RISKS Forum mailing list archives
Risks Digest 27.71
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 23 Jan 2014 16:00:29 PST
RISKS-LIST: Risks-Forum Digest  Thursday 23 January 2014  Volume 27 : Issue 71

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.71.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Medical "scribes" ease doctor's data entry burden (Ed Ravin)
No Girls, Blacks, or Hispanics Take AP Computer Science Exam in Some States
  (Liana Heiten)
How the Chinese Internet ended up at a house in Cheyenne, Wyoming (Brian Fung)
  Dewayne Hendricks <dewayne () warpspeed com>
FBI snatches Google Glass off the face of innocent AMC movie-goer (Rob Jackson)
Google Glass-wearing movie patron questioned by Homeland Security agents as
  potential pirate (Adi Robertson)
'Sex with Glass' is getting either sex or Glass wrong
  (Adi Robertson via Monty Solomon)
`Smart' computer-based systems in your homes (Wendy M. Grossman)
The Malware That Duped Target Has Been Found (Lauren Weinstein)
Target Hackers Wrote Partly in Russian, Displayed High Skill
  (Danny Yadron Connect)
Neiman Marcus stores reportedly hacked (Krebs via Bob Gezelter)
White hat hacker says he found 70,000 records on Healthcare.gov through a
  Google search (Adrianne Jeffries via Monty Solomon)
"NSA Devises Radio Pathway Into Computers" (Sanger/Shanker)
And this time it was real SPAM? from Fridge! (Steve Lamont)
Risks of the Internet of Things (Robert Schaefer)
Mobile apps store credentials in the clear (Bob Gezelter)
Software licensing as information leak? (Stuart Levy)
What happens when your car comes pre-equipped with monitoring (Bob Gezelter)
Warning: I recommend removing your credit/debit cards from NSI
  (Lauren Weinstein)
Re: Backdoor in popular wireless routers/DSL modems (Martin Ward)
USENIX Security submissions due 27 Feb 2014 (Kevin Fu)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 12 Jan 2014 21:08:26 -0500
From: Ed Ravin <eravin () panix com>
Subject: Medical "scribes" ease doctor's data entry burden

Meet the medical scribe, who follows the doctor around and does the data
entry required by all the electronic health records systems that have been
adopted by medical care providers in recent years. Apparently no one
budgeted for all the time needed to type stuff in, creating a new job
opportunity in the health care field:

  Physicians who use [medical scribes] say they feel liberated from the
  constant note-taking that modern electronic health records systems
  demand. Indeed, many of those doctors say that scribes have helped
  restore joy in the practice of medicine, which has been transformed --
  for good and for bad -- by digital record-keeping.

  ...

  For decades, physicians pinned their hopes on computers to help them
  manage the overwhelming demands of office visits. Instead, electronic
  health records have become a disease in need of a cure, as physicians do
  their best to diagnose and treat patients while continuously feeding the
  data-hungry computer.

Full article is here:
http://www.nytimes.com/2014/01/14/health/a-busy-doctors-right-hand-ever-ready-to-type.html

*The NY Times* notes that the 70% adoption rate of electronic health
records in hospitals and doctors' offices is partly due to "tens of billions
of federal incentive payments". They don't mention that the companies that
make the medical records systems have lobbied Congress and the public for
those types of incentives. Newt Gingrich comes to mind as one of their more
prominent (and probably more influential) paid lobbyists.

------------------------------

Date: Wed, 15 Jan 2014 11:49:12 -0500 (EST)
From: "ACM TechNews" <technews () hq acm org>
Subject: No Girls, Blacks, or Hispanics Take AP Computer Science Exam in
  Some States (Liana Heiten)

Liana Heiten, *Education Week* 10 Jan 2014 [via ACM TechNews, 15 Jan 2014]

No female, African American, or Hispanic students took the Advanced
Placement (AP) computer science exam in some states in 2013, according to
Georgia Institute of Technology computing outreach director Barbara Ericson,
who compiled state comparisons of College Board data. In Mississippi and
Montana, no students in any of the three categories took the AP computer
science exam last year, although the College Board notes that Mississippi
only administered one of the exams and Montana only administered 11. Eleven
states had no African-American students taking the exam, and eight states
had no Hispanic students taking the test. Among the 30,000 students who took
the exam last year, less than 20 percent were female, about 3 percent were
African American, and 8 percent were Hispanic, according to the College
Board website. Females, African Americans, and Hispanics also had lower pass
rates than white males on the exam, Ericson says. AP computer science
courses "are more prevalent in suburban and private schools than in urban,
poor schools," says Ericson, noting that only 17 states currently accept
computer science as a core math or science credit. The College Board is
committed to increasing access to rigorous computing courses and is working
with national organizations, nonprofits, and the private sector to expand
access, says spokesperson Deborah Davis.

http://blogs.edweek.org/edweek/curriculum/2014/01/girls_african_americans_and_hi.html

------------------------------

Date: January 22, 2014 at 3:47:45 PM EST
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: How the Chinese Internet ended up at a house in Cheyenne, Wyoming
  (Brian Fung)

[Note: This item comes from friend Steve Goldstein. DLH] [via Dave Farber]

How the Chinese Internet ended up at a house in Cheyenne, Wyoming
Brian Fung, *The Washington Post*, 22 Jan 2014
<http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/22/that-time-the-chinese-internet-found-itself-at-a-tiny-house-in-cheyenne-wyoming/>

It's not clear how it happened, but for several hours on Tuesday thousands
if not millions of Chinese Internet users were being dumped at the door of a
tiny, brick-front house on 2710 Thomes Ave. in Cheyenne, Wyo.

The users' Internet traffic, bound initially for Chinese social networking
sites and search engines, was redirected due to a mysterious error in the
country's domain name system, *The New York Times* reports. At first, some
speculated the malfunction in the traffic-routing machinery might have been
a cyberattack. Others said that China's Great Firewall -- the collection of
human and technological censors that blocks Web sites deemed undesirable by
the government -- simply made a tactical error.

"Either it was an intentional DNS [domain name system] hack or the
unintentional result of the Great Firewall, but I haven't seen any technical
analysis of what was more likely," Adam Segal, a scholar on China and
cybersecurity at the Council on Foreign Relations, told me.

The true nature of the mix-up may still be unclear, but there's a growing
consensus for the latter explanation. To get around the Great Firewall, many
Chinese (and expats, too) use services that route Web traffic through a
foreign IP address, effectively making it look like the traffic isn't coming
from inside China. One of these services, Sophidea, happens to be registered
at the very address in Wyoming that bore the brunt of all that traffic. So
the prevailing theory is that in trying to block Chinese traffic going to
Sophidea, the Great Firewall's operators accidentally diverted more traffic
there instead.

According to a Chinese anti-virus software company, the Times reports, about
75 percent of China's domain name system servers were affected by the
roughly eight-hour malfunction, during which Web browsers failed to load
.com, .net and .org Internet addresses.

As for the Wyoming house itself, it's not a bit unlike the wardrobe from
C.S. Lewis's "Chronicles of Narnia." It may look small on the outside, but
it technically houses around 2,000 corporate entities and people. A 2011
Reuters report says the place is filled with numbered mailboxes and serves
as the headquarters for Wyoming Corporate Services, a business that helps
set up shell companies that exist only on paper. [...]

------------------------------

Date: January 21, 2014 at 7:26:11 AM EST
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: FBI snatches Google Glass off the face of innocent AMC movie-goer
  (Rob Jackson)

[via David Farber]
[Note: This item comes from friend David Isenberg. DLH]

Rob Jackson, Phandroid, 20 Jan 2014
FBI snatches Google Glass off the face of innocent AMC movie-goer
<http://phandroid.com/2014/01/20/fbi-google-glass-movie/>

Love it or hate it, Google Glass has been the cause for a lot of excitement
lately. Last week it was pronounced legal to wear but not use while driving
in the state of California. Shortly after, Glass was making waves again with
the launch of an app called `Sex with Glass', allowing participants to
essentially create their own sex tapes with the facial tech. Apparently, the
FBI felt left out of all the fun.

At an AMC theater in Easton Mall in Columbus, Ohio, one Google Glass
Explorer went to see Jack Ryan: Shadow Recruit, but got a rude awakening
instead. An hour into the movie he was approached by a federal agent who,
without hesitation, snatched the Google Glass off the man's face and removed
him from the theater. Outside there were 5 to 10 officers and agents who
proceeded to allegedly badger and question him for over 3 hours, suggesting
he was illegally recording the movie.

Let's get a few facts out of the way:

* It's probably not smart to bring a recording device into a movie theater,
  but let's not forget mostly everyone takes a mobile phone into a theater
  that is perfectly capable of recording.
* The man's Google Glass were the prescription version, so he essentially
  needed them on to see the movie (maybe he should have worn other glasses).
* The man had his Google Glass powered off in advance to avoid any
  misunderstandings.

The authorities eventually let the man go, but not without hours of
intimidation and a frightening story that has him shaking -- literally --
even a day after the event. A Movie Association representative compensated
the Glass Explorer with 2 free movie tickets for his night of troubles.

The authorities certainly have the right to remove a patron from the theater
suspected of recording the screen, but should wearing Google Glass be
suspicion enough? The Explorer cooperated with the authorities, but
considering his rights and his innocence, would you have acted differently
or pursued a better outcome?

As Google Glass and other wearable tech become more prevalent, you can bet
we'll hear a lot more of these stories popping up across the world. ...

------------------------------

Date: Tue, 21 Jan 2014 23:39:32 -0500
From: Monty Solomon <monty () roscom com>
Subject: Google Glass-wearing movie patron questioned by Homeland Security
  agents as potential pirate (Adi Robertson)

Adi Robertson, 21 Jan 2014

Wearing Google Glass recently proved perilous for a movie patron in
Columbus, Ohio. On Monday, The Gadgeteer posted a frightening story
apparently from a member of the Glass Explorer program. An hour into
watching Jack Ryan: Shadow Recruit wearing his prescription version of
Glass, he said, he'd been abruptly pulled from the theater and interrogated
at length by "feds," who accused him of attempting to pirate the movie by
recording it.

  What followed was over an hour of the "feds" telling me I am not under
  arrest, and that this is a "voluntary interview", but if I choose not to
  cooperate bad things may happen to me (is it legal for authorities to
  threaten people like that?). [...] They wanted to know who I am, where I
  live, where I work, how much I'm making, how many computers I have at
  home, why am I recording the movie, who am I going to give the recording
  to, why don't I just give up the guy up the chain, 'cause they are not
  interested in me. Over and over and over again.

After going through the photos on his device, the man says, the officers
concluded that there'd been a misunderstanding, and theater owner AMC called
a man from the "Movie Association," who gave him free passes to see the film
again. But the man described himself as shaken by the incident, especially
because he'd worn Glass to the theater before and had no trouble. The story
initially seemed too dramatic to be true, but both AMC and the Department of
Homeland Security's Immigration and Customs Enforcement division have
confirmed it. [...]

http://www.theverge.com/2014/1/21/5331748/google-glass-wearing-movie-patron-questioned-for-piracy

------------------------------

Date: Tue, 21 Jan 2014 23:44:52 -0500
From: Monty Solomon <monty () roscom com>
Subject: 'Sex with Glass' is getting either sex or Glass wrong (Adi Robertson)

Adi Robertson, 20 Jan 2014

Eager to tap the largely unexplored market for erotic Google Glass
experiences, a team of hackathon participants have somehow created both an
intriguing app and a weird, depressing commentary on gender. Called Sex with
Glass, the app shares some DNA with James Deen's parody video: assuming that
you and your partner are both participating in a closed beta that requires
purchase of a $1,500 headset, you can both don the fragile prototypes and
have extremely cautious intercourse while watching a live camera feed from
the other person's viewpoint. There are a few other commands ("Okay Glass,
play Marvin Gaye" and "Okay Glass, give me ideas") and a few dirty puns, but
these are all distractions from the main event. Afterwards, it promises to
"put all the footage together" into a video, which will disappear five hours
after being constructed.

http://www.theverge.com/2014/1/20/5328772/sex-with-google-glass-app-is-getting-either-sex-or-glass-wrong

------------------------------

Date: Thu, 16 Jan 2014 13:52:36 +0000
From: "Wendy M. Grossman" <wendyg () pelicancrossing net>
Subject: `Smart' computer-based systems in your homes

Obvious points:

1. NEST has apparently failed to learn from many decades of computer
programming experience that you don't roll out an upgrade to all your
customers until you've done a thorough small-scale test and you always
ensure you have a readily applicable rollback method. See also CompuServe
UK, c. 1991, AT&T...

2. Despite the scathing comments from one poster, problems for the entire
category are quite clear: how "smart home" components will be patched, who
will be liable for failures, and how to cope when critical elements fail if
you've taken out all the fallbacks. Plus the fact that "smart" systems that
learn from your past behavior are ignoring a lesson dunned into all of us
with respect to financial investments: past performance is no guarantee of
future behavior.

www.pelicancrossing.net  Twitter: @wendyg

------------------------------

Date: Thu, 16 Jan 2014 17:13:54 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: The Malware That Duped Target Has Been Found

"The malicious program used to compromise Target and other companies was
part of a widespread operation using a Trojan tool known as Trojan.POSRAM,
according to a new report released Thursday about an operation that
investigators have dubbed Kaptoxa." [literally more like Kartocha, PGN]

http://j.mp/LmaJCc (Wired via NNSquad)

  [Late count seems to be 110 million customers' records implicated. The
  identity of the alleged culprit(s) remains unclear, despite some initial
  reports. PGN]

------------------------------

Date: Tue, 21 Jan 2014 20:56:36 -0500
From: Monty Solomon <monty () roscom com>
Subject: Target Hackers Wrote Partly in Russian, Displayed High Skill
  (Danny Yadron Connect)

Danny Yadron Connect, *Wall Street Journal*, 16 Jan 2014
Hacking Campaign Appears Broad, Sophisticated and Against Many Retailers

The holiday data breach at Target Corp. appeared to be part of a broad and
highly sophisticated international hacking campaign against multiple
retailers, according to a report prepared by federal and private
investigators that was sent to financial-services companies and retailers.

The report offers some of the first details to emerge about the source of
the attack that compromised 40 million credit- and debit-card accounts and
personal data for 70 million people. It also provided further evidence the
attack on Target during peak holiday shopping was part of a concerted effort
by skilled hackers.

Parts of the malicious computer code used against Target's credit-card
readers had been on the Internet's black market since last spring and were
partly written in Russian, people familiar with the report said. Both
details suggest the attack may have ties to organized crime in the former
Soviet Union, former U.S. officials said. ...

http://online.wsj.com/news/articles/SB10001424052702304419104579324902602426862

------------------------------

Date: Sat, 11 Jan 2014 10:22:29 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: Neiman Marcus stores reportedly hacked

There has been a reported surge in fraudulent credit card activity connected
with cards used at Neiman Marcus stores in the Dallas, Texas area. According
to a company spokesperson, a forensics firm and the Secret Service are
presently investigating. Reportedly, the breach has been confirmed, but
details remain undisclosed.

The original report can be found at:
http://krebsonsecurity.com/2014/01/hackers-steal-card-data-from-neiman-marcus/

Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Tue, 21 Jan 2014 23:42:45 -0500
From: Monty Solomon <monty () roscom com>
Subject: White hat hacker says he found 70,000 records on Healthcare.gov
  through a Google search (Adrianne Jeffries)

White hat hacker says he found 70,000 records on Healthcare.gov through a
Google search
Adrianne Jeffries, *The Verge*, 21 Jan 2014

The federal health insurance marketplace at Healthcare.gov still has major
security issues according to some experts, including a flaw that allows user
records to show up in Google results. At least 70,000 records with personal
identifying information including first and last names, addresses, and user
names are accessible by using an advanced Google search and then tweaking
the resulting URLs, according to David Kennedy, founder of the security firm
TrustedSec. Kennedy notes that he never modified any URLs, just that he
noticed that it was possible.

Kennedy first testified about the issue before a Congressional committee in
November, he says, but it still hasn't been resolved. It's just one of
several issues he's identified with the site, and it's actually one of the
easier ones to fix: Kennedy estimates it would take just a few days to hide
the records. ...

http://www.theverge.com/2014/1/21/5331756/white-hat-hacker-says-he-found-70000-records-on-healthcare-gov

------------------------------

Date: Wed, 15 Jan 2014 11:49:12 -0500 (EST)
From: "ACM TechNews" <technews () hq acm org>
Subject: "NSA Devises Radio Pathway Into Computers" (Sanger/Shanker)

David E. Sanger, Thom Shanker, *The New York Times*, 14 Jan 2014
[via ACM TechNews, 15 Jan 2014]

The U.S. National Security Agency (NSA) has embedded software within nearly
100,000 computers worldwide, enabling the United States to monitor those
machines and set up a digital pathway for launching cyberattacks. The
software uses technology that employs a covert channel of radio waves that
can be sent from tiny circuit boards and USB cards inserted secretly into
the computers. The transceivers can share information with an NSA field
station or hidden relay station up to eight miles away, which communicates
back to the agency's Remote Operations Center. The transceiver also is
capable of malware transmission. The system addresses the challenge of
infiltrating computers that adversaries have tried to render invulnerable to
surveillance or cyberattack by keeping them disconnected from the Internet.
"What's new here is the scale and the sophistication of the intelligence
agency's ability to get into computers and networks to which no one has ever
had access before," says the Center for Strategic and International Studies'
James Lewis. Officials and experts stress that the bulk of these software
implants are defensive, used solely for surveillance and as an early warning
system for cyberattacks targeting the United States.

http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html

------------------------------

Date: Mon, 20 Jan 2014 17:36:06 -0800
From: spl () tirebiter org (Steve Lamont)
Subject: And this time it was real SPAM? from Fridge!

Fridge sends spam emails as attack hits smart gadgets
http://www.bbc.co.uk/news/technology-25780908

A fridge has been discovered sending out spam after a web attack managed to
compromise smart gadgets. The fridge was one of more than 100,000 devices
used to take part in the spam campaign.

Uncovered by security firm Proofpoint, the attack compromised computers,
home routers, media PCs and smart TV sets. The attack is believed to be one
of the first to exploit the lax security on devices that are part of the
"Internet of things".

The spam attack took place between 23 Dec 2013 and 6 Jan 2014, said
Proofpoint in a statement. In total, it said, about 750,000 messages were
sent as part of the junk mail campaign. The emails were routed through the
compromised gadgets. About 25% of the messages seen by Proofpoint
researchers did not pass through laptops, desktops or smartphones, it said.
[...]

See also http://www.proofpoint.com/about-us/press-releases/01162014.php

------------------------------

Date: Thu, 16 Jan 2014 09:24:07 -0500
From: Robert Schaefer <rps () haystack mit edu>
Subject: Risks of the Internet of Things

Trust Me (I'm a kettle) by Charlie Stross and The kettle of doom by Matthew
Squair

These two links are by way of the critical safety mailing list (highly
recommended) and are about the risks of the Internet of things.

http://www.antipope.org/charlie/blog-static/2013/12/trust-me.html
http://criticaluncertainties.com/2013/12/20/the-kettle-of-doom/

The original article on kettles as a trojan horse bearing malware comes from
an October 2013 report in *The Register*.
http://www.theregister.co.uk/2013/10/29/dont_brew_that_cuppa_your_kettle_could_be_a_spambot/

"The possibilities are endless: it's the dark side of the Internet of
things. If you'll excuse me now, I've got to go wallpaper my apartment in
tinfoil ..."

robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory,
Westford, MA 01886  email: rps () haystack mit edu  voice: 781-981-5767
www: http://www.haystack.mit.edu

------------------------------

Date: Fri, 17 Jan 2014 03:06:41 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: Mobile apps store credentials in the clear

Reportedly, version 2.6.1 of the Starbucks iOS app stores the user's
Starbucks loyalty credentials en clair in the device file system. This
exposes the credentials to theft if the device is imaged or lost (or if the
computing device being used to back up the device is compromised).

Generically, it is a poor practice to save login credentials in forms that
can be compromised. Mobile developers should take care: this class of
vulnerability is often implemented as a "feature" to enable easier use; it
is a serious vulnerability on many fronts and should not be done.

More care is needed to protect information that can be translated into real
money. For that matter, with the increasing forensic use of digital
footprints, the ability to effectively steal someone's digital identifier
provides the ability to create a trail of someone being where they have not
been.

The original report can be found at:
http://seclists.org/fulldisclosure/2014/Jan/64

Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Fri, 10 Jan 2014 18:02:33 -0600
From: Stuart Levy <stuartnlevy () gmail com>
Subject: Software licensing as information leak?

Our group uses several kinds of commercial software, under license control.
"Floating" licensing is convenient -- some number of licenses are made
available, and a central server parcels them out, ensuring that at-most-N
are in use at once, but possibly by a larger set of machines. The server
knows when & where an instance of the licensed program is started and
finishes, but not more than that.

We're now looking at some software which chose a different vendor's scheme.
For their floating licensing, they hooked up with a company that distributes
an across-the-board software management solution. The design is for
enterprise system administrators to be able to track *all* software
installed on *any* monitored machine -- and select some subset of packages
as "interesting". Interesting software can be usage-tracked, and optionally
flagged as being under a variety of kinds of license control. It seems to be
a well-designed system. But...

In order to do this, when you install the software on any client machine, it
scans the entire machine for any sort of graphical app, and reports the full
list of programs to the central server. A server administrator can see the
list of programs installed on any client computer. My Mac had 536 (!)
entries.

Also: whenever you invoke any app -- not just one that's under license
control, but anything -- the central server is notified (in clear text over
the network) of what app you ran, where, by whom, and for how long. It logs
the invocation in a database, even if the app isn't listed as "interesting",
presumably for future reference in case it becomes interesting later.

This bugs me. I hope it bugs you.

We'd been considering getting this floating-license setup for some software
that students would use, to allow them to put it on their own laptops and
develop freely. If it worked like other licensing systems, that'd be fine.
But if it's going to reveal everything they've installed on their personal
machines and when they run it, then -- even if we trust the people running
the server (us) -- maybe we shouldn't use this vendor's floating license
scheme after all.

That's easy for me to say. If I were a student, I wouldn't be given that
choice.

------------------------------

Date: Sat, 11 Jan 2014 10:35:30 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: What happens when your car comes pre-equipped with monitoring

An interesting question. What happens when your car comes pre-equipped with
monitoring? Who has access to the data and for what purposes?

New generation cars are being equipped with instrumentation and
audio-visual recording technologies. The "goal" is to improve the car and
better understand what was happening prior to an accident. However, the
information will be recorded regardless. Who has access to this information
and under what safeguards is a serious question.

Consider audio recording. Should a manufacturer be able to download audio
contents from a vehicle at any time? What is privacy? Your mumblings while
in transit? Conversations with your business colleagues? Your spouse? Your
date? Even in the context of accident reconstruction, safeguards are needed.
What about the legal question (e.g., recording people without their consent
and without notice)? A complex topic, to be sure.

*The NY Times* article can be found at:
http://www.nytimes.com/2014/01/11/business/the-next-privacy-battle-may-be-waged-inside-your-car.html

I previously discussed some of these issues in a blog article on the use of
GPS data entitled "GPS Recorders and Law Enforcement Accountability" (August
2010) at
http://www.rlgsc.com/blog/ruminations/gps-and-law-enforcement-accountability.html

Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Wed, 22 Jan 2014 09:13:30 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Warning: I recommend removing your credit/debit cards from NSI

Warning: I recommend removing your credit/debit cards from all Network
Solutions/Web.com accounts

http://j.mp/1dPevzH (Google+ via NNS)

I am attempting to verify this rather incredible story. In the meantime, if
you have any credit or debit cards on file with Network Solutions or any
other Web.com company, I recommend immediately removing them from your
account profiles. In fact, even if this particular story turns out not to be
true, I'd make the same recommendation given their ongoing shady practices
that are already confirmed.

Reference: "Network Solutions Auto-Enroll: $1,850":
http://j.mp/1dPf3Wh (inessential)

  "To help recapture the costs of maintaining this extra level of security
  for your account, your credit card will be billed $1,850 for the first
  year of service on the date your program goes live. After that you will
  be billed $1,350 on every subsequent year from that date. If you wish to
  opt out of this program you may do so by calling us at 1-888-642-0265."

  [Apparently public outrage has led NSI to reverse this policy to be
  opt-in, not opt-out. PGN]

------------------------------

Date: Wed, 22 Jan 2014 17:39:48 +0000
From: Martin Ward <martin () gkc org uk>
Subject: Re: Backdoor in popular wireless routers/DSL modems (Baker, RISKS-27.70)

If the bad guys have physical access to the router in your home, then you
have bigger things to worry about than them plugging a USB stick into your
router!

Dr Martin Ward, STRL Principal Lecturer and Reader in Software Engineering

------------------------------

Date: Tue, 21 Jan 2014 22:57:18 -0500
From: Kevin Fu <kevinfu () umich edu>
Subject: USENIX Security submissions due 27 Feb 2014

A reminder that the submission deadline for USENIX Security is Feb 27th,
2014. Don't be late! I've added some new topics such as the "public good"
category while keeping traditional technical topics as the continues to
grow.

https://www.usenix.org/sites/default/files/sec14_cfp_011514.pdf
https://www.usenix.org/conference/usenixsecurity14/call-for-papers

Kevin Fu, Associate Professor, EECS Department, The University of Michigan
kevinfu () umich edu, http://spqr.eecs.umich.edu/, 616-594-0385

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing
 on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.71
************************