RISKS Forum mailing list archives
Risks Digest 28.36
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 17 Nov 2014 13:34:41 PST
RISKS-LIST: Risks-Forum Digest  Monday 17 November 2014  Volume 28 : Issue 36

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.36.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Crypto Wars II (Bruce Schneier)
81% of Tor users can be de-anonymized by analyzing router information (The Stack via NNSquad)
The GCHQ boss's assault on privacy is promoting illegality on the Net (Eben Moglen via Brian Randell)
More Federal Agencies Are Using Undercover Operations (NYT via Monty Solomon)
State Department Targeted by Hackers in 4th Agency Computer Breach (NYT)
Americans' Cellphones Targeted in Secret U.S. Spy Program (Devlin Barrett)
Lost Key? Copies From the Cloud! (Monty Solomon)
Internet Voting Hack Alters PDF Ballots In Transmission (Michael Mimoso via Jim Reisert)
Bloomberg: Forex Investors May Face $1 Billion Loss as Trade Site Vanishes (Gabe Goldberg)
FileVault 2: Mac users' unsaved files and screenshots are automatically uploaded (Gabe Goldberg)
For Guccifer, Hacking Was Easy. Prison Is Hard (Monty Solomon)
Americans Say They Want Privacy, but Act as if They Don't (NYT via Monty Solomon)
Debts Canceled by Bankruptcy Still Mar Consumer Credit (NYT via Monty Solomon)
Poor systems design may kill... (Jay Ashworth)
"Vulnerability leaves iPhones and iPads open to fake app attack" (Martyn Williams via Gene Wirchenko)
"Malware doesn't discriminate when it comes to Web ads" (Serdar Yegulalp via Gene Wirchenko)
Only Half of USB Devices Have an Unpatchable Flaw But No One Knows Which Half (Andy Greenberg)
`Masque Attack' Bug Threatens iOS Users (Stephanie Mlot)
ISPs Removing Their Customers' Email Encryption (Jacob Hoffman-Andrews)
Re: ISPs Removing Their Customers' Email Encryption (Suresh Ramasubramanian via Dave Farber, Scott Miller via Bob Gezelter)
Re: Risks of assuming votes are accurate (Rashid Motala, John Levine)
Re: $11M Tool That Could Help Computers Write Their Own Code (Joseph Barrett, Erling Kristiansen)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 15 Nov 2014 02:22:20 -0600
From: Bruce Schneier <schneier () schneier com>
Subject: Crypto Wars II

CRYPTO-GRAM
November 15, 2014
by Bruce Schneier
CTO, Co3 Systems, Inc.
schneier () schneier com
http://www.schneier.com

[EXCERPTED FOR RISKS. PGN]

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <http://www.schneier.com/crypto-gram-1411.html>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively and intelligent comment section. An RSS feed is available.

Crypto Wars II

FBI Director James Comey again called for an end to secure encryption by putting in a backdoor. Here's his speech:

  There is a misconception that building a lawful intercept solution into a system requires a so-called "back door," one that foreign adversaries and hackers may try to exploit. But that isn't true. We aren't seeking a back-door approach. We want to use the front door, with clarity and transparency, and with clear guidance provided by law. We are completely comfortable with court orders and legal process -- front doors that provide the evidence and information we need to investigate crime and prevent terrorist attacks.

  Cyber adversaries will exploit any vulnerability they find. But it makes more sense to address any security risks by developing intercept solutions during the design phase, rather than resorting to a patchwork solution when law enforcement comes knocking after the fact. And with sophisticated encryption, there might be no solution, leaving the government at a dead end -- all in the name of privacy and network security.

I'm not sure why he believes he can have a technological means of access that somehow only works for people of the correct morality with the proper legal documents, but he seems to believe that's possible. As Jeffrey Vagle and Matt Blaze point out, there's no technical difference between Comey's "front door" and a "back door."

As in all of these sorts of speeches, Comey gave examples of crimes that could have been solved had only the police been able to decrypt the defendant's phone. Unfortunately, none of the three stories is true. The Intercept tracked down each story, and none of them is actually a case where encryption foiled an investigation, arrest, or conviction:

  In the most dramatic case that Comey invoked -- the death of a 2-year-old Los Angeles girl -- not only was cellphone data a non-issue, but records show the girl's death could actually have been avoided had government agencies involved in overseeing her and her parents acted on the extensive record they already had before them.

  In another case, of a Louisiana sex offender who enticed and then killed a 12-year-old boy, the big break had nothing to do with a phone: The murderer left behind his keys and a trail of muddy footprints, and was stopped nearby after his car ran out of gas.

  And in the case of a Sacramento hit-and-run that killed a man and his girlfriend's four dogs, the driver was arrested in a traffic stop because his car was smashed up, and immediately confessed to involvement in the incident.

  [...]

  Hadn't Comey found anything better since then? In a question-and-answer session after his speech, Comey both denied trying to use scare stories to make his point -- and admitted that he had launched a nationwide search for better ones, to no avail.

This is important. All the FBI talk about "going dark" and losing the ability to solve crimes is absolute bullshit. There is absolutely no evidence, either statistically or even anecdotally, that criminals are going free because of encryption.

So why are we even discussing the possibility of forcing companies to provide insecure encryption to their users and customers?

Sadly, I don't think this is going to go away anytime soon.

Comey:
http://www.nytimes.com/2014/10/17/us/politics/fbi-director-in-policy-speech-calls-dark-devices-hindrance-to-crime-solving.html or http://tinyurl.com/nwqn846

Comey's speech:
http://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course or http://tinyurl.com/pq426z9

Vagle and Blaze:
http://justsecurity.org/16503/security-front-doors-vs-back-doors-distinction-difference/ or http://tinyurl.com/l5sxvpc

The Intercept:
https://firstlook.org/theintercept/2014/10/17/draft-two-cases-cited-fbi-dude-dumb-dumb/ or http://tinyurl.com/kj5mro5

The EFF points out that companies are protected by law from being required to provide insecure security to make the FBI happy.
https://www.eff.org/deeplinks/2014/10/eff-response-fbi-director-comeys-speech-encryption or http://tinyurl.com/lpvfbyz

My first post on these new Crypto Wars is here.
https://www.schneier.com/blog/archives/2014/10/iphone_encrypti_1.html or http://tinyurl.com/q5ost46

  [Bruce's latest issue of CRYPTOGRAM also includes a bunch of other RISKS-related items. I recommend it for those of you who need to or want to worry about security! Paranoia is not Paranoise. PGN]

------------------------------

Date: Fri, 14 Nov 2014 11:19:33 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: 81% of Tor users can be de-anonymized by analyzing router information, research indicates

The Stack via NNSquad
http://thestack.com/chakravarty-tor-traffic-analysis-141114

  "Research undertaken between 2008 and 2014 suggests that more than 81% of Tor clients can be 'de-anonymized' - their originating IP addresses revealed - by exploiting the 'Netflow' technology that Cisco has built into its router protocols, and similar traffic analysis software running by default in the hardware of other manufacturers."

Not surprising at all.

------------------------------

Date: November 14, 2014 at 2:02:22 AM HST
From: Brian Randell <brian.randell () newcastle ac uk>
Subject: The GCHQ boss's assault on privacy is promoting illegality on the Net (Eben Moglen)

Eben Moglen, *The Guardian*, 14 Nov 2014

The state's anti-privacy bandwagon uses the most misleading language to blackmail technology companies into illegal surveillance.

As he will have wished and we might have predicted, the bandwagon created by the GCHQ boss, Robert Hannigan, is gathering momentum. His demand that the Internet companies abandon their stance on privacy now carries the weight of the British government.
Addressing the Society of Editors conference on Tuesday, Sajid Javid, the culture secretary, dismissed the right to privacy -- in the form of the right to be forgotten -- as ``little more than an excuse for well-paid lawyers to hide the shady pasts of wealthy businessmen and the sexual indiscretions of sporting celebrities.'' Last weekend the former home secretary David Blunkett jumped on board, accusing technology companies that offer encryption of ``helping terrorists to co-ordinate genocide and foster fear and instability around the world.'' Bernard Hogan-Howe, the Metropolitan police commissioner, said this month that space and technology firms must do more to frustrate paedophiles, murderers and terrorists. Hannigan's assault on privacy has found friends in the highest places.

Prior to the Edward Snowden revelations, the spymasters and generals directing the NSA and GCHQ didn't write newspaper essays about their work. But times have changed, highlighted by Hannigan's decision to use the Financial Times last week to accuse Twitter and Facebook -- ``the largest US technology companies'' -- of being routes for crime and terrorism.

Like pretty much everything else said by governments, and spy agencies in particular, since Snowden pulled the behaviour of the US and UK listeners into daylight, Hannigan's comments were intentionally disingenuous. But also, like servants of various despotisms with whom he would be loth to compare himself, Hannigan's frequent use of the word *democracy* is accompanied by a stunning contempt for the rule of law. [...]

Full story (and lots of comments already) at
http://www.theguardian.com/commentisfree/2014/nov/13/gchq-assault-privacy-illegality-net-blackmail-surveillance

------------------------------

Date: Sun, 16 Nov 2014 20:59:18 -0500
From: Monty Solomon <monty () roscom com>
Subject: More Federal Agencies Are Using Undercover Operations

Once largely the domain of the F.B.I., undercover work has increased across federal agencies as policies have changed, according to officials, former agents and documents.

http://www.nytimes.com/2014/11/16/us/more-federal-agencies-are-using-undercover-operations.html

------------------------------

Date: Sun, 16 Nov 2014 21:00:47 -0500
From: Monty Solomon <monty () roscom com>
Subject: State Department Targeted by Hackers in 4th Agency Computer Breach

The agency was forced to temporarily shut down its unclassified email and public websites after the attack on its computer systems.

http://www.nytimes.com/2014/11/17/us/politics/state-department-targeted-by-hackers-in-4th-agency-computer-breach.html

------------------------------

Date: Fri, 14 Nov 2014 06:41:46 -0500
From: Monty Solomon <monty () roscom com>
Subject: Americans' Cellphones Targeted in Secret U.S. Spy Program (Devlin Barrett)

Devlin Barrett, *Wall Street Journal*, 14 Nov 2014

Devices on Planes that Mimic Cellphone Towers Used to Target Criminals, but Also Sift Through Thousands of Other Phones

The Justice Department is scooping up data from thousands of mobile phones through devices deployed on airplanes that mimic cellphone towers, a high-tech hunt for criminal suspects that is snagging a large number of innocent Americans, according to people familiar with the operations.

http://online.wsj.com/articles/americans-cellphones-targeted-in-secret-u-s-spy-program-1415917533

------------------------------

Date: Sun, 16 Nov 2014 01:56:36 -0500
From: Monty Solomon <monty () roscom com>
Subject: Lost Key? Copies From the Cloud!
A company is placing kiosks in New York-area 7-Eleven stores that will allow people to make car keys without having to go to a car dealer.

http://www.nytimes.com/2014/11/16/automobiles/lost-key-copies-from-the-cloud.html

------------------------------

Date: Thu, 13 Nov 2014 15:52:39 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Internet Voting Hack Alters PDF Ballots In Transmission (Michael Mimoso)

November 13, 2014, 12:30 pm

Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called "Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering" that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify a ballot before sending it along to an election authority.

http://threatpost.com/internet-voting-hack-alters-pdf-ballots-in-transmission/109333

------------------------------

Date: Thu, 13 Nov 2014 15:36:22 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Bloomberg: Forex Investors May Face $1 Billion Loss as Trade Site Vanishes

The first time Rajibuddin Mandal, a family doctor in Birmingham, England, tried his hand at trading currencies online, he lost 2,000 British pounds. From that experience, he concluded that the foreign-exchange market was too big, too complex and too hazardous for amateur investors like himself. He decided he needed help from the professionals.

http://bloom.bg/1wVxpwW

1%/day gain, investment principal return assured. What could go wrong?

------------------------------

Date: Thu, 13 Nov 2014 10:43:56 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: FileVault 2: Mac users' unsaved files and screenshots are automatically uploaded

Opening TextEdit in your MacBook to jot down some notes may feel like the digital equivalent of scrawling on the back of an envelope. Unfortunately, those unsaved notes may not be as private as you think they are -- and likely haven't been for a while.

If you're like the majority of Mac users, you may think your in-progress files -- the ones you haven't explicitly saved -- are being stored directly on your hard drive. And with FileVault 2, a full-disk encryption feature included with your OS, Apple has made it easy to encrypt the contents of your entire drive, offering an additional layer of security if your laptop is stolen -- especially if you store your own recovery key.

But security researcher Jeffrey Paul recently noticed that Apple's default autosave is storing in-progress files -- the ones you haven't explicitly saved yet -- in the cloud, not on your hard drive. (Surprise!) Unless you decided to hit save before you start typing, or manually changed the default settings, those meeting notes, passwords, and credit card numbers you jotted down in "Untitled 17" are living in iCloud.

http://www.slate.com/blogs/future_tense/2014/11/03/filevault_2_mac_users_unsaved_files_and_screenshots_are_automatically_uploaded.html

What could go wrong?

------------------------------

Date: Thu, 13 Nov 2014 00:21:21 -0500
From: Monty Solomon <monty () roscom com>
Subject: For Guccifer, Hacking Was Easy. Prison Is Hard

http://www.nytimes.com/2014/11/11/world/europe/for-guccifer-hacking-was-easy-prison-is-hard-.html

Marcel-Lehel Lazar, whose pseudonym celebrated ``the style of Gucci and the light of Lucifer,'' rampaged through the email of rich Americans, showing the ease of going rogue online.

------------------------------

Date: Thu, 13 Nov 2014 00:18:42 -0500
From: Monty Solomon <monty () roscom com>
Subject: Americans Say They Want Privacy, but Act as if They Don't

http://www.nytimes.com/2014/11/13/upshot/americans-say-they-want-privacy-but-act-as-if-they-dont.html

People are doubtful about the safety of their personal information online or on cellphones. Yet it does not necessarily change their behavior, according to a new poll.
------------------------------

Date: Thu, 13 Nov 2014 07:20:26 -0500
From: Monty Solomon <monty () roscom com>
Subject: Debts Canceled by Bankruptcy Still Mar Consumer Credit Scores

Officials suspect that big banks ignore bankruptcy court discharges, keeping debts alive on credit reports and impairing borrowers' ability to secure housing and jobs.

http://dealbook.nytimes.com/2014/11/12/debts-canceled-by-bankruptcy-still-mar-consumer-credit-scores/

------------------------------

Date: Mon, 17 Nov 2014 12:40:29 -0500 (EST)
From: Jay Ashworth <jra () baylink com>
Subject: Poor systems design may kill...

And no, that's not really a hyperbolic headline; anyone who knows that power utilities have a hot list of addresses to restore first due to medical device usage knows exactly what I mean.

http://spectrum.ieee.org/aerospace/military/electromagnetic-warfare-is-here

As digital and Internet-connected control expands to cover more and more disciplines that we've never used it on before, our exposure to bad guys becomes larger and larger -- as much because the barrier to entry becomes lower and lower, and there are always 12-year-old boys as for any other reason.

Risk analysis is the fundamental issue here -- and the fact that even those who ask for it don't always listen. We Told You So isn't always even satisfying.

No matter; we *know* where the likely RISKS pinch points are in systems designs; we've known it for years. What hasn't happened is *getting the people who know into the design cycle, everywhere*.

Will that require legislation? We've mooted the topic many times here on RISKS over the 3 decades I've read it. I'm not sure the rate at which the problem's getting better is outstripping the rate at which the domain is getting larger.

Jay R. Ashworth, St Petersburg FL; Baylink
http://www.bcp38.info +1 727 647 1274 jra () baylink com

  [MOOTED? We've variously TOOTED work by Paul Kocher, Ross Anderson, Dan Boneh, and many others, LOOTED risks in ROOTED systems being BOOTED, risks in pacemakers, and more. It's not moot, and of course it never was except in the eyes of folks who thought they could ignore the problems. This seems to be another example of ``in that we don't know what to do about it, we're going to ignore it.'' PGN]

------------------------------

Date: Fri, 14 Nov 2014 12:25:17 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Vulnerability leaves iPhones and iPads open to fake app attack" (Martyn Williams)

Martyn Williams, InfoWorld, 10 Nov 2014
Attackers can replace legitimate apps with fake ones that access and steal personal information
http://www.infoworld.com/article/2846015/mobile-security/vulnerability-leaves-iphones-and-ipads-open-to-fake-app-attack.html

------------------------------

Date: Wed, 12 Nov 2014 13:59:30 -0800
From: Gene Wirchenko <genew () telus net>
Subject: "Malware doesn't discriminate when it comes to Web ads" (Serdar Yegulalp)

Serdar Yegulalp, InfoWorld, 12 Nov 2014
Racy or benign, your favorite sites have likely exposed you to malware-laden ads
http://www.infoworld.com/article/2846993/malware/malware-doesnt-discriminate-when-it-comes-to-web-ads.html

------------------------------

Date: Nov 12, 2014 4:48 AM
From: "Dewayne Hendricks" <dewayne () warpspeed com>
Subject: Only Half of USB Devices Have an Unpatchable Flaw But No One Knows Which Half (Andy Greenberg)

Andy Greenberg, *WiReD*, 12 Nov 2014 (via Dave Farber)
<http://www.wired.com/2014/11/badusb-only-affects-half-of-usbs/>

First, the good news: that unpatchable security flaw in USB devices first brought to light over the summer affects only about half of the things you plug into your USB port. The bad news is it's nearly impossible to sort out the secure gadgets from the insecure ones without ripping open every last thumb drive.
At the PacSec security conference in Tokyo on Wednesday, hacker Karsten Nohl presented an update to his research on the fundamental insecurity of USB devices he's dubbed BadUSB. Nohl and his fellow researchers Jakob Lell and Sascha Krissler have analyzed every USB controller chip sold by the industry's eight biggest vendors to see if their hack would work against each of those slices of silicon. The results: Roughly half of the chips were immune to the attack. But predicting which chip a device uses is practically impossible for the average consumer.

``It's not like you plug [a thumbdrive] into your computer and it tells you this is a Cypress chip, and this one is a Phison chip,'' says Nohl, naming two of the top USB chip manufacturers. ``You really can't check other than by opening the device and doing the analysis yourself. The scarier story is that we can't give you a list of safe devices.''

Nohl's BadUSB attack, which he revealed at the Black Hat security conference in August, takes advantage of the fact that a USB controller chip's firmware can be reprogrammed. That means a thumb drive's controller chip itself, rather than the Flash storage on that memory stick, can be infected with malware that invisibly spreads to computers, corrupts files stored on the drive, or quietly begins impersonating a USB keyboard to type commands on the victim's machine.

``You'd Never Get Away With This in a Laptop''

Now Nohl's research team has tested that reprogrammability problem in USB controller chips sold by the industry's biggest vendors: Phison, Alcor, Renesas, ASmedia, Genesys Logic, FTDI, Cypress and Microchip. They checked versions of each chip both by looking up its published specs and by plugging a device using it into a computer and attempting to rewrite the chip's firmware.

They found an unpredictable patchwork of results. All of the USB storage controllers from Taiwanese firm Phison that Nohl tested, for instance, were vulnerable to reprogramming. Chips from ASmedia weren't, Nohl's tests found. Controller chips from fellow Taiwanese company Genesys that used the USB 2 standard were immune, but ones that used the newer USB 3 standard were susceptible. In other categories of device like USB hubs, keyboards, webcams and mice, the results produced an even messier Excel spreadsheet of ``vulnerable,'' ``secure,'' and ``inconclusive.'' [...]

------------------------------

Date: Nov 12, 2014 5:22 AM
From: "Dewayne Hendricks" <dewayne () warpspeed com>
Subject: `Masque Attack' Bug Threatens iOS Users (Stephanie Mlot)

[Note: This item comes from friend Steve Goldstein. DLH] (via Dave Farber)

Stephanie Mlot, *PC Mag*, 11 Nov 2014
The "Masque Attack" allows hackers to replace a legit app with a phony one to track and collect private information.
<http://www.pcmag.com/article2/0,2817,2471947,00.asp>

Apple iOS users, beware: A bug discovered in Apple's mobile operating system can leave iPhones and iPads vulnerable to attacks.

Uncovered in July by FireEye mobile security researchers, the "Masque Attack" allows hackers to replace a legitimate app with a phony one, then track and collect private information. That data -- cached emails, login tokens, etc. -- can then be used by the attacker to log into the victim's accounts.

Users should be on the lookout for pop-up messages that prompt them to install something like an updated version of Flappy Bird or the latest Angry Birds title. As demonstrated in the video below, clicking on a malicious link could open the door to attackers, who mimic an original app's login interface to steal the victim's credentials.

FireEye highlights the bug via the official Gmail application, downloaded to an iPhone from the iTunes App Store. "We have confirmed this attack with email apps where the malware can steal local caches of important emails and upload them to [a] remote server," the blog said.
Worst of all, the malware is almost indistinguishable to the victim, who is unlikely to realize they have been duped.

"In this situation, we consider it urgent to let the public know," FireEye said, "since there could be existing attacks that haven't been found by security vendors."

The firm notified Apple about the vulnerability on July 26. Cupertino did not respond to PCMag's request for comment.

------------------------------

Date: Nov 12, 2014 4:59 AM
From: "Dewayne Hendricks" <dewayne () warpspeed com>
Subject: ISPs Removing Their Customers' Email Encryption

Jacob Hoffman-Andrews, *EFF*, 11 Nov 2014
<https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks>

Recently, Verizon was caught tampering with its customers' web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag -- called STARTTLS -- from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.

By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.

This type of STARTTLS stripping attack has mostly gone unnoticed because it tends to be applied to residential networks, where it is uncommon to run an email server. STARTTLS was also relatively uncommon until late 2013, when EFF started rating companies on whether they used it. Since then, many of the biggest email providers implemented STARTTLS to protect their customers. We continue to strongly encourage all providers to implement STARTTLS for both outbound and inbound email. Google's Safer email transparency report and starttls.info are good resources for checking whether a particular provider does.

Several Standards for Email Encryption

The SMTP protocol, the underpinning of email, was not originally designed with security in mind. But people quickly started using it for everything from shopping lists and love letters to medical advice and investigative reporting, and soon realized their mail needed to be protected from prying eyes. In 1991, Phil Zimmermann implemented PGP, an end-to-end email encryption protocol that is still in use today. Adoption of PGP has been slow because of its highly technical interface and difficult key management. S/MIME, with similar properties as PGP, was developed in 1995. And in 2002, STARTTLS for email was defined by RFC 3207.

While PGP and S/MIME are end-to-end encryption, STARTTLS is server-to-server. That means that the body of an email protected with, e.g. PGP, can only be read by its intended recipient, while email protected with STARTTLS can be read by the owners of the sending server and the recipient server, plus anyone else who hacks or subpoenas access to those servers. However, STARTTLS has three big advantages: First, it protects important metadata (subject lines and To:/From/CC: fields) that PGP and S/MIME do not. Second, mail server operators can implement STARTTLS without requiring users to change their behavior at all. And third, a well-configured email server with STARTTLS can provide Forward Secrecy for emails. The two technologies are entirely compatible and reinforce each other.
The most secure and private approach is to use PGP or S/MIME with a mail service that uses STARTTLS for server-to-server communication. [...]

------------------------------

Date: Nov 12, 2014 5:27 AM
From: "Suresh Ramasubramanian" <suresh () hserus net>
Subject: Re: [IP] ISPs Removing Their Customers' Email Encryption

(via Dave Farber)

Is this on port 25 outbound where you would possibly expect to see something like a Cisco ASA or similar smtp proxy device deployed by an ISP intent on filtering malware / spam traffic outbound from infected user desktops or local spammers?

Is this filter on port 587 (the smtp submission port) as well?

Several ISPs in the USA and elsewhere outright block port 25 instead of proxying it, but the awareness of port 587 being available for use isn't uniform across all countries so that it is possible that a local ISP may have elected to proxy rather than block outbound port 25 traffic.

Of course such an approach ideally whitelists port 25 traffic to known outbound servers (say those belonging to large email providers) but certainly won't be able to account for every mailserver running on a VPS or Linux box on a home dsl line for that matter.

And in all cases using port 587, which has been RFC standard, widely supported and recommended as a best practice for several years, is ideal for any outbound mail you might want to send.

EFF may want to take port 587 into account especially when they recommend TLS and study incidents like this Thai one (TLS is a best practice the security community entirely agrees with by the way)

------------------------------

Date: Fri, 14 Nov 2014 08:54:10 -0500
From: "Scott Miller" <SMiller () unimin com>
Subject: Re: ISPs reportedly interfering with customer use of STARTTLS (Bob Gezelter, RISKS-28.35)

How does this compare or relate to the "TLS False Start Using RSA" browser flag? That flag allows the packets to begin to flow before TLS credentials are validated. A Mozilla user can use Data Manager to change this from "allow" to "block" for a given domain, however, recent versions of the browser will refuse to honor that directive. Earlier versions honored it, but it was deliberately deprecated. I have found debates about this issue in Mozilla developer forums; the prevailing opinion appeared to be that requiring strict pre-authentication did not offer sufficient incremental security to justify the delay in page load time. I tend to be skeptical of arguments that appear to be as self-serving as that one, and I fail to see how it in any way justifies removing the option from the discretion of the individual browser user. I did not do much research on IE or Chrome, but I did see some hits that suggest similar policies.

------------------------------

Date: Fri, 14 Nov 2014 14:31:16 +0000
From: Rashid Motala <rashidm () identisoft net>
Subject: Re: Risks of assuming votes are accurate (Motala, RISKS-28.34)

The better solution to this would be not to equate having a driver's license with citizenship. In many places, being able to drive is almost a basic necessity, and denying illegal immigrants driver's licenses only results in more illegal (unlicensed and untested) drivers on the road.

------------------------------

Date: 16 Nov 2014 04:48:56 -0000
From: "John Levine" <johnl () iecc com>
Subject: Re: Risks of assuming votes are accurate (Motala, RISKS-28.34)

Legal immigrants aka green card holders have been eligible for drivers' licenses since approximately forever. It has never been the case that possession of a driver's license means the holder is a citizen.* I don't see any reason to believe that adding illegal immigrants to the mix makes a significant difference.

* In some states there's a thing called an Enhanced Driver's License (EDL) with more stringent documentation requirements that does mean that the holder is a citizen, but they've been notably unpopular.
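
The STARTTLS stripping described in the EFF item earlier in this issue can be detected by comparing the EHLO reply a client sees on the suspect path with the reply obtained from a trusted vantage point, and the plaintext fallback can be refused by policy. The following Python code is an added example, not code from EFF or from any RISKS contributor. Assumptions: the host name mail.example.org and both sample replies are constructed, and the masked-keyword pattern (filler such as XXXXXXXA where STARTTLS should be) is a heuristic for middleboxes that overwrite the keyword instead of deleting it.

```python
import re

# One line of an SMTP reply: 3-digit code, '-' (more lines follow) or ' '
# (last line), then free text.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Heuristic (assumption): an inspecting middlebox may overwrite the keyword
# with filler of the same length rather than removing the line.
MASKED_KEYWORD = re.compile(r"^X{4,}[A-Z]?$")

# Constructed sample replies; mail.example.org is a placeholder host.
BASELINE = (
    "250-mail.example.org\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 SMTPUTF8\r\n"
)
OBSERVED = BASELINE.replace("250-STARTTLS", "250-XXXXXXXA")


def parse_ehlo(reply: str) -> list[str]:
    """Return the extension keywords from a multi-line 250 EHLO reply."""
    keywords = []
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    for index, line in enumerate(lines):
        match = REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError(f"not a 250 EHLO reply line: {line!r}")
        _, separator, text = match.groups()
        if index > 0 and text.strip():
            # First line is the server's greeting; later lines are extensions.
            keywords.append(text.split()[0].upper())
        if separator == " ":
            break  # a space after the code marks the final line
    return keywords


def stripping_findings(baseline_reply: str, observed_reply: str) -> list[str]:
    """Compare the trusted-path reply with what the client actually received."""
    baseline = parse_ehlo(baseline_reply)
    observed = parse_ehlo(observed_reply)
    findings = []
    if "STARTTLS" in baseline and "STARTTLS" not in observed:
        findings.append("STARTTLS offered on trusted path, missing on observed path")
    masked = [kw for kw in observed if MASKED_KEYWORD.match(kw)]
    if masked:
        findings.append("masked extension keyword(s): " + ", ".join(masked))
    removed = sorted(set(baseline) - set(observed) - {"STARTTLS"})
    if removed:
        findings.append("other extensions removed in transit: " + ", ".join(removed))
    return findings


def delivery_decision(observed_reply: str, require_tls: bool) -> str:
    """Opportunistic senders fall back to plaintext; a strict policy defers."""
    if "STARTTLS" in parse_ehlo(observed_reply):
        return "starttls"
    return "defer" if require_tls else "plaintext"


if __name__ == "__main__":
    for finding in stripping_findings(BASELINE, OBSERVED):
        print("finding:", finding)
    print("opportunistic sender:", delivery_decision(OBSERVED, require_tls=False))
    print("strict sender:", delivery_decision(OBSERVED, require_tls=True))
```

The strict branch is the mitigation side of the item: a sender that requires TLS queues the message instead of sending it in the clear when the offer disappears.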
------------------------------ Date: Thu, 13 Nov 2014 23:00:02 -0800 From: josephkk <joseph_barrett () sbcglobal net> Subject: Re: $11M Tool That Could Help Computers Write Their Own Code (Finley, RISKS-28.35) And at a horrendous cost in code diversity. Not my favorite idea. A far better idea is to teach the difference between well written code and sloppy code. It is really easy, just put the two side by side and discuss for many use cases. ------------------------------ Date: Fri, 14 Nov 2014 21:25:37 +0100 From: Erling Kristiansen <erling.kristiansen () xs4all nl> Subject: Re: The $11M Tool That Could Help Computers Write Their Own Code The scary part, at least to me, is that the tool may suggest something that is NOT what you intended, but is sufficiently similar that you do not spot the difference. In particular, if larger chunks of code are inserted, this is a real risk. When you write code yourself, you know what you intend it to do. If a tool inserts it, you may not take the trouble to fully understand what it does because "the tool normally generates good code (whatever that means)". ------------------------------ Date: Mon, 17 Nov 2014 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks ^^^ [NOTE CHANGE, FINALLY NOTED HERE. SORRY FOR THE DELAY.] Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . 
You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
depending on which action is to be taken.

Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
   *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
   *** NOTE: Including the string `notsp' at the beginning or end of the subject
   *** line will be very helpful in separating real contributions from spam.
   *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.36
************************