RISKS Forum mailing list archives
Risks Digest 28.93
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 3 Sep 2015 12:25:58 PDT
RISKS-LIST: Risks-Forum Digest  Thursday 3 September 2015  Volume 28 : Issue 93

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.93.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Bloomberg: HSBC Fault Keeps 275,000 People From Payday (Gabe Goldberg)
Automating Oil Drilling (Forbes)
It's A Bird... It's A Plane... It's NonLethalDrone (Justin Glawe via Henry Baker)
Drone-Killing Laser Cannon (Jordan Golson via Henry Baker)
Comey high 5's Turkey for arresting encrypting journalists (Umut Uras)
Breaking Wyndham (FTC via Henry Baker)
A Roadmap for a World Without Drivers (Medium via Lauren Weinstein)
Google's Driverless Cars Run Into Problem: Cars With Drivers (NYTimes)
Uber Hires Two Engineers Who Showed Car Hackings (Isaac/Perlroth)
Vehicles with keyless ignition systems may continue to run unattended (Bob Gezelter)
Many new top-level domains have become Internet's `bad neighborhoods' (Ars Technica)
Popular Belkin Wi-Fi routers plagued by unpatched security flaws (Lucian Constantin)
Act Now To Save WiFi From The FCC (Brian Benchoff)
Two-Factor Authentication Phishing From Iran (Citizen Lab)
Heidelberg Laureate Forum on data collection (Katherine Noyes)
No gigabyte nets for autonomous vehicles (Mike Liebhold, Ross Stapleton-Gray)
Tools for Tailored Learning May Expose Students' Personal Details (NYTimes)
Zuckerberg cheers as 1 billion suckers login to Facebook in 24 hours (Matthew Kruk)
Windows 7, 8, and 10: Now all collecting user data for Microsoft (Fahmida Y. Rashid)
Windows Creepy Spying extended to Win7/8 (Henry Baker)
Unwanted data transmissions by Windows 10 (Joe Durusau)
U.S. Senate Report on Target breach (Alister Wm Macintyre)
Ashley Madison Hack Creates Ethical Conundrum For Researchers (HuffPost)
Re: Data from hack of Ashley Madison cheater site (Dan Jacobson)
Re: ATM security risk: nonfinalization (Dan Jacobson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 28 Aug 2015 14:47:05 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Bloomberg: HSBC Fault Keeps 275,000 People From Payday

[Not the kind of payday loan people want...]

Bloomberg, 28 Aug 2015

HSBC Holdings Plc said most of the 275,000 payments from U.K. business customers it failed to process Friday will be completed by the end of the day after a software problem held up transactions before a long weekend.

To read the entire article, go to http://bloom.bg/1NLnjqV

------------------------------

Date: Wed, 26 Aug 2015 19:24:32 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Automating Oil Drilling (Forbes)

The 7 Sep 2015 edition of Forbes Magazine (cover story about Tesla) has an article pages 46-48 about the future of oil drilling, how humans are to be replaced by robots. There is an illustration on page 48 of how this will work, where personnel back at HQ will manage all the hardware at the drilling site, in much the same way as military drones over the Middle East, and Asia, are operated by remote pilots at NATO military bases.

I see things which can go wrong with this notion. The page 48 illustration looks to me to be *exactly* what BP had at the time of the Gulf of Mexico oil spill. People back at HQ had lots of feeds telling them exactly what was going on at the drill site, but were clueless even before the explosion ripped out their Internet connections. I watched US Coast Guard hearings into that disaster. The hardware back at HQ reminded me of computer security logs. You have to be ultra-trained in what the heck all that means, to make heads or tails of it, but a lot of corporate hiring is of people with no relevant experience.

There are similar things going on with ground transportation disasters. Hardware seems to be designed with the assumption that nothing will ever go wrong, so the info about what's going on is not made user-friendly. The first a place knows that they have had a major disaster is when human witnesses nearby phone in what they see, so human technicians are sent out to investigate, who may not have the right tools or training to deal with it properly. The data is at HQ, but no one there knows how to interpret it.

State-of-art needs to be upgraded, in many industries, to make the data intelligible to non-technical management, so it does not need specialist training for translation. Also more industries need rapidly deployable First Responders, with a good spectrum of resources, similar to what city Public Utilities have. People on-site, at the BP Gulf Oil disaster, could have averted it, had they been given relevant training, and documentation, which they did not get. Will the same mentality program the robots? They are getting data faster, from deep below the ground; expect that soon the oil workers will have the data on their smart phones.

There are more problems, which we learn from the killer drones. Every auto driver knows that we need to avoid tailgating, or going too fast for conditions, because when there is trouble ahead, our eyes see it, our brain interprets the situation, then tells our body to react, changing steering, speed of auto. This does not happen instantaneously. The military drones have an added dimension called "latency," or the time it takes, for what the drone sees, to bounce off a satellite in space, get to the remote operator, to decide what to do, then there is the signal in the reverse direction. So if the drone sees a potential enemy, and the remote pilot says to kill that enemy, then thanks to latency, the drone will miss, as the target has probably moved in the meantime. That's why our military blows up entire buildings - schools, restaurants, housing complexes. They don't move, and there is a suspect inside. That's one reason why there is a high rate of innocent bystander collateral damage killed by that technology.

So if the automated oil rigs are to be managed by operators at HQ, is there any data for which the latency will make reactions too slow? The killer drones can be hacked. How about the feed between HQ and an automated oil well, to cause an accident on purpose? Already some oil wells are fully automated.

------------------------------

Date: Wed, 26 Aug 2015 21:03:08 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: It's A Bird... It's A Plane... It's NonLethalDrone (Justin Glawe)

FYI -- And some people can't understand why campaigns like "Black Lives Matter" are gaining so much support...

Don't police officers have to announce themselves as police officers (including wearing a uniform and showing a badge) in order to not get shot at themselves when they pull out a deadly weapon? How does an armed police drone properly announce itself so as not to get shot down? And how exactly is an ordinary citizen to know that his/her life is *not* in danger when some drone (police or otherwise) starts shooting at him/her? There still is a Second Amendment to the Constitution, and imminent deadly force can be met with deadly force -- particularly when the only thing left `dead' is an inanimate drone.

Quotes:

``Less than lethal weapons like rubber bullets, pepper spray, tear gas, sound cannons, and Tasers are therefore *permitted* on police drones.''

``At least 39 people have been killed by police Tasers in 2015 so far.''

``Rost said he needs to use drones for surveillance in order to obtain a warrant in the first place.''  [Going fishing, are we?]
Justin Glawe, Armed Drones for Cops Are Now Legal, 26 Aug 2015
ND: First State Legalizes Taser Drones for Cops, Thanks to a Lobbyist
http://www.thedailybeast.com/articles/2015/08/26/first-state-legalizes-armed-drones-for-cops-thanks-to-a-lobbyist.html

------------------------------

Date: Thu, 27 Aug 2015 20:48:04 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Drone-Killing Laser Cannon (Jordan Golson)

FYI -- Let's see: a number of high efficiency precision corner reflectors mounted on the drone would do a pretty good job on this IR laser cannon and/or its operator. If these corner reflectors weren't individually too large, they wouldn't reflect back very much in the microwave wavelengths, thus making it harder for radar detection and guidance. Millions of dollars of equipment ruined by a few dollars worth of corner reflectors.

https://en.wikipedia.org/wiki/Corner_reflector

And what could possibly go wrong with a 2kw continuous invisible IR laser in an urban environment? Lemme guess: the name of the weapon? "Archimedes"? Shouldn't we worry that this IR cannon "cure" could be worse than the drone disease?

http://www.sciencebuzz.org/blog/archimedes-heat-ray

``Other than numerous safety warnings to ensure *no one was blinded by the two-kilowatt infrared laser*, there was no fanfare. No explosions, *no visible beam*.''

``Boeing's developed a laser cannon specifically designed to turn unmanned aircraft [and your entire neighborhood] into flaming wreckage.''

http://www.wired.com/2015/08/welcome-world-drone-killing-laser-cannon/
Welcome to the World, Drone-Killing Laser Cannon
Jordan Golson, *WiReD*, 27 Aug 2015
http://www.wired.com/wp-content/uploads/2015/08/IMG_6496-copy-582x418.jpg

------------------------------

Date: Wed, 02 Sep 2015 09:51:51 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Comey high 5's Turkey for arresting encrypting journalists

FYI: "The main issue seems to be that the [Vice News] fixer uses a complex encryption system on his personal computer that a lot of ISIL militants also utilise for strategic communications."

The journalists were also using cars that could have been used as car bombs. Water bottles were also found; 100% of terrorists are known to use water.

http://www.aljazeera.com/news/2015/09/vice-news-fixer-arrested-encryption-software-150901200622345.html

Umut Uras, Vice News fixer 'charged over encryption software', 2 Sep 2015
Turkey official tells Al Jazeera charges made after fixer found to have encryption software used by ISIL on his laptop.

Three staff members from Vice News were charged with "engaging in terrorist activity" because one of the men was using an encryption system on his personal computer which is often used by the Islamic State of Iraq and the Levant (ISIL), a senior press official in the Turkish government has told Al Jazeera.

Two UK journalists, Jake Hanrahan and Philip Pendlebury, along with their Turkey-based Iraqi fixer and a driver, were arrested on Thursday in Diyarbakir while filming clashes between security forces and youth members of the outlawed and armed Kurdistan Workers' Party (PKK).

On Monday, the three men were charged by a Turkish judge in Diyarbakir with "engaging in terrorist activity" on behalf of ISIL; the driver was released without charge.

The Turkish official, who spoke on condition of anonymity, told Al Jazeera: "The main issue seems to be that the fixer uses a complex encryption system on his personal computer that a lot of ISIL militants also utilise for strategic communications."

Speaking to Al Jazeera, Tahir Elci, the head of the Diyarbakir lawyers association, said: "I find it ridiculous that they were taken into custody. I don't believe there is any accuracy to what they are charged for.

"To me, it seems like an attempt by the government to get international journalists away from the area of conflict. [...]

------------------------------

Date: Thu, 27 Aug 2015 07:45:26 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: FTC: Breaking Wyndham

FYI -- And companies are asking the govt to provide them with even more immunity from liability? This is yet more of the same type of "socializing losses while privatizing profits" scheme that we have come to know & love from the recent financial crisis.

According to the FTC complaint, ``there were no fewer than 10 practices that taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft.''

``Apparently both the username and password for a Wyndham property management system developed by Micros Systems Inc. was *micros*.''

``The company had no security controls whatsoever in many of these areas.''

The 2007 FTC guidebook ``advises companies to *consider encrypting sensitive information*'' ["Consider"? As in a street sign that says *Consider Stopping*?]

``The FTC [is] in a very tricky position -- trying to hold companies accountable for failing to implement reasonable security measures without ever defining what those reasonable measures are.''

``How were we supposed to implement adequate security when no one ever told us what that means?''

Josephine Wolff, *Slate*, 26 Aug 2015
What Exactly Does Reasonable Mean? The FTC's maddening attempts to hold companies liable for cybersecurity lapses.
http://www.slate.com/articles/technology/future_tense/2015/08/the_ftc_punishes_wyndham_for_failing_to_protect_customer_data.html

------------------------------

Date: Sun, 30 Aug 2015 08:52:18 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: A Roadmap for a World Without Drivers

Medium via NNSquad
https://medium.com/@alexrubalcava/a-roadmap-for-a-world-without-drivers-573aede0c968

  The reaction to the first car bombing using an AV is going to be massive, and it's going to be stupid. CNN will go into "missing airplane" mode. There will be calls for the government to issue a stop to all AV operations, much in the same way that the FAA ordered a ground stop after 9/11. But unlike 9/11, which involved a decades-old transportation infrastructure, the first AV bombing will use an infrastructure in its infancy, one that will be much easier to shut down. That shutdown could stretch from temporary to quasi-permanent with ease, as security professionals grapple with the technical challenge of distinguishing between safe, legitimate payloads and payloads that are intended to harm.

  The scenario described above -- using an AV to commit a violent crime -- involves no hacking. Hacking is the second major barrier to adoption that will present unique problems to AVs.

Yep, like I've been saying for ages. To be clear, I fully support autonomous vehicle research, because I believe it will save millions of lives just through advanced driver assist systems. But once you go truly autonomous, the Pandora's Box opens in ways most of us have only begun to think about.
------------------------------

Date: Wed, 2 Sep 2015 02:24:56 -0400
From: Monty Solomon <monty () roscom com>
Subject: Google's Driverless Cars Run Into Problem: Cars With Drivers

http://www.nytimes.com/2015/09/02/technology/personaltech/google-says-its-not-the-driverless-cars-fault-its-other-drivers.html

The cars have been involved in a smattering of minor accidents because they observe traffic laws to the letter -- and people don't.

------------------------------

Date: Sat, 29 Aug 2015 15:32:18 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Uber Hires Two Engineers Who Showed Car Hackings

The above subject line is the title of an article by Mike Isaac and Nicole Perlroth in *The New York Times*, 29 Aug 2015 (page B2 in the National Edition). Charlie Miller and Chris Valasek have been hired by Uber's offices in Pittsburgh to help ensure the security and safety of Uber's self-driving car and robotics research. (See RISKS-28.80 and .81 on their most recent exploits.)

Whatever you think of Uber, the desire for greater security and safety is welcome. However, Uber is also going to need more people with broad expertise in total system architectures for trustworthy systems. Despite the hype, trustworthy self-driving cars in a completely automated highway that is meaningfully risk-free seem to be a long ways off.

------------------------------

Date: Fri, 28 Aug 2015 12:40:16 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: Vehicles with keyless ignition systems may continue to run unattended

Many new vehicles are equipped with keyless ignition systems. The vehicle is started with a button, so long as an electronic key fob is present. Unfortunately, this creates the potential for a number of hazards not found in keyed ignition systems.

Apparently, some of these vehicles will continue operation if the key fob is no longer in the vehicle. With some of the quieter running power plants (e.g., hybrids), they will eventually activate their internal combustion power plants when the batteries run low. This creates a carbon monoxide hazard when the car is in a closed space (e.g., garage). The hazard happens when the owner leaves the vehicle without successfully turning off all the ignition (e.g., clumsy button push with gloved hand).

Solutions to this problem are not simple. Simply requiring the presence of a working key fob opens the possibility of unexpected system shutdown if the key fob stops functioning (e.g., bad battery).

The complete Money article is at CNN:
money.cnn.com/2015/08/26/autos/keyless-ignition-lawsuit/index.html

------------------------------

Date: Thu, 3 Sep 2015 10:24:08 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Many new top-level domains have become Internet's "bad neighborhoods"

http://arstechnica.com/security/2015/09/many-new-top-level-domains-have-become-internets-bad-neighborhoods/

  There were many who warned that the Internet Corporation for Assigned Names and Numbers' (ICANN) decision to allow a host of new commercial generic top-level Internet domains was going to create a huge opportunity for Internet scammers and hackers. The approval of top-level domains (TLDs) beyond those assigned to countries and generic ones such as .com, .org, and .net created an opportunity, some in the security industry warned, for criminals to set up "look-alike" domains in the new namespace that aped legitimate sites already registered in .com or elsewhere. Well, the warnings were spot-on.

Uh, like nobody predicted this, right? As Gomer Pyle would say, "Surprise, surprise, surprise!"
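A look-alike domain triage script, added here to illustrate the abuse the Ars Technica piece describes (registrations in the new namespace that ape a brand living in .com or elsewhere); it is not code from Ars Technica, ICANN, Lauren, or any registry. The brand table, the confusables map and the sample registrations are all constructed for the example, and two shortcuts are deliberate: the registrable label is taken to be the second-to-last label instead of consulting the Public Suffix List, and the confusables map is a hand-picked fragment rather than the full Unicode TR39 table.

```python
"""Look-alike domain triage for new-gTLD registrations (added example).

Not code from Ars Technica, ICANN or the RISKS list; every table and every
sample registration is constructed for illustration.  Simplifications:
  * registrable label == second-to-last label (no Public Suffix List);
  * CONFUSABLE is a small hand-picked subset of Unicode TR39.
"""

# Brand labels the defender wants protected, with the TLD they legitimately
# use (constructed list).
LEGIT = {"paypal": "com", "microsoft": "com", "amazon": "com", "google": "com"}

# Substitutions attackers use because they look alike in a browser bar.
# Multi-character keys are applied first so "rn" -> "m" beats "1" -> "l".
CONFUSABLE = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a",  # Cyrillic small a
    "\u043e": "o",  # Cyrillic small o
    "\u0435": "e",  # Cyrillic small ie
}


def to_unicode(domain):
    """Undo punycode (xn--) so homoglyph checks see the glyphs a user sees."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA: keep it raw


def skeleton(label):
    """Collapse a label to the ASCII string it is trying to look like."""
    s = label.lower()
    for src in sorted(CONFUSABLE, key=len, reverse=True):
        s = s.replace(src, CONFUSABLE[src])
    return s


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters each cost 1 (so 'amaozn' is 1 from 'amazon')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain):
    """Return (verdict, brand), or None when the name resembles no brand.

    Verdicts, checked in this order:
      legitimate        exact brand label under its own TLD
      brand-in-new-tld  exact brand label under some other TLD (paypal.xyz)
      homoglyph         label becomes the brand after confusable folding
      embedded-brand    folded label contains the brand (paypal-login.top)
      typosquat         folded label is one edit from the brand (amazn.top)
    """
    labels = to_unicode(domain).lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    label, tld = labels[-2], labels[-1]
    if label in LEGIT:
        return ("legitimate" if tld == LEGIT[label] else "brand-in-new-tld", label)
    folded = skeleton(label)
    for brand in LEGIT:
        if folded == brand:
            return ("homoglyph", brand)
    for brand in LEGIT:
        if brand in folded:
            return ("embedded-brand", brand)
    for brand in LEGIT:
        if edit_distance(folded, brand) == 1:
            return ("typosquat", brand)
    return None


# Constructed registrations, as a zone-file delta might deliver them.
SAMPLE_REGISTRATIONS = [
    "paypal.com",         # the real site: must not be flagged
    "paypal.xyz",         # same label, new gTLD
    "paypal-login.top",   # brand plus lure word
    "paypa1.science",     # digit one for letter l
    "rnicrosoft.click",   # r+n for m
    "amazn.top",          # dropped letter
    "amaozn.xyz",         # transposed letters
    "p\u0430ypal.support".encode("idna").decode("ascii"),  # punycoded Cyrillic a
    "catless.ncl.ac.uk",  # unrelated name: must return None
]


def triage(domains):
    """Map each suspicious domain to its (verdict, brand); legitimate and
    unrelated names are left out so the result is an alert list."""
    alerts = {}
    for d in domains:
        hit = classify(d)
        if hit and hit[0] != "legitimate":
            alerts[d] = hit
    return alerts


if __name__ == "__main__":
    for dom, (verdict, brand) in triage(SAMPLE_REGISTRATIONS).items():
        print(f"{dom:40s} {verdict:17s} -> {brand}")
```

Run as-is, the seven non-legitimate names print with their verdict and the brand they imitate; paypal.com and catless.ncl.ac.uk stay silent. The folding is intentionally lossy (it will turn a legitimate "learning" into "leaming"), so treat the output as a queue for a human or a reputation lookup, not as a blocklist. The point the article makes is that the look-alike lives in a namespace the brand owner never registered in, so watching only the brand's own .com zone catches none of this; a daily diff of the new-gTLD zone files is the input that makes a check like this worth running.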
------------------------------

Date: Thu, 03 Sep 2015 09:19:42 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Popular Belkin Wi-Fi routers plagued by unpatched security flaws" (Lucian Constantin)

Lucian Constantin (credit: Michael Homnick), PC World, 1 Sep 2015
ISP-provided routers are full of security vulnerabilities
Attackers could exploit the flaws to hijack DNS requests or completely take over affected devices
http://www.infoworld.com/article/2978777/networking/popular-belkin-wi-fi-routers-plagued-by-unpatched-security-flaws.html

opening text:

If your Wi-Fi network is using the popular Belkin N600 DB router, be warned: it may have several vulnerabilities that could allow hackers to take it over.

------------------------------

Date: Wed, 02 Sep 2015 10:12:56 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Act Now To Save WiFi From The FCC

FYI -- The FCC wants to *ban open-source firmware for your wifi router*. Note that although this rule supposedly affects only 5GHz, it would affect *ALL* routers because no one is going to make a 2.4GHz-only router.

Brian Benchoff, Save WiFi: Act Now To Save WiFi From The FCC, 2 Sep 2015
http://hackaday.com/2015/09/02/save-wifi-act-now-to-save-wifi-from-the-fcc/

Right now, the FCC is considering a proposal to require device manufacturers to implement security restricting the flashing of firmware. We posted something about this a few days ago, but completely missed out on a call to action. Contrary to conventional wisdom, we live under a system of participatory government, and there is still time to convince the FCC this regulation would stifle innovation, make us less secure, and set back innovation in the United States decades.

  [Henry also goes on to excerpt from the following items, truncated for RISKS, but URLs left for those readers who might be documenting this.]

http://hackaday.com/2015/08/31/fcc-introduces-rules-banning-wifi-router-firmware-modification/
https://libreplanet.org/wiki/Save_WiFi/Individual_Comments
https://apps.fcc.gov/kdb/GetAttachment.html?id=1UiSJRK869RsyQddPi5hpw%3D%3D&desc=594280%20D02%20U-NII%20Device%20Security%20v01r02&tracking_number=39498
https://www.federalregister.gov/articles/2015/08/06/2015-18402/equipment-authorization-and-electronic-labeling-for-wireless-devices
https://apps.fcc.gov/oetcf/kdb/forms/FTSSearchResultPage.cfm?id=39498&switch=P

------------------------------

Date: Thu, 27 Aug 2015 14:39:37 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Two-Factor Authentication Phishing From Iran

Citizen Lab via NNSquad
https://citizenlab.org/2015/08/iran_two_factor_phishing/

  This report describes an elaborate phishing campaign against targets in Iran's diaspora, and at least one Western activist. The ongoing attacks attempt to circumvent the extra protections conferred by two-factor authentication in Gmail, and rely heavily on phone-call based phishing and "real time" login attempts by the attackers. Most of the attacks begin with a phone call from a UK phone number, with attackers speaking in either English or Farsi.

  The attacks point to extensive knowledge of the targets' activities, and share infrastructure and tactics with campaigns previously linked to Iranian threat actors. We have documented a growing number of these attacks, and have received reports that we cannot confirm of targets and victims of highly similar attacks, including in Iran.

  The report includes extra detail to help potential targets recognize similar attacks. The report closes with some security suggestions, highlighting the importance of two-factor authentication.

------------------------------

Date: Mon, 31 Aug 2015 12:13:10 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: Heidelberg Laureate Forum on data collection (Katherine Noyes)

Katherine Noyes, Orange Hosting, IDG News Service (08/26/15)
via ACM TechNews, Monday, August 31, 2015

Many of the world's top computer science experts met last week at the Heidelberg Laureate Forum to determine how the widespread collection of data about consumers can be prevented from causing harm in the future. Much of today's data collection happens on the websites people visit, and that can spill over into surveillance by governments, according to the Electronic Frontier Foundation's (EFF) Jeremy Gillula. Most of the participants at the forum agreed there is a need for better mechanisms for protecting individuals' privacy, as well as for more transparency on the part of those collecting and using the data. "We need a policy approach" that offers not just privacy by design, but privacy by default, says Carnegie Mellon University professor Alessandro Acquisti. Although public policy and legislation are one approach to the problem, some experts do not see much reason for optimism in that direction. The EFF already has published a "Do Not Track" policy, which organizations can adopt, and it is working on a Privacy Badger, a browser extension for Firefox and Chrome that blocks spying ads and invisible trackers. The EFF also advocates end-to-end encryption because government agencies cannot do mass surveillance if all the data is encrypted, according to Gillula.
http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-e0a0x2d36fx063635&

------------------------------

Date: Monday, August 31, 2015
From: Mike Liebhold <mnl () well com>
Subject: No gigabyte nets for autonomous vehicles (via Dave Farber)

In the midst of all of the hype and hoopla over self driving cars, let's pause for a reality check:

None of the many rosy media discussions of the future of autonomous vehicles show any awareness that there are no credible network plans at all to support these vehicles - at scale - in cities and in the countryside.

Meanwhile among the engineers, there is a growing consensus that autonomous vehicles will need dense networks supporting gigabyte low latency streams for every vehicle, e.g. at least "300gBytes/ per month" of *coordinated* secure networks of LTE, WiFi, DSRC-V2V meshes, and satellites, according to Andreas Mai, Director Smart Connected Vehicles at Cisco
http://viodi.com/2015/06/15/300-gbytes-of-data-per-month-per-car/

Here are some other recent relevant quotes about network requirements for autonomous vehicles:

Intel: ``Approximately 1 GB of data will need to be processed each second in the car's real-time operating system.''
https://www-ssl.intel.com/content/www/us/en/automotive/driving-safety-advanced-driver-assistance-systems-self-driving-technology-paper.html

Telecom Italia: ``A primary bottleneck is the overall sum of application and network latencies, which are far too high today.''
http://www.networkcomputing.com/cloud-infrastructure/enabling-the-self-driving-car/a/d-id/1319538

BMW: ``... need ultra-reliable networks, low-latency, and they must work everywhere.''
http://www.computerworlduk.com/news/it-vendors/bmw-5g-could-be-key-self-driving-car-deployment-3501253/

Ericsson: ``... self-driving cars, will rely on as-yet-undefined 5G technology. The networks that we have today have nowhere near that quality-of-service guarantee.''
http://www.computerworlduk.com/news/it-vendors/the-smartest-cars-may-need-5g-ericsson-says-3497872/

When thinking about self driving cars, I try to remember the words of two former colleagues at IFTF: One of our founders Roy Amara observed that ``When thinking about the future we tend to overestimate the impacts in the near-term and underestimate impacts in the long term.'' or as aptly paraphrased by former long time IFTF Fellow Paul Saffo, ``Never mistake a clear view for a short distance.''

Mike Liebhold, Distinguished Fellow, Institute for the Future, IFTF.org

------------------------------

Date: Aug 31, 2015 6:34 PM
From: "Ross Stapleton-Gray" <ross.stapletongray () gmail com>
Subject: No gigabyte nets for autonomous vehicles (Re: Liebhold) (via Dave Farber)

I would have to think that humans are an existence proof that driving a car doesn't necessarily require high long-haul bandwidth. I'm sure one could collect 1 GB of data per second just from optical/radar/sonar/lidar sensors in the car, of the road ahead, along with GPS for general proximity, digital maps carried onboard, etc., etc. We can also expect that an increasing amount of the information absorbed from other than the car's organic sensors would be short-range wireless, e.g., car-car and car-curb data, that require little in the way of complex infrastructure, but which can augment situational awareness (just like I get digital sign data today telling me that travel time to particular destinations is X minutes presently).

If the average 100 IQ human with modest visual ability and reflexes can successfully navigate, it's not at all clear to me why my future Subaru++ is going to require the equivalent of a streaming Hollywood movie, from long distances, to compete.
Stapleton-Gray & Associates, Inc., Albany, CA

------------------------------

Date: Mon, 31 Aug 2015 05:43:32 -0400
From: Monty Solomon <monty () roscom com>
Subject: Tools for Tailored Learning May Expose Students' Personal Details

http://www.nytimes.com/2015/08/31/technology/tools-for-tailored-learning-may-expose-students-personal-details.html

Many technological tools used by schools are designed to customize learning, but concern is developing over the collection and use of data on individual students.

------------------------------

Date: Sat, 29 Aug 2015 00:29:00 -0600
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: Zuckerberg cheers as 1 billion suckers login to Facebook in 24 hours

[My sentiments exactly.]

http://www.computerworld.com/article/2977085/social-business/one-billion-people-facebook-monday-itbwcw.html

------------------------------

Date: Tue, 01 Sep 2015 15:47:46 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Windows 7, 8, and 10: Now all collecting user data for Microsoft (Fahmida Y. Rashid)

Fahmida Y. Rashid, InfoWorld, 1 Sep 2015
http://www.infoworld.com/article/2979054/windows-security/windows-7-8-10-now-all-collecting-user-data-for-microsoft.html

Uncomfortable with Windows 10 slurping personal data? Too bad -- Microsoft rolls out similar snooping capabilities to Windows 7, Windows 8

------------------------------

Date: Tue, 01 Sep 2015 05:43:58 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Windows Creepy Spying extended to Win7/8

FYI -- Why is Microsoft doing this? Google/Facebook envy? FBI/NSA NSL?

http://www.ghacks.net/2015/08/28/microsoft-intensifies-data-collection-on-windows-7-and-8-systems/

Microsoft intensifies data collection on Windows 7 and 8 systems
Martin Brinkmann, GHacks, 28 Aug 2015

Microsoft has been criticized by privacy advocates in regards to the data hunger of its Windows 10 operating system. The operating system slurps data like there is no tomorrow, especially when systems are set up using the express settings.

http://www.ghacks.net/2015/07/30/windows-10-and-privacy/

Experienced users may disable telemetry and data collection partially during setup, and then some more afterward using the Registry or Group Policy.

  [Long item truncated for RISKS.]

------------------------------

Date: Wed, 26 Aug 2015 15:21:07 -0600
From: "Joe Durusau" <durusau () att net>
Subject: Unwanted data transmissions by Windows 10 (RISKS-28.92)

I can't test this myself, since I don't have Windows 10 (and might never have it), but I wonder if any of those complaining about unwanted data transmissions have tried editing the hosts file to see whether this solves the problem? It would do so on a Unix-like system, but, as I said, I can't try it myself, so wondered whether anyone else has tried doing so.

------------------------------

Date: Wed, 2 Sep 2015 12:51:58 -0500
From: Alister Wm Macintyre <macwheel99 () wowway com>
Subject: U.S. Senate Report on Target breach

A 16-page PDF report on the Target breach has been issued by the US Senate Committee on Commerce, Science, and Transportation.
<http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=24d3c229-4f2f-405d-b8db-a3a67f183883>

It is dated March 2014, but I just found the link in an article about Federal Trade Commission (FTC) involvement.
http://www.msn.com/en-us/news/us/ftc-investigates-target-data-breach/ar-AAdQDA5?ocid=iehp

At the time of the Senate report, the investigations had not yet figured out:
  . Details of the Fazio penetration.
  . How the attackers got from the access granted Fazio, to Target's POS terminals.
  . How the attackers found default account password access for BMC software IT management system; or if the password interface was bypassed.

There are some nice diagrams at the end of the report, such as a time line of when Target allegedly received warnings, apparently ignored, of what the attackers were up to. There are also lots of links to more info. The body of the report talks about other things Target could have done to avert this disaster.

------------------------------

Date: Wed, 2 Sep 2015 08:22:22 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Ashley Madison Hack Creates Ethical Conundrum For Researchers

HuffPost via NNSquad
http://www.huffingtonpost.com/entry/ashley-madison-hack-creates-ethical-conundrum-for-researchers_55e4ac43e4b0b7a96339dfe9

  Frederick and other experts agreed that the research applications of these data are potentially endless. At the most basic level, you could use them to tease out patterns of infidelity (or at least interest in infidelity) in terms of geography, age, race, religion, sex, height or income. But with the tremendous benefits come serious risks. As sex researchers dig into the data from the Ashley Madison hack, they're confronted with a set of thorny questions: Is the data reliable? Is it proper for researchers to analyze? Is it even legally permissible to access?

  ``We're in uncharted ethical waters with the Internet and all the data that's coming out of social networks. The Ashley Madison hack is just a particularly difficult example of a much larger issue,'' said Dr. Sharlene Hesse-Biber, a sociologist and research ethics expert at Boston College.

  The reliability question is the most pressing; after all, if the data are so unreliable that they're not usable, the ethics and logistics don't matter. Early, non-academic analysis of the data has shown that a huge share of the 36 million accounts in the hack were fake, inactive or incomplete. And Ashley Madison made essentially no effort to verify any of the information in these accounts -- even email addresses -- so much of that information may wind up being useless.
You mean researchers are concerned that users might have put FALSE information on forms at an online marriage cheating site? Surely you jest! (I know, I know, don't call you Shirley.)

------------------------------

Date: Thu, 03 Sep 2015 21:32:01 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Re: Data from hack of Ashley Madison cheater site (RISKS-28.92)
highly embarrassing for the men and women
... a huge portion of Ashley Madison's software development efforts are aimed at refining their fembot army, to make it seem that women are active on the site. Either they did this because the number of real women was vanishingly small, or because they didn't want men to hook up with real women and stop buying credits from the company. Whatever the reason, it appears that the Ashley Madison money-making scheme was bots all the way down.
http://gizmodo.com/ashley-madison-code-shows-more-women-and-more-bots-1727613924

------------------------------

Date: Thu, 03 Sep 2015 20:41:21 +0800
From: Dan Jacobson <jidanni () jidanni org>
Subject: Re: ATM security risk: nonfinalization (McIntyre)

Where I live it is:
  Please take your card.
  Please take your cash.
In that order. You are not getting your cash if you don't remove your card. Seems to solve most problems.

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or
   risks-unsubscribe () csl sri com
 depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address.
 Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
 is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.93
************************