Who Reported E-voting Vulnerability Targeted
    by Police Raid in Argentina

    Slashdot via NNSquad
    http://it.slashdot.org/story/15/07/...rability-targeted-by-police-raid-in-argentina

    Police have raided the home of an Argentinian security professional who
    discovered and reported several vulnerabilities in the electronic ballot
    system (Google translation of Spanish original) to be used next week for
    elections in the city of Buenos Aires. The vulnerabilities (exposed SSL
    keys and ways to forge ballots with multiple votes) had been reported to
    the manufacturer of the voting machines, the media, and the public about a
    week ago. There has been no arrest, but his computers and electronics
    devices have been impounded (Spanish original). Meanwhile, the
    information security community in Argentina is trying to get the media to
    report this notorious attempt to "kill the messenger."

    ------------------------------

    Date: Fri, 3 Jul 2015 23:02:12 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Harvard announces data breach

    https://www.bostonglobe.com/metro/2...data-breach/pqzk9IPWLMiCKBl3IijMUJ/story.html

    ------------------------------

    Date: Fri, 3 Jul 2015 23:20:05 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Cisco leaves its Unified CDM software open to hackers

    http://www.computerworld.com/articl...its-unified-cdm-software-open-to-hackers.html

    ------------------------------

    Date: June 26, 2015 at 5:11:25 PM EDT
    From: Dan Gillmor <d...@gillmor.com>
    Subject: New MOOC: MediaLIT: Overcoming Information Overload

    We're about to launch a massive open online course (MOOC) on media/news
    literacy in the digital age. The title is "MediaLIT: Overcoming Information
    Overload". We do that by becoming active users, not passive consumers, of
    media in a variety of ways.

    The free course runs for seven weeks beginning July 6, and features a lot of
    different material including video interviews with some of the most
    interesting people I know in the media and digital worlds. Among them are
    Jimmy Wales, Margaret Sullivan (NY Times public editor), Brian Stelter
    (CNN), Len Downie (former executive editor of the Washington Post), Lawrence
    Krauss (physicist), Baratunde Thurston (author, comedian, etc.), Amanda
    Palmer (musician and author) and many others.

    The course is a joint project of ASU Online and is running on the edX
    platform, the MOOC initiative started by Harvard and MIT.

    Here's a link to the registration page:
    https://www.edx.org/course/media-lit-overcoming-information-asux-mco425x

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
    if possible and convenient for you. The mailman Web interface can
    be used directly to subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks
    Alternatively, to subscribe or unsubscribe via e-mail to mailman
    your FROM: address, send a message to
    risks-...@csl.sri.com
    containing only the one-word text subscribe or unsubscribe. You may
    also specify a different receiving address: subscribe address= ... .
    You may short-circuit that process by sending directly to either
    risks-s...@csl.sri.com or risks-un...@csl.sri.com
    depending on which action is to be taken.

    Subscription and unsubscription requests require that you reply to a
    confirmation message sent to the subscribing mail address. Instructions
    are included in the confirmation message. Each issue of RISKS that you
    receive contains information on how to post, unsubscribe, etc.

    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines.

    => .UK users may contact <Lindsay....@newcastle.ac.uk>.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you NEVER send mail!
    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
    *** NOTE: Including the string `notsp' at the beginning or end of the subject
    *** line will be very helpful in separating real contributions from spam.
    *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
    http://www.risks.org takes you to Lindsay Marshall's searchable archive at
    newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 28.75
    ************************
     
  19. LakeGator

    Risks Digest 28.76

    RISKS List Owner

    Jul 9, 2015 1:22 AM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Wednesday 8 July 2015 Volume 28 : Issue 76

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.76.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Modal design leads to death of Marine (Steve Golson)
    Man killed by a factory robot in Germany; human error blamed (Ars via
    Richard I Cook)
    TransAsia flight: Shutdown Wrong Engine! (PGN)
    NYSE troubles predicted (Alister Wm Macintyre)
    "Technical issues" @ NYSE, UA, other places (Alister Wm Macintyre)
    United grounded (PGN)
    Is Cyber-Armageddon Upon Us? 3 Glitches Today Have Some Saying Yes
    (WiReD)
    Why back doors are a bad idea (PGN)
    More on Keys Under Doormats (PGN)
    Senate Judiciary "Going Dark" site is untrusted! (Henry Baker)
    FBI, Justice Dept. Take Encryption Concerns to Congress (Privacy)
    Hackers take over German missile battery in Turkey (Mark Thorson )
    Screen Addiction Is Taking a Toll on Children (NYTimes)
    Senior Tech: A Tablet for Aging Hands Falls Short (NYTimes)
    Facing a Selfie Election, Presidential Hopefuls Grin and Bear It (NYTimes)
    Days of Our Digital Lives (NYTimes)
    Chicago's 'cloud tax' makes Netflix and other streaming services more
    expensive (The Verge)
    Cyber "Deterrence" considered harmful & mad (Henry Baker)
    NZ Harmful Digital Communications Bill (Richard A. O'Keefe)
    Some heads-up to consider for RISKS (found at Slashdot)
    Early adopters of Apple Music find playlists, album art, and
    metadata corrupted (mike)
    "OpenSSL tells users to prepare for a high severity flaw"
    (Lucian Constantin)
    Senate advances secret plan forcing Internet services to report
    terror activity (Ars)
    Matt Bonner Blames New iPhone 6 for Injury, Poor Shooting
    (Kyle Newport)
    Re: Windows 10 will share your Wi-Fi key with your friends' friends
    (Bob Frankston)
    Leap Second Causes Sporadic Outages Across the Internet (Cade Metz)
    Re: "Leap Second Problem" and "Growing opposition to the Leap Second"
    (David E. Ross)
    Re: DVD drive in PC fire hazard (Henry Baker)
    Re: Overcoming Information Overload (Mark E. Smith)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 02 Jul 2015 10:56:39 -0400
    From: Steve Golson <sgo...@trilobyte.com>
    Subject: Modal design leads to death of Marine

    Marine Corps MV-22 Osprey tilt-rotor attempted to take off while in
    maintenance mode, which reduces power by 20%. One crew member was lost at
    sea.
    http://www.sandiegouniontribune.com/news/2015/jun/30/osprey-crash-at-sea-command-investigation/

    The aircraft controls didn't warn them they were about to take off in
    maintenance mode, nor did their flight manuals explain the dangers.

    After starting the engines, the pilots thought it odd that both hung up
    for about 15 seconds before spooling normally. They also discussed the
    fact that the exhaust deflector was set to ON instead of AUTO as
    usual. But the aircraft seemed fine otherwise, so they assumed a harmless
    software update was to blame.

    RISK 1: not knowing what mode your system is in

    RISK 2: assuming something unusual is due to "a harmless software update"

    ------------------------------

    Date: Thu, 2 Jul 2015 08:45:49 +0200
    From: Richard I Cook MD <rico...@gmail.com>
    Subject: Man killed by a factory robot in Germany; human error blamed

    http://arstechnica.com/business/2015/07/man-killed-by-a-factory-robot-in-germany/

    On Wednesday, Volkswagen said that a 22-year-old external contractor for the
    company had been killed by a robot at a production factory in Baunatal,
    Germany. Heiko Hillwig, a VW spokesperson speaking to the AP about the
    incident, said that the robot grabbed the worker and crushed him against a
    metal plate. The worker died later at a nearby hospital due to complications
    from his injuries.
    <http://hosted.ap.org/dynamic/storie...LING?SITE=TXWIC&SECTION=HOME&TEMPLATE=DEFAULT>

    Hillwig told the AP, ``initial conclusions indicate that human error was to
    blame.'' He added that the contractor was helping set up the robot and was
    inside the metal safety cage that usually separates personnel from the
    metal-manipulating robots. Another worker was present when the incident
    occurred, but because he was behind the barrier, he was unharmed. Ars has
    reached out to Volkswagen but has not yet received a response.

    According to the Financial Times ``A Volkswagen spokesman stressed that the
    robot was not one of the new generation of lightweight collaborative robots
    that work side-by-side with workers on the production line and forgo safety
    cages.''
    http://www.ft.com/intl/fastft/353721/worker-killed-volkswagen-robot-accident

    German newspaper HNA reported that the robot in question is used to build
    electric engines for Volkswagen, and the FT noted rather bleakly that the
    robot suffered no damage in the accident.

    No further details were given by Volkswagen because prosecutors have
    launched an investigation into the incident.

    The story gained some morbid attention earlier today when a Financial Times
    employment reporter named Sarah O'Connor tweeted the story, not realizing
    the connection between her name and a character with a similar name (Sarah
    Connor) in the Terminator series. Her tweet was retweeted more than 3,500
    times <https://twitter.com/sarahoconnor_/status/616282747200479232> and she
    received an influx of messages making jokes about the news. ``Feeling really
    uncomfortable about this inadvertent Twitter thing I seem to have kicked
    off,'' she tweeted later today. ``Somebody died. Let's not forget.''

    ------------------------------

    Date: Thu, 2 Jul 2015 22:11:08 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: TransAsia flight: Shutdown Wrong Engine!

    Interim report on the ATR Crash in Taipei in Feb 2015 finally published: On
    4 Feb 2015, TransAsia Airways flight GE 235, an ATR72-600, registration
    B-22816, took off from Taipei Songshan Airport for Kinmen, Taiwan.
    http://www.asc.gov.tw/main_en/docaccident.aspx?uid=343&pid=296&acd_no=191

    Evidently one of the two engines failed, the Captain accidentally shut down
    the working one. He was heard to say on the CVR: ``Wow, pulled back the wrong
    side throttle.''

    That failure mode should be familiar to long-time RISKS readers!

    ------------------------------

    Date: Wed, 8 Jul 2015 17:40:54 -0500
    From: "Alister Wm Macintyre \(Wow\)" <macwh...@wowway.com>
    Subject: NYSE troubles predicted

    NYSE suspended trading for approx 4 hours Wed July-8 starting 11.30 am due
    to a "technical issue" not yet explained. DHS says there is no evidence of
    cyber mischief, but then we remember when there was that in the past, it
    took them 2 years to figure out what happened. Anonymous sent a note late
    Tues nite about anticipating a problem at NYSE for Wednesday. How often are
    there notes like this? A coincidence?

    http://www.msn.com/en-us/news/itinsider/anonymous-issued-cryptic-tweet-on-eve-of-nyse-suspension/ar-AAcIPjz?ocid=iehpo

    ------------------------------

    Date: Wed, 8 Jul 2015 18:09:41 -0500
    From: "Alister Wm Macintyre \(Wow\)" <macwh...@wowway.com>
    Subject: "Technical issues" @ NYSE, UA, other places

    11.32 am Wed July-8 NYSE went down for "technical issues", officially not
    believed related to cyber mischief.

    WSJ went down at about the same time; I have not yet seen an explanation.

    United Airlines got grounded a few hours earlier because of a "network
    connectivity issue."

    By 1.30 pm, WSJ was back in business.
    3.10 pm NYSE was back in operation.

    http://www.msn.com/en-us/news/us/nyse-resumes-trading/ar-AAcIGgj?ocid=iehp

    Before the facts come out about any incident, "Technical Issues" is what the
    general public is usually told.

    When the SONY Breach chaos began, Nov-24, the official line was an "IT
    problem."

    Top executives at SONY had been told on Nov-21 by the perpetrators that this
    was coming, if they did not comply with the perpetrator demands, so Nov-24
    may have been a shock to SONY management, but not really a surprise.
    Several people had warned the CEO, months in advance, that The Interview
    would lead to North Korea hacking them, but their reaction to this news was
    merely to edit the trailer to be less offensive to NK, until the movie
    actually came out.

    For lots of gory details on SONY behind the scenes, see the cover story of
    July-1 Fortune magazine.

    ------------------------------

    Date: Wed, 8 Jul 2015 11:45:29 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: United grounded

    http://www.komonews.com/news/national/FAA-All-US-United-Continental-flights-grounded-312486921.html

    http://www.washingtonpost.com/busin...b51974-2588-11e5-b72c-2b7d516e1e0e_story.html

    CNN has officially called it a set of unrelated `whacky technical problems'.

    http://www.theguardian.com/business/live/2015/jul/08/new-york-stock-exchange-wall-street

    ------------------------------

    Date: Thu, 9 Jul 2015 11:03:59 +1200
    From: "Dave Farber" <da...@farber.net>
    Subject: Is Cyber-Armageddon Upon Us? 3 Glitches Today Have Some Saying Yes
    (WiReD)

    http://www.wired.com/2015/07/cyberarmageddon-upon-us-3-glitches-today-saying-yes/?mbid=nl_7815

    ------------------------------

    Date: Tue, 7 Jul 2015 22:26:07 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Why back doors are a bad idea

    http://takingnote.blogs.nytimes.com/2015/07/07/why-a-back-door-to-the-internet-is-a-bad-idea/

    ------------------------------

    Date: Tue, 7 Jul 2015 22:31:43 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: More on Keys Under Doormats

    [There were a few errors in the MIT archival URL. A Corrected copy is at
    www.crypto.com/papers/Keys_Under_Doormats_FINAL.pdf
    thanks to Matt Blaze. PGN]

    http://www.theguardian.com/world/20...ncrypted-data-are-unprincipled-and-unworkable

    Nicole Perlroth in the Wednesday print edition:
    http://www.nytimes.com/2015/07/08/t...rnment-access-to-encrypted-communication.html

    http://www.wsj.com/articles/technology-experts-hit-back-at-fbi-on-encryption-1436316464

    ------------------------------

    Date: Wed, 08 Jul 2015 08:15:46 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Senate Judiciary "Going Dark" site is untrusted!

    The Senate Judiciary Committee is holding "Going Dark" hearings today, but
    their own HTTPS web site is "Untrusted" by Firefox!

    Isn't this the very definition of "delicious irony"?

    "This Connection is Untrusted"

    "You have asked Firefox to connect securely to www.judiciary.senate.gov, but
    we can't confirm that your connection is secure."

    "Normally, when you try to connect securely, sites will present trusted
    identification to prove that you are going to the right place. However,
    this site's identity can't be verified."

    "What Should I Do?"
    "If you usually connect to this site without problems, this error could mean
    that someone is trying to impersonate the site, and you shouldn't continue."

    Cody M. Poplin, 8 Jul 2015
    http://www.lawfareblog.com/live-senate-hearings-going-dark
    Live: Senate Hearings on "Going Dark"

    ------------------------------

    Date: Wed, 8 Jul 2015 09:35:15 -0700
    From: PRIVACY Forum mailing list <pri...@vortex.com>
    Subject: FBI, Justice Dept. Take Encryption Concerns to Congress

    http://www.nytimes.com/aponline/2015/07/08/us/politics/ap-us-fbi-encryption.html

    Vermont Sen. Patrick Leahy, the panel's senior Democrat, expressed
    wariness about facilitating law enforcement's access to encrypted
    material, saying he wasn't sure how much that would help. "Strong
    encryption would still be available from foreign providers," Leahy said.
    "Some say that any competent Internet user would be able to download
    strong encryption technology, or install an app allowing encrypted
    communications -- regardless of restrictions on American businesses."

    ------------------------------

    Date: Wed, 8 Jul 2015 12:49:36 -0700
    From: Mark Thorson <e...@sonic.net>
    Subject: Hackers take over German missile battery in Turkey

    Ridiculous that this should even be possible.
    The missile battery is not on the Internet, is it?

    http://www.thelocal.de/20150707/german-missiles-taken-over-by-hackers

    ------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Tue, 7 Jul 2015 08:38:56 -0400
    Subject: Screen Addiction Is Taking a Toll on Children (NYTimes)

    American youths are plugged in and tuned out of the real world for many more
    hours of the day than experts consider healthy for normal development.
    http://well.blogs.nytimes.com/2015/07/06/screen-addiction-is-taking-a-toll-on-children/

    ------------------------------

    Date: Sun, 5 Jul 2015 10:44:26 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Senior Tech: A Tablet for Aging Hands Falls Short

    http://well.blogs.nytimes.com/2015/06/30/senior-tech-a-tablet-for-aging-hands-fall-short/

    The AARP RealPad promises ``no confusion and no frustration'' for older
    adults. Starting with the on button, it delivers the opposite.

    ------------------------------

    Date: Sat, 4 Jul 2015 19:44:04 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Facing a Selfie Election, Presidential Hopefuls Grin and Bear It

    http://www.nytimes.com/2015/07/05/u...n-presidential-hopefuls-grin-and-bear-it.html

    The Selfie Election
    http://nyti.ms/1NE67AX

    ------------------------------

    Date: Sat, 4 Jul 2015 22:34:46 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Days of Our Digital Lives (NYTimes)

    http://www.nytimes.com/2015/07/05/o...ens-davidowitz-days-of-our-digital-lives.html

    Minute by minute, just what are we searching for?

    ------------------------------

    Date: Wed, 1 Jul 2015 23:01:29 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Chicago's 'cloud tax' makes Netflix and other streaming services
    more expensive (The Verge)

    *The Verge* via NNSquad
    http://www.theverge.com/2015/7/1/8876817/chicago-cloud-tax-online-streaming-sales-netflix-spotify

    Today, a new "cloud tax" takes effect in the city of Chicago, targeting
    online databases and streaming entertainment services. It's a puzzling
    tax, cutting against many of the basic assumptions of the web, but the
    broader implications could be even more unsettling. Cloud services are
    built to be universal: Netflix works the same anywhere in the US, and
    except for rights constraints, you could extend that to the entire
    world. But many taxes are local -- and as streaming services swallow up
    more and more of the world's entertainment, that could be a serious
    problem.

    ------------------------------

    Date: Tue, 07 Jul 2015 09:14:01 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Cyber "Deterrence" considered harmful & mad

    The U.S. seems intent on doubling down on the inappropriate application of
    nuclear deterrence theory to "cyber deterrence".

    The concept of nuclear deterrence depends upon the concept of "mutually
    assured destruction" (MAD). No destruction, no assured, no mutual, no
    deterrence. *Cyber deterrence is a contradiction in terms; there is no
    deterrence in cyberspace.*

    The U.S. has done its part in guaranteeing the "mutual" part; the U.S. has
    left itself wide open to "cyber" attack, because it has no defenses. As
    Adm. Winnefeld admits, the U.S.--with the largest collection of
    sophisticated networks--has far more to lose than anyone else.

    Deterrence is a feedback system; the signaling has to go both ways. But if
    the signaling is ignored, the feedback is useless. It is the equivalent of
    adjusting a thermostat that isn't connected to the air conditioning system.

    As has been stated many times before, appropriate destruction requires
    proper attribution, but in the "cyber" case, attribution remains highly
    dubious. Hitting back at the wrong target will simply create more enemies.

    The time has come for computer scientists to speak up against the whole
    concept of "cyber deterrence", because it is ineffective and dangerous.
    Because it is ineffective, no one is going to be deterred, and therefore any
    reliance on "deterrence" instead of defense will encourage rather than
    discourage such an attack.

    WWI started as a result of inappropriate signaling among the Great Powers
    in 1914. Let's not repeat this mistake in the 21st Century.

    https://en.wikipedia.org/wiki/Deterrence_theory
    https://en.wikipedia.org/wiki/World_War_I

    37-minute talk by Adm. James Winnefeld regarding, among other things, "cyber
    deterrence".

    ADM James A. Winnefeld, Vice Chairman of the Joint Chiefs of Staff at the
    Army Cyber Institute May 14, 2015.

    ------------------------------

    Date: Thu, 2 Jul 2015 18:41:25 +1200
    From: "Richard A. O'Keefe" <o...@cs.otago.ac.nz>
    Subject: NZ Harmful Digital Communications Bill

    We've all experienced or heard stories about cyberbullying
    and the like. My own daughter has had nastygrams and death
    threats through electronic media. There are risks of doing
    nothing, and risks of over-reacting. I heard today that
    New Zealand's "Harmful Digital Communications Bill" passed
    at the end of last month.

    http://parliamenttoday.co.nz/2015/06/harmful-digital-communications-bill-passes/

    Metadata:

    http://www.parliament.nz/en-nz/pb/l...LL12843_1/harmful-digital-communications-bill
    Text:
    http://legislation.govt.nz/bill/government/2013/0168/latest/whole.html

    This has been in the works for several years.
    It has been officially reviewed for consistency with our Bill
    of Rights Act (BORA), and found acceptable.

    (http://www.justice.govt.nz/policy/c...of-rights/harmful-digital-communications-bill)

    However, it's still controversial, although the hooraw about
    changing the flag has distracted attention from it.
    http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11473451

    There must be some people reading comp.risks who could comment on this
    more competently than I, but here are some things I notice.

    "digital communication
    (a) means any form of electronic communication; and
    (b) includes any text message, writing, photograph, picture, recording,
    or other matter that is communicated electronically."

    So anything said over a landline phone, CB radio, amateur, or
    marine radio counts as "digital communication" even if it is all
    analogue. Wouldn't "electronic communication" have done?

    "The purpose of this Act is to
    (a) deter, prevent, and mitigate harm caused to individuals by digital
    communications; and
    (b) provide victims of harmful digital communications with a quick and
    efficient means of redress."

    However, "harm means serious emotional distress" and
    "posts a digital communication [means]
    (a) means transfers, sends, posts, publishes, disseminates, or
    otherwise communicates by means of a digital communication
    (i) any information, whether truthful or untruthful, about the
    victim; or
    (ii) an intimate visual recording of another individual; and
    (b) includes an attempt to do anything referred to in paragraph (a)"
    so it would seem that a mobile phone service that transfers a message
    from one person to another might be covered by "transfer". Deciding
    what to do about "hosts" and trying to get it right apparently caused
    a lot of trouble in drafting. They clearly didn't *intend* ISPs or
    phone companies to be affected, provided there's a straightforward
    complaints process.

    Truthfulness is not an issue? If Miss A says to Miss B, "stay away from Mr
    C, he put his last girlfriend in the hospital", and Mr C says this hurt his
    feelings, Miss A could be facing up to NZD 50,000 in fines or 2 years in
    prison, *even if it is true*.

    Thinking from a computing perspective, we already have laws about
    defamation, and we can't expect what seems like haphazard patching to
    produce anything but buggy consequences. Several other acts are amended by
    this one, and again, programming has me wondering about the ability of the
    "Legislation IDE" to find *all* the legislation that needs patching.

    There are 10 principles.

    1. A digital communication should not disclose sensitive
    personal facts about an individual.
    2. A digital communication should not be threatening,
    intimidating, or menacing.
    3. A digital communication should not be grossly offensive
    to a reasonable person in the position of the affected
    individual.
    4. A digital communication should not be indecent or obscene.
    5. A digital communication should not be used to harass an
    individual.
    6. A digital communication should not make a false allegation.
    7. A digital communication should not contain a matter that is
    published in breach of confidence.
    8. A digital communication should not incite or encourage
    anyone to send a message to an individual for the purpose
    of causing harm to the individual.
    9. A digital communication should not incite or encourage
    an individual to commit suicide.
    10. A digital communication should not denigrate an
    individual by reason of his or her colour, race, ethnic
    or national origin, religion, gender, sexual orientation,
    or disability.

    So *if* I were to tell you that my dog is so smart she has a degree from
    MIT, principle 6 would get me.

    It just occurred to me that I'm on the SUmOfUs.org mailing list, and have
    signed a lot of their petitions. If a board member of [name your favourite
    predatory company] should claim to have suffered "serious emotional
    distress" as a result of receiving one of these petitions, principle 5 might
    or might not get me, but principle 8 would certainly get SumOfUs.org, should
    they ever be subject to NZ law.

    There are oddball features, like someone is to be appointed to be or run an
    Approved Agency for dealing with complaints under the Act, but "is not to be
    regarded as being employed in the service of the Crown..."

    Much of the Act is administrative, but a District Court (which typically
    deals with things like minor assault, unpaid fines, &c) may make orders
    (paraphrased):
    - to take down or disable material
    - to tell people to stop doing whatever they've been doing
    - to order a correction to be published
    - to give a right of reply to the affected individual
    - to demand an apology.

    It also creates an offence, basically: deliberately posting material that
    does harm someone and could have been expected to.

    An order to take material down because it upsets someone comes, or could
    come, quite close to the right to be forgotten.

    ------------------------------

    Date: Sat, 4 Jul 2015 00:04:09 +0200
    From: Werner U <wer...@gmail.com>
    Subject: Some heads-up to consider for RISKS (found at Slashdot)

    *Windows 10 Shares Your Wi-Fi Password With Contacts*
    tech.slashdot.org/story/15/07/01/2121252/windows-10-shares-your-wi-fi-password-with-contacts?sbsrc=md

    (July 1, Slashdot) *The Register reports that Windows 10 will include,
    defaulted on, "Wi-Fi Sense
    <http://www.theregister.co.uk/2015/06/30/windows_10_wi_fi_sense/>" which
    shares wifi passwords with Outlook.com contacts, Skype contacts and, with
    an opt-in, Facebook friends. This involves Microsoft storing the wifi
    passwords entered into your laptop which can then be used by any other
    person suitably connected to you. If you don't want someone's Windows 10
    passing on your password, Microsoft has two solutions; only share passwords
    using their Wi-Fi Sense service, or by adding "_optout" to your SSID.*

    *Senator Demands Answers on FBI's Use of Zero Days, Phishing*
    threatpost.com/senator-demands-answers-on-fbis-use-of-zero-days-phishing/113593

    (July 2, Threatpost) Sen. Charles Grassley (R-Iowa), chairman of the
    powerful Senate Judiciary Committee, has sent a letter to FBI Director James
    Comey asking some pointed questions about the bureau's use of zero-day
    vulnerabilities, phishing attacks, spyware, and other controversial tools (a
    list of highly specific questions about the way the FBI uses remote
    exploitation capabilities and spyware tools). The letter
    <https://www.grassley.senate.gov/sit...load/FBI, 06-12-15, use of spyware letter.pdf>
    is related to a current effort by the Department of Justice to get more
    leeway in the way that its agencies use spyware tools in criminal
    investigations.

    *Government Illegally Spied On Amnesty International*
    yro.slashdot.org/story/15/07/02/2053222/uk-government-illegally-spied-on-amnesty-international

    (July 2, Slashdot)
    *A court has revealed that the UK intelligence agency, GCHQ, illegally
    spied on human rights organization Amnesty International
    <http://amnesty.org.uk/press-release...on-amnesty-international#.VZRD7VrIjak.twitter>.
    It is an allegation that the agency had previously denied, but an email
    from the Investigatory Powers Tribunal backtracked on a judgment made in
    June which said no such spying had taken place. The email was sent to
    Amnesty International yesterday, and while it conceded that the
    organization was indeed the subject of surveillance
    <http://betanews.com/2015/07/02/uk-government-illegally-spied-on-amnesty-international/>,
    no explanation has been offered. It is now clear that, for some reason,
    communications by Amnesty International were illegally intercepted, stored,
    and examined. What is not clear is when the spying happened, what data was
    collected and, more importantly, why it happened.*

    *Samsung Faces Lawsuit In China Over Smartphone Bloatware*
    tech.slashdot.org/story/15/07/03/1424207/samsung-faces-lawsuit-in-china-over-smartphone-bloatware

    *(July 3, Slashdot) Samsung is being sued in China for installing too many
    apps onto its smartphones
    <http://www.shanghaidaily.com/metro/...lawsuits-over-preinstalled-apps/shdaily.shtml>.
    The Shanghai Consumer Rights Protection Commission is also suing Chinese
    vendor Oppo, demanding that the industry do more to rein in bloatware
    <http://thestack.com/samsung-oppo-lawsuit-smartphone-bloatware-030715>. The
    group said complaints are on the rise from smartphone users who are
    frustrated that these apps take up too much storage and download data
    without the user being aware. Out of a study of 20 smartphones, Samsung and
    Oppo were found to be the worst culprits. A model of Samsung's Galaxy Note
    3 contained 44 pre-installed apps that could not be removed from the
    device, while Oppo's X9007 phone had 71.*

    *Firefox 39 Released, Bringing Security Improvements and Social Sharing*
    news.slashdot.org/story/15/07/03/1426226/firefox-39-released-bringing-security-improvements-and-social-sharing

    *(July 3, Slashdot) Today Mozilla announced the release of Firefox 39.0
    <https://blog.mozilla.org/blog/2015/07/02/new-sharing-features-in-firefox/>,
    which brings a number of minor improvements to the open source browser.
    (Full release notes
    <https://www.mozilla.org/en-US/firefox/39.0/releasenotes/>.) They've
    integrated Firefox Share with Firefox Hello, which means that users will be
    able to open video calls through links sent over social media. Internally,
    the browser dropped support for the insecure SSLv3
    <http://it.slashdot.org/story/14/10/15/000239/google-finds-vulnerability-in-ssl-30-web-encryption>
    and disabled use of RC4
    <http://yro.slashdot.org/story/13/03/14/1839239/cryptographers-break-commonly-used-rc4-cipher>
    except where explicitly whitelisted. The SafeBrowsing malware detection now
    works for downloads on OS X and Linux. (Full list of security changes:
    https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox39)
    The Mac OS X version of Firefox is now running Project Silk
    <https://hacks.mozilla.org/2015/01/project-silk/>, which makes animations
    and scrolling noticeably smoother. Developers now have access to the
    powerful Fetch API
    <https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API>, which should
    provide a better interface for grabbing things over a network.*

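    The Firefox 39 item above notes that the browser dropped SSLv3 and disabled
    RC4 except where explicitly whitelisted. The following Python code is an
    added example, not code from the original post, from Mozilla or from
    Slashdot: it shows how a client-side TLS context in Python's standard ssl
    module enforces the same two rules (a protocol floor of TLS 1.2, which
    excludes SSLv3, and an OpenSSL cipher string that rejects RC4 and other
    weak suites), and how to audit a context for weak suites before it is used.
    The function names, the WEAK_CIPHER_MARKERS list and the "legacy floor"
    comparison context are this example's own choices, not anything Mozilla
    ships.

```python
import ssl

# Substrings that identify cipher suites a hardened client should refuse.
# This list is the example's own choice (not a standard), used only for auditing.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def hardened_client_context() -> ssl.SSLContext:
    """Build a client context that refuses SSLv3 (and TLS 1.0/1.1) and RC4."""
    ctx = ssl.create_default_context()  # verifies server certificates by default
    # Raise the protocol floor: SSLv3, TLS 1.0 and TLS 1.1 are never negotiated.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: keep strong suites, reject anonymous key exchange,
    # NULL encryption, RC4, 3DES and MD5-based MACs.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4:!3DES:!MD5")
    return ctx


def legacy_floor_context() -> ssl.SSLContext:
    """Comparison context whose version floor no longer excludes SSLv3.

    Whether the library can actually speak SSLv3 depends on the OpenSSL build;
    the point is that the floor alone would not stop it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def weak_ciphers_in(ctx: ssl.SSLContext) -> list:
    """Return the names of enabled cipher suites that match a weak marker."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)
    ]


def sslv3_allowed(ctx: ssl.SSLContext) -> bool:
    """True if the context's version floor does not exclude SSLv3."""
    return ctx.minimum_version <= ssl.TLSVersion.SSLv3


if __name__ == "__main__":
    hardened = hardened_client_context()
    print("hardened: SSLv3 allowed by floor?", sslv3_allowed(hardened))
    print("hardened: weak suites enabled:", weak_ciphers_in(hardened))
    print("legacy floor: SSLv3 allowed by floor?", sslv3_allowed(legacy_floor_context()))
```

    The audit helpers are the useful part: a cipher string is easy to get
    wrong, so checking `get_ciphers()` for RC4 and friends after configuration,
    rather than trusting the string, catches a typo before a connection is
    made.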
    ------------------------------

    Date: Tue, 7 Jul 2015 10:47:18 -0600
    From: mike <mike...@hotmail.com>
    Subject: Early adopters of Apple Music find playlists, album art, and
    metadata corrupted

    One risk of jumping onto a new product release is the possibility of side
    effects that damage or destroy your data -- as some Apple Music enrollees
    are discovering. On the Apple discussion forum and elsewhere users are
    complaining that through some unexplained mechanism their existing playlists
    and album art are being corrupted by Apple Music. Playlists that have taken
    hours to compile become useless. Also there are reports that user meta-data
    describing the song (genre, artist, notes, etc.) is replaced by meta-data
    from Apple Music. See https://discussions.apple.com/thread/7104745

    ------------------------------

    Date: Tue, 07 Jul 2015 12:56:36 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "OpenSSL tells users to prepare for a high severity flaw"
    (Lucian Constantin)

    Lucian Constantin. InfoWorld, 7 Jul 2015
    Patches will be released on July 9 for a high severity vulnerability
    in OpenSSL's widely used cryptographic library
    http://www.infoworld.com/article/29...sers-to-prepare-for-a-high-severity-flaw.html

    ------------------------------

    Date: Tue, 7 Jul 2015 16:35:28 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Senate advances secret plan forcing Internet services to report
    terror activity (Ars)

    Ars Technica via NNSquad
    http://arstechnica.com/tech-policy/...-internet-services-to-report-terror-activity/

    Senator Dianne Feinstein (D-CA), who sponsored the Internet services
    provision, did not return a call seeking comment. The legislation is
    modeled after a 2008 law, the Protect Our Children Act. That measure
    requires Internet companies to report images of child porn, and
    information identifying who trades it, to the National Center for Missing
    and Exploited Children. That quasi-government agency then alerts either
    the FBI or local law enforcement about the identities of online child
    pornographers. The bill, which does not demand that online companies
    remove content, requires Internet firms that obtain actual knowledge of
    any terrorist activity to "provide to the appropriate authorities the
    facts or circumstances of the alleged terrorist activity," wrote The
    Washington Post, which was able to obtain a few lines of the bill
    text. The terrorist activity could be a tweet, a YouTube video, an
    account, or a communication.

    Actual child porn is fairly obvious. Terror activity is a much more nebulous
    concept, and I suspect a significant percentage of the blowhard statements
    from idiot trolls in posting comments could be theoretically swept into this
    category. I suspect what's actually going on here is that this is a
    preliminary to trying to push through legislation banning strong encryption
    by these services, trying to turn Internet services into monitoring agents
    for the government.

    ------------------------------

    Date: Wed, 8 Jul 2015 13:48:35 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Matt Bonner Blames New iPhone 6 for Injury, Poor Shooting

    Bleacher Report -- Kyle Newport -- Jul 6, 2015
    http://bleacherreport.com/articles/2516427-matt-bonner-blames-new-iphone-6-for-injury-poor-shooting

    Matt is quoted in the article:

    ``I hate to make excuses, I was raised to never make excuses, but I went
    through a two-and-a-half month stretch where I had really bad tennis elbow,
    and during that stretch it made it so painful for me to shoot I'd almost be
    cringing before I even caught the ball like, this is going to kill.'' [...]

    Everybody is going to find this hilarious, but here's my theory on how I got
    it. When the new iPhone came out it was way bigger than the last one, and I
    think because I got that new phone it was a strain to use it, you have to
    stretch further to hit the buttons, and I honestly think that's how I ended
    up developing it.''

    ------------------------------

    Date: 8 Jul 2015 17:11:51 -0400
    From: "Bob Frankston" <bob...@bob.ma>
    Subject: Re: Windows 10 will share your Wi-Fi key with your friends' friends
    (RISKS-28.75)

    万能钥匙 (http://www.lianwifi.com/) provides an app
    used by hundreds of millions of Chinese to share Wi-Fi keys. I haven't used
    it because it's an APK not vetted in the Android store but I understand the
    value and the need for a tool to avoid wasting time negotiating past all
    those Wi-Fi agree screens and other annoyances present even if there is no
    charge.

    At some point we need to face up to the fact that this whole idea of Wi-Fi
    security is a debacle as well as a security risk. Microsoft's approach may
    be problematic because it seems to add more complexity but it does address a
    real need for "just works" connectivity.

    ------------------------------

    Date: Wed, 1 Jul 2015 23:24:42 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Leap Second Causes Sporadic Outages Across the Internet (Cade Metz)

    Cade Metz -- WiReD -- 07.01.15 -- 1:08 pm

    Yesterday's leap second caused sporadic outages in more than 2,000 networks
    that link machines across the Internet, according to a company that tracks
    the performance of online services.

    Doug Madory, the director of Internet analysis at the New Hampshire-based
    Dyn Inc., says the outages occurred just after midnight Coordinated
    Universal Time, when the leap second was added. Because no single Internet
    service provider was responsible for the outage, Madory says, the leap
    second was almost certainly the culprit.

    http://www.wired.com/2015/07/leap-second-causes-sporadic-outages-across-internet/

    ------------------------------

    Date: Wed, 1 Jul 2015 09:42:18 -0700
    From: "David E. Ross" <da...@rossde.com>
    Subject: Re: "Leap Second Problem" and "Growing opposition to the Leap Second"
    (RISKS-28.74)

    Back in 1969, I was a software tester for a system that handled leap-seconds
    seamlessly, a system that remained in use until the early 1990s (more than
    20 years). We had no problems with leap-seconds. Internally, all time-tags
    were in TAI (atomic time), which does not have leap-seconds. This, of
    course, simplified the accurate computation of intervals between two events.
    All inputs and displays used a small software routine that converted UTC to
    TAI and vice-versa with the insertion or removal of appropriate
    leap-seconds.

    The problem today is that seven years went by (1999-2006) with no
    leap-seconds. Then, only one leap second occurred between 2006 and 2012, on
    1 January 2009 (one in a six-year interval). That is, there were only two
    leap-seconds in a 13-year period. Programmers, testers, and others involved
    in computer systems became complacent, lazy, and possibly ignorant of
    fundamental physical processes that are causing the earth's rotation to
    slow.

    No, the leap-second is not a problem. The problem lies in systems that were
    designed without regard for a phenomenon that occurred 22 times from 1972 to
    1999, 27 years during which no serious opposition was expressed against
    leap-seconds.
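The design this post describes, as an added example in Python rather than code from the post or from the 1969 system: time-tags are kept in TAI internally, a small routine converts UTC to TAI and back at the input/output boundary, and an interval that spans a leap second therefore comes out right. The leap-second table is the published IERS list through 2016, typed in here by hand; the stamp format and function names are this example's own.

```python
from datetime import datetime, timedelta

# Instant from which TAI-UTC was exactly 10 s; naive UTC seconds are counted from here.
EPOCH = datetime(1972, 1, 1)

# Constructed table: (last UTC day before a leap second is inserted, TAI-UTC in
# effect after it). Published IERS values through 2016; a real system must
# refresh this from an authoritative source, since future entries are unknown.
LEAP_TABLE = [
    ("1972-06-30", 11), ("1972-12-31", 12), ("1973-12-31", 13), ("1974-12-31", 14),
    ("1975-12-31", 15), ("1976-12-31", 16), ("1977-12-31", 17), ("1978-12-31", 18),
    ("1979-12-31", 19), ("1981-06-30", 20), ("1982-06-30", 21), ("1983-06-30", 22),
    ("1985-06-30", 23), ("1987-12-31", 24), ("1989-12-31", 25), ("1990-12-31", 26),
    ("1992-06-30", 27), ("1993-06-30", 28), ("1994-06-30", 29), ("1995-12-31", 30),
    ("1997-06-30", 31), ("1998-12-31", 32), ("2005-12-31", 33), ("2008-12-31", 34),
    ("2012-06-30", 35), ("2015-06-30", 36), ("2016-12-31", 37),
]
LEAP_DAYS = {day for day, _ in LEAP_TABLE}


def _day_start(day):
    return datetime.strptime(day, "%Y-%m-%d")


def _naive_seconds(dt):
    """Seconds since EPOCH with every UTC day counted as 86400 s (POSIX-style)."""
    return int((dt - EPOCH).total_seconds())


def _offset_at(dt):
    """TAI-UTC in effect at naive UTC datetime dt (whose second field is < 60)."""
    offset = 10
    for day, off_after in LEAP_TABLE:
        if dt >= _day_start(day) + timedelta(days=1):
            offset = off_after
        else:
            break
    return offset


def tai_minus_utc(stamp):
    """TAI-UTC for a 'YYYY-MM-DDTHH:MM:SS' UTC stamp (SS < 60)."""
    return _offset_at(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"))


def utc_to_tai(stamp):
    """Input boundary: UTC text (SS may be 60 on a leap day) -> TAI seconds since EPOCH."""
    date, clock = stamp.split("T")
    hh, mm, ss = (int(x) for x in clock.split(":"))
    if ss == 60:
        # 23:59:60 exists only at the end of a day listed in the table.
        if (hh, mm) != (23, 59) or date not in LEAP_DAYS:
            raise ValueError(f"{stamp}: no leap second was inserted there")
        last = _day_start(date).replace(hour=23, minute=59, second=59)
        return _naive_seconds(last) + 1 + _offset_at(last)
    dt = _day_start(date).replace(hour=hh, minute=mm, second=ss)  # ValueError if ss > 59
    return _naive_seconds(dt) + _offset_at(dt)


def tai_to_utc(tai):
    """Output boundary: TAI seconds since EPOCH -> UTC text, emitting 23:59:60 when due."""
    offset = 10
    for day, off_after in LEAP_TABLE:
        boundary = _naive_seconds(_day_start(day) + timedelta(days=1)) + off_after
        if tai >= boundary:
            offset = off_after
        elif tai == boundary - 1:
            return f"{day}T23:59:60"  # the inserted second itself
        else:
            break
    return (EPOCH + timedelta(seconds=tai - offset)).strftime("%Y-%m-%dT%H:%M:%S")


def interval_seconds(start, end):
    """Elapsed seconds between two UTC stamps, computed in TAI so leap seconds count."""
    return utc_to_tai(end) - utc_to_tai(start)


def naive_interval_seconds(start, end):
    """The same interval computed on UTC wall-clock values, which ignores leap seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    return int((datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds())


if __name__ == "__main__":
    a, b = "2015-06-30T23:59:00", "2015-07-01T00:00:00"  # spans the 2015 leap second
    print("TAI interval:", interval_seconds(a, b), "s; naive UTC interval:",
          naive_interval_seconds(a, b), "s")
    print("Round trip of the leap second:", tai_to_utc(utc_to_tai("2015-06-30T23:59:60")))
```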

    ------------------------------

    Date: Tue, 07 Jul 2015 07:17:36 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: DVD drive in PC fire hazard (mctaylor, RISKS-28.75)

    My 17" HP Windows laptop fries its own hard drive, because it's located
    right next to a very hot GPU. However, it has a completely empty bay on the
    other side that is about 20-25 degrees C cooler. I got a short SATA
    extender cable & relocated the hard drive to this cooler bay. I then
    started running Ubuntu, because it runs 10-15 degrees C cooler than Windows.

    As best I can tell, once-mighty HP has lost all of its lustre, and all
    of its excellent engineers have left for greener pastures.

    ------------------------------

    Date: Wed, 8 Jul 2015 02:53:28 +0800
    From: "Mark E. Smith" <mym...@gmail.com>
    Subject: Re: Overcoming Information Overload

    Over time I've developed my own methods of overcoming information overload.

    1. I have no interface with mainstream or commercial media. I don't own a
    TV, don't listen to my hand-cranked radio except for a single jazz station,
    and don't read newspapers or magazines. I have no cell phone, my landline is
    used only for my dial-up Internet connection, and I'm no longer a registered
    voter. Therefore my only contact with stories planted by the CIA,
    corporations, or political operatives, is if they are exposed and/or
    commented on by somebody in my personal network.

    2. For topics that interest me I keep abreast by subscribing to list-serves
    dedicated to those specific topics and following people who have
    demonstrated an ability to keep themselves informed and to inform others
    about these topics on Twitter. For example, I subscribe to two list-serves
    about Fukushima and follow several people on Twitter who are knowledgeable
    about and only or primarily Tweet about Fukushima.

    3. I subscribe through RSS feeds or by email notification to websites that
    specialize in topics of interest to me, such as natural health cures,
    pollution, technology risks, countries under attack by NATO, indigenous
    struggles, sexism, racism, etc., and follow people with similar interests,
    experience, and expertise on Twitter. So I get daily or frequent updates
    from or about Iraq, Syria, Afghanistan, Pakistan, Libya, Somalia, Yemen,
    Palestine, Sudan, Venezuela, Mexico, Ecuador, Russia, etc., and news about
    government or paramilitary attacks on indigenous peoples, people of color,
    and on women and children everywhere, plus news of the latest pharmaceutical
    and health industry scandals and natural health breakthroughs.

    4. To save time, I filter emails that don't interest me, and I block more
    than 90% of the people who try to follow me on Twitter, after checking their
    profiles to make sure they have nothing to say that I consider of
    informational value.

    5. I don't use social media other than Twitter, which ensures that
    everything I read is concise and succinct, due to the character limit on
    Tweets.

    While Dan Gillmor's notice of the MediaLit MOOC is certain to be of value to
    many who have not already worked out a system of their own, as soon as I saw
    that it included voices from the mainstream media, I knew it would not be of
    sufficient value to me to give it any more time than this response, which I
    hope might save others some time.

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
    if possible and convenient for you. The mailman Web interface can
    be used directly to subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks
    Alternatively, to subscribe or unsubscribe via e-mail to mailman
    your FROM: address, send a message to
    risks-...@csl.sri.com
    containing only the one-word text subscribe or unsubscribe. You may
    also specify a different receiving address: subscribe address= ... .
    You may short-circuit that process by sending directly to either
    risks-s...@csl.sri.com or risks-un...@csl.sri.com
    depending on which action is to be taken.

    Subscription and unsubscription requests require that you reply to a
    confirmation message sent to the subscribing mail address. Instructions
    are included in the confirmation message. Each issue of RISKS that you
    receive contains information on how to post, unsubscribe, etc.

    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines.

    => .UK users may contact <Lindsay....@newcastle.ac.uk>.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you NEVER send mail!
    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
    *** NOTE: Including the string `notsp' at the beginning or end of the subject
    *** line will be very helpful in separating real contributions from spam.
    *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
    http://www.risks.org takes you to Lindsay Marshall's searchable archive at
    newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 28.76
    ************************
  20. LakeGator

    Risks Digest 28.77

    RISKS List Owner

    Jul 11, 2015 4:34 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 11 July 2015 Volume 28 : Issue 77

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/28.77.html>
    The current issue can be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Outages continue: USDA; Amazon (Alister Wm Macintyre)
    When Computers Go Down, It's Not Always a Hack (takingnote)
    An Offline NYSE. Makes Barely a Ripple in a Day's Trading (NYTimes)
    Moxie Marlinspike (WSJ)
    The Massive OPM Hack Actually Hit 25 Million People (WiReD)
    OpenSSL Patches Critical Certificate Forgery Bug (SlashDot)
    Hackdoors & Crypto Wars (Eric Geller via Henry Baker)
    Senator: OPM Hack Gave China a Spy Recruiting Database (Ben Sasse via
    Henry Baker)
    Privacy risks in healthcare (PGN)
    EFF report on the Going Dark Senate hearing (PGN)
    Cyber criminals adopt recently patched zero-day exploit in a flash
    (Lucian Constantin)
    Map of Cyber Attacks (Norsecorp via Alister Wm Macintyre)
    India's Supreme Court May Ban Porn Viewing, Even in Private Homes (HuffPost)
    Facing a Selfie Election, Presidential Hopefuls Grin (NYTimes)
    Your next selfie could be your last, Russia warns (Amar Toor)
    Re: NZ Harmful Digital Communications Bill (Macintyre, O'Keefe)
    Leap Second Causes Sporadic Outages Across the Internet (Brian Inglis,
    Bob Frankston)
    Re: Samsung is being sued in China (Wols)
    Ada Lovelace and Babbage (PGN)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 9 Jul 2015 14:31:53 -0500
    From: "Alister Wm Macintyre (Wow)" <macwh...@wowway.com>
    Subject: Outages continue: USDA; Amazon

    [More on `business as usual', as noted in RISKS-28.76. PGN]

    The US Dept of Agriculture (USDA) had an outage, for about an hour.
    http://www.marketwatch.com/story/usda-website-back-online-after-outage-2015-07-09-11103195

    There is speculation that WSJ went down 8 Jul because it was overloaded when
    people found out about NYSE down, then went there for more info.

    When we see something in the news, like some kind of disaster, and we go
    looking for more info or updates, it can seem like there is an epidemic of
    that kind of story.

    But many of them might not be at well known places.

    There were 4 Internet outages in progress, as I type this e-mail, impacting
    360 websites. One of the more well known places is Amazon. Its outage
    started 9 Jul. 2 of the outages are in North-Central Asia. There were over
    2,000 web sites with outages in the past 24 hours.
    http://www.outageanalyzer.com/

    Outages can hit just about anyone.
    http://blogs.wsj.com/digits/tag/outage/

    Breaches continue at a high rate, and GAO has a report on a lack of
    cybersecurity within the U.S. banking industry, and by bank regulators.
    http://www.bankinfosecurity.com/gao-bank-risk-analysis-comes-up-short-a-8376

    The FBI announces that it prevented multiple ISIL terrorist attacks from
    occurring on July-4.
    http://www.msn.com/en-us/news/us/fb...spired-attacks-on-july-4/ar-AAcLwOv?ocid=iehp

    ------------------------------

    Date: Thu, 9 Jul 2015 09:29:59 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: When Computers Go Down, It's Not Always a Hack (takingnote)

    http://takingnote.blogs.nytimes.com/2015/07/08/when-computers-go-down-its-not-always-a-hack/

    We're too quick to blame hackers for failures like the one that disrupted
    trading on the New York Stock Exchange.

    ------------------------------

    Date: Thu, 9 Jul 2015 08:00:27 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: An Offline NYSE. Makes Barely a Ripple in a Day's Trading (NYTimes)

    As the stoppage on Wednesday showed, the modern world of stock trading is
    much quicker, more complex and reliant on sophisticated computers -- and in
    many cases able to adapt.
    http://www.nytimes.com/2015/07/09/b...-makes-barely-a-ripple-in-a-days-trading.html

    ------------------------------

    Date: Fri, 10 Jul 2015 13:02:50 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Moxie Marlinspike

    Dreadlocked programmer has spooked the FBI by creating a tool the police
    cannot crack. (Matt Green's students at Johns Hopkins could not break it.)
    http://www.wsj.com/articles/moxie-marlinspike-the-coder-who-encrypted-your-texts-1436486274?mod=LS1

    ------------------------------

    Date: Thu, 9 Jul 2015 14:46:33 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: The Massive OPM Hack Actually Hit 25 Million People

    http://www.wired.com/2015/07/massive-opm-hack-actually-affected-25-million/

    "The team has now concluded with high confidence that sensitive
    information, including the Social Security Numbers (SSNs) of 21.5 million
    individuals, was stolen from the background investigation databases," OPM
    wrote in the statement. "This includes 19.7 million individuals that
    applied for a background investigation, and 1.8 million non-applicants,
    predominantly spouses or co-habitants of applicants." The stolen
    information includes about 1.1 million fingerprints as well as findings
    that investigators obtained from interviews conducted with neighbors,
    friends and family members for background checks. Such information can be
    highly sensitive since it can include knowledge about the drug and
    criminal history of someone undergoing a background check as well as their
    sexual orientation and relationships.

    Lauren Weinstein added:
    And the FBI says "trust us with your encrypted communications." Uh huh.

    ------------------------------

    Date: Fri, 10 Jul 2015 03:43:06 +0200
    From: Werner U <wer...@gmail.com>
    Subject: OpenSSL Patches Critical Certificate Forgery Bug (SlashDot)

    <http://it.slashdot.org/story/15/07/09/152257/openssl-patches-critical-certificate-forgery-bug>

    msm1267 <http://it.slashdot.org/%7Emsm1267> writes: *The mystery OpenSSL
    <http://openssl.org/> patch released today addresses a critical certificate
    validation issue where anyone with an untrusted TLS certificate can become
    a Certificate Authority
    <https://threatpost.com/openssl-patches-critical-certificate-validation-vulnerability/113703>.
    While serious, the good news according to the OpenSSL Project is that few
    downstream organizations have deployed the June update where the bug was
    introduced.* From the linked piece: *The vulnerability allows an attacker
    with an untrusted TLS certificate to be treated as a certificate authority
    and spoof another website. Attackers can use this scenario to redirect
    traffic, set up man-in-the-middle attacks, phishing schemes and anything
    else that compromises supposedly encrypted traffic. [Rich Salz, one of the
    developers] said there are no reports of public exploits.*

    ------------------------------

    Date: Fri, 10 Jul 2015 13:59:18 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Hackdoors & Crypto Wars (Eric Geller)

    FYI -- Outstanding (but long) article on the whole encryption debate.
    Probably the best single article to read to understand the history & current
    state of the debate. HB
    [It is extraordinarily well written, concise, and comprehensive.
    But I had to dramatically prune it for RISKS. PGN]

    A question that comes to mind: "Why is Comey & the FBI & the Obama
    Administration pushing so hard on this? The FBI & the White House certainly
    have access to computer scientists who have told them it isn't a workable
    idea, so it is odd that Comey would go so far out on this particular limb."

    My only answer is that Google/Apple/Facebook are extremely rich potential
    sources of campaign contributions, and sometimes it takes fear to open up
    those pocketbooks -- look how Dodd-Frank opened up the wallets of the banks!
    Once the right candidates have been safely elected, President Obama is then
    free to add to his legacy by vetoing this "hackdoor" nonsense.

    Follow the link to follow the links in the original article.

    https://www.dailydot.com/politics/encryption-crypto-war-james-comey-fbi-privacy/
    The rise of the new Crypto War
    By Eric Geller
    Jul 10, 2015, 7:00am CT | Last updated Jul 10, 2015, 2:41pm CT

    James B. Comey, Jr., the seventh director of the Federal Bureau of
    Investigation, is afraid of the dark.

    ``The law hasn't kept pace with technology, and this disconnect has created
    a significant public safety problem,'' Comey said in an Oct. 16, 2014,
    speech at the Brookings Institution, an influential Washington, D.C., think
    tank. He called the problem `going dark'.

    As more and more criminals presumably go dark by encrypting their phones and
    email accounts, federal agents are finding it increasingly difficult to
    intercept their communications. The spread of easy-to-use encryption
    software and the eagerness with which tech companies promote it have deeply
    troubled the FBI. But on that unusually warm October day, Comey also wanted
    to vent about another frustration: He felt that the bureau's proposed
    solution was being distorted.

    ``There is a misconception that building a lawful intercept solution into a
    system requires a so-called backdoor, one that foreign adversaries and
    hackers may try to exploit. But that isn't true. We aren't seeking a
    backdoor approach. We want to use the front door, with clarity and
    transparency, and with clear guidance provided by law.''

    He only used the word twice, but by strenuously denying that he wanted one,
    Comey had set off a fierce debate about the secret law-enforcement
    data-access portals known as backdoors. In the months that followed, Comey,
    his deputies at the FBI, and his counterparts at other agencies would face
    relentless questioning and criticism from skeptical members of Congress,
    exasperated security researchers, and outraged privacy groups. Despite
    Comey's protestations, many feared that the agency once known for its
    disturbing reach and systemic abuses of power in the era of J. Edgar Hoover
    was seeking a return to that fearsome omniscience in the digital age.

    The debate over backdoors has pitted Comey and other national-security
    officials against America's biggest tech companies, which have fired off
    letter after letter warning the government not to undermine encryption and
    the increasingly powerful security tools built into their products. It has
    strained relations between an obscure but important government technical
    body and the security industry that used to consider it a trusted partner.
    And it has infuriated the cryptography experts and civil-liberties activists
    who have spent decades beating back government efforts to weaken the
    encryption that is now vital to all aspects of online life. [...]

    Crypto Wars ...
    Backdoors ...
    CALEA ...
    The return of the Crypto Wars ...
    Universally derided ... letter to President Obama ...
    Keys Under Doormats report ...
    Divided government ...
    Eroding trust ...
    Heartbleed as a harbinger ...
    Private-sector pressure ...
    The murky way forward ...

    As CALEA-era arguments rear their heads again -- the same words coming out
    of new mouths -- Cindy Cohn sounded like a veteran military commander
    reluctantly gearing up once more. ``We think the government was wrong then,
    and they're wrong now. But we may have to spend a lot of energy to fight a
    war that we already won.''

    ------------------------------

    Date: Fri, 10 Jul 2015 12:40:47 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Senator: OPM Hack Gave China a Spy Recruiting Database?

    "most of the people responsible for safeguarding this information had
    essentially no background in IT" OK. Hire the best Beltway Bandit security
    firms that revolving door lobbyists can suggest. Check!

    "government needs to stop the bleeding ... every sensitive database ... must
    be immediately secured" OK. Strong encryption with Perfect Forward Secrecy.
    Load "every sensitive database in every government agency" into Apple iOS 8.
    Check!

    "Our government must completely reevaluate its cyber doctrine" OK.
    Immediately fire all those "cyber warriors" who thought that "deterrence"
    would work. Check!

    "playing defense is a losing game" Since deterrence obviously isn't working
    (and will never work), wouldn't "stopping the bleeding" include "playing
    defense" ? If you're not sure who to shoot at, perhaps your best strategy
    is to immediately put up better defenses ? The last time the U.S. started
    cyber shooting, the stray cyberbullets landed back in the U.S. as STUXNET
    mutant malware.

    "we need to send a clear message" OK. To whom should we send this message,
    and what should it say? I humbly suggest: "Pretty please, Mr. Lone Wolf (or
    whoever you are), we in the U.S. live in a glass house, so we can't throw
    stones at you, but we really, really dislike what you've been doing, and
    wish that you would stop -- at least long enough for us to install some
    stronger glass."

    "We have to deter attacks from ever happening" Obviously, these spies were
    neither shaken nor deterred.

    Author: Senator Ben Sasse, 9 Jul 2015.
    https://www.wired.com/2015/07/senator-sasse-washington-still-isnt-taking-opm-breach-seriously/
    The OPM Hack May Have Given China a Spy Recruiting Database
    As a newly elected Senator, I am here to tell you a hard truth: Washington
    does not take cybersecurity seriously. ...
    China may now have the largest spy-recruiting database in history.

    Bottom line: If you have any family or friends who work for the government
    and put your name down on an SF-86, a foreign government might well know a
    lot more about you and your kids than you'd like.

    [Excellent item... Read it in full, and hope that Senator Sasse gets
    listened to in the Senate! PGN]

    ------------------------------

    Date: Fri, 10 Jul 2015 17:12:11 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Privacy risks in healthcare

    This week, GAO Director of Information Security Gregory Wilshusen said at a
    House Science, Space, and Technology Subcommittee hearing that he isn't
    aware of any actions being taken to address the privacy risks (security
    flaws) of healthcare.gov data warehouse system, which includes SSNs,
    financial account information, and other personal information.

    http://science.house.gov/hearing/su...mmittee-oversight-hearing-opm-data-breach-tip

    Recent Healthcare Information and Management Systems Society Cybersecurity
    Survey says that 67% of the respondents reported a significant security
    incident. http://www.himss.org/2015-cybersecurity-survey

    ------------------------------

    Date: Fri, 10 Jul 2015 16:17:57 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: EFF report on the Going Dark Senate hearing

    https://www.eff.org/deeplinks/2015/07/top-five-takeaways-todays-hearings-encryption

    ------------------------------

    Date: Thu, 09 Jul 2015 10:27:14 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Cyber criminals adopt recently patched zero-day exploit in a
    flash" (Lucian Constantin)

    Lucian Constantin, InfoWorld, 29 Jun 2015
    It only took four days for a recently patched vulnerability in Flash
    Player to start being used in large-scale attacks
    http://www.infoworld.com/article/29...ntly-patched-zero-day-exploit-in-a-flash.html

    ------------------------------

    Date: Thu, 9 Jul 2015 16:44:07 -0500
    From: "Alister Wm Macintyre (Wow)" <macwh...@wowway.com>
    Subject: Map of Cyber Attacks

    Places where most cyber attacks were made today Jul 9:

    * USA
    * Mil/Gov
    * France
    * Russia
    * Ecuador
    * Liechtenstein
    * Singapore
    * Cyprus

    Places from which most cyber attacks originated today July-9:

    * China
    * USA
    * Russia
    * Bulgaria
    * Singapore
    * Mil/Gov
    * Netherlands
    * Canada

    See the map for more details.
    (Above listed from most attacks to smaller #s.)
    http://map.norsecorp.com/

    ------------------------------

    Date: Fri, 10 Jul 2015 11:51:32 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: India's Supreme Court May Ban Porn Viewing, Even in Private Homes

    HuffPost via NNSquad
    http://www.huffingtonpost.com/van-winkles/indias-supreme-court-may_b_7772084.html

    The land that gave us the Kama Sutra is having trouble with pornography.
    As the Times of India reported, India's Supreme Court is unhappy with the
    federal government's inaction in combating widespread Internet porn.
    Taking matters into its own hands, the Court is considering a blanket ban
    on all porn.

    Good luck with that, guys.

    ------------------------------

    Date: Thu, 09 Jul 2015 16:28:10 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Facing a Selfie Election, Presidential Hopefuls Grin

    "For security teams on the campaigns, all this close contact between
    candidates and strangers can be a challenge, but in some ways it is easier
    to monitor than a traditional rope line. That is because selfies keep
    people's hands up where they can be seen."

    http://www.nytimes.com/2015/07/05/u...n-presidential-hopefuls-grin-and-bear-it.html

    ...and of course, nobody requesting a selfie, holding an electronic
    gadget up to a candidate's head could have an explosive inside it. IED,
    indeed.

    Gabriel Goldberg, Computers and Publishing, Inc. ga...@gabegold.com
    3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433

    ------------------------------

    Date: Thu, 9 Jul 2015 10:01:15 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Your next selfie could be your last, Russia warns (Amar Toor)

    Amar Toor, *The Verge*, 8 Jul 2015
    Interior ministry launches public safety campaign after at least 100 have
    been injured in the name of selfies
    http://www.theverge.com/2015/7/8/8911197/russia-selfie-safety-campaign

    ------------------------------

    Date: Thu, 9 Jul 2015 13:35:08 -0500
    From: "Alister Wm Macintyre (Wow)" <macwh...@wowway.com>
    Subject: Re: NZ Harmful Digital Communications Bill (Re: O'Keefe)

    In trying to solve some problems, legislators often have the (unintended?)
    consequence of creating new ones.

    Is my understanding now correct, that this law may have exempted some hosts
    of the digital data (phone company, computer owners, TV News) but not the
    people making the statements that cause offense, annoyance, hurt feelings
    etc., where there are no exceptions, based on type of person making the
    unwanted statements, such as politicians, civil servants, people in other
    nations?

    The US Supreme Court has declared that corporations are real people, so
    press releases, advertising, billing practices etc., by corporations, might
    be offensive to some people. If companies are not real people under NZ law,
    then maybe their feelings are not covered by this law.

    I wear a hearing aid. Does that mean that any communications I hear,
    arrived digitally?

    Stories in newspapers and magazines typically come from computer word
    processing, and modern electronic printing systems. Does that make them
    digital?

    Is info via a photo copy machine, fax machine, digital communications?

    If all of the above is yes, then New Zealand can now impose heavy fines &
    jail time, for many former legal activities:

    * Just about anything reported on police radio, or in police & DA records is
    offensive to the accused suspects, and offending anyone is now a crime.
    So police may need to return to systems they used before there was police
    radio.

    * Judges will need to be careful not to allow the introduction of evidence
    which went thru modern technology, like phone logs, because any suspect is
    offended by all evidence against them, but only non-digital now is legal
    to use against them.

    * Any courts, which in the past, used microphone for anyone testifying, so
    that there is a digital record, will need to stop doing that, because it
    is a digital communication of something which may offend the accused.
    Court rooms may need to be rearranged to help any hard of hearing on the
    jury.

    * Anyone who reports a crime or suspected crime (hurting terrorist's
    feelings is now a crime). Be careful when using 911 or 999.

    * Doctor inform a patient about a medical condition, which upsets the
    patient. No matter that they need to know the truth so that they can get
    proper treatment. (Hurting anyone feelings is now a crime, if the info
    involves digital communications.)

    * Conduct normal business communications of the kind of data used to
    identify your customer, such as their credit cards. (it is now a crime to
    communicate that data if anything digital is involved). Nowadays that
    info is almost always communicated electronically from retailer into
    banking system.

    * Fire an employee? That can upset the fired person. You better not have
    anything about this on the company's computers. Limit the info to pen and
    paper and verbal. If the fired person appeals to NZ equivalent of
    unemployment compensation or improper firing bureau, and it asks for info,
    the reply will need to be by snail mail. Avoid photocopy machine or fax
    machine, because that's digital communications.

    * Bill collectors will be a thing of the past. I don't think they can
    function without computer records, robo calls.

    * If Donald Trump ever visits NZ, he will be jailed for his remarks about
    Mexico (offensive to Mexicans, and others). His defense that his remarks
    are true, is irrelevant. The law does not say it is illegal or legal to
    say things which can be proven to be true or false, it says that if you
    make ANY remarks which are offensive to ANYONE, over any communication
    channel which by any interpretation can be called digital, even analog
    signals, that is illegal.

    * Any politician who opens his or her mouth, especially in an election, or
    debating the nation's business, probably offends someone. Did NZ
    politicians think to exempt themselves, as is common in USA?

    * In the USA, apartment leases frequently refer to laws about tenant rights,
    then insist that as a condition of getting this apartment, the tenant
    waives all those legal rights. Thus the landlord has an unfettered right
    to harass, annoy, offend any tenant. Does NZ have a similar system, where
    business contracts can absolve people of their legal rights?

    Many things posted anywhere on the Internet, lists like RISKS, no doubt
    offends someone. Lists may need to scrub NZ subscribers from their
    membership.

    ------------------------------

    Date: Fri, 10 Jul 2015 17:20:42 +1200
    From: "Richard A. O'Keefe" <o...@cs.otago.ac.nz>
    Subject: Re: NZ Harmful Digital Communications Bill

    I did provide a link to the text of the act, but basically, yes.
    "an online content host"
    - must make it easy for people to complain about specific content
    If you don't do that, you're not protected.
    - must respond to a complaint within 48 hours
    - must communicate with "the author of the specific content"
    "as soon as practicable" (but within the 48 hours)
    - if the author doesn't respond with 48 hours, the content must
    be removed.

    > The US Supreme Court has declared that corporations are real people ...

    Under British law, companies (and ships) have been legal persons
    for centuries. NZ law is a branch of Common Law. However, this
    Act specifically defines "individual means a natural person".
    So yes, companies are not covered by this law.
    But the owners, officers, and employees of a company ARE.

    I AM NOT A LAWYER. So when I say that
    4 "defendant ... means a person against whom an order is sought or made"
    does not say "natural person" or "individual", so it looks to *me* as
    if the defendant *can* be a juridical person, why, that opinion's
    worth every penny you paid for it.

    > I wear a hearing aid. Does that mean that any communications ...

    I think that would have to be tested in court.
    "Digital communication -- (a) means any form of electronic
    communication"; whether a hearing aid is a form of electronic
    communication, especially if the other person is unaware of it,
    is an interesting question.

    This law has been in development for *years*; it's about 18 months
    since it left first draft status and entered Parliament for debate.

    As for stories in newspapers and magazines, a magazine I used to buy
    regularly has just this month ceased print distribution and now exists
    only on line, and the daily newspaper I read is also on line, every
    story. So it hardly matters how the print version would be classified;
    there is definitely a version which is communicated electronically to
    the general public.

    > If all of the above is yes, then New Zealand can now impose heavy fines &
    jail time, for many former legal activities.

    In principle, yes. Part of the Act is in force now, and the rest will
    commence when they get around to it but no later than 2 years; they've got
    to set up a new "Approved Agency" to receive complaints.

    Harassment (Harassment Act 1997, see
    http://www.legislation.govt.nz/act/public/1997/0092/latest/DLM417078.html)
    and defamation were already illegal. In particular, 4(1)(d) making contact
    with [the victim] (whether by telephone, correspondence, or in any other
    way);

    4(1)(e) giving offensive material to [the victim], or leaving it where it
    will be found by, given to, or brought to the attention of, that person:

    4(1)(f) acting in any other way (i) that causes [the victim] to fear for his
    or her safety; and (ii) that would cause a reasonable person in [the
    victim]'s particular circumstances to fear for his or her safety.

    would seem to cover a lot of it, except that just as the Harmful Digital
    Communications Act is too broad, the Harassment Act is too narrow:
    harassment has to be "a pattern of behaviour". Apparently one of the
    triggers for the development of the new Act was a case in which some clearly
    nasty behaviour was held not to be harassment because it only happened once.
    So the new act amends the Harassment Act to say that "doing any specified
    act to the other person that is *one continuing act* [such as placing
    offensive material about someone online] carried out over any period" also
    counts as harassment, and 4(1)(e) also now includes putting material on
    line.

    But I would still have thought that cyberbullying should have been covered
    as "a pattern of behaviour" under the original Harassment Act.

    > Just about anything reported on police radio, or in police & DA records is
    offensive to the accused suspects, and offending anyone is now a crime. ...

    Section 13 "Threshold for proceedings" does put some extremely vague
    limits on the seriousness of the alleged offence, and section
    19 "Orders that may be made by court" says that
    19 (5) In deciding whether or not to make an order, and the form of an
    order, the court MUST take into account ...
    (b) the purpose of the communicator ...
    ...
    (g) whether the communication is in the public interest ..."

    The response to an initial complaint is either to dismiss the case
    or to order that the offensive behaviour stop; the criminal offence
    is to disobey such an order.

    > Judges will need to be careful not to allow the introduction of evidence
    which went thru modern technology, like phone logs, because any suspect is
    offended by all evidence against them, but only non-digital now is legal to
    use against them.

    I suspect that 19 (5) (b and g) come into play here again. But once again,
    I am not a lawyer, and my interpretation is not to be relied on.

    > Doctor inform a patient about a medical condition, which upsets the
    patient.

    I thought of that one too.

    > If Donald Trump ever visits NZ, he will be jailed for his remarks ...

    > it says that if you make ANY remarks which are offensive to ANYONE, over any
    > communication channel which by any interpretation can be called digital,
    > even analog signals, that is illegal.

    If he kept on making such remarks after a court order to stop, yes.

    As it happens, such remarks have probably been illegal for years.
    Human Rights Act 1993, section 63, Racial harassment.
    (1) It shall be unlawful for any person to use language (whether
    written or spoken), or visual material, or physical behaviour,
    that --
    (a) expresses hostility against, or brings into contempt or
    ridicule, any other person on the ground of the colour, race, or
    ethnic or national origins of that person; and
    (b) is hurtful or offensive to that other person (whether or not
    that is conveyed to the first-mentioned person) and
    (c) is either repeated, or of such a significant nature, that it
    has a detrimental effect on that other person in respect of any
    of the areas into which this subsection is applied by subsection (2).
    I'll spare you subsection (2), but since Trump wants to keep Mexicans
    out of the country ("access to places") or at least out of jobs
    ("employment, which term includes unpaid work"), I think it's pretty
    clear that what he said was definitely illegal however disseminated.

    The Human Rights Act replaced the Race Relations Act 1971, which
    I believe said something similar.

    > Any politician who opens his or her mouth, especially in an election,...
    Did NZ politicians think to exempt themselves, as is common in USA?

    Perhaps the "public interest" provision? We may have to wait for
    a case to decide that...


    I repeat that I am not a lawyer. I have heard an expert say with
    respect to *consumer protection* laws that you can't sign away your
    rights. Ah. Residential Tenancies Act 1986, section 11(3):
    Any purported waiver by a tenant of any right or power
    conferred upon tenants by this Act shall be of no effect.
    Other business contracts are governed by other acts, but at least
    in the case of getting an apartment, such a waiver might scare the
    tenant but is "of no effect" if it goes to law. Indeed, the title
    of section 11 is "Act generally to apply despite contrary provisions".
    However, the landlord can waive *his* rights and powers.

    > Many things posted anywhere on the Internet, lists like RISKS, no doubt
    offends someone. Lists may need to scrub NZ subscribers from their
    membership.

    > New Zealand law does not bind people outside New Zealand.

    We don't have the numbers, the wealth, or the military power to lean on
    other countries the way, for example, the USA has leaned on the NZ legal
    system. So the RISKS Digest has nothing to fear.

    ------------------------------

    Date: Thu, 9 Jul 2015 07:21:03 -0600
    From: Brian Inglis <Brian....@systematicsw.ab.ca>
    Subject: Leap Second Causes Sporadic Outages Across the Internet (R-28.76)

    Outages of Amazon AWS US EC2, Experian, HipChat, Instagram, Jobvite, Match,
    Netflix, Pinterest, Reddit, Tinder, Yelp, and Zions Bank were initially
    blamed on the leap second by Amazon, who later corrected their diagnosis:
    The root cause of this issue was an external Internet service provider
    incorrectly accepting a set of routes for some AWS addresses from a
    third-party who inadvertently advertised these routes.

    https://blog.thousandeyes.com/route-leak-causes-amazon-and-aws-outage analysis:

    ``the root cause of this was not related to the fiber cuts, but in fact a
    route leak from Axcelx (AS33083), a data center provider in Boston. All of
    Amazon's prefixes originating in AS14618 were affected to some degree."

    Axcelx admits:
    "Our sincere apologies to everyone who experienced a route leak via AS33083
    of AWS. We have a new prefix-list facing Hibernia."

    A large chunk of AWS US EC2 node traffic appears to have been misrouted via
    Hibernia Networks into an Axcelx black hole. This failure, highlighting the
    lack of BGP routing security, could provide fodder for wider future DoS
    attacks or diversions for competitive or malicious reasons. See
    http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/
    (part 2 of 3)

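The route leak described above, modelled as an added example (my code, not from the RISKS post nor from Amazon, Axcelx or Hibernia): a simplified ingress policy on an upstream's customer session with AS33083, run once with origin validation only and once with a per-customer prefix-list as well. The AS numbers are those in the post; the prefixes (RFC 5737 documentation ranges), the ROA table, the prefix-list contents and the announcements are constructed assumptions.

```python
"""Route-leak defence on a customer BGP session: prefix-list plus origin validation.

Added example, not from the RISKS post or from Amazon, Axcelx or Hibernia.
ASNs come from the post (AS14618 = Amazon, AS33083 = Axcelx). The prefixes
(RFC 5737 documentation ranges), the ROA table, the customer prefix-list and
the announcements are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # as_path[0] = neighbour that sent it, as_path[-1] = origin AS

    @property
    def origin(self) -> int:
        return self.as_path[-1]


# Constructed ROA-style table: prefix -> (authorised origin ASN, max prefix length).
ROAS = {
    "198.51.100.0/22": (14618, 24),   # stands in for an Amazon block
    "203.0.113.0/24": (33083, 24),    # stands in for Axcelx's own block
}

# Constructed prefix-list the upstream keeps for its customer session with AS33083.
CUSTOMER_PREFIX_LIST = {33083: ["203.0.113.0/24"]}


def rov_state(ann: Announcement) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(ann.prefix)
    covering = [(ipaddress.ip_network(p), origin, maxlen)
                for p, (origin, maxlen) in ROAS.items()]
    covering = [c for c in covering if net.subnet_of(c[0])]
    if not covering:
        return "not-found"
    if any(origin == ann.origin and net.prefixlen <= maxlen
           for _, origin, maxlen in covering):
        return "valid"
    return "invalid"


def customer_session_filter(neighbour_asn: int, ann: Announcement):
    """Ingress policy on a customer session: returns (accepted, reason).

    Only the customer's registered prefixes, originated by the customer itself,
    are accepted; routes the customer learned from another transit and
    re-exported (the leak) are dropped before they reach the RIB.
    """
    net = ipaddress.ip_network(ann.prefix)
    if not ann.as_path or ann.as_path[0] != neighbour_asn:
        return False, "first AS in path is not the neighbour"
    if ann.origin != neighbour_asn:
        return False, f"origin AS{ann.origin} is not the customer AS{neighbour_asn}"
    allowed = [ipaddress.ip_network(p) for p in CUSTOMER_PREFIX_LIST.get(neighbour_asn, [])]
    if not any(net == a or net.subnet_of(a) for a in allowed):
        return False, "prefix not in customer prefix-list"
    return True, "ok"


def install_routes(neighbour_asn: int, received, use_prefix_list: bool) -> dict:
    """Return {prefix: ROV state} for the routes that would be installed.

    With use_prefix_list=False the only check is ROV, which lets a leak through
    whenever the leaked path still ends in the legitimate origin AS.
    """
    installed = {}
    for ann in received:
        state = rov_state(ann)
        if state == "invalid":
            continue
        if use_prefix_list and not customer_session_filter(neighbour_asn, ann)[0]:
            continue
        installed[ann.prefix] = state
    return installed


# Constructed announcements as the upstream would see them arriving from AS33083.
RECEIVED_FROM_AXCELX = [
    Announcement("203.0.113.0/24", (33083,)),          # Axcelx's own prefix: legitimate
    Announcement("198.51.100.0/24", (33083, 14618)),   # Amazon prefix re-exported: the leak
    Announcement("198.51.100.0/25", (33083, 14618)),   # more specific than the ROA allows
]

if __name__ == "__main__":
    for flag in (False, True):
        print(f"prefix-list={'on' if flag else 'off'}:",
              install_routes(33083, RECEIVED_FROM_AXCELX, flag))
```

The second run makes the practitioner's caveat concrete: origin validation alone passes the leaked 198.51.100.0/24 because its AS path still ends in AS14618, so a leak of this shape is only caught by a prefix-list or AS-path filter on the customer session, whether applied outbound by the customer, as Axcelx says it did facing Hibernia, or inbound by the upstream, as modelled here.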
    ------------------------------

    Date: 9 Jul 2015 09:23:58 -0400
    From: "Bob Frankston" <bob...@bob.ma>
    Subject: Re: [risks 28.76] Re: "Leap Second Problem" and "Growing opposition
    to the Leap Second" (RISKS-28.74)

    "Complacent, lazy" -- there is a real risk in using a moral framing and
    short-circuiting critical thinking. Closely related is using one's implicit
    context and use cases and proof by example.

    In this case we have an intrinsic problem in representation that makes
    TimeSpan(1 minute) undefined. A source of the problem is the implicit
    assumption that there is a single kind of "time". I don't want to belabor
    the issue on this list beyond pointing out that we can have a stable base
    representation and, as with time zones, we can have explicit variations that
    have an adjust for the Earth's wobble. Other uses of "time" require
    different approaches.

    I encounter the problem of moral framing in connectivity policy which I see
    as a structural problem but that's another topic ...

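As an added example of the "stable base representation plus explicit variations" idea in the post (my code, not Frankston's): interval arithmetic carried out on TAI, which has no leap seconds, with UTC treated as a view derived from a leap-second table. The three table rows are the published TAI-UTC offsets for those dates; the function names and the (y, m, d, H, M, S) tuple convention are assumptions of the example.

```python
"""UTC civil time vs a leap-second-free base scale (TAI) for interval arithmetic.

Added example, not from the RISKS post. The leap-second table excerpt carries
the published TAI-UTC offsets for the dates shown; the function names and the
tuple input convention are assumptions made for illustration.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# (UTC instant from which the offset applies, TAI - UTC in seconds).
# Constructed excerpt; the full table is maintained by IERS.
LEAP_TABLE = [
    (datetime(2009, 1, 1, tzinfo=UTC), 34),
    (datetime(2012, 7, 1, tzinfo=UTC), 35),
    (datetime(2015, 7, 1, tzinfo=UTC), 36),   # the 30 June 2015 leap second
]


def tai_minus_utc(instant: datetime) -> int:
    """Offset in effect at a UTC instant (the table must cover it)."""
    offset = None
    for effective, value in LEAP_TABLE:
        if instant >= effective:
            offset = value
    if offset is None:
        raise ValueError("instant precedes the leap-second table")
    return offset


def leap_second_exists(year: int, month: int, day: int) -> bool:
    """True if this UTC day ends with a 23:59:60 (offset steps up at the next midnight)."""
    midnight = datetime(year, month, day, tzinfo=UTC) + timedelta(days=1)
    return any(effective == midnight and i > 0 and LEAP_TABLE[i - 1][1] < value
               for i, (effective, value) in enumerate(LEAP_TABLE))


def utc_to_tai(year, month, day, hour, minute, second) -> datetime:
    """Map a UTC civil time, including second == 60, onto a naive TAI datetime.

    datetime itself rejects second=60; the leap second is handled by taking the
    preceding :59 and adding one real second on the TAI scale.
    """
    extra = 0
    if second == 60:
        if (hour, minute) != (23, 59) or not leap_second_exists(year, month, day):
            raise ValueError("no leap second at that minute")
        second, extra = 59, 1
    civil = datetime(year, month, day, hour, minute, second, tzinfo=UTC)
    tai = civil + timedelta(seconds=tai_minus_utc(civil) + extra)
    return tai.replace(tzinfo=None)   # naive: TAI has no zone and no leap seconds


def elapsed_seconds(start, end) -> int:
    """Real seconds between two UTC civil times given as (y, m, d, H, M, S) tuples."""
    return int((utc_to_tai(*end) - utc_to_tai(*start)).total_seconds())


def naive_elapsed_seconds(start, end) -> int:
    """What plain UTC datetime subtraction reports: leap seconds are invisible."""
    return int((datetime(*end, tzinfo=UTC) - datetime(*start, tzinfo=UTC)).total_seconds())


if __name__ == "__main__":
    a = (2015, 6, 30, 23, 59, 0)
    b = (2015, 7, 1, 0, 1, 0)
    print("TAI-based:", elapsed_seconds(a, b), "naive UTC:", naive_elapsed_seconds(a, b))
```

Plain datetime subtraction reports 120 s for the last minute of 30 June 2015 plus the first minute of 1 July, and refuses to construct 23:59:60 at all (ValueError), which is the "TimeSpan(1 minute) undefined" problem; on the TAI scale the same interval is 121 s and the leap second is an ordinary instant.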
    ------------------------------

    Date: Thu, 09 Jul 2015 15:11:51 +0100
    From: Wols Lists <antl...@youngman.org.uk>
    Subject: Re: Samsung is being sued in China (Werner U in RISKS-28.76)

    > Out of a study of 20 smartphones, Samsung and Oppo were found to be the
    > worst culprits. A model of Samsung's Galaxy Note 3 contained 44
    > pre-installed apps that could not be removed from the device, while Oppo's
    > X9007 phone had 71.

    I have/had a Samsung Galaxy Ace. I've renewed my contract and got a new
    phone in the last month or so. Why? Because, with only a few apps of my
    own choice installed, the phone is now so overloaded with bloatware that
    updates fail with "insufficient space on device". And that's with pretty
    much everything that CAN be moved, moved onto the 16 GB SD card.

    ------------------------------

    Date: Sat, 11 Jul 2015 11:01:39 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Ada Lovelace and Babbage

    This morning, my wife and I went into the Chilmark Library to see the art
    works of a childhood friend. On the New Books shelf, I stumbled onto a
    very new book -- just published this month (July 2015):

    The Thrilling Adventures of LOVELACE and BABBAGE
    The (Mostly) True Story of the First Computer
    by Sydney Padua

    The third of three title pages looks something like this, with old fonts and
    many font sizes that I cannot begin to reproduce in ASCII:

    !!!! Triumphant Debut of !!!!
    ADA
    Countess of Lovelace,
    the Secret Origin!
    WITH the Celebrated and Ingenious Mechanician, Professor
    CHARLES BABBAGE
    and his
    Wonderful Calculating Machine
    The Tragical Conclusion Marvelously Averted by the Formation of
    A POCKET UNIVERSE
    to Be the Scene of Diverse Amusing & Thrilling Adventures
    With Humourous CUTS and Other PICTORIAL Embellishments!

    Sydney Padua has drawn on documents from Ada and Babbage, done some
    extraordinarily good research, augmented an amazingly clever presentation
    with extensive footnotes and some diagrams never previously published. For
    those of you not familiar with the early history of computing, this might be
    a good place to start. The first thirty pages are straight historical
    stuff, apparently very true to historical records -- up to a brief
    relatively unhappy ending. However, from there on Padua has provided a
    delightful alternative (his)story.

    We have observed many times in The Risks Forum that some things don't change
    very rapidly. Many elements of hardware were present in Babbage's notion of
    the Difference Engine in the mid-1800s, and many elements of programming
    were present in Ada Lovelace's then-contemporary would-be software
    constructions.

    Cheers! Peter

    ------------------------------

    Date: Mon, 17 Nov 2014 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
    if possible and convenient for you. The mailman Web interface can
    be used directly to subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks
    Alternatively, to subscribe or unsubscribe via e-mail to mailman
    your FROM: address, send a message to
    risks-...@csl.sri.com
    containing only the one-word text subscribe or unsubscribe. You may
    also specify a different receiving address: subscribe address= ... .
    You may short-circuit that process by sending directly to either
    risks-s...@csl.sri.com or risks-un...@csl.sri.com
    depending on which action is to be taken.

    Subscription and unsubscription requests require that you reply to a
    confirmation message sent to the subscribing mail address. Instructions
    are included in the confirmation message. Each issue of RISKS that you
    receive contains information on how to post, unsubscribe, etc.

    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines.

    => .UK users may contact <Lindsay....@newcastle.ac.uk>.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you NEVER send mail!
    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line.
    *** NOTE: Including the string `notsp' at the beginning or end of the subject
    *** line will be very helpful in separating real contributions from spam.
    *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
    http://www.risks.org takes you to Lindsay Marshall's searchable archive at
    newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    <http://the.wiretapped.net/security/info/textfiles/ri