Risks Digest 30.49
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 7 Nov 2017 14:35:53 PST
RISKS-LIST: Risks-Forum Digest Tuesday 7 November 2017 Volume 30 : Issue 49 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/30.49> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Airports Worldwide Are Hit by Delays After Software Outage (NYTimes) NYPD claims to have incompetent sysadmins (Ed Ravin) AirBnB monopolizing and forcing incorrect currency conversions (Toby Douglass) To Survive the Streets, Robocars Must Learn to Think Like Humans (WiReD) Palestinian Man Arrested After Facebook Auto-Translates 'Good Morning' as 'Attack Them' (Gizmodo) Fixing cities' data privacy potholes (Insights) Apple's Machine Learning Engine Could Surface Your iPhone's Secrets (WiReD) A Bug in a Popular Maritime Platform Left Ships Exposed (WiReD) Corrected monitor resolution, pinup model no longer slim (Dan Jacobson) Risks of being interrupted while using Siri to comment online (NYTimes via David Tarabar) Denver Art Museum warns donors, members, employees after sensitive data breach (John Wenzel) Even lower chances of winning the lottery (Jeremy Epstein) Researchers Devise 2FA System That Relies on Taking Photos of Ordinary Objects (Bleeping Computer) Technology seeks to preserve fading skill: Braille literacy (WashPo) Fundamental problems with the Infineon crypto library (Ars via PGN) Taser Company Ignored SEC Emails Because They Were In a Spam Folder (Bloomberg via Gabe Goldberg, Lauren Weinstein) USS John S McCain (Dick Mills) Stuxnet-style code signing is more widespread than anyone thought (Ars Technica) Medical device security (Mark Thorson) Inside story: How Russians hacked the Democrats emails (WashPo) Estonia freezes resident ID cards due to security flaw 
(Engadget) The 2020 census is in big trouble. Here's how we got here (ThinkProgress) Hackers prey on home buyers, with hundreds of millions of dollars at stake (WashPo) Re: North Korea hacking Sony (Michael Bacon) Re: Wikipedia deletions: make my day (Denis Bloodnok) Re: UK Banks, etc. to check account-holders' residence eligibility (Peter Houppermans, Tom Gardner) Google exec: Our society is in real jeopardy (Gerhard Eschelbeck) Susan Landau: Listening In: Cybersecurity in an Insecure Age (PGN) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 29 Sep 2017 04:35:39 -0400 From: Monty Solomon <monty () roscom com> Subject: Airports Worldwide Are Hit by Delays After Software Outage (NYTimes) https://www.nytimes.com/2017/09/28/business/airport-check-in-computer.html A ``network issue'' affected programs used by several major carriers, delaying flights and causing other problems for travelers. ------------------------------ Date: Fri, 20 Oct 2017 00:32:29 -0400 From: Ed Ravin <eravin () panix com> Subject: NYPD claims to have incompetent sysadmins The NYC Police Department has in the past gone to great lengths to avoid disclosing information to the public. Their latest defense seems to be that they don't know how to manage their systems or databases -- they told a judge that they "lack the technical capacity" to answer the public records request, and that they don't know how to make a backup copy of their data. The creation of this particular database system for civil asset forfeiture records reportedly cost the city $25.5 million back in 2009. 
https://www.courthousenews.com/no-forfeiture-database-backup-millions-line-nypd-admits/ ------------------------------ Date: Sun, 22 Oct 2017 01:51:23 +0100 From: Toby Douglass <toby_public () winterflaw net> Subject: AirBnB monopolizing and forcing incorrect currency conversions AirBnB detect the currency of payment cards and force charges to be in that currency; users are no longer permitted to chose between AirBnB with their conversion rate, and their bank, with its conversion rate. The detection mechanism is not perfect, and is incorrectly asserting Revolut (a FinTech) Mastercards, which are multi-currency, are denominated in GBP. (It's probably not unreasonable to suspect other multi-currency cards are incorrectly detected. Presumably there are also other causes of failure, which are wholly unknown to me.) This means that AirBnB are in the cases where currency detection goes wrong forcing an unnecessary currency conversion, which adds about 5% to the cost of a booking. For a booking of about 1000 euro this 5% is about a 50% addition to the service charge levied by AirBnB. It seems clear then why AirBnB have taken this step to remove from its users choice in this matter. The possibility of the computing risk in this case -- incorrect card currency detection -- must have been considered, and so the problem faced by a user in that situation was perceived and understood, but the cost of this risk to users (and so, indirectly, also to AirBnB) are obviously much less than the benefit to the AirBnB and so this risk has been accepted. ------------------------------ Date: Sat, 21 Oct 2017 23:41:31 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: To Survive the Streets, Robocars Must Learn to Think Like Humans (WiReD) ``We call it the freezing robot problem,'' says Anca Dragan, who studies autonomy in UC Berkeley's electric engineering and computer sciences department. 
``Anything the car could do is too risky, because there is some worst-case human action that would lead to a collision.'' Expect a thaw. Researchers like Dragan are tackling the challenges of interpreting --and predicting -- human behavior to make self-driving cars safer and more efficient, but also more assertive. After all, if every machine screeches to a stop for every unpredictable human, we'll have soon millions of terrified robots choking the streets. www.wired.com/story/self-driving-cars-freezing-robot-problem/ Humans ... think? Author must not have been on the road lately. ------------------------------ Date: Mon, 23 Oct 2017 15:40:57 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Palestinian Man Arrested After Facebook Auto-Translates 'Good Morning' as 'Attack Them' (Gizmodo) https://gizmodo.com/palestinian-man-arrested-after-facebook-auto-translates-1819782902 A Palestinian construction worker was arrested by Israeli police after Facebook incorrectly translated the text of one of his posts. Haaretz reports that the man uploaded a picture from his job at a construction site with the text "good morning" in Arabic. When officers used Facebook's automatic translation service to read the post, the text was mistranslated as "attack them" in Hebrew and "hurt them" in English. According to Haaretz, Arabic speakers said the "English transliteration used by Facebook is not an actual word in Arabic but could look like the verb 'to hurt' -- even though any Arabic speaker could clearly see the transliteration did not match the translation." No Arabic-speaking officers reportedly saw the post prior to the man's arrest. He was released after several hours of questioning. ------------------------------ Date: Thu, 26 Oct 2017 14:06:59 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Fixing cities' data privacy potholes (Insights) Fun with big data How in the world was it OK to just hand that over to anybody who asked for it, Matis wondered? 
"If anyone can get this information, thats getting into Big Brother," Matis mused. "If I was trying to look at what my spouse is doing, [I could]. To me, that is something that is kind of scary. Why do they allow people to release this without a law enforcement reason? Searching it or accessing the information should require a warrant." https://insights.hpe.com/articles/fixing-cities-data-privacy-potholes-1710.html ------------------------------ Date: Thu, 26 Oct 2017 20:50:41 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Apple's Machine Learning Engine Could Surface Your iPhone's Secrets Of the many new features in Apple's iOS 11 -- which hit your iPhone a few weeks ago -- a tool called Core ML stands out. It gives developers an easy way to implement pre-trained machine learning algorithms, so apps can instantly tailor their offerings to a specific person's preferences. With this advance comes a lot of personal data crunching, though, and some security researchers worry that Core ML could cough up more information than you might expect -- to apps that you'd rather not have it. Core ML boosts tasks like image and facial recognition, natural language processing, and object detection, and supports a lot of buzzy machine learning tools like neural networks and decision trees. And as with all iOS apps, those using Core ML ask user permission to access data streams like your microphone or calendar. But researchers note that Core ML could introduce some new edge cases, where an app that offers a legitimate service could also quietly use Core ML to draw conclusions about a user for ulterior purposes. https://www.wired.com/story/core-ml-privacy-machine-learning-ios/ ------------------------------ Date: Mon, 30 Oct 2017 00:33:07 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: A Bug in a Popular Maritime Platform Left Ships Exposed Ah, the high seas. Nothing around you but salt air, water for miles, and web connectivity from satellites. Peace and quiet. 
But researchers at the security consulting firm IOActive say that software bugs in the platforms ships use to access the Internet could expose data at sea. And these vulnerabilities hint at larger threats to international maritime infrastructure. A report published Thursday outlines two flaws in the AmosConnect 8 web platform, which ships use to monitor IT and navigation systems while also facilitating messaging, email, and web browsing for crewmembers. Compromising AmosConnect products, developed by the Inmarsat company Stratos Global, would expose extensive operational and personal data, and could even undermine other critical systems on a ship meant to be isolated. It's low-hanging fruit, says Mario Ballano, principal security consultant at IOActive who conducted the research. ``The software that they're using is often 10 to 15 years old, it was meant to be implemented in an isolated way. So other software in these environments probably suffer from similar vulnerabilities, because the maritime sector originally didn't have connection over the Internet. But now things are changing.'' https://www.wired.com/story/bug-in-popular-maritime-platform-isnt-getting-fixed/ ------------------------------ Date: Fri, 27 Oct 2017 22:13:12 +0800 From: Dan Jacobson <jidanni () jidanni org> Subject: Corrected monitor resolution, pinup model no longer slim Today I corrected the resolution on my down-the-hill neighbor's monitor to 1024x768. Finally, characters were no longer blurred and the browser was no longer hanging off the edge. However he now had to face the reality that the pinup model on his home screen that he stares at all day was very much no longer as slim as she formerly seemed. [That's the "Zaftig" Transformation. It can do wonders for skinny pinups. 
PGN] ------------------------------ Date: Sat, 28 Oct 2017 06:33:12 -0400 From: David Tarabar <dtarabar () acm org> Subject: Risks of being interrupted while using Siri to comment online Christine McMorrow was in the middle of using her iPhone's voice-to-text feature to comment on a *New York Times* story this week. As she paused from ranting on the newspaper's website to take the call on the house phone, little did she know that her iPhone never stopped recording her voice. The contents of her private conversation were accidentally transcribed directly into the story's comment box, and then inadvertently posted to the Times' website. <https://mobile.nytimes.com/2017/10/26/reader-center/nyt-comments-section.html> http://www.bostonglobe.com/metro/2017/10/27/mass-woman-comment-new-york-times-article-went-viral-here-story-behind/6NsrsKKl0jTk0Vfq7qypvN/story. ------------------------------ Date: Mon, 30 Oct 2017 17:15:34 -0600 From: Jim Reisert AD1C <jjreisert () alum mit edu> Subject: Denver Art Museum warns donors, members, employees after sensitive data breach (John Wenzel) John Wenzel, *The Denver Post*, 30 Oct 2017 A phishing scam in June led to the compromised email inboxes, officials said http://www.denverpost.com/2017/10/30/denver-art-museum-data-breach-800/ The Denver Art Museum warned 800 people this month of a data breach that included sensitive personal and financial information about its donors, customers, and current and former employees, according to a letter obtained by *The Denver Post*. The letter, dated 9 Oct, informed recipients of the "data security incident" over the summer, as well as the museum's discovery of the breach on 13 Sep, which triggered a forensic investigation by an unnamed third-party firm. The unauthorized access began on or about 5 Jun, and ended on or about 27 Jun, the letter said. 
The breach occurred through an email phishing scam and affected two of the museum's email inboxes, said Andrea Fulton, chief marketing officer for the Denver Art Museum. "We have no evidence that anybody's data has been compromised," Fulton said. "None of our big databases were impacted. It's simply content that was in a couple of email inboxes." ------------------------------ Date: Tue, 31 Oct 2017 12:21:30 -0400 From: Jeremy Epstein <jeremy.j.epstein () gmail com> Subject: Even lower chances of winning the lottery An upgrade to software used to run the Virginia lottery meant that a few hundred tickets were sold that could not win the main jackpot. The selection criteria changed during the upgrade (and the price per ticket went from $1 to $2), and for a short period of time tickets were sold that met the old rules but not the new ones, and hence could not win. They could still win the other prizes, just not the jackpot. Although the normal odds of winning the lottery are near-zero, reducing them to actual zero is a (microscopically small) RISK. https://www.washingtonpost.com/local/no-chance-of-winning-big-jackpot-in-virginia-mega-millions-for-some-players/2017/10/31/1d6914b0-be2b-11e7-8444-a0d4f04b89eb_story.html [microscopic? Not if anyone who actually had the winning combination tried to sue the state -- and won!] ------------------------------ Date: Tue, 31 Oct 2017 16:48:46 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Researchers Devise 2FA System That Relies on Taking Photos of Ordinary Objects (Bleeping Computer) Scientists from Florida International University and Bloomberg have created a custom two-factor authentication (2FA) system that relies on users taking a photo of a personal object. The act of taking the photo comes to replace the cumbersome process of using crypto-based hardware security keys (e.g., YubiKey devices) or entering verification codes received via SMS or voice call. 
The new system is named Pixie, and researchers argue it is more secure than the aforementioned solutions. https://www.bleepingcomputer.com/news/security/researchers-devise-2fa-system-that-relies-on-taking-photos-of-ordinary-objects/ What could go wrong? "What do you mean you threw away that crumpled beer can? IT WAS MY PASSWORD". Then there's this: This is because the system doesn't restrict users and they can choose anything they want as their login trinket, from their watch to parts of their body, and from clothing objects to furniture. Users should be careful not to choose perishable objects like food, because once it's gone, users will most likely get locked out of their account. Too bad Anthony Weiner's in jail, he could test it. ------------------------------ Date: Tue, 31 Oct 2017 22:38:36 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Technology seeks to preserve fading skill: Braille literacy via NNSquad https://www.washingtonpost.com/national/technology-seeks-to-preserve-fading-skill-braille-literacy/2017/11/01/f4d1a072-bec4-11e7-9294-705f80164f6e_story.html For nearly a century, the National Braille Press has churned out millions of pages of Braille books and magazines a year, providing a window on the world for generations of blind people. But as it turns 90 this year, the Boston-based printing press and other advocates of the tactile writing system are wrestling with how to address record low Braille literacy. Roughly 13 percent of U.S. blind students were considered Braille readers in a 2016 survey by the American Printing House for the Blind, another major Braille publisher, located in Louisville, Kentucky. That number has steadily dropped from around 30 percent in 1974, the first year the organization started asking the question. ------------------------------ Date: Wed, 1 Nov 2017 11:48:37 PDT From: "Peter G. 
Neumann" <neumann () csl sri com> Subject: Fundamental problems with the Infineon crypto library Attacks on RSA keys generated by the Infineon crypto library. https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/ https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf ------------------------------ Date: Sat, 21 Oct 2017 23:50:40 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Taser Company Ignored SEC Emails Because They Were In a Spam Folder Check your spam box. It could be the SEC. That's the lesson learned this week by Axon Enterprise Inc., the company best known for its Taser stun guns. Late Thursday, Axon announced that ``due to miscommunication issues,'' the company has just become aware of SEC requests regarding its previous financial reports and is now scrambling to respond. The stock fell as much as 7 percent, its biggest drop in more than two months. What happened? Axon's internal email filters are to blame. The SEC sent its initial comment on Aug. 10 and follow-up requests only to Axon's new CFO Jawad Ahsan, and they were quarantined in a spam filter. Dougherty & Co. analyst Jeremy Hamblin in a note to clients, called the incident "embarrassing, but nothing to be concerned about.'' https://www.bloomberg.com/news/articles/2017-10-20/pesky-spam-filter-is-behind-taser-maker-ghosting-the-sec That's not the lesson, it's the symptom. ------------------------------ Date: Sat, 21 Oct 2017 07:28:19 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Taser Company Ignored SEC Emails Because They Were In a Spam Folder The fundamental problem with spam folders, of course, is that they tend to be ignored by recipients, or only haphazardly inspected -- sometimes at very long intervals. False positive emails end up in spam unread, with no indication to the sender that they likely were not seen -- and may never be seen. 
My policy on my servers has long been to do a hard reject on suspected spam, that should result in an immediate error returned to the sender. That error points at a URL that explains my policy, and provides another URL that can be used to push a brief "hey, you're blocking me and I'm not spam!" message through to me in those rare instances to request unblocking/whitelisting. Some sites that do this sort of real time response don't offer any way to communicate when there's a false positive -- they just say stuff like "spam, go away!" That's hopelessly ignorant and antisocial since false positives DO happen. One oddity is that sometimes a false positive person will send me their note and say something like "how dare you accuse me of suspected spam" (that's what my error messages says, "suspected" spam). I always reply asking if they would have preferred their email disappear into a black hole spam folder without their ever knowing it hadn't been seen? That always ends the argument. Re: https://www.bloomberg.com/news/articles/2017-10-20/pesky-spam-filter-is-behind-taser-maker-ghosting-the-sec ------------------------------ Date: Thu, 2 Nov 2017 14:15:50 -0400 From: Dick Mills <dickandlibbymills () gmail com> Subject: USS John S McCain http://s3.amazonaws.com/CHINFO/USS+Fitzgerald+and+USS+John+S+McCain+Collision+Reports.pdf The USS Fitzgerald case seems to be mostly human error, but the USS John S McCain case includes significant elements of poor ergonomics in the computers. Extracts from the report: At 0519, the Commanding Officer noticed the Helmsman (the watchstander steering the ship) having difficulty maintaining course while also adjusting the throttles for speed control. In response, he ordered the watch team to divide the duties of steering and throttles, maintaining course control with the Helmsman while shifting speed control to another watchstander known as the Lee Helm station ... The CO had only ordered speed control shifted. 
Because he did not know that steering had been transferred to the Lee Helm, the Helmsman perceived a loss of steering. ... Additionally, when the Helmsman reported loss of steering, the Commanding Officer slowed the ship to 10 knots and eventually to 5 knots, but the Lee Helmsman reduced only the speed of the port shaft as the throttles were not coupled together (ganged). The starboard shaft continued at 20 knots for another 68 seconds before the Lee Helmsman reduced its speed. The combination of the wrong rudder direction, and the two shafts working opposite to one another in this fashion caused an un-commanded turn to the left (port) into the heavily congested traffic area in close proximity to three ships, including the ALNIC. So, to gain operational flexibility it seems that the KISS principle (Keep It Simple Stupid) has been egregiously ignored. There were 8 stations to which control could be transferred via pull-down menus and pop-ups. On top of that there are multiple operating modes that change the capabilities of those stations. A minimum of 24 crew would have to be trained on all the details. [Remember the Einstein version of the KISS principle: Everything should be made as simple as possible, *but no simpler*. PGN] Few RISKS readers have commanded a ship at sea, but almost all have flown on an airliner. Imagine if 8 other stations on the plane or on the ground were able to take control away from the pilot such that the pilot doesn't even know if he is in control or not. I am a technologist but also a blue water sailor. I am so KISS that I rejected a steering wheel in favor of an old fashioned tiller because complex steering can fail at sea. I also have a grandson in the US Navy. Now, I'm very worried about his safety. There used to be "the Navy way" of doing things. That meant that any seaman with minimal training could perform critical tasks. Apparently, that no longer applies. 
------------------------------ Date: Sat, 4 Nov 2017 22:00:17 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Stuxnet-style code signing is more widespread than anyone thought (Ars Technica) Forgeries undermine the trust millions of people place in digital certificates. https://arstechnica.com/information-technology/2017/11/evasive-code-signed-malware-flourished-before-stuxnet-and-still-does/ ------------------------------ Date: Thu, 2 Nov 2017 13:03:07 -0700 From: Mark Thorson <eee () dialup4less com> Subject: Medical device security Based on my experiences as a patient, I'd say hospitals are among the least competent institutions to handle new technology. It's a target-rich environment and it will probably take a major intrusion resulting in deaths before the industry gets serious about security. https://www.statnews.com/2017/11/02/medical-devices-security-hospitals/ ------------------------------ Date: Sat, 4 Nov 2017 22:06:57 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Inside story: How Russians hacked the Democrats emails (WashPo) https://www.washingtonpost.com/business/technology/inside-story-how-russians-hacked-the-democrats-emails/2017/11/03/2f1caea6-c0fb-11e7-9294-705f80164f6e_story.html ------------------------------ Date: November 4, 2017 at 10:58:16 PM EDT From: Lauren Weinstein <lauren () vortex com> Subject: Estonia freezes resident ID cards due to security flaw (Engadget) via NNSquad https://www.engadget.com/2017/11/04/estonia-freezes-resident-id-cards-security-flaw/ Estonia's residents use their mandatory national IDs to access pretty much anything, from online banking to online voting. So, it was a huge blow to the program when experts found a security flaw in the IDs' chip that makes it easy for bad players to impersonate and steal the identities of all 760,000 affected individuals. That might not sound like a huge number, but that's half the small country's population. 
Now, the country has blocked most of its residents from accessing all its online services for a weekend, so it can go in and and fix the vulnerability. All ID cards issued from the beginning of the program in October 2014 to October 25th, 2017 will be frozen until their owners apply for updated certificates with the fix. They can do that online, but the online service kept crashing over the past week, leading people to flock to police stations and other government offices to get their IDs updated. For now, only medical professionals and the most frequent users will be able to apply for updated certificates online, but Estonia will open up the system to the public again on Monday. ------------------------------ Date: Fri, 3 Nov 2017 16:45:58 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: The 2020 census is in big trouble. Here's how we got here (ThinkProgress) Years of funding shortfalls and stalled IT projects have placed the census in a precarious position. https://thinkprogress.org/census-it-programs-stalled/ Skimping on every ten years must-do project -- what could go wrong? Of course, leadership gaps and botched estimates never help. ------------------------------ Date: Sat, 4 Nov 2017 21:51:53 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Hackers prey on home buyers, with hundreds of millions of dollars at stake (WashPo) https://www.washingtonpost.com/realestate/hackers-prey-on-home-buyers-with-hundreds-of-millions-of-dollars-at-stake/2017/10/30/0379dcb4-bd87-11e7-97d9-bdab5a0ab381_story.html New to me. Though, somewhat related, I keep hearing radio commercials for some sort of "Lifelock for home titles" (my term, not theirs) preventing bogus registration/transfers and mortgages. That seems about as credible as Lifelock (that is, not). 
Though I wonder about this: Days or sometimes weeks before the settlement, the scammer poses as the title or escrow agent whose email accounts they've hijacked and instructs the home buyer to wire the funds needed to close -- often hundreds of thousands of dollars, sometimes far more -- to the criminals' own bank accounts, not the title or escrow company's legitimate accounts. The criminals then withdraw the money and vanish. ...since funds are often wired by mortgage lenders, I'd hope (!) they pay attention to where funds go. ------------------------------ Date: Fri, 20 Oct 2017 08:47:23 +0100 From: Michael Bacon -- Grimbaldus <michael.bacon () grimbaldus com> Subject: Re: North Korea hacking Sony (NYTimes, RISKS-30.48) To quote from the linked article: Once North Korea counterfeited crude $100 bills to try to generate hard cash. Now intelligence officials estimate that North Korea reaps hundreds of millions of dollars a year from ransomware, digital bank heists, online video game cracking, and more recently, hacks of South Korean Bitcoin exchanges. One former British intelligence chief estimates the take from its cyberheists may bring the North as much as $1 billion a year, or a third of the value of the nation's exports. The North Korean cyberthreat crept up on us, said Robert Hannigan, the former director of Britain's Government Communications Headquarters, which handles electronic surveillance and cybersecurity. ``Because they are such a mix of the weird and absurd and medieval and highly sophisticated, people didn't take it seriously, how can such an isolated, backward country have this capability? Well, how can such an isolated backward country have this nuclear ability?" Surely this is asking something of the wrong question, and sadly, typically so of governments? The main issue is not how N Korean got so good at hacking, it's how the West got so bad at security! 
------------------------------ Date: Fri, 20 Oct 2017 17:22:53 +0100 From: Denis Bloodnok <qymf8h () fyvzl net> Subject: Re: Wikipedia deletions: make my day (Jacobson, RISKS-30.48) Dan Jacobson writes:
I mentioned to my Mom about the endless deletion attempts on Wikipedia, https://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/Peace_and_World_Affairs_Center_of_Evanston
Dan seems to have inexplicably forgotten to mention that he originally created this article, which might have unfortunately led the RISKS reader to suppose this was a disinterested observation on the deletion process from an unbiased observer.
They even tired to delete https://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/Triscuit
He also seems to have failed to mention that the mysterious "they" here was one person who politely withdrew the deletion proposal after a few comments. Is there no end to their iniquity? I've said in the past that Wikipedia's a bit of a sausage factory under the surface, but I'm not sure these are the most trenchant criticisms of the process RISKS has ever featured. ------------------------------ Date: Fri, 20 Oct 2017 09:57:46 +0200 From: Peter Houppermans <peter () houppermans net> Subject: Re: UK Banks, etc. to check account-holders' residence eligibility (Youngman, RISKS-30.48) There is another side effect: it actively legitimises banks to acquire more personal data (to then presumably lose to hackers who got bored reading through what they had already stolen from Equifax). Apropos Equifax: I wonder how certain is the company of the integrity of own its data now. We're only focusing on the loss and possible abuse, but I imagine there's more you can do when you have that kind of months long open door access. ------------------------------ Date: Fri, 20 Oct 2017 09:33:45 +0100 From: Tom Gardner <tggzzz () blueyonder co uk> Subject: Re: UK Banks, etc. to check account-holders' residence eligibility My mother has already suffered from a similar problem. When her husband died she was 89 had been driving cars without accident for 50 years. We tried to get insurance for her to continue to drive her car, but no company would insure her. Why not? Because the "all driver" comprehensive insurance had been in her husband's name so the companies had no record of her, and they would not insure a "new" 89 year old driver. So I tried to get insurance for her car in my name and to add her as a named driver, but you can't insure a car you don't own. The only solution was for me to take ownership of her car and insure it in my name, which presents different risks. 
Seven years later she doesn't drive any more, but we've kept her driving licence up to data since it is the only form of photo ID she possesses. (My driving licence doesn't have a photo, which occasionally flummoxes youngsters in banks.) ------------------------------ Date: Thu, 19 Oct 2017 16:40:20 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Google exec: Our society is in real jeopardy (Gerhard Eschelbeck) via NNSquad http://www.cnn.com/2017/10/19/opinions/cyber-attacks-opinion-eschelbeck/index.html Gerhard Eschelbeck is the vice president of privacy and security at Google. He published the "Laws of Vulnerabilities," is one of the inventors of the Common Vulnerability Scoring System (CVSS), and holds numerous patents in the field of managed network security. ------------------------------ Date: Sun, 5 Nov 2017 10:56:18 PST From: "Peter G. Neumann" <neumann () csl sri com> Subject: Susan Landau: Listening In: Cybersecurity in an Insecure Age 240 pages, Yale University Press, 28 Nov 2017 https://www.amazon.com/Listening-Cybersecurity-Insecure-Susan-Landau/dp/0300227442. *A cybersecurity expert and former Google privacy analyst's urgent call to protect devices and networks against malicious hackers* New technologies have provided both incredible convenience and new threats. The same kinds of digital networks that allow you to hail a ride using your smartphone let power grid operators control a country's electricity -- and these personal, corporate, and government systems are all vulnerable. In Ukraine, unknown hackers shut off electricity to nearly 230,000 people for six hours. North Korean hackers destroyed networks at Sony Pictures in retaliation for a film that mocked Kim Jong-un. And Russian cyberattackers leaked Democratic National Committee emails in an attempt to sway a U.S. presidential election. 
And yet despite such documented risks, government agencies, whose investigations and surveillance are stymied by encryption, push for a weakening of protections. In this accessible and riveting read, Susan Landau makes a compelling case for the need to secure our data, explaining how we must maintain cybersecurity in an insecure age.

"Susan Landau is eminently qualified to guide readers to deeper understanding of risks and threats that accompany an increasingly connected world. Our online appetites are growing and our presence attracts hacking and surveillance among other uses we may not have authorized or even anticipated. Must read."
  Vint Cerf, Internet pioneer

"Susan Landau manages to harness the sprint of our online era and provides a lasting framework for how to manage, protect, and even master our digital footprint."
  Juliette Kayyem, former Assistant Secretary, United States Department of Homeland Security

"Encryption is essential to our online security, but it also makes the job of law enforcement harder. In Listening In, Landau gives us an authoritative and unflinching look at this challenge and confronts the urgent question of security in the digital age."
  Matt Olsen, Former Director, National Counterterrorism Center

"Susan Landau has performed a remarkable feat of public service with *Listening In*: she simplifies the complex contemporary debate around privacy and security trade-offs in a way that welcomes anyone with an interest in these topics to engage with them -- and she demonstrates why everyone should."
  Jonathan Zittrain, author of *The Future of the Internet -- and How to Stop It*

[See Susan's website: https://privacyink.org ]

------------------------------

Date: Tue, 10 Jan 2017 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 30.49
************************