RISKS Forum mailing list archives
Risks Digest 27.33
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 6 Jun 2013 11:43:19 PDT
RISKS-LIST: Risks-Forum Digest Thursday 6 June 2013 Volume 27 : Issue 33 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/27.33.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Re: BA plane's emergency landing at LHR caused by maintenance error (Clive Page) Data protection in the EU: the certainty of uncertainty (Cory Doctorow) NSA collecting phone records of millions of Americans daily (Paul Owen via Dave Farber) "In digital era, privacy must be a priority. Is it just me, or is secret blanket surveillance obscenely outrageous" (Al Gore) "The BYOD Mobile Security Threat Is Real" (Tom Kaneshige via Gene Wirchenko) Re: The Hazards of Gambling (FriedBadger) Re: Risks of spreadsheets -- and leap seconds (Bob Frankston) Re: Apple says you can't use the iTunes/App Store ... abroad (Steve Wildstrom) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 05 Jun 2013 19:04:44 +0100 From: Clive Page <usenet () page2 eu> Subject: Re: BA plane's emergency landing at LHR caused by maintenance error Regarding the BA plane which took off with both engine cowls unlatched. The bit of the story that frightened me most was from one of the BBC accounts which said: ``Last July Airbus said there had been 32 reported fan cowl door detachment events, but none of the cases resulted in a fire.'' This suggests to me that maintenance crews are not paying anything like enough attention to this. If the cowl comes loose it might, as in this case, cause a fire and an emergency landing. But it could even be worse. A lump of metal falling from a preceding plane is now thought to have caused the Concorde disaster at Paris some years ago. ------------------------------ Date: Wed, 5 Jun 2013 9:37:27 PDT From: "Peter G. Neumann" <neumann () csl sri com> Subject: Data protection in the EU: the certainty of uncertainty (Cory Doctorow) Cory Doctorow, *The Guardian*'s technology blog, 5 Jun 2013 "As I write this, the European Parliament is involved in a world-beatingly gnarly wrangle over the new General Data Protection Regulation.'' http://www.guardian.co.uk/technology/blog/2013/jun/05/data-protection-eu-anonymous Cory's blog item on the relative ease of de-identifying supposed anonymizations should be no surprise to RISKS readers. It is a very nice assessment of some of the risks. Ed Felten (Princeton) and Seth David Schoen (EFF) are quoted, among others. It is very well worth your reading, as it opens up some gigantic cans of worms (although quite unlike the Diet of Worms). PGN ------------------------------ Date: Wed, 5 Jun 2013 19:53:05 -0400 From: dfarber <dave () farber net> Subject: NSA collecting phone records of millions of Americans daily Revealed: NSA collecting phone records of millions of Americans daily Paul Owen, *The Guardian*, 6 Jun 2013 http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order Under the terms of the order, the numbers of both parties on a call are handed over, as is location data and the time and duration of all calls. The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America's largest telecoms providers, under a top secret court order issued in April. The order, a copy of which has been obtained by the Guardian, requires Verizon on an "ongoing, daily basis" to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries. The document shows for the first time that under the Obama administration the communication records of millions of US citizens are being collected indiscriminately and in bulk -- regardless of whether they are suspected of any wrongdoing. The secret Foreign Intelligence Surveillance Court (Fisa) granted the order to the FBI on April 25, giving the government unlimited authority to obtain the data for a specified three-month period ending on July 19. Under the terms of the blanket order, the numbers of both parties on a call are handed over, as is location data, call duration, unique identifiers, and the time and duration of all calls. The contents of the conversation itself are not covered. The disclosure is likely to reignite longstanding debates in the US over the proper extent of the government's domestic spying powers. Under the Bush administration, officials in security agencies had disclosed to reporters the large-scale collection of call records data by the NSA, but this is the first time significant and top-secret documents have revealed the continuation of the practice on a massive scale under President Obama. The unlimited nature of the records being handed over to the NSA is extremely unusual. Fisa court orders typically direct the production of records pertaining to a specific named target who is suspected of being an agent of a terrorist group or foreign state, or a finite set of individually named targets. The Guardian approached the National Security Agency, the White House and the Department of Justice for comment in advance of publication on Wednesday. All declined. The agencies were also offered the opportunity to raise specific security concerns regarding the publication of the court order. The court order expressly bars Verizon from disclosing to the public either the existence of the FBI's request for its customers' records, or the court order itself. "We decline comment," said Ed McFadden, a Washington-based Verizon spokesman. The order, signed by Judge Roger Vinson, compels Verizon to produce to the NSA electronic copies of "all call detail records or 'telephony metadata' created by Verizon for communications between the United States and abroad" or "wholly within the United States, including local telephone calls". The order directs Verizon to "continue production on an ongoing daily basis thereafter for the duration of this order". It specifies that the records to be produced include "session identifying information", such as "originating and terminating number", the duration of each call, telephone calling card numbers, trunk identifiers, International Mobile Subscriber Identity (IMSI) number, and "comprehensive communication routing information". The information is classed as "metadata", or transactional information, rather than communications, and so does not require individual warrants to access. The document also specifies that such "metadata" is not limited to the aforementioned items. A 2005 court ruling judged that cell site location data -- the nearest cell tower a phone was connected to -- was also transactional data, and so could potentially fall under the scope of the order. While the order itself does not include either the contents of messages or the personal information of the subscriber of any particular cell number, its collection would allow the NSA to build easily a comprehensive picture of who any individual contacted, how and when, and possibly from where, retrospectively. It is not known whether Verizon is the only cell-phone provider to be targeted with such an order, although previous reporting has suggested the NSA has collected cell records from all major mobile networks. It is also unclear from the leaked document whether the three-month order was a one-off, or the latest in a series of similar orders. The court order appears to explain the numerous cryptic public warnings by two US senators, Ron Wyden and Mark Udall, about the scope of the Obama administration's surveillance activities. For roughly two years, the two Democrats have been stridently advising the public that the US government is relying on "secret legal interpretations" to claim surveillance powers so broad that the American public would be "stunned" to learn of the kind of domestic spying being conducted. Because those activities are classified, the senators, both members of the Senate intelligence committee, have been prevented from specifying which domestic surveillance programs they find so alarming. But the information they have been able to disclose in their public warnings perfectly tracks both the specific law cited by the April 25 court order as well as the vast scope of record-gathering it authorized. Julian Sanchez, a surveillance expert with the Cato Institute, explained: "We've certainly seen the government increasingly strain the bounds of 'relevance' to collect large numbers of records at once -- everyone at one or two degrees of separation from a target -- but vacuuming all metadata up indiscriminately would be an extraordinary repudiation of any pretence of constraint or particularized suspicion." The April order requested by the FBI and NSA does precisely that. The law on which the order explicitly relies is the so-called "business records" provision of the Patriot Act, 50 USC section 1861. That is the provision which Wyden and Udall have repeatedly cited when warning the public of what they believe is the Obama administration's extreme interpretation of the law to engage in excessive domestic surveillance. In a letter to attorney general Eric Holder last year, they argued that "there is now a significant gap between what most Americans think the law allows and what the government secretly claims the law allows." "We believe," they wrote, "that most Americans would be stunned to learn the details of how these secret court opinions have interpreted" the "business records" provision of the Patriot Act. Privacy advocates have long warned that allowing the government to collect and store unlimited "metadata" is a highly invasive form of surveillance of citizens' communications activities. Those records enable the government to know the identity of every person with whom an individual communicates electronically, how long they spoke, and their location at the time of the communication. Such metadata is what the US government has long attempted to obtain in order to discover an individual's network of associations and communication patterns. The request for the bulk collection of all Verizon domestic telephone records indicates that the agency is continuing some version of the data-mining program begun by the Bush administration in the immediate aftermath of the 9/11 attack. The NSA, as part of a program secretly authorized by President Bush on 4 October 2001, implemented a bulk collection program of domestic telephone, Internet and e-mail records. A furore erupted in 2006 when USA Today reported that the NSA had "been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth" and was "using the data to analyze calling patterns in an effort to detect terrorist activity." Until now, there has been no indication that the Obama administration implemented a similar program. These recent events reflect how profoundly the NSA's mission has transformed from an agency exclusively devoted to foreign intelligence gathering, into one that focuses increasingly on domestic communications. A 30-year employee of the NSA, William Binney, resigned from the agency shortly after 9/11 in protest at the agency's focus on domestic activities. In the mid-1970s, Congress, for the first time, investigated the surveillance activities of the US government. Back then, the mandate of the NSA was that it would never direct its surveillance apparatus domestically. At the conclusion of that investigation, Frank Church, the Democratic senator from Idaho who chaired the investigative committee, warned: "The NSA's capability at any time could be turned around on the American people, and no American would have any privacy left, such is the capability to monitor everything: telephone conversations, telegrams, it doesn't matter." Additional reporting by Ewen MacAskill and Spencer Ackerman ------------------------------ Date: Thu, 6 Jun 2013 08:57:55 -0400 From: David Farber <farber () gmail com> Subject: Al Gore "In digital era, privacy must be a priority. Is it just me, or is secret blanket surveillance obscenely outrageous" Al Gore, 6 Jun 2013, http://t.co/KONSBtTWjc The former vice president slammed the overreach of the NSA's surveillance powers on Twitter. ------------------------------ Date: Wed, 05 Jun 2013 11:26:44 -0700 From: Gene Wirchenko <genew () telus net> Subject: "The BYOD Mobile Security Threat Is Real" (Tom Kaneshige) Tom Kaneshige, *CIO*, 30 May 2013 Cloud storage, text messaging, poor accountability and the "Bad Leaver" open the doors to data breaches in a BYOD environment, says a cyber-crime expert in this CIO.com interview. http://www.cio.com/article/734231/The_BYOD_Mobile_Security_Threat_Is_Real ------------------------------ Date: Wed, 05 Jun 2013 10:29:10 +0100F From: spam trap <nospam.1.friedbadger () spamgourmet com> Subject: Re: The Hazards of Gambling (Drewe, RISKS-27.32)
If the Government takes money off rich people and gives it to poor people, this may seem to be "fairer" and reduce inequality,
It does. A previous poster has eloquently explained this.
but it rewards people who rely on welfare and punishes those who provide for themselves
I would not use the term 'reward' or 'punish'. People on low incomes who rely on benefits are often struggling to afford the basics. Many are not able to find well-paid work. OTOH taking a little from the wealthiest will not hurt them.
(hence in the UK a lifetime on welfare is quite a popular career option).
This is a myth often spread by certain elements in the media. In truth the majority of benefits goes to those who do work but are on low-incomes. Describing a lifetime on welfare as a 'popular' career option is insulting to the majority who would get a (better) job if they could. ------------------------------ Date: Tue, 4 Jun 2013 20:43:28 -0400 From: "Bob Frankston" <bob2-39 () bobf frankston com> Subject: Re: Risks of spreadsheets -- and leap seconds (Kaiser, RISKS-27.32) Hidden dependencies are a risk with any program. And then we get dependencies on the bug. We get away with this because if typically doesn't matter in a world that isn't very precise. I wonder how many financial instruments depended on the 1-2-3 bug which treated 2000 as a leap year. I happened to be well-aware of the problem because my very first program in 1963 calculated leap years on an IBM 1620. We often get away with accepting these problems because proportionality rules in the analog arena. And typically the models we are using are indeed in the analog domain. But when we operate in the digital domain we can run into trouble. (I posted related comments about big data as http://rmf.vc/IPBigData). This is why I keep complaining about the leap second. In the analog world it's just a pesky second but in the digital world we don't round "1/2/2020 23:59:59" because we know that that is really 1/2/2020 though using epoch+seconds it might not be. For that matter essentially none of the date/times in databases for the last 40 years are correct since they just pretend leap seconds don't exist. They can't because time function simply don't have the information to do interval calculations. ------------------------------ Date: Wed, 5 Jun 2013 07:47:31 -0400 From: Steve Wildstrom <steve () wildstrom com> Subject: Re: Apple says you can't use the iTunes/App Store ... abroad (R-27.32) This has to do with content licensing issues and the blame falls on the content owners, not Apple. In a sense, it is related to the DVD zone problem. Content owners license Apple to distribute movies and other content on a country-by-country basis. To comply with the terms of these agreements, Apple has to limit sales to the customer's home country, thus the ToS restrictions. And the EU doesn't help here; licensing, like much else, is still on a national basis. Steve Wildstrom www.wildstrom.com/steve ------------------------------ Date: Sun, 7 Oct 2012 20:20:16 -0900 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall () newcastle ac uk>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 27.33 ************************
Current thread:
- Risks Digest 27.33 RISKS List Owner (Jun 06)