RISKS Forum mailing list archives

Risks Digest 28.89


From: RISKS List Owner <risko () csl sri com>
Date: Wed, 19 Aug 2015 16:17:37 PDT

RISKS-LIST: Risks-Forum Digest  Wednesday 19 August 2015  Volume 28 : Issue 89

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.89.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Technical problem suspends flights along east coast (PGN)
Could Hackers Take Down a City? (Andrea Peterson)
Hackers Say They Have Released Ashley Madison Files (NYTimes)
Ashley Madison hack affects more than 33 million users (PGN)
Voting risk in UK Labour Leadership Election (Paul Gittins)
Wikipedia freedom-of-editing (Ken Knowlton)
Intel to customers: We listen to you... All The Time! (Ariha Setalvad)
Ad Blockers and the Nuisance at the Heart of the Modern Web (NYTimes)
Re: Supreme Court's Free-Speech Expansion Has Far-Reaching Consequences
  (Henry Baker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 19 Aug 2015 13:05:07 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Technical problem suspends flights along east coast
  (Re: RISKS-28.87)

  [Thanks to John Rushby, who notes that this upgrade is a part of ERAM
  (En Route Automation Modernization).  PGN]

The ATC problems that grounded hundreds of flights on Saturday were caused
by `a recent software upgrade' at the high-altitude radar facility in
Leesburg, Virginia, the FAA said in a statement on Monday. The upgrade,
which was installed by Lockheed Martin Corp., had a new function that
allowed controllers to set up a customized window of frequently referenced
data, the FAA said.  But as controllers used the new function, deleted
settings weren't deleted from the system memory, and the storage capacity
was overloaded.  ``This consumed processing power needed for the successful
operation of the overall system,'' the FAA said.

The FAA said it has temporarily suspended the use of this function, and is
working with Lockheed on a permanent solution.  "The company is closely
examining why the issue was not identified during testing," the FAA said.

<http://www.avweb.com/avwebflash/news/ATC-Failure-Disrupts-Airline-Flights-224698-1.html>
<http://www.faa.gov/news/press_releases/news_story.cfm?newsId=19354>
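The failure pattern the FAA describes, a delete that only flags a record and leaves it resident, paired with the kind of soak test that would have exposed it before deployment. This is an added Python illustration, not FAA, Lockheed Martin or ERAM code; the class and function names are hypothetical and the "window" payloads are constructed stand-ins for controller display settings.

```python
"""Tombstone-delete leak and a soak test that detects it (added example)."""

import tracemalloc


class TombstoneWindowStore:
    """Buggy store: delete() only flags an entry, so the record stays resident."""

    def __init__(self):
        self._entries = {}   # window id -> (payload, is_deleted)
        self._next_id = 0

    def create(self, payload):
        wid = self._next_id
        self._next_id += 1
        self._entries[wid] = (payload, False)
        return wid

    def delete(self, wid):
        payload, _ = self._entries[wid]
        self._entries[wid] = (payload, True)   # flagged deleted, but still held

    def resident_count(self):
        """Records still occupying memory, deleted or not."""
        return len(self._entries)


class ReleasingWindowStore(TombstoneWindowStore):
    """Fixed store: delete() actually drops the record."""

    def delete(self, wid):
        del self._entries[wid]


def soak(store, cycles, payload_bytes=1024):
    """Create and delete a window `cycles` times, as a controller would over a
    shift, and return how many records are still resident afterwards.
    A leak-free store returns 0."""
    for _ in range(cycles):
        wid = store.create(bytearray(payload_bytes))
        store.delete(wid)
    return store.resident_count()


def leaks(store_cls, cycles=1000):
    """True if resident records grow with normal use, i.e. the store leaks."""
    return soak(store_cls(), cycles) > 0


def bytes_retained(store_cls, cycles=1000, payload_bytes=1024):
    """Black-box variant: measure Python heap growth across the soak with
    tracemalloc, for stores whose internals cannot be inspected."""
    tracemalloc.start()
    store = store_cls()
    before, _ = tracemalloc.get_traced_memory()
    soak(store, cycles, payload_bytes)
    after, _ = tracemalloc.get_traced_memory()
    tracemalloc.stop()
    return after - before


if __name__ == "__main__":
    for cls in (TombstoneWindowStore, ReleasingWindowStore):
        print(cls.__name__, "leaks:", leaks(cls),
              "retained bytes:", bytes_retained(cls, 200))
```

The point of the test is that it exercises the delete path repeatedly and asserts on what remains, rather than only checking that a single create/delete pair "works". A store that passes a functional test can still fail the soak, which is the gap the FAA statement points at.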

------------------------------

Date: Wed, 19 Aug 2015 12:44:15 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: Could Hackers Take Down a City? (Andrea Peterson)

Andrea Peterson, *The Washington Post*, 18 Aug 2015 (via ACM TechNews)

Researchers such as David Raymond, deputy director of Virginia Polytechnic
Institute and State University's IT Security Lab, warn of the possibility of
cyberattackers crippling a city because of urban centers' increasing
reliance on technology and the frail, messy connections that bind those
systems together.  "The digital pathways between all of the entities and
organizations in a city [are] often not well managed," Raymond cautions.
"In many cases, there's no overarching security architecture or even
understanding of holistically what the city looks like."  Raymond,
U.S. Military Academy at West Point professor Gregory Conti, and Drawbridge
Networks' Tom Cross presented research at this month's Black Hat USA
conference on cities' cyber-vulnerabilities.  They speculate transportation
systems are one area that may be susceptible to a targeted attack, given
they are places where otherwise well-shielded technology may converge in
ways that are not well protected, leading to a cascade effect that impacts
the entire city.  Other researchers presenting at Black Hat detailed how
security vulnerabilities involving Ethernet switches could be exploited to
cause a nuclear plant shutdown.  Conti also notes cities concerned about
hacking vulnerabilities often have difficulty drawing the right specialists
and secure resources to offer a long-term solution.  Cross argues cities
should use the same types of risk management tactics they apply to
traditional attacks to the digital domain.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-dfe2x2d26bx062548&

------------------------------

Date: Wed, 19 Aug 2015 01:11:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: Hackers Say They Have Released Ashley Madison Files

http://bits.blogs.nytimes.com/2015/08/18/hackers-say-they-have-released-ashley-madison-files/

Hackers said last month that they had breached the computer network of the
adult dating site and stole passwords, email addresses and transaction
information.

------------------------------

Date: Wed, 19 Aug 2015 15:15:12 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Ashley Madison hack affects more than 33 million users

Michael Miller, *The Washington Post*, 19 Aug 2015
Up to 40 million members of infidelities-R-us Web site compromised?
http://www.washingtonpost.com/news/morning-mix/wp/2015/08/19/dont-gloat-about-the-ashley-madison-leak-its-about-way-more-than-infidelity/?hpid=z8

Personal info of some 33 million users is now available for download.
15,000 people with U.S. .mil/.gov addresses, 133 UK folks with links to
   gov/local authorities.
http://www.wired.co.uk/news/archive/2015-08/19/ashley-madison-have-i-been-hacked
Welcome to the first day of the rest of your Internet!
35M e-addresses, 33M accounts, including every credit-card transaction from
  the last seven years.
http://www.theawl.com/2015/08/notes-on-the-ashley-madison-hack

Lots more.  This is REALLY UGLY.

... seamy, see-me squirming, unseemly, ...

------------------------------

Date: Wed, 19 Aug 2015 20:43:02 +0100
From: Paul Gittins <paul.gittins () gmail com>
Subject: Voting risk in UK Labour Leadership Election

A family member received their online vote for the UK Labour leadership
election - the party in opposition electing a new leader after they lost in
May 2015.

Politics aside, I was concerned by their approach to security and the
risks. As the opposition party there are no fundamental constitutional
issues, but poor practice, especially as it was run by a 3rd party
(Electoral Reform Services Ltd).

There seems little point in putting in place "2 part security" when they send
both parts in the same email... Also of note -- if you have technical issues
you are supposed to send them part one of the code as part of the report --
a minor issue but still poor security.

The email read:

Dear ZZZZ,

You can now vote for the next Leader and Deputy Leader of the Labour Party.

You can vote online and your vote must be received by 12 noon on Thursday
10 September to count.

To vote, go to http://www.labour.org.uk/ballot2015 and enter the following
two-part security code to confirm your identity:

Security Code Part One: <redacted, all 8 digits>
Security Code Part Two: <redacted, 4 letters>

Once you have entered your security code, the website will give clear
instructions on how to cast your vote. It takes just a few moments to cast
your vote online, and you can do so at any time until the ballot closes at
12 noon on Thursday 10 September.

------------------------------

Date: Tue, 18 Aug 2015 18:10:12 -0400
From: Ken Knowlton <kcknowlton () aol com>
Subject: Wikipedia freedom-of-editing

Re: Wikipedia's loose control: 'LaurensRS' posted on "my" Ken Knowlton
Wikipedia site a rant so crude that I think it's actually amusing.  But,
because I'm still a living person (14 years into my 70's), it was removed
after three weeks of glory there.  It is, however, still available in Wiki's
edit history:

http://en.wikipedia.org/w/index.php?title=Ken_Knowlton&diff=616405285&oldid=613415154

  [Ken, Does this imply that, similar to known cases of dead people having
  had votes cast in their names for years after their deaths, the deceased
  should actually be able to request false wikipages be removed?  PGN]

------------------------------

Date: Wed, 19 Aug 2015 07:31:46 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Intel to customers: We listen to you... All The Time!
  (Ariha Setalvad)

FYI -- The insane idiocy of this "feature" has left me speechless...

Is that an Intel in your pocket, or are you just happy to hear me?

Obviously, Intel wants to cozy up to the NSA/FBI/GCHQ even more than AT&T.

Of course, (many?) previous Intel processors already have this feature, and
Skylake is just the first one that has been publicly acknowledged.

"Intel said voice activation was technically possible with last year's
Core M chips."

Nice knowing you, Intel!

https://www.theverge.com/2015/8/18/9174887/microsoft-cortana-intel-voice-activation

Intel's new processors let you wake your computer with your voice

Ariha Setalvad, 18 Aug 2015

Intel's newest Skylake processors have a slightly [why only slightly?]
creepy new feature -- they're always listening to you.  Shout "hey Cortana"
or "Cortana, wake up" at a Windows 10 machine with one of the new chips, and
your voice will be picked up by a digital signal processor secreted inside
the chip that will rouse your PC from its low power state.  Once it wakes
up, Cortana takes over and you can use all the standard voice commands,
including telling the digital assistant to play music or videos.

The company announced the new feature at its Intel Developer Forum in San
Francisco today.  A similar option also appeared on Microsoft's Xbox One and
Motorola's Moto X smartphone, but as with those devices, after the novelty
wears off, you might find it easier to simply turn on your machine in the
normal way instead of yelling at it from across the room.  Intel didn't
mention how much power the always-listening mode will drain or how much it
will affect the standby power, nor whether users would need any extra
hardware in order to boss their computer around with words.  Although Intel
said voice activation was technically possible with last year's Core M
chips, it's only now with Windows 10 and its Cortana integration that PCs
can take advantage of the feature.

------------------------------

Date: Wed, 19 Aug 2015 09:29:56 -0400
From: Monty Solomon <monty () roscom com>
Subject: Ad Blockers and the Nuisance at the Heart of the Modern Web

http://www.nytimes.com/2015/08/20/technology/personaltech/ad-blockers-and-the-nuisance-at-the-heart-of-the-modern-web.html

The adoption of ad-blocking technology is rising steeply. Some see an
existential threat to online content as we know it, but others see a new
business niche.

------------------------------

Date: Tue, 18 Aug 2015 14:55:23 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: Supreme Court's Free-Speech Expansion Has Far-Reaching Consequences

Wow!  This First Amendment case is a real shot across the bow on a large
number of fronts; I agree with Peter that the real implications will be
significant for the Internet.

Here are some quick thoughts:

* "Right to be forgotten"/"ban the box": fuhgeddaboudit in the U.S.

* Publishing 0-day vulnerabilities (no 2-year prior restraint by Volkswagen):

http://www.bloomberg.com/news/articles/2015-08-14/vw-has-spent-two-years-trying-to-hide-a-big-security-flaw

http://www.theguardian.com/technology/2013/jul/30/car-hacking-ignition-injunction

http://www.theguardian.com/technology/2013/jul/26/scientist-banned-revealing-codes-cars

* Non-"PC" speech can't be banned on public university campuses and online
  forums.

* Is it too much to hope that parts of DMCA would now be considered
  unconstitutional due to First Amendment violations?

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.89
************************

