RISKS Forum mailing list archives
Risks Digest 28.89
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 19 Aug 2015 16:17:37 PDT
RISKS-LIST: Risks-Forum Digest  Wednesday 19 August 2015  Volume 28 : Issue 89

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.89.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Technical problem suspends flights along east coast (PGN)
Could Hackers Take Down a City? (Andrea Peterson)
Hackers Say They Have Released Ashley Madison Files (NYTimes)
Ashley Madison hack affects more than 33 million users (PGN)
Voting risk in UK Labour Leadership Election (Paul Gittins)
Wikipedia freedom-of-editing (Ken Knowlton)
Intel to customers: We listen to you... All The Time! (Ariha Setalvad)
Ad Blockers and the Nuisance at the Heart of the Modern Web (NYTimes)
Re: Supreme Court's Free-Speech Expansion Has Far-Reaching Consequences
  (Henry Baker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 19 Aug 2015 13:05:07 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Technical problem suspends flights along east coast (Re: RISKS-28.87)

  [Thanks to John Rushby, who notes that this upgrade is a part of ERAM
  (En Route Automation Modernization).  PGN]

The ATC problems that grounded hundreds of flights on Saturday were caused by
`a recent software upgrade' at the high-altitude radar facility in Leesburg,
Virginia, the FAA said in a statement on Monday.  The upgrade, which was
installed by Lockheed Martin Corp., had a new function that allowed
controllers to set up a customized window of frequently referenced data, the
FAA said.  But as controllers used the new function, deleted settings weren't
deleted from the system memory, and the storage capacity was overloaded.

``This consumed processing power needed for the successful operation of the
overall system,'' the FAA said.  The FAA said it has temporarily suspended
the use of this function, and is working with Lockheed on a permanent
solution.  "The company is closely examining why the issue was not identified
during testing," the FAA said.

<http://www.avweb.com/avwebflash/news/ATC-Failure-Disrupts-Airline-Flights-224698-1.html>
<http://www.faa.gov/news/press_releases/news_story.cfm?newsId=19354>

------------------------------

Date: Wed, 19 Aug 2015 12:44:15 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: Could Hackers Take Down a City? (Andrea Peterson)

Andrea Peterson, *The Washington Post*, 18 Aug 2015 (via ACM TechNews)

Researchers such as David Raymond, deputy director of Virginia Polytechnic
Institute and State University's IT Security Lab, warn of the possibility of
cyberattackers crippling a city because of urban centers' increasing reliance
on technology and the frail, messy connections that bind those systems
together.  "The digital pathways between all of the entities and
organizations in a city [are] often not well managed," Raymond cautions.  "In
many cases, there's no overarching security architecture or even
understanding of holistically what the city looks like."  Raymond, U.S.
Military Academy at West Point professor Gregory Conti, and Drawbridge
Networks' Tom Cross presented research at this month's Black Hat USA
conference on cities' cyber-vulnerabilities.  They speculate transportation
systems are one area that may be susceptible to a targeted attack, given they
are places where otherwise well-shielded technology may converge in ways that
are not well protected, leading to a cascade effect that impacts the entire
city.  Other researchers presenting at Black Hat detailed how security
vulnerabilities involving Ethernet switches could be exploited to cause a
nuclear plant shutdown.

Conti also notes cities concerned about hacking vulnerabilities often have
difficulty drawing the right specialists and secure resources to offer a
long-term solution.  Cross argues cities should use the same types of risk
management tactics they apply to traditional attacks to the digital domain.

http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-dfe2x2d26bx062548&

------------------------------

Date: Wed, 19 Aug 2015 01:11:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: Hackers Say They Have Released Ashley Madison Files

http://bits.blogs.nytimes.com/2015/08/18/hackers-say-they-have-released-ashley-madison-files/

Hackers said last month that they had breached the computer network of the
adult dating site and stole passwords, email addresses and transaction
information.

------------------------------

Date: Wed, 19 Aug 2015 15:15:12 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Ashley Madison hack affects more than 33 million users

Michael Miller, *The Washington Post*, 19 Aug 2015
Up to 40 million members of infidelities-R-us Web site compromised?
http://www.washingtonpost.com/news/morning-mix/wp/2015/08/19/dont-gloat-about-the-ashley-madison-leak-its-about-way-more-than-infidelity/?hpid=z8

Personal info of some 33 million users is now available for download.
15,000 people with U.S. .mil/.gov addresses, 133 UK folks with links to
gov/local authorities.
http://www.wired.co.uk/news/archive/2015-08/19/ashley-madison-have-i-been-hacked

Welcome to the first day of the rest of your Internet!  35M e-addresses, 33M
accounts, including every credit-card transaction from the last seven years.
http://www.theawl.com/2015/08/notes-on-the-ashley-madison-hack

Lots more.  This is REALLY UGLY.  ... seamy, see-me squirming, unseemly, ...

------------------------------

Date: Wed, 19 Aug 2015 20:43:02 +0100
From: Paul Gittins <paul.gittins () gmail com>
Subject: Voting risk in UK Labour Leadership Election

A family member received their online vote for the UK Labour leadership
election - the party in opposition electing a new leader after they lost in
May 2015.  Politics aside, I was concerned by their approach to security and
the risks.  As the opposition party there are no fundamental constitutional
issues, but poor practice, especially as it was run by a 3rd party (Electoral
Reform Services Ltd).

There seems little point in putting in place "2 part security" when they send
both parts in the same email...  Also of note -- if you have technical issues
you are supposed to send them part one of the code as part of the report -- a
minor issue but still poor security.

The email read:

  Dear ZZZZ,

  You can now vote for the next Leader and Deputy Leader of the Labour
  Party.  You can vote online and your vote must be received by 12 noon on
  Thursday 10 September to count.

  To vote, go to http://www.labour.org.uk/ballot2015 and enter the following
  two-part security code to confirm your identity:

  Security Code Part One: <redacted, all 8 digits>
  Security Code Part Two: <redacted, 4 letters>

  Once you have entered your security code, the website will give clear
  instructions on how to cast your vote.  It takes just a few moments to
  cast your vote online, and you can do so at any time until the ballot
  closes at 12 noon on Thursday 10 September.

------------------------------

Date: Tue, 18 Aug 2015 18:10:12 -0400
From: Ken Knowlton <kcknowlton () aol com>
Subject: Wikipedia freedom-of-editing

Re: Wikipedia's loose control: 'LaurensRS' posted on "my" Ken Knowlton
Wikipedia site a rant so crude that I think it's actually amusing.  But,
because I'm still a living person (14 years into my 70's), it was removed
after three weeks of glory there.

It is, however, still available in Wiki's edit history:
http://en.wikipedia.org/w/index.php?title=Ken_Knowlton&diff=616405285&oldid=613415154

  [Ken, Does this imply that, similar to known cases of dead people having
  had votes cast in their names for years after their deaths, the deceased
  should actually be able to request false wikipages be removed?  PGN]

------------------------------

Date: Wed, 19 Aug 2015 07:31:46 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Intel to customers: We listen to you... All The Time! (Ariha Setalvad)

FYI -- The insane idiocy of this "feature" has left me speechless...

Is that an Intel in your pocket, or are you just happy to hear me?

Obviously, Intel wants to cozy up to the NSA/FBI/GCHQ even more than AT&T.

Of course, (many?) previous Intel processors already have this feature, and
Skylake is just the first one that has been publicly acknowledged.  "Intel
said voice activation was technically possible with last year's Core M
chips."

Nice knowing you, Intel!

https://www.theverge.com/2015/8/18/9174887/microsoft-cortana-intel-voice-activation

Intel's new processors let you wake your computer with your voice
Ariha Setalvad, 18 Aug 2015

Intel's newest Skylake processors have a slightly [why only slightly?] creepy
new feature -- they're always listening to you.  Shout "hey Cortana" or
"Cortana, wake up" at a Windows 10 machine with one of the new chips, and
your voice will be picked up by a digital signal processor secreted inside
the chip that will rouse your PC from its low power state.  Once it wakes up,
Cortana takes over and you can use all the standard voice commands, including
telling the digital assistant to play music or videos.  The company announced
the new feature at its Intel Developer Forum in San Francisco today.

A similar option also appeared on Microsoft's Xbox One and Motorola's Moto X
smartphone, but as with those devices, after the novelty wears off, you might
find it easier to simply turn on your machine in the normal way instead of
yelling at it from across the room.  Intel didn't mention how much power the
always-listening mode will drain or how much it will affect the standby
power, nor whether users would need any extra hardware in order to boss their
computer around with words.  Although Intel said voice activation was
technically possible with last year's Core M chips, it's only now with
Windows 10 and its Cortana integration that PCs can take advantage of the
feature.

------------------------------

Date: Wed, 19 Aug 2015 09:29:56 -0400
From: Monty Solomon <monty () roscom com>
Subject: Ad Blockers and the Nuisance at the Heart of the Modern Web

http://www.nytimes.com/2015/08/20/technology/personaltech/ad-blockers-and-the-nuisance-at-the-heart-of-the-modern-web.html

The adoption of ad-blocking technology is rising steeply.  Some see an
existential threat to online content as we know it, but others see a new
business niche.

------------------------------

Date: Tue, 18 Aug 2015 14:55:23 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: Supreme Court's Free-Speech Expansion Has Far-Reaching Consequences

Wow!  This First Amendment case is a real shot across the bow on a large
number of fronts; I agree with Peter that the real implications will be
significant for the Internet.

Here are some quick thoughts:

* "Right to be forgotten"/"ban the box": fuhgeddaboudit in the U.S.

* Publishing 0-day vulnerabilities (no 2-year prior restraint by Volkswagen):
  http://www.bloomberg.com/news/articles/2015-08-14/vw-has-spent-two-years-trying-to-hide-a-big-security-flaw
  http://www.theguardian.com/technology/2013/jul/30/car-hacking-ignition-injunction
  http://www.theguardian.com/technology/2013/jul/26/scientist-banned-revealing-codes-cars

* Non-"PC" speech can't be banned on public university campuses and online
  forums.

* Is it too much to hope that parts of DMCA would now be considered
  unconstitutional due to First Amendment violations?

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com  or  risks-unsubscribe () csl sri com
 depending on which action is to be taken.  Subscription and
 unsubscription requests require that you reply to a confirmation message
 sent to the subscribing mail address.  Instructions are included in the
 confirmation message.  Each issue of RISKS that you receive contains
 information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
 browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.89
************************