RISKS Forum mailing list archives
Risks Digest 28.54
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 2 Mar 2015 15:46:30 PST
RISKS-LIST: Risks-Forum Digest Monday 2 March 2015 Volume 28 : Issue 54 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/28.54.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Google and tech's elite are living in a parallel universe (John Naughton) What will happen when the Internet of things becomes artificially intelligent? (Stephen Balkam) Spy Research Agency Is Building Psychic Machines to Predict Hacks (Aliya Sternstein) US government and private sector developing 'precrime' system to anticipate cyber-attacks (The Stack) Belarus bans Tor and all anonymising Internet technologies (The Stack) U.S. and British Agencies May Have Tried to Get SIM Encryption Codes, Gemalto Says (The NYTimes) Uber Driver Database Breached by Someone Outside Company (The NYTimes) White House Proposes Broad Consumer Data Privacy Bill (The NYTimes) Will we never learn? H&R Block software on Windows 8.1 (Jeremy Epstein) The big money behind Iran's Internet censorship (Daily Dot) Internet of Obnoxious Things.... (Mike O'Dell) When Driver Error Becomes Programming Error (Joel Shurkin) Thief Steals $15,000 Bike in Sausalito With Tap of Hand (Alyssa Goard) Blaming the Internet for Terrorism: So Wrong and So Dangerous (Lauren Weinstein) Phishing attacks target developers (Paul McIntire) "Hackers force death of Canadian Bitcoin exchange" (Howard Solomon) Crying "wolf" when reporting browser security flaws (Arthur) "Flaw in popular Web analytics plug-in exposes WordPress sites to hacking" (Lucian Constantin) Unblined e-mail from National Park Service, DEath VAlley (Leonard Finegold) Journal Accepts Paper Reading "Get Me Off Your F***ing Mailing List" (Stephen Luntz) Re: Hard disk firmware infection campaign detected (Geoff Kuenning) Re: Jeb Bush publishes e-mail personal info of Florida residents online (John Levine, R. G. Newbury) Re: "Regulating the Drone Economy" (Mike Spencer) Re: More "Right To Be Forgotten" nonsense from "The Guardian" (Amos Shapir) Re: ... use of GOTOs in code is *not* harmful ... (Richard A. O'Keefe) Re: Too-real simulation (Erling Kristiansen) "Lenovo shows us why we need to reinvent Web security" (Scott Dorsey) "Patent trolls are on the run, but not vanquished yet" (Bill Snyder) "Net neutrality triumphs as ISPs weep" (Paul Venezia) FCC votes for net neutrality, a ban on paid fast lanes, and Title II (Ars) Bruce Schneier's *Data and Goliath* excerpt (PGN) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Feb 22, 2015 9:51 AM From: "Hendricks Dewayne" <dewayne () warpspeed com> Subject: Google and tech's elite are living in a parallel universe (John Naughton) John Naughton, *The Guardian*, Feb 21 2015 (via Dave Farber) The gap between the richly rewarded few of tech firms and banks and the rest of us is growing wider. Blame the digital revolution http://www.theguardian.com/commentisfree/2015/feb/22/google-tech-elite-living-in-a-parallel-universe-john-naughton Someone once observed that the difference between Tony Blair and Margaret Thatcher was that whereas Thatcher believed that she was always right, Blair believed not only that he was right but also that he was good. Visitors to the big technology companies in California come away with the feeling that they have been talking to tech-savvy analogues of Blair. They are fired with a zealous conviction that they are doing great stuff for the world, and proud of the fact that they work insanely hard in the furtherance of that goal. The fact that they are richly rewarded for their dedication is, one is given to believe, incidental. The guys (and they are mostly guys) who manage these good folk are properly respectful of their high-IQ charges. Chief among them is Eric Schmidt, the executive chairman of Google, and a man who takes his responsibilities seriously. So seriously, in fact, that he co-authored a book with his colleague Jonathan Rosenberg on the care and maintenance of these precious beings. Dr Schmidt objects to the demeaning term `knowledge workers' that economists have devised for them. Google employees, he tells us, are much, much more impressive than mere knowledge workers: they are `smart creatives'. In the opinion of their chairman, these Wunderkinder are very special indeed. They are ``not averse to taking risks.'' Nor are they ``punished or held back when those risky initiatives fail, ... not hemmed in by role definitions or organisational structures, .. don't keep quiet when they disagree with something.'' [...] ------------------------------ Date: Feb 22, 2015 10:01 AM From: "Hendricks Dewayne" <dewayne () warpspeed com> Subject: What will happen when the Internet of things becomes artificially intelligent? (Stephen Balkam) Stephen Balkam, *The Guardian*, 20 Feb 2015 - From Stephen Hawking to Spike Jonze, the existential threat posed by the onset of the `conscious web' is fueling much debate -- but should we be afraid? http://www.theguardian.com/technology/2015/feb/20/internet-of-things-artificially-intelligent-stephen-hawking-spike-jonze When Stephen Hawking, Bill Gates and Elon Musk all agree on something, it's worth paying attention. All three have warned of the potential dangers that artificial intelligence or AI can bring. The world's foremost physicist, Hawking said that the full development of artificial intelligence (AI) could `spell the end of the human race'. Musk, the tech entrepreneur who brought us PayPal, Tesla and SpaceX described artificial intelligence as our ``biggest existential threat,'' and said that playing around with AI was like ``summoning the demon.'' Gates, who knows a thing or two about tech, puts himself in the `concerned' camp when it comes to machines becoming too intelligent for us humans to control. What are these wise souls afraid of? AI is broadly described as the ability of computer systems to ape or mimic human intelligent behavior. This could be anything from recognizing speech, to visual perception, making decisions and translating languages. Examples run from Deep Blue who beat chess champion Garry Kasparov to supercomputer Watson who outguessed the world's best Jeopardy player. Fictionally, we have Her, Spike Jonze's movie that depicts the protagonist, played by Joaquin Phoenix, falling in love with his operating system, seductively voiced by Scarlet Johansson. And coming soon, Chappie stars a stolen police robot who is reprogrammed to make conscious choices and to feel emotions. An important component of AI, and a key element in the fears it engenders, is the ability of machines to take action on their own without human intervention. This could take the form of a computer reprogramming itself in the face of an obstacle or restriction. In other words, to think for itself and to take action accordingly. Needless to say, there are those in the tech world who have a more sanguine view of AI and what it could bring. Kevin Kelly, the founding editor of Wired magazine, does not see the future inhabited by HALs -- the homicidal computer on board the spaceship in 2001: A Space Odyssey. Kelly sees a more prosaic world that looks more like Amazon Web Services: a cheap, smart, utility which is also exceedingly boring simply because it will run in the background of our lives. He says AI will enliven inert objects in the way that electricity did over 100 years ago. ``Everything that we formerly electrified, we will now cognitize.'' And he sees the business plans of the next 10,000 startups as easy to predict: ``Take X and add AI.'' [...] ------------------------------ Date: Wed, 25 Feb 2015 12:08:08 -0500 (EST) From: "ACM TechNews" <technews () hq acm org> Subject: Spy Research Agency Is Building Psychic Machines to Predict Hacks (Aliya Sternstein) Aliya Sternstein, NextGov.com, 23 Feb 2015, via ACM TechNews The U.S. Intelligence Advanced Research Projects Activity (IARPA) is working on a new contest that will challenge government and private-sector entities to create a system for analyzing numerous streams of data from social media to black market malware storefronts to create predictions of what cyberthreats a given network may face ahead of time. The Cyber-Attack Automated Unconventional Sensor Environment (CAUSE) project is envisioned as a cybersecurity equivalent of systems that have been able to analyze various data streams to successfully predict political uprisings and the spread of diseases such as Ebola. IARPA's Rob Rahmer, who is leading the CAUSE project, says the competition is meant to help move the cybersecurity field from a reactive to a proactive posture. Such a system would not be perfect and would make mistakes, but Rahmer says it would help agencies and businesses spend their cybersecurity resources proactively. CAUSE is envisioned as a four-year race and IARPA currently is developing guidelines and determining what the prize for the competition will be. There already is strong interest in the project; about 150 would-be participants from the private sector and academia attended a recent informational workshop about CAUSE. One issue that needs addressing is what computing resources competitors will need to use; CAUSE would likely require supercomputer-level computing power. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d684x2c74fx065558&; ------------------------------ Date: Wed, 25 Feb 2015 16:07:47 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: U.S. government and private sector developing 'precrime' system to anticipate cyber-attacks The Stack via NNSquad http://thestack.com/iarpa-cause-ibm-precrime-threat-prediction-240215 "The USA's Office of the Director of National Intelligence (ODNI) is soliciting the involvement of the private and academic sectors in developing a new 'precrime' computer system capable of predicting cyber-incursions before they happen, based on the processing of 'massive data streams from diverse data sets' -- including social media and possibly deanonymised Bitcoin transactions. In January the Intelligence Advanced Research Projects Activity (IARPA), administrated by ODNI, held a Proposers' Day Conference for the Cyber-attack Automated Unconventional Sensor Environment (CAUSE) initiative, inviting interest from IBM and other cyber-security companies including Battelle, RepKnight, the Florida Center for Cybersecurity (FC2), Galois Inc., SoarTech, SRA International Inc. [PGN-NOTE: SRA, *not* SRI!], Vion ... and, of course, IBM, which produces technologies used and cited by some of the other vendors in their own proposals. Dr. Peter Highnam presented the overview on January 21st, initially drawing attention to the interests in the project of no less than 16 major government departments, including the CIA, the Defense Intelligence Agency, the Department of State, the FBI, the Department of Homeland Security and all branches of the US military." Looks like a giant trolling target. There will be folks who would like nothing more than to trigger false alarms for such a system, just for funsies. ------------------------------ Date: Wed, 25 Feb 2015 16:10:38 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: Belarus bans Tor and all anonymising Internet technologies The Stack via NNSquad http://thestack.com/belarus-bans-tor-250215 "In the wake of Russia's announcement that it intends to ban Tor, VPNs and all other technologies that permit users to hide their identities on the Internet, the neighbouring Republic of Belarus has announced [Russian language] that it will enable legislation to bring these restrictions into effect. The ban was announced in the official national portal of Belarus. The edict declares that any service which provides access to anonymising facilities such as Tor and Virtual Private Networks must be entered onto a national blacklist, and that Internet service providers will be obliged to check state inspectorate lists daily for new banned services and sites, and to implement blocks accordingly." ------------------------------ Date: Wed, 25 Feb 2015 08:24:57 -0500 From: Monty Solomon <monty () roscom com> Subject: U.S. and British Agencies May Have Tried to Get SIM Encryption Codes, Gemalto Says The digital security company said it believed attacks by the N.S.A. and its British counterpart occurred over two years, starting in 2010. http://www.nytimes.com/2015/02/26/business/international/gemalto-says-nsa-tried-to-take-sim-encryption-codes.html ------------------------------ Date: Fri, 27 Feb 2015 22:18:30 -0500 From: Monty Solomon <monty () roscom com> Subject: Uber Driver Database Breached by Someone Outside Company The breach may have revealed the names and identification numbers of up to 50,000 drivers, but so far there are no reports that stolen information has been misused. http://bits.blogs.nytimes.com/2015/02/27/uber-driver-database-breached-by-someone-outside-company/ ------------------------------ Date: Thu, 26 Feb 2015 10:21:58 -0500 From: Mike Stayton <stayton () pobox com> Subject: Police probe outage that cut Internet, phones in Arizona Another single point of failure? http://www.usatoday.com/videos/news/nation/2015/02/26/24047643/ Mike Stayton, 106 Miss Georgia Court, Cary, NC 27511 919 460-0561 ------------------------------ Date: Sun, 1 Mar 2015 13:39:27 -0500 From: Monty Solomon <monty () roscom com> Subject: White House Proposes Broad Consumer Data Privacy Bill Under the proposed legislation, called the Consumer Privacy Bill of Rights Act, industries would draw up their own codes of conduct on handling customer data, which regulators would enforce. http://www.nytimes.com/2015/02/28/business/white-house-proposes-broad-consumer-data-privacy-bill.html ------------------------------ Date: Sun, 1 Mar 2015 11:15:07 -0500 From: Jeremy Epstein <jeremy.j.epstein () gmail com> Subject: Will we never learn? H&R Block software on Windows 8.1 Celebrating the beginning of March by starting to work on my taxes, I bought the CD from H&R Block. (I've used their software for at least 10 years - while not perfect, it can do trust returns, unlike the consumer-grade Quicken product.) Anyway, I got an error when I tried to install on my Windows 8.1 system. Some Googling reveals that this is a known problem: The software is fully compatible with Windows 8.1, however, as many users have discovered, the user's rights are somewhat restricted even on an Administrator account, since Windows Vista. It turns out that since then, Microsoft's operating systems have had a true administrator account that is hidden by default. You can search for the simple instructions to enable this account, however in support we have had success by simply creating a new account with Administrator rights and leave the Administrator account disabled. One very simple trick that has worked for me personally is to right button click the installer file, and choose "Run as Administrator". Sometimes that is all that is needed! - - - - So let's see, the software needs *something* that only a "true" administrator account can do, and they never tested it on the latest version of Microsoft's operating system before release??? Will we never learn, either about security or testing? http://community.hrblock.com/t5/DIY-Products/HR-BLOCK-PREMIUM-2014-TAX-CD-WILL-NOT-INSTALL/td-p/55443 ------------------------------ Date: Sun, 22 Feb 2015 09:51:08 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: The big money behind Iran's Internet censorship (Daily Dot) Daily Dot via NNSquad http://www.dailydot.com/politics/iran-censorship-circumvention-tech/ "While the Iranian government spends millions of dollars to build and maintain one of the strictest censorship regimes on the planet, its citizens spend their own millions on anti-censorship software that allows them to see the Internet more freely. Anti-censorship is so much money, in fact, that many of the same government authorities that do the censoring then turn around and allow the sale of censorship-beating software--in order to line their pockets, offer a false sense of security to Iranians, and even to make their surveillance jobs that much easier." ------------------------------ Date: Feb 22, 2015 11:35 AM From: "Mike O'Dell" <mo () ccr org> Subject: Internet of Obnoxious Things.... The PKDick excerpt cited about a shakedown by a door lock is, I fear, more prescient than it first appears. I very much doubt that any "Internet of Things" will become Artificially Impudent because long before that happens, all the devices will be co-opted by The Bad Guys who will proceed to pursue shakedowns, extortion, and "protection" rackets on a coherent global scale. Whether it is even possible to "secure" such a collection of devices empowered with such direct control over physical reality is a profound and, I believe, completely open theoretical question. (We don't even have a strong definition of what that would mean.) Even if it is theoretically possible, it has been demonstrated in the most compelling possible terms that it will not be done for a host of reasons. The most benign fall under the rubric of "Never ascribe to malice what is adequately explained by stupidity" while others will be aggressively malicious. First and foremost, however, is the attitude that "security" can be added-on in a piecemeal fashion to a fundamentally insecure system in retrospect. This is patently false and has been known to be the case for many decades. A close second, however, is a definition of "security" that reads, approximately, "Do what I should have meant." Eg, the rate of technology churn cannot be reduced just because we haven't figured out what we need it to do (or not do) - we'll just "iterate" every time Something Bad(tm) happens. An even deeper concern, however, is that the entire concept of "security" as naively held may be fundamentally unachievable, that phrases like "This must not happen again" are simply irrational because the underlying theoretical foundations cannot produce it. The problem with pursuing such a goal is that it has led us down a path of "brittle failure" where things work right up until they fail, and then they fail catastrophically. The outcome is forced to be binary. In most of Computer Science, there have been only relatively modest efforts directed at building systems which fail gracefully, or partially. Certainly some sub-specialties have spent a lot of effort on this notion, but it is not the norm in the education of a journeyman system builder. If it is the case that we are unlikely to build any large system which is fail-proof, and that certainly seems to be the situation, we need to focus on building systems which can tolerate, isolate, and survive local failures. As it has been so ably demonstrated, it is now possible to steal from a million people with the same effort as one person (approximately). That is a great example of a "brittle failure" and could well be a great place to start rethinking protocols and algorithms so that a big failure may produce a million opportunities to steal, but that executing any one theft produces no advantage to executing the next. This is not a panacea, but is a useful direction to pursue if we are to be overrun with Artificially Impudent light switches, toasters, and toilet seats. I *really* don't want someone playing games with the temperature of my shower, to pick one at random. ------------------------------ Date: Mon, 2 Mar 2015 12:01:54 -0500 (EST) From: "ACM TechNews" <technews () hq acm org> Subject: When Driver Error Becomes Programming Error (Joel Shurkin) *Inside Science* (02/26/15) Joel N. Shurkin via ACM TechNews, 2 Mar 2015 If automated automobiles become practical and widely adopted, then car accidents will be the result of programming errors instead of driver errors, which makes the assignment of responsibility in litigation a challenge. At a recent meeting of the American Association for the Advancement of Science, Stanford University researchers announced the production of an automated vehicle that can compete with champion amateur drivers on a racetrack. The car uses global-positioning systems, computer-driven controls, and programmed rules to drive and navigate. Stanford professor Chris Gerdes says its computerized thinking process raises important concerns. For example, because such a car is programmed to obey all traffic rules and not violate laws, there may be limitations to its usefulness. One example is a programmed vehicle's inability to cross double lines to get around an illegally parked car, because such a maneuver would technically break the rules. University of South Carolina in Columbia professor Bryant Walker Smith thinks with the advent of automated cars, the onus of liability will shift more to manufacturers than consumers, with the costs ultimately passed on to consumers. He also notes if the cars improve safety, it is likely the number of accident-related lawsuits will decline. http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-d6b9x2c76cx057431&; ------------------------------ Date: Sat, 28 Feb 2015 18:34:22 -0800 From: Paul Saffo <paul () saffo com> Subject: Thief Steals $15,000 Bike in Sausalito With Tap of Hand (Alyssa Goard) Alyssa Goard, NBC Bay Area, 27 Feb 2015 Thief Steals $15,000 Bike in Sausalito With Tap of Hand: Police http://www.nbcbayarea.com/news/local/Thief-Steals-15000-Bike-in-Sausalito-With-Tap-of-Hand-294430531.html A thief in Sausalito stole a bike valued at $15,000 from an Audi on Thursday, all with a tap of his hand. The man made off with the Cervelo P5 bicycle and other valuables on Central Avenue in Sausalito during the afternoon on Feb. 19, much of which was captured on surveillance video. As police described it, the man was on Central Avenue driving a black vehicle, possibly a a 2011-2014 Volkswagen Golf TDI Diesel, when he drove past the Audi. It was then when police say he reached out, tapping the Audi with his hand as he passed by. He parked his Volkswagen close to the Audi, walked up to it and touched the vehicle's door handles. After he did that, somehow the doors unlocked. Police believe the thief unlocked the Audi using an electronic device or remote. Sausalito police warn residents that even advanced, high tech locks and security systems can be outsmarted. Police say the suspect in this crime appears to be about 25 to 35 years old and was wearing black clothing. Anyone with information on the suspect or this crime should contact Detective Ryan McMahon at 415-289-4118. [Fascinating. an Audi master key, used by dealers and locksmiths presumably? Good reminder that having trapdoors, backdoors, and frontdoors is NOT A GOOD IDEA. PGN] ------------------------------ Date: Sun, 22 Feb 2015 17:29:34 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: Blaming the Internet for Terrorism: So Wrong and So Dangerous http://lauren.vortex.com/archive/001087.html You can almost physically hear the drumbeat getting louder. It's almost impossible to read a news site or watch cable news without seeing some political, religious, or "whomever we could get on the air just now" spokesperson bemoaning and/or expressing anger about free speech on the Internet. Their claims are quite explicit. "Almost a hundred thousand social media messages sent by ISIL a day!" "Internet is the most powerful tool of extremists." On and on. Now, most of these proponents of "controlling" free speech aren't dummies. They don't usually come right out and say they want censorship. In fact, they frequently claim to be big supporters of free speech on the Net -- they only want to shut down "extremist" speech, you see. And don't worry, they all seem to claim they're up to the task of defining which speech would be so classified as verboten. "Trust us," they plead with big puppy dog eyes. But blaming the Net for terrorism -- which is the underlying story behind their arguments -- actually has all the logical and scientific rigor of blaming elemental uranium for atomic bombs. Speaking of which, I'd personally be much more concerned about terrorist groups getting hold of loose fissile material than Facebook accounts. And I'm pretty curious about how that 100K a day social media messages stat is derived. Hell, if you multiply the number of social media messages I typically send per day times the number of ostensible followers I have, it would total in the millions -- every day. And you know what? That plus one dollar will buy you a cup of crummy coffee. Proponents of controls on Internet speech are often pretty expert at conflating and confusing different aspects of speech, with a definite emphasis on expanding the already controversial meanings of "hate speech" and similar terms. They also note -- accurately in this respect -- that social media firms aren't required to make publicly available all materials that are submitted to them. Yep, this is certainly true, and an important consideration. But what speech control advocates seem to conveniently downplay is that the major social media firms already have significant staffs devoted to removing materials from their sites that violate their associated Terms of Service related to hate speech and other content, and what's more this is an incredibly difficult and emotionally challenging task, calling on the Wisdom of Solomon as but one prerequisite. The complexities in this area are many. The technology of the Net makes true elimination of any given material essentially impossible. Attempts to remove "terrorist-related" items from public view often draw more attention to them via the notorious "Streisand Effect" -- and/or push them into underground, so-called "darknets" where they are still available but harder to monitor towards public safety tracking of their activities. "Out of sight, out of mind" might work for a cartoon ostrich with its head stuck into the ground, but it's a recipe for disaster in the real world of the Internet. There are of course differences between "public" and "publicized." Sometimes it seems like cable news has become the paid publicity partner of ISIL and other terrorist groups, merrily spending hours promoting the latest videotaped missive from every wannabe terrorist criminal wearing a hood and standing in front of an ISIL flag fresh from their $50 inkjet printer. But that sort of publicity in the name of ratings is very far indeed from attempting to control the dissemination of information on the Net, where information once disseminated can receive almost limitless signal boosts from every attempt made to remove it. This is not to say that social media firms shouldn't enforce their own standards. But the subtext of information control proponents -- and their attempts to blame the Internet for terrorism -- is the implicit or explicit implication that ultimately governments will need to step in and enforce their own censorship regimes. We're well down that path already in some ways, of course. Government-mandated ISP block lists replete with errors blocking innocent sites, yet still rapidly expanding beyond their sometimes relatively narrow original mandates. And whether we're talking about massive, pervasive censorship systems like in China or Iran, or the immense censorship pressures applied in countries like Russia, or even the theoretically optional systems like in the U.K, the underlying mindsets are very much the same, and very much to the liking of political leaders who would censor the Internet not just on the basis of "stopping terrorism," but for their own political, financial, religious or other essentially power hungry reasons as well. In this respect, it's almost as if terrorists were partnering with these political leaders, so convenient are the excuses for trying to crush free speech, to control that "damned Internet" -- provided to the latter by the former. Which brings us to perhaps the ultimate irony in this spectacle, the sad truth that by trying to restrict information on the Internet in the name of limiting the dissemination of "terrorist" materials on the Net, even the honest advocates of this stance -- those devoid of ulterior motives for broader information control -- are actually advancing the cause of terrorism by drawing more attention to those very items they'd declare "forbidden," even while it will be technologically impossible to actually remove those materials from public view. It's very much a lose-lose situation of the highest order, with potentially devastating consequences far beyond the realm of battling terrorists. For if these proponents of Internet information control -- ultimately of Internet censorship -- are successful in their quest, they will have handed terrorists, totalitarian governments, and other evil forces a propaganda and operational prize more valuable to the cause of repression than all the ISIL social media postings and videos made to date or yet to be posted. And then, dear friends, as the saying goes, the terrorists really would have won, after all. Be seeing you. ------------------------------ Date: Tue, 24 Feb 2015 21:31:59 -0800 From: Paul McIntire <paul.mcintire () sfunix net> Subject: Phishing attacks target developers We recently fell victim to a clever phishing attack targeted directly at our mobile application. The email received looked exactly like a correspondence from Google App Store and contained a deep link obfuscated in an HTML email pointing to a 3rd party malicious site in guise of the Developer Console. The subject was "3-Day Notification of Google Play Developer Term Violation" which certainly got our attention. One of our harried developers clicked on the link and logged into a site http://accounts.gooogle.com.de/ providing hackers with our credentials. The takeaway here is obvious. Enforce multi-factor authentication on all email accounts linked to app store logins. I don't understand how this is even optional anymore. https://guardianproject.info/2015/02/24/phishing-for-developers/ ------------------------------ Date: Mon, 23 Feb 2015 11:34:58 -0800 From: Gene Wirchenko <genew () telus net> Subject: "Hackers force death of Canadian Bitcoin exchange" (Howard Solomon) Howard Solomon, *IT Business*, 20 Feb 2015 http://www.itbusiness.ca/news/hackers-force-death-of-canadian-bitcoin-exchange/53891 Digital currencies hold appeal to some enterprises, but the security of exchanges is a weak point. The latest to fall is Canadian exchange CaVirtex over what it says is a possible breach. [..] ------------------------------ Date: Thu, 26 Feb 2015 15:06:32 -0500 From: Arthur <Risks201502.6.atsjbt () xoxy net> Subject: Crying "wolf" when reporting browser security flaws I, like many careful people, run either with active scripting fully disabled or with the Noscript plugin of Firefox set to disallow scripts from any site I don't exempt. "Noscript" is one of the most popular Firefox plugins for a good reason. As Ron put it a while back, "I always thought of JavaScript as the browser's malware injection facility." The problem is that almost all reports of browser exploits follow the same template: First they name the exploit. Then they explain, in gory detail, the horrible nasty things the exploit can do. Finally they say that, until a fix can be written and applied, your best method of safety is to disable scripts or to run with Noscript. Sometimes they leave that last bit off even though the exploit requires active scripting. The risk is that people who browse safely, without scripting, may ignore browser exploit reports. If or when one such comes along which does not rely on scripting, those people will be vulnerable longer. (By the way, does anyone have statistics on browser exploits broken down by scripting required for the vulnerability versus everything else?) It would be nice if the reporting template were instead more along these lines: Name the exploit; state who is and isn't vulnerable; detail the exploit type (evil script, buffer overrun, SQL injection, etc.); tell the extent of the exploit; and explain how who those who are vulnerable can fix or mitigate the problem. ------------------------------ Date: Thu, 26 Feb 2015 13:33:12 -0800 From: Gene Wirchenko <genew () telus net> Subject: "Flaw in popular Web analytics plug-in exposes WordPress sites to hacking" (Lucian Constantin) Lucian Constantin, InfoWorld, 25 Feb 2015 Attackers can easily crack cryptographic keys used by the WP-Slimstat plug-in and use them to read information from a site's database http://www.infoworld.com/article/2888878/security/flaw-in-popular-web-analytics-plugin-exposes-wordpress-sites-to-hacking.html ------------------------------ Date: Mon, 2 Mar 2015 13:36:51 -0500 From: Leonard Finegold <L () drexel edu> Subject: Unblinded e-mail from National Park Service, DEath VAlley Minor fun, from National Park Service, DEath VAlley, one of my favorite places. This was sent to about 256 people; presumably (like me) they had once contacted NPS. Nice to note that NPS doesn't worry about keeping E-addresses confidential. Note "there" for their. Begin forwarded message:
Date: March 2, 2015 12:25:08 PM EST From: "DEVA Information, NPS" <deva_information () nps gov> To: [MONSTER LIST OF E-MAIL ADDRESSES DELETED BY PGN FOR RISKS] Subject: Morning Report 03/02/2015
Good Luck, to all those who are making plans for there [sic] summer season and moving on. May you find your way back soon!
The subsequent e-mail after that provided a correction, but again included the entire list of addresses.
Subject: Error while sending Morning Report 03/02/2015
Please disregard last message morning report is meant for selected contact stations in error it was sent to all contacts. Please do not respond just delete message. Document resent to stations, and thank you for your understanding.
[If you were French, you might ask PARK-WHA? (pourqua?)... PGN] ------------------------------ Date: Wed, 25 Feb 2015 11:39:20 -0800 From: Gene Wirchenko <genew () telus net> Subject: Journal Accepts Paper Reading "Get Me Off Your F***ing Mailing List" (Stephen Luntz) Stephen Luntz, IFL Science, 23 Nov 2014 http://www.iflscience.com/technology/journal-accepts-paper-reading-get-me-your-fucking-mailing-list A paper that largely consists of the words "Get me off your f***ing mailing list" repeated 863 times has been accepted by a journal that claims to be peer reviewed. The move might appear to offer hope to scientists struggling to get marginal work published, but really just exposes the extent of scam publications pretending to be contributing to science. [...] ------------------------------ Date: Sun, 01 Mar 2015 02:09:34 -0800 From: Geoff Kuenning <geoff () cs hmc edu> Subject: Re: Hard disk firmware infection campaign detected (Houppermans) A few days after the news of the NSA's hard-disk infections came out, I spoke to a high-level manager at Seagate about the attack. He told me a couple of interesting things: 1. Although all drives have a "download new firmware" command, the firmware has to be signed. Ten years ago that wasn't true. So although the NSA might have previously succeeded with this attack, today they would have to beg, borrow, or steal the signing key. That's not to say they haven't (after all, sneakiness is their stock in trade), but it makes things more difficult. 2. An unrelated but interesting point is that at least at Seagate (and presumably elsewhere) all on-drive information is *always* encrypted using a random key (and the drive itself is a superb source of randomness). There's an "erase drive" command that simply forgets the key. No, I don't know how to issue it; it doesn't seem to be in hdparm's list of options. Geoff Kuenning geoff () cs hmc edu http://www.cs.hmc.edu/~geoff/ Paymasters come in only two sizes: one sort shows you where the book says that you can't have what you've got coming to you; the second sort digs through the book until he finds a paragraph that lets you have what you need even if you don't rate it. Doughty was the second sort. Robert A. Heinlein, "The Door Into Summer" ------------------------------ Date: 24 Feb 2015 02:12:40 -0000 From: "John Levine" <johnl () iecc com> Subject: Re: Jeb Bush publishes e-mail personal info of Florida residents online (RISKS-28.51) Copyright law is more complicated than that. The U.S. law has broad rules for a fair use defense to claims of copyright infringement, based on: The purpose and character of the use, including whether such use is of commercial nature or is for nonprofit educational purposes The nature of the copyrighted work The amount and substantiality of the portion used in relation to the copyrighted work as a whole The effect of the use upon the potential market for, or value of, the copyrighted work Since the use was non-commercial, the public has a clear interest in Bush's correspondence since he was a government official at the time and a likely candidate for US President, and the commercial market of the e-mail is negligible, the argument for fair use in this case is very small. In Europe or Canada, privacy laws would likely forbid publication of people's personal details, but other than a few narrow cases that don't apply here, the US has no privacy laws. ------------------------------ Date: Tue, 24 Feb 2015 10:10:56 -0500 From: "R. G. Newbury" <newbury () mandamus org> Subject: Re: Jeb Bush publishes e-mail personal info of Florida residents online (RISKS-28.53) NOT! As a first order WAG, I would assume that the TOS involved in emailing the governor *in his official capacity as an elected public figure, cover that. And the FOIA would cover the publication. R. Geoffrey Newbury, Barrister and Solicitor, newbury () mandamus org Mississauga, Ontario, L5H 3R2 905-271-9600 ------------------------------ Date: Tue, 24 Feb 2015 03:07:28 -0400 From: mspencer () tallships ca (Mike Spencer) Subject: Re: "Regulating the Drone Economy" No one seems to have remarked on what happens if you shoot one of these drones down when it's buzzing around you back yard. Have you committed multiple serious felonies related to aircraft? Or have you wrecked somebody's expensive toy that was intruding on your privacy? ------------------------------ Date: Fri, 27 Feb 2015 12:17:46 +0200 From: Amos Shapir <amos083 () gmail com> Subject: Re: More "Right To Be Forgotten" nonsense from "The Guardian" The Guardian's article demonstrates yet again the "Barbra Streisand effect"; as John Oliver had said about the Spaniard who had started this round "the only fact I know about him is the very fact he wanted to be forgotten".... ------------------------------ Date: Thu, 26 Feb 2015 12:03:26 +1300 From: "Richard A. O'Keefe" <ok () cs otago ac nz> Subject: Re: ... use of GOTOs in code is *not* harmful ... (R-28.51) RISKS-28.51 pointed us to an article that concluded the use of GOTOs is not harmful in practice. A quick glance through the paper looks good, but it may seriously mislead readers who aren't aware of Dijkstra's context. He did not "fear" that the use of gotos "would" obscure the code but observed that it *did*. For example, when he wrote, Fortran was one of the dominant languages. It had no "while" or "switch"/"case" statements and even no "if" statement as we currently understand it. COBOL 61 was not much better. IBM had introduced PL/I, but it still no "switch"/"case" statement. If developers are now using gotos responsibly, Dijkstra deserves a lot of the credit, because before he wrote, a lot of programmers didn't. The people who designed programming languages where you *could* write serious code with few if any gotos also deserve a lot of credit. Fortran 90 (and later) and COBOL 85 (and later) support precisely the kind of structured programming that Dijkstra and others were advocating. The difficulty of trying to understand how a program got to where it is has other guises these days. JavaScript has no 'goto' statement; that does not make understanding Node.js code easy! ------------------------------ Date: Sat, 28 Feb 2015 21:26:14 +0100 From: Erling Kristiansen <erling.kristiansen () xs4all nl> Subject: Re: Too-real simulation (RISKS-28.53) Back in the late 1970's, I was involved in the launch of the first European meteorological satellite METEOSAT-1. A couple of days before the launch date, the launcher, sitting on the launch pad, received a telecommand to self-destruct. Fortunately, the execution of this command was disabled while on the ground, so nothing happened. But the launch was delayed by about 2 weeks to find the source of the telecommand. It turned out that a tracking station had been doing simulations of contingency operations, and had accidentally transmitted the command to the antenna rather than to the "dummy load" that is supposed to be used for training and tests. (To make the training as realistic as possible, everything in the Earth station is typically fully configured, except that the final output signal is routed to a load resistor rather than to the transmit antenna). ------------------------------ Date: Tue, 24 Feb 2015 11:30:30 -0500 From: Scott Dorsey <kludge () panix com> Subject: "Lenovo shows us why we need to reinvent Web security" (Venezia) If you cannot trust your operating system, you cannot trust anything, and no encryption, no certificate, no algorithm is going to allow you to trust anything. The problem is not SSL security, the problem is not being able to trust your OS. --scott [Of course, PGN agrees -- having maintained that position throughout the history of RISKS and long before.] ------------------------------ Date: Thu, 26 Feb 2015 11:02:50 -0800 From: Gene Wirchenko <genew () telus net> Subject: "Patent trolls are on the run, but not vanquished yet" (Bill Snyder) Here's hoping! Part 1 Bill Snyder, InfoWorld, 26 Feb 2015 Strong legislation that will weaken the ability of the trolls to shake down innovators is likely to pass Congress, but more should be done Tech's Bottom Line http://www.infoworld.com/article/2889194/patents/patent-trolls-are-on-the-run-but-not-vanquished-yet.html selected text: There's finally light at the end of the dark, troll-invested tunnel, and it isn't an oncoming train. Congress is likely to pass a bill that will take money out of the pockets of innovation-sucking patent trolls (aka "nonpracticing entities") despite opposition from lawyers, the pharmaceutical industry, and a few tech companies that hold large numbers of patents. That study, titled "Does Patent Licensing Promote Innovation?," ... "We find that very few patent licenses from assertion result in any innovation, whether we measure that directly by looking for new products and features, or indirectly by looking for proxies such as the transfer of technology, sharing of personnel, or the development of joint ventures," they wrote. Patent licensing, they say, "seems to be an activity almost entirely divorced from innovation." ------------------------------ Date: Thu, 26 Feb 2015 11:11:36 -0800 From: Gene Wirchenko <genew () telus net> Subject: "Net neutrality triumphs as ISPs weep" (Paul Venezia) Here's hoping, Part 2. Paul Venezia, InfoWorld, 26 Feb 2015 The public interest has prevailed and the FCC has voted to reclassify ISPs as common carriers. At last we have the means to control our Internet future http://www.infoworld.com/article/2888962/net-neutrality/net-neutrality-triumphs-as-isps-weep.html ------------------------------ Date: Thu, 26 Feb 2015 10:13:40 -0800 From: Lauren Weinstein <lauren () vortex com> Subject: FCC votes for net neutrality, a ban on paid fast lanes, and Title II Ars via NNSquad http://arstechnica.com/business/2015/02/fcc-votes-for-net-neutrality-a-ban-on-paid-fast-lanes-and-title-ii/ "The Federal Communications Commission today voted to enforce net neutrality rules that prevent Internet providers--including cellular carriers--from blocking or throttling traffic or giving priority to Web services in exchange for payment. The most controversial part of the FCC's decision reclassifies fixed and mobile broadband as a telecommunications service, with providers to be regulated as common carriers under Title II of the Communications Act. This brings Internet service under the same type of regulatory regime faced by wireline telephone service and mobile voice, though the FCC is forbearing from stricter utility-style rules that it could also apply under Title II." BOOM! As the moderator of the Network Neutrality Squad now reaching back for so many years, I must say I am quite pleased overall with this decision. There will be lawsuits, and threats from Congress relating to this vote, and the risk of reversals with new Commissioners later always will exist, but today is a really good day for the Internet. ------------------------------ Date: Mon, 2 Mar 2015 10:40:40 PST From: "Peter G. Neumann" <neumann () csl sri com> Subject: Bruce Schneier's *Data and Goliath* excerpt Bruce Schneier, How to Mess With Surveillance: Why you should search for random people on Facebook, and other tips. This essay is excerpted from Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World by Bruce Schneier, published by W. W. Norton & Co. Inc., 2015. Surveillance is both a technological and a legal problem. Technological solutions are often things we can do ourselves. We can use various privacy and anonymity technologies to protect our data and identities. These are effective but can be thwarted by secret government orders. We need to fight the political battle as well. Political solutions require group effort but are generally limited to specific countries. Technological solutions have the potential to be global. If Microsoft designs its Windows operating system with ubiquitous file encryption, or if the Internet Engineering Task Force decides that all Internet traffic will be encrypted by default, then those changes will affect everyone in the world who uses those products and protocols. The point is that politics can undermine technology, and also that technology can undermine politics. Neither trumps the other. If we are going to fix things, we need to fight on both the technological and political fronts. And it's not just up to governments and corporations. We the people have a lot of work to do here. [... Long item PGN-truncated for RISKS] Excerpted from Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World by Bruce Schneier. Copyright 2015 by Bruce Schneier. With permission of the publisher, W. W. Norton & Co. Inc. All= rights reserved. ------------------------------ Date: Mon, 17 Nov 2014 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall () newcastle ac uk>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line. *** NOTE: Including the string `notsp' at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 28.54 ************************
Current thread:
- Risks Digest 28.54 RISKS List Owner (Mar 02)