RISKS Forum mailing list archives

Risks Digest 28.19


From: RISKS List Owner <risko () csl sri com>
Date: Thu, 21 Aug 2014 11:44:23 PDT

RISKS-LIST: Risks-Forum Digest  Thursday 21 August 2014  Volume 28 : Issue 19

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.19.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Computer Eyesight Gets a Lot More Accurate (John Markoff via
  Dewayne Hendricks)
This chart shows the world's Internet usage shifting to smartphones
  (Jon Russell via Dewayne Hendricks)
Hacking Traffic Lights is Amazingly Really Easy (David Farber)
How to Save the Net: Don't Give In to Big ISPs (Reed Hastings via NNSquad)
Customer data may have been exposed by malware at UPS stores in 24 states
  (HuffPost via David Farber)
Leaked Docs Show Spyware Used to Snoop on U.S. Computers (Propublica
  via Monty Solomon)
Google Map Tracks Your Every Move. Check Your 'Location History' to
  Verify It (David Farber)
Microsoft yanks botched Black Tuesday patches KB 2982791, KB 2970228, KB
  2975719, and KB 2975331 (Woody Leonhard via Gene Wirchenko)
Re: Pervasive Medicare Fraud Proves Hard to Stop (Abelson/Lichtblau via
  Kevin Fu)
Re: Human cryptography is the key to online voting (Lyndon Nerenberg)
Re: Lawful Hacking ... (Eric Amick)
Re: Google scanning e-mail (Dimitri Maziuk)
Re: Some taking a hard line against paying by E-ZPass (Stephen Bryant)
Re: Cybersecurity as Realpolitik: Black Hat keynote (Alister Wm Macintyre)
Re: Breach of 1.2 billion user names and passwords (Alister Wm Macintyre)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tuesday, August 19, 2014
From: *Dewayne Hendricks* <dewayne () warpspeed com>
Subject: Computer Eyesight Gets a Lot More Accurate (John Markoff)

John Markoff, *The New York Times*, 18 Aug 2014 (via Dave Farber)

http://bits.blogs.nytimes.com/2014/08/18/computer-eyesight-gets-a-lot-more-accurate/

Just as the Big Bad Wolf promised Little Red Riding Hood that his bigger
eyes were ``the better to see you with,'' a machine's ability to see the
world around it is benefiting from bigger computers and more accurate
mathematical calculations.

The improvement was visible in contest results released Monday evening by
computer scientists and companies that sponsor an annual challenge to
measure improvements in the state of machine vision technology.

Started in 2010 by Stanford, Princeton and Columbia University scientists,
the Large Scale Visual Recognition Challenge this year drew 38 entrants from
13 countries. The groups use advanced software, in most cases modeled
loosely on the biological vision systems, to detect, locate and classify a
huge set of images taken from Internet sources like Twitter. The contest was
sponsored this year by Google, Stanford, Facebook and the University of
North Carolina.

Contestants run their recognition programs on high-performance computers
based in many cases on specialized processors called GPUs, for graphic
processing units.

This year there were six categories based on object detection, locating
objects and classifying them. Winners included the National University of
Singapore, Oxford University, Adobe Systems, the Center for Intelligent
Perception and Computing at the Chinese Academy of Sciences, as well as
Google in two separate categories.

Accuracy almost doubled in the 2014 competition and error rates were cut in
half, according to the conference organizers.

``This year is really what I consider a historical year for the challenge,''
said Fei-Fei Li, the director of the Stanford Artificial Intelligence
Laboratory and one of the creators of a vast set of labeled digital images
that is the basis for the contest.  ``What really excites us is that
performance has taken a huge leap.''

Despite the fact that the contest is based on pattern recognition software that
can be `trained' to recognize objects in digital images, the contest itself
is made possible by the Imagenet database, an immense collection of more
than 14 million images that have been identified by humans. The Imagenet
database is publicly available to researchers at http://image-net.org/.

In the five years that the contest has been held, the organizers have twice,
once in 2012 and again this year, seen striking improvements in accuracy,
accompanied by more sophisticated algorithms and larger and faster
computers.

In 2012 the contest was won by Geoffrey E. Hinton, a cognitive scientist at
the University of Toronto, and two of his students. Mr. Hinton is a pioneer
in the field of artificial neural networks, and in 2013 he joined Google
with his students Alex Krizhevsky and Ilya Sutskever.

This year the entrants had the option of either disclosing the details of
their algorithms or keeping them proprietary, and all of the winning groups
chose to share details of their technical innovations. That was significant,
according to Dr. Li, because it is possible to move quickly from research to
commercial applications.

Machine vision has countless applications, including computer gaming,
medical diagnosis, factory robotics and automotive safety systems. Recently
a number of car makers have added the ability to recognize pedestrians and
bicyclists and stop automatically without driver intervention. [...]

------------------------------

Date: August 19, 2014 at 11:35:40 AM EDT
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: This chart shows the world's Internet usage shifting to smartphones
  (Jon Russell)

This chart shows the world's Internet usage shifting to smartphones
Jon Russell, The Next Web, 19 Aug 2014 (via Dave Farber)

<http://thenextweb.com/shareables/2014/08/19/watch-world-move-towards-smartphones-one-simple-chart/>

It's well known that mobile phones are increasingly the primary device for
accessing the Internet across the world. Here's a great way to illustrate
that using Google's Public Data service.

Plotting smartphone usage against PC usage produces this fascinating chart
which literally shows the rise of smartphone usage over the past three
years.

It's worth bearing in mind that this data comes from TNS Germany -- which,
though a reputable source of information, means there may be anomalies.
Nonetheless, it demonstrates one of the most important technological trends
of the decade. ...

------------------------------

Date: Thu, 21 Aug 2014 11:58:07 -0400
From: "David Farber via ip" <ip () listbox com>
Subject: Hacking Traffic Lights is Amazingly Really Easy

http://thehackernews.com/2014/08/hacking-traffic-lights-is-amazingly_20.html

------------------------------

Date: Tue, 19 Aug 2014 17:58:06 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: How to Save the Net: Don't Give In to Big ISPs (Reed Hastings)

  "It's worth noting that Netflix connects directly with hundreds of ISPs
  globally, and 99 percent of those agreements don't involve access fees. It
  is only a handful of the largest U.S. ISPs, which control the majority of
  consumer connections, demanding this toll. Why would more profitable,
  larger companies charge for connections and capacity that smaller
  companies provide for free? Because they can.  This is the reason we have
  opposed Comcast's proposed acquisition of Time Warner Cable. Comcast has
  already shown the ability to use its market position to require access
  fees, as evidenced by the Netflix congestion that cleared up as soon as we
  reached an agreement with them. A combined company that controls over half
  of US residential Internet connections would have even greater incentive
  to wield this power."
    Reed Hastings, WiReD via NNSquad,
    http://www.wired.com/2014/08/save-the-net-reed-hastings/

------------------------------

Date: Thu, 21 Aug 2014 10:05:12 -0400
From: "David Farber via ip" <ip () listbox com>
Subject: Customer data may have been exposed by malware at UPS stores
  in 24 states (HuffPost)

This is getting boring. djf

http://www.huffingtonpost.com/2014/08/21/malware-breach-ups_n_5697157.html

------------------------------

Date: Thu, 21 Aug 2014 01:10:41 -0400
From: Monty Solomon <monty () roscom com>
Subject: Leaked Docs Show Spyware Used to Snoop on U.S. Computers

http://www.propublica.org/article/leaked-docs-show-spyware-used-to-snoop-on-u.s.-computers

------------------------------

Date: Thu, 21 Aug 2014 12:02:11 -0400
From: "David Farber via ip" <ip () listbox com>
Subject: Google Map Tracks Your Every Move. Check Your 'Location History' to
  Verify It

There is the url in the news item on how to check your history. djf

http://thehackernews.com/2014/08/google-map-tracks-your-every-move-check.html

"Google has been involved in several controversies including among the
companies that was claimed to cooperate with US surveillance agencies on
their global data-mining programmes, and just yesterday the popular Media
tycoon Rupert Murdoch labeled Google worse than the NSA, saying ``NSA
privacy invasion bad, but nothing compared to Google.''

Now another, but already known controversy over the Internet giant has
raised many concerns over privacy of users who carry their smartphones with
them. We all have sensors in our pockets that track us everywhere we go
i.e., Smartphones.

GOOGLE TRACKS YOU EVERYWHERE YOU GO.

------------------------------

Date: Tue, 19 Aug 2014 10:19:56 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Microsoft yanks botched Black Tuesday patches KB 2982791,
  KB 2970228, KB 2975719, and KB 2975331 (Woody Leonhard)

Woody Leonhard | InfoWorld, 18 Aug 2014
Microsoft recommends that users uninstall last week's update -- even
if their machines are working fine
http://www.infoworld.com/t/microsoft-windows/microsoft-yanks-botched-black-tuesday-patches-kb-2982791-kb-2970228-kb-2975719-and-kb-2975331-248582

selected text:

The problems are so bad that you'd be well-advised to uninstall the
offending Automatic Update patches, even if your machine is working fine at
the moment. It's possible, but by no means certain, that as long as the bad
patches are at work, installing certain applications or modifying your fonts
in specific odd (but entirely legitimate) ways may brick your
machine. Microsoft buries that recommendation in the fine print of its FAQ
for MS14-045.
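An added example, not from the InfoWorld article or from Microsoft: a PowerShell snippet that checks an elevated session for the four withdrawn MS14-045 updates named above and uninstalls any that are present with wusa.exe. The KB numbers are the ones in the article; everything else (loop structure, /quiet /norestart flags, the reboot reminder) is this editor's assumption about how a practitioner would script the recommendation.

```powershell
# Added example, not the article's or Microsoft's own code.
# Run from an elevated (Administrator) PowerShell session.
# Get-HotFix reads Win32_QuickFixEngineering, so an update that was
# installed but never registered there will not be reported.
$withdrawnKbs = '2982791', '2970228', '2975719', '2975331'   # from the article

foreach ($kb in $withdrawnKbs) {
    $hotfix = Get-HotFix -Id "KB$kb" -ErrorAction SilentlyContinue
    if ($hotfix) {
        Write-Host "KB$kb is installed (InstalledOn: $($hotfix.InstalledOn)); uninstalling"
        # wusa.exe is the Windows Update Standalone Installer; /uninstall /kb:NNN
        # removes a single update. /norestart lets us reboot once at the end.
        Start-Process -FilePath 'wusa.exe' `
            -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait
    } else {
        Write-Host "KB$kb is not installed; nothing to do"
    }
}

Write-Host 'Done. Reboot before judging whether the machine is healthy.'
```

Re-run `Get-HotFix -Id KB2982791,KB2970228,KB2975719,KB2975331` after the reboot to confirm the removals took; wusa returns silently under /quiet even when it declines to act, so the check is the only reliable signal. Until Microsoft ships replacements, Automatic Updates may offer the same KBs again, so hide them in Windows Update rather than simply deferring them.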

------------------------------

Date: Tue, 19 Aug 2014 01:53:11 -0400
From: Kevin Fu <kevinfu () umich edu>
Subject: Re: Pervasive Medicare Fraud Proves Hard to Stop (Abelson/Lichtblau)

This *NYTimes* article focuses on the dramatic part of Medicare fraud---the
horse-out-of-the-barn scenario of catching bad guys red handed.  But the
problem is more interesting than that, but perhaps less dramatic.  If you
read the GAO reports or attend the House hearings, you'll find that the
problem breaks down into subtle terms of:

  Fraud.
  Waste.
  Abuse.

One of the more effective mitigation strategies mentioned in the GAO report
is the use of stronger registration controls and vetting of new vendors
(stop the bad guys from setting up shop), and the use of surety bonds (make
the bad guy take a risk).  The surety bonds are not sexy, but they can be
more effective than just chasing horses.  However, there will always be some
horses to chase I suppose.

U.S. GAO reports:
http://www.gao.gov/assets/670/664381.pdf
http://www.gao.gov/products/GAO-11-409T

My U.S. House testimony:
http://energycommerce.house.gov/hearing/examining-options-combat-health-care-waste-fraud-and-abuse

------------------------------

Date: Mon, 18 Aug 2014 15:31:02 -0700
From: Lyndon Nerenberg <lyndon () orthanc ca>
Subject: Re: Human cryptography is the key to online voting (RISKS-28.18)

who has received an Australian Research Council Future Fellowship worth
almost $800,000 to build user-owned passwords.  PGN]

The dollar value of the award validates the worthiness of his words?
You know better than that.

------------------------------

Date: Mon, 18 Aug 2014 17:03:35 -0400
From: Eric Amick <eric.amick () verizon net>
Subject: Re: Lawful Hacking ... (RISKS-28.19)

... Using Existing Vulnerabilities for Wiretapping the Internet

As Dietrich Bonhoeffer, ... famously noted:

It was Martin Niemöller.

------------------------------

Date: Mon, 18 Aug 2014 18:39:02 -0500
From: Dimitri Maziuk <dmaziuk () bmrb wisc edu>
Subject: Re: Google scanning e-mail (Brown, RISKS-28.18)

Should Google be looking for drug deals, too?

Yes. Once they can tell drug deals from discounted generic pills, they
should be looking. To improve the targeting of their advertising.

Because you want fewer false positives, you want to be able to tell a drug
dealer from a diabetic looking for insulin. Or a pedophile from a young
mother shopping for pampers.

Because computers are stupid, all they can do is search for patterns in a
stream of e-mails. You have to figure out what the pattern means. You have
to tell them: this pattern is X, that one's Y. This one we want for ads,
that one we're legally required to report to LEAs.

It has nothing to do with what you might think reprehensible or illegal,
sorry.

Dimitri Maziuk, BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu

------------------------------

Date: Tue, 19 Aug 2014 14:40:49 +0000
From: <Stephen.Bryant () sungard com>
Subject: Re: Some taking a hard line against paying by E-ZPass (Reisert,
  RISKS-28.17)

I am not one of those who is worried about EZ-Pass.  I have used it since
2001 and it has saved me countless long waits for a toll booth.  Yes, they
know where I've been, but at least I know that they know.

But I have sometimes used the cash lane instead.  There have been times when
the EZ-Pass-only lanes have been jammed up, and I'd rather pay cash (this is
an xor choice on the Mass Pike) than be one of dozens of cars merging and
creeping through an overcrowded lane.

So I vote for keeping both.

------------------------------

Date: Tue, 19 Aug 2014 14:19:07 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Re: Cybersecurity as Realpolitik: Black Hat keynote (Gold, R-28.18)

Barry Gold wrote about the importance of a right to start over with a
replacement Internet identity.

* So that's what we need.  A right to change your name and start over,
  possibly in a new place or at least a new website and/or ISP.  Yes?

I saw some time ago that there was some move from governments to make it
illegal for a person to give false information about who they are, to any
Internet service.  Could someone point me at a url with an update on whether
that is still a real threat?

There are long standing needs in the physical world, for people to get new
identities, or more than one identity.

* Children should not be using real identities until they have sufficiently
  matured to know what info about themselves is too dangerous for the public
  to know.

* Victims of real-world harassment, like domestic abuse & stalking -- they
  need to get a new identity, new e-mail address, new phone #, then supply
  that to most trusted friends and family, while keeping the new contact
  info confidential from whoever is the threat.  Judgment errors in who to
  trust mean that this replacement may need to be done multiple times.

* Witness protection on the Internet.

* There's our life associated with our career, and on the job vs.  our
  private life outside of work place -- different identities for each
  reality.

* There's where we must use PII for government dictated interaction --
  taxes, finances -- and there's where PII has no place, social media --
  different Internet ID for the 2 realities.

There was a crook using Facebook who got caught, but I wonder how many out
there are not yet caught.

1. People on Facebook were giving what was believed to be their real
   name, real geography, lots of personal info.

2. The crook got lists of banks and credit unions in the identified
   geography, then started calling them.

3. ``If I forget my password, what do I need to tell you, short of coming
   into the bank in person?''

4. ``Can you look up to see if there is an account in my name?''
   (Using name of person from Facebook, who lived in that city)

5. Then checking the info about the person on Facebook, to get the info
   needed for the security questions at the banks.

6. Then engaging in fraud against the people whose Facebook info matched
   their bank security info.

------------------------------

Date: Tue, 19 Aug 2014 13:57:40 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Re: Breach of 1.2 billion user names and passwords (Gold, R-28.18)

Barry Gold wrote about challenges of password management, in a world of
nasty e-spies, and he concluded

Screw this.  I'm going back to storing them in a Word file.

One of his concerns was risk of a key-tracker.  I think our security needs
to be able to evaluate what is running in the background, specifically
looking for things like a key-tracker.

I have access to more than one `working' PC in my home:

* Cave Man -- supplied by my employer, which is 20+ years ancient, OS --
also ancient.

* Heaven's to Betsy - personal PC, going on 10 years old.

* Einstein = Latest acquisition, custom setup supplied to me last month by
V.

Long range plan, when one PC has problems, use another on Internet to
research solutions.

Normally use one personal PC for day to day interests, use other to research
apps I am interested in using.

I have met other people with similar arrangements, such as

* several people in one household, or office work place, each with their own
PC, interlinked for sharing printers and other devices.

* A person has both a desk top and lap top and mobile hand-held device,
occasionally interconnects them to share latest copies of some info.

One idea is that we could

* have a Word or Excel File on ONE PC with the passwords needed for another
PC.

* Refrain from using any Internet identity from more than one PC.

That way, if the PC with the passwords got penetrated, they would not be
valid for IDs used from that PC.

Unfortunately, I now use scores of different IDs, and had wanted to have
Excel with columns for: ID; its password; Site; other info.  The reason for
different ID -- if I get breached at a particular site, all they have is
the ID and password I use at that site, not the ID and password used at
scores of other sites.  So I would need to have one file for each id.  It
would be convenient for me if they were all in one folder -- go to folder,
click on file whose name is the ID, and in there is Excel with password that
ID uses at each of several different sites.  Alternatively files named after
site -- click on them & see ID and password used for that site.  But all in
one folder might be too obvious for crooks -- they find one id or password
or site, recognize what it is, rapidly find the others.

Could someone comment on the validity and risks of my approach ideas?

I recognize a more ideal solution would be to have the file on a PC or other
device which will NEVER be connected to the Internet, but would have
copy/paste capability using some kind of smart card reader normally used by
business cards.  The stand-alone device copies the password & related info
to like a business card.  The Internet connection device reads this in, then
we copy/paste from there to where needed.  This way, the stand-alone unit
can only be penetrated by physical burglary, or insider, where a trusted
visitor is a mistake, or we forget ourselves and permit data flow in other
direction, such as when we implement some upgrade.

Some day I'd like to be able to again play all the old DOS MPS games &
recognize such a system would have to be stand alone so it would be Ok to
not get upgraded to a reality which no longer supports those games.  There
were also games I enjoyed on OS no longer around.

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.19
************************

