RISKS Forum mailing list archives
Risks Digest 29.48
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 25 Apr 2016 12:57:35 PDT
RISKS-LIST: Risks-Forum Digest Monday 25 April 2016 Volume 29 : Issue 48 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/29.48.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Newcastle servers downed by water-main flood early last week (Lindsay Marshall) 55-million Philippine voters' personal information exposed (PGN) Personal info of 93.4-million Mexicans exposed on Amazon ( Marc Rotenberg) Bucking the Trend on Voting Rights (NYTimes editorial) The E.U.'s Dangerous Data Rules (Daphne Keller and Bruce D. Brown) Night-vision goggles case cause plane crash (WashPost) U.S. carriers mum on 60 Minutes report on vulnerability in SS7 (FierceWireless via Geoff Goodfellow) U.S. Cyberwar aims to cripple ISIS operations (David Sanger) FBI admits it paid $1.3m to hack into that iPhone (*The Guardian* via danny burstein) Facebook bug bounty hunter find bug -- and exploit in progress (Peter Houppermans) Kindle Unlimited Scam (Ann Christy via Charles B. Weinstock) If Emoji Are the Future of Communication Then We're Screwed (NYMag) Hacker: This is how I broke into Hacking Team (CSOonline via Monty Solomon) The big picture on software backdoors (Mark Thorson) Air Force blames deadly crash on goggles case (CNN via Monty Solomon) The Burr-Feinstein Proposal Is Simply Anti-Security (Electronic Frontier Foundation via David Farber) No Phones for You! Chic Businesses Are Abandoning Landlines (NYT) Windows Users - Apple and Govt say to remove Quicktime from your PC (Chris J Brady) Re: BMW's car-sharing service launches--and almost lands Ars a ticket (Richard Bos) Re: Bank Back Stabbing (Alister Wm Macintyre) Re: Man accidentally deletes his entire company with one line of bad code: *NOT TRUE* (Martin Ward, John Levine, Rick Steeves, Matt Bishop) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 19 Apr 2016 19:31:28 +0000 From: Lindsay Marshall <Lindsay.Marshall () newcastle ac uk> Subject: Newcastle servers downed by water-main flood early last week [Please pass the word on to any of your friends and colleagues who would normally be reading RISKS via the UK redistribution on catless.ncl.ac.uk, courtesy of Lindsay Marshall. Lindsay noted to me that catless was on a very old Newcastle server, and presumably will be rebooted -- eventually. Lindsay has been our heroic maintainer of the risks.org RISKS repository and its redistribution of RISKS issues to the UK for years and years. However, this outage is way beyond his responsibility, and is agonizing. Meanwhile, you can read RISKS as comp.risks or at risks () ftp sri com. PGN] [Lindsay responded to my query: "It was a water main. But our big machine room has always been deep underground."] ------------------------------ Date: Fri, 22 Apr 2016 14:41:54 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: 55-million Philippine voters' personal information exposed The Philippines' Commission on Elections' entire database of of 55-million Philippine voters was breached, initially on 27 Mar 2016. Trend Micro reported it on 6 Apr, with subsequent items in *The Register* and *The Guardian*. *The New York Times* reported it on 22 Apr. http://www.nytimes.com/aponline/2016/04/22/world/asia/ap-as-philippines-election-hacking-.html?emc=eta1 ------------------------------ Date: Fri, 22 Apr 2016 15:06:05 -0400 From: Marc Rotenberg <rotenberg () epic org> Subject: Personal info of 93.4-million Mexicans exposed on Amazon "This incident clearly erodes the confidence of citizens in a of government bodies. Some citizens might decide to never provide data again to the Instituto Nacional Electoral, the next time their ID expires," Guzman adds, noting that although it's a relief that financial and bank information were not leaked, "the information could still be used for criminal purposes, since the location[s] of citizens are available." * * * With this leak, Mexico now joins a list of countries where almost the entire population has had their personal information leaked or breached, as 93.4 million represents over 72% of Mexico's estimated population. Belize, Greece, Israel, Philippines, and Turkey have also experienced leaks of the majority of their population's personal information. And of course, let's not forget that Chris Vickery had also discovered 191 million U.S. voters -- data leaking due to a similarly misconfigured database. http://www.databreaches.net/personal-info-of-93-4-million-mexicans-exposed-on-amazon/ ------------------------------ Date: Mon, 25 Apr 2016 12:01:00 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: Bucking the Trend on Voting Rights (*The New York Times*) Lead editorial, *The New York Times*, 25 Apr 2016, relating to Virginia Governor Terry McAuliffe restoring voting rights to more than 200,000 people who have completed their sentences for felony convictions. This reverses Virginia's previous lifetime ban on voting. [PGN-ed] Final paragraph: Congress should amend the Voting Rights Act to restore preclearance and apply it to all jurisdictions with a recent history of discriminatory voting practices. And state officials who are not busy trying to disenfranchise people should be following Mr McAuliffe's example, and working to make it easier for people to vote. ------------------------------ Date: Mon, 25 Apr 2016 12:01:00 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: The E.U.'s Dangerous Data Rules (Keller/Brown) Daphne Keller and Bruce D. Brown The E.U.'s Dangerous Data Rules Op-Ed, *The New York Times*, 25 Apr 2016 Can Europe protect privacy without creating *splinternets*? Important op-ed. Here's the final paragraph: Privacy is a real issue, and shouldn't be ignored in the Internet age. But applying those national laws to the Internet needs to be handled with more nuance and concern. These developments should not be driven only by privacy regulators. State departments, trade and justice ministries and telecom regulators in France and other European countries should be demanding a place at the table. So should free-expression advocates. One day, international agreements may sort this all out. But we shouldn't Balkanize the Internet in the meantime. Once we've erected barriers online, we might not be able to tear them down. ------------------------------ Date: Tue, 19 Apr 2016 09:44:39 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Night-vision goggles case cause plane crash (WashPost) https://www.washingtonpost.com/news/checkpoint/wp/2016/04/19/night-vision-goggle-case-cause-of-plane-crash-that-killed-14-air-force-says/ ------------------------------ Date: Tue, 19 Apr 2016 09:12:53 -1000 From: the keyboard of geoff goodfellow <geoff () iconia com> Subject: U.S. carriers mum on 60 Minutes report on vulnerability in SS7 A follow-up article on yesterday's article: http://www.fiercewireless.com/story/us-carriers-mum-60-minutes-report-vulnerability-ss7/2016-04-19 ------------------------------ Date: Mon, 25 Apr 2016 12:01:00 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: U.S. Cyberwar aims to cripple ISIS operations (David Sanger) David Sanger, *The New York Times* front page, 25 Apr 2016 A New Line of Attack: Using Secret Weapons to Infiltrate Computer Networks ------------------------------ Date: Thu, 21 Apr 2016 17:55:01 -0400 (EDT) From: danny burstein <dannyb () panix com> Subject: FBI admits it paid $1.3m to hack into that iPhone (*The Guardian*) *The Guardian* FBI admits it paid $1.3m to hack into San Bernardino shooter's iPhone The FBI paid about $1.3m for software to hack into the iPhone of San Bernardino gunman Syed Farook, director James Comey told a London audience on Thursday. The staggering price illustrates the growth of the so-called "exploit market" for digital spy tools and cyber weapons as governments increasingly use hacker tricks for law enforcement and war. Prices for such software are rarely disclosed, although anything in the seven-figure range is extremely expensive. https://www.theguardian.com/technology/2016/apr/21/fbi-apple-iphone-hack-san-bernardino-price-paid [Yes, the alleged cost is staggering, However, perhaps the FBI is including all sorts of secondary costs, or having paid multiple sources for multiple exploits, or simply not understanding that the vulnerability that they actually exploited was well known in various communities, and could have have been acquired for free from certain sources! PGN] ------------------------------ Date: Fri, 22 Apr 2016 12:53:25 +0200 From: Peter Houppermans <peter () houppermans net> Subject: Facebook bug bounty hunter find bug -- and exploit in progress In short, a bug bounty hunter (someone looking to find bugs to take advantage of a reward program) was examining Facebook and eventually found a way in, only to discover that someone was already in the specific system. Facebook proclaimed this to be residue left by another bounty hunter (making the later one a hunter-gatherer?), a statement I have some problems with as I personally would clear out malware as fast I'd discover it. The story is summarised here, including a link to the rather interesting writeup of the technical details: http://www.theregister.co.uk/2016/04/22/i_hacked_facebook_and_found_someone_had_beaten_me_to_it/ ------------------------------ Date: Tue, 19 Apr 2016 11:34:26 -0400 From: "Charles B. Weinstock" <weinstock () conjelco com> Subject: Kindle Unlimited Scam According to Ann Christy, scammers are gaming the Amazon Kindle Unlimited system by publishing fake books with many pages, and tricking people into downloading them because: 1. They are free to download during the first five days of publication, and 2. They use click farms to force the books to the top of the Kindle Unlimited bestseller list. http://www.annchristy.com/ku-scammers-on-amazon-what-you-need-to-know/ The books themselves encourage the reader to go to the last page of the book to be entered into a contest or some such. This causes Amazon to believe that the entire book was read and results in a maximum payout to the scammer. (Authors earn royalties on Kindle Unlimited books based on the number of pages read -- apparently as measured by the last page read.) Since the Kindle Unlimited royalty pool is fixed across all books this means that authors of legitimate books are getting less than they should because the scammers are taking thousands of dollars out of the pool. ------------------------------ Date: Mon, 18 Apr 2016 22:13:46 -0400 From: Monty Solomon <monty () roscom com> Subject: If Emoji Are the Future of Communication Then We're Screwed http://nymag.com/following/2016/04/people-often-disagree-about-what-emoji-mean.html Investigating the Potential for Miscommunication Using Emoji http://grouplens.org/blog/investigating-the-potential-for-miscommunication-using-emoji/ *Blissfully happy* or *ready to fight*: Varying Interpretations of Emoji http://grouplens.org/site-content/uploads/Emoji_Interpretation.pdf ------------------------------ Date: Mon, 18 Apr 2016 21:40:59 -0400 From: Monty Solomon <monty () roscom com> Subject: Hacker: This is how I broke into Hacking Team http://www.csoonline.com/article/3057980/security/hacker-this-is-how-i-broke-into-hacking-team.html http://pastebin.com/raw/0SNSvyjJ ------------------------------ Date: Mon, 18 Apr 2016 22:48:09 -0700 From: Mark Thorson <eee () sonic net> Subject: The big picture on software backdoors Consider this. http://smbc-comics.com/comics/1460904126-20160417.png ------------------------------ Date: Wed, 20 Apr 2016 01:00:31 -0400 From: Monty Solomon <monty () roscom com> Subject: Air Force blames deadly crash on goggles case http://www.cnn.com/2016/04/19/politics/us-air-force-plane-crash-afghanistan/index.html ------------------------------ Date: Thu, 21 Apr 2016 15:10:34 -0400 From: "David Farber" <dfarber () me com> Subject: [IP] The Burr-Feinstein Proposal Is Simply Anti-Security | Electronic Frontier Foundation https://www.eff.org/deeplinks/2016/04/burr-feinstein-proposal-simply-anti-security ------------------------------ Date: Wed, 20 Apr 2016 22:05:20 -0400 From: Monty Solomon <monty () roscom com> Subject: No Phones for You! Chic Businesses Are Abandoning Landlines (NYT) Many phone numbers these days merely lead to automated voice mail with directions to a website. And some businesses have abandoned phones altogether. http://www.nytimes.com/2016/04/21/fashion/phones-businesses-landline.html ------------------------------ Date: Thu, 21 Apr 2016 00:25:25 +0000 (UTC) From: Chris J Brady <chrisjbrady () yahoo com> Subject: Windows Users - Apple and Govt say to remove Quicktime from your PC The company releasing the info is Trend Micro/DV Labs as part of their "Zero Day Initiative". http://blog.trendmicro.com/urgent-call-action-uninstall-quicktime-windows-today/http://zerodayinitiative.com/about/ but the actual flaw was discovered by Steven Seeley of Source Incite -- according to the credit line in the reports: http://zerodayinitiative.com/advisories/ZDI-16-241/ http://zerodayinitiative.com/advisories/ZDI-16-242/ The Department of Homeland Securityâs U.S. Computer Emergency Readiness Team (US-CERT) is a clearing house for computer security information, and is simply passing along the information from the Zero Day Initiative advisories https://www.us-cert.gov/ncas/alerts/TA16-105A And for completeness, here is the link to the Wall Street Journal article: http://www.wsj.com/articles/windows-users-its-time-to-dump-apples-quicktime-1461007437 ------------------------------ Date: Tue, 19 Apr 2016 16:47:33 GMT From: raltbos () xs4all nl (Richard Bos) Subject: Re: BMW's car-sharing service launches--and almost lands Ars a ticket (Ars, RISKS-29.47) Erm... no. Reading the article, it's clear that it wasn't the service that led to the traffic violation, it was *the journalist blindly following the satnav* that did it. It would've resulted in a (almost) ticket, regardless of whether this happened in a shared Beamer or the author's private Ford. There is a RISKS lesson here, certainly, but it's an old one and it has nothing to do with ReachNow specifically: when you turn on your satnav, do not turn off your brain. ------------------------------ Date: Mon, 25 Apr 2016 14:43:10 -0500 From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com> Subject: Re: Bank Back Stabbing (RISKS-29.47) [Fin: Uh...and just whose rating would that be? I can hand out stars, too, and will be more than happy to if you send me the names of the institutions. - Fin] fin () nym hush com asked a question about what rating system I was using for the due diligence, in my "Bank Back stabbing" post, for which I plan additional future installments, after I have cooled down enough from my anger with recent incidents, to describe with clarity and conciseness, to best of my ability. In the USA, banks are regulated by the FDIC government organization, which awards stars for a variety of adherence to best practices and level of risk of default, such as having enough money to sustain obligations, diversity of investments across different industry sectors . what we laymen call SAFE and SECURE, from both a financial perspective and a cyber perspective. One star means it has one foot in the grave. Five stars is the best. Via Internet search, we can find sites which list banks in our area, and what their FDIC ratings are, and other info. It is not as well organized for other kinds of financial institutions, some of which have better insurance funds than the FDIC. There are also both government, and better-business-bureau type resources which tell us what kinds of complaints other consumers have had against institutions, and how they were resolved. I don't care if there are a lot of complaints. I care that they are resolved swiftly, politely, and with justice. Then after finding high star, or equivalent, institutions, which apparently behave in a civilized way, my next due diligence interests include rate competitiveness, and ease of access to their services. Alister Wm Macintyre (Al Mac) https://www.linkedin.com/in/almacintyre Panama Papers group: https://www.linkedin.com/groups/8508998 ------------------------------ Date: Tue, 19 Apr 2016 08:56:12 +0100 From: Martin Ward <martin () gkc org uk> Subject: Re: Man accidentally deletes his entire company with one line of bad code: *NOT TRUE* (RISKS-29.47) As you probably know by now, this story is now claimed to be a hoax by the original forum poster. The Independent has this update: "Since this story was posted, Mr Marsala has claimed that his original post was a hoax and written as a marketing stunt, but that it had happened to a client of his in 2006. Contacted by The Independent, Mr Marsala said that the post was guerilla [*] marketing for another, unnamed, company." ServerFault has deleted the original question. The real RISK is that these days, anyone can post anything to just about any popular forum and have it taken up and printed by the major news networks without any checking or verification. As if to illustrate this point, one of the sidebars to this story is a link to the story "Women considered to write better code than men as long as they don't reveal their gender, study suggests" http://www.independent.co.uk/life-style/gadgets-and-tech/news/women-better-code-men-github-study-a6870836.html This story reports on a paper "authored by a group of six students from California Polytechnic State University and North Carolina State University, [which] has been published online, *but is not yet peer-reviewed.*" (my emphasis). So: some students wrote a paper, put it on a web site, and it gets picked up by major news networks: before it has even been peer-reviewed. "A lie can travel halfway around the world before the truth can get its boots on" (Incorrectly attributed to Mark Twain: but the truth is still trying to catch up with the incorrect attribution!) Dr Martin Ward STRL Principal Lecturer & Reader in Software Engineering martin () gkc org uk http://www.cse.dmu.ac.uk/~mward/ [* "300-pound guerilla my dreams?" (in British currency) PGN] ------------------------------ Date: 18 Apr 2016 23:56:08 -0000 From: "John Levine" <johnl () iecc com> Subject: Re: Man accidentally deletes his entire company with one line of bad code: *NOT TRUE* (RISKS-29.47) The reason it sounded too good to be true is that it was. It's a hoax. http://www.repubblica.it/tecnologia/2016/04/15/news/cancella_l_azienda_per_sbaglio_la_disavventura_tecnologica_di_marco_marsala-137693154/ http://www.nydailynews.com/news/national/man-deleted-entire-company-hoax-article-1.2604511 ------------------------------ Date: Mon, 18 Apr 2016 20:13:53 -0400 From: Rick Steeves <risks () corwyn net> Subject: Re: Man accidentally deletes his entire company with one line of bad code: *NOT TRUE* (RISKS-29.47) And news that even RISKS users can fall for a hoax: http://www.pcworld.com/article/3057235/data-center-cloud/that-man-who-deleted-his-entire-company-with-a-line-of-code-it-was-a-hoax.html (really, someone who claims the original error, and then follows it up with then claiming that he got the if / of command reversed when attempting a recovery was a good clue). ------------------------------ Date: Tue, 19 Apr 2016 21:01:08 -0700 From: Matt Bishop <mabishop () ucdavis edu> Subject: Re: Man accidentally deletes his entire company with one line of bad code: *NOT TRUE* (RISKS-29.47) According to Snopes, this is a hoax: see http://www.snopes.com/man-deletes-company-code/ ... From that: "Marsala admitted to making up the scenario in order to promote his small company, which (naturally) provides outsourced server management services." Not sure that's how I'd go about promoting a server management company ... ------------------------------ Date: Mon, 17 Nov 2014 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall () newcastle ac uk>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line. *** NOTE: Including the string `notsp' at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 29.48 ************************
Current thread:
- Risks Digest 29.48 RISKS List Owner (Apr 25)