RISKS Forum mailing list archives
Risks Digest 28.84
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 4 Aug 2015 15:35:15 PDT
RISKS-LIST: Risks-Forum Digest  Tuesday 4 August 2015  Volume 28 : Issue 84

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.84.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Lottery chief resigns in scandal (Wikipedia)
Doctors Still In the Dark After Electronics Records Hack Exposes Data on 4 Million (Security Ledger)
Google Cloud Platform to Let Customers Control Encryption Keys (DataCenterKnowledge)
Counterterrorism expert says it's time to give companies offensive cybercapabilities (IT World)
Nice item on Going Dark (Nick Weaver via PGN)
Struggling to Disconnect From Our Digital Lives (NYTimes)
Steep Discounts a Boon for Customers, but a Gamble for Start-Ups (NYTimes)
Mark Karpeles, Chief of Mt. Gox Bitcoin Exchange, Arrested in Tokyo (NYTimes)
UK peer calls for universal Internet delete button, may also want unicorns (Ars Technica)
Why Consumers Should Tread Carefully with Samsung Galaxy's Price Cut? (NYTimes)
Siri's new voice, new name: Comey (James Cook via Henry Baker)
CISA could 'sweep away' Internet users' privacy (Sam Thielman)
'Hack Back' NACK (Grant Gross)
Stolen Consumer Data Is a Smaller Problem Than It Seems (NYTimes)
Vehicular connectivity system vulnerabilities may be far more widespread than Fiat Chrysler Jeep (Reuters)
DDR3 modules found to be vulnerable to designed intensive memory accesses; alter other contents (Reuters)
Re: Space Ship Two crash investigation results (Peter Bernard Ladkin)
Re: Why you shouldn't trust your Intel/AMD/ARM chips (Bob Eager)
Re: GW 9525 EASA crash report (Dick Mills)
Re: Windows 10 and Wifi Sense (David Damerell)
Re: Windows XP: Embedded systems, what fun... (Geoff Kuenning)
Re: Don't bring your drones to New Zealand (Richard A. O'Keefe)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 03 Aug 2015 08:08:46 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Lottery chief resigns in scandal

https://en.wikipedia.org/wiki/Dual_EC_DRBG

"one of the numbers in the winning combination appeared on TV screens before it was actually drawn"

Quantum entanglement may be implicated...
https://en.wikipedia.org/wiki/Alain_Aspect

http://bigstory.ap.org/article/4b23b095df6345dfaaa993192ce8ab93/serbia-lottery-chief-resigns-live-ticket-draw-scandal

Serbia lottery chief resigns in live ticket draw scandal
Jul. 30, 2015 12:27 PM EDT

BELGRADE, Serbia (AP) The head of Serbia's state lottery resigned on Thursday following allegations of fraud during a live ticket draw this week.

In a live broadcast Tuesday evening, one of the numbers in the winning combination appeared on TV screens before it was actually drawn. That sparked accusations that the numbers had been chosen in advance.

The State Lottery has denied fraud and blamed the incident on a "technical mistake." The company head, Aleksandar Vulovic, said Thursday that he was stepping down out of "moral obligation."

"The draw was completely in accordance with the rules and the company abides by the law," the state lottery said in a statement.

Police said lottery employees who worked during the draw will undergo a lie detector test, while computers and other equipment have been impounded. Police said they have questioned six people in the scandal.

The lottery is very popular in Serbia, a Balkan country with a poor economy and widespread corruption.
------------------------------

Date: Sat, 1 Aug 2015 18:25:17 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Doctors Still In the Dark After Electronics Records Hack Exposes Data on 4 Million

Security Ledger via NNSquad
https://securityledger.com/2015/07/doctors-still-in-the-dark-after-electronics-records-hack-exposes-data-on-4-million/

Four million patients of more than 230 hospitals, doctors' offices and clinics had patient data exposed in a May hack of Fort Wayne, Indiana firm Medical Informatics Engineering (MIE) and its NoMoreClipBoard electronic health records system, according to the Indiana Attorney General. The breach affected 3.9 million people in total, 1.5 million in Indiana alone, almost a quarter of the state's population, according to a statement by the Indiana Attorney General's Office.

The breach affects healthcare organizations from across the country. Healthcare providers ranging from prominent hospitals to individual physicians' offices and clinics are among 195 customers of the NoMoreClipBoard product that had patient information exposed in the breach.

However, more than a month after the breach was discovered, some healthcare organizations whose patients were affected are still waiting for data from EMI on how many and which patients had information exposed, the Security Ledger has learned.

"We have received no information from MIE regarding that," said a spokeswoman for Fort Wayne Radiology Association, one of hundreds of healthcare organizations whose information was compromised in the attack on MIE. Calls and e-mail messages seeking comment from EMI were not returned.
------------------------------

Date: Tue, 28 Jul 2015 15:40:52 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Google Cloud Platform to Let Customers Control Encryption Keys

DataCenterKnowledge via NNSquad
http://www.datacenterknowledge.com/archives/2015/07/28/google-cloud-platform-to-let-customers-control-encryption-keys/

Now, the "Customer-Supplied Encryption Keys" feature allows customers to use their own encryption keys as a free beta feature, providing customers more control around their data security, as long as they are able to securely store the encryption key.

"With Customer-Supplied Encryption Keys, we are giving you control over how your data is encrypted with Google Compute Engine," Leonard Law, product manager for Google Cloud Platform for Enterprise, wrote in a blog post. "Keep in mind, though, if you lose your encryption keys, we won't be able to help you recover your keys or your data - with great power comes great responsibility!"

------------------------------

Date: Mon, 3 Aug 2015 16:44:36 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Counterterrorism expert says it's time to give companies offensive cybercapabilities

IT World via NNSquad
http://www.itworld.com/article/2956115/counterterrorism-expert-says-its-time-to-give-companies-offensive-cybercapabilities.html

The U.S. government should deputize private companies to strike back against cyberattackers as a way to discourage widespread threats against the nation's businesses, a former government official says.

Not just an idiot, but an incredibly dangerous idiot.

------------------------------

Date: Tue, 4 Aug 2015 9:41:15 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Nice item on Going Dark (Nick Weaver)

http://www.lawfareblog.com/iphones-fbi-and-going-dark

------------------------------

Date: Sun, 2 Aug 2015 19:16:34 -0400
From: Monty Solomon <monty () roscom com>
Subject: Struggling to Disconnect From Our Digital Lives

The more time we spend swimming in digital waters, the shallower our cognitive capacity becomes and the less control we have of our attention.
http://www.nytimes.com/2015/08/01/business/dealbook/struggling-to-disconnect-from-our-digital-lives.html

------------------------------

Date: Sat, 1 Aug 2015 17:55:16 -0400
From: Monty Solomon <monty () roscom com>
Subject: Steep Discounts a Boon for Customers, but a Gamble for Start-Ups

As new tech companies spend huge amounts to lure customers with deals, it's a great time to be a consumer. But can these companies ever turn a profit?
http://www.nytimes.com/2015/07/30/technology/personaltech/steep-discounts-a-boon-for-customers-but-a-gamble-for-start-ups.html

------------------------------

Date: Sun, 2 Aug 2015 19:15:24 -0400
From: Monty Solomon <monty () roscom com>
Subject: Mark Karpeles, Chief of Mt. Gox Bitcoin Exchange, Arrested in Tokyo

The police said they believed Mr. Karpeles had manipulated transaction records on a computer system that Mt. Gox used to swap Bitcoins for dollars.
http://www.nytimes.com/2015/08/02/business/dealbook/mark-karpeles-mt-gox-bitcoin-arrested.html

------------------------------

Date: Mon, 3 Aug 2015 09:11:43 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: UK peer calls for universal Internet delete button, may also want unicorns

http://arstechnica.com/tech-policy/2015/08/uk-peer-calls-for-universal-internet-delete-button-may-also-want-unicorns/

In an interview with the Irish Examiner, Baroness Kidron was tackled on this point. "The question of how they know you are a child is a torturous question," she told the paper.
"There are plenty of companies that work on anonymous verification and there are ways websites can know that a kid is a kid without knowing who they are."

Essentially, then, the good Baroness believes in techno-magic: those clever geeks will come up with some unspecified system that can work out a young person's age to the nearest day--or month, or year, depending on your gullibility--without even knowing who they are.

That's merely one technical reason why the system will be impossible to implement. Another is because of legal issues. Last week, Google politely but firmly refused to extend the so-called "right to be forgotten" from Europe to the whole world. As it wrote on its blog, "We believe that no one country should have the authority to control what content someone in a second country can access." Other Internet companies are likely to agree with that viewpoint, which means that at best they might block access to a young person's post for visitors from the UK, or possibly in Europe, but it would still exist for users in other countries (and for those who connect via VPNs, of course).

Dangerous pandering politicos.

------------------------------

Date: Sat, 1 Aug 2015 17:52:26 -0400
From: Monty Solomon <monty () roscom com>
Subject: Why Consumers Should Tread Carefully with Samsung Galaxy's Price Cut?

Samsung is reducing the price of its Galaxy S6 mobile phone. That doesn't necessarily mean that buyers should rush in.
http://bits.blogs.nytimes.com/2015/07/30/why-consumers-should-tread-carefully-with-samsung-galaxys-price-cut/

------------------------------

Date: Mon, 03 Aug 2015 16:46:31 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Siri's new voice, new name: Comey (James Cook)

Comey voice: "You have reached the telephone of John Doe. Please leave a detailed message so that we may get track to you." [No iWarrants necessary.]

Although the NSA politely refused comment on the Apple announcement, Adm. Michael Rogers was seen to be giving a high five to Mr. Comey.

http://www.businessinsider.com/apple-siri-voicemail-transcription-service-2015-8

Apple is preparing to launch a voicemail service that will use Siri to transcribe your messages
James Cook, Aug. 3, 2015, 5:51 AM

Apple employees are testing a voicemail service that uses Siri to answer your calls and transcribe voicemail messages. Apple's iCloud service will then send you the text of the transcribed voicemail -- meaning you will never need to listen to your voicemails again, sources tell Business Insider. The new service is being prepared for launch in 2016, we hear.

Apple's proposed solution is both incredibly simple and incredibly clever: People like to leave voicemails (it's often quicker to orally deliver your information than it is to type it in a text message). But they don't like to receive voicemails (it's a lot quicker to read a text than it is to listen to the person talking to you). The new product will also bridge a generation gap: Older users like voicemails. Young people do not.

We first heard about Apple employees using a new kind of voicemail service several weeks ago. Here is how it works: When someone using iCloud Voicemail is unable to take a call, Siri will answer instead of letting the call go to a standard digital audio recorder. iCloud Voicemail can relay information about where you are and why you can't pick up the phone to certain people.

But the coolest feature of the service is that Siri will transcribe any incoming voicemails, just as it does with anything else you say to it. Here's what it looks like at the moment when Siri transcribes something you say into text:
http://static3.businessinsider.com/image/55bf3a6add0895fa668b4682-800-250/fullsizerender.jpg

Apple sends voice data to company servers, where Siri converts the words spoken into text. iCloud Voicemail will presumably function in the same way, sending the raw voicemails to Apple, and Siri will then transcribe them and make them available on your iPhone.

Siri is already going to be upgraded in iOS 9, Apple's coming mobile operating system. It will be able to search within applications and predict what you want to do. Clearly, Apple is focusing on its virtual assistant, and iCloud Voicemail will be another part of what it can do.

Multiple Apple employees are testing iCloud Voicemail. Business Insider understands that the service is scheduled to be released in 2016 if it works reliably enough, presumably with the iOS 10 mobile operating system.

Apple has already launched products that stray into the domain of mobile phone network and wireless service providers. It quietly launched Apple SIM in 2014, which lets customers switch between networks easily, all through the device. There has been continued speculation that Apple may want to become its own mobile virtual network operator. (An MVNO rents bandwidth from traditional wireless service suppliers and bills customers who go through it.) iCloud Voicemail would replicate something that carriers already do.

Another incentive for Apple to launch its own carrier network would be to compete with Google. Google is operating its own service, but only through its Nexus 6 smartphone.
------------------------------

Date: Tue, 04 Aug 2015 07:50:19 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: CISA could 'sweep away' Internet users' privacy

"the bill that would give participants in the proposed information-sharing program immunity not just from prosecution, but from regulatory action"

Sam Thielman, *The Guardian*, 3 Aug 2015
Homeland Security admits Cybersecurity Information Sharing Act raises concerns while corporations and data brokers lobby for bill as it returns to Senate
http://www.theguardian.com/world/2015/aug/03/cisa-homeland-security-privacy-data-internet

The Department of Homeland Security (DHS) on Monday said a controversial new surveillance bill could sweep away `important privacy protections', a move that bodes ill for the measure's return to the floor of the Senate this week.

The latest in a series of failed attempts to reform cybersecurity, the Cybersecurity Information Sharing Act (Cisa) grants broad latitude to tech companies, data brokers and anyone with a web-based data collection to mine user information and then share it with `appropriate Federal entities', which themselves then have permission to share it throughout the government.

Minnesota senator Al Franken queried the DHS in July; deputy secretary of the department Alejandro Mayorkas responded today that some provisions of the bill `could sweep away important privacy protections' and that the proposed legislation `raises privacy and civil liberties concerns'.

Much of the attention on Cisa has been directed at companies such as Google, Facebook and Comcast, which have large hoards of Internet user behavior. But arguably more important are data brokers. Among the groups lobbying for the passage of Cisa are Experian, which tracks consumer trends using information from loyalty cards and other sources and licenses the information to help target advertising; Oracle, whose Data Cloud product works similarly; and Hitrust, which aggregates healthcare information.

The paragraph generating the most concern can be found in section 4 of the bill:

  [a] private entity may, for cybersecurity purposes, monitor
  A) the information systems of such a private entity;
  B) the information systems of another entity, upon written consent of such other entity and
  D) information that is stored on, processed by, or transiting the information systems monitored by the private entity under this paragraph.

Debate on the bill could start on Wednesday with a vote on Thursday.

Privacy concerns are already significant in the private sector, where the use of personal data at scale is largely unregulated. ``With respect to data brokers that sell marketing products, the Commission recommends that Congress consider legislation requiring data brokers to provide consumers access to their data, including sensitive data held about them, at a reasonable level of detail, and the ability to opt out of having it shared for marketing purposes,'' wrote the FTC in a whitepaper titled Data Brokers: A Call for Transparency and Accountability last May. Such legislation has been introduced, but is repeatedly referred to committee.
https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf

Data brokers are anxious to avoid losing the ability to aggregate vast quantities of personal data - the sale and licensing of consumer databases is a lucrative practice, as web advertising booms and TV advertising becomes more sophisticated. It's also a practice that prefers not to disclose exactly what information it is holding. Mike Seay, an Illinois man whose child died the year previous, received in 2014 a junk mail flier from OfficeMax addressed to ``Mike Seay, Daughter Killed in Car Crash'' (this was indeed how his 17-year-old daughter had died).

Cisa's mandate would seem to cover the publicly used interfaces of the health insurers and banks -- including SunTrust, Prudential, American Express, Aflac and Bank of America -- that lobbied on the bill.

Drew Mitnick of digital advocacy organization Access Now pointed to language in the bill that would give participants in the proposed information-sharing program immunity not just from prosecution, but from regulatory action. ``The transparency requirement is so narrow that, if you met the requirements within the bill to get protection, it would give [participating companies] broad range to collect data and then send it to the government.''

Lobby group the Financial Services Roundtable (FSR) on Monday launched an advertising campaign, stopcyberthreats.com, aimed at tackling an online campaign by privacy activists who have dubbed Cisa `the Darth Vader bill' and are worried by the sweeping legal immunity corporations will receive under Cisa.

If the bill were to pass and enough of those companies were to cooperate with any given agency, the amount of information floating free within the federal government could easily extend to credit card histories (collected by data miners at Argus), lists of goods purchased (aggregated from customer loyalty cards by companies including Acxiom and Experian), and healthcare records (tracked by insurers).

Credit check giant Experian said that the company would like to see the legislation pass. ``Experian supports legislation that would facilitate greater sharing of cyberthreat information among appropriate private and government entities,'' said a company spokeswoman in a statement to the Guardian. ``Such sharing arrangements, under parameters set by law, could improve our mutual efforts to better detect and respond to emerging cyber threats.''

The company also laid the duty to walk the knife's edge between citizens' information security and their personal safety at the feet of their elected officials.
``Congress has the responsibility to balance the need for facilitating greater information sharing, and thereby enhancing cyber security, with important consumer privacy concerns. We encourage and support Congress' effort in striking this balance.''

------------------------------

Date: Tue, 04 Aug 2015 08:05:45 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: 'Hack Back' NACK (Grant Gross)

http://www.kattenstoet.be/en/page/497-510/cat-torturing-in-the-middle-ages.html

Once again, people who live in glass houses shouldn't be throwing anything, much less rocks.

Focusing on fixing vulnerabilities is like building a ``10-foot wall at the price of $1 million around your complex,'' he added. Then, [the criminals] ``go out and purchase a 15-foot ladder for $30.''

And when you can't find the criminals, the alternative is?

``When you decide you're going to breach territorial jurisdiction and go after someone, you have opened up a can of worms which is well beyond the scope of your threat,'' Rogers added.

I never thought I would agree with Mike Rogers on anything!

Grant Gross, IT World, 3 Aug 2015
Counterterrorism expert says it's time to give companies offensive cybercapabilities
http://www.itworld.com/article/2956115/business/counterterrorism-expert-says-its-time-to-give-companies-offensive-cybercapabilities.html

The U.S. government should deputize private companies to strike back against cyberattackers as a way to discourage widespread threats against the nation's businesses, a former government official says.

Many U.S. businesses have limited options for defending their IP networks, and the nation needs to develop more `aggressive' capabilities to discourage cyberattacks, said Juan Zarate, the former deputy national security advisor for counterterrorism during President George W. Bush's administration.

The U.S. government should consider allowing businesses to develop ``tailored hack-back capabilities,'' Zarate said Monday at a forum on economic and cyberespionage hosted by think tank the Hudson Institute. The U.S. government could issue cyberwarrants, giving a private company license ``to protect its system, to go and destroy data that's been stolen or maybe even something more aggressive,'' he added.

Zarate, now a senior counselor focused on sanctions at antiterrorism think tank the Foundation for Defense of Democracies, called for better cybersecurity tools as well, but suggested a new way of thinking about the tools ``that not only puts us on the defensive, but also on the offensive.''

Also:
http://hudson.org/research/11408-cyber-enabled-economic-warfare-an-evolving-challenge
https://s3.amazonaws.com/media.hudson.org/files/publications/2015.08CyberEnabledEconomicWarfareAnEvolvingChallenge.pdf

------------------------------

Date: Sun, 2 Aug 2015 19:15:06 -0400
From: Monty Solomon <monty () roscom com>
Subject: Stolen Consumer Data Is a Smaller Problem Than It Seems

It can easily feel as if no one's bank account or credit card is safe. But for consumers, the effect is quite different from what the headlines suggest.
http://www.nytimes.com/2015/08/02/business/stolen-consumer-data-is-a-smaller-problem-than-it-seems.html

------------------------------

Date: Sun, 02 Aug 2015 21:33:15 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: Vehicular connectivity system vulnerabilities may be far more widespread than Fiat Chrysler Jeep

Reuters is reporting that the mobile interfaces found to be vulnerable to recently reported remote control exploits in Fiat Chrysler Jeep vehicles may also be present in other manufacturers' vehicles. Apparently, the vendor who produced the systems has other automotive customers.

This incident highlights the need for integral firewalls when constructing remote access mechanisms for network connected devices.
This is not a problem limited to vehicular electronics; it is present in a large number of devices that are network-enabled (e.g., IoT).

The complete Reuters article is at:
http://www.reuters.com/article/2015/07/31/us-fiat-chrysler-hacking-regulator-idUSKCN0Q525U20150731

- Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Sun, 02 Aug 2015 21:31:55 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: DDR3 modules found to be vulnerable to designed intensive memory accesses; alter other contents

------------------------------

Date: Mon, 3 Aug 2015 14:47:10 +0200
From: Peter Bernard Ladkin <ladkin () rvs uni-bielefeld de>
Subject: Re: Space Ship Two crash investigation results (Macintyre, R-28.83)

In Risks 28.82, Alister Macintyre writes about the NTSB public hearings on the accident to SpaceShipTwo (SS2).

The NTSB customarily presents the provisional findings, statement of probable cause, and any safety recommendations they have made or will make. Presentations are made by investigators and comments are received. Little to no written reasoning is given, but matters may be verbally discussed. The final report appears typically months later.

The NTSB's summary of what happened is succinct.
There are twin tail booms on SpaceShip2 with aerodynamic surfaces ("feathers"). Booms with feathers are actuated during reentry to maintain the craft in the design position for aerodynamic braking and heat dispersion. Normal position of both booms is nominally 0° and when activated they rise to 60°.

After release from the carrier aircraft, the rocket is fired up and SS2 accelerates nearly vertically. The booms are locked until the difficult transonic flight regime is passed, and they are unlocked at about Mach 1.4, to ensure they remain ready for deployment when needed somewhat later. But the pilot flying unlocked them while still transonic, below Mach 1. The actuators aren't able alone to hold the booms in place against the aerodynamic forces during this flight phase and the booms deployed. And the spacecraft broke. That is, as techies say, its structural integrity was compromised.

The NTSB largely fingered - or aims to finger - weaknesses in the hazard analysis (HazAn) involving human factors (HF). The point being that there was an event with catastrophic effect (technical term) subject to a single point of failure, namely the human error involved in unlocking too early. Shouldn't be so, they suggest rightly, and say what weaknesses there are in the HazAn process and the assessment process of release to flight which might have allowed this feature to escape sufficient attention.

But Macintyre speaks of "cut corners" and various other deprecations. I strongly disagree with any such suggestions. Getting a HazAn right is very tricky, especially on novel equipment such as this. I don't see evidence for anything like that at this stage. To the contrary, I see people doing a very hard and novel job, largely succeeding, and finding out in the hardest way possible where they need to do better.

I say more at http://www.abnormaldistribution.org/2015/08/03/the-accident-to-spaceship-two/

Prof. Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
www.rvs.uni-bielefeld.de www.causalis.com

------------------------------

Date: 3 Aug 2015 09:41:09 GMT
From: Bob Eager <news0005 () eager cx>
Subject: Re: Why you shouldn't trust your Intel/AMD/ARM chips (RISKS-28.83)

Hagelin was around in about 1924, and tried to sell his early machine to the US and the UK. They weren't interested so he sold it to the Germans.

BTW...that early machine was replicated in software for the original UNIX 'crypt'. There are arrays called wheel1, wheel2 (or similar).

------------------------------

Date: Mon, 3 Aug 2015 10:52:01 -0400
From: Dick Mills <dickandlibbymills () gmail com>
Subject: Re: GW 9525 EASA crash report

"... so there is an apparent need for a better balance between privacy of the individual, and ..."

I've heard some variant of the above statement almost every day of my adult life. Erosion is the appropriate word when applied to privacy. Each "balance" chips away at it. Thus, are mighty mountains eroded to mere dust.

After 50 years of struggle, I'm ready to throw in the towel. Defense of individual privacy is utterly pointless.

------------------------------

Date: Mon, 03 Aug 2015 16:51:58 +0100
From: David Damerell <damerell () chiark greenend org uk>
Subject: Re: Windows 10 and Wifi Sense
What could possibly go wrong?

A great deal, but one thing could possibly go right. This will, at a stroke, ensure essentially every domestic user has plausible deniability for use made of their Internet connection. If a company's business model is to sue a small subset of the people who've infringed copyright in some trivial fashion for wildly disproportionate sums, this ought to nicely cut them off at the knees; and any idea of legislating equally draconian penalties for third-party use of one's wireless will, I hope, also become unfeasible when that turns out to include basically everyone.

It also might, I hope, reduce the utility of ubiquitous snooping by the security services - not just from plausible deniability but because it really won't be that easy to tie an IP address to a person or household.

-- 
David Damerell <damerell () chiark greenend org uk> Kill the tomato!
Today is Tuesday, July. Tomorrow will be Wednesday, July.

------------------------------

Date: Sun, 02 Aug 2015 23:53:30 -0700
From: Geoff Kuenning <geoff () cs hmc edu>
Subject: Re: Windows XP: Embedded systems, what fun...

I still run XP (admittedly, it's in a virtual machine that doesn't respond to the Internet and is relatively little used). Why? Well, Vista didn't offer that much of an improvement. Then everybody said Windows 7 sucked, so no sense in upgrading to that. I tried installing Windows 8 in a fresh VM and found its UI changes so annoying that I shut the thing down and haven't rebooted it. Windows 9 was so bad that Microsoft didn't even release it. And this very issue of RISKS lists severe (to be mild) privacy problems with 10.

I suspect a lot of consumers are of the same mind: XP works well enough for them, and what they hear from their friends who have bought new computers with Vista/8/10 is scary. As for enterprises, those significant UI and other changes make the cost of upgrading extremely high.
In my experience, software developers--especially young ones--rarely grasp the cost of discarding backwards compatibility. They're so focused on "new" and "shiny" and "fancier" that they forget to consider whether it "works". ------------------------------ Date: Mon, 3 Aug 2015 17:17:08 +1200 From: "Richard A. O'Keefe" <ok () cs otago ac nz> Subject: Re: Don't bring your drones to New Zealand (Risks 28.82) It is said that hard cases make bad laws. The New Zealand "Civil Aviation Rules, part 102" can be found at www.caa.govt.nz/rules/Rule_Consolidations/Part_102_Consolidation.pdf There's certainly a "hard cases" issue here. According to http://www.stuff.co.nz/technology/gadgets/70493842/drone-operators-may-need-flying-permits-under-new-rules.html the number of reported drone incidents was 2012: 3, 2013: 9, 2014: 27, 2015 (FIRST HALF): 53. Combine that with the fact that the present government is strongly pro-business, and they want to *allow* more businesses to use more drones for more things, and the fact that previously drones were governed by part 101, which can be found at https://www.caa.govt.nz/rules/Rule.../Part_101_Consolidation.pdf, and covers things like model aircraft and kites, and the badness of the new regulations is a little less clear-cut than might at first appear. For example, under the old regulations, it was forbidden to operate a "remotely piloted aircraft" - within 4km of an aerodrome - above people who have not given consent - above property without prior consent - any higher than 400 feet (feet? we went metric a long time ago; what are *feet* doing in NZ law?) except with detailed prior notice - if your view is obstructed - at night - that weights more than 25kg - or that might drop anything that could do damage. The really important thing is that the new rules DO NOT TAKE ANY OLD PERMISSIONS AWAY. 
Part 102 only applies to "a person who operates an unmanned aircraft OTHER THAN in accordance with Part 101" or who wants an operator certificate anyway. Any way that you were previously allowed to operate a drone, you still are. The point of Part 102 is to *free things up* so that businesses can operate bigger drones, make deliveries, fly higher, fly in the dark &c. The requirement for a pretty detailed "exposition" covering hazards, risks, and mitigation schemes would be far more onerous for hobbyists than the certificate fee, but seems fair enough for a business.

I am not a lawyer. (My father was, but my Ouija board blew a fuse when I tried to install Windows 10.) So my reading of these regulations is definitely subject to correction by people with real knowledge in this area. But just this once, it seems that when a government minister talked about new rules being intended to *increase flexibility*, he may have been telling the truth.

Oh, you may feel that requiring consent before operating above people and property is a hard burden for hobbyists. It may be so, but it is not a burden introduced in Part 102.

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.84
************************