RISKS Forum mailing list archives
Risks Digest 31.38
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 24 Aug 2019 15:57:08 PDT
RISKS-LIST: Risks-Forum Digest Saturday 24 August 2019 Volume 31 : Issue 38
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/31.38>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
16 Million Americans Will Vote on Hackable Paperless Machines (MIT TechReview)
Moscow's blockchain voting system cracked a month before election (ZDNet)
Judge Bars Georgia From Using Current Voting Technology in 2020 (CNet)
"Employees connect nuclear plant to the Internet so they can mine
  cryptocurrency" (Catalin Cimpanu)
Patrick Byrne (Rob Slade)
Why the U.S. Disaster Agency Is Not Ready for Catastrophes (Scientific American)
Backdoor code found in 11 Ruby libraries (Catalin Cimpanu)
"Unpatchable security flaw found in popular SoC boards" (Catalin Cimpanu)
Hospital website hijacked by 'pirates' (Sonoma News)
MoviePass exposed thousands of unencrypted customer card numbers (Tech Crunch)
Hong Kong protesters warn of Telegram feature that can disclose their
  identities (Catalin Cimpanu)
Researcher publishes second Steam zero day after getting banned on Valve's
  bug bounty program (Catalin Cimpanu)
This trojan malware being offered for free could cause hacking spike (ZDNet)
Users of Adult Website Exposed By Data Breach (Infosecurity)
Ransomware Attacks Are Testing Resolve of Cities Across America (NYT)
Ransomware Attack Hits 23 Texas Towns, Authorities Say (NYTimes)
Phishing spam is getting better ... (Rob Slade)
A credit card never needed cleaning instructions... then Apple came along
  (Gene Wirchenko)
Want To Know What's In Your Sweat? There's A Patch For That (npr.org)
Playing God: Japan temple puts faith in robot priest "with AI. It's changing
  Buddhism" (AFP)
Re: Contingency plan for compromised fingerprint database (Edwin Slonim)
Re: Facial recognition errors (Arthur T.)
Re: Electric car charging stations may be portals for power grid cyberattacks
  (Kelly Bert Manning)
Re: Shoot out the headlines first, ask questions later: Climate change ...
  (Kelly Bert Manning, Amos Shapir)
Re: Password policy (Dmitri Maziuk)
Noise about Quiet Skies program (Richard Stein)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 21 Aug 2019 12:25:08 -0400
From: ACM TechNews <technews-editor () acm org>
Subject: 16 Million Americans Will Vote on Hackable Paperless Machines
  (MIT TechReview)

Patrick Howell O'Neill, Technology Review, 13 Aug 2019
via ACM TechNews, Wednesday, August 21, 2019

A study by researchers at New York University found that at least 16 million
Americans in eight states will vote on completely paperless machines in the
2020 U.S. elections, despite a strong consensus among cybersecurity and
national security experts that paper ballots and vote audits are necessary to
ensure election security. While the states in question are not historically
battleground states, some are likely to be more closely contested than usual.
Said U.S. Senator Ron Wyden of Oregon, "Congress needs to set mandatory
federal election security standards that outlaw paperless voting machines and
guarantee every American the right to vote with a hand-marked paper ballot."
Wyden cited experts as requiring hand-marked paper ballots and post-election
audits to defend against hacking. "Vendors should recognize that fact or get
out of the way."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-212c5x21d479x070202&

------------------------------

Date: Wed, 21 Aug 2019 8:45:41 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Moscow's blockchain voting system cracked a month before election
  (ZDNet)

A French security researcher has found a critical vulnerability in the
blockchain-based voting system Russian officials plan to use next month for
the 2019 Moscow City Duma election.

Pierrick Gaudry, an academic at Lorraine University and a researcher for
INRIA, the French research institute for digital sciences, found that he
could compute the voting system's private keys based on its public keys.
These private keys are used together with the public keys to encrypt user
votes cast in the election.

MOSCOW BLOCKCHAIN VOTING SYSTEM ENCRYPTION BROKEN IN 20 MINUTES

Gaudry blamed the issue on Russian officials using a variant of the ElGamal
encryption scheme that used encryption key sizes that were too small to be
secure. This meant that modern computers could break the encryption scheme
within minutes.

"It can be broken in about 20 minutes using a standard personal computer,
and using only free software that is publicly available," Gaudry said in a
report published earlier this month.

"Once these [private keys] are known, any encrypted data can be decrypted as
quickly as they are created," he added.

https://www.zdnet.com/article/moscows-blockchain-voting-system-cracked-a-month-before-election/

------------------------------

Date: Fri, 23 Aug 2019 12:26:16 -0400
From: ACM TechNews <technews-editor () acm org>
Subject: Judge Bars Georgia From Using Current Voting Technology in 2020 (CNet)

Laura Hautala, CNet (15 Aug 2019)
via ACM TechNews, 23 Aug 2019

U.S. District Judge Amy Totenberg has ordered Georgia not to use its
paperless voting machines, election management software, or servers for the
2020 election, requiring the state to implement a new voting system in time
for the presidential primaries. Georgia is currently acquiring new electronic
voting machines and vote-counting software. The court order will prevent the
state from relying on its paperless voting machines and election management
software if the replacement infrastructure is not ready in time; should this
happen, Georgia may have to fall back on paper ballots. Attorney David Cross
said the order ``is a big win for all Georgia voters and those working across
the country to secure elections and protect the right to vote.''

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2135bx21d58ax070501&

------------------------------

Date: Fri, 23 Aug 2019 10:27:27 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: "Employees connect nuclear plant to the Internet so they can mine
  cryptocurrency" (Catalin Cimpanu)

By Catalin Cimpanu for Zero Day | 22 Aug 2019
The Ukrainian Secret Service is investigating the incident as a potential
security breach.
https://www.zdnet.com/article/employees-connect-nuclear-plant-to-the-internet-so-they-can-mine-cryptocurrency/

------------------------------

Date: Fri, 23 Aug 2019 10:26:14 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Patrick Byrne

Patrick Byrne says that he helped the "Deep State" investigations. He also
says that the FBI ordered him to pursue a relationship with Russian (spy?
agent? dupe?) Maria Butina.

Oh. And he also wanted to change Overstock from a "cheap furniture" company
to a "blockchain" company.

So caveat emptor ...

------------------------------

Date: Tue, 20 Aug 2019 20:12:47 -0700
From: Richard Stein <rmstein () ieee org>
Subject: Why the U.S. Disaster Agency Is Not Ready for Catastrophes
  (Scientific American)

https://www.scientificamerican.com/article/why-the-u-s-disaster-agency-is-not-ready-for-catastrophes/

"The Federal Emergency Management Agency has wasted more than $3 billion and
misused thousands of its employees by responding to hundreds of undersized
floods, storms and other events that states could have handled on their own,
an investigation by E&E News shows."

As noted in http://catless.ncl.ac.uk/Risks/31/36#subj12, nations and
localities are struggling to plan prioritized disaster response allocation.
FEMA-level response dilution, partially driven by climate change, threatens
US resilience -- a portentous sign of bad risk mitigation planning at a
strategic level.

------------------------------

Date: Tue, 20 Aug 2019 12:25:03 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: Backdoor code found in 11 Ruby libraries (Catalin Cimpanu)

Catalin Cimpanu for Zero Day | 20 Aug 2019
RubyGems staff have removed 18 malicious Ruby library versions that have been
downloaded 3,584 times since July 8.
https://www.zdnet.com/article/backdoor-code-found-in-11-ruby-libraries/

selected text:

Maintainers of the RubyGems package repository have yanked 18 malicious
versions of 11 Ruby libraries that contained a backdoor mechanism and were
caught inserting code that launched hidden cryptocurrency mining operations
inside other people's Ruby projects.

The individual behind this scheme was active for more than a month, and their
actions were not detected.

Things changed when the hacker managed to gain access to the RubyGems account
of one of the rest-client developers, which he used to push four malicious
versions of rest-client on RubyGems.

------------------------------

Date: Tue, 20 Aug 2019 12:29:28 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: "Unpatchable security flaw found in popular SoC boards"
  (Catalin Cimpanu)

Catalin Cimpanu for Zero Day | 20 Aug 2019
Xilinx Zynq UltraScale+ SoCs are normally used in automotive, aviation,
consumer electronics, industrial, and military components.
https://www.zdnet.com/article/unpatchable-security-flaw-found-in-popular-soc-boards/

opening text:

Security researchers have discovered an unpatchable security flaw in a
popular brand of system-on-chip (SoC) boards manufactured by Xilinx.

The vulnerable component is Xilinx's Zynq UltraScale+ brand, which includes
system-on-chip (SoC), multi-processor system-on-chip (MPSoC), and radio
frequency system-on-chip (RFSoC) products used inside automotive, aviation,
consumer electronics, industrial, and military components.

Two bugs found, but one is unpatchable

------------------------------

Date: Wed, 21 Aug 2019 11:46:45 -0400
From: Monty Solomon <monty () roscom com>
Subject: Hospital website hijacked by 'pirates' (Sonoma News)

https://www.sonomanews.com/home/a1/9924307-181/hospital-website-hijacked-by-pirates

------------------------------

Date: Wed, 21 Aug 2019 11:49:19 -0400
From: Monty Solomon <monty () roscom com>
Subject: MoviePass exposed thousands of unencrypted customer card numbers
  (Tech Crunch)

https://techcrunch.com/2019/08/20/moviepass-thousands-data-exposed-leak/

------------------------------

Date: Fri, 23 Aug 2019 10:29:02 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: Hong Kong protesters warn of Telegram feature that can disclose
  their identities (Catalin Cimpanu)

Catalin Cimpanu for Zero Day | 23 Aug 2019
Message shared on discussion boards sparks panic among protesters.
https://www.zdnet.com/article/hong-kong-protesters-warn-of-telegram-feature-that-can-disclose-their-identities/

------------------------------

Date: Fri, 23 Aug 2019 10:31:22 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: Researcher publishes second Steam zero day after getting banned on
  Valve's bug bounty program (Catalin Cimpanu)

Catalin Cimpanu for Zero Day | 21 Aug 2019
Valve gets heavily criticized for mishandling a crucial bug report.
https://www.zdnet.com/article/researcher-publishes-second-steam-zero-day-after-getting-banned-on-valves-bug-bounty-program/

Valve has responded to the publication of this second Steam zero-day. Due to
the length of the response, we chose to cover it as a separate article.
Original story below.

A Russian security researcher has published details about a zero-day in the
Steam gaming client. This is the second Steam zero-day the researcher has
made public in the past two weeks.

However, while the security researcher reported the first one to Valve and
tried to have it fixed before public disclosure, he said he couldn't do the
same with the second because the company banned him from submitting further
bug reports via its public bug bounty program on the HackerOne platform.

------------------------------

Date: Fri, 23 Aug 2019 10:32:48 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: This trojan malware being offered for free could cause hacking
  spike (ZDNet)

Danny Palmer | 21 Aug 2019
NanoCore RAT can steal passwords, payment details, and secretly record audio
and video of Windows users.
https://www.zdnet.com/article/cybersecurity-this-trojan-malware-being-offered-for-free-could-cause-hacking-spike/

A new version of a powerful form of trojan malware is being offered on the
dark web for free, with one cybersecurity company warning this could lead to
a rise in attacks targeting passwords, bank details and other personal
information, even by crooks with limited technical skills.

------------------------------

Date: Wed, 21 Aug 2019 11:50:23 -0400
From: Monty Solomon <monty () roscom com>
Subject: Users of Adult Website Exposed By Data Breach (Infosecurity)

https://www.infosecurity-magazine.com/news/users-of-adult-website-exposed-by/

------------------------------

Date: Thu, 22 Aug 2019 14:30:15 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: Ransomware Attacks Are Testing Resolve of Cities Across America (NYT)

At the public library in Wilmer, Tex., books were checked out not with the
beeps of bar code readers but with the scratches of pen on notebook paper.
Out on the street, police officers were literally writing tickets -- by hand.
When the entire computer network that keeps the small town's bureaucracy
afloat was recently hacked, Wilmer was thrown into the digital Dark Ages.

This has been the summer of crippling ransomware attacks. Wilmer -- a town of
almost 5,000 people just south of Dallas -- is one of 22 cities across Texas
that are simultaneously being held hostage for millions of dollars
<https://www.nytimes.com/2019/08/20/us/texas-ransomware.html?module=inline>
after a sophisticated hacker, perhaps a group of them, infiltrated their
computer systems and encrypted their data. The attack instigated a statewide
disaster-style response that includes the National Guard and a widening
F.B.I. inquiry.

More than 40 municipalities have been the victims of cyberattacks this year,
from major cities such as Baltimore, Albany and Laredo, Tex., to smaller
towns including Lake City, Fla. Lake City is one of the few cities to have
paid a ransom demand -- about $460,000 in Bitcoin, a cryptocurrency --
because it thought reconstructing its systems would be even more costly.
(https://www.nytimes.com/2019/07/07/us/florida-ransom-hack.html?module=inline)

In most ransomware cases, the identities and whereabouts of culprits are
cloaked by clever digital diversions. Intelligence officials, using data
collected by the National Security Agency and others in an effort to identify
the sources of the hacking, say many have come from Eastern Europe, Iran and,
in some cases, the United States. The majority have targeted small-town
America, figuring that sleepy, cash-strapped local governments *are the least
likely to have updated their cyberdefenses or backed up their data*...

https://www.msn.com/en-us/news/technology/ransomware-attacks-are-testing-resolve-of-cities-across-america/ar-AAGapHU
https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html

------------------------------

Date: Tue, 20 Aug 2019 16:17:57 -0400
From: Monty Solomon <monty () roscom com>
Subject: Ransomware Attack Hits 23 Texas Towns, Authorities Say (NYTimes)

The state declined to say which towns were affected by the coordinated
cyberattack. But one expert said it could signal more such attacks in the
future.

https://www.nytimes.com/2019/08/20/us/texas-ransomware.html

------------------------------

Date: Tue, 20 Aug 2019 12:30:12 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Phishing spam is getting better ...

Gloria asked me to have a look at an email message "from" our bank.

Other than addressing her as an "esteemed" customer, it looked pretty good.
No problems with spelling or grammar. A security warning at the bottom. The
head office address for the bank.

When I looked at the headers, there were only a few, very small, indications
of possible problems. It was sent from a domain that was not owned by the
bank, but a lot of companies are outsourcing a lot of IT functions, so that
wasn't exactly definitive. It had a couple of headers indicative of spam
filtering.

About the only thing that solidly demonstrated a problem was the verification
link in the body of the message, but that a) won't be visible to most, and b)
isn't a really strong indication unless you really know how to read URLs.

(Now if banks start outsourcing account verification ...)

------------------------------

Date: Fri, 23 Aug 2019 10:39:25 -0700
From: Gene Wirchenko <gene () shaw ca>
Subject: A credit card never needed cleaning instructions... then Apple came
  along

Apple warns its credit card doesn't like leather or denim or other cards.

[Just in case there is someone on the planet who does not know how special
Apple is ... . I go to my optometrist's office every so often for a fresh
cloth. I think they may have given me fewer instructions than Apple does.]

By Adrian Kingsley-Hughes for Hardware 2.0 | 22 Aug 2019
Yes, Apple went and published care instructions for its new credit card.
https://www.zdnet.com/article/a-credit-card-never-needed-cleaning-instructions-then-apple-came-along/

I used to think that the $999 XDR monitor stand was the most Apple thing
Apple ever made. But then the company came out with a credit card that needed
its own care instructions.

Yes, care instructions. For a credit card.

Apple goes into great detail on how to keep your flashy laser-etched titanium
Apple Card looking its finest. Store it in "a wallet, pocket, or bag made of
soft materials," don't store it with another credit card because it might
become scratched, and give it the occasional clean with a "soft, slightly
damp, lint-free microfiber cloth."

Chris Duckett, ZDNet, 22 Aug 2019
Apple warns its credit card doesn't like leather or denim or other cards
White titanium card is afraid of most things people use to carry ID and
coinage, like wallets and pockets.
https://www.zdnet.com/article/apple-warns-its-credit-card-doesnt-like-leather-or-denim/

Oh dear, that card appears to be on a hard surface.

Apple has detailed a number of things that its newly launched titanium credit
card should be kept away from.

A support note from Cupertino, spotted by AppleInsider, says the card should
be kept away from leather and denim to avoid discoloration, and also away
from hard surfaces, to avoid scratching its white finish.

Users are warned not to use household cleaners on the card, nor compressed
air and aerosols, nor any solvents, or ammonia, or anything abrasive to clean
it.

------------------------------

Date: Tue, 20 Aug 2019 19:54:16 -0700
From: Richard Stein <rmstein () ieee org>
Subject: Want To Know What's In Your Sweat? There's A Patch For That (npr.org)

https://www.npr.org/sections/health-shots/2019/08/20/752378580/want-to-know-whats-in-your-sweat-there-s-a-patch-for-that

"The patch the Berkeley scientists designed collects sweat at the surface of
the skin and analyzes it in real-time using a custom printed circuit board
that transmits the collected data wirelessly to a mobile phone."

Obvious risk here -- streaming perspiration chemistry to a phone or
Internet-connected widget for analysis. If there's too much sodium or
potassium detected in perspiration, does this imply that a custom
replenishment fluid must be ingested to re-balance blood chemistry? How is
the replenishment molarity calibrated for an athlete in competition?

This device represents the next step in the pharmaceutical athletic games.
Should that IV be shaken or stirred?

------------------------------

Date: Tue, 20 Aug 2019 14:28:11 -1000
From: the keyboard of geoff goodfellow <geoff () iconia com>
Subject: Playing God: Japan temple puts faith in robot priest "with AI. It's
  changing Buddhism" (AFP)

A 400-year-old temple in Japan is attempting to hot-wire interest in Buddhism
with a robotic priest it believes will change the face of the religion --
despite critics comparing the android to "Frankenstein's monster."

The android Kannon, based on the Buddhist deity of mercy, preaches sermons at
Kodaiji temple in Kyoto, and its human colleagues predict that with
artificial intelligence it could one day acquire unlimited wisdom.

"This robot will never die, it will just keep updating itself and evolving,"
priest Tensho Goto told AFP.

"That's the beauty of a robot. It can store knowledge forever and
limitlessly.

"With AI we hope it will grow in wisdom to help people overcome even the most
difficult troubles. It's changing Buddhism," added Goto. ...

https://news.yahoo.com/playing-god-japan-temple-puts-faith-robot-priest-043640106.html

------------------------------

Date: Tue, 20 Aug 2019 07:54:51 +0300
From: Edwin Slonim <eslonim () minols com>
Subject: Re: Contingency plan for compromised fingerprint database (R 31 37)

My contingency plan is to use a different finger. Even if all 10 fingers are
eventually compromised, assuming the access control locks out after n tries
where (n << 10) I should be ok :-)

In Risks 31.37 Anthony Thorn <anthony.thorn () atss ch> wrote:

  You can change a compromised password, but your fingerprint is not only
  fixed, but shared across all applications which use fingerprint
  recognition. What is your contingency plan?

------------------------------

Date: Tue, 20 Aug 2019 02:23:08 -0400
From: "Arthur T." <risks201908.10.atsjbt () xoxy net>
Subject: Re: Facial recognition errors (RISKS-31.37)

  Facial recognition software mistook 1 in 5 California lawmakers for
  criminals, says ACLU

A better headline and subhead for the original story might be:

  Software Set At 80% Confidence Level Works Correctly 80% Of The Time;
  Software Used With Default Values Rather Than Recommended Values Doesn't
  Work Well

Amazon does seem disingenuous with its claim that the software should be used
at the 99% confidence level when matching faces, while shipping with the
default set to 80%. As we've seen here, many users who should know better
never change from default settings.

Note that the 80% default value didn't appear in the linked story, but in
another on the same topic that I had read earlier:
<https://yro.slashdot.org/story/19/08/13/2046220/amazons-facial-recognition-misidentified-1-in-5-california-lawmakers-as-criminals>.

  [Sarcastically, Geoffrey Newbury and Phil Martel each suggested: So the
  software actually had an 80% failure rate? Might that suggest that 5 out of
  5 were actually criminals? PGN]

------------------------------

Date: Tue, 20 Aug 2019 12:58:43 -0400
From: Kelly Bert Manning <bo774 () freenet carleton ca>
Subject: Re: Electric car charging stations may be portals for power grid
  cyberattacks (RISKS-31.37)

I did not see what types of charging stations were involved. The flip side is
that reversing flow and drawing power from e-vehicles has been proposed as a
way to smooth out demand spikes and to store surplus wind and solar power
when they are parked plugged in.

I have to speculate that this risk involves Level 3 or higher stations. With
the demise of the last gas station in downtown Vancouver BC, and the
proliferation of "free" (TANSTAAFL) or pay to use fast charging stations at
parking lots and underground garages this might be a risk, but not likely for
110 or 220 volt charging stations. I did not bother to install a level 2
charger for our plug in hybrid because it charges from the carport plug in
5.5 hours with about the same draw as a major kitchen appliance. Other
protection in the electric distribution system could put them offline before
a large section goes down. Canadian wiring specs require the top and bottom
sockets of kitchen counter outlets, and adjacent outlets, to be on separate
circuits. You need at least 4 circuits to wire a kitchen according to code if
you have 2 or more kitchen outlets.

Don't Grid Controllers in the UK have TVs in the control rooms to monitor
Football (Soccer in Canadian & USA English) games because so many fans tend
to plug in electric kettles during long pauses and ad breaks? Pumped Hydro
Electric Storage generators in Wales and elsewhere can be spun up to meet
those demand surges when the operators see a break coming. We don't need
electric cars to experience this type of power demand surge.

In Canada the equivalent is the Hockey Game Flush, as thousands of fans flush
toilets, creating a risk of municipal water lines collapsing or having
infiltration due to sharp drops in water pressure. System ops watch the game,
ready to start turbo boost pumps during breaks and stop them at the end of
the break.

------------------------------

Date: Tue, 20 Aug 2019 13:30:32 -0400
From: Kelly Bert Manning <bo774 () freenet carleton ca>
Subject: Re: Shoot out the headlines first, ask questions later (RISKS-31.37)

Rushing into print or digital publication of new startling results from
recently deployed or newly developed instruments is a known risk in Climate
Research.

Someone rushed into print with an "Oceans are Cooling" paper, based on
comparing early Argo Buoy data with older XBT data. With the wisdom of
hindsight the Argo data had a Cold bias and the XBT data had a Warm bias.
Longer term study revealed the bias in both instruments.

https://earthobservatory.nasa.gov/features/OceanCooling

Instrument Bias also came up when Anthony Watts enlisted an army of fans to
create a list of "poorly sited" weather stations which they felt gave a warm
bias to the NOAA conclusion of a warming trend in the Continental USA. NOAA
repeated the analysis, excluding those stations, and got a slightly stronger
warming trend. Be careful what you ask for.

https://en.wikipedia.org/wiki/Anthony_Watts_(blogger)#Surface_Stations_project

------------------------------

Date: Wed, 21 Aug 2019 11:17:55 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Shoot out the headlines first, ask questions later (RISKS-31.37)

Before joining the celebrations of the "Ha ha, no global warming! We can go
on burning as much carbon as we like!" crowd, please see the following
article (in French):
https://www.lci.fr/planete/les-records-de-chaleur-au-groenland-remis-en-cause-par-des-climatosceptiques-en-quoi-ils-se-trompent-2129437.html

It points out that the post in "What's up with that" relies on an error in a
single station on a single day, ignoring thousands of measurements over the
past few months.

Also check out my post in Quora:
https://www.quora.com/Is-global-warming-a-hoax/answer/Amos-Shapir-1
which includes two maps to demonstrate the current situation in Greenland.

------------------------------

Date: Tue, 20 Aug 2019 12:50:34 -0500
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: Password policy (Goldberg, RISKS-31.37)

I'm pretty sure this made RISKS at least once before: https://xkcd.com/936/

Evidently none of the password security expert policy writers ever heard of
xkcd.

(Incidentally I recently tried "oh, not again!" for a linux account password
and it worked.)

------------------------------

Date: Mon, 19 Aug 2019 22:49:04 -0700
From: Richard Stein <rmstein () ieee org>
Subject: Noise about Quiet Skies program (Thorson, RISKS-30.86)

"Federal air marshals have begun following ordinary US citizens not suspected
of a crime or on any terrorist watch list and collecting extensive
information about their movements and behavior under a new domestic
surveillance program that is drawing criticism from within the agency."

"As an ordinary citizen," Mark's submission provoked my "spider sense" to
file a FOIA request with TSA. I finally received a response to my petition
dated 19AUG2019:

"This letter is in response to your Freedom of Information Act (FOIA) request
to the Transportation Security Administration (TSA) dated October 11, 2018,
seeking access to the following records about yourself:

"1. All Federal Air Marshall Service 'Quiet Skies' records collected,
reported, and collated that pertain to international or domestic travel. To
include dates/times of collection, transport vehicle/flight or bus/train or
ship, and itemize detail of collected records include
purpose/reason/justification for data capture based on air marshal
prerogative.

"2. A list of federal and state agencies that have approved direct/indirect
access to these records and include dates/time/purpose for access.

"Your request has been processed under the FOIA, 5 U.S.C. 552, and the
Privacy Act, 5 U.S.C 552a. A search was conducted within the TSA and no
records responsive to your request were located."

Guess the skies are safe to fly after all? While a sample size of 1 does not
prove much, the TSA response suggests that citizens of "sufficient interest"
merit air marshal tracking and attention. What constitutes "sufficient
interest" was not a petition subject, and therefore not disclosed.

------------------------------

Date: Mon, 14 Jan 2019 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing
 on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 31.38
************************
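The Moscow blockchain voting item in this issue says the ElGamal private keys could be computed from the public keys because the chosen key sizes were too small. The following is an added example, not code from this digest or from Gaudry's report: a toy ElGamal key pair over a constructed 31-bit prime, a baby-step giant-step routine that recovers the private key from the public key alone (cheap only because the modulus is tiny), and the minimum-modulus-size check a deployment should run before accepting parameters. All numbers are constructed; the 2048-bit floor is the current NIST SP 800-57 recommendation for finite-field schemes.

```python
"""Toy ElGamal over a deliberately undersized prime, with baby-step giant-step
recovery of the private key from the public key.  Added example, not code from
the RISKS post or from Gaudry's report; all parameters are constructed."""
import math
import secrets

# Constructed toy modulus: the Mersenne prime 2^31 - 1.  NIST SP 800-57 calls
# for at least a 2048-bit modulus for finite-field ElGamal, so a parameter
# check should reject anything like this outright.
TOY_PRIME = 2**31 - 1
MIN_SAFE_BITS = 2048


def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for ~2^31)."""
    factors = []
    d = 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def find_generator(p):
    """Smallest g that generates the full multiplicative group mod p."""
    qs = prime_factors(p - 1)
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in qs):
            return g
    raise ValueError("no generator found")


def keygen(p, g):
    """ElGamal key pair: private x, public y = g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def encrypt(p, g, y, m):
    """Ciphertext (c1, c2) = (g^k, m * y^k) mod p for a fresh random k."""
    k = secrets.randbelow(p - 2) + 1
    return pow(g, k, p), (m * pow(y, k, p)) % p


def decrypt(p, x, c1, c2):
    """m = c2 * (c1^x)^-1 mod p."""
    return (c2 * pow(pow(c1, x, p), -1, p)) % p


def recover_private_key(p, g, y):
    """Baby-step giant-step: find x with g^x = y (mod p) in O(sqrt(p)) work.

    This is the computation an undersized modulus makes cheap; at 2048 bits
    the baby-step table alone would be astronomically large."""
    n = p - 1                        # order of the full group
    m = math.isqrt(n) + 1
    baby = {}
    cur = 1
    for j in range(m):               # baby steps: record g^j -> j
        baby.setdefault(cur, j)
        cur = (cur * g) % p
    giant_factor = pow(g, -m, p)     # g^(-m) mod p
    gamma = y
    for i in range(m):               # giant steps: y * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = (gamma * giant_factor) % p
    raise ValueError("discrete log not found")


def modulus_is_acceptable(p, min_bits=MIN_SAFE_BITS):
    """Deployment check: refuse finite-field parameters below min_bits."""
    return p.bit_length() >= min_bits


def demo(p=TOY_PRIME, message=20190824):
    """Generate keys, encrypt, recover the private key from y alone, decrypt."""
    g = find_generator(p)
    x, y = keygen(p, g)
    c1, c2 = encrypt(p, g, y, message)
    x_recovered = recover_private_key(p, g, y)
    return {
        "bits": p.bit_length(),
        "acceptable": modulus_is_acceptable(p),
        "key_recovered": x_recovered == x,
        "plaintext_from_recovered_key": decrypt(p, x_recovered, c1, c2),
    }


if __name__ == "__main__":
    print(demo())
```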