RISKS Forum mailing list archives
Risks Digest 27.82
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 29 Mar 2014 19:14:39 PDT
RISKS-LIST: Risks-Forum Digest  Saturday 29 March 2014  Volume 27 : Issue 82
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.82.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Reconsidering Malaysian MH 370 (PGN)
A prosecution trend to watch out for: liking a Facebook post (Privacy Surgeon)
Smart key, pretty dumb: Chevy Volt (Tim Duncan)
Carmaker Misled Grieving Families on a Lethal Flaw (NYT)
CASL destined to be challenged on grounds it violates Charter rights: lawyers
  (Brian Jackson via Gene Wirchenko)
NSA: Fixing Internet vulnerabilities compromises national security
  (Henry Baker)
Police Keep Quiet About Cell-Tracking Technology (Jack Gillum via Monty Solomon)
Can You Trust 'Secure' Messaging Apps? (Molly Wood via Monty Solomon)
Previewing e-mail in Outlook can lead to malware infection
  (Lewis Morgan via Gene Wirchenko)
Third-Party Hotel Booking Sites Can Mislead Consumers
  (Alina Tugend via Monty Solomon)
Obama to Call for End to N.S.A.'s Bulk Data Collection
  (Charlie Savage via Monty Solomon)
Turkey Moves To Block Twitter At The IP Level (Lauren Weinstein)
Turkey blocks Google's DNSs (tkalama)
Closing the Gap to Human-Level Performance in Face Verification
  (Taigman et al. via Monty Solomon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 26 Mar 2014 17:01:07 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Reconsidering Malaysian MH 370

Understanding of the saga of Malaysian MH 370 is still considerably murky.
The currently plausible explanation seems to be that the plane apparently
suffered some sort of electrical technological failure with fire and intense
smoke, or perhaps human-aided catastrophic failure mode that might have
eventually led to the incapacitation of the crew (and presumably everyone on
board) -- despite all of the aircraft's would-be modular redundancy. In its
last few hours, the autopilot had evidently been enabled (only a single
button push is required to continue on the existing course), and the plane
apparently then continued to fly without any crew member's assistance until
it ran out of fuel somewhere in the south Indian Ocean. Even with the
limited radar and electronic tracking, computation of the exact location of
its demise is subject to many real-time variables (winds, altitude,
temperature, and so on) in a very remote area. Very little seems known
about the reasons for and effects of the earlier large changes in direction
(an initial zig and then zag) and altitude (up and then down). There are
still many unanswered questions -- as to the cause, the reasons for the
initial zig-zag (perhaps the pilot frantically tried to head toward an
emergency landing on the nearest island with a landing strip), how the crew
became disabled, and whether the sequence of unanticipated events unfolded,
with perhaps some combination of inadvertent and/or malicious human actions
involved. It appears that unanticipated accidental causes, possibly together
with pilot inability to cope with overwhelming circumstances, are sufficient
to explain most of what happened, although the possibility of some malicious
human actions is still not out of the question. The Malaysian government
and other geopolitical forces certainly contributed to the overall confusion.

In response, some people have suggested that black-box data should be
transmitted in real time to reliable remote repositories (truly cloud
servers?). That might have been very effective in this case, to help
determine the initial series of events, although it might not have helped to
pinpoint the site of the ultimate crash site -- where adequate satellite
communication coverage may not have existed, and where the data may have
been simply overwritten after the subsequent hours of continued flight.

------------------------------

Date: Tue, 25 Mar 2014 13:40:22 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: A prosecution trend to watch out for: liking a Facebook post

  [Thanks to Simon Davies <simon () privacy org> for spotting this one.  PGN]

UK police action over "liking" a Facebook post could signal a dangerous
prosecution trend
http://www.privacysurgeon.org/blog/incision/uk-police-action-over-liking-a-facebook-post-could-signal-a-dangerous-prosecution-trend/

  [like a look?  look alike?  MITI likes arose?  PGN]

------------------------------

Date: Tue, 25 Mar 2014 14:46:56 -0400
From: Tim Duncan <tim () duncan cx>
Subject: Smart key, pretty dumb: Chevy Volt

What if you don't want your Smart Key to automatically unlock the doors of
your Chevrolet Volt when it gets within three feet of the car?  Well,
unfortunately, Chevrolet (General Motors) apparently never thought about
this scenario as they didn't design in a way to turn off this feature.

Interesting story about a woman who can't take her key with her surfing
(because it isn't waterproof) and can't lock it in her car either because it
will automatically unlock her doors if she does.

http://techpageone.dell.com/downtime/smart-key-pretty-dumb/?dgc=BA&cid=274608&lid=5143394&acd=12309197280467600#.UzG-GY-d5dI

------------------------------

Date: Wed, 26 Mar 2014 11:41:37 -0400
From: Monty Solomon <monty () roscom com>
Subject: Carmaker Misled Grieving Families on a Lethal Flaw

Hilary Stout, Bill Vlasic, Danielle Ivory and Rebecca R. Ruiz
*The New York Times*, 24 Mar 2014

It was nearly five years ago that any doubts were laid to rest among
engineers at General Motors about a dangerous and faulty ignition switch.
At a meeting on May 15, 2009, they learned that data in the black boxes of
Chevrolet Cobalts confirmed a potentially fatal defect existed in hundreds
of thousands of cars.

But in the months and years that followed, as a trove of internal documents
and studies mounted, G.M. told the families of accident victims and other
customers that it did not have enough evidence of any defect in their cars,
interviews, letters and legal documents show.

Last month, G.M. recalled 1.6 million Cobalts and other small cars, saying
that if the switch was bumped or weighed down it could shut off the engine's
power and disable air bags. ...

http://www.nytimes.com/2014/03/25/business/carmaker-misled-grieving-families-on-a-lethal-flaw.html

------------------------------

Date: Tue, 25 Mar 2014 12:54:39 -0700
From: Gene Wirchenko <genew () telus net>
Subject: CASL destined to be challenged on grounds it violates Charter
  rights: lawyers (Brian Jackson)

Brian Jackson, *IT Business*, 24 Mar 2014
http://www.itbusiness.ca/news/casl-destined-to-be-challenged-on-grounds-it-violates-charter-rights-lawyers/47627

opening text:

Canada's regulations to limit unwanted e-mail messages from businesses have
been four years in the making, but if organizations representing the
business community get their way, it could unravel much faster than that.

Canada's Anti-Spam Legislation (CASL) is set to come into effect July 1 and
requires businesses to receive consent from consumers before sending them
commercial messages via e-mail or any other digital channel.  But members of
the business community and lawyers critical of the new law say the first
organization fined by the enforcement regime will likely challenge it in
court on the basis that it violates the Charter's protection of free speech.
In this case, it would be a limitation on commercial speech.

------------------------------

Date: Fri, 21 Mar 2014 15:26:34 -0700 (GMT-07:00)
From: hbaker1 <hbaker1 () pipeline com>
Subject: NSA: Fixing Internet vulnerabilities compromises national security

Richard Ledgett, Deputy Director of the NSA, recently responded to Edward
Snowden in a 30-minute TED Talk interview with Chris Anderson:

https://www.ted.com/talks/richard_ledgett_the_nsa_responds_to_edward_snowden_s_ted_talk

also on YouTube: https://www.youtube.com/watch?v=zLNXIXingyU

Although this interview has been covered in the press, so far the articles
I've seen missed an important exchange between Ledgett and Anderson.

At ~7:40 into this interview, Chris asked Richard about the NSA's BULLRUN
program to weaken Internet encryption standards, and then at ~27:30 Chris
asks about the NSA's exploitation of existing Internet vulnerabilities.

Richard never directly answered the question about weakening encryption, but
he did declare that the NSA discloses to vendors the "overwhelming majority"
of vulnerabilities that the NSA finds.  Of course, no actual statistics were
given about the number of vulnerabilities that were disclosed, nor how long
the NSA took before such disclosures were made, nor how ethical it would be
for the NSA to leave US citizens, companies, banks, and state & local
governments at continuing risk of attacks from the vulnerabilities that the
NSA preferred not to disclose.

But Ledgett emphatically claimed that Snowden's disclosures of these
vulnerabilities compromised national security, thus equating "Internet
vulnerabilities" with "national security"; i.e., it is the NSA's policy to
preserve Internet vulnerabilities in the interest of "national security".

Nine months after Snowden's disclosures, I'm still trying to get my head
around how an agency of the U.S. government which is paid by my tax dollars
and which is sworn to protect me, arrogantly thinks that keeping me, my
identity, and my computers vulnerable to all the bad actors in the world is
somehow improving my "national security".

The NSA has apparently taken up Saddam Hussein's tactics and decided to use
me -- and you and every American citizen with a computer -- as a "human
shield" against terrorists.  Any damage to our identities and bank accounts
are merely collateral damage and acceptable losses in this war on
terrorists, drug dealers and paedophiles.  In the best gung-ho
Vietnam-war-like bravado, "we [the NSA] had to destroy the Internet in order
to save it".

At the very minimum, the NSA's view is an exceedingly provincial and warped
view of "national security".  It's time for these NSA guys/gals to "come out
of the cold" and get a real job in the commercial sector to help to actually
protect each and all of us from those bad actors on the Internet.

------------------------------

Date: Wed, 26 Mar 2014 11:41:37 -0400
From: Monty Solomon <monty () roscom com>
Subject: Police Keep Quiet About Cell-Tracking Technology (Jack Gillum)

Jack Gillum, Associated Press, 22 Mar 2014

Police across the country may be intercepting phone calls or text messages
to find suspects using a technology tool known as Stingray.  But they're
refusing to turn over details about its use or heavily censoring files when
they do.

Police say Stingray, a suitcase-size device that pretends it's a cell tower,
is useful for catching criminals, but that's about all they'll say.

For example, they won't disclose details about contracts with the device's
manufacturer, Harris Corp., insisting they are protecting both police
tactics and commercial secrets.  The secrecy - at times imposed by
nondisclosure agreements signed by police - is pitting obligations under
private contracts against government transparency laws.

Even in states with strong open records laws, including Florida and Arizona,
little is known about police use of Stingray and any rules governing it.

A Stingray device tricks all cellphones in an area into electronically
identifying themselves and transmitting data to police rather than the
nearest phone company's tower.

Because documents about Stingrays are regularly censored, it's not
immediately clear what information the devices could capture, such as the
contents of phone conversations and text messages, what they routinely do
capture based on how they're configured or how often they might be used. ...

http://abcnews.go.com/Technology/wireStory/police-quiet-cell-tracking-technology-23016515

------------------------------

Date: Sun, 23 Mar 2014 00:23:45 -0400
From: Monty Solomon <monty () roscom com>
Subject: Can You Trust 'Secure' Messaging Apps? (Molly Wood)

Molly Wood, *The New York Times*, blog, 19 Mar 2014

It's officially a post-Snowden and post-WhatsApp world, and my inbox is
filled with pitches from companies promoting their secure messaging apps.
But can you trust them?

As the messaging wars heat up, security seems to be the big differentiator -
the levels of security range from "military grade" to lightweight, depending
on the app.  But all of them have one thing in common, said the
cryptographer and security expert Bruce Schneier: You shouldn't use them if
your life is on the line.

Mr. Schneier said when it comes to evaluating the security of a secure
messaging app, the real question lies in why you need it. ...

http://bits.blogs.nytimes.com/2014/03/19/can-you-trust-secure-messaging-apps/

------------------------------

Date: Tue, 25 Mar 2014 12:56:23 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Previewing e-mail in Outlook can lead to malware infection
  (Lewis Morgan)

Lewis Morgan, IT Governance, 25 Mar 2014
Microsoft 'zero day' vulnerability
http://blog.itgovernance.co.uk/microsoft-zero-day-vulnerability-previewing-emails-in-outlook-can-lead-to-malware-infection-2/

opening text:

On 24 March Microsoft released details about a vulnerability in Microsoft
Word that can be used to infect computers with malware.  The disturbing part
however, is that computers can be infected from just 'previewing' an e-mail
in Microsoft Outlook.

------------------------------

Date: Sun, 23 Mar 2014 00:23:45 -0400
From: Monty Solomon <monty () roscom com>
Subject: Third-Party Hotel Booking Sites Can Mislead Consumers (Alina Tugend)

Alina Tugend, *The New York Times*, 21 Mar 2014

This is the situation: Customers search for a particular hotel and click on
a link.  They think they've landed on the official hotel website, but
unknowingly they really have arrived at an unrelated site of a hotel booking
company.  They're promised great deals - and warned that rooms are going
fast - but it turns out these so-called bargains are often worse than what's
offered directly by the hotel.

Many people have discovered this practice the hard way.  Randy Ratliff, a
lawyer in Kentucky; Debbie Greenspan, a hospitality expert in Maryland; and
dozens of other people have posted comments online saying they were duped
when they thought they were booking rooms on hotel websites, only to wind up
fighting credit card charges from companies they had never heard of. ...

http://www.nytimes.com/2014/03/22/your-money/third-party-hotel-booking-sites-can-mislead-consumers.html

------------------------------

Date: Wed, 26 Mar 2014 11:41:37 -0400
From: Monty Solomon <monty () roscom com>
Subject: Obama to Call for End to N.S.A.'s Bulk Data Collection (Charlie Savage)

Charlie Savage, *The New York Times*, 24 Mar 2014
http://www.nytimes.com/2014/03/25/us/obama-to-seek-nsa-curb-on-call-data.html

WASHINGTON - The Obama administration is preparing to unveil a legislative
proposal for a far-reaching overhaul of the National Security Agency's
once-secret bulk phone records program in a way that - if approved by
Congress - would end the aspect that has most alarmed privacy advocates
since its existence was leaked last year, according to senior administration
officials.

Under the proposal, they said, the N.S.A. would end its systematic
collection of data about Americans' calling habits.  The bulk records would
stay in the hands of phone companies, which would not be required to retain
the data for any longer than they normally would.  And the N.S.A. could
obtain specific records only with permission from a judge, using a new kind
of court order. ...

------------------------------

Date: Sat, 22 Mar 2014 15:43:25 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Turkey Moves To Block Twitter At The IP Level

"In its effort to curtail access to Twitter, Turkey is getting more
aggressive with a block of the service's IP address, according to sources
inside Turkey as well as a DNS provider.  That means that changing their DNS
server, whether it be Google DNS or OpenDNS, will no longer work for
residents in the country ...  But the latest move by the government will
make it more difficult, but not quite impossible, for residents to access
Twitter.  By blocking Twitter at the IP level, DNS services will no longer
work.  Instead, citizens are being urged to access the service via VPN or by
using the Tor anonymity network."

http://j.mp/NE9nmr  (Techcrunch via NNSquad)

 - - -

If the government of Turkey comes knocking on the Internet Governance door
any time soon as things stand now, slam it in their face.

  [This has no end, apparently.  For example, browse on
  `Turkey blocks YouTube days after Twitter ban'.  PGN]

------------------------------

Date: Sun, 23 Mar 2014 11:07:27 +0200
From: tkalama <tkalama1 () gmail com>
Subject: Turkey blocks Google's DNSs

[...]  Many groups have voiced outrage and many have suggested manually
changing the DNS servers so that Twitter can be accessed again.  A day
later, Google's DNSs (8.8.8.8 and 8.8.4.4) have also been blocked in Turkey.
Likewise, the IP addresses belonging to twitter.com have also been blocked.

Despite all these measures of censorship, the use of Twitter in Turkey has
exploded, thanks to proxy servers, alternative DNS servers, and VPN servers.
It has been said that Egypt's Mubarak remained in power for only 16 days
after banning social networks in the country, thus Turks are hopeful that
three of those sixteen days have already gone by.

------------------------------

Date: Sun, 23 Mar 2014 15:12:54 -0400
From: Monty Solomon <monty () roscom com>
Subject: Closing the Gap to Human-Level Performance in Face Verification
  (Taigman et al.)

Yaniv Taigman, Ming Yang, Marc'Aurelio Ranzato, Lior Wolf
DeepFace: Closing the Gap to Human-Level Performance in Face Verification
Conference on Computer Vision and Pattern Recognition (CVPR)

Abstract

In modern face recognition, the conventional pipeline consists of four
stages: detect => align => represent => classify.  We revisit both the
alignment step and the representation step by employing explicit 3D face
modeling in order to apply a piecewise affine transformation, and derive a
face representation from a nine-layer-deep neural network.  This deep
network involves more than 120 million parameters using several locally
connected layers without weight sharing, rather than the standard
convolutional layers.  Thus we trained it on the largest facial dataset to
date, an identity-labeled dataset of four million facial images belonging to
more than 4,000 identities, where each identity has an average of over a
thousand samples.  The learned representations coupling the accurate
model-based alignment with the large facial database generalize remarkably
well to faces in unconstrained environments, even with a simple classifier.
Our method reaches an accuracy of 97.25% on the Labeled Faces in the Wild
(LFW) dataset, reducing the error of the current state of the art by more
than 25%, closely approaching human-level performance. ...

https://www.facebook.com/publications/546316888800776/
https://www.facebook.com/download/388286407980383/deepface.pdf

  [Potentially an interesting advance.  This might work fairly well for
  small groups of subjects.  But note that a 2.75% inaccuracy rate would
  represent 27,500 false identifications for each million subjects.  One
  potential question for Homeland Security: For how many known terrorists
  are there 1000 images, and for how many unknown terrorists are there any
  known images?  PGN]

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.82
************************