RISKS Forum mailing list archives
Risks Digest 28.85
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 12 Aug 2015 11:45:33 PDT
RISKS-LIST: Risks-Forum Digest Wednesday 12 August 2015 Volume 28 : Issue 85 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/28.85.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Why `Smart' Objects May Be a Bad Idea (Zeynep Tufekci) Web's Random Numbers Are Too Weak, Researchers Warn (Mark Ward) Widespread voting machine election fraud? (AmericaBlog) Google's Search Algorithm Could Steal the Presidency (Adam Rogers) Algorithms and Bias: Q&A With Cynthia Dwork (Claire Cain Miller) What Attorneys and Their Clients Need to Know About Windows 10 and Microsoft's New Privacy Policies (Corhon Law) A key reason the new Microsoft Windows 10 privacy policies are so problematic for existing Windows 7 users Nine Charged in Insider Trading Case Tied to Hackers (NYTimes) BMW servers overloaded by Google's ALPHABET Inc. announcement (LW) Russian Cyberattack Targets Pentagon E-mail Systems (NBCNews) ICANN hacked -- again! (TheHackerNews) Researchers find major security flaw with ZigBee smarthome devices (Engadget) DefCon ProxyHam Talk Disappears but Technology is No Secret (Sean Michael Kerner) 'Santa Ana police officers sue to quash video of pot shop raid' (Scott Schwebke) Facebook and Twitter accounts seen as property (ABQ) IBM Locks Up Cloud Processes With [Obvious] Patents (InfoWeek) Code 'transplant' could revolutionise programming (WiReD) How to make a possible break-in worse: Rover rolls over (David Lesher) Mobile phone security moves in slow motion (Beta Boston) Deterrence Considered Harmful (John Arquilla via Henry Baker) An AT&T problem allegedly caused outage on Verizon, Sprint, T-Mobile Under Pressure, Google Promises To Update Android Security Regularly (Ars) Controversial cybersecurity bill would do little to stop hackers (The Guardian) Self-driving cars (xkcd 1559 via Gene Wirchenko) Among the States, Self-Driving Cars Have Ignited a Gold Rush (NYTimes) Re: Fiat Chrysler Issues Recall Over Hacking (Ivan Jager) Re: Space Ship Two crash investigation results (Don Norman) Re: Windows 10 and Wifi Sense (Bob Frankston) Re: Siri's new voice, new name: Comey (Jeremy Epstein) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 11 Aug 2015 9:06:39 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: Why `Smart' Objects May Be a Bad Idea (Zeynep Tufekci) [This is a lovely and quite incisive op-ed piece, and totally relevant for RISKS. PGN] Zeynep Tufekci, Why `Smart' Objects May Be a Bad Idea, *The New York Times* op-ed, 11 Aug 2015 A FRIDGE that puts milk on your shopping list when you run low. A safe that tallies the cash that is placed in it. A sniper rifle equipped with advanced computer technology for improved accuracy. A car that lets you stream music from the Internet. All of these innovations sound great, until you learn the risks that this type of connectivity carries. ... Hackers can empty the smart safe with a single USB stick, while erasing activity logs... Researchers managed to remotely manipulate a high-tech rifle, unbeknownst to the shooter... The Internet of Hacked Things ... ------------------------------ Date: Wed, 12 Aug 2015 13:23:21 -0400 (EDT) From: "ACM TechNews" <technews () hq acm org> Subject: Web's Random Numbers Are Too Weak, Researchers Warn (Mark Ward) Mark Ward, BBC News, 9 Aug 2015 via ACM TechNews Wednesday, August 12, 2015 The Linux-based Web server software that generates random numbers used to scramble or encrypt data should be stronger, suggests a study presented at the Black Hat security event in Las Vegas. The sources of data that some computers call on to generate random numbers often run dry, according to security analyst Bruce Potter and researcher Sasha Wood. The software generates strings of data used as "seed" for random numbers, and ideally the pool of data would possess a high degree of "entropy." However, Potter and Wood found the entropy of the data streams is often very low because the machines are not generating enough raw information for them. Moreover, the researchers warn the server security software does little to check whether a data stream has high or low entropy. The research exposed unknown aspects of encryption on millions of widely used servers. Potter and Wood describe the finding as "scary," and caution it could mean random numbers are more susceptible to well-known, brute-force attacks that leave personal data vulnerable. ------------------------------ Date: Thu, 6 Aug 2015 14:00:28 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Widespread voting machine election fraud? http://americablog.com/2015/08/mathematician-actual-voter-fraud-kansas-republicans.html ------------------------------ Date: Fri, 07 Aug 2015 08:03:12 -0700 From: Henry Baker <hbaker1 () pipeline com> Subject: Google's Search Algorithm Could Steal the Presidency (Adam Rogers) Adam Rogers, *WiReD*, 6 Aug 2015 https://www.wired.com/2015/08/googles-search-algorithm-steal-presidency/ Imagine an election -- a close one. You're undecided. So you type the name of one of the candidates into your search engine of choice. (Actually, let's not be coy here. In most of the world, one search engine dominates; in Europe and North America, it's Google.) And Google coughs up, in fractions of a second, articles and facts about that candidate. Great! Now you are an informed voter, right? But a study published this week says that the order of those results, the ranking of positive or negative stories on the screen, can have an enormous influence on the way you vote. And if the election is close enough, the effect could be profound enough to change the outcome. [Apparently paywalled.] http://www.eurekalert.org/jrnls/pnas/1419828112.full.pdf In other words: Google's ranking algorithm for search results could accidentally steal the presidency. ``We estimate, based on win margins in national elections around the world,'' says Robert Epstein, a psychologist at the American Institute for Behavioral Research and Technology and one of the study's authors, ``that Google could determine the outcome of upwards of 25 percent of all national elections.'' Epstein's paper combines a few years' worth of experiments in which Epstein and his colleague Ronald Robertson gave people access to information about the race for prime minister in Australia in 2010, two years prior, and then let the mock-voters learn about the candidates via a simulated search engine that displayed real articles. One group saw positive articles about one candidate first; the other saw positive articles about the other candidate. (A control group saw a random assortment.) The result: Whichever side people saw the positive results for, they were more likely to vote for -- by more than 48 percent. The team calls that number the `vote manipulation power', or VMP. The effect held -- strengthened, even -- when the researchers swapped in a single negative story into the number-four and number-three spots. Apparently it made the results seem even more neutral and therefore more trustworthy. ------------------------------ Date: Wed, 12 Aug 2015 13:23:21 -0400 (EDT) From: "ACM TechNews" <technews () hq acm org> Subject: Algorithms and Bias: Q&A With Cynthia Dwork (Claire Cain Miller) Claire Cain Miller, *The New York Times*, 10 Aug 2015 In an interview, Microsoft Research scientist Cynthia Dwork describes how algorithms can learn to discriminate because they are programmed by coders who incorporate their biases. In addition, she says they are patterned on human behavior, so they reflect human biases. Dwork defines her research as "finding a mathematically rigorous definition of fairness and developing computational methods--algorithms--that guarantee fairness." She notes a study she co-authored found that "sometimes, in order to be fair, it is important to make use of sensitive information while carrying out the classification task. This may be a little counterintuitive: the instinct might be to hide information that could be the basis of discrimination." Dwork says fairness entails similar people are treated in a similar manner. "A true understanding of who should be considered similar for a particular classification task requires knowledge of sensitive attributes, and removing those attributes from consideration can introduce unfairness and harm utility," she notes. The development of a fairer algorithm would involve serious consideration about who should be treated similarly to whom, according to Dwork. She says the push to train algorithms to protect certain groups from discrimination is relatively young, but the Fairness, Accountability, and Transparency in Machine Learning workshop is a promising research area. ------------------------------ Date: Tue, 11 Aug 2015 10:43:16 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: What Attorneys and Their Clients Need to Know About Windows 10 and Microsoft's New Privacy Policies Corhon Law via NNSquad http://cohornlaw.com/what-attorneys-and-their-clients-need-to-know-about-windows-10-and-microsofts-new-privacy-policies/ In addition [to] killing what remained of privacy on the Internet, Microsoft also purports to require its users to give up important intellectual property rights: When you share Your Content with other people, you expressly agree that anyone you've shared Your Content with may, for free and worldwide, use, save, record, reproduce, transmit, display, communicate ... Your Content. If you do not want others to have that ability, do not use the Services to share Your Content." I have serious doubts about the enforceability of this provision - but users should be aware of it. ------------------------------ Date: Tue, 11 Aug 2015 12:08:40 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: A key reason the new Microsoft Windows 10 privacy policies are so problematic for existing Windows 7 users https://plus.google.com/+LaurenWeinstein/posts/EUU9G8ss1nQ The key factor is the change from expected state prior to the upgrade. When people bump up to W10, the default info sharing is utterly different -- vastly expanded -- from what they consider normal under W7. And even more to the point, now involves all manner of data that has traditionally been local under Windows. When you use a cloud-based service, you normally have made a conscious decision to do so, and then a variety of boilerplate comes into play to permit processing. But the 180 done by MS is dramatic. A law firm that may in the past have chosen to keep their data all local -- for whatever reason -- now would be in a very different ecosystem simply by accepting the W10 upgrade with its defaults. Very bad. ------------------------------ Date: Tue, 11 Aug 2015 19:14:06 -0400 From: Monty Solomon <monty () roscom com> Subject: Nine Charged in Insider Trading Case Tied to Hackers http://www.nytimes.com/2015/08/12/business/dealbook/insider-trading-sec-hacking-case.html The international scheme generated more than $100 million in illegal profits, and the S.E.C. is bringing a parallel lawsuit in the case. ------------------------------ Date: Tue, 11 Aug 2015 13:18:14 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: BMW servers overloaded by Google's ALPHABET Inc. announcement https://plus.google.com/+LaurenWeinstein/posts/aW53ypatwVy BMW reports that their alphabet.com site is overloaded (testing shows it to be currently unreachable) since Google's ALPHABET, Inc. announcement. BMW has asserted that not only do they not want to relinquish that domain, which they say is an active part of a subsidiary, but that they were not approached by Google to sell the domain or pre-informed in any way of the Google announcement. If BMW's statements in these regards are true, it strikes me as impolite and uncaring at best for Google to have not given BMW some sort of warning -- issues of wanting to surprise the world notwithstanding -- given that it was entirely predictable that an announcement like this would cause activity that would likely overwhelm BMW's servers unless proactive action were taken. ------------------------------ Date: Fri, 7 Aug 2015 11:53:19 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: Russian Cyberattack Targets Pentagon E-mail Systems NBCNews, August 7, 2015 http://www.nbcnews.com/tech/security/cyberattack-pentagons-joint-staff-emails-take-system-offline-n405321 The Pentagon took its Joint Staff unclassified email system offline nearly two weeks ago, after detecting a "sophisticated cyberattack" by alleged Russian hackers, U.S. officials told NBC News on Thursday. According to the officials, the intrusion occurred sometime around July 25 and affected about 4,000 military and civilian personnel who work for the Joint Chiefs of Staff. ... ------------------------------ Date: Thu, 6 Aug 2015 13:30:36 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: ICANN hacked -- again! The Hacker News via NNSquad http://thehackernews.com/2015/08/icann-hacked.html ICANN (Internet Corporation for Assigned Names and Numbers) - the organisation responsible for allocating domain names and IP addresses for the Internet - has been hacked, potentially compromising its customers' names, email addresses, hashed passwords, and more. The US-administered non-profit corporation admitted on Wednesday that its server security was breached within the past week and that ... an "unauthorised person" gained access to usernames, email addresses, and encrypted passwords for profile accounts on ICANN.org public website. The organisation believes that the leaked information includes harmless information such as user preferences, public biographies, interests, newsletters, and subscriptions. "Fool me once, shame on you -- fool me twice, shame on me." ------------------------------ Date: Fri, 7 Aug 2015 19:59:03 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Researchers find major security flaw with ZigBee smart home devices Engadget via NNSquad http://www.engadget.com/2015/08/07/zigbee-security-flaw/ Manufacturers of smart home devices using the ZigBee standard are aiming for convenience at the expense of security, according to researchers from the Austrian security firm Cognosec. By making it easier to have smart home devices talk to each other, many companies also open up a major vulnerability with ZigBeee that could allow hackers to control your smart devices. And that could be a problem if you rely on things like smart locks or a connected alarm system for home security. Specifically, Cognosec found that ZigBee's reliance on an insecure key link with smart devices opens the door for hackers to spoof those devices and potentially gain control of your connected home. Every morning it's "I Got You Babe" on the radio. This is getting tiresome. ------------------------------ Date: Aug 7, 2015 8:54 PM From: "Hendricks Dewayne" <dewayne () warpspeed com> Subject: DefCon ProxyHam Talk Disappears but Technology is No Secret [Note: This item comes from friend Mike Cheponis. DLH]<via Dave Farber> Sean Michael Kerner, E-Week, 7 Aug 2015 http://www.eweek.com/security/def-con-proxyham-talk-disappears-but-technology-is-no-secret.html LAS VEGAS -- Part of the drama at any Black Hat or DefCon security conaference in any given year usually revolves around a talk that is canceled for some mysterious reason, typically over fears that it could reveal something truly disruptive. Such is the case in 2015 at DefCon with a talk called ProxyHam, which was supposed to reveal technology that could enable an attacker to wireless proxy traffic over long distances, hiding their true location. The original ProxyHam talk was also set to be accompanied by the sale of ProxyHam devices that could have enabled purchasers to conduct the wireless proxy attack at their leisure. Speculation around why the ProxyHam talk was canceled involved theories that the Federal Communications Commission got the talk canceled, though that has never officially been confirmed or denied. While the ProxyHam talk was canceled, it has been replaced, by a talk set to be delivered at 4 p.m. PT at DefCon and titled "HamSammich=E2=80=94long-= distance proxying over radio" in which security researchers Robert Graham, CEO of Errata Security, and David Maynor, chief scientist at Bastille Networks, will reveal how ProxyHam works and how it can be built using off-the-shelf technology today. In an exclusive video interview with eWEEKprior to the talk, Graham and Maynor detail the technology and its shortcomings, as well as suggestions for how an organization can attempt to protect itself from a ProxyHam-type risk."With ProxyHam, the idea was to take a little box, hide in a bar or a Starbucks, tap into their WiFi and then use a long-distance point-to-point link in order to tap in remotely from many miles away to the bar's WiFi network," Graham told eWEEK. The technique that ProxyHam uses involves the use of a Raspberry Pi device and a large antenna. The HamSammich approach does the same thing in terms of long-distance proxy, but with an off-the-shelf WiFi router and a 900MHz radio transmitter that, according to Graham and Maynor, can be used legally within the confines of FCC regulations. The promise of using 900MHz is that it's a piece of radio spectrum that is typically not monitored by organization. The challenge is that it generally requires line of sight, meaning that a proxied attacker could likely be easily located as well. Maynor noted that there was a backlash on social media when the original ProxyHam talk was canceled. "Our goal is to show that ProxyHam did not actually enhance security," Maynor said. "It does the exact opposite, causing more trouble than you can fix." Watch the full video discussion of how ProxyHam works with Graham and Maynor [...] ------------------------------ Date: Mon, 10 Aug 2015 10:34:25 -0700 From: Prashanth Mundkur <prashanth.mundkur () gmail com> Subject: 'Santa Ana police officers sue to quash video of pot shop raid' (Scott Schwebke) Santa Ana police officers sue to quash video of pot shop raid Scott Schwebke, OC Register, 3 Aug 2015 http://www.ocregister.com/articles/police-675722-officers-video.html SANTA ANA -- Three Santa Ana police officers want to quash a surveillance video that shows officers making derogatory comments about a disabled woman and possibly snacking on pot edibles during a recent raid of a medical marijuana dispensary. A lawsuit, filed last week in Orange County Superior Court by three unidentified police officers and the Santa Ana Police Officers Association, seeks to prevent Santa Ana Police Department internal affairs investigators from using the video as they sort out what happened during the May 26 raid of Sky High Collective. [...] Matthew Pappas, a lawyer for Sky High, pointed to the irony of police seeking to shoot down the use of video as evidence in an investigation when they routinely use videos to investigate other crimes. [...] The lawsuit argues that the video doesn't paint a fair version of events. The suit also claims the video shouldn't be used as evidence because, among other things, the police didn't know they were on camera. ``All police personnel present had a reasonable expectation that their conversations were no longer being recorded and the undercover officers, feeling that they were safe to do so, removed their masks.'' The dispensary also did not obtain consent of any officer to record them. ``Without the illegal recordings, there would have been no internal investigation of any officer.'' Pappas counters that the suit is baseless because the officers were aware the dispensary had video cameras and managed to disable most of them. ``They knew they were on video. ... Just because they missed one camera doesn't make it illegal.'' [...] [Is the pot calling the fettle back? PGN] ------------------------------ Date: Wed, 12 Aug 2015 08:50:36 -0700 From: Paul Saffo <psaffo () me com> Subject: Facebook and Twitter accounts seen as property (ABQ) http://www.abqjournal.com/608325/news/social-media-breaks-new-legal-ground.html excerpt: A Texas man used social media to promote his gun store, posting politically charged messages that criticized the president and promoted Second Amendment rights. But after losing ownership of his suburban Houston store in bankruptcy, Jeremy Alcede spent nearly seven weeks in jail for refusing a federal judge's order to share with the new owner the passwords of the business's Facebook and Twitter accounts, which the judge had declared property. Alcede's ultimately failed stand charts new territory in awarding property in bankruptcy proceedings and points to the growing importance of social media accounts as business assets. Legal experts say it also provides a lesson for all business owners who are active on social media. Bankruptcy Judge Jeff Bohm, who handled Alcede's case, acknowledged ``the landscape of social media is yet mostly uncharted in bankruptcy,'' and cited a 2011 New York bankruptcy court case that treated such accounts like subscriber lists, which ``provide valuable access to customers and potential customers.'' Villanova University School of Law professor Michael Risch said Facebook and Twitter accounts, among other social media platforms, are now seen as property by companies. ``I suspect that's what the judge was looking at, is this primarily an asset being used for business advertising to get customers to talk about what is going on with the company,'' said Risch, who specializes in Internet law. ------------------------------ Date: Aug 4, 2015 7:59 PM From: "Lauren Weinstein" <lauren () vortex com> Subject: IBM Locks Up Cloud Processes With [Obvious] Patents Information Week via NNSquad http://www.informationweek.com/cloud/infrastructure-as-a-service/ibm-locks-up-cloud-processes-with-patents/a/d-id/1321593 One is about scaling down a virtual machine as its traffic recedes, another deploys sensitive data to a secure server, and a third creates snapshots of virtual machines for rapid recovery in the event of a failed workload. These examples don't necessarily bring to mind a sense of blinding brilliance or original innovation, but these cloud operations can be patented. ------------------------------ Date: Tue, 11 Aug 2015 16:36:32 +0100 From: Martin Ward <martin () gkc org uk> Subject: Code 'transplant' could revolutionise programming (WiReD) A team of researchers have been able to automate "cargo cult programming": (https://en.wikipedia.org/wiki/Cargo_cult_programming) "Code has been automatically "transplanted" from one piece of software to another for the first time, with researchers claiming the breakthrough could radically change how computer programs are created. "The process, demonstrated by researchers at University College London, has been likened to organ transplantation in humans. Known as MuScalpel, it works by isolating the code of a useful feature in a 'donor' program and transplanting this "organ" to the right "vein" in software lacking the feature. Almost all of the transplant is automated, with minimal human involvement. ... "Like an organ that has been translated, there's a chance that features could be rejected by the new host. But when a code transplant fails the system can simply try again, potentially hundreds or even thousands of times." -- *WiReD*, Programming, 30 July 2015. http://www.wired.co.uk/news/archive/2015-07/30/code-organ-transplant-software-myscalpel Poor programmers have always written programs by chopping out bits of old programs and smooshing them together, fiddling with the result until it "sort of works" and then calling it "done". And creating a huge mess of security holes in the process! Now that this process can be automated, good programmers (who actually try to control complexity) will never be able to compete with the "productivity" of the computer-assisted cut-and-paste brigade. Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering martin () gkc org uk http://www.cse.dmu.ac.uk/~mward/ [Can you spell `malware'? PGN] ------------------------------ Date: Wed, 05 Aug 2015 21:37:55 -0400 From: David <wb8foz () panix com> Subject: How to make a possible break-in worse: Rover rolls over (David Lesher) Rover, the registrar run by Tucows had an event: i.e., "... there appears to have been a brief period of time when unauthorized access to one of our systems could have occurred." So they reset all the user account passwords & sent a note around. BUT: They sent the letter from a totally unrelated domain: <mcdlv.net> It appears to belong to something called "MailChimp.com". Plus the URL's embedded in that mail are from elsewhere: "list-manage1.com" And while their webpage is responding at http://www.hover.com, there is no note on the site's pages mentioning the break-in & mailing. And this is NOT a "too clueless to fail" multinational bank or such. A register's *whole existence* is to sell you on the personalization owning your domain brings you. Too bad they don't practice what they preach. When I reached them by phone, at a number I had in my records, the poor representative admitted she had *many* callers say just what I did. ------------------------------ Date: Thu, 6 Aug 2015 17:33:56 -0400 From: Monty Solomon <monty () roscom com> Subject: Mobile phone security moves in slow motion (Beta Boston) http://www.betaboston.com/news/2015/08/05/mobile-phone-security-moves-in-slow-motion/ ------------------------------ Date: Wed, 05 Aug 2015 09:04:53 -0700 From: Henry Baker <hbaker1 () pipeline com> Subject: Deterrence Considered Harmful (on John Arquilla) FYI -- Finally, a cyberwar expert who admits that "deterrence" is a bankrupt strategy for stopping cyberattacks. However, Arquilla doesn't understand what "defense" is required in this case; he thinks the fighter pilots of the Battle of Britain will save the day in today's cyberwars. Nevertheless, perhaps Arquilla can stop the U.S. from hurling invectives that only underline the impotence of U.S. cyberstrategy and significantly destabilize the world's security. "The innocent are held hostage by the threat of nuclear holocaust" MAD = "mutual assured *disruption*" = "a less stable situation" "deterrence becomes problematic" "deterrence is in pretty poor shape" "The threat of retaliation with virtual weapons of mass disruption probably won't deter" "the virtual defenses of the leading cyberpowers puts the United States in last place" John Arquilla, Deterrence after Stuxnet, CACM, 4 Aug 2015 http://m.cacm.acm.org/blogs/blog-cacm/190371-deterrence-after-stuxnet/fulltext ------------------------------ Date: Wed, 5 Aug 2015 09:27:09 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: An AT&T problem allegedly caused outage on Verizon, Sprint, T-Mobile (Ars Technica) Ars via NNSquad http://arstechnica.com/information-technology/2015/08/an-att-problem-allegedly-caused-outage-on-verizon-sprint-and-t-mobile/ The four major wireless carriers in the US had an outage lasting about five hours in several states last night, and a report from Re/code says it was all caused by a hardware problem in AT&T's network. Although AT&T, Verizon Wireless, T-Mobile US, and Sprint each operate their own cell towers, in the states where the outage occurred they apparently all acquire backhaul from AT&T's network. Re/code reported that "several telecommunications industry sources" confirmed that AT&T's network caused the outage for all four carriers in parts of Tennessee, Alabama, Kentucky and Indiana. (Another report said Georgia was affected as well.) ------------------------------ Date: Wed, 5 Aug 2015 10:17:23 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Under Pressure, Google Promises To Update Android Security Regularly (NPR) NPR via NNSquad http://www.npr.org/sections/alltechconsidered/2015/08/05/429649509/under-pressure-google-promises-to-update-android-security-regularly?utm_medium=RSS&utm_campaign=news Google is making big promises to fix its Android operating system. The company recently came under sharp criticism after researchers found a major flaw in Android would let hackers take over smartphones, with just a text message. Now, Google tells NPR and writes in a blog post, it'll work with other phone makers to fix that bug. And, going one step further, Google is rolling out a brand new system to protect smartphones regularly (not just once in a while). Very glad to see Google moving forward decisively in this direction. Kudos to the teams. Reference: "Lauren's Blog: When Google Leaves Users Behind" - http://lauren.vortex.com/archive/001097.html (4/22/15) ------------------------------ Date: Wed, 5 Aug 2015 14:00:13 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Controversial cybersecurity bill would do little to stop hackers *The Guardian* via NNSquad http://www.theguardian.com/world/2015/aug/05/cybersecurity-cisa-bill-hackers-privacy-surveillance "Details are absolutely crucial especially when it comes to the sordid history the federal government has had protecting the kind of stuff you'd expect them to protect," Weinstein said. "I mean, how many examples do you need to have of the basic inability of the government to protect what you'd think would be the most sensitive information out there? We had a young guy clean out NSA with a thumb drive. Then they say they're going to ask for all this additional information and we're supposed to believe they're going to protect that." ------------------------------ Date: Tue, 04 Aug 2015 20:19:37 -0700 From: Gene Wirchenko <genew () telus net> Subject: Self-driving cars (xkcd 1559) Punch-line: ``I love self-driving cars.'' http://www.xkcd.com/1559/ ------------------------------ Date: Wed, 12 Aug 2015 01:01:02 -0400 From: Monty Solomon <monty () roscom com> Subject: Among the States, Self-Driving Cars Have Ignited a Gold Rush (NYT) Whether it is fuel savings, safer commutes or freed-up time behind the wheel, motorists have many reasons to embrace self-driving cars. But another group is just as eager to see these vehicles on the road: politicians. Lawmakers from California, Texas and Virginia are wooing the autonomous-car industry, along with the jobs and tax revenue that come with it. They are financing research centers, building fake suburbs for testing the cars and, perhaps most important, going light on regulation, all in an effort to attract a rapidly growing industry. The prize: a piece of the estimated $20 billion automakers and other companies will spend globally on development over the next five years, according to an analysis by Gartner. http://www.nytimes.com/2015/08/07/automobiles/self-driving-cars-ignite-gold-rush-among-states.html ------------------------------ Date: Thu, 6 Aug 2015 19:16:50 -0500 From: Ivan Jager <aij+ () mrph org> Subject: Re: Fiat Chrysler Issues Recall Over Hacking (Kessler, RISKS-28.84) Surely I'm not the only one that realizes a software update is not going to fix the fundamental problem that this recall is about. The safety problem to be fixed is not that "someone found one of the vulnerabilities in the entertainment system and is going public with it". The problem is that someone put a wireless modem on the CAN bus, which is safety critical. Patching the one vulnerability in the entertainment system is not going to solve the problem because there are almost certainly plenty of other vulnerabilities in the entertainment system. People who write entertainment systems tend to worry more about features, performance, and a pretty UI. They were almost certainly not expecting anyone's life to depend on the correctness of their code. It's kind of like they're saying, "See, your colander has a hole in it here and your design depends on it not having any holes." "Oh, OK, we'll just patch that one hole you pointed out." I realize Chrysler might want to receive telemetry from the ECU. I wouldn't mind too much if there was a one way connection so safety critical components could send information over the Internet, but there's no way they should be able to accept commands over the Internet. Something as simple as half an RS-232 interface should do to ensure one-way communications. (Connect TX and GND but ground RX.) Of course, that would cost a little more... I would say surely it would cost less than the loss of confidence when people realize how poorly designed the car is, but at this point I'm not sure consumers have much confidence left to lose. ------------------------------ Date: Wed, 5 Aug 2015 09:27:39 -0700 From: Don Norman <dnorman () ucsd edu> Subject: Re: Space Ship Two crash investigation results Thanks to Peter Ladkin for his appropriate and well-reasoned disagreement with Alister Macintyre's blame-finding description of the accident of SpaceShip Two (RISKS-28.84 and 28.82, respectively). Macintyre cast blame on people and organizations for the accident, but with zero evidence. This should not be permitted within RISKs. I was also sadly disappointed by *The NY Times* article about the report from the U.S. National Transportation Safety Board's public session (NTSB). NTSB clearly laid blame on the deficient human-factors design which permitted a simple slip (the technical term for one class of human error) by the co-pilot to lead to the tragedy. As NTSB properly pointed out, safety systems should never have a single point of failure. Where mechanical, electronic, or software systems are involved, elaborate care is taken to avoid single points of failure: Why do we allow it for human systems? I've been arguing this point for years. I am delighted NTSB finally understands. But I have further cause for disappointment. Although the NY Times reported the hearing fairly and accurately, they headlined it CCo-Pilot's Error Is Blamed for Crash of Space Plane. Here is what the Times reported that NTSB said: ``Would a single-point mechanical failure with catastrophic consequences be acceptable?'' Robert L. Sumwalt, one of the safety board members, asked the investigators Tuesday. It would not, answered Michael Hauf, part of the investigation team that spent nine months looking into the crash. ``So why would a single-point human failure be acceptable?'' Mr. Sumwalt asked. ``And it really should not be acceptable. The fact is, if you put all your eggs in the basket of a human to do it correctly -- and I don't mean this flippantly, because I've made plenty of mistakes -- humans will screw up anything if you give them enough opportunity. The mistake is often a symptom of a flawed system.'' The safety board laid the primary blame on Scaled Composites, the company that designed this part of the system, describing the probable cause as Scaled Composites's failure to consider and protect against the possibility that a single human error could result in a catastrophic hazard to the SpaceShipTwo vehicle. *The NY Times* article was excellent. But the headline writer ignored the article and entitled the piece Co-Pilot's Error Is Blamed for Crash of Space Plane. This propagates the myth that people are flawed, incompetent, etc. No folks, it is bad design, design that ignores decades of research on proper human factors. It ignores the article itself where the blame was (properly) NOT placed on the co-pilot but rather on the poor design. NY Times: Shame on your headline writer. Peter Ladkin: thank you. Don Norman, Prof. and Director, DesignLab, UC San Diego dnorman () ucsd edu designlab.ucsd.edu/ www.jnd.org <http://www.jnd.org/> ------------------------------ Date: 4 Aug 2015 18:55:53 -0400 From: "Bob Frankston" <bob2-53 () bob ma> Subject: Re: Windows 10 and Wifi Sense (RISKS-28.84) The real problem is that instead of coming to terms with the dangerous and failed idea of perimeter security we see increasing efforts to work around the borders only exacerbating problems. The complex schemes for trading bandwidth are another face of this tendency to pile on additional mechanisms rather than recognizing that bandwidth is a construct. Bandwidth is a real technical term but billing for it is far removed from the realities of a packet network. ------------------------------ Date: Tue, 4 Aug 2015 19:24:35 -0400 From: Jeremy Epstein <jeremy.j.epstein () gmail com> Subject: Re: Siri's new voice, new name: Comey Verizon has offered something very similar to the new Siri offering called "Premium Visual Voice Mail". It came bundled with my Samsung Galaxy 5 for a couple months, and then switched to $2.99/month. (I didn't take it.) It describes the advantages as "Voice Mail to Text: Discreetly read voice mails without listening to them". See http://www.verizonwireless.com/support/voice-mail-comparison/ for a comparison with the iPhone offering. Not endorsing the product or minimizing the risk, just noting that it's not really new. ------------------------------ Date: Mon, 17 Nov 2014 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall () newcastle ac uk>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line. *** NOTE: Including the string `notsp' at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 28.85 ************************
Current thread:
- Risks Digest 28.85 RISKS List Owner (Aug 12)