RISKS Forum mailing list archives
Risks Digest 27.95
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 24 May 2014 21:39:50 PDT
RISKS-LIST: Risks-Forum Digest  Saturday 24 May 2014  Volume 27 : Issue 95

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.95.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
"Adobe Creative Cloud crash shows that no cloud is too big to fail"
  (Serdar Yegulalp via Gene Wirchenko)
"Public utility compromised after brute-force attack, DHS says"
  (Jeremy Kirk via GW)
"Microsoft acknowledges more errors, 80070371 and 80071A91, when installing
  Windows 8.1 Update/KB 2919355" (Woody Leonhard via GW)
"Hackers hit eBay database containing personal info" (Loek Essers via GW)
"'Do not track'? Oh what the heck, go ahead" (Zach Miners via GW)
"Mozilla plans semi-silent updates to tug laggards onto the newest Firefox"
  (Gregg Keizer via GW)
"What questions should we be asking about the eBay breach?"
  (Claudiu Popa via GW)
"Firefox will get DRM copy protection despite Mozilla's concerns"
  (Jeremy Kirk via GW)
"Privacy takes a beating in the FBI's kangaroo court"
  (Robert X. Cringely via GW)
"U.S. charges Chinese Army members with cyber espionage"
  (Serdar Yegulalp via GW)
"Another privacy threat: DNS logging and how to avoid it"
  (Woody Leonhard via GW)
Use of license-plate photo databases is raising privacy concerns
  (Robert Faturechi via Jim Reisert)
California approves test of self-driving cars on public roads (Megan Geuss)
Comcast, Time Warner Cable still have the angriest customers
  (Ars Technica via NNSquad)
Technocreep, by Thomas P. Keenan (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 19 May 2014 11:31:43 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Adobe Creative Cloud crash shows that no cloud is too big to fail"
  (Serdar Yegulalp)

Serdar Yegulalp | InfoWorld, 16 May 2014
Adobe's ID services went down for over 24 hours, leaving Creative Cloud users
-- and a great many others -- locked out of their software and accounts
http://www.infoworld.com/t/cloud-computing/adobe-creative-cloud-crash-shows-no-cloud-too-big-fail-242674

selected text:

A problem with Adobe Creative Cloud locked users of Adobe's software out of
their programs -- and a good deal else on top of that -- for more than 24
hours starting Wednesday night.

But every other Adobe service that used Adobe's ID system was also affected,
as noted by The Register's Alistair Dibbs.  At least one "national [UK]
newspaper" wasn't able to publish its Adobe DPS tablet edition on Thursday
because of the outage.

The breadth and duration of Adobe's service interruption ranks as further
evidence that no cloud infrastructure is too big or too important to fail.
Dropbox went down for 16 hours in January of 2013, and Google Drive
experienced a similar 17-hour meltdown of its own in March.  One estimate has
put the cost of major-league cloud outages at some $71 million since 2007,
but failures like Adobe's -- where a single piece of failing infrastructure
brings down multiple systems -- have most likely driven that estimate far
higher.
------------------------------

Date: Thu, 22 May 2014 14:26:45 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Public utility compromised after brute-force attack, DHS says"
  (Jeremy Kirk)

Jeremy Kirk, InfoWorld, 21 May 2014
The utility, which was not identified, used a simple password system and had
been compromised before
http://www.infoworld.com/d/security/public-utility-compromised-after-brute-force-attack-dhs-says-242881

------------------------------

Date: Mon, 19 May 2014 11:28:23 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Microsoft acknowledges more errors, 80070371 and 80071A91, when
  installing Windows 8.1 Update/KB 2919355" (Woody Leonhard)

Woody Leonhard | InfoWorld, 16 May 2014
There's confirmation of two more bugs and a Stop 0x7B 'Blue Screen' as
Microsoft re-issues the patch, changing metadata but no programs
http://www.infoworld.com/t/microsoft-windows/microsoft-acknowledges-more-errors-80070371-and-80071a91-when-installing-windows-81-updatekb-2919355-2426

------------------------------

Date: Thu, 22 May 2014 14:25:01 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Hackers hit eBay database containing personal info" (Loek Essers)

Loek Essers, InfoWorld, 21 May 2014
Users are asked to change passwords after attackers compromised employee
log-in credentials
http://www.infoworld.com/d/security/hackers-hit-ebay-database-containing-personal-info-242910

------------------------------

Date: Thu, 22 May 2014 14:23:18 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "'Do not track'? Oh what the heck, go ahead" (Zach Miners)

Zach Miners, InfoWorld, 22 May 2014
The browser privacy system is in tatters, and most websites either don't
honor DNT or interpret it in different ways
http://www.infoworld.com/d/applications/do-not-track-oh-what-the-heck-go-ahead-242965

------------------------------

Date: Fri, 23 May 2014 11:16:57 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Mozilla plans semi-silent updates to tug laggards onto the newest
  Firefox" (Gregg Keizer)

Gregg Keizer, Computerworld, InfoWorld, 19 May 2014
Will likely kick off process in June to get more Firefox users on the latest
version with the new Australis UI
http://www.infoworld.com/d/applications/mozilla-plans-semi-silent-updates-tug-laggards-the-newest-firefox-242695

opening text:

Mozilla is preparing nearly-silent upgrades to get customers stuck on older
versions of Firefox onto the newest edition, according to notes on the
company's website and its bug-tracking database.

The plan is to start upgrading older Windows editions beginning with the next
stable release, Firefox 30, which is slated to ship June 10.

"In the next weeks we will [be] implementing a project to get users on older
versions of Firefox back onto the latest version," said Benjamin Smedberg on
a Mozilla developers planning discussion thread.  "We've confirmed ... that
about 2% of Firefox profiles are getting 'stuck' on older versions in each
release cycle, at least back to Firefox 22."  On his LinkedIn profile,
Smedberg identifies himself as a Mozilla engineering manager.

Smedberg said that Mozilla didn't know why some of its users continue to run
outdated versions of Firefox.  But with Firefox's background update
mechanism, those users had to have explicitly switched off or at least
restricted updates.

[much more omitted.]

Well, let me answer that for you, Mr. Smedberg.

1) I like to know what is running on my system.  I program, and if an update
   causes a problem, I would at least like to know that there was an update.
   Consequently, I prefer to update manually.

2) I installed version 29.  I detest the new interface and went back to
   version 28.

3) I do not like the frequent nagging (multiple times per day) to "upgrade"
   to 29.1.

Does anyone know of a good browser that is not intrusive?  I would like one
that runs NoScript or an equivalent.  I have used Firefox since version 0.94,
but there are other browsers.

------------------------------

Date: Thu, 22 May 2014 10:11:20 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "What questions should we be asking about the eBay breach?"

Claudiu Popa, *IT Business*, 21 May 2014
http://www.itbusiness.ca/blog/what-questions-should-we-be-asking-about-the-ebay-breach/48903

selected text:

Shortly after the eBay press release hit the wire, the media started calling
to ask for my feedback on the whys and the hows of this latest debacle.

With that firmly in mind, eBay's response was still entirely inadequate.  The
press release, not addressed at the public but at the media, simply indicated
that a few employee accounts were used to gain access to a database of user
information.  That information included personal addresses, emails, phone
numbers, dates of birth, names and um -- don't worry: no financial
information.  No passwords either, since they were encrypted.

There are plenty of positive, responsible, respectful ways to announce that
you dropped the ball on security.  This announcement is not one of them,
unless it's just for the purpose of summarily complying with legislation.
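Added example, not part of the digest or of either cited article: the utility item above reports a compromise by password brute-forcing against a "simple password system", and the eBay item a compromise through employee log-in credentials. The Python below, written for this page, runs a small detector over constructed sshd-style auth log lines. It flags a source address that reaches a threshold of failed logins inside a sliding time window, and separately flags a successful login from an address that had just failed that many times, which is the signature of a brute-force attack that worked. The host name, user names, addresses and timestamps in the sample are constructed, and the threshold and window are arbitrary defaults.

```python
"""Brute-force detection over sshd-style auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in syslog/sshd format; not taken from any real system.
SAMPLE_LOG = """\
May 21 02:14:01 gw sshd[4120]: Failed password for operator from 203.0.113.7 port 51522 ssh2
May 21 02:14:03 gw sshd[4121]: Failed password for operator from 203.0.113.7 port 51523 ssh2
May 21 02:14:05 gw sshd[4122]: Failed password for admin from 203.0.113.7 port 51524 ssh2
May 21 02:14:08 gw sshd[4123]: Failed password for admin from 203.0.113.7 port 51525 ssh2
May 21 02:14:10 gw sshd[4124]: Failed password for admin from 203.0.113.7 port 51526 ssh2
May 21 02:14:12 gw sshd[4125]: Failed password for admin from 203.0.113.7 port 51527 ssh2
May 21 02:14:15 gw sshd[4126]: Accepted password for admin from 203.0.113.7 port 51528 ssh2
May 21 02:20:00 gw sshd[4130]: Failed password for jdoe from 198.51.100.9 port 40001 ssh2
May 21 09:30:00 gw sshd[4200]: Accepted password for jdoe from 198.51.100.9 port 40002 ssh2
"""

# Matches both "Failed password for user" and "Failed password for invalid user X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(lines, year=2014):
    """Yield (timestamp, result, user, ip) for matching lines; skip the rest.

    Syslog timestamps carry no year, so one is supplied (assumed 2014 here).
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=5, window_s=300):
    """Return a list of (kind, ip, user, timestamp) findings.

    'bruteforce'         - an IP reached `threshold` failures within `window_s`
                           seconds (reported once per IP).
    'bruteforce_success' - a successful login from an IP that had at least
                           `threshold` failures in the window just before it.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = set()
    findings = []
    for ts, result, user, ip in parse(lines):
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that fell out of the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(("bruteforce", ip, user, ts))
        else:
            if len(q) >= threshold:
                findings.append(("bruteforce_success", ip, user, ts))
            q.clear()             # a success ends the current run of failures
    return findings


if __name__ == "__main__":
    for kind, ip, user, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {kind:<19} {ip} user={user}")
```

On the sample, the first address trips the threshold on its fifth failure and then logs in as `admin`, so both findings fire for it; the second address has a single failure hours before its success and is left alone. A real deployment would feed the function a log stream and tune the threshold and window to the service, but the second finding is the one worth paging on.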
------------------------------

Date: Mon, 19 May 2014 11:24:02 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Firefox will get DRM copy protection despite Mozilla's concerns"
  (Jeremy Kirk)

Jeremy Kirk, InfoWorld, 15 May 2014
The company opposes DRM but has little choice lest users be cut off from
popular content services, Mozilla's CTO says
http://www.infoworld.com/d/applications/firefox-will-get-drm-copy-protection-despite-mozillas-concerns-242555

selected text:

Mozilla will upgrade its Firefox browser with copyright protection
technology, fearing a loss of users if they can't play protected content from
services like Netflix, Hulu and Amazon.

The organization has long opposed DRM (Digital Rights Management)
technologies, which seek to prevent unauthorized sharing of content under
copyright protection.  Critics say DRM also prevents legal uses of content,
such as a person moving it between two of their own devices.

DRM can also potentially leak users' private information, Gal wrote.  Many
DRM systems "fingerprint" a device, collecting identifying information so
they can prevent content from being played on a different device.

------------------------------

Date: Thu, 22 May 2014 14:18:16 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Privacy takes a beating in the FBI's kangaroo court"
  (Robert X. Cringely)

Robert X. Cringely, InfoWorld, 22 May 2014
The Feds ran roughshod over Lavabit, forcing it to shut down and proving that
in the privacy wars, the government is fighting to win -- and fighting dirty
http://www.infoworld.com/t/cringely/privacy-takes-beating-in-the-fbis-kangaroo-court-242939

------------------------------

Date: Mon, 19 May 2014 15:04:53 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "U.S. charges Chinese Army members with cyber espionage"
  (Serdar Yegulalp)

Serdar Yegulalp, InfoWorld, 19 May 2014
Five members of the Chinese Army have been indicted for allegedly hacking
U.S. firms and stealing trade secrets
http://www.infoworld.com/t/cyber-crime/us-charges-chinese-army-members-cyber-espionage-242754

------------------------------

Date: Wed, 21 May 2014 11:26:08 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Another privacy threat: DNS logging and how to avoid it"
  (Woody Leonhard)

Woody Leonhard | InfoWorld, 21 May 2014
With AT&T now turning your DNS logs into a money-making proposition, it's
time to look at alternatives
http://www.infoworld.com/t/internet-privacy/another-privacy-threat-dns-logging-and-how-avoid-it-242879

------------------------------

Date: Mon, 19 May 2014 15:00:42 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Use of license-plate photo databases is raising privacy concerns
  (Robert Faturechi)

Robert Faturechi, *Los Angeles Times*, 16 May 2014

"A growing number of cameras -- hundreds around Los Angeles, thousands
nationwide -- are engaged in a simple pursuit: Taking pictures of license
plates.

The digital photos, automatically snapped by cameras mounted on cars and
street poles and then tagged with time and location, are transmitted to
massive databases running on remote computer servers.  Cops can then search
those databases to track the past whereabouts of drivers.

Law enforcement officials say the data collection is invaluable for tracking
down stolen cars and catching fugitives.  But such databases are also being
built by private firms, which can sell access to anyone willing to pay, such
as lenders, repo workers and private investigators.  That is raising worries
among privacy advocates and lawmakers, who say the fast-growing industry is
not only ripe for conflicts of interest but downright invasive."
http://www.latimes.com/business/la-fi-law-enforcement-contractors-20140518-story.html

------------------------------

Date: May 21, 2014 at 6:46:10 AM EDT
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: California approves test of self-driving cars on public roads
  (Megan Geuss)

Megan Geuss, Ars Technica, 20 May 2014 (Via Dave Farber)
Regulations take effect mid-September; rules for the public may come this
December.
<http://arstechnica.com/cars-2/2014/05/california-approves-rules-for-testing-self-driving-cars-in-california/>

On Tuesday, the California Department of Motor Vehicles (DMV) officially
approved rules to allow the testing of autonomous vehicles on public roads.
The rules will take effect September 16, 2014.

The move has been a long time coming, with the DMV promising back in December
2013 that it would post regulations for public use of self-driving cars and
then holding a public hearing in January to address concerns about them.
These new rules will set a statewide standard for all manufacturers.
(Although Google has been running pilot programs in Mountain View and
elsewhere, it's not the only company pursuing an automated vehicle -- Nvidia
told Ars last week that Audi has plans to incorporate a ``cruise control for
stop-and-go traffic'' feature in one of its cars come 2015.)

Bryant Walker Smith, a fellow at the Center for Automotive Research at
Stanford (CARS), told Ars that the new rules could change how manufacturers
proceed with their testing.  ``The DMV has a really, really difficult task,
and I was impressed with the thoughtfulness of their approach,'' he said.
``I would say that anyone who is reading these documents will have to read
very closely.''

According to the adopted regulatory text that the California DMV posted on
Tuesday, a manufacturer which wants to test autonomous vehicles has to apply
for a testing permit, certify its drivers to test the cars, and secure a $5
million insurance or safety bond.  The testing permit must be renewed after
one year or else it expires.

During the tests, an operator must remain in the driver's seat at all times
and must obtain an ``Autonomous Vehicle Testing (AVT) Program Test Vehicle
Operator Permit'' from the DMV.  To obtain such a permit, the operator must go
through a training program put together by the manufacturer and approved by
the DMV, which includes ``defensive driver training, including practical
experience in recovering from hazardous driving scenarios'' as well as
``instruction that matches the level of the autonomous test vehicle driver's
experience operating the specific type of automated driving system technology
with the level of technical maturity of the automated system.''  ...

------------------------------

Date: Mon, 19 May 2014 21:11:03 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Comcast, Time Warner Cable still have the angriest customers
  (Ars Technica via NNSquad)

http://arstechnica.com/business/2014/05/comcast-time-warner-cable-still-have-the-angriest-customers-survey-finds/

  "Merging cable giants are the worst-rated companies in the worst-rated
  industry."

At least they're consistent.

------------------------------

Date: Fri, 23 May 2014 15:34:26 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Technocreep, by Thomas P. Keenan

Thomas P. Keenan
Technocreep: The Surrender of Privacy and the Capitalization of Intimacy
OR Books, 2014 (http://www.orbooks.com/catalog/technocreep/)

Throughout this book, it is clear that creeps are creeping with increasing
creepiness.  Every chapter in this book is a self-contained gem, full of
timely and important thoughts that relate to the present time and to our
future.  Sensor Creep and Tracking Creep are very ominous.  Government Creep
is especially pithy: ``One of the creepiest aspects of technology is that you
never really know who or what to believe anymore.''

Thomas P. Keenan has done a wonderful job in threading so many seemingly
disparate ideas into the single notion of `creep'.  Indeed, creeping is
generally thought of as going forward; however, in many of his examples, we
may actually be creeping (if not lurching) backward.  This book is a must
read for everyone interested in RISKS -- technologists, legislators and
government officials, ordinary citizens, and even luddites.

As an aside, I note that The Internet of Things (IOT, or IoT if you prefer)
-- perhaps one of the very biggest opportunities for creep of all -- might
eventually create an Identity (ID) something akin to a URL for almost any
object you can possibly imagine, including you personally.  If Technocreep
ever realizes the total dis-anthropomorphization of the human race by
treating people as Things, we may all have idiotically become ID-IOTs.

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com  or  risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but not
 all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
 browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.95
************************