RISKS Forum mailing list archives
Risks Digest 27.80
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 17 Mar 2014 16:56:13 PDT
RISKS-LIST: Risks-Forum Digest  Monday 17 March 2014  Volume 27 : Issue 80

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.80.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Malaysia Airlines Flight MH370 network hacked? (Andrew Douglass)
As the Web Turns 25, Its Creator Talks About Its Future (Nick Bilton)
What the Internet of 2025 Might Look Like (Brian R. Fitzgerald)
Cyberattacks Could Paralyze U.S., Former Defense Chief Warns (Patrick Thibodeau)
"The Future of Internet Freedom" (Eric E. Schmidt and Jared Cohen)
Worrying about NSA? Concentrate on Experian instead (George Sadowsky)
NSA wants to infect **millions** of computers (Dan Gillmor)
Who watches the watchers? (Henry Baker)
Governor Christie's New Scandal: Verizon's Fiber-Optic-"Digital Bridge" Gate
  (Bruce Kushnick)
Man called Bitcoin's father denies ties, leads LA car chase (Lauren Weinstein)
Re: Anne Rice (David E. Ross)
Re: TrustyCon and the RSA con NSA poll (the wharf rat)
Re: Apple's GotoFail Security Mess (John Beattie)
Re: Applied Systems Theory (George Ledin)
Re: Threat Modeling: Designing for Security (Paul Edwards)
BOOK: Rebecca Slayton: Arguments That Count (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 12 Mar 2014 14:23:39 -0400
From: Andrew Douglass <andrew () douglass org>
Subject: Malaysia Airlines Flight MH370 network hacked?

http://www.ibtimes.co.uk/malaysia-airlines-flight-mh370-could-jets-system-have-been-hacked-1439928

I'm hoping it's nonsense that such commingling would ever be approved in the
first place.

* The concern was that the passenger in-flight entertainment system would be
  connected to critical systems for managing the safety and maintenance of
  the aircraft.

* Passenger seatback entertainment systems come with ethernet and USB ports,
  which would in theory enable access to a hacker to the critical computer
  systems.

  [There is still lots of speculation regarding this incident, and lots of
  definitude that may or may not eventually be determined.  PGN]

------------------------------

Date: Wed, 12 Mar 2014 11:31:29 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: As the Web Turns 25, Its Creator Talks About Its Future (Nick Bilton)

Nick Bilton, *The New York Times*, 11 Mar 2014
[Via ACM TechNews, Wednesday, March 12, 2014]

The creators of the World Wide Web, including Sir Tim Berners-Lee, worry that
companies could destroy the open nature of the Internet in their quest to make
more money.  The World Wide Web Foundation estimates that every minute,
billions of connected users send each other hundreds of millions of messages,
share 20 million photos, and exchange at least $15 million in goods and
services.  "I spent a lot of time trying to make sure people could put
anything on the Web, that it was universal," Berners-Lee says.  "Obviously, I
had no idea that people would put literally everything on it."  However,
despite all of the advances brought about by the World Wide Web, he says
people need to realize that a current battle around so-called network
neutrality could permanently harm the future of the Web.  "The Web should be
a neutral medium.  The openness of the Web is really, really important,"
Berners-Lee says.  "It's important for the open markets, for the economy, and
for democracy."  He plans to spend the next year working with Web consortia to
spread awareness of these issues.  "It's possible that people end up taking
the Web for granted and having it pulled out from underneath them," he says.

http://bits.blogs.nytimes.com/2014/03/11/as-the-world-wide-web-turns-25-fear-about-its-future/

------------------------------

Date: Wed, 12 Mar 2014 11:31:29 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: What the Internet of 2025 Might Look Like (Brian R. Fitzgerald)

Brian R. Fitzgerald, *The Wall Street Journal*, 11 March 2014
[Via ACM TechNews, Wednesday, March 12, 2014]

As the Internet approaches its 25-year anniversary, the Pew Research Center
has released responses from science and technology experts about what the
future Internet might look like.  Pew had asked a group of experts in various
fields what impact they thought the Internet would have in 2025 on social,
political, and economic processes.  Experts predict the Internet will be
thoroughly embedded in homes and integrated into people's daily lives, with
some noting a rise in wearable technology, massive open online courses, and
business model changes.  "We may literally be able to adjust both medications
and lifestyle changes on a day-by-day basis or even an hour-by-hour basis,
thus enormously magnifying the effectiveness of an ever more understaffed
medical delivery system," predicts University of California, Berkeley software
developer Aron Roberts.  Massachusetts Institute of Technology senior research
scientist David Clark says devices will become increasingly autonomous.  "More
and more, humans will be in a world in which decisions are being made by an
active set of cooperating devices," Clark says.  Google chief Internet
evangelist and ACM president Vint Cerf says business models will need to adapt
to the economics of digital communication and storage.  He also says, "We may
finally get to Internet voting, but only if we have really strong
authentication methods available."

http://blogs.wsj.com/digits/2014/03/11/what-the-internet-of-2025-might-look-like/

------------------------------

Date: Wed, 12 Mar 2014 11:31:29 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: Cyberattacks Could Paralyze U.S., Former Defense Chief Warns
  (Patrick Thibodeau)

Patrick Thibodeau, *Computerworld* 11 March 2014
[Via ACM TechNews, Wednesday, March 12, 2014]

Former U.S. Secretary of Defense Leon Panetta on Tuesday said a large-scale
cyberattack against U.S. infrastructure is "the most serious threat in the
21st century."  Panetta emphasized the need for improved cyberdefense and
public education about cyberattack risks and said a large-scale attack could
"devastate our critical infrastructure and paralyze our nation."  He compared
the impact of a cyberattack to the damage caused by Hurricane Sandy.  "We have
to take steps to better defend ourselves against this threat," Panetta said.
"The American people need to understand that this is not about hacking and
identity theft, it has the potential for a major attack on the United States."
Meanwhile, the U.S. Justice Department's Richard Downing warned that
international cybercriminals are becoming more involved with organized crime,
which makes their activities harder to stop.  Downing also said extradition
difficulties and evidence gathering are obstacles to stopping cybercriminals,
particularly in less technically-advanced countries.  In addition, Georgetown
University's Catherine Lotrionte estimated that losses from international
intellectual property theft average about $300 billion a year.

http://www.computerworld.com/s/article/9246886/Cyberattacks_could_paralyze_U.S._former_defense_chief_warns

------------------------------

Date: Wed, 12 Mar 2014 08:59:53 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: "The Future of Internet Freedom" (Eric E. Schmidt and Jared Cohen)

The details aren't pretty.

  In Russia, the government has blocked tens of thousands of dissident sites;
  at times, all WordPress blogs and Russian Wikipedia have been blocked.  In
  Vietnam, a new law called Decree 72 makes it illegal to digitally
  distribute content that opposes the government, or even to share news
  stories on social media.  And in Pakistan, sites that were available only
  two years ago - like Tumblr, Wikipedia and YouTube - are increasingly
  replaced by unconvincing messages to "Surf Safely."

http://bits.blogs.nytimes.com/2014/03/10/at-sxsw-snowden-speaks-about-n-s-a-spying/?hp

A later version appeared as an op-ed in *The New York Times* on 12 Mar 2014.

------------------------------

Date: March 10, 2014 at 1:34:06 PM EDT
From: George Sadowsky <george.sadowsky () gmail com>
Subject: Worrying about NSA? Concentrate on Experian instead

14 Mar 2014 (via Dave Farber)

Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
http://krebsonsecurity.com

In October 2013, KrebsOnSecurity published an exclusive story detailing how a
Vietnamese man running an online identity theft service bought personal and
financial records on Americans directly from a company owned by Experian, one
of the three major U.S. credit bureaus.  Today's story looks deeper at the
damage wrought in this colossal misstep by one of the nation's largest data
brokers.

Vietnamese national Hieu Minh Ngo pleaded guilty last week to running the ID
theft service Superget.info.

Last week, Hieu Minh Ngo, a 24-year-old Vietnamese national, pleaded guilty to
running an identity theft service out of his home in Vietnam.  Ngo was
arrested last year in Guam by U.S. Secret Service agents after he was lured
into visiting the U.S. territory to consummate a business deal with a man he
believed could deliver huge volumes of consumers' personal and financial data
for resale.  But according to prosecutors, Ngo had already struck deals with
one of the world's biggest data brokers: Experian.

Court records just released last week show that Ngo tricked an Experian
subsidiary into giving him direct access to personal and financial data on
more than 200 million Americans.

------------------------------

Date: March 12, 2014 at 12:24:32 PM EDT
From: Dan Gillmor <dan () gillmor com>
Subject: NSA wants to infect **millions** of computers (via Dave Farber)

Even paranoid people were underestimating the threat, it seems:

https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/

------------------------------

Date: Tue, 11 Mar 2014 16:53:07 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Who watches the watchers?

A.k.a. "Quis custodiet ipsos custodes?" -- a Latin phrase attributed to the
Roman poet Juvenal.

http://en.wikipedia.org/wiki/Quis_custodiet_ipsos_custodes%3F

A version of Russell's Paradox states "The barber is a man in town who shaves
all those, and only those, men in town who do not shave themselves."  This
"diagonalization" argument is also used to prove the undecidability of logical
problems.

http://en.wikipedia.org/wiki/Barber_paradox

Clearly, Senator Feinstein, as one of the watchdogs of the intelligence
agencies, has been just as shocked and surprised as the rest of us to find out
how lawless and ungovernable these intelligence agencies have become.  But the
ancient Romans clearly understood the problem that the watchers all too easily
become unwatchable.

http://www.washingtonpost.com/world/national-security/transcript-sen-dianne-feinstein-says-cia-searched-intelligence-committee-computers/2014/03/11/200dc9ac-a928-11e3-8599-ce7295b6851c_story.html

Feinstein: CIA searched Senate computers
Transcript: Sen. Dianne Feinstein says CIA searched Intelligence Committee
computers

Sen. Dianne Feinstein on Tuesday morning accused the CIA of violating federal
law, detailing how the agency secretly removed documents from computers used by
the Senate Intelligence Committee.
The following is a complete transcript of Feinstein's speech, courtesy of
Federal News Service.

Good morning.  Over the past week, there have been numerous press articles
written about the Intelligence Committee's oversight review of the detention
and interrogation program of the CIA.  Specifically, press attention has
focused on the CIA's intrusion and search of the Senate Select Committee's
computers, as well as the committee's acquisition of a certain internal CIA
document known as the `Panetta Review.'

I rise today to set the record straight and to provide a full accounting of
the facts and history.

Let me say up front that I come to the Senate floor reluctantly.  Since
January 15th, 2014, when I was informed of the CIA search of this committee's
network, I've been trying to resolve this dispute in a discreet and respectful
way.  I have not commented in response to media requests for additional
information on this matter, however the increasing amount of inaccurate
information circulating now cannot be allowed to stand unanswered.

The origin of this study, the CIA's detention and interrogation program, began
operations in 2002, though it was not until September, 2006 that members of
the intelligence committee, other than the chairman and the vice chairman were
briefed.  In fact, we were briefed by then-CIA Director Hayden only hours
before President Bush disclosed the program to the public.

A little more than a year later, on December 6th, 2007, a New York Times
article revealed the troubling fact that the CIA had destroyed video tapes of
some of the CIA's first interrogations using so-called enhanced techniques.
We learned that this destruction was over the objections of President Bush's
White House counsel and the director of national intelligence.

After we read -- excuse me -- read about the tapes of the destruction in the
newspapers, Director Hayden briefed the Senate Intelligence Committee.  He
assured us that this was not destruction of evidence, as detailed records of
the interrogations existed on paper in the form of CIA operational cables
describing the detention conditions and the day-to-day CIA interrogations.
The CIA director stated that these cables were, quote, a more than adequate
representation, end quote, of what would have been on the destroyed tapes.

Director Hayden offered at that time, during Senator Jay Rockefeller's
chairmanship of the committee, to allow members or staff to review these
sensitive CIA operational cables, that the videotapes -- given that the
videotapes had been destroyed.  Chairman Rockefeller sent two of his committee
staffers out to the CIA on nights and weekends to review thousands of these
cables, which took many months.

By the time the two staffers completed their review into the CIA's early
interrogations in early 2009, I had become chairman of the committee and
President Obama had been sworn into office.  The resulting staff report was
chilling.  The interrogations and the conditions of confinement at the CIA
detentions sites were far different and far more harsh than the way the CIA
had described them to us.

As a result of the staff initial report, I proposed and then-Vice Chairman
Bond agreed and the committee overwhelmingly approved that the committee
conduct an expansive and full review of the CIA's detention and interrogation
program.  On March 5th, 2009, the committee voted 14-1 to initiate a
comprehensive review of the CIA detention and interrogation program.
Immediately, we sent a request for documents to all relevant executive branch
agencies, chiefly among them the CIA.  The committee's preference was for the
CIA to turn over all responsive documents to the committee's office, as had
been done in previous committee investigations.

Director Panetta proposed an alternative arrangement, to provide literally
millions of pages of operational cables, internal emails, memos and other
documents pursuant to a committee's document request at a secure location in
northern Virginia.  We agreed, but insisted on several conditions and
protections to ensure the integrity of this congressional investigation.

Per an exchange of letters in 2009, then-Vice Chairman Bond, then-Director
Panetta and I agreed in an exchange of letters that the CIA was to provide a,
quote, stand-alone computer system, end quote, with a, quote, network drive
segregated from CIA networks, end quote, for the committee that would only be
accessed by information technology personnel at the CIA who would, quote, not
be permitted to share information from the system with other CIA personnel,
except as otherwise authorized by the committee, end quote.

It was this computer network that notwithstanding our agreement with Director
Panetta was searched by the CIA this past January -- and once before, which I
will later describe.

In addition to demanding that the documents produced for the committee be
reviewed at a CIA facility, the CIA also insisted on conducting a
multi-layered review of every responsive document before providing the
document to the committee.  This was to ensure the CIA did not mistakenly
provide documents unrelated to the CIA's detention and interrogation program
or provide documents that the president could potentially claim to be covered
by executive privilege.

While we viewed this as unnecessary, and raised concerns that it would delay
our investigation, the CIA hired a team of outside contractors who otherwise
would not have had access to these sensitive documents to read multiple times
each of the 6.2 million pages of documents produced before providing them to
fully cleared committee staff conducting the committee's oversight work.  This
proved to be a slow and very expensive process.

The CIA started making documents available electronically to the committee's
staff at the CIA leased facility in mid-2009.  The number of pages ran quickly
to the thousands, tens of thousands, the hundreds of thousands and then into
the millions.  The documents that were provided came without any index,
without any organizational structure.  It was a true document dump that our
committee staff had to go through and make sense of.

In order to piece together the story of the CIA's detention and interrogation
program, the committee staff did two things that will be important as I go
on.  First, they asked the CIA to provide an electronic search tool so they
could locate specific relevant documents for their search among the
CIA-produced documents, just like you would use a search tool on the Internet
to locate information.  Second, when the staff found a document that was
particularly important or that might be referenced in our file report, they
would often print it or make a copy of the file on their computer so they
could easily find it again.  There are thousands of such documents in the
committee's secure spaces at the CIA facility.

Now, prior removal of documents by CIA.

In early 2010, the CIA was continuing to provide documents and the committee
staff was gaining familiarity with the information it had already received.
In May of 2010, the committee staff noticed that the documents had been
provided for the committee -- that had been provided for the committee's
review were no longer accessible.  Staff approached the CIA personnel at the
off-site location, who initially denied that documents had been removed.  CIA
personnel then blamed information technology personnel, who were almost all
contractors, for removing the documents themselves without direction or
authority.  And then the CIA stated that the removal of the documents was
ordered by the White House.  When the White -- when the committee approached
the White House, the White House denied giving the CIA any such order.

After a series of meetings, I learned that on two occasions CIA personnel
electronically removed committee access to CIA documents after providing them
to the committee.  This included roughly 870 documents or page of documents
that were removed in February 2010; and secondly, roughly another 50 that were
removed in mid-May 2010.  This was done without the knowledge or approval of
committee members or staff, and in violation of our written agreements.
Further, this type of behavior would not have been possible had the CIA
allowed the committee to conduct the review of documents here in the Senate.
In short, this was the exact sort of CIA interference in our investigation
that we sought to avoid at the outset.

I went up to the White House to raise the issue with the then- White House
counsel.  In May 2010, he recognized the severity of the situation and the
great implications of executive branch personnel interfering with an official
congressional investigation.  The matter was resolved with a renewed
commitment from the White House counsel and the CIA that there would be no
further unauthorized access to the committee's network or removal of access to
CIA documents already provided to the committee.  On May 17th, 2010, the CIA's
then-director of congressional affairs apologized on behalf of the CIA for
removing the documents.  And that as far as I was concerned put the incidents
aside.

This event was separate from the documents provided that were part of the
internal Panetta review, which occurred later and which I will describe next.

At some point in 2010, committee staff searching the documents that had been
made available found draft versions of what is now called the internal Panetta
review.  We believe these documents were written by CIA personnel to summarize
and analyze the materials that had been provided to the committee for its
review.  The Panetta review documents were no more highly classified than
other information we had received for our investigation.  In fact, the
documents appeared based on the same information already provided to the
committee.  What was unique and interesting about the internal documents was
not their classification level but rather their analysis and acknowledgment of
significant CIA wrongdoing.

To be clear, the committee staff did not hack into CIA computers to obtain
these documents, as has been suggested in the press. [...]

  [This is a much longer item, but truncated for RISKS.  PGN]

------------------------------

Date: Fri, 7 Mar 2014 14:24:03 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Governor Christie's New Scandal: Verizon's Fiber-Optic-"Digital
  Bridge" Gate (Bruce Kushnick)

On March 7, 2014 at 3:28:16 PM, Bruce Kushnick (bruce () newnetworks com) wrote:

Governor Christie's New Scandal: Verizon's Fiber-Optic-"Digital Bridge" Gate
http://www.huffingtonpost.com/bruce-kushnick/the-contime-merger-do-we-_b_4839339.html

It is now clear that while Governor Christie is embroiled in 'bridgegate',
which is about clogging and blocking of traffic movement over a bridge,
another scandal is brewing.  Christie's New Jersey Board of Public Utilities
is about to close the digital highways to 1/3 or 1/2 of the State's
residential and business customers, not to mention harming schools, libraries,
hospitals or the municipalities' services and economic growth in these areas.
President Obama has announced plans for 'bridging the digital divide'.

In this scandal, Governor Christie's State Commission, his Attorney General's
Office and the state Consumer Rate Counsel are planning to allow Verizon to
simply erase the laws and commitments to have 100% of Verizon New Jersey's
territory upgraded, replacing the old copper wires with a fiber optic service
capable of 45 Mbps in both directions -- and it was supposed to be done by the
year 2010.  That's right.
Back in 1991, Verizon New Jersey claimed it would make New Jersey the first
fully fiberized state with a plan called "Opportunity New Jersey".  Customers
paid Verizon about $15 billion dollars in excess phone charges (and tax perks)
to do this construction for over two decades, not to mention additional rate
increases along the way -- and these increases have been built into current
rates for the last 2+ decades.

And yet, on 29 Jan 2014, the NJ Board of Public Utilities (NJBPU) offered
Verizon a stipulation agreement that will extinguish this commitment, which is
only partially done.  I'll get back to this.

I wasn't suspicious until I started digging into why the NJBPU would take this
ridiculous path.  In fact, the State had actually woken up in 2012 and issued
a 'show cause order', asking Verizon why two towns, Greenwich and Stow Creek,
weren't already upgraded.  And in 2013, the State ordered Verizon to do the
work.

But, what caught my eye was this -- two weeks before, on January 14th, 2014, a
new President of the Board of Public Utilities was installed and she was not
only chosen by Governor Christie, but is part of his cabinet.

  "Dianne Solomon was named by Governor Christopher J. Christie as President
  to the N.J. Board of Public Utilities (BPU) on January 14, 2014.  President
  Dianne Solomon also serves as a member of the Governor's Cabinet.  President
  Solomon was nominated by Governor Chris Christie to serve as Commissioner to
  the Board of Public Utilities on April 17, 2013, and confirmed by the New
  Jersey Senate on June 27, 2013."

And all the State had to do was to just enforce the laws.  All it had to say
was - 'You didn't complete the job.  Now upgrade 100% of your state territory
or we'll audit the books and have you give back the money'

Instead, we ask - Is it a coincidence that the State decided to erase the laws
at this juncture?  Does Governor Christie know about this or was it his
decision?

There's an underbelly to this.

To read the rest of this article:
http://www.huffingtonpost.com/bruce-kushnick/the-contime-merger-do-we-_b_4839339.html

------------------------------

Date: Thu, 6 Mar 2014 16:27:34 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Man called Bitcoin's father denies ties, leads LA car chase

http://j.mp/1fbZgvV  (Reuters, via NNSquad)

  A Japanese American man thought to be the reclusive multi-millionaire father
  of Bitcoin emerged from a modest Southern California home and denied
  involvement with the digital currency before leading reporters on a freeway
  car chase to the local headquarters of the Associated Press ...

  Newsweek included a photograph and described a short interview, in which
  Nakamoto said he was no longer associated with Bitcoin and that it had been
  turned over to other people.  The magazine concluded that the man was the
  same Nakamoto who founded Bitcoin ...

  He was mobbed by reporters and told them he was looking for someone who
  understood Japanese to buy him a free lunch...

  "I'm not involved in Bitcoin.  Wait a minute, I want my free lunch first.
  I'm going with this guy," Nakamoto said, pointing at a reporter from AP...

  "I'm not in Bitcoin, I don't know anything about it," the man said again
  while walking down the street with several cameras at his heels ...

You just can't make this stuff up -- even here in L.A.

------------------------------

Date: Thu, 06 Mar 2014 13:33:03 -0800
From: "David E. Ross" <david () rossde com>
Subject: Re: Anne Rice (RISKS-27.79)

I find it interesting that, of all people, Anne Rice opposes the use of
pseudonyms.  She wrote several erotic novels under the pseudonyms Anne
Rampling and A. N. Roquelaure, presumably to hide the fact of her authorship.
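
  [Editor's added example, placed ahead of John Beattie's GotoFail item two
  items below, which asks why the compiler did not flag unreachable code.
  The C below is an illustration written for this archive page; it is not
  Apple's code and was not posted to RISKS.  Every name in it is hypothetical:
  the toy 32-bit FNV-1a "tag" stands in for the SHA-1 hash and RSA verify in
  Apple's SSLVerifySignedServerKeyExchange, and hash_update /
  signature_check stand in for the SSLHashSHA1 update/final calls.  What it
  shows is the shape of the bug: the duplicated "goto fail;" is taken while
  err still holds the 0 from the previous step, so the one step that actually
  authenticates the peer never runs and any forged tag is accepted.]

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical error codes; not Apple's values. */
enum { ERR_NONE = 0, ERR_HASH_UPDATE = -1, ERR_BAD_SIGNATURE = -2 };

#define FNV_INIT 2166136261u

/* Toy digest (FNV-1a) standing in for SHA-1. Illustration only. */
static uint32_t fnv1a(uint32_t h, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Stand-in for SSLHashSHA1.update: fails (nonzero) on a NULL buffer so the
 * error path has something to exercise. */
static int hash_update(uint32_t *h, const uint8_t *p, size_t n) {
    if (p == NULL)
        return ERR_HASH_UPDATE;
    *h = fnv1a(*h, p, n);
    return ERR_NONE;
}

/* Stand-in for SSLHashSHA1.final + sslRawVerify: the only step that actually
 * checks what the peer sent (here, a precomputed 32-bit tag). */
static int signature_check(uint32_t h, uint32_t tag) {
    return h == tag ? ERR_NONE : ERR_BAD_SIGNATURE;
}

/* The tag a legitimate peer would send for (a, b); used to build inputs. */
uint32_t tag_for(const uint8_t *a, size_t na, const uint8_t *b, size_t nb) {
    return fnv1a(fnv1a(FNV_INIT, a, na), b, nb);
}

/* Vulnerable shape. The second "goto fail;" is a copy-paste duplicate; in
 * Apple's source it was indented one level deeper, so it read as part of the
 * if above it. It is taken unconditionally while err is still 0, so
 * signature_check never runs and the caller sees success for any tag.
 * clang -Wunreachable-code reports the if that follows as never executed;
 * gcc 6 and later also flag the deeper-indented form under -Wall via
 * -Wmisleading-indentation (the indentation is flattened here so the file
 * builds cleanly with -Werror). */
int verify_vulnerable(const uint8_t *a, size_t na,
                      const uint8_t *b, size_t nb, uint32_t tag) {
    uint32_t h = FNV_INIT;
    int err;

    if ((err = hash_update(&h, a, na)) != 0)
        goto fail;
    if ((err = hash_update(&h, b, nb)) != 0)
        goto fail;
    goto fail;                                  /* the duplicated line */
    if ((err = signature_check(h, tag)) != 0)   /* unreachable */
        goto fail;

fail:
    return err;
}

/* Fixed shape: the stray goto is gone, every if body is braced so a future
 * duplicate stays inside the guard, and the final check is the only way to
 * reach the label with ERR_NONE in err. */
int verify_fixed(const uint8_t *a, size_t na,
                 const uint8_t *b, size_t nb, uint32_t tag) {
    uint32_t h = FNV_INIT;
    int err;

    if ((err = hash_update(&h, a, na)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&h, b, nb)) != 0) {
        goto fail;
    }
    err = signature_check(h, tag);

fail:
    return err;
}

int main(void) {
    /* Constructed sample input; any bytes would do. */
    const uint8_t a[] = "ServerKeyExchange";
    const uint8_t b[] = "params";
    uint32_t good = tag_for(a, sizeof a - 1, b, sizeof b - 1);
    uint32_t forged = good + 1u;   /* any wrong tag */

    printf("vulnerable, forged tag: %d\n",
           verify_vulnerable(a, sizeof a - 1, b, sizeof b - 1, forged));
    printf("fixed, forged tag:      %d\n",
           verify_fixed(a, sizeof a - 1, b, sizeof b - 1, forged));
    printf("fixed, good tag:        %d\n",
           verify_fixed(a, sizeof a - 1, b, sizeof b - 1, good));
    return 0;
}
```

  [The first printed value is 0: the vulnerable function accepts a tag that
  is wrong, which is the whole failure.  Two cheap checks would have caught
  it: a compiler warning for unreachable code, and a negative test that hands
  the verifier a bad signature and expects a nonzero result.  PGN's
  archive-editor note.]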
------------------------------

Date: Thu, 6 Mar 2014 22:43:58 -0500 (EST)
From: "the wharf rat" <wrat () panix com>
Subject: Re: TrustyCon and the RSA con NSA poll (RISKS-27.79)

If 52% of the RSA conference attendees support NSA surveillance in its current
form, it might just mean that the NSA has a lot of people attending the RSA
conference.

  [Or more likely friends of the family?  PGN]

------------------------------

Date: Thu, 13 Mar 2014 21:32:14 +0000
From: John Beattie <jkb () hignfy demon co uk>
Subject: Re: Apple's GotoFail Security Mess (RISKS-27.76)

http://catless.ncl.ac.uk/Risks/27.76.html#subj8 #GotoFail

My compiler tells me when there is unreachable code.  Why doesn't Apple's?
Especially, why doesn't Apple's when it is being used to compile crypto code?

I don't agree with Langley at Google: whoever was responsible for this was
deeply unprofessional as a software engineer.

------------------------------

Date: Mon, 10 Mar 2014 12:42:28 -0700
From: George Ledin <ledin () sonoma edu>
Subject: Re: Applied Systems Theory

The Inside Risks article by Nancy Leveson and William Young (CACM, February
2014, Vol.57, No.2, pages 31-35) is an excellent overview of the
systems-theoretic approach applied to the thorny problems of safety and
security.

William and Nancy frame the differences between the concepts of safety and
security as rooted in the intents of the actions and the benevolence or
malevolence of the actors.  It is an ancient conceptual structure developed
over centuries of experience.  It is what distinguishes intentional torts
(civil wrongs) from negligence.  The difference is crisp, even if negligent
behavior escalates to recklessness.  Greater liability attaches depending on
the seriousness level of the result.  The issue at hand is action versus
inaction, for there are consequences either way.  The medieval but brilliant
notion of scienter deals with how innocent or guilty is the actor's
foreknowledge of the event.

Put simply, safety is the (relative) freedom from the occurrence or risk of
injury or loss.  Security is the (relative) assurance that the danger of
injury or loss is mitigated.  Therefore security is the (relative) guarantee
of safety.  As Nancy and William state, an actor's purpose has limited
relevance.  The problem is the lack of remedies or, more succinctly, the
immaturity of computer science, and, especially, software engineering.  We are
stuck somewhere between art (beautiful code) and pell-mell technological
advance in response to perceived needs or just for the heck of it, with the
latter ironically better done than the former.  Never mind what for - that's
for society to sort out.

My own thinking about malware (malicious or malevolent, but also malformed,
malignant and malappropriate) is that society gets what it deserves
irrespective of consciousness or lack thereof.  The fact that most software
projects are examples of sloppiness, that security is almost always an
afterthought, and that zero-day exploits are a given, says that we are
complicit with the "bad guys" - whoever they are.  They are teaching us a
lesson - the same lesson, essentially, repeatedly, and we remain unlearned.
Worse than unlearned: unbothered.

Vulnerabilities or threats?  Leveson and Young are correct.  Focusing on
vulnerabilities, threats can, and ought to, be tested.  And retested.  Knowing
one's weaknesses has to be useful; benign neglect is so obviously imprudent.
This was my message anent teaching viruses, worms, trojans, and other digital
agents of devastation.  It is, for obscure reasons, a message that continues
to be ignored.  There is a strange predilection toward a force majeure
approach to best practices.  When everyone is ignorant, ignorance is
excusable.  Off the hook thanks to acts of God.

The holistic way recommended by the authors is destined, unfortunately, to be
overlooked.  There are only so many hours in our busy days.  And as I said,
thus far there are no remedies, the FTC does not know what to do, and a
regulatory agency dedicated to digital security is a political impossibility.
But let us keep trying.

------------------------------

Date: Sat, 8 Mar 2014 10:10:47 +1100
From: Paul Edwards <paule () cathicolla com>
Subject: Re: Threat Modeling: Designing for Security (Shostack, RISKS-27.79)

When it comes to measuring and communicating threats, the most ineffective example in recent memory was the Homeland Security Advisory System -- which was a color-coded terrorism threat advisory scale. The system was rushed into use and its output of colors was not clear.
This movie is quite old, but still resonates on a number of levels:
<http://www.zefrank.com/redalert/index_better.html>

------------------------------

Date: Mon, 17 Mar 2014 11:37:50 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: BOOK: Rebecca Slayton: Arguments That Count

Rebecca Slayton
Arguments That Count: Physics, Computing, and Missile Defense, 1949-2012
MIT Press, Cambridge Massachusetts and London England
xi+325 pp. (including 179 references and a copious 21-page index)
2013

This book is a delightful and remarkably insightful exploration of how the
three topics in the subtitle were interrelated during the stated 63-year time
span.  It should be of considerable interest particularly to younger people
who might be wondering how we got to where we are technologically,
politically, economically, and otherwise (although some of us older folks have
lived through it, and are still likely to find many new nuggets they did not
know).  The book will also be very valuable to nontechnical folks of all ages.
It is very readable.  It is also very well researched (although I found an
error in the first full paragraph on Page 168: `ARPA' should be `NSA',
relating to something in 1973).

The table of contents lists these chapter titles:

  1. Software and the Race against Surprise Attack
  2. Framing an ``Appallingly Complex'' System
  3. Complexity and the ``Art or Evolving Science'' of Software
  4. ``No Technological Solution''
  5. What Crisis?  Software in the ``Safeguard'' Debate
  6. The Politics of Complex Technology
  7. The Political Economy of Software Engineering
  8. Nature and Technology in the Star Wars Debate
  9. Conclusion: Complexity Unbound

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
   Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken.

   Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
   *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
   *** NOTE: Including the string `notsp' at the beginning or end of the subject
   *** line will be very helpful in separating real contributions from spam.
   *** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.

    *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.80
************************