RISKS Forum mailing list archives
Risks Digest 30.22
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 3 Apr 2017 11:21:03 PDT
RISKS-LIST: Risks-Forum Digest  Monday 3 April 2017  Volume 30 : Issue 22

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/30.22>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Automated Weather Observation failure closes airport (Clay Jackson)
Galaxy S8 face recognition already defeated with a simple picture
  (Monty Solomon)
FAKE NEWS!! The best and worst April Fools' Day stories (Monty Solomon)
April Fools' Day pranks 2017 -- a complete list of all of the day's Internet
  hoaxes (Monty Solomon)
Lawmakers confuse 'oversight' and 'overlook' (EFF's EFFector)
The Future of Free Speech, Trolls, Anonymity and Fake News Online (PGN)
Why Tug on ATMs (Krebs via Alister Wm Macintyre)
Re: Risks from falsified Data (A Michael W Bacon, David Alexander)
Re: Fake Sleuths: Web Gets It Wrong (Kelly Bert Manning)
Re: NASA Fireworks (Wols Lists, Bruce Hunter)
Re: Self-checkout at grocery stores and elsewhere (Kelly Bert Manning)
Re: US Congress rapes privacy, they are next (Joseph Brennan)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 1 Apr 2017 15:07:37 -0700
From: Clay Jackson <clayj () nwlink com>
Subject: Automated Weather Observation failure closes airport

http://www.tri-cityherald.com/latest-news/article141439099.html

What happens when there are no human controllers available?

------------------------------

Date: Sat, 1 Apr 2017 21:52:36 -0400
From: Monty Solomon <monty () roscom com>
Subject: Galaxy S8 face recognition already defeated with a simple picture

https://arstechnica.com/gadgets/2017/03/video-shows-galaxy-s8-face-recognition-can-be-defeated-with-a-picture/

------------------------------

Date: Sat, 1 Apr 2017 14:00:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: FAKE NEWS!! The best and worst April Fools' Day stories

https://www.theguardian.com/theguardian/2017/apr/01/fake-news-the-best-and-worst-april-fools-day-stories

------------------------------

Date: Sat, 1 Apr 2017 21:14:01 -0400
From: Monty Solomon <monty () roscom com>
Subject: April Fools' Day pranks 2017 -- a complete list of all of the day's
  Internet hoaxes (The Washington Post)

April Fools' Day pranks 2017 -- a complete list of all of the day's Internet
hoaxes

https://www.washingtonpost.com/news/the-intersect/wp/2017/03/31/an-updated-and-depressing-list-of-all-the-april-fools-pranks-on-the-internet/

------------------------------

Date: Sat, 01 Apr 2017 09:14:28 -0700
From: "EFFector List" <editor () eff org>
Subject: Lawmakers confuse 'oversight' and 'overlook' (EFF's EFFector)

EFFector Vol. 30, No. 7  April 1, 2017  editor () eff org
A Publication of the Electronic Frontier Foundation  ISSN 1062-9424

effector: n, Computer Sci. A device for producing a desired change.

EFF Updates

* Surveillance Oversight Committees Confused `Oversight' and `Overlook'

The bipartisan leaders of the House and Senate Intelligence Committees
apologized during a press conference this morning for failing to provide
rigorous supervision of the intelligence community, blaming past years'
inaction on a fundamental misunderstanding of the word *oversight*.

House Intelligence Chairman Devin Nunes: ``It was merely a miscommunication.
We had mixed up the word *oversee* and the word *overlook*. We thought we
were supposed to overlook the mistakes of the intelligence community, not
provide oversight.''

Senate Intelligence Committee Richard Burr said, ``We unequivocally condone
the privacy invasions committed by U.S. intelligence agencies. Oh shoot, I
mean condemn.''

https://www.eff.org/pages/04/01

* European Union Announces Plan for Privacy Wall Around U.S.

European Union Commissioner for Justice Vera Jourova announced plans today to
permanently protect Europeans' data from U.S. government spying with the
newest transnational data agreement: Privacy Wall. Once approved by the
European Commission, the EU will begin constructing a thirty-foot wall around
the United States. Only U.S. tech companies that comply with EU privacy
restrictions and prohibit U.S. government access to their data will be given
fiber optic grappling hooks to transport Europeans' data across the Atlantic,
over the wall, and back to their U.S.-based servers.

U.S. lawmakers appeared unfazed by U.S. companies' complaints that Privacy
Wall will effectively kill their business abroad, but they responded to alarm
bells raised by officials in the intelligence community who are concerned
about losing generalized access to Europeans' data.

https://www.eff.org/pages/04/01

* In Major Mix-Up, Oscars for Best Film Goes to Most Torrent-ed Movie

The Academy Awards suffered an astounding embarrassment this week when
presenters Alfonso Ribeiro and Mayim Bialik incorrectly handed out the Oscar
for Best Film to the most-frequently torrent-ed movie of 2016, Deadpool,
instead of the actual winner, Moonlight. Hollywood is blaming the mistake on
accounting firm PricewaterhouseCoopers, which is responsible for guarding the
envelopes containing names of both Oscars winners and TorrentFreak's list of
most frequently torrent-ed films.

Having been left off the list of Best Film nominees altogether, Deadpool
director Tim Miller and lead actor Ryan Reynolds were not in attendance at
Sunday night's Oscars, giving Kanye West time to take the stage and correct
the mistake.

https://www.eff.org/pages/04/01

* FBI Seeks Technical Backdoor to Un-Mute iPhones

Frustrated by silence on conference calls, the FBI is asking Apple to provide
a backdoor so that the agency can un-mute iPhones across the world without
the iPhone users' consent.

``It's incredibly frustrating when you're waiting for someone to chime in on
a conference call, and they're still on mute,'' FBI Director Jim Comey said
at a press conference today.

Comey appeared unmoved by arguments from technology and civil liberties
advocates that creating a backdoor into all iPhones would undermine the
privacy and security of tens of millions of technology users around the
world. ``Our work to protect this country's national security is too
important to wait the seconds it takes for our analysts to unlock and un-mute
their phones,'' Comey said.

When asked if the FBI was seeking a similar accommodation from
Android-developer Google, Comey at first laughed, but quickly sobered and
asked ``wait, people still use Android?''

https://www.eff.org/pages/04/01

* EFF Releases Surveillance Self Defense for In-Person Meetings

EFF is out with an updated Surveillance Self Defense guide today that
includes, for the first time, security tips for in-person meetings.
Highlights include recommendations for verifying a person's identity,
evading facial recognition systems, and circumventing censorship.

For instance, you should have anyone you meet print off their public PGP key
on red paper, fold that paper into the shape of a flower, and pin that paper
flower to their lapel. Additionally, the guide recommends drawing Kiss-style
shapes on your face with eyeliner to protect yourself from facial recognition
technology and constantly carrying around a bullhorn so you can shout louder
than anyone trying to limit your free speech.

https://www.eff.org/pages/04/01

* EFF Gives Posthumous Lifetime Achievement Pioneer Award to Perfect 10

EFF is awarding a 2017 Pioneer Award to recently-defunct men's magazine and
prodigious copyright-litigation-loser, Perfect 10.

EFF established the Pioneer Awards in 1992 to recognize leaders on the
electronic frontier who are extending freedom and innovation in the realm of
information technology. The awards celebrate those who have contributed
substantially to the health, growth, accessibility, or freedom of
computer-based communications.

Perfect 10 is receiving a posthumous lifetime achievement Pioneer Award this
year for its cutting-edge strategy of losing copyright lawsuits in order to
advance the doctrine of fair use. After losing cases against Amazon, Google,
CCBill, and Megaupload, Perfect 10 was finally liquidated in March of this
year to satisfy a litigation debt to yet another victorious defendant,
Giganews. We salute Perfect 10's dozen-year campaign to help make the
Internet more free by consistently losing in court. Bravo!

https://www.eff.org/pages/04/01

* Intelligence Community Unveils Emotional Vulnerabilities Program

Director of National Intelligence Dan Coats today revealed a new program by
which the U.S. Intelligence Community will, when appropriate, disclose
information about emotional vulnerabilities it discovers in the course of its
national security work. Building off of the widely celebrated success of the
vulnerabilities equities process (which still exists, we think?), U.S.
intelligence agencies will begin sharing and sometimes publishing information
about the personality quirks it discovers as it conducts surveillance of
law-abiding Americans.

"We hope to make the country more secure by letting people know that their
roommate has arachnophobia, their brother is addicted to tanning beds, and
their mother has a fear of being abandoned by her children," said Coats after
flinching away from a pigeon that wasn't even flying toward the DNI.

https://www.eff.org/pages/04/01

miniLinks

White House Supports Day without a (Internet) Troll

Following the success of the Day Without a Woman general strike in March, the
White House has thrown its support behind today's Day without a Troll Strike,
during which all Internet trolls will disappear from comment sections and
forums online.

https://www.eff.org/pages/04/01

Comcast to Assimilate with the Borg

Looking to increase its market share, nationwide reach, and overall
reputation for evil, the Borg has announced that it is assimilating broadband
giant Comcast. "This merger will benefit consumers and boost broadband
competition, and the federal government should quickly approve it," Comcast's
David Cohen said in a statement. "Plus, resistance is futile."

https://www.eff.org/pages/04/01

White House Releases Diceware Passphrase List

In an attempt to demonstrate President Donald Trump's tech savvy, the White
House has released a list of suggested words to use when attempting to create
a secure passphrase. "Our list has the best words," said White House Press
Secretary Sean Spicer. "Words like tremendous, disaster, MAGA, big-league,
low-energy, beautiful, and winning. Sad!"

https://www.eff.org/pages/04/01

~ FBI Director Acknowledges Secure Backdoors Are Impossible

FBI Director Jim Comey said today that his agency, agreeing with technical
experts, has officially concluded that it is impossible to create a backdoor
into encrypted technologies without undermining users' security.

Nope, even that's too ridiculous for an April Fool's newsletter.

https://www.eff.org/pages/04/01

815 Eddy Street, San Francisco, CA 94109-7701, United States

------------------------------

Date: Sun, 2 Apr 2017 18:52:13 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: The Future of Free Speech, Trolls, Anonymity and Fake News Online

http://www.pewinternet.org/2017/03/29/the-future-of-free-speech-trolls-anonymity-and-fake-news-online/

------------------------------

Date: Sun, 2 Apr 2017 11:39:30 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Why Tug on ATMs (Krebs)

https://krebsonsecurity.com/2017/03/why-i-always-tug-on-the-atm/

  [This item is a very nice warning about one of the clever ATM skimmer
  augmentations: real ATMs with a Fake Camera-based Appendage.
  PGN]

------------------------------

Date: Sat, 1 Apr 2017 19:16:30 +0100
From: A Michael W Bacon <amichaelwbacon () gmail com>
Subject: Re: Risks from falsified Data (RISKS-30.20,21)

There were reports that, at the start of the Falklands War, the French
government declined to disclose the codes that would cause Exocet missiles
(that they had sold to the Argentine airforce) to abort/self-destruct. After
HMS Sheffield was severely damaged (and scuttled as a war grave of 20 dead
sailors), they disclosed the codes. No warship was hit after then, only a
requisitioned civilian RoRo vessel that lacked the technology to communicate
with the in-bound missiles. SS Atlantic Conveyor was hit by two Exocets,
killing 12 crewmen and badly injuring many others in the ensuing fires.

Eight years later, there were reports that, in Operation Desert Storm ("Gulf
War I"), the Bloodhound ground-to-air missile system sold by Britain to the
Iraqis was mysteriously unable to hit Coalition aircraft transmitting a
particular IFF code. There were also reports of Bloodhound missiles,
launched against RAF aircraft, turning around after launch and hitting the
launchers instead. When I was "tidying up" in Kuwait after the war had
ended, I was informed (by a reliable source) that British crews at least had
been told they could ignore launch indications and were not to waste
missiles on the launchers. The missile system had been "chipped".

------------------------------

Date: Mon, 3 Apr 2017 15:10:44 +0000
From: David Alexander <David.Alexander () paconsulting com>
Subject: Re: Risks from falsified Data (BBC, RISKS-30.20)

With regard to the mention of the item on the BBC website that discusses an
alternative and much more subtle version of Malware making changes to data
which, while being too small to notice immediately, result in system
failure, I have a real-world example.

Many years ago I was asked to investigate why a relatively small financial
accounting system dealing with regular payments contained an increasing
number of discrepancies from the paper records. It turned out that the
organisation in question had hired a programmer with a habit of getting
themselves fired from jobs without checking any of their references first.
Sure enough, they managed to get fired from this job too.

Said programmer had written a cron job which was set to start a (fairly well
hidden) script if the programmer either had their user account deleted or
they didn't log in for 3 months. The program generated 4 random numbers: the
first of 3 digits, two single-digit numbers and the last of 2 digits, for
example 894, 6, 2 & 74. This would change every 894th instance of a 6 into a
2, then the job would sleep for 74 days and run itself again, generating 4
new random numbers. It kept no record of its actions.

This is insidious, as there is no traceability, other than who set it up and
when it first ran (based on the date that the programmer was fired). We had
no way of knowing for certain how many times it ran or what it changed. By
the time anyone realised that the variances were something more than
keyboard input errors it had been running long enough for the subtle but
incremental effects to be present in the Father and Son backup tapes. A copy
of the records had to be recovered from the Grandfather tape and a lot of
data had to be manually checked and re-entered from paper copies of the
records to bring it up to date.

To my knowledge this incident never went public, hence my reluctance to name
names or places, and it was at least 20 years ago (and before the Computer
Misuse Act came into effect) so I couldn't be 100% certain of the finer
points - I've slept since then.
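The investigation described above was hard precisely because the script kept no record of its actions and the altered digits had already propagated into the Father and Son tapes. The following Python is an added example, not code from the post or from the accounting system it describes; it shows the defender-side control that would have shortened that investigation: a keyed integrity tag (HMAC-SHA256) computed per record when the record is approved and stored away from the ledger host, so that a later audit can name exactly which records changed, flag the single-digit substitutions, and pick the newest backup generation that is still clean. The record ids, payee names, amounts, key and generation labels are all constructed sample data.

```python
# Added example (not from the RISKS post): approval-time integrity tags and a
# digit-level diff between backup generations, as a defence against silent,
# tiny edits to ledger data that leave no log of their own.
import hashlib
import hmac
import json

# Assumption: the key is held on the audit system, not on the ledger host, so a
# job running on the ledger host cannot re-tag the records it changes.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def tag_record(record_id, fields, key=INTEGRITY_KEY):
    """HMAC-SHA256 over a canonical (sorted-key) JSON encoding of one record."""
    msg = json.dumps({"id": record_id, "fields": fields}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_ledger(ledger, key=INTEGRITY_KEY):
    """Tag every record; done once at approval time, before any backup is taken."""
    return {rid: tag_record(rid, fields, key) for rid, fields in ledger.items()}


def verify_ledger(ledger, tags, key=INTEGRITY_KEY):
    """Return the sorted ids whose current content no longer matches its tag."""
    bad = []
    for rid, fields in ledger.items():
        expected = tags.get(rid)
        actual = tag_record(rid, fields, key)
        if expected is None or not hmac.compare_digest(expected, actual):
            bad.append(rid)
    return sorted(bad)


def digit_diffs(old, new):
    """Field-by-field comparison of two snapshots.

    Each entry is (record_id, field, old_value, new_value, single_char_change);
    the flag is True when exactly one character differs at the same position,
    which is what a 'turn this 6 into a 2' edit looks like."""
    diffs = []
    for rid in sorted(set(old) | set(new)):
        a, b = old.get(rid, {}), new.get(rid, {})
        for field in sorted(set(a) | set(b)):
            va, vb = str(a.get(field, "")), str(b.get(field, ""))
            if va != vb:
                single = len(va) == len(vb) and sum(x != y for x, y in zip(va, vb)) == 1
                diffs.append((rid, field, va, vb, single))
    return diffs


def newest_clean_generation(generations, tags, key=INTEGRITY_KEY):
    """generations is [(label, ledger), ...] newest first; return the label of
    the most recent backup whose every record still verifies, else None."""
    for label, ledger in generations:
        if not verify_ledger(ledger, tags, key):
            return label
    return None


# Constructed sample data: grandfather tape taken before the job first ran,
# father tape after one silent 6 -> 2 edit, son tape after a second one.
GRANDFATHER = {
    "P-0001": {"payee": "A. Smith", "amount": "1264.00"},
    "P-0002": {"payee": "B. Jones", "amount": "860.50"},
    "P-0003": {"payee": "C. Brown", "amount": "3316.75"},
}
FATHER = {
    "P-0001": {"payee": "A. Smith", "amount": "1224.00"},
    "P-0002": {"payee": "B. Jones", "amount": "860.50"},
    "P-0003": {"payee": "C. Brown", "amount": "3316.75"},
}
SON = {
    "P-0001": {"payee": "A. Smith", "amount": "1224.00"},
    "P-0002": {"payee": "B. Jones", "amount": "860.50"},
    "P-0003": {"payee": "C. Brown", "amount": "3312.75"},
}
# Tags computed at approval time, i.e. over the records as originally entered.
APPROVAL_TAGS = sign_ledger(GRANDFATHER)


def audit():
    """Run the checks an investigator would want and return the findings."""
    return {
        "tampered_live_records": verify_ledger(SON, APPROVAL_TAGS),
        "single_digit_edits": [d for d in digit_diffs(GRANDFATHER, SON) if d[4]],
        "restore_from": newest_clean_generation(
            [("son", SON), ("father", FATHER), ("grandfather", GRANDFATHER)],
            APPROVAL_TAGS,
        ),
    }


if __name__ == "__main__":
    for name, finding in audit().items():
        print(f"{name}: {finding}")
```

The point of tagging at approval time rather than at backup time is that a backup of already-altered data would simply carry the altered values forward, as the Father and Son tapes did in the account above; tags bound to the approved content let each generation be verified independently, and the digit-level diff turns "something is off" into a short list of records to re-check against the paper copies.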
------------------------------

Date: Sat, 1 Apr 2017 19:04:43 -0400 (EDT)
From: Kelly Bert Manning <Kelly.Manning () ncf ca>
Subject: Re: Fake Sleuths: Web Gets It Wrong

This also happened after the Boston Marathon bombing. Based on Brown Skin
and dark hair, Reddit users piled onto a witch hunt that misidentified
missing, already dead (4 weeks), Brown University student Sunil Tripathi as
one of the bombers.

http://www.cjr.org/analysis/sunil_tripathi_was_already_dead.php
"He was wrongly accused on Reddit, convicted on Twitter, and vilified on
Facebook"

Someone using a scanner to monitor Police Radio heard "Last name: Mulugeta,
M-U-L-U-G-E-T-A, M as in Mike, Mulugeta." in a context that had nothing to
do with the bombing and decided that "Mike Mulgeta" was one of the bombers.

https://www.theatlantic.com/technology/archive/2013/04/-bostonbombing-the-anatomy-of-a-misinformation-disaster/275155/
http://www.dailymail.co.uk/news/article-3035378/It-beast-Moderator-Reddit-s-Boston-Bombers-thread-tells-millions-users-descended-subreddit-days-attack-identified-wrong-suspect.html
https://en.wikipedia.org/wiki/Sunil_Tripathi

News media then piled on by the 100s, trying to contact Tripathi's family for
sound bites and surrounding his parent's home.

http://www.imdb.com/title/tt4087340/

So what triggers people to get it so wrong? Bruce Schneier talks of people
overestimating unfamiliar risks while underestimating familiar risks. Were
people trying to reduce their anxiety level by trying to convert a vague
nebulous risk to a (mis)identified risk? This gave them Tripathi and his
family as a target for their outrage. Did venting that outrage make them
feel better?

Some people crave attention. Coming up with a name in an incident such as
this gets them attention, but for all the wrong reasons.

------------------------------

Date: Sat, 1 Apr 2017 19:22:39 +0100
From: Wols Lists <antlists () youngman org uk>
Subject: Re: NASA Fireworks (Seifried, RISKS-30.21)

What on earth was NASA doing in possession of ITAR data? Unless, of course,
they needed permission to send arms into space?

------------------------------

Date: Sun, 2 Apr 2017 14:27:11 +1000
From: Bruce Hunter <brucer.hunter () gmail com>
Subject: Re: NASA fireworks - collateral damage?

The interesting aspect of this report is that it is an excellent example of
where security countermeasures (in this case patches) can conflict with
safety controls (in this case the fire alarm system).

Standards are starting to recognise, not only the importance of protecting
control systems and functional safety from cyber attack, but also managing
the risk of incompatibility between safety functions and cybersecurity
countermeasures. The evolving ISA/IEC 62443 series does give good guidance
that tries to address the gulf of understanding between the safety and
security domains.

Balancing diverse risks is becoming an interesting but challenging need for
safety-related systems.

------------------------------

Date: Sun, 2 Apr 2017 15:08:30 -0400 (EDT)
From: Kelly Bert Manning <Kelly.Manning () ncf ca>
Subject: Re: Self-checkout at grocery stores and elsewhere

Some people responded that they wanted store clerks to keep their jobs. That
is a valid personal action based on reasoning from personal ethical
principles. However, how many of us could afford to make as many phone calls
or send as much email or text if every connection still had to be manually
connected at the network switch centre and along the path?

Others commented that check out clerks are more efficient than most
individuals. Your checkout clerk may vary. Also, as usual, "it depends".

Most supermarkets have a multi-server multi-queue setup. Picking the wrong
queue is a prescription for time out of your life that you will never get
back, although some local supermarkets, Walmarts, Canada Tires and Home
Depots have a blend of both multi queue and single queue and attended or
self serve checkouts.

  (multiserver, single queue - Wendy's or most banks)
  (multi queue multi server - classic MacDonald's and most supermarkets and
  other stores)

I am immune compromised. Waiting until a self serve checkout is unused
avoids close association with people in line and with the clerk. Depending
on the time of day / week that can be zero queue time, while check outs with
attendants rarely have no queue. Stores close tills and redirect staff to
other work if queues stop forming.

At a local drug store recently I was subjected to a memorised pitch for one
of their loyalty points cards, despite saying repeatedly "no, not
interested, the answer was no" as the rote pitch went on and on. I then
pointed out that she was being disrespectful of my time and the time of the
people waiting in the queue. Afterward, I contacted the chain to complain,
pointing out that assuming that I didn't get the message the first 10 times
in recent years is hardly a compliment, that I didn't shop there often
enough to make it worth my time, and that this experience made me less
likely to shop there in the future. The clerks often repeat the pitch for
each customer, even when they have heard it already while waiting in the
queue.

Credit Bureaus such as Equifax point out that credit and discounts are often
a trade off of privacy versus cost and credit. Higher credit risk involves
higher prices, discount cards require you to pay with personal information,
in addition to cash.

My response to Equifax was that my wife and I make a point of not having
mortgage, auto loan, or other debt to preserve our privacy. Only people who
use credit should have their information profile collected or released by
Credit / Personal Information Reporting Bureaus.

Cash should be sufficient payment for goods and services. Customers should
not have to pay with personal information such as names, phone numbers and
personal purchase profiles, in addition to cash, unless there is a
Regulatory or Statutory Requirement to obtain the personal information.

I have Asperger's Syndrome. I find the tendency of clerks to engage in
banter annoying, confusing, and disrespectful of the time of the people
being served, and the customers waiting in line. It detracts from the
clerk's efficiency and interferes with their ability to make the correct
change.

Why do they often fail to enter the cash received correctly? Why can't they
just give you the change amount shown on the till and the receipt, rather
than trying to do arithmetic in their head because they don't realise that
the amount is displayed for them and that they are making a mistake by
trying to compute change amounts in their head?

One time I went to buy some juice when I had laryngitis. When I failed to
respond to "how are you" with the mandatory, non-optional, socially
conventional response of "fine thanks, how are you" the clerk stood there
doing nothing and staring at me, holding up me and the people in line behind
me. My laryngitis was quite evident when I responded that "I have laryngitis
and I think that it is unprofessional of you to insist on chatting when
people are waiting in line".

People on the Autism Spectrum often have to be told that the "how are you"
"fine thanks how about you" thing is a non optional, mandatory, social
convention, and that people will often get annoyed if you actually tell them
how you are.

------------------------------

Date: Mon, 3 Apr 2017 10:11:06 -0400
From: Joseph Brennan <brennan () columbia edu>
Subject: Re: US Congress rapes privacy, they are next

I doubt the ISPs will be dumb enough to sell the data. Google and Facebook
don't sell theirs. It's the crown jewels. If the ISPs follow that model they
will place ads on behalf of the advertisers, based on the data, which the
ISPs will keep to themselves.

But what liability is on the ISPs when this data is inevitably breached?
Nothing?

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.22
************************