RISKS Forum mailing list archives
Risks Digest 27.45
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 30 Aug 2013 11:18:04 PDT
RISKS-LIST: Risks-Forum Digest  Friday 30 August 2013  Volume 27 : Issue 45

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.45.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Super Puma helicopter endured rapid dive before crash (PGN)
Shutdown at Nasdaq Is Traced to Software (Michael J. de la Merced via Matthew Kruk)
Text a driver in New Jersey, and you could see your day in court (Lauren Weinstein)
Why the children of tomorrow are the NSA's biggest nightmare (Charles Stross via Paul Saffo)
iOS and Android Weaknesses Allow Stealthy Pilfering of Web Credentials (Dan Goodin via ACM TechNews)
"Android random number flaw implicated in Bitcoin thefts" (Paul Ducklin via Gene Wirchenko)
Sensitive data left on hard drives (Richard A. O'Keefe)
"Report: NSA broke into UN video teleconferencing system" (Lucian Constantin via Gene Wirchenko)
Facebook considers adding profile photos to facial recognition database (Lauren Weinstein)
More garbage from Facebook (Vindu Goel via Matthew Kruk)
"The end of Groklaw and our online privacy?" (Pamela Jones via Monica Goyal via Gene Wirchenko)
HuffPo Edward Snowden Impersonated NSA Officials: Report (Sharon Kramer via Dave Farber)
It's just Metadata? But it may be wrongly interpreted! (Donald B. Wagner)
Re: In ACLU lawsuit, scientist demolishes NSA's `It's just metadata' (Marshall Clow)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 30 Aug 2013 5:13:18 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Super Puma helicopter endured rapid dive before crash, says report

A Super Puma helicopter crashed on 23 Aug 2013 off Shetland, killing four passengers after an alarming and rapid descent into the North Sea. Fourteen passengers survived, largely because the crash occurred near land. The black box voice and flight-data recorder has now been recovered from the tail section, and accident investigators have released their preliminary findings.

"The evidence currently available suggests that the helicopter was intact and upright when it entered the water. It then rapidly inverted and drifted northwards towards Garths Ness. The helicopter was largely broken up by repeated contact with the rocky shoreline."

The article notes that this is the fifth accident involving Super Pumas in the past four years, although this one appears unrelated to the previous ones. The British have discontinued all Super Puma flights (disrupting oil workers, both offshore and onshore), although the Norwegians have not.

[Source: *The Guardian*, 29 Aug 2013, PGN-ed]
http://gu.com/p/3tc5k

------------------------------

Date: Fri, 30 Aug 2013 01:36:03 -0600
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: Shutdown at Nasdaq Is Traced to Software (Michael J. de la Merced)

Michael J. de la Merced, Shutdown at Nasdaq Is Traced to Software,
DealBook -- A Financial News Service of *The New York Times*, 29 Aug 2013 [PGN-ed]
http://dealbook.nytimes.com/2013/08/29/nasdaq-blames-a-surge-of-data-for-trading-halt/?nl=todaysheadlines&emc=edit_th_20130830

Though the Nasdaq market calls itself home for the stocks of the world's biggest technology companies, the exchange acknowledged on 29 Aug 2013 that a three-hour halt in trading arose from a problem with its software. The Nasdaq OMX Group released preliminary findings that provided the clearest official insight into what caused the trading halt, being called in trading circles the "flash freeze."
While stock prices were little affected when the exchange reopened late in the afternoon of Aug. 22, the episode reignited concerns about the fragility of modern markets and their dependence on intricate software systems. In particular, a series of attempts by a market operated by the NYSE Euronext to connect with the Nasdaq system that reports the prices of recent trades generated a surge of data. That led to a failure of Nasdaq's backup systems, forcing the market to go offline to fix the problem. [...]

------------------------------

Date: Thu, 29 Aug 2013 09:23:47 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Text a driver in New Jersey, and you could see your day in court

"On Tuesday, three appeals court judges agreed with it -- in principle. They ruled that if the sender of text messages knows that the recipient is driving and texting at the same time, a court may hold the sender responsible for distraction and hold him or her liable for the accident."
http://j.mp/17oKTlS (CNN via NNSquad)

Even the theoretical concept of holding the person at the other end of an electronic communication (hell, even another person just talking in the same vehicle) responsible for a driver's stupidity is beyond ludicrous.

------------------------------

Date: Fri, 30 Aug 2013 05:54:06 -0700
From: Paul Saffo <paul () saffo com>
Subject: Why the children of tomorrow are the NSA's biggest nightmare (Charles Stross)

Charles Stross, Spy Kids, *Foreign Policy*, 28 Aug 2013
A sci-fi visionary on why the children of tomorrow are the NSA's biggest nightmare [PGN-ed]
http://www.foreignpolicy.com/articles/2013/08/28/spy_kids_nsa_surveillance_next_generation

In the 21st century, the U.S. National Security Agency (and other espionage agencies) face a storm of system-wide problems that I haven't seen anybody talking about. The problems are sociological, and they threaten to undermine the way the Western security state operates.

The big government/civil service agencies are old.
The NSA's roots stretch back to the State Department's "Black Chamber" (officially dissolved by Secretary of State Henry Stimson in 1929 with the immortal words "Gentlemen do not read each other's mail"). The CIA is a creation of the late 1940s. J. Edgar Hoover's FBI was established as the Bureau of Investigation in 1908.

These organizations are products of the 20th-century industrial state, and they are used to running their human resources and internal security processes as if they're still living in the days of the "job for life" culture. Potential spooks-to-be were tapped early (often while at school or university), vetted, and then given a safe sinecure along with regular monitoring to ensure they stayed on the straight-and-narrow all the way to the gold watch and pension. Because that's how we all used to work, at least if we were civil servants or white-collar paper-pushers back in the 1950s.

But outside the walled garden of the civil service, things don't work that way anymore. A major consequence of the 1970s resurgence of neoliberal economics was the deregulation of labor markets and the deliberate destruction of the job-for-life culture (partly because together they were a powerful lever for dislodging unionism and the taproots of left-wing power in the West, and partly because a liquid labor market made entrepreneurial innovation and corporate restructuring easier).

Government departments may be structured on old-fashioned lines, but their managers aren't immune to outside influences and they frequently attempt reforms, in the name of greater efficiency, that shadow the popular private-sector fads of the day.

One side effect of making corporate restructuring easier was the rush toward outsourcing, and today around 70 percent of the U.S. intelligence budget is spent on outside contractors. And it's a big budget -- well over $50 billion a year.
Some chunks go to heavy metal (the National Reconnaissance Office is probably the biggest high-spending agency you've never heard of: it builds spy satellites), but a lot goes to people. People to oil the machines. People who work for large contracting organizations. Organizations that increasingly rely on contractors rather than permanent labor to retain "flexibility."

Here's the problem: The organizations are now running into outside contractors who grew up in the globalized, liquid labor world of Generation X and Generation Y, with Generation Z fast approaching. [...]

If I were in charge of long-term planning for human resources in any government department, I'd be panicking. Even though it's already too late.

  [This is a long but pithy article, pruned extensively for RISKS, although I kept the concluding paragraph above. PGN]

------------------------------

Date: Wed, 28 Aug 2013 11:43:52 -0400
From: ACM TechNews <technews () HQ ACM ORG>
Subject: iOS and Android Weaknesses Allow Stealthy Pilfering of Web Credentials (Dan Goodin)

Dan Goodin, Ars Technica, 27 Aug 2013
via ACM TechNews, Wednesday, August 28, 2013

Microsoft and Indiana University researchers have found an architectural weakness in both the iOS and Android mobile operating systems that makes it possible for hackers to steal sensitive user data and login credentials for popular email and storage services. The researchers, in a paper to be presented at the ACM Special Interest Group on Security, Audit and Control's (SIGSAC) Computer and Communications Security Conference in November, found that both operating systems fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission. The same-origin policy is a basic security mechanism enforced by desktop browsers, but the protection is absent from many iOS and Android apps.
The researchers demonstrated the threat by creating several hacks that carry out cross-site scripting and cross-site request forgery attacks. "The problem here is that iOS and Android do not have this origin-based protection to regulate the interactions between those apps and between an app and another app's Web content," says Indiana University professor XiaoFeng Wang. The researchers created a proof-of-concept app called Morbs that provides OS-level protection across all apps on an Android device. Morbs works by labeling each message with information about its origin that could make it easier for developers to specify and enforce security policies based on the sites where sensitive information originates.
http://arstechnica.com/security/2013/08/ios-and-android-weaknesses-allow-stealthy-pilfering-of-website-credentials/

------------------------------

Date: Thu, 29 Aug 2013 11:55:27 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Android random number flaw implicated in Bitcoin thefts" (Paul Ducklin)

Paul Ducklin, Sophos Naked Security, 12 Aug 2013, with comments
Filed Under: Android, Cryptography, Data loss, Featured, Google
http://nakedsecurity.sophos.com/2013/08/12/android-random-number-flaw-implicated-in-bitcoin-thefts/

------------------------------

Date: Thu, 29 Aug 2013 17:59:05 +1200
From: "Richard A. O'Keefe" <ok () cs otago ac nz>
Subject: Sensitive data left on hard drives

Dax Roberts completed a PhD in another department of this university this year. 100 second-hand hard drives were bought. 24 of these still contained private information, 13 of them just plug it in and turn it on and it's there. Four of the 24 were from high schools (none in the Otago region).
[Source: the *Otago Daily Times*, 11 May 2013]
http://www.odt.co.nz/campus/university-otago/256516/computers-worth-data-left-hard-drives

------------------------------

Date: Wed, 28 Aug 2013 12:38:15 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Report: NSA broke into UN video teleconferencing system" (Lucian Constantin)

Lucian Constantin, IDG News Service, InfoWorld, 26 Aug 2013
The agency reportedly cracked the system's encryption to snoop on internal UN communications
http://www.infoworld.com/d/security/report-nsa-broke-un-video-teleconferencing-system-225585

------------------------------

Date: Thu, 29 Aug 2013 21:49:12 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Facebook considers adding profile photos to facial recognition DB

"Facial recognition technology has been a sensitive issue for technology companies, raising concerns among some privacy advocates and government officials. Tag suggest, which the company introduced in 2011, is not available in Europe due to concerns raised by regulators. Google's social network, Google+, also employs similar technology, but requires user consent. And it has banned third-party software makers from using facial recognition technology in apps designed for its Glass wearable computer."
http://j.mp/1fnmQGM (Guardian)

------------------------------

Date: Fri, 30 Aug 2013 01:41:16 -0600
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: More garbage from Facebook (Vindu Goel)

Vindu Goel, Facebook to Update Privacy Policy, but Adjusting Settings Is No Easier, *The New York Times*, 29 Aug 2013 [PGN-ed]

Facebook announced Thursday that it planned to enact changes to its privacy policies on Sept. 5. But the social network's famously difficult privacy controls will not become any easier to navigate.
Mostly, the new data use policy and statement of rights and responsibilities lay out more clearly the things that Facebook already does with your personal information, Ed Palmieri, the company's associate general counsel for privacy, said in an interview. "The updates that we are showing in the red lines are our way to better explain the products that exist today," he said. [...]

The old policy explicitly stated, "You can use your privacy settings to limit how your name and profile picture may be associated with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us."

Facebook's new language starts with the opposite position. "You give us permission to use your name, and profile picture, content, and information in connection with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us," the company said. "If you have selected a specific audience for your content or information, we will respect your choice when we use it."

Mr. Palmieri said the two versions amount to the same thing. It brings to mind Humpty Dumpty in Lewis Carroll's "Through the Looking Glass." As he told young Alice, "When I use a word, it means just what I choose it to mean - neither more nor less."
http://bits.blogs.nytimes.com/2013/08/29/facebook-to-update-privacy-policy-but-adjusting-settings-is-no-easier/?nl=todaysheadlines&emc=edit_th_20130830

------------------------------

Date: Thu, 29 Aug 2013 11:45:48 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "The end of Groklaw and our online privacy?" (Pamela Jones via Monica Goyal)

Monica Goyal, *IT Business*, 28 Aug 2013
http://www.itbusiness.ca/blog/the-end-of-groklaw-and-our-online-privacy/42250

opening paragraph:

"My personal decision is to get off of the Internet to the degree it's possible. I'm just an ordinary person.
But I really know, after all my research and some serious thinking things through, that I can't stay online personally without losing my humanness, now that I know that ensuring privacy online is impossible. I find myself unable to write. I've always been a private person. That's why I never wanted to be a celebrity and why I fought hard to maintain both my privacy and yours."
  Pamela Jones, Groklaw, in her last post.

------------------------------

From: Sharon Kramer <SNK1955 () aol com>
Date: Aug 29, 2013 2:04 PM
Subject: HuffPo Edward Snowden Impersonated NSA Officials: Report (via Dave Farber)

FYI. If a private sector employee, Edward Snowden, could impersonate NSA honchos for the purpose of exposing system flaws and security breaches harmful to the public, then who else could and may have done this for less honorable purposes? Are there several people who knew how to do this and we may never know what info got into the wrong hands?

  [Sharon Kramer, San Diego, via Dave Farber]

Edward Snowden Impersonated NSA Officials: Report

"Edward Snowden, the former government contractor who leaked information on the National Security Agency's surveillance programs, impersonated NSA officials in order to obtain files, NBC News reported Thursday. While working for Booz Allen Hamilton, the technology consulting firm that contracted for the NSA, Snowden reportedly used his access as a system administrator to borrow the electronic identities of officials with higher security clearances via NSAnet, the agency's intranet. Snowden reportedly used the identities to obtain 20,000 documents containing information on the agency's controversial programs. 'Every day, they are learning how brilliant [Snowden] was,' an anonymous former intelligence official told NBC. 'This is why you don't hire brilliant people for jobs like this. You hire smart people. Brilliant people get you in trouble.'"

<http://www.huffingtonpost.com/2013/08/29/edward-snowden-impersonated-nsa_n_3837459.html?utm_hp_ref=politics>
<http://investigations.nbcnews.com/_news/2013/08/29/20234171-snowden-impersonated-nsa-officials-sources-say?lite>
<http://www.huffingtonpost.com/2013/06/24/edward-snowden-booz-allen-hamilton_n_3491203.html>

------------------------------

Date: Thu, 29 Aug 2013 11:00:35 +0200
From: "Donald B. Wagner" <zapkatakonk1943.6.22 () gmail com>
Subject: It's just Metadata? But it may be wrongly interpreted!

A 24-year-old Danish man was recently denied entry to the U.S. with his family. He has no criminal record, no known political activities and no known connection to terrorism, but what he did have was a phone number that once belonged to a man with known terrorist ties.
http://cphpost.dk/international/dane-denied-entry-us-wrong-phone-number

Much more in Danish:
http://politiken.dk/search/?q=Tobias%20Linde%20Schanz

dr.phil. Donald B. Wagner, Jernbanegade 9B, DK-3600 Frederikssund Denmark,
Tel. +45-3331 2581  http://donwagner.dk

  [Incidentally, there is a fairly comprehensive article on the pluses and minuses of metadata by Jaron Lanier, The Meta Question: What is the NSA doing with your metadata? *The Nation*, 15 Jul 2013, along with some subsequent diverse comments online. PGN]
  http://www.thenation.com/article/174776/meta-question

------------------------------

Date: Wed, 28 Aug 2013 19:43:38 -0700
From: Marshall Clow <mclow.lists () gmail com>
Subject: Re: In ACLU lawsuit, scientist demolishes NSA's `It's just metadata' (RISKS-27.44)

There's an easy way for Mr. Obama and the NSA to convince people that the "metadata" that they collect has no privacy implications. They can publish theirs.
Publish the "metadata" for all phone calls made to or from the White House and the NSA, whether they be landlines, wireless, or VOIP. Put it on a website with a search engine, and update the data (at least) every day.

Marshall Clow, Idio Software  mclow.lists () gmail com

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.45
************************