RISKS Forum mailing list archives

Previous By Date Next
Previous By Thread Next

Risks Digest 28.82

From: RISKS List Owner <risko () csl sri com>
Date: Wed, 29 Jul 2015 16:38:31 PDT
RISKS-LIST: Risks-Forum Digest  Wednesday 29 July 2015  Volume 28 : Issue 82

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.82.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
*WashPost* Op-Ed on Crypto Disappeared (McConnell/Chertoff/Lynn)
Chertoff & Leiter disagree with Comey (Henry Baker)
Cyber "Defense" from Glass Houses (Henry Baker)
Android Stagefright Flaws Put 950 million devices at risk (ThreatPost)
Westpac missing out on $1m a day from computer deficiency (Dave Horsfall)
Office 365 outage (Jeremy Epstein)
Is There Such a Thing as `Ethical Cheating'? (NYTimes)
For Ransom, Bitcoin Replaces the Bag of Bills (Nathaniel Popper)
Spelling checkers don't catch everything, not even on Pluto (Thomas Koenig)
Problems Riddle System to Check Buyers of Guns (NTYimes)
Sweat the small stuff: anti-drones (ABC7 via Henry Baker)
Chinese Tourist's Drone Crashes Into Taipei 101 Skyscraper (Slashdot)
Don't bring your drone to New Zealand (Slashdot)
PanoptiCity, USA: Municipal Surveillance (Henry Baker)
"iPhone and Registration Please" (WiReD)
Costco Photo Center compromised (David Farber)
A Clinton Story Fraught With Inaccuracies: How It Happened and What Next?
  (NYTimes)
Fiat Chrysler Issues Recall Over Hacking (NYTimes)
Re: Hackers Remotely Kill a Jeep (David Lesher)
The hackable car (Michael Bacon)
Re: What's Wrong With the Internet (Dimitri Maziuk)
Re: Facebook blocked from challenging search warrants targeting its users
  (R. G. Newbury)
Re: For .sucks Web domains, currency seems to be paid in reputations
  (John Levine, Bob Frankston)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 29 Jul 2015 15:30:50 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: *WashPost* Op-Ed on Crypto Disappeared (McConnell/Chertoff/Lynn)

  [The following item appeared (briefly) on *The Washington Post* webpage,
  and then subsequently vanished.  The right to be *forgotten*?  NO.  The
  right to be *remembered*, even if someone else wanted it to disappear.
  This is an important statement.  I'm including it in its entirety, as a
  public interest.  (It also raises an interesting question of the copyright
  status for something that was unpublished.)
    As I noted long ago in the first round of crypto wars,
      ``The cat is out of the bag, and
      the genie won't go back in the closet.
  PGN]

https://www.techdirt.com/articles/20150729/09460731789/washington-post-publishes-then-unpublishes-opinion-piece-ex-intelligence-industry-brass-favor-strong-encryption.shtml

You have reached the cached page for
https://www.washingtonpost.com/opinions/the-need-for-ubiquitous-data-encryption/2015/07/28/3d145952-324e-11e5-8353-1215475949f4_story.html

Mike McConnell, Michael Chertoff and William Lynn 28 Jul 2015 at 8:01 PM
Why the fear over ubiquitous data encryption is overblown

  Mike McConnell was director of the National Security Agency under
  President Clinton and director of national intelligence under President
  George W. Bush.  Michael Chertoff was homeland security secretary under
  Bush.  William Lynn was deputy defense secretary under President Obama.

More than three years ago, as former national security officials, we penned
an op-ed to raise awareness among the public, the business community and
Congress of the serious threat to the nation's well-being posed by the
massive theft of intellectual property, technology and business information
by the Chinese government through cyberexploitation.  Today, we write again
to raise the level of thinking and debate about ubiquitous encryption to
protect information from exploitation.

In the wake of global controversy over government surveillance, a number of
U.S. technology companies have developed and are offering their users what
we call ubiquitous encryption -- that is, end-to-end encryption of data with
only the sender and intended recipient possessing decryption keys.  With
this technology, the plain text of messages is inaccessible to the companies
offering the products or services as well as to the government, even with
lawfully authorized access for public safety or law enforcement purposes.

The FBI director and the Justice Department have raised serious and
legitimate concerns that ubiquitous encryption without a second decryption
key in the hands of a third party would allow criminals to keep their
communications secret, even when law enforcement officials have
court-approved authorization to access those communications.  There also
are concerns about such encryption providing secure communications to
national security intelligence targets such as terrorist organizations and
nations operating counter to U.S. national security interests.

Several other nations are pursuing access to encrypted communications.  In
Britain, Parliament is considering requiring technology companies to build
decryption capabilities for authorized government access into products and
services offered in that country.  The Chinese have proposed similar
approaches to ensure that the government can monitor the content and
activities of their citizens.  Pakistan has recently blocked BlackBerry
services, which provide ubiquitous encryption by default.

We recognize the importance our officials attach to being able to decrypt a
coded communication under a warrant or similar legal authority.  But the
issue that has not been addressed is the competing priorities that support
the companies' resistance to building in a back door or duplicated key for
decryption.  We believe that the greater public good is a secure
communications infrastructure protected by ubiquitous encryption at the
device, server and enterprise level without building in means for government
monitoring.

First, such an encryption system would protect individual privacy and
business information from exploitation at a much higher level than exists
today.  As a recent MIT paper explains, requiring duplicate keys introduces
vulnerabilities in encryption that raise the risk of compromise and theft by
bad actors.  If third-party key holders have less than perfect security,
they may be hacked and the duplicate key exposed.  This is no theoretical
possibility, as evidenced by major cyberintrusions into supposedly secure
government databases and the successful compromise of security tokens held
by the security firm RSA.  Furthermore, requiring a duplicate key rules out
security techniques, such as one-time-only private keys.

Second, a requirement that U.S. technology providers create a duplicate key
will not prevent malicious actors from finding other technology providers
who will furnish ubiquitous encryption.  The smart bad guys will find ways
and technologies to avoid access, and we can be sure that the `dark Web'
marketplace will offer myriad such capabilities.  This could lead to a
perverse outcome in which law-abiding organizations and individuals lack
protected communications but malicious actors have them.

Finally, and most significantly, if the United States can demand that
companies make available a duplicate key, other nations such as China will
insist on the same.  There will be no principled basis to resist that legal
demand.  The result will be to expose business, political and personal
communications to a wide spectrum of governmental access regimes with
varying degrees of due process.

Strategically, the interests of U.S. businesses are essential to protecting
U.S. national security interests.  After all, political power and military
power are derived from economic strength.  If the United States is to
maintain its global role and influence, protecting business interests from
massive economic espionage is essential.  And that imperative may outweigh
the tactical benefit of making encrypted communications more easily
accessible to Western authorities.

History teaches that the fear that ubiquitous encryption will cause our
security to go dark is overblown.  There was a great debate about encryption
in the early 1990s.  When the mathematics of public key encryption were
discovered as a way to provide encryption protection broadly and cheaply to
all users, some national security officials were convinced that if the
technology were not restricted, law enforcement and intelligence
organizations would go dark or deaf.

As a result, the idea of escrowed key[s], known as Clipper Chip, was
introduced.  The concept was that unbreakable encryption would be provided
to individuals and businesses, but the keys could be obtained from escrow by
the government under court authorization for legitimate law enforcement or
intelligence purposes.

The administration and Congress rejected the Clipper Chip based on the
reaction from business and the public.  In addition, restrictions were
relaxed on the export of encryption technology.  But the sky did not fall,
and we did not go dark and deaf.  Law enforcement and intelligence officials
simply had to face a new future.  As witnesses to that new future, we can
attest that our security agencies were able to protect national security
interests to an even greater extent in the 1990s and into the new century.

Today, with almost everyone carrying a networked device on his or her
person, ubiquitous encryption provides essential security.  If law
enforcement and intelligence organizations face a future without assured
access to encrypted communications, they will develop technologies and
techniques to meet their legitimate mission goals.

------------------------------

Date: Sun, 26 Jul 2015 12:32:13 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Chertoff & Leiter disagree with Comey

FYI -- [The remarks below were transcribed by me, and haven't shown up
anywhere Googleable, so they can't be edited away.]

Speaking at the Aspen Security Forum (aka The Deep Security State Pep
Rally), where US security officials rub shoulders with the fawning press and
with future Beltway Bandit employers, Third Circuit Judge and Secretary of
Homeland Security Michael Chertoff and Counterterrorism Director Michael
Leiter surprised many by going offscript and disagreeing with FBI Comey's
"going dark" stance.

Chertoff quotes:

"We do not historically organize our society to make it maximally easy for
   law enforcement even with court orders to get information."
"We're not quite as dark sometimes as we fear we are."
"Requiring people to build a vulnerability may be a strategic mistake."

Leiter quotes:

"We undermine our national security by having that back door."
"You have to have a law which addresses reality, and not what you hope
reality will be."

The press greeted Chertoff's and Leiter's remarks with heedless disregard.
https://en.wikipedia.org/wiki/Michael_Chertoff
https://en.wikipedia.org/wiki/Michael_Leiter
https://www.youtube.com/watch?v=M7Ev-Wx3VT8

58.5 minute video

"Cooperation and Conflict in the Relationship between Government and
Industry in Cyberspace"

Chertoff, speaking at around 15:50

"I'm going to take a position -- that is probably going to be a little
surprising to people here, given the fact that I've spent a lot of my career
in the security area -- and I want to be very clear about what the issue is
here.  The issue is presented, assuming that there is a court order to get a
communication, but it's an encrypted communication, and if there is no
duplicate key or back door, the only people who can decrypt it are the
sender and the recipient.  Now you can make them do it, the court can order
them to do it, [but] if you either can't get hold of them or they refuse,
then the question is what is the government do and that's the issue that
they're worried about.  I think that it's a mistake to require companies
that are making hardware and software to build a duplicate key or back door,
even if you hedge it with the notion that there's going to be a court order,
and I say that for a number of reasons.  I've given it quite a bit of
thought, and I'm working with s ome companies in this area, too."

"First of all there is when you do require a duplicate key, or some other
form of back door, there is an increased risk and increased
vulnerability. you can manage that to some extent, but it doesn't prevent
you from certain kinds of encryption, so you're basically making things less
secure for ordinary people."

"The second thing is that the really bad people are going to find apps and
tools that are going to allow them to encrypt everything without a back
door.  And these apps are multiplying all the time.  The idea that you're
going to build to stop this -- particularly given a global environment -- I
think is a pipe dream.  So what will wind up happening is people who are
legitimate actors will be taking somewhat less secure communications and the
bad guys will still not be able to be decrypted."

"The third thing is what are we going to tell other countries, when other
countries say great, we want to have a duplicate key too, here in Beijing,
or Moscow or someplace else.  The companies are not going to have a
principled basis to refuse to do that.  So that's going to be a strategic
problem for us."

"Finally, I guess I have a couple of overarching comments.  One is we do not
historically organize our society to make it maximally easy for law
enforcement even with court orders to get information.  We often make
tradeoffs and we make it more difficult.  If that were not the case, then
why wouldn't the government simply say all these [smartphones] have to be
configured so they're constantly recording everything that we say and do and
then when you get a court order it gets turned over and we wind up
convicting ourselves.  So, I don't think socially we do that.  And I also
think that experience shows we're not quite as dark sometimes as we fear we
are.  In the 90's when encryption first became a big deal, there was a
debate about a Clipper Chip, that would be embedded in devices or whatever
your communications equipment was to allow court ordered interception.
Congress ultimately and the President did not agree to that.  And it dawned
on the people in the community afterward, you know what, we collected more
than ever.  We found ways to deal with that issue, so it's a little bit of a
long winded answer but I think on this one strategically requiring people to
build a vulnerability may be a strategic mistake."

Michael Leiter, speaking at around 19:30

"I'm close to Mike [Chertoff], but I'm not all the way there and I think
some of his arguments, as brilliant as he is, don't quite hold water.  There
are, you know, there are lots of situations where we force companies to make
a decision about where they're going to be doing business.  And if you
choose to do business in -- let's say Russia -- and Russians don't really
have a rule of law and they say please provide me with all of your data, the
company can make a choice; they can do business in Russia, and comply, or
they can not do business in Russia.  Now that's a pretty strong statement to
basically stop American companies, but American companies may have to make
that choice.  They may have to make a choice even though they're technology
companies, about where they operate, I know the companies we work for make
that choice all the time and then you can actually still do pretty well for
your shareholders and your businesses.  So I don't think all those..."

"The place where I come down really is technologically this is a problem.
And it's a problem because we are clearly going to a world where end-to-end
encryption with temporary keys that disappear immediately after any
communication occurs, that is the future.  There is no way around that; we
are not going to stop that.  And, because of that, for the technology
issues, I don't think there is a long term way to preserve the US
government's ability to intercept or get access to those.  And I also do
think that societally, we have to accept that the degree to which we
undermine our national security by having that back door or front door,
depending upon how you define it, is very real.  We have seen that because
of the cyberthreat.  So I tend to think that both technology and the balance
of these probably falls on the side of -- you can try to design it now, but
reality is going to overtake you and it's a funny thing that when technology
and law conflict, law's not going to change th at technology for long, it's
going to overtake it.  And you have to have a law which addresses reality,
and not what you hope reality will be."

------------------------------

Date: Mon, 27 Jul 2015 10:37:05 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Cyber "Defense" from Glass Houses

FYI -- At the Aspen Security Forum last week, there was a lot of
swashbuckling talk about cyber "defense".

However, after listening to multiple hours of these talks, I *never once*
heard about any effort to "harden" today's computers and networks from
attack.

The entire U.S. Government's attitude towards attacks such as Sony or OPM is:

1) attribute; and
2) retaliate.

In other words, cyber "defense" isn't "defensive" at all; it's simply more
offensive, but reactive rather than proactive.

Leaving aside the significant risks of mis-attribution and mis-retaliation,
shouldn't the U.S. be engaged in a "sprint" to secure our glass houses from
rocks instead of whining about end-to-end encryption?

What possible gain can the U.S. obtain from a cyber war in which we and
North Korea (or ISIL, or ...) both reduce each other electronically to the
1950's?

Once again, in our asymmetric world, people who live in glass houses
shouldn't be throwing rocks -- especially at those who don't live in glass
houses.

https://www.youtube.com/user/AspenInstitute/videos?sort=dd&view=0&shelf_id=7

https://www.youtube.com/watch?v=KopyWcBUBPw

Beyond the Build: Leveraging the Cyber Mission Force

Streamed live on Jul 23, 2015

Adm. Mike Rogers, the head of the National Security Agency and Cyber Command
discusses cyber warfare, cyber terrorism, and cybercrime, and how we can
best "defend" ourselves against what most experts believe will be the cyber
equivalent someday soon of Pearl Harbor.

------------------------------

Date: Mon, 27 Jul 2015 09:44:49 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Android Stagefright Flaws Put 950 million devices at risk

ThreatPost via NNSquad
https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960

  An attacker in possession of their target's phone number could send an MMS
  or even a Google Hangouts message to an affected device that triggers the
  vulnerability before the victim has a chance to open the message. In some
  cases, the attack would delete the MMS in question, leaving behind only a
  notification that a message was sent ... There are some mitigations, for
  example, in Google Hangout settings, a user is able to request that MMS
  messages are not automatically downloaded.  "Older devices don't have that
  option, older devices are more exposed and at risk," Drake said, adding
  that exploits against Ice Cream Sandwich and Gingerbread are much easier
  to develop and put those versions at extreme risk. "They don't have the
  hardening measures Android has these days."

Apparently, here we go again. And unfortunately, very large percentages of
Android users are on older devices that neither Google nor carriers can or
will appropriately update. In fact, even getting Google to make official
statements and provide official "from the horse's mouth" help center
reference pages about such situations -- and possible mitigations or
workarounds -- is often simply impossible.

Google: I *realize* that this is hard stuff. I *understand* that the
openness of the Android ecosystem makes this difficult. But the continuing
status quo of security issues piling up on older devices that are still
being routinely used by vast numbers of users is simply untenable. At the
very least these users need to be directly informed and helped *by Google*
-- not left to pick up bits and pieces of often inaccurate information from
third party media and various Google adversaries. It's bad for consumers,
and it's bad for Google!

------------------------------

Date: Tue, 28 Jul 2015 15:03:53 +1000 (EST)
From: Dave Horsfall <dave () horsfall org>
Subject: Westpac missing out on $1m a day from computer deficiency

http://www.smh.com.au/it-pro/interest-rate-computer-glitch-costs-westpac-over-1m-a-day-20150728-gilh37

``Westpac Banking Corp is losing over $1 million a day because its computer
  systems do not allow it to charge property investors and owner occupiers
  different interest rates.''

In short, the heavy use of investing in properties in Australia is driving
first-time buyers out of the market, and so the major banks are trying to
throttle it back by charging higher rates for investors than for owner
occupiers.  Westpac, however is alone amongst the "big four" by being unable
to do so because of "technical problems."  Apparently it will take "several
months" for "senior members of the IT team" to change the system.

I'm finding it difficult to shed a tear over the bank's plight, but I guess
that their motives are to make it easier for first-time buyers.

------------------------------

Date: Tue, 28 Jul 2015 06:13:34 -0700
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: Office 365 outage

I haven't seen this reported anywhere, but on 27 Jul 2015, there was a
pretty significant Office 365 outage that hit some organizations.
Centralizing in the cloud adds risk, as well as benefit.

Here's Microsoft's explanation - via an email, not an official pronouncement
on their web site.

  "As part of our ongoing work to improve customer experience, an update
  that was intended to improve federation for users who have Microsoft
  consumer accounts in addition to their Office 365 accounts was deployed to
  the Organization Identity infrastructure. However, this update caused
  impact for some customers who used the same email name for both services."

It basically knocked offline everyone in my government agency.  And they've
been less than forthcoming about whether any emails were lost, when
backlogged emails were delivered, etc.

Among the organizations affected (that I found reporting about the problem
at downdetector.com) were Lincoln Center, UCSD, Vantage Health Plan, UNM,
Vanderbilt, etc.  So it wasn't regional.

------------------------------

Date: Sun, 26 Jul 2015 18:13:14 -0400
From: Monty Solomon <monty () roscom com>
Subject: Is There Such a Thing as `Ethical Cheating'?

When the news broke last week that hackers had breached Ashley Madison, the
dating website that helps married people find out-of-wedlock romance, the
Internet responded with a lot of snark and not much sympathy.

We read Twitter so you don92t have to, and the take-away is this: if you
cheat and get caught, you are getting what you deserve; and, if you cheat
and get caught because you entered your personal information into a
cheaters' dating website whose marketing tagline is Life is short. Have an
affair -- you really are getting what you deserve.

But married daters looking for someone to defend their honor have at last
found a spokesman: Brandon Wade, 45, the founder of the new website
OpenMinded.com, which caters to individuals and couples looking for others
with whom to engage in what Mr. Wade calls `ethical cheating'.  This
involves telling a spouse that you are going to be unfaithful, or including
the spouse in new, outside-the-marriage relationships, he said.

http://www.nytimes.com/2015/07/27/fashion/ethical-cheating-open-minded-dot-com.html

------------------------------

Date: Sun, 26 Jul 2015 10:31:52 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: For Ransom, Bitcoin Replaces the Bag of Bills (Nathaniel Popper)

Nathaniel Popper, *The New York Times*, 26 Jul 2015

Hackers seizing sites and files demand virtual currency.  Victims are told
to pay more than $20,000 in Bitcoin.  One group of attackers in Russia and
Ukraine collected about $16.5M in Bitcoin in just over a month.  One Bitcoin
is apparently worth about $290 at the moment.   [PGN-ed]

------------------------------

Date: Mon, 27 Jul 2015 22:54:46 +0200
From: Thomas Koenig <tkoenig () netcologne de>
Subject: Spelling checkers don't catch everything, not even on Pluto

A quick reminder that spelling checkers do not catch everything.
A recent NASA press release about New Horizons contained the sentence

  "Ultraviolent sunlight chemically converts hazes into tholins, the dark
  hydrocarbons that color Pluto's surface"

It was fixed in the meantime on the NASA web site, but other sites still
carry it.  Of course, instead of a simple error, it could also be a Douglas
Adams quote...

------------------------------

Date: Tue, 28 Jul 2015 00:11:26 -0400
From: Monty Solomon <monty () roscom com>
Subject: Problems Riddle System to Check Buyers of Guns

http://www.nytimes.com/2015/07/28/us/problems-riddle-system-to-check-buyers-of-guns.html

The one system that gun rights and gun control advocates both agree on, the
National Instant Criminal Background Check System, has major gaps.

------------------------------

Date: Sun, 26 Jul 2015 15:06:51 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Sweat the small stuff: anti-drones

FYI -- ".50-caliber gun", "30-kilowatt laser", "anti-tank missile",
"tube-launched drone that can carry an explosive charge the size of a hand
grenade", "shotgun might suffice"

"doing so in a city could risk harming innocent bystanders"

You think ?

These cures may be worse than the disease...

I wonder if this current anti-drone testing program has anything to do with
panga boats found in the same area.  (Autonomous panga boats may be used for
smuggling drugs into the U.S.)

http://abc7.com/archive/9220658/

Immigration agents investigate panga boat near Point Mugu Rock

August 27, 2013 12:00:00 AM PDT

POINT MUGU STATE PARK, VENTURA COUNTY -- Agents with U.S. Immigration and
Customs Enforcement are investigating a panga boat abandoned about 100 feet
south of Point Mugu Rock [very close to Point Mugu Naval Base].

http://www.independent.com/news/2013/mar/14/panga-runners-land-vandenberg/

http://nypost.com/2015/07/25/military-operation-black-dart-to-tackle-nightmare-drone-scenario/

Military exercise Black Dart to tackle nightmare drone scenario

By Richard Whittle

July 25, 2015 | 4:00pm

Sweat the small stuff.

That's the unofficial motto for this year's edition of the military exercise
Black Dart, a two-week test of tactics and technologies to combat hostile
drones that begins Monday on the Point Mugu range at Naval Base Ventura
County in California.

The military categorizes Unmanned Aircraft Systems (UAS) by size and
capability, from Group 5 drones that weigh more than 1,320 pounds and can
fly above 18,000 feet like the Reaper, down to Group 1, mini- and
micro-drones less than 20 pounds that fly lower than 1,200 feet.  Previous
Black Darts have covered threats to troops overseas and targets at home
posed by drones of all sizes.

But small drones are this year's focus, said the director of this 14th
edition of Black Dart, Air Force Maj. Scott Gregg, because of worrisome
incidents since the last exercise.  [...]

  [Very long item truncated for RISKS.  PGN]

------------------------------

Date: Sun, 26 Jul 2015 21:14:53 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Chinese Tourist's Drone Crashes Into Taipei 101 Skyscraper

 (Slashdot via Werner U)
<http://tech.slashdot.org/story/15/07/25/1622200/chinese-tourists-drone-crashes-into-taipei-101-skyscraper>
<http://en.yibada.com/articles/48013/20150724/chinese-tourist-faces-nt-1-5-million-fine-crashing-drone.htm>

A Chinese tourist has been hit with a fine of $48,000 (NT $1.5 Million)
after his drone crashed into the Taipei 101 skyscraper. The tourist,
30-year-old Yan Yungfan, *was supposedly attempting to film Taipei's
cityscape on Tuesday morning with a remotely controlled Phantom 3 UAV when
he lost control of the drone, causing it to hit the side of Taipei 101 at
around the 30th floor. No one was injured in the incident and only minor
damage was sustained by the building's glass windows, but the video
immediately became a viral sensation after it was uploaded online. Taipei
101 said in a statement that there have been three incidents of drones
crashing around the building since mid-June, with the first two cases taking
place on June 15 and June 20.* No injuries have resulted from these crashes,
but I wouldn't want to get hit by a 3-pound object falling from that height.

------------------------------

Date: Mon, 27 Jul 2015 11:59:48 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Don't bring your drone to New Zealand

<http://yro.slashdot.org/story/15/07/24/1625252/dont-bring-your-drone-to-new-zealand>

Personal drones are changing the way some people experience vacations.
Instead of toting along a camcorder or a 35mm DSLR, people are starting pack
a GoPro and, increasingly, a drone on which to mount it. This is fine if
you're going to a drone-friendly country, but be warned that your drone will
get you into big trouble in Thailand (where all use of drones by the public
is banned outright) and now in New Zealand, where strict new laws regarding
the operation of drones (and even tiny toys like the 20g Cheerson CX10) come
into effect on August 1. Under these new rules, nobody can operate a drone
or model aircraft without getting the prior consent of the owner over which
property it is intended to fly -- and (this is the kicker) also the
permission of the occupiers of that property. So you can effectively forget
about flying down at the local park, at scenic locations or just about any
public place. Even if you could manage to get the prior permission of the
land-owner, because we're talking "public place," you'd also have to get the
permission of anyone and everyone who was also in the area where you
intended to fly.  Other countries have produced far more sane regulations --
such as limiting drone and RC model operators to flying no closer than 30m
from people or buildings -- but New Zealand's CAA have gone right over the
top and imposed what amounts to a virtual death-sentence on a hobby that has
provided endless, safe fun for people of all ages for more than 50 years. Of
course if you are prepared to pay a $600 fee to become "Certified" by CAA
then the restrictions on where you can fly are lifted and you don't need
those permissions.

<http://www.slate.com/articles/technology/future_tense/2015/02/thailand_drone_regulations_why_you_should_care.html>
<http://www.stuff.co.nz/technology/gadgets/70493842/drone-operators-may-need-flying-permits-under-new-rules.html>

------------------------------

Date: Mon, 27 Jul 2015 07:25:03 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: PanoptiCity, USA: Municipal Surveillance

FYI -- Ubiquitous surveillance beyond the Stasi's wettest dreams.

Every streetlight is now a surveillance camera; garbage trucks video your
trash in RFID-equipped containers.

What next?  A wifi system that spies on you?

http://www.rt.com/usa/seattle-mesh-network-disabled-676/

"Seattle police deactivate [wifi] surveillance system after public outrage"

Perhaps a sewer system that spies on you, too?

http://edition.cnn.com/2005/TECH/06/28/spark.toilet/index.html

"Clever toilet checks on your health"

https://www.aclu.org/blog/free-future/building-mass-surveillance-infrastructure-out-light-bulbs

Building a Mass Surveillance Infrastructure Out of Light Bulbs
By Chad Marlow, Advocacy and Policy Counsel, ACLU
July 23, 2015 | 10:30 PM

For almost a quarter century, General Electric's corporate slogan was GE: We
Bring Good Things To Life.  Well, based upon a report in Sunday's The New
York Times, the company may want to dig up that old slogan, repurpose it a
bit, and roll it out as GE: We Bring Mass Surveillance To Lights.

http://www.nytimes.com/2015/07/20/technology/a-light-bulb-goes-on-over-the-mall.html

  [Truncated for RISKS.  PGN]

------------------------------

Date: Sat, 25 Jul 2015 16:02:54 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: "iPhone and Registration Please" (WiReD, Jun 2015)

Drivers license on your phone, what could go wrong with that?
http://contentviewer.adobe.com/s/Wired/5857345fd35d4d1f9a1f00273013f68a/WI0615_10_Folio/3030_2306AP_phoneid.html
http://tinyurl.com/ongxg7b

------------------------------

Date: Sat, 25 Jul 2015 17:40:54 -0400
From: "David Farber" <farber () gmail com>
Subject: Costco Photo Center compromised

http://www.costcophotocenter.com/account/default.aspx

"As a result of recent reports suggesting that there may have been a
security compromise of the third party vendor that hosts
Costcophotocenter.com, we are temporarily suspending access to the site. We
take the security of our members' data seriously, which is why we are taking
this precautionary step. This decision does not affect any other Costco
website or our in-store operations, including in-store photo centers.

"This situation is affecting multiple online photo sites. We are diligently
working to determine when we can re-enable the site, but in all likelihood
that will not occur until early August. We will update this statement when
we have more information." [...]

------------------------------

Date: Tue, 28 Jul 2015 00:28:03 -0400
From: Monty Solomon <monty () roscom com>
Subject: A Clinton Story Fraught With Inaccuracies: How It Happened and What
  Next? (NYTimes)

http://publiceditor.blogs.nytimes.com/2015/07/27/a-clinton-story-fraught-with-inaccuracies-how-it-happened-and-what-next/

A front-page story, corrected multiple times, raises bigger questions.

------------------------------

Date: Tue, 28 Jul 2015 00:33:24 -0400
From: Monty Solomon <monty () roscom com>
Subject: Fiat Chrysler Issues Recall Over Hacking

http://www.nytimes.com/2015/07/25/business/fiat-chrysler-recalls-1-4-million-vehicles-to-fix-hacking-issue.html

The news that two researchers had hacked into a Jeep Cherokee, set in motion
a nine-day flurry of activity by the automaker and the safety agency that
culminated in the recall of 1.4 million vehicles.

------------------------------

Date: Mon, 27 Jul 2015 22:08:42 -0400
From: David Lesher <wb8foz () panix com>
Subject: Re: Hackers Remotely Kill a Jeep (RISKS-28.80)

Wired reports that Jeep has announced:

  [owners will] be sent a USB drive with a software update they can install
  through the port on their vehicle's dashboard.

....and of course, people with RISKy minds immediately latched on the minor
issue of how will owners know which USB key to trust, and which to call
HazMat to remove...? Good Question.

{Jeep would far rather owners go to their dealers for a patch; it's far
cheaper for the company, but..}

Why should I spend money on individual USB keys & postage? I'm already
making dastardly plans to go after the nation's Jeep dealers & their
collection of diagnostic and upgrade computers. I've yet to meet an
automotive service manager who keeps up to date with Krebs & RISKS; much
less spell "Kaspersky"....

PS: How many cars are in the motor pools at Langely and Ft. Meade? Who
maintains/upgrades those - the lowest bidder? Just wait until they start
silently turning into mobile TOR routers & Bitcoin miners...

------------------------------

Date: Sun, 26 Jul 2015 06:40:30 +0100
From: Michael Bacon <michaelbacon () tiscali co uk>
Subject: The hackable car (RISKS-28.81)

Call me old-fashioned, but I prefer that the steering wheel be mechanically
connected to the steered wheels, and that the brake pedal be hydraulically
(or mechanically) connected to the brakes.  Putting electronics in the path
creates potential for "brain fade" -- as evidenced by the technological
marvels that are Formula One Grand Prix cars.

It used to be that the most dangerous component in a vehicle was the nut
behind the wheel, now it's the systems builder and the hacker 5,000 miles
away.

Expletives aside, among the last words on many Cockpit Voice Recorders
recovered after aircraft accidents are: "Why is it doing that?"  The
increasing insertion of flawed software into basic vehicle control systems
brings strong potential for these to be the last words uttered by many
drivers in the future.

I'll stick to my "old clunker", thank you, and avoid that risk.

------------------------------

Date: Sun, 26 Jul 2015 14:06:33 -0500
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: What's Wrong With the Internet (Emerson, RISKS-28.81)

Oh good. Now we just need someone to explain to IETF how a session layer
would make a lot of things from distributed programming to firewalls without
"deep inspection" to bittorrent to google chrome's connection pooling
irrelevant. And how a presentation layer would put encryption someplace less
silly than "socket layer" and would also take care of "magic quotes" and the
rest of unicode-related mess. And they'll listen.

------------------------------

Date: Mon, 27 Jul 2015 09:41:43 -0400
From: "R. G. Newbury" <newbury () mandamus org>
Subject: Re: Facebook blocked from challenging search warrants targeting its
  users (RISKS-28.81)

And all Facebook needs to do, is amend its Terms of Service to add a
provision (on, I suggest, an opt-in basis) which appoints FB with Power of
Attorney to respond to, and dispute any search warrant which the Attorney
receives, aimed at the customer.

QED.  FB has standing to dispute the warrant, NOT as FB, but as the
customer.

Ignorant, stupid ruling.

Geoffrey Newbury Barrister and Solicitor Suite 106, 150 Lakeshore Road West
Mississauga, Ontario, L5H 3R2  1-905-271-9600  newbury () mandamus org

------------------------------

Date: 25 Jul 2015 21:19:35 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: For .sucks Web domains, currency seems to be paid in
  reputations (BetaBoston)

In article <15.CMM.0.90.4.1437849994.risko () chiron csl sri.com16253> you write:

http://www.betaboston.com/news/2015/07/23/sleazy-internet-domain-sucks-up-the-bucks/


This was a rather bad article, sloppy and poorly researched.


Do I need to point out again that what really sucks is the idea that you
can't own your identity ...


Um, the point of .sucks is that it's not for you, it's for people to
complain about you.  This point also appears to elude all of the
trademark lawyers whining about it, and it eluded ICANN who
predictably panicked when they got the lawyers' letter and asked the
FTC and Canadian OCA to give them an excuse to shut down .sucks (with
whom they had just signed a long term contract), but it did not elude
either the FTC or the OCA, neither of whom had any sympathy at all.

It's true that .sucks is a shakedown, but only for the insecure and
pretentious.  I blogged about it at http://jl.ly/ICANN/ultvanity.html

------------------------------

Date: 25 Jul 2015 17:27:36 -0400
From: "Bob Frankston" <bob19-0501 () bobf frankston com>
Subject: Re: For .sucks Web domains, currency seems to be paid in reputations   (BetaBoston)

I agree that .sucks is an extreme case with its own characteristics. But
it's still part of the larger problem of a rent-seeking organization that
prevent us from having stable relationships between end points. Both in
leasing names and leasing addresses.

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.82
************************
Previous By Date Next
Previous By Thread Next

Current thread: