RISKS Forum mailing list archives
Risks Digest 28.76
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 8 Jul 2015 22:19:16 PDT
RISKS-LIST: Risks-Forum Digest  Wednesday 8 July 2015  Volume 28 : Issue 76

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.76.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Modal design leads to death of Marine (Steve Golson)
Man killed by a factory robot in Germany; human error blamed (Ars via Richard I Cook)
TransAsia flight: Shutdown Wrong Engine! (PGN)
NYSE troubles predicted (Alister Wm Macintyre)
"Technical issues" @ NYSE, UA, other places (Alister Wm Macintyre)
United grounded (PGN)
Is Cyber-Armageddon Upon Us? 3 Glitches Today Have Some Saying Yes (WiReD)
Why back doors are a bad idea (PGN)
More on Keys Under Doormats (PGN)
Senate Judiciary "Going Dark" site is untrusted! (Henry Baker)
FBI, Justice Dept. Take Encryption Concerns to Congress (Privacy)
Hackers take over German missile battery in Turkey (Mark Thorson)
Screen Addiction Is Taking a Toll on Children (NYTimes)
Senior Tech: A Tablet for Aging Hands Falls Short (NYTimes)
Facing a Selfie Election, Presidential Hopefuls Grin and Bear It (NYTimes)
Days of Our Digital Lives (NYTimes)
Chicago's 'cloud tax' makes Netflix and other streaming services more expensive (The Verge)
Cyber "Deterrence" considered harmful & mad (Henry Baker)
NZ Harmful Digital Communications Bill (Richard A. O'Keefe)
Some heads-up to consider for RISKS (found at Slashdot)
Early adopters of Apple Music find playlists, album art, and metadata corrupted (mike)
"OpenSSL tells users to prepare for a high severity flaw" (Lucian Constantin)
Senate advances secret plan forcing Internet services to report terror activity (Ars)
Matt Bonner Blames New iPhone 6 for Injury, Poor Shooting (Kyle Newport)
Re: Windows 10 will share your Wi-Fi key with your friends' friends (Bob Frankston)
Leap Second Causes Sporadic Outages Across the Internet (Cade Metz)
Re: "Leap Second Problem" and "Growing opposition to the Leap Second" (David E. Ross)
Re: DVD drive in PC fire hazard (Henry Baker)
Re: Overcoming Information Overload (Mark E. Smith)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 02 Jul 2015 10:56:39 -0400
From: Steve Golson <sgolson () trilobyte com>
Subject: Modal design leads to death of Marine

Marine Corps MV-22 Osprey tilt-rotor attempted to take off while in maintenance mode, which reduces power by 20%. One crew member was lost at sea.

http://www.sandiegouniontribune.com/news/2015/jun/30/osprey-crash-at-sea-command-investigation/

The aircraft controls didn't warn them they were about to take off in maintenance mode, nor did their flight manuals explain the dangers. After starting the engines, the pilots thought it odd that both hung up for about 15 seconds before spooling normally. They also discussed the fact that the exhaust deflector was set to ON instead of AUTO as usual. But the aircraft seemed fine otherwise, so they assumed a harmless software update was to blame.
RISK 1: not knowing what mode your system is in
RISK 2: assuming something unusual is due to "a harmless software update"

------------------------------

Date: Thu, 2 Jul 2015 08:45:49 +0200
From: Richard I Cook MD <ricookmd () gmail com>
Subject: Man killed by a factory robot in Germany; human error blamed

http://arstechnica.com/business/2015/07/man-killed-by-a-factory-robot-in-germany/

On Wednesday, Volkswagen said that a 22-year-old external contractor for the company had been killed by a robot at a production factory in Baunatal, Germany. Heiko Hillwig, a VW spokesperson speaking to the AP about the incident, said that the robot grabbed the worker and crushed him against a metal plate. The worker died later at a nearby hospital due to complications from his injuries.
<http://hosted.ap.org/dynamic/stories/E/EU_GERMANY_ROBOT_KILLING?SITE=TXWIC&SECTION=HOME&TEMPLATE=DEFAULT>

Hillwig told the AP, ``initial conclusions indicate that human error was to blame.'' He added that the contractor was helping set up the robot and was inside the metal safety cage that usually separates personnel from the metal-manipulating robots. Another worker was present when the incident occurred, but because he was behind the barrier, he was unharmed. Ars has reached out to Volkswagen but has not yet received a response.

According to the Financial Times ``A Volkswagen spokesman stressed that the robot was not one of the new generation of lightweight collaborative robots that work side-by-side with workers on the production line and forgo safety cages.''
http://www.ft.com/intl/fastft/353721/worker-killed-volkswagen-robot-accident

German newspaper HNA reported that the robot in question is used to build electric engines for Volkswagen, and the FT noted rather bleakly that the robot suffered no damage in the accident. No further details were given by Volkswagen because prosecutors have launched an investigation into the incident.
The story gained some morbid attention earlier today when a Financial Times employment reporter named Sarah O'Connor tweeted the story, not realizing the connection between her name and a character who has a similar name (Sarah Connor) in the Terminator series. Her tweet was retweeted more than 3,500 times <https://twitter.com/sarahoconnor_/status/616282747200479232> and she received an influx of messages making jokes about the news. ``Feeling really uncomfortable about this inadvertent Twitter thing I seem to have kicked off,'' she tweeted later today. ``Somebody died. Let's not forget.''

------------------------------

Date: Thu, 2 Jul 2015 22:11:08 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: TransAsia flight: Shutdown Wrong Engine!

Interim report on the ATR Crash in Taipei in Feb 2015 finally published:

On 4 Feb 2015, TransAsia Airways flight GE 235, an ATR72-600, registration B-22816, took off from Taipei Songshan Airport for Kinmen, Taiwan.
http://www.asc.gov.tw/main_en/docaccident.aspx?uid=343&pid=296&acd_no=191

Evidently one of the two engines failed, and the Captain accidentally shut down the working one. He was heard to say on the CVR: ``Wow, pulled back the wrong side throttle.'' That failure mode should be familiar to long-time RISKS readers!

------------------------------

Date: Wed, 8 Jul 2015 17:40:54 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: NYSE troubles predicted

NYSE suspended trading for approx 4 hours Wed July-8 starting 11.30 am due to a "technical issue" not yet explained. DHS says there is no evidence of cyber mischief, but then we remember when there was that in the past, it took them 2 years to figure out what happened.

Anonymous sent a note late Tues night about anticipating a problem at NYSE for Wednesday. How often are there notes like this? A coincidence?
http://www.msn.com/en-us/news/itinsider/anonymous-issued-cryptic-tweet-on-eve-of-nyse-suspension/ar-AAcIPjz?ocid=iehpo

------------------------------

Date: Wed, 8 Jul 2015 18:09:41 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: "Technical issues" @ NYSE, UA, other places

11.32 am Wed July-8 NYSE went down for "technical issues", officially not believed related to cyber mischief. WSJ went down at about the same time; I have not yet seen an explanation. United Airlines got grounded a few hours earlier because of a "network connectivity issue."

By 1.30 pm, WSJ was back in business. 3.10 pm NYSE was back in operation.
http://www.msn.com/en-us/news/us/nyse-resumes-trading/ar-AAcIGgj?ocid=iehp

Before the facts come out about any incident, "Technical Issues" is what the general public is usually told. When the SONY Breach chaos began, Nov-24, the official line was an "IT problem." Top executives at SONY had been told on Nov-21 by the perpetrators that this was coming if they did not comply with the perpetrator demands, so Nov-24 may have been a shock to SONY management, but not really a surprise. Several people had warned the CEO, months in advance, that The Interview would lead to North Korea hacking them, but their reaction to this news was merely to edit the trailer to be less offensive to NK, until the movie actually came out.

For lots of gory details on SONY behind the scenes, see the cover story of July-1 Fortune magazine.

------------------------------

Date: Wed, 8 Jul 2015 11:45:29 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: United grounded

http://www.komonews.com/news/national/FAA-All-US-United-Continental-flights-grounded-312486921.html
http://www.washingtonpost.com/business/economy/nyse-trading-has-been-halted/2015/07/08/46b51974-2588-11e5-b72c-2b7d516e1e0e_story.html

CNN has officially called it a set of unrelated `whacky technical problems'.
http://www.theguardian.com/business/live/2015/jul/08/new-york-stock-exchange-wall-street

------------------------------

Date: Thu, 9 Jul 2015 11:03:59 +1200
From: "Dave Farber" <dave () farber net>
Subject: Is Cyber-Armageddon Upon Us? 3 Glitches Today Have Some Saying Yes (WiReD)

http://www.wired.com/2015/07/cyberarmageddon-upon-us-3-glitches-today-saying-yes/?mbid=nl_7815

------------------------------

Date: Tue, 7 Jul 2015 22:26:07 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Why back doors are a bad idea

http://takingnote.blogs.nytimes.com/2015/07/07/why-a-back-door-to-the-internet-is-a-bad-idea/

------------------------------

Date: Tue, 7 Jul 2015 22:31:43 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: More on Keys Under Doormats

[There were a few errors in the MIT archival URL. A corrected copy is at www.crypto.com/papers/Keys_Under_Doormats_FINAL.pdf thanks to Matt Blaze. PGN]

http://www.theguardian.com/world/2015/jul/07/uk-and-us-demands-to-access-encrypted-data-are-unprincipled-and-unworkable

Nicole Perlroth in the Wednesday print edition:
http://www.nytimes.com/2015/07/08/technology/code-specialists-oppose-us-and-british-government-access-to-encrypted-communication.html

http://www.wsj.com/articles/technology-experts-hit-back-at-fbi-on-encryption-1436316464

------------------------------

Date: Wed, 08 Jul 2015 08:15:46 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Senate Judiciary "Going Dark" site is untrusted!

The Senate Judiciary Committee is holding "Going Dark" hearings today, but their own HTTPS web site is "Untrusted" by Firefox! Isn't this the very definition of "delicious irony"?

"This Connection is Untrusted"

"You have asked Firefox to connect securely to www.judiciary.senate.gov, but we can't confirm that your connection is secure."

"Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place.
However, this site's identity can't be verified."

"What Should I Do?"

"If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue."

Cody M. Poplin, 8 Jul 2015
http://www.lawfareblog.com/live-senate-hearings-going-dark
Live: Senate Hearings on "Going Dark"

------------------------------

Date: Wed, 8 Jul 2015 09:35:15 -0700
From: PRIVACY Forum mailing list <privacy () vortex com>
Subject: FBI, Justice Dept. Take Encryption Concerns to Congress

http://www.nytimes.com/aponline/2015/07/08/us/politics/ap-us-fbi-encryption.html

Vermont Sen. Patrick Leahy, the panel's senior Democrat, expressed wariness about facilitating law enforcement's access to encrypted material, saying he wasn't sure how much that would help. "Strong encryption would still be available from foreign providers," Leahy said. "Some say that any competent Internet user would be able to download strong encryption technology, or install an app allowing encrypted communications -- regardless of restrictions on American businesses."

------------------------------

Date: Wed, 8 Jul 2015 12:49:36 -0700
From: Mark Thorson <eee () sonic net>
Subject: Hackers take over German missile battery in Turkey

Ridiculous that this should even be possible. The missile battery is not on the Internet, is it?

http://www.thelocal.de/20150707/german-missiles-taken-over-by-hackers

------------------------------

From: Monty Solomon <monty () roscom com>
Date: Tue, 7 Jul 2015 08:38:56 -0400
Subject: Screen Addiction Is Taking a Toll on Children (NYTimes)

American youths are plugged in and tuned out of the real world for many more hours of the day than experts consider healthy for normal development.
http://well.blogs.nytimes.com/2015/07/06/screen-addiction-is-taking-a-toll-on-children/

------------------------------

Date: Sun, 5 Jul 2015 10:44:26 -0400
From: Monty Solomon <monty () roscom com>
Subject: Senior Tech: A Tablet for Aging Hands Falls Short

http://well.blogs.nytimes.com/2015/06/30/senior-tech-a-tablet-for-aging-hands-fall-short/

The AARP RealPad promises ``no confusion and no frustration'' for older adults. Starting with the on button, it delivers the opposite.

------------------------------

Date: Sat, 4 Jul 2015 19:44:04 -0400
From: Monty Solomon <monty () roscom com>
Subject: Facing a Selfie Election, Presidential Hopefuls Grin and Bear It

http://www.nytimes.com/2015/07/05/us/politics/facing-a-selfie-election-presidential-hopefuls-grin-and-bear-it.html

The Selfie Election
http://nyti.ms/1NE67AX

------------------------------

Date: Sat, 4 Jul 2015 22:34:46 -0400
From: Monty Solomon <monty () roscom com>
Subject: Days of Our Digital Lives (NYTimes)

http://www.nytimes.com/2015/07/05/opinion/sunday/seth-stephens-davidowitz-days-of-our-digital-lives.html

Minute by minute, just what are we searching for?

------------------------------

Date: Wed, 1 Jul 2015 23:01:29 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Chicago's 'cloud tax' makes Netflix and other streaming services more expensive (The Verge)

*The Verge* via NNSquad
http://www.theverge.com/2015/7/1/8876817/chicago-cloud-tax-online-streaming-sales-netflix-spotify

Today, a new "cloud tax" takes effect in the city of Chicago, targeting online databases and streaming entertainment services. It's a puzzling tax, cutting against many of the basic assumptions of the web, but the broader implications could be even more unsettling. Cloud services are built to be universal: Netflix works the same anywhere in the US, and except for rights constraints, you could extend that to the entire world.
But many taxes are local -- and as streaming services swallow up more and more of the world's entertainment, that could be a serious problem.

------------------------------

Date: Tue, 07 Jul 2015 09:14:01 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Cyber "Deterrence" considered harmful & mad

The U.S. seems intent on doubling down on the inappropriate application of nuclear deterrence theory to "cyber deterrence".

The concept of nuclear deterrence depends upon the concept of "mutually assured destruction" (MAD). No destruction, no assured, no mutual, no deterrence.

*Cyber deterrence is a contradiction in terms; there is no deterrence in cyberspace.*

The U.S. has done its part in guaranteeing the "mutual" part; the U.S. has left itself wide open to "cyber" attack, because it has no defenses. As Adm. Winnefeld admits, the U.S.--with the largest collection of sophisticated networks--has far more to lose than anyone else.

Deterrence is a feedback system; the signaling has to go both ways. But if the signaling is ignored, the feedback is useless. It is the equivalent of adjusting a thermostat that isn't connected to the air conditioning system.

As has been stated many times before, appropriate destruction requires proper attribution, but in the "cyber" case, attribution remains highly dubious. Hitting back at the wrong target will simply create more enemies.

The time has come for computer scientists to speak up against the whole concept of "cyber deterrence", because it is ineffective and dangerous. Because it is ineffective, no one is going to be deterred, and therefore any reliance on "deterrence" instead of defense will encourage rather than discourage such an attack.

WWI started as a result of inappropriate signaling among the Great Powers in 1914. Let's not repeat this mistake in the 21st Century.

https://en.wikipedia.org/wiki/Deterrence_theory
https://en.wikipedia.org/wiki/World_War_I

37-minute talk by Adm. James Winnefeld regarding, among other things, "cyber deterrence".
https://www.youtube.com/watch?v=j9cFHYHMQcY
ADM James A. Winnefeld, Vice Chairman of the Joint Chiefs of Staff at the Army Cyber Institute May 14, 2015.

------------------------------

Date: Thu, 2 Jul 2015 18:41:25 +1200
From: "Richard A. O'Keefe" <ok () cs otago ac nz>
Subject: NZ Harmful Digital Communications Bill

We've all experienced or heard stories about cyberbullying and the like. My own daughter has had nastygrams and death threats through electronic media. There are risks of doing nothing, and risks of over-reacting.

I heard today that New Zealand's "Harmful Digital Communications Bill" passed at the end of last month.
http://parliamenttoday.co.nz/2015/06/harmful-digital-communications-bill-passes/
Metadata: http://www.parliament.nz/en-nz/pb/legislation/bills/00DBHOH_BILL12843_1/harmful-digital-communications-bill
Text: http://legislation.govt.nz/bill/government/2013/0168/latest/whole.html

This has been in the works for several years. It has been officially reviewed for consistency with our Bill of Rights Act (BORA), and found acceptable.
(http://www.justice.govt.nz/policy/constitutional-law-and-human-rights/human-rights/bill-of-rights/harmful-digital-communications-bill)
However, it's still controversial, although the hooraw about changing the flag has distracted attention from it.
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11473451

There must be some people reading comp.risks who could comment on this more competently than I, but here are some things I notice.

"digital communication (a) means any form of electronic communication; and (b) includes any text message, writing, photograph, picture, recording, or other matter that is communicated electronically."

So anything said over a landline phone, CB radio, amateur, or marine radio counts as "digital communication" even if it is all analogue. Wouldn't "electronic communication" have done?
"The purpose of this Act is to (a) deter, prevent, and mitigate harm caused to individuals by digital communications; and (b) provide victims of harmful digital communications with a quick and efficient means of redress."

However, "harm means serious emotional distress" and "posts a digital communication [means] (a) means transfers, sends, posts, publishes, disseminates, or otherwise communicates by means of a digital communication (i) any information, whether truthful or untruthful, about the victim; or (ii) an intimate visual recording of another individual; and (b) includes an attempt to do anything referred to in paragraph (a)" so it would seem that a mobile phone service that transfers a message from one person to another might be covered by "transfer". Deciding what to do about "hosts" and trying to get it right apparently caused a lot of trouble in drafting. They clearly didn't *intend* ISPs or phone companies to be affected, provided there's a straightforward complaints process.

Truthfulness is not an issue? If Miss A says to Miss B, "stay away from Mr C, he put his last girlfriend in the hospital", and Mr C says this hurt his feelings, Miss A could be facing up to NZD 50,000 in fines or 2 years in prison, *even if it is true*.

Thinking from a computing perspective, we already have laws about defamation, and we can't expect what seems like haphazard patching to produce anything but buggy consequences. Several other acts are amended by this one, and again, programming has me wondering about the ability of the "Legislation IDE" to find *all* the legislation that needs patching.

There are 10 principles.
1. A digital communication should not disclose sensitive personal facts about an individual.
2. A digital communication should not be threatening, intimidating, or menacing.
3. A digital communication should not be grossly offensive to a reasonable person in the position of the affected individual.
4. A digital communication should not be indecent or obscene.
5. A digital communication should not be used to harass an individual.
6. A digital communication should not make a false allegation.
7. A digital communication should not contain a matter that is published in breach of confidence.
8. A digital communication should not incite or encourage anyone to send a message to an individual for the purpose of causing harm to the individual.
9. A digital communication should not incite or encourage an individual to commit suicide.
10. A digital communication should not denigrate an individual by reason of his or her colour, race, ethnic or national origin, religion, gender, sexual orientation, or disability.

So *if* I were to tell you that my dog is so smart she has a degree from MIT, principle 6 would get me.

It just occurred to me that I'm on the SumOfUs.org mailing list, and have signed a lot of their petitions. If a board member of [name your favourite predatory company] should claim to have suffered "serious emotional distress" as a result of receiving one of these petitions, principle 5 might or might not get me, but principle 8 would certainly get SumOfUs.org, should they ever be subject to NZ law.

There are oddball features, like someone is to be appointed to be or run an Approved Agency for dealing with complaints under the Act, but "is not to be regarded as being employed in the service of the Crown..."

Much of the Act is administrative, but a District Court (which typically deals with things like minor assault, unpaid fines, &c) may make orders (paraphrased):
- to take down or disable material
- to tell people to stop doing whatever they've been doing
- to order a correction to be published
- to give a right of reply to the affected individual
- to demand an apology.

It also creates an offence: basically, deliberately posting material that does harm someone and could have been expected to.

An order to take material down because it upsets someone comes, or could come, quite close to the right to be forgotten.
------------------------------

Date: Sat, 4 Jul 2015 00:04:09 +0200
From: Werner U <werneru () gmail com>
Subject: Some heads-up to consider for RISKS (found at Slashdot)

*Windows 10 Shares Your Wi-Fi Password With Contacts*
tech.slashdot.org/story/15/07/01/2121252/windows-10-shares-your-wi-fi-password-with-contacts?sbsrc=md
(July 1, Slashdot)
*The Register reports that Windows 10 will include, defaulted on, "Wi-Fi Sense <http://www.theregister.co.uk/2015/06/30/windows_10_wi_fi_sense/>" which shares wifi passwords with Outlook.com contacts, Skype contacts and, with an opt-in, Facebook friends. This involves Microsoft storing the wifi passwords entered into your laptop which can then be used by any other person suitably connected to you. If you don't want someone's Windows 10 passing on your password, Microsoft has two solutions; only share passwords using their Wi-Fi Sense service, or by adding "_optout" to your SSID.*

*Senator Demands Answers on FBI's Use of Zero Days, Phishing*
threatpost.com/senator-demands-answers-on-fbis-use-of-zero-days-phishing/113593
(July 2, Threatpost)
Sen. Charles Grassley (R-Iowa), chairman of the powerful Senate Judiciary Committee, has sent a letter to FBI Director James Comey asking some pointed questions about the bureau's use of zero-day vulnerabilities, phishing attacks, spyware, and other controversial tools (a list of highly specific questions about the way the FBI uses remote exploitation capabilities and spyware tools). The letter <https://www.grassley.senate.gov/sites/default/files/judiciary/upload/FBI%2C%2006-12-15%2C%20use%20of%20spyware%20letter.pdf> is related to a current effort by the Department of Justice to get more leeway in the way that its agencies use spyware tools in criminal investigations.
*Government Illegally Spied On Amnesty International*
yro.slashdot.org/story/15/07/02/2053222/uk-government-illegally-spied-on-amnesty-international
(July 2, Slashdot)
*A court has revealed that the UK intelligence agency, GCHQ, illegally spied on human rights organization Amnesty International <http://amnesty.org.uk/press-releases/surveillance-uk-government-spied-on-amnesty-international#.VZRD7VrIjak.twitter>. It is an allegation that the agency had previously denied, but an email from the Investigatory Powers Tribunal backtracked on a judgment made in June which said no such spying had taken place. The email was sent to Amnesty International yesterday, and while it conceded that the organization was indeed the subject of surveillance <http://betanews.com/2015/07/02/uk-government-illegally-spied-on-amnesty-international/>, no explanation has been offered. It is now clear that, for some reason, communications by Amnesty International were illegally intercepted, stored, and examined. What is not clear is when the spying happened, what data was collected and, more importantly, why it happened.*

*Samsung Faces Lawsuit In China Over Smartphone Bloatware*
tech.slashdot.org/story/15/07/03/1424207/samsung-faces-lawsuit-in-china-over-smartphone-bloatware
(July 3, Slashdot)
*Samsung is being sued in China for installing too many apps onto its smartphones <http://www.shanghaidaily.com/metro/society/Samsung-Oppo-facing-landmark-lawsuits-over-preinstalled-apps/shdaily.shtml>. The Shanghai Consumer Rights Protection Commission is also suing Chinese vendor Oppo, demanding that the industry do more to rein in bloatware <http://thestack.com/samsung-oppo-lawsuit-smartphone-bloatware-030715>. The group said complaints are on the rise from smartphone users who are frustrated that these apps take up too much storage and download data without the user being aware. Out of a study of 20 smartphones, Samsung and Oppo were found to be the worst culprits.
A model of Samsung's Galaxy Note 3 contained 44 pre-installed apps that could not be removed from the device, while Oppo's X9007 phone had 71.*

*Firefox 39 Released, Bringing Security Improvements and Social Sharing*
news.slashdot.org/story/15/07/03/1426226/firefox-39-released-bringing-security-improvements-and-social-sharing
(July 3, Slashdot)
*Today Mozilla announced the release of Firefox 39.0 <https://blog.mozilla.org/blog/2015/07/02/new-sharing-features-in-firefox/>, which brings a number of minor improvements to the open source browser. (Full release notes <https://www.mozilla.org/en-US/firefox/39.0/releasenotes/>.) They've integrated Firefox Share with Firefox Hello, which means that users will be able to open video calls through links sent over social media. Internally, the browser dropped support for the insecure SSLv3 <http://it.slashdot.org/story/14/10/15/000239/google-finds-vulnerability-in-ssl-30-web-encryption> and disabled use of RC4 <http://yro.slashdot.org/story/13/03/14/1839239/cryptographers-break-commonly-used-rc4-cipher> except where explicitly whitelisted. The SafeBrowsing malware detection now works for downloads on OS X and Linux. (Full list of security changes: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox39) The Mac OS X version of Firefox is now running Project Silk <https://hacks.mozilla.org/2015/01/project-silk/>, which makes animations and scrolling noticeably smoother.
Developers now have access to the powerful Fetch API <https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API>, which should provide a better interface for grabbing things over a network.*

------------------------------

Date: Tue, 7 Jul 2015 10:47:18 -0600
From: mike <mike1234z () hotmail com>
Subject: Early adopters of Apple Music find playlists, album art, and metadata corrupted

One risk of jumping onto a new product release is the possibility of side effects that damage or destroy your data -- as some Apple Music enrollees are discovering. On the Apple discussion forum and elsewhere users are complaining that through some unexplained mechanism their existing playlists and album art are being corrupted by Apple Music. Playlists that have taken hours to compile become useless. Also there are reports that user meta-data describing the song (genre, artist, notes, etc.) is replaced by meta-data from Apple Music.

See https://discussions.apple.com/thread/7104745

------------------------------

Date: Tue, 07 Jul 2015 12:56:36 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "OpenSSL tells users to prepare for a high severity flaw" (Lucian Constantin)

Lucian Constantin. InfoWorld, 7 Jul 2015
Patches will be released on July 9 for a high severity vulnerability in OpenSSL's widely used cryptographic library
http://www.infoworld.com/article/2944802/security/openssl-tells-users-to-prepare-for-a-high-severity-flaw.html

------------------------------

Date: Tue, 7 Jul 2015 16:35:28 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Senate advances secret plan forcing Internet services to report terror activity (Ars)

Ars Technica via NNSquad
http://arstechnica.com/tech-policy/2015/07/senate-advances-secret-plan-forcing-internet-services-to-report-terror-activity/

Senator Dianne Feinstein (D-CA), who sponsored the Internet services provision, did not return a call seeking comment. The legislation is modeled after a 2008 law, the Protect Our Children Act.
That measure requires Internet companies to report images of child porn, and information identifying who trades it, to the National Center for Missing and Exploited Children. That quasi-government agency then alerts either the FBI or local law enforcement about the identities of online child pornographers. The bill, which does not demand that online companies remove content, requires Internet firms that obtain actual knowledge of any terrorist activity to "provide to the appropriate authorities the facts or circumstances of the alleged terrorist activity," wrote The Washington Post, which was able to obtain a few lines of the bill text. The terrorist activity could be a tweet, a YouTube video, an account, or a communication.

Actual child porn is fairly obvious. Terror activity is a much more nebulous concept, and I suspect a significant percentage of the blowhard statements from idiot trolls in posting comments could be theoretically swept into this category. I suspect what's actually going on here is that this is a preliminary to trying to push through legislation banning strong encryption by these services, trying to turn Internet services into monitoring agents for the government.

------------------------------

Date: Wed, 8 Jul 2015 13:48:35 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Matt Bonner Blames New iPhone 6 for Injury, Poor Shooting

Bleacher Report -- Kyle Newport -- Jul 6, 2015
http://bleacherreport.com/articles/2516427-matt-bonner-blames-new-iphone-6-for-injury-poor-shooting

Matt is quoted in the article:

``I hate to make excuses, I was raised to never make excuses, but I went through a two-and-a-half month stretch where I had really bad tennis elbow, and during that stretch it made it so painful for me to shoot I'd almost be cringing before I even caught the ball like, this is going to kill.'' [...] Everybody is going to find this hilarious, but here's my theory on how I got it.
When the new iPhone came out it was way bigger than the last one, and I think because I got that new phone it was a strain to use it, you have to stretch further to hit the buttons, and I honestly think that's how I ended up developing it.''

------------------------------

Date: 8 Jul 2015 17:11:51 -0400
From: "Bob Frankston" <bob2-53 () bob ma>
Subject: Re: Windows 10 will share your Wi-Fi key with your friends' friends (RISKS-28.75)

万能钥匙 (WiFi Master Key, http://www.lianwifi.com/) provides an app used by hundreds of millions of Chinese to share Wi-Fi keys. I haven't used it because it's an APK not vetted in the Android store, but I understand the value and the need for a tool to avoid wasting time negotiating past all those Wi-Fi agree screens and other annoyances present even if there is no charge. At some point we need to face up to the fact that this whole idea of Wi-Fi security is a debacle as well as a security risk. Microsoft's approach may be problematic because it seems to have more complexity, but it does address a real need for "just works" connectivity.

------------------------------

Date: Wed, 1 Jul 2015 23:24:42 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Leap Second Causes Sporadic Outages Across the Internet (Cade Metz)

Cade Metz -- WiReD -- 07.01.15 -- 1:08 pm

Yesterday's leap second caused sporadic outages in more than 2,000 networks that link machines across the Internet, according to a company that tracks the performance of online services. Doug Madory, the director of Internet analysis at the New Hampshire-based Dyn Inc., says the outages occurred just after midnight Coordinated Universal Time, when the leap second was added. Because no single Internet service provider was responsible for the outage, Madory says, the leap second was almost certainly the culprit.
http://www.wired.com/2015/07/leap-second-causes-sporadic-outages-across-internet/

------------------------------

Date: Wed, 1 Jul 2015 09:42:18 -0700
From: "David E. Ross" <david () rossde com>
Subject: Re: "Leap Second Problem" and "Growing opposition to the Leap Second" (RISKS-28.74)

Back in 1969, I was a software tester for a system that handled leap-seconds seamlessly, a system that remained in use until the early 1990s (more than 20 years). We had no problems with leap-seconds. Internally, all time-tags were in TAI (atomic time), which does not have leap-seconds. This, of course, simplified the accurate computation of intervals between two events. All inputs and displays used a small software routine that converted UTC to TAI and vice-versa with the insertion or removal of appropriate leap-seconds.

The problem today is that seven years went by (1999-2006) with no leap-seconds. Then, only one leap second occurred between 2006 and 2012, on 1 January 2009 (one in a six-year interval). That is, there were only two leap-seconds in a 13-year period. Programmers, testers, and others involved in computer systems became complacent, lazy, and possibly ignorant of fundamental physical processes that are causing the earth's rotation to slow.

No, the leap-second is not a problem. The problem lies in systems that were designed without regard for a phenomenon that occurred 22 times from 1972 to 1999, 27 years during which no serious opposition was expressed against leap-seconds.

------------------------------

Date: Tue, 07 Jul 2015 07:17:36 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: DVD drive in PC fire hazard (mctaylor, RISKS-28.75)

My 17" HP Windows laptop fries its own hard drive, because it's located right next to a very hot GPU. However, it has a completely empty bay on the other side that is about 20-25 degrees C cooler. I got a short SATA extender cable & relocated the hard drive to this cooler bay. I then started running Ubuntu, because it runs 10-15 degrees C cooler than Windows. As best I can tell, once-mighty HP has lost all of its lustre, and all of its excellent engineers have left for greener pastures.
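The scheme David Ross describes in his leap-second post above, with every internal time-tag in TAI and a small routine at the input and output edges that converts UTC to and from TAI by inserting or removing leap seconds, worked through as an added Python example. This is not code from the digest or from his 1969 system. The TAI-UTC offsets are the published IERS values from 1972 through the 2017 entry; the integer-second TAI representation, the function names and the sample instants around the 30 June 2015 leap second are assumptions made here for illustration. Negative leap seconds, which have never been scheduled, are not modelled.

```python
# Added example (not from the RISKS digest): keep internal time-tags in TAI
# and convert UTC <-> TAI only at input and output, using a leap-second table.
# The TAI-UTC offsets are the published IERS values; the representation
# (integer TAI seconds) and the helper names are assumptions for illustration.
from datetime import date

# (UTC date from whose 00:00:00 the offset applies, TAI-UTC in seconds)
LEAP_TABLE = [
    ((1972, 1, 1), 10), ((1972, 7, 1), 11), ((1973, 1, 1), 12), ((1974, 1, 1), 13),
    ((1975, 1, 1), 14), ((1976, 1, 1), 15), ((1977, 1, 1), 16), ((1978, 1, 1), 17),
    ((1979, 1, 1), 18), ((1980, 1, 1), 19), ((1981, 7, 1), 20), ((1982, 7, 1), 21),
    ((1983, 7, 1), 22), ((1985, 7, 1), 23), ((1988, 1, 1), 24), ((1990, 1, 1), 25),
    ((1991, 1, 1), 26), ((1992, 7, 1), 27), ((1993, 7, 1), 28), ((1994, 7, 1), 29),
    ((1996, 1, 1), 30), ((1997, 7, 1), 31), ((1999, 1, 1), 32), ((2006, 1, 1), 33),
    ((2009, 1, 1), 34), ((2012, 7, 1), 35), ((2015, 7, 1), 36), ((2017, 1, 1), 37),
]
DAY = 86400


def _naive(y, m, d, hh=0, mm=0, ss=0):
    """Seconds on a calendar that pretends every day has 86400 seconds.
    ss may be 60 inside a leap second; the count then equals 00:00:00 of
    the next day, which is exactly why this count alone cannot be UTC."""
    return date(y, m, d).toordinal() * DAY + hh * 3600 + mm * 60 + ss


def tai_utc_offset(y, m, d):
    """TAI-UTC in force on the given UTC calendar date."""
    off = None
    for when, o in LEAP_TABLE:
        if when <= (y, m, d):
            off = o
    if off is None:
        raise ValueError("before the leap-second era (1972)")
    return off


def utc_to_tai(y, m, d, hh, mm, ss):
    """UTC fields -> TAI integer seconds.  Accepts 23:59:60 only on a day
    that the table says ends with a positive leap second."""
    if not 0 <= ss <= 60:
        raise ValueError("second out of range")
    if ss == 60:
        next_day = date(y, m, d).toordinal() + 1
        if (hh, mm) != (23, 59) or all(
                date(*when).toordinal() != next_day for when, _ in LEAP_TABLE):
            raise ValueError("no leap second at %04d-%02d-%02d 23:59:60" % (y, m, d))
    # The offset is looked up on the date as written, so 23:59:60 still gets
    # the pre-leap offset while 00:00:00 of the next day gets the new one.
    return _naive(y, m, d, hh, mm, ss) + tai_utc_offset(y, m, d)


def tai_to_utc(tai):
    """TAI integer seconds -> UTC fields, rendering a leap second as :60."""
    off = None
    for when, o in LEAP_TABLE:
        # offset o starts at UTC 00:00:00 of its date, i.e. at TAI naive + o
        if _naive(*when) + o <= tai:
            off = o
    if off is None:
        raise ValueError("before the leap-second era (1972)")
    utc = tai - off
    # If the next table entry starts at exactly this naive count, we are in
    # the inserted second 23:59:60 of the previous day.
    leap = any(o == off + 1 and _naive(*when) == utc for when, o in LEAP_TABLE)
    days, rem = divmod(utc - 1 if leap else utc, DAY)
    d = date.fromordinal(days)
    hh, rem = divmod(rem, 3600)
    mm, ss = divmod(rem, 60)
    return (d.year, d.month, d.day, hh, mm, 60 if leap else ss)


def interval(utc_a, utc_b):
    """Elapsed seconds between two UTC instants, computed in TAI."""
    return utc_to_tai(*utc_b) - utc_to_tai(*utc_a)


def naive_interval(utc_a, utc_b):
    """What a system that subtracts UTC wall-clock values would report."""
    return _naive(*utc_b) - _naive(*utc_a)


if __name__ == "__main__":
    a, b = (2015, 6, 30, 23, 59, 0), (2015, 7, 1, 0, 1, 0)
    print("TAI interval:", interval(a, b), "naive UTC interval:", naive_interval(a, b))
    print("leap second round trip:", tai_to_utc(utc_to_tai(2015, 6, 30, 23, 59, 60)))
```

The two interval functions are the point of the exercise: across 30 June 2015 the TAI difference is one second longer than the wall-clock difference, and the table also reproduces Ross's count of 22 leap seconds between 1972 and 1999. Any system that stores UTC wall-clock values and subtracts them has to reach for the table after the fact; one that stores TAI never does.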
------------------------------

Date: Wed, 8 Jul 2015 02:53:28 +0800
From: "Mark E. Smith" <mymark () gmail com>
Subject: Re: Overcoming Information Overload

Over time I've developed my own methods of overcoming information overload.

1. I have no interface with mainstream or commercial media. I don't own a TV, don't listen to my hand-cranked radio except for a single jazz station, and don't read newspapers or magazines. I have no cell phone, my landline is used only for my dial-up Internet connection, and I'm no longer a registered voter. Therefore my only contact with stories planted by the CIA, corporations, or political operatives, is if they are exposed and/or commented on by somebody in my personal network.

2. For topics that interest me I keep abreast by subscribing to list-serves dedicated to those specific topics and following people who have demonstrated an ability to keep themselves informed and to inform others about these topics on Twitter. For example, I subscribe to two list-serves about Fukushima and follow several people on Twitter who are knowledgeable about and only or primarily Tweet about Fukushima.

3. I subscribe through RSS feeds or by email notification to websites that specialize in topics of interest to me, such as natural health cures, pollution, technology risks, countries under attack by NATO, indigenous struggles, sexism, racism, etc., and follow people with similar interests, experience, and expertise on Twitter. So I get daily or frequent updates from or about Iraq, Syria, Afghanistan, Pakistan, Libya, Somalia, Yemen, Palestine, Sudan, Venezuela, Mexico, Ecuador, Russia, etc., and news about government or paramilitary attacks on indigenous peoples, people of color, and on women and children everywhere, plus news of the latest pharmaceutical and health industry scandals and natural health breakthroughs.

4. To save time, I filter emails that don't interest me, and I block more than 90% of the people who try to follow me on Twitter, after checking their profiles to make sure they have nothing to say that I consider of informational value.

5. I don't use social media other than Twitter, which ensures that everything I read is concise and succinct, due to the character limit on Tweets.

While Dan Gillmor's notice of the MediaLit MOOC is certain to be of value to many who have not already worked out a system of their own, as soon as I saw that it included voices from the mainstream media, I knew it would not be of sufficient value to me to give it any more time than this response, which I hope might save others some time.

------------------------------

Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request () csl sri com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe () csl sri com or risks-unsubscribe () csl sri com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject line will be very helpful in separating real contributions from spam. This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.76
************************