RISKS Forum mailing list archives
Risks Digest 27.44
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 28 Aug 2013 11:36:26 PDT
RISKS-LIST: Risks-Forum Digest  Wednesday 28 August 2013  Volume 27 : Issue 44

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.44.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
*NY Times* Site is Disrupted in Attack by Hackers
  (Haughney/Perlroth via Dewayne Hendricks)
NSA intimidation expanding surveillance state (Bruce Schneier via Dewayne Hendricks)
In ACLU lawsuit, scientist demolishes NSA's `It's just metadata'
  (Joe Mullin via Dewayne Hendricks)
In ACLU lawsuit, scientist demolishes NSA's `It's just metadata' (Emin Gun Sirer)
Cry wolf: Early warning for an earthquake (ishikawa)
More risks of CableWiFi (Bob Frankston)
REVIEW: Hacking Exposed Mobile: Security Secrets & Solutions (Ben Rothke)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: August 28, 2013 2:21:50 AM EDT
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: *NY Times* Site is Disrupted in Attack by Hackers (Haughney/Perlroth)

Christine Haughney and Nicole Perlroth, *The New York Times*, 27 Aug 2013
(via Dave Farber)
http://www.nytimes.com/2013/08/28/business/media/hacking-attack-is-suspected-on-times-web-site.html

*The New York Times* Web site was unavailable to readers on Tuesday afternoon after an online attack on the company's domain name registrar. The attack also forced employees of The Times to take care in sending e-mails. The hacking was just the latest of a major media organization, with *The Financial Times* and *The Washington Post* also having their operations disrupted within the last few months.
It was also the second time this month that the Web site of The New York Times was unavailable for several hours.

Marc Frons, chief information officer for The New York Times Company, issued a statement at 4:20 p.m. on Tuesday warning employees that the disruption -- which appeared to be affecting the Web site well into the evening -- was ``the result of a malicious external attack.'' He advised employees to ``be careful when sending e-mail communications until this situation is resolved.''

In an interview, Mr. Frons said the attack was carried out by a group known as ``the Syrian Electronic Army, or someone trying very hard to be them.'' The group attacked the company's domain name registrar, Melbourne IT. The Web site first went down after 3 p.m.; once service was restored, the hackers quickly disrupted the site again. Shortly after 6 p.m., Mr. Frons said that ``we believe that we are on the road to fixing the problem.''

The Syrian Electronic Army is a group of hackers who support President Bashar al-Assad of Syria. Matt Johansen, head of the Threat Research Center at White Hat Security, posted on Twitter that he was directed to a Syrian Web domain when he tried to view The Times's Web site.

Until now, The Times has been spared from being hacked by the S.E.A., but on 15 Aug, the group attacked The Washington Post's Web site through a third-party service provided by a company called Outbrain. At the time, the S.E.A. also tried to hack CNN. Just a day earlier, The Times's Web site was down for several hours. The Times cited technical problems and said there was no indication the site had been hacked.

The S.E.A. first emerged in May 2011, during the first Syrian uprisings, when it started attacking a wide array of media outlets and nonprofits and spamming popular Facebook pages like President Obama's and Oprah Winfrey's with pro-Assad comments. Their goal, they said, was to offer a pro-government counter-narrative to media coverage of Syria.
The group, which also disrupted *The Financial Times* in May, has consistently denied ties to the government and has said it does not target Syrian dissidents, but security researchers and Syrian rebels say they are not convinced. They say the group is the outward-facing campaign of a much quieter surveillance campaign focused on Syrian dissidents and are quick to point out that Mr. Assad once referred to the S.E.A. as ``a real army in a virtual reality.'' ...

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>

------------------------------

Date: Tuesday, August 27, 2013
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: NSA intimidation expanding surveillance state (Bruce Schneier)

Bruce Schneier, Aug 27 2013
NSA intimidation expanding surveillance state
We need protection from intelligence-gathering run amok
(via Dave Farber)
http://www.usatoday.com/story/opinion/2013/08/27/nsa-snowden-russia-obama-column/2702461/

If there's any confirmation that the U.S. government has commandeered the Internet for worldwide surveillance, it is what happened with Lavabit earlier this month.

Lavabit is -- well, was -- an e-mail service that offered more privacy than the typical large-Internet-corporation services that most of us use. It was a small company, owned and operated by Ladar Levison, and it was popular among the tech-savvy. NSA whistleblower Edward Snowden was among its half-million users.

Last month, Levison reportedly received an order -- probably a National Security Letter -- to allow the NSA to eavesdrop on everyone's e-mail accounts on Lavabit. Rather than "become complicit in crimes against the American people," he turned the service off.
Note that we don't know for sure that he received an NSL -- that's the order authorized by the Patriot Act that doesn't require a judge's signature and prohibits the recipient from talking about it -- or what it covered, but Levison has said that he had complied with requests for individual e-mail access in the past, but this was very different.

So far, we just have an extreme moral act in the face of government pressure. It's what happened next that is the most chilling. The government threatened him with arrest, arguing that shutting down this e-mail service was a violation of the order.

There it is. If you run a business, and the FBI or NSA want to turn it into a mass surveillance tool, they believe they can do so, solely on their own initiative. They can force you to modify your system. They can do it all in secret and then force your business to keep that secret. Once they do that, you no longer control that part of your business. You can't shut it down. You can't terminate part of your service. In a very real sense, it is not your business anymore. It is an arm of the vast U.S. surveillance apparatus, and if your interest conflicts with theirs then they win. Your business has been commandeered. ...

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>

------------------------------

Date: Aug 27, 2013 5:18 PM
From: "Dewayne Hendricks" <dewayne () warpspeed com>
Subject: In ACLU lawsuit, scientist demolishes NSA's `It's just metadata' (Joe Mullin)

Joe Mullin, Arstechnica, 27 Aug 2013
In ACLU lawsuit, scientist demolishes NSA's ``It's just metadata'' excuse
The power of metadata: Addiction, sex, and accusations can all be discovered.
http://arstechnica.com/tech-policy/2013/08/in-aclu-lawsuit-scientist-demolishes-nsa-its-just-metadata-excuse/

When the scandal about the National Security Agency (NSA) leaks first broke, one of the government's talking points quickly became that its giant database of domestic phone calls was simply "metadata."
"Nobody is listening to your telephone calls," said President Barack Obama a few days after the program became public. "That's not what this program's about... by sifting through this so-called metadata, they may identify potential leads with respect to folks who might engage in terrorism."

Privacy activists noted that the "metadata" held plenty of private information. Just six days after the Snowden NSA leaks revealed that the government was collecting essentially all telephone call "metadata," the ACLU filed a new lawsuit challenging the practice as unconstitutional.

Yesterday, the ACLU filed a declaration by Princeton Computer Science Prof. Edward Felten to support its quest for a preliminary injunction in that lawsuit. Felten, a former technical director of the Federal Trade Commission, has testified to Congress several times on technology issues, and he explained why "metadata" really is a big deal.

Storage and data-mining have come a long way in the past 35 years, Felten notes, and metadata is uniquely easy to analyze -- unlike the complicated data of a call itself, with variations in language, voice, and conversation style.

"This newfound data storage capacity has led to new ways of exploiting the digital record," writes Felten. "Sophisticated computing tools permit the analysis of large datasets to identify embedded patterns and relationships, including personal details, habits, and behaviors."

There are already programs that make it easy for law enforcement and intelligence agencies to analyze such data, like IBM's Analyst's Notebook. IBM offers courses on how to use Analyst's Notebook to understand call data better.

Unlike the actual contents of calls and e-mails, the metadata about those calls often can't be hidden. And it can be incredibly revealing -- sometimes more so than the actual content. Knowing who you're calling reveals information that isn't supposed to be public.
Inspectors general at nearly every federal agency, including the NSA, "have hotlines through which misconduct, waste, and fraud can be reported." Hotlines exist for people who suffer from addictions to alcohol, drugs, or gambling; for victims of rape and domestic violence; and for people considering suicide. Text messages can measure donations to churches, to Planned Parenthood, or to a particular political candidate.

Felten points out what should be obvious to those arguing "it's just metadata" -- the most important piece of information in these situations is the recipient of the call. [...]

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>

------------------------------

Date: August 28, 2013 8:20:27 AM EDT
From: Emin Gun Sirer <egs () systems cs cornell edu>
Subject: In ACLU lawsuit, scientist demolishes NSA's `It's just metadata'

Here's my take on why the term "metadata" is a red herring, invented to distract the public.

Metadata is in the eye of the beholder
by Emin Gun Sirer
http://hackingdistributed.com/2013/08/02/metadata/

The intelligence community has been harping on the word "metadata" to try to underscore that the information they collected is not quite "data", is not subject to the same limits, and is not quite as bad. I want to put an end to this charade, by way of an analogy.

Clearly, what constitutes data versus metadata is determined not by any intrinsic property of the data itself, but by the questions that that data is meant to answer. Let's examine what it is that the intelligence community wants to do with phone call records and online activity logs to see if it fits any kind of meta designation.

The contents of phone conversations are clearly important. If our goal is to stop an immediate attack, a voice that says "attack at dawn" is what we want to catch. And this is the imaginary scenario that the intelligence community will play up.
But if our goal is to investigate a network, to find out who is related to whom by what degree, and what their usual communication activities are, then the call log "metadata" is very much the actual data we seek. It is not one step removed; it is the very thing and the only thing we want. If we're doing anomaly detection or community discovery or determining some kind of a simplistic color-coded terror alert level, we'd be able to do our analyses solely with metadata.

The "meta" designation is really an attempt to denigrate the value of the data at stake, to insinuate that this data is one step removed from that which we want, and to subtly insist that it should therefore be subject to less scrutiny.

Yet metadata is often far more valuable than so-called data itself. Take, for instance, the NSA's current predicament following Snowden's leaks. What Snowden leaked was information about the information that the NSA collected. Since NSA calls that information "metadata," this makes Snowden's leaks meta-metadata. I don't need to belabor how damaging the leak was for the NSA. And going further, here's the NSA's response to a FOIA request, explaining why revealing the presence or absence of some metadata (which would be meta-metadata) would cause grave harm to the United States, because it would reveal information about the capabilities of the NSA. We're veering off to cubic-meta territory here.

There have been narrow legalistic arguments between legal scholars about the privacy guarantees over call records. While it's futile to try to keep lawyers from discussing arcane legalistic definitions, these discussions all miss the point. Simply put, the public finds it creepy for the government to track their lives, their interactions and their overall behavior at that scale and in that fashion.
Jane Average can turn a blind eye towards evil, unwarranted or even illegal activities on occasion, especially if they take place overseas, but a domestic creeper is a hard sell to families.

So the intelligence community, which never met-a-data that it didn't want to collect, should drop the whole metadata charade. The discussion should not be about legalistic definitions. It should be whether or not collecting this particular information, for the particular purpose of massively cross-linking and analyzing it, at this massive scale, is at odds with our values.

------------------------------

Date: Wed, 28 Aug 2013 13:37:20 +0900
From: ishikawa <ishikawa () yk rim or jp>
Subject: Cry wolf: Early warning for an earthquake

In Japan, due to the large number of earthquakes and the potential damage to the social infrastructure and people's lives, many sensors on land and on the sea bed have been installed to allow a government agency to detect a tremor as it happens and, before the vibration through the earth's crust reaches populated cities, send early warnings by radio and wire.

How is such a warning useful? It can help organizations or people to take preventive actions such as:

 * speeding trains can hit the brake automatically before the tremor causes danger,
 * drivers of cars can slow down after hearing the notice on the radio or seeing it on a billboard, if they are lucky, and most importantly,
 * people can take safety positions (or at least not be taken by surprise when the tremor hits).

The early warning, given only for large earthquakes, gives 10-20 seconds of preparation time (of course, it depends on how far you are from the epicenter), and has been sent over TV. Lately the frequency of such warnings has shot up, after the big earthquake in March 2011. Obviously, geophysically, there are more large earthquakes than before, especially in the eastern part of Japan.
On August 8th, the agency in charge of the warning sent out such an early warning over TV, and these days they are sent to mobile phones as well.

At the office, during a conversation, I noticed a strange beep from my mobile phone (the unit was configured to receive the signal automatically by default; I didn't know this) and thought I must have set a wrong alarm or something. Then a few moments later everybody's mobile began sending out this sound in the office, and eventually some units gave out audio warnings as well. And when I looked at the phone's screen, it displayed the early warning of a really big earthquake in the western part of Japan.

I looked at my watch and thought it would be 40 seconds before it hit our office in Tokyo, assuming the tremor traveled at approximately 10 km/sec. (Actually the so-called primary wave travels at 5-7 km/sec, so 100-120 seconds is more like it.) I was on the seventh floor of a building. Not the best place to be when a big tremor comes.

40 seconds passed, but nothing happened. People's tension eased up gradually. Eventually, it was determined that the signal was a false alarm indeed.

What happened was: According to an explanation released two days later, a sensor detected a vibration (which seems to have been caused by a true but very weak tremor) in one place, but at the same instant, an ocean-floor sensor placed not far away (approx. 100 km) detected a noise, and the system as a whole regarded this noise as part of a large earthquake that had just occurred, and thus sent out the warning to a wide area after deducing the strength of the earthquake.

After three weeks, people's reactions, which I culled from some blog postings (not very scientific), are:

 - oh boy, somebody screwed up royally :-) (To date, nobody has filed an official suit for financial damage caused by the false alarm, etc.)
 - it is a good thing that some train services, etc. indeed stopped quickly. (Some wonder why some services did NOT stop!)
 - if a false alarm of this scale occurs two more times, maybe people won't bother to take notice anymore.

I agree with the second sentiment. It is not usually possible to test this scheme in such a wide-scale realistic manner. Thanks to the false alarm, we got a real-world drill! I am afraid of the third scenario, which is likely to happen :-(

It is true that organizations in charge of large-scale infrastructure are taking this earthquake warning seriously: for example, the national railway system was the first to introduce such automatic braking of speeding trains in the 1980s, and it has already proved useful. A Shinkansen bullet train slowed down enough due to such an early warning of a big earthquake that, although the wheels came off the track, the train remained upright and intact and nobody got hurt (this happened in 2004, the first such derailment incident for the Shinkansen). Thanks to this warning, Shinkansen trains did not get derailed even during the big earthquake in 2011. Railway companies do learn.

But ordinary people may not take these warnings seriously enough if false alarms continue. And people injured in such situations need medical care/help, which compounds the already jammed traffic routes in such situations.

There are things that people can do in the 10-20 seconds between the warning and the tremor. A simple move like trying to stay away from loose furniture, or moving away from loose structures hanging from the ceiling, can avoid many injuries. Or get out of the elevator car quickly by punching all floor buttons and exiting immediately as soon as the car stops. This will save rescue workers from having to visit every building to free people trapped in the car. (Many Japanese elevators stop when big earthquakes hit them.) Or open the entrance door of the office or home so that it will stay open even if the door frame gets warped due to the strong vibration. This will save people from being trapped in a room or office, etc.
On and on, there are things people can learn to do. But if people come to disregard the warning, that is tough.

September 1st is the 90th anniversary of the Great Kanto Earthquake that devastated the Tokyo/Yokohama area in 1923. To be honest, I thought, as an afterthought, that the alarm sent out on August 8th was a god-sent opportunity for a serious drill for this anniversary. But not many people are as lenient toward false alarms.

We need to learn to cope with such false alarms of highly useful ICT systems. But how often such false alarms can be tolerated is a matter of discussion, I suppose. The straight explanation of the false alarm by the agency in charge seemed to help people's acceptance of the error in this case.

(If only we could have had some kind of real-world drill(s) of nuclear power stations losing power, etc. before the March 11, 2013 earthquake.)

------------------------------

Date: 28 Aug 2013 10:07:58 -0400
From: "Bob Frankston" <Bob19-0501 () bobf frankston com>
Subject: More risks of CableWiFi

Recently I noted a Risk of Xfinity (AKA CableWiFi) in that your connection can get captured by an access point that isn't fully functioning or is weak. With Cox announcing the availability of their Wi-Fi service I realize there seems to be yet another set of risks in a simple denial of service by spoofing SSIDs or MAC addresses. Of course it would also be easy to listen in on any conversation that doesn't use end-to-end encryption because too many apps and protocols still presume we can trust "providers" of the pipe.

These are not fundamental risks in themselves as much as a risk of using old paradigms (in this case, the railroad metaphors for speech as a service) and treating the engineering heuristic of layering as if it were a necessary design principle. There are many similar examples, as when we try to solve the problem of extending GPS rather than recognizing that the goal of providing location information needn't depend on a signal from a satellite.
More at http://rmf.vc/DNCableWiFi

------------------------------

Date: Tue, 27 Aug 2013 22:19:10 -0400
From: Ben Rothke <brothke () hotmail com>
Subject: REVIEW: Hacking Exposed Mobile: Security Secrets & Solutions

Little did anyone know, when the first Hacking Exposed books came out over 15 years ago, that it would launch a set of sequels on topics from Windows, Linux, and web development to virtualization and cloud computing, and much more. It was a series that launched a generation of script kiddies, in addition to security experts.

In 2013, the newest edition is Hacking Exposed Mobile: Security Secrets & Solutions. In this edition, authors Neil Bergman, Mike Stanfield, Jason Rouse & Joel Scambray provide an extremely detailed overview of the security and privacy issues around mobile devices. The authors have decades of experience in the various mobile topics and bring that to every chapter.

Full review at
http://www.rsaconference.com/blogs/410/rothke/hacking-exposed-mobile-security-secrets-solutions

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request () csl sri com
containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or
   risks-unsubscribe () csl sri com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
   is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.44
************************
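The Felten declaration and the Sirer item earlier in this issue both argue that call records alone (caller, callee, time, duration) carry the sensitive fact, because the recipient of a call is the information, and that network analysis wants exactly those records. The following privacy-impact demonstration is an added example for this archive, not part of the digest or of any contributor's post: it runs a handful of constructed call-detail records against a constructed directory of hotline numbers and then walks the who-called-whom graph. Every number, label and record in it is made up.

```python
"""What phone-call "metadata" alone reveals: a privacy-impact demonstration.

Each record is (caller, callee, unix_time, duration_s), the fields of a
call-detail record, with no call content.  Every number, label and record
here is constructed for the example.
"""
from collections import defaultdict, deque

# Constructed directory of publicly listed numbers whose category is sensitive.
SENSITIVE_NUMBERS = {
    "+1-555-0100": "inspector-general hotline",
    "+1-555-0101": "addiction helpline",
    "+1-555-0102": "domestic-violence hotline",
    "+1-555-0103": "suicide-prevention line",
}

# Constructed call-detail records.
CDRS = [
    ("+1-555-0200", "+1-555-0100", 1377600000, 45),    # A -> IG hotline
    ("+1-555-0200", "+1-555-0100", 1377686400, 900),   # A -> IG hotline again, 15 min
    ("+1-555-0201", "+1-555-0102", 1377601000, 1200),  # B -> DV hotline
    ("+1-555-0201", "+1-555-0103", 1377604600, 30),    # B -> suicide line
    ("+1-555-0202", "+1-555-0200", 1377605000, 300),   # C -> A
    ("+1-555-0203", "+1-555-0202", 1377606000, 120),   # D -> C
    ("+1-555-0204", "+1-555-0205", 1377607000, 60),    # E -> F, unrelated pair
]


def sensitive_contacts(cdrs, directory):
    """Per caller: {category: (call_count, total_seconds)} for sensitive callees.

    The recipient alone carries the fact (Felten's point); content is unneeded.
    """
    out = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for caller, callee, _ts, dur in cdrs:
        label = directory.get(callee)
        if label:
            out[caller][label][0] += 1
            out[caller][label][1] += dur
    return {c: {k: tuple(v) for k, v in d.items()} for c, d in out.items()}


def contact_graph(cdrs):
    """Undirected who-called-whom graph: the 'network' Sirer says is the data."""
    g = defaultdict(set)
    for caller, callee, _ts, _dur in cdrs:
        g[caller].add(callee)
        g[callee].add(caller)
    return g


def degrees_of_separation(graph, src, dst):
    """BFS hop count between two numbers, or None if they are unconnected."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


if __name__ == "__main__":
    for caller, cats in sensitive_contacts(CDRS, SENSITIVE_NUMBERS).items():
        print(caller, cats)
    g = contact_graph(CDRS)
    # D never called a hotline, yet sits two hops from someone who did.
    print("hops D -> IG hotline:", degrees_of_separation(g, "+1-555-0203", "+1-555-0100"))
    print("E/F linked to A?", degrees_of_separation(g, "+1-555-0204", "+1-555-0200"))
```

Nothing in the block looks at what was said on any call; repeated, long calls to one hotline and the hop distance from a flagged number are derived from the four metadata fields alone.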